CATHOLIC CHARITIES, DIOCESE OF TRENTON
POLICIES AND PROCEDURES MANUAL
HIPAA POLICIES AND PROCEDURES

TABLE OF CONTENTS

Section 1.00 Confidentiality and Privacy
HP-1.01 Overview of Confidentiality and Privacy Section
HP-1.02 Distribution of Notice of Privacy Practices
  Attachment to HP-1.02: Notice of Privacy Practices
  Notice of Privacy Practices - Spanish Version
HP-1.03 Client’s Request for Access to Health Information
  Attachment A to HP-1.03: Client Request to Review or Obtain Copy of Health Information
  Attachment B to HP-1.03: Notice of Denial of Client Request to Review or Obtain Copy of Health Information
HP-1.04 Designated Record Set
HP-1.05 Client’s Request to Amend Health Information
  Attachment A to HP-1.05: Client Request to Amend Health Information
  Attachment B to HP-1.05: Notice of Denial of Client Request to Amend Health Information
HP-1.06 Client Requests for Restriction of Uses/Disclosures of Private Health Information and/or Confidential Communications
  Attachment to HP-1.07: Client Request for Restriction of Uses/Disclosures of Private Health Information and/or Confidential Communications Form
HP-1.07 Client’s Request for Accountings of Disclosures of Health Information
  Attachment A to HP-1.07: Disclosure Sheet
  Attachment B to HP-1.07: Records Release Authorization
HP-1.08 Application of “Minimum Necessary” Criteria for Use and Disclosure of Health Information
HP-1.09 Subpoenas and Court Orders
HP-1.10 Client Privacy Complaints
  Attachment A to HP-1.10: Privacy Complaint Form
  Attachment B to HP-1.10: Complaint/Comment Log
HP-1.11 Workforce Privacy Training and Sanctions for Violations of Privacy Policies
HP-1.12 Retention of Health Information and Documentation of Compliance with HIPAA Privacy Regulations, and Appropriate Destruction of Client Health Information
HP-1.13 Storage of Protected Health Information
HP-1.14 Disclosure of De-Identified Information
HP-1.15 Computer, E-Mail, and Internet Usage Policies (aka AP-4.05)

Section 2.00 Safety and Security
HP-2.01 Overview of Safety and Security Section
  Attachment to HP-2.01: Incident Log
HP-2.02 HIPAA Security Plans
  Attachment A to HP-2.02: Privacy and Security Plan
  Attachment B to HP-2.02: Disaster Prevention Plan
  Attachment C to HP-2.02: Disaster Recovery and Emergency Operation Plan
  Attachment D to HP-2.02: Disaster Recovery Teams
  Attachment E to HP-2.02: Data Security Backup Plan/Staff Training Plan
HP-2.03 Security – Passwords
HP-2.04 Data Classification Policy
HP-2.05 Software/Hardware Policy
HP-2.06 Policy on Workstation Use
HP-2.07 Virus Prevention Policy
HP-2.08 Access, Control, and Validation
HP-2.09 Termination Process
HP-2.10 Computer, E-Mail, and Internet Usage Policies
  Attachment A to HP-2.10: Acknowledgment of Understanding
  Attachment B to HP-2.10: Request for Internet Access

Section 3.00 Risk Analysis
HP-3.01 Risk Analysis
  Attachment to HP-3.01: Risk Analysis Form

HP-1.01 HIPAA Policies and Procedures
OVERVIEW OF CONFIDENTIALITY AND PRIVACY SECTION OF THE HIPAA POLICIES AND PROCEDURES

1. Purposes and Importance of Confidentiality
The primary purpose of the client record is to document the course of the client’s health care treatment and to provide a medium of communication among health care professionals for the current and future care of the client. In order to fulfill these purposes, significant amounts of data must be revealed and recorded. The client must be assured that the information shared with us will remain confidential; otherwise the client may withhold critical information, which could affect the quality of care provided. Catholic Charities is committed to protecting the confidentiality of all client information from unauthorized disclosure at all stages of collection, use, storage, release of information and destruction.

2. Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) was implemented on April 14, 2003.
HIPAA’s purpose was to improve the efficiency and effectiveness of the health care system. The law requires the adoption of security and privacy standards in order to protect personal health information.

3. Protected Health Information (PHI)
Protected Health Information (PHI) means individually identifiable health information maintained in any form or medium. The following are examples of Protected Health Information:
- Name
- Address
- Date of birth
- Social Security number
- Services provided
- Other personal information
- Reason for visit
- Treatment and/or medications
- Past and present health conditions
- Past treatment provided by our agency
- Past treatment elsewhere

4. Penalties for Violations of the HIPAA Law
Criminal Penalties
- Fines and imprisonment for wrongful disclosure of PHI (selling PHI for money)
- Penalties increase with the severity of the offense (fines up to $250,000 and/or 10 years in prison)
Civil Penalties
- Fines for inadvertent violations (not for personal gain): $100.00 per violation, up to $25,000

5. Ownership of Records
The information contained in the client record, not the physical record itself, belongs to the client, and the client is entitled to have this information protected. All client information is regarded as confidential and is made available only to those authorized by the patient or his/her legal representative. The client record is the property of Catholic Charities, is maintained to serve the client and health care providers, and will be maintained in accordance with legal, regulatory, and accrediting agency requirements. The record will be available at all times for client care and treatment. Any data collection on a client, whether by interview, observation or review of documents, is conducted in a setting that provides maximum privacy and protects the information from unauthorized individuals.

6. Notice of Privacy Practices
Under HIPAA, clients served must be given a written Notice of Privacy Practices. This notice outlines the uses and disclosures of protected health information that may be made and notifies clients of their rights and our legal duties with respect to protected health information.
6.1 The Notice of Privacy Practices must be given to each client upon admission, or, in the event of an emergency, the therapist will provide the notice at the first opportunity available.
6.2 Receipt of the notice will be maintained in the client’s record.
6.3 The Notice of Privacy Practices will be posted in a prominent and public location at each facility.
6.4 Reference: Policy/Procedure on Notice of Privacy Practices.

7. Intimidating or Retaliatory Acts and Waiver of Rights Prohibited
Neither the Agency, nor any division, department, office, program, facility or workforce member shall intimidate, threaten, coerce, discriminate against or take other retaliatory action against any client for the exercise of his/her rights or participation in any process relating to HIPAA, or against any person for filing a complaint with the Secretary of the U.S. Department of Health and Human Services, participating in a HIPAA investigation, compliance review, proceeding or hearing, or engaging in reasonable opposition to any act or practice that the person in good faith believes to be unlawful under HIPAA regulations, as long as the action does not involve disclosure of protected health information in violation of the regulations.

8. Prohibition on Waiver of Rights
No division, department, office, program, facility, or workforce member shall require individuals to waive any of their rights under HIPAA as a condition of treatment.

9. Client Right to Access Protected Health Information
Clients have a right to access and obtain a copy of their protected health information and any information in their designated record set. All client requests for access and/or copying will be processed within 30 days of receipt of the request.
Whenever access is permitted, it will be provided in the form or format requested if it is readily producible in such format, or otherwise in a readable hard copy. Catholic Charities may charge a reasonable fee for photocopying. (Reference: Policy/Procedure: Client Right to Access)
9.1 Denial of Access
Access to a client’s protected health information may be denied where, using professional judgment:
- Access to the information is reasonably likely to endanger the life or physical safety of the client or another person
- Access is likely to cause substantial harm to a non-healthcare provider referenced in the record
- Access is likely to cause substantial harm to the client or another person
- Access has a significant risk of exacerbating the client’s symptoms and would be harmful to the client’s treatment and health. This denial may be temporary, until the client’s symptoms decrease and the client is stable.
- The information consists of psychotherapy notes, which are not accessible under HIPAA
In the case of denial of a client’s request to access his/her protected health information, the professional denying access will inform the client in writing and will document the rationale in the client’s record. The client, under certain circumstances, may request a review of the denial. A licensed professional who was not involved in the client’s treatment will conduct an objective review to determine the appropriateness of the denial of access. Access may or may not be granted based on the independent review.
9.2 Denial of Access to Psychotherapy Notes
Catholic Charities may not disclose psychotherapy notes, except in specific situations or as otherwise required by law. A client does not have the right to inspect or copy psychotherapy notes. A client may not request a review of a denial of access to psychotherapy notes. (Reference: Policy/Procedure on Client’s Right to Access)

10. Client Right to Amendment of Protected Health Information
The client has a right to request an amendment of his/her health information maintained within the designated record set. This request must be made in writing and will be processed within 40 days of receipt.
10.1 Approval of Request
If the request is approved, Catholic Charities will clearly identify the records within the designated record set that are affected by the amendment, with a clearly documented link between the documents. The client will be informed of the acceptance of the amendment, and Catholic Charities will obtain the client’s agreement to have Catholic Charities notify any person who may have relied on, or may be likely to rely in the future on, the information that is the subject of the amendment.
10.2 Denying the Amendment
If the request to amend records is denied by Catholic Charities, the client will be notified of the reason for denial. Denial may be because:
- The information is accurate and complete.
- The information was not created by Catholic Charities.
- The information is not part of the designated record set.
- The information would not be available for inspection under HIPAA.
Under HIPAA the client has the right to write a statement of disagreement, which will be included in the record. (Reference: Policy/Procedure on Client’s Right to Amend)

11. Client’s Right to Restrict Protected Health Information
The client has a right to request a restriction on the uses and disclosures of his/her protected health information. Catholic Charities does not have to agree to this request and cannot agree to a restriction relating to disclosures required under law.
11.1 Approval of Request to Restrict
If Catholic Charities agrees to the requested restriction(s), the healthcare professional must document the agreed-upon restriction and abide by it, unless the individual is in need of emergency treatment, the information is needed for that treatment, and the disclosure is to another provider only for the purposes of such treatment. In that case Catholic Charities must request that the other provider agree not to further disclose the protected health information.
11.2 Denial of Request to Restrict
Catholic Charities will notify the client, in writing, of any denial of a request to restrict. (Reference: Policy/Procedure on Client’s Right to Restrict PHI)

12. Client’s Right to an Accounting of Disclosures
The client has the right to obtain an accounting of disclosures of his/her protected health information by Catholic Charities for a period of up to six years prior to the date of the request for such an accounting. The request will be processed within 60 days of the actual request. The accounting will include a listing of the:
- Date of the disclosure
- Name and address of the recipient of the information
- General description of the information disclosed
- Purpose of the disclosure
The first accounting in any 12-month period must be provided to the client free of charge. A reasonable fee may be charged for additional accountings within the twelve-month period. (Reference: Policy/Procedure: Client’s Right to an Accounting)

13. Authorization for Use or Disclosure of Protected Health Information
13.1 Mental Health Information on a Minor. A minor client, 14 years or older, may authorize the disclosure of his/her records in the same manner as an adult.
13.2 Substance Abuse Treatment for a Minor. A minor can consent to substance abuse treatment without the need for parental or guardian consent. As a consequence, a minor who consents to substance abuse treatment without parental or guardian consent has the sole authority to disclose protected health information relating to that substance abuse treatment.
13.3 Authorization. An authorization must be obtained prior to using or disclosing mental health, substance abuse, or HIV-related information. The authorization must contain ALL of the following elements:
- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
- The name of the person or class of persons to whom the information is to be released or disclosed
- The name of the person or class of persons who are authorized to release or disclose the information
- A description of the purpose of the requested use or disclosure
- An expiration: the authorization expires in 90 days, or upon an event that is time-limited and does not exceed one year, and is updated during the treatment plan review preceding the expiration date
- Signature of the individual and date. If a personal representative or legal guardian signs the authorization, a description of such representative’s authority is documented.
- Witness signature
- A revocation clause and a description of how the individual can revoke the authorization (in writing)
- A statement that treatment is not conditioned on the authorization
- A confidentiality statement reflecting that Federal and State law protect the information
- A copy is offered to the client, and this is documented on the authorization form
- Client’s name and date of birth or Social Security number
- A statement that the client has the right to inspect the information
Reference: Policy/Procedure on Verification of Identity
13.4 Family Therapy Records. Information cannot be disclosed to third parties without the authorization of all individuals receiving therapy.
13.5 Minimum Necessary.
When using or disclosing protected health information, or when requesting protected health information from another entity, reasonable efforts will be made to limit the protected health information used or disclosed to the minimum necessary to accomplish the purpose of the use/disclosure. Information released or disclosed will be limited to only that information that is necessary to fulfill the purpose stated in the authorization to release information. (Reference: Policy/Procedure on Minimum Necessary Standard)
13.6 Access to Client’s Record. Access to a client’s record by Catholic Charities employees is limited to personnel who:
- Are involved in the direct care of the client
- Are involved in the supervision of this care
- Have essential administrative functions, including file maintenance, data entry or billing, or
- Are responsible for the maintenance of the MIS system, and
- Have signed an agreement to abide by the Agency’s confidentiality policy
Client records may also be made available without an authorization to auditors, as stipulated in State and Federal Law:
- Professional Standards Review Organization participants
- Quality Management and Utilization Review committees
- Clinical audit teams
- Monitoring and site review from the Department of Human Services, Department of Health, New Jersey Department of Health and Senior Services, and Division of Youth and Family Services
- Authorized personnel of the Division of Youth and Family Services or other legal child protective agency supervising the care of abused or neglected children may have access to the records of those minor children
Wherever possible, names of clients shall be deleted from records being reviewed.

14. Subpoenas and Court Orders
Catholic Charities will respond to subpoenas in a manner consistent with applicable state and federal law. Protected health information shall not be released pursuant to a subpoena unless instructed to do so in writing by counsel for the Agency. Staff shall not provide testimony in response to a subpoena unless instructed to do so in writing by counsel for the Agency. Upon receipt of a court order, the staff member will immediately provide a copy to the Program Director and the Division Director. The Division Director will contact counsel for the Agency to obtain advice. (Reference: Policy/Procedure Subpoena and Court Orders)

15. Complaints
Any client or other individual wishing to make a complaint concerning Catholic Charities’ HIPAA policies and procedures and/or the Agency’s compliance with those policies and procedures shall be offered a Privacy Complaint Form to document their complaint, suggestion and/or other comments. Complaints will be forwarded to the Division Director and the Director of Compliance. Catholic Charities will review each complaint and will document appropriate corrective action. (Reference: Policy/Procedure on Privacy Complaints)

16. Sanctions
Catholic Charities will apply, and document the application of, appropriate corrective action against staff who fail to comply with HIPAA policies and procedures. (Reference: Policy/Procedure Human Resources Employee Discipline)

17. Emergency Situations
In life-threatening situations, pertinent protected health information may be released to health care providers responsible for the client’s care without the consent of the client. The caller will be asked to identify himself/herself, his/her credentials, location, and telephone number, and where he/she is calling from. This assists in verifying the caller and where he/she is calling from. Only the minimum necessary information shall be released for the immediate care of the client. This release of information must be documented in the record.

18. Public Responsibility
State and Federal law permit and/or require certain uses and disclosures of protected health information for various purposes related to public responsibility. Such uses and disclosures may be made without the authorization of the client.
The following uses and disclosures fall into this category:
- A public health authority authorized by law to collect or receive information for the purpose of preventing or controlling disease, conducting public health surveillance, etc.
- A public health or other government authority authorized by law to receive reports of child abuse or neglect.
- A person subject to the jurisdiction of the Food and Drug Administration (FDA) regarding his/her responsibility for the quality, safety, or effectiveness of an FDA-regulated product, to report adverse events, product defects or problems, recalls, repairs, etc.
- Serious threats to health or safety: consistent with applicable law and ethical standards, protected health information may be used or disclosed if the licensed health professional believes in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to another person or the public. Disclosure is limited to:
  - Arranging for the client to be admitted voluntarily to a psychiatric unit or facility
  - Advising a local law enforcement authority of the client’s threat and the identity of the intended victim
  - Warning the intended victim of the threat, or, in the case of an intended victim who is under the age of 18, warning the parent or guardian of the intended victim
  - If the client is under the age of 18 and threatens to commit suicide or bodily injury upon himself/herself, warning the parent or guardian of the client
  - The disclosure is documented in the record.

19. Retention and Destruction of Protected Health Information
Catholic Charities will maintain all protected health information in accordance with Federal and State laws. Destruction of protected health information will be done in accordance with standards of practice for record destruction. (Reference: Policy/Procedure on Retention/Destruction of Health Information)

20. Storage of Protected Health Information
All client records and protected health information will be maintained in a secure room, locked file cabinets or other similarly secured area when not in use. Safeguards are taken to prevent loss from fire, water damage, theft, and any breaches of confidentiality. (Reference: Policy/Procedure on Storage of PHI)

21. Computers, E-mail, Internet, Telephones and Fax
Passwords and user logins are unique to each authorized user and will be assigned by the Information Technology Department. Passwords are maintained confidentially; they are not revealed or shared, not coded into programs, and not written down where unauthorized access could occur. Employees use the computer, e-mail, Internet, and telephone systems only for the business purposes of Catholic Charities.
21.1 Computers: A password and user login identification are required in order to access the computer system. Users must keep confidential all references and resource labels of Catholic Charities’ computer system, including but not limited to internal domain names, server names, printer names, IP addresses, and directory services. No employee may download software without the approval of the IT Department. All remote access to the computer system, whether dial-up or Internet access, must use encryption services to protect the confidentiality of the session.
21.2 E-mail: Catholic Charities reserves the right to review files and communications to maintain system integrity and to ensure that users are using the system appropriately, responsibly and in accordance with Catholic Charities policies and procedures. At no time should any protected health information of any client be transmitted via electronic mail outside of the Catholic Charities network unless it is encrypted.
Due care shall be used when transmitting private health information of any client by electronic mail within the Catholic Charities internal network, to prevent the transmittal and/or receipt of such information by any staff member not authorized to have access to the information. Staff members shall not forward to any third party outside of Catholic Charities any e-mail message that contains any form of individually identifiable health information, unless expressly authorized by the client on a signed authorization for use/disclosure of health information form. Catholic Charities will incorporate e-mail messages sent or received that concern the diagnosis or treatment of a client, or payment for treatment, into the client’s chart and/or billing file, and shall maintain such information with the same degree of confidentiality as the remainder of the client’s chart and billing file.
21.3 Telephone: All employees will use caution to protect the confidentiality of a client’s protected health information in the course of a telephone discussion with a client or any third party. Telephone discussions should be conducted away from other people, preferably in an office or conference room with the door closed. Whenever a telephone call is placed to a client, the staff member shall make a reasonable attempt to confirm that the person with whom they are speaking is in fact the client before beginning any discussion of protected health information. At no time shall any staff member leave any detailed health information in a message on any answering machine, in a voice mail message, with an answering service, or with a family member, friend, colleague, or any other third party answering the telephone.
21.4 Internet: Any employee accessing the Internet from a Catholic Charities site is responsible for all on-line activities which take place through the use of his/her login and password.
21.5 Facsimile (Fax) Machines: All incoming faxes should be immediately removed from each fax machine and placed in a folder or envelope for the intended recipient. Each office will coordinate the assignment and programming of the fax numbers of those healthcare providers, health plans, and other payers to whom Catholic Charities regularly faxes the protected health information of its clients, uniformly into the memory of each fax machine. The “speed dial” numbers shall be reserved for these healthcare providers, health plans, or other payers. Each such programmed number shall be tested prior to the transmission of any protected health information. A directory of these speed dial numbers shall be maintained and made available to staff members, and may be posted near each fax machine. All staff members are to use those speed dial numbers when faxing protected health information. Should it be determined, or suspected, at any point that a fax transmission containing the protected health information of one or more clients may have been transmitted to an unintended recipient, a telephone call shall immediately be placed, or if necessary an additional fax shall be sent, to make arrangements to retrieve the errant fax. (Reference: Policy/Procedure Information Technology, Computer, E-mail, and Internet)

22. Privacy Officer
The Director of Compliance has been designated as the Privacy Officer. The Privacy Officer is responsible for the development, implementation, and maintenance of the Agency’s policies and procedures covering the privacy of, and access to, client health information in compliance with federal and state laws.
Approved 12-03
Revised 12-04
Reviewed 6-05

HP-1.02 HIPAA Policies and Procedures
DISTRIBUTION OF NOTICE OF PRIVACY PRACTICES

Policy
It is the policy of Catholic Charities to provide our clients with written notice of our privacy practices, including among other things a statement of each client’s rights as set out by the HIPAA Privacy Regulations. The written Notice of Privacy Practices adopted by Catholic Charities shall be distributed to each client, parent/guardian or their legal representative pursuant to the guidelines set forth below:
1. Each client, parent/guardian and/or their legal representative shall be provided a copy of the most current Notice of Privacy Practices at the time of their initial intake, unless impracticable in the case of emergency treatment. In the case of emergency treatment, it shall be the responsibility of the therapist to provide this notice, and to take the further steps described below, at the first opportunity available.
2. Each client, parent/guardian or their legal representative shall be asked to sign a Consent for Treatment and an Acknowledgement of Receipt of Notice of Privacy Practices to acknowledge that they received a copy of the Notice of Privacy Practices. If the client or legal representative is unwilling or unable to acknowledge receipt in this way, the staff member shall document his/her effort to obtain this acknowledgement, and the refusal or the reason the client or legal representative did not sign the acknowledgement, on the Notice of Privacy Practices form, with the date and the workforce member’s signature.
3. The acknowledgement form and/or the documentation of refusal or inability to sign shall be immediately placed in the intake section of the client’s chart. A copy of the Notice of Privacy Practices will be given to the client/guardian/custodian.
4. The Notice of Privacy Practices shall also be posted on bulletin boards in client areas.
5. The Notice of Privacy Practices is also posted on the Catholic Charities, Diocese of Trenton website.

Approved 12-03
Revised 12-04
Approved 6-05

Attachment to HP-1.02
Notice of Privacy Practices - Spanish Version
Please see pages 123 – 127.

Revised 12-04
Approved 6-05

Attachment to HP-1.02 HIPAA Policies and Procedures
Catholic Charities, Diocese of Trenton
NOTICE OF PRIVACY PRACTICES

This Notice describes how health information about you may be used and disclosed and how you can get access to this information. This document will be explained to you during the admission process; however, please review it carefully.

We have a legal duty to safeguard your protected health information. We will protect the privacy of the personal health information that we maintain that identifies you, whether it deals with the provision of health care to you or the payment for health care. We are required by law to provide you with this Notice about our privacy practices. It explains how, when and why we may use and disclose your health information. With some exceptions, we will avoid using or disclosing any more of your health information than is necessary to accomplish the purpose of the use or disclosure. We are legally required to follow the privacy practices that are described in this Notice, which is currently in effect. (Reference: Health Insurance Portability and Accountability Act of 1996.) However, we reserve the right to change the terms of this Notice and our privacy practices at any time. Any changes will apply to any of your health information that we already have. Before we make an important change to our policies, we will promptly change this Notice and post a new Notice on the bulletin board in your unit/program. You may also request from your therapist, at any time, a copy of the Notice of Privacy Practices that is in effect at that time.
We would like to take this opportunity to answer some common questions concerning our privacy practices:

QUESTION: HOW WILL THIS ORGANIZATION USE AND DISCLOSE MY PROTECTED HEALTH INFORMATION?
Answer: We use and disclose health information for many different reasons. For some of these uses or disclosures, we need your specific authorization. Below, we describe the different categories of our uses and disclosures and give you some examples of each.

1. Uses and Disclosures Relating to Treatment, Payment, or Healthcare Operations. We may, under federal law, use and disclose your health information for the following reasons:
1.1 For Treatment. We may disclose necessary health information to other health care providers who are involved in your care. For example, we may disclose your medical history to a hospital if you need medical attention while at our facility, or to a residential care program to which we are referring you. Reasons for such a disclosure may be: to get them the medical history information they need to appropriately treat your condition, to coordinate your care, or to schedule necessary testing.
1.2 To Obtain Payment for Treatment. We may use and disclose necessary health information in order to bill and collect payment for the treatment that we have provided to you. For example, we may provide certain portions of your health information to your health insurance company, Medicare or Medicaid, in order to get paid for taking care of you.
1.3 For Health Care Operations. We may, at times, need to use and disclose your health information to run our organization. For example, we may use your health information to evaluate the quality of the treatment that our staff has provided to you. We may also need to provide some of your health information to our accountants, attorneys, and consultants in order to make sure that we’re complying with the law.

2. Certain Other Uses and Disclosures Are Permitted by Federal Law. We may use and disclose your health information without your authorization for the following reasons:
2.1 When a Disclosure Is Required by Federal, State, or Local Law, in Judicial or Administrative Proceedings, or by Law Enforcement. For example, we may disclose your protected health information if we are ordered to by a court, or if a law requires that we report that sort of information to a government agency or law enforcement authorities, such as in the case of a dog bite, suspected child abuse or a gunshot wound.
2.2 For Public Health Activities. Under the law, we need to report information about certain diseases, and about any deaths, to government agencies that collect that information. With the possible exception of information concerning mental health disorders and/or treatment, drug and alcohol abuse and/or treatment, and HIV status (for which we may need your specific authorization), we are also permitted to provide some health information to the coroner or a funeral director, if necessary, after a client’s death.
2.3 For Health Oversight Activities. For example, we will need to provide your health information if requested to do so by the County and/or the State when they oversee the program in which you receive care. We will also need to provide information to government bodies, such as the New Jersey Division of Mental Health Services, New Jersey Department of Health and Senior Services, Division of Youth and Family Services, etc., that have the right to inspect our offices and/or investigate healthcare practices.
2.4 For Organ Donation. If one of our clients wishes to make an eye, organ or tissue donation after their death, we may disclose certain necessary health information to assist the appropriate organ procurement organization.
2.5 For Research Purposes.
In certain limited circumstances (for example, where approved by an appropriate Privacy Board or Institutional Review Board under federal law), we may be permitted to use or provide protected health information for a research study.

2.6 To Avoid Harm. If one of our counselors, physicians, or nurses believes that it is necessary to protect you, or to protect another person or the public as a whole, we may provide protected health information to the police or others who may be able to prevent or lessen the possible harm.

2.7 For Specific Government Functions. With the possible exception of information concerning mental health disorders and/or treatment, drug and alcohol abuse and/or treatment, and HIV status (for which we may need your specific authorization), we may disclose the health information of military personnel or veterans where required by U.S. military authorities. Similarly, we may also disclose a client's health information for national security purposes, such as assisting in the investigation of suspected terrorists who may be a threat to our nation.

2.8 For Workers' Compensation. We may provide your health information as described under the workers' compensation law, if your condition was the result of a workplace injury for which you are seeking workers' compensation.

2.9 Appointment Reminders and Health-Related Benefits or Services. Unless you tell us that you would prefer not to receive them, we may use or disclose your information to provide you with appointment reminders or to (give you information about/send to you newsletters about) alternative programs and treatments that may help you.

2.10 Fundraising Activities. For example, if our organization chose to raise funds to support one or more of our programs or facilities, or some other charitable cause or community health education program, we may use the information that we have about you to contact you.
If you do not wish to be contacted as part of any fundraising activities, please contact your therapist.

3. Certain Uses and Disclosures Require You to Have the Opportunity to Object.

3.1 Disclosures to Family, Friends, or Others Involved in Your Care. We may provide a limited amount of your health information to a family member, friend, or other person known to be involved in your care or in the payment for your care, unless you tell us not to. For example, if a family member comes with you to your appointment and you allow them to come into the treatment room with you, we may disclose otherwise protected health information to them during the appointment, unless you tell us not to.

3.2 Disclosures to Notify a Family Member, Friend, or Other Selected Person. When you first started in our program, we asked that you provide us with an emergency contact person in case something should happen to you while you are at our facilities. Unless you tell us otherwise, we will disclose certain limited health information about you (your general condition, location, etc.) to your emergency contact or another available family member, should you need to be admitted to the hospital, for example.

4. Other Uses and Disclosures Require Your Prior Written Authorization. In situations other than those categories of uses and disclosures mentioned above, or those disclosures permitted under federal law, we will ask for your written authorization before using or disclosing any of your protected health information. In addition, we need to ask for your specific written authorization to disclose information concerning your mental health, drug and alcohol abuse and/or treatment, or to disclose your HIV status. If you choose to sign an authorization to disclose any of your health information, you can later revoke it to stop further uses and disclosures to the extent that we have not already taken action relying on the authorization, so long as it is revoked in writing.
QUESTION: WHAT RIGHTS DO I HAVE CONCERNING MY PROTECTED HEALTH INFORMATION?

Answer: You have the following rights with respect to your protected health information:

1. The Right to Request Limits on Uses and Disclosures of Your Health Information. You have the right to ask us to limit how we use and disclose your health information. We will certainly consider your request, but you should know that we are not required to agree to it. If we do agree to your request, we will put the limits in writing and will abide by them, except in the case of an emergency. Please note that you are not permitted to limit the uses and disclosures that we are required or allowed by law to make.

2. The Right to Choose How We Send Health Information to You or How We Contact You. You have the right to ask that we contact you at an alternate address or telephone number (for example, sending information to your work address instead of your home address) or by alternate means (for example, by [e-mail/mail] instead of telephone). We must agree to your request so long as we can easily do so.

3. The Right to See or to Get a Copy of Your Protected Health Information. In most cases, you have the right to look at or get a copy of your health information that we have, but you must make the request in writing. A request form is available from your therapist. We will respond to you within 30 days after receiving your written request. If we do not have the health information that you are requesting, but we know who does, we will tell you how to get it. In certain situations, we may deny your request. If we do, we will tell you, in writing, our reasons for the denial. In certain circumstances, you may have a right to appeal the decision. If you request a copy of any portion of your protected health information, we will charge you for the copy on a per-page basis, only as allowed under New Jersey state law. We require that payment be made in full before we will provide the copy to you.
If you agree in advance, we may be able to provide you with a summary or an explanation of your records instead. There will be a charge for the preparation of the summary or explanation.

4. The Right to Receive a List of Certain Disclosures of Your Health Information That We Have Made. You have the right to get a list of certain types of disclosures that we have made of your health information. This list would not include uses or disclosures for treatment, payment, or healthcare operations, disclosures to you or with your written authorization, or disclosures to your family for notification purposes or due to their involvement in your care. This list also would not include any disclosures made for national security purposes, disclosures to corrections or law enforcement authorities if you were in custody at the time, or disclosures made prior to April 14, 2003. You may not request an accounting for more than a six (6) year period. To make such a request, we require that you do so in writing; a request form is available upon asking your therapist. We will respond to you within 60 days of receiving your request. The list that you may receive will include the date of the disclosure, the person or organization that received the information (with their address, if available), a brief description of the information disclosed, and a brief reason for the disclosure. We will provide such a list to you at no charge; but, if you make more than one request in the same calendar year, you will be charged $10.00 for each additional request that year.

5. The Right to Ask to Correct or Update Your Health Information. If you believe that there is a mistake in your health information or that a piece of important information is missing, you have a right to ask that we make an appropriate change to your information. You must make the request in writing, with the reason for your request, on a request form that is available from your therapist.
We will respond within 60 days of receiving your request. If we approve your request, we will make the change to your health information, tell you when we have done so, and will tell others that need to know about the change. We may deny your request if the protected health information:
- Is correct and complete
- Was not created by us
- Is not allowed to be disclosed to you
- Is not part of our records.

Our written denial will state the reasons that your request was denied and explain your right to file a written statement of disagreement with the denial. If you do not wish to do so, you may ask that we include a copy of your request form, and our denial form, with all future disclosures of that health information.

6. The Right to Get a Paper Copy of This Notice. You have the right to a copy of this notice.

QUESTION: HOW DO I COMPLAIN OR ASK QUESTIONS ABOUT THIS ORGANIZATION'S PRIVACY PRACTICES?

Answer: If you have any questions about anything discussed in this Notice or about any of our privacy practices, or if you have any concerns or complaints, please contact the Compliance Director at Catholic Charities of Trenton, 383 West State Street, Trenton, New Jersey 08607 or call (609) 394-5181 extension 150. You also have the right to file a written complaint with the Secretary of the U.S. Department of Health and Human Services. We may not take any retaliatory action against you if you lodge any type of complaint.

QUESTION: WHEN DOES THIS NOTICE TAKE EFFECT?

Answer: This Notice takes effect on June 1, 2003.

STATEMENT OF ACKNOWLEDGEMENT/UNDERSTANDING

I, __________________________________, have read, reviewed, and had explained to me my rights regarding the use/disclosure of my Personal Health Information collected during the therapeutic process by Catholic Charities. I have asked and have had answered any questions I may have concerning the use/disclosure of said information.
I am satisfied that I understand its contents and significance and acknowledge receipt of a copy of these rights as established by the HIPAA of 1996.

_________________________________________ Client Signature ______________________________ Date

_________________________________________ Parent/Guardian Signature ______________________________ Date

_________________________________________ Witness ______________________________ Date

Copy: Client
Original: Chart

Approved 12-03
Reviewed 6-05

HP-1.03 HIPAA Policies and Procedures

CLIENT'S REQUEST FOR ACCESS TO HEALTH INFORMATION

Policy

It is the policy of Catholic Charities to provide for an appropriate level of access to an individual client's own private health information maintained within a designated record set, consisting of mental health, medical and billing records prepared by, or on behalf of, Catholic Charities. The term "designated record set" shall exclude any records prepared and maintained by another health care provider, unless a treating physician within Catholic Charities documents his/her intention to incorporate such records as a part of Catholic Charities' designated record set. It shall be the duty of the Program Director or designee, under the direction of the Privacy Officer, to receive and process all client requests for access pursuant to the procedure set forth below and the federal privacy regulations adopted pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").

Personal Representative

A personal representative is any adult who has decision-making capacity and who is willing to act on behalf of a patient. A personal representative would include an individual who has authority, by law or by written agreement from the individual receiving treatment, to act in the place of the individual.
This includes parents, legal guardians, or properly appointed agents, such as those identified in documents like a Durable Power of Attorney with a Healthcare Proxy or a Standby Medical Guardian for a minor. In instances where there is any doubt that an adult is acting as a personal representative, the healthcare practitioner in a direct treatment relationship with the client shall obtain written documentation (i.e. Court Order, Healthcare Proxy or Standby Medical Guardian) indicating that the adult is a personal representative of the client.

A person acting in the role of personal representative must be treated as the individual regarding access unless:
- The individual is an un-emancipated minor, but is authorized to give lawful consent, or may obtain the health care without consent of the personal representative, and the minor has not requested that the person be treated as a personal representative, or the personal representative has assented to an agreement of confidentiality between the provider and the minor. Minors over the age of 14 can object to the release of protected health information maintained in a community-based mental health program even if the personal representative authorizes the release of protected health information; or
- There is a reasonable basis to believe that the individual has been or may be subjected to domestic violence, abuse or neglect by the personal representative, or that treating that person as a personal representative could endanger the individual, and, in the exercise of professional judgment, it is determined not to be in the best interests of the individual to treat that person as a personal representative.

Procedure

1.
All client requests for access to the client's own health information shall be made in writing and signed by the client, or the client's legal representative, on the form entitled "Client Request to Review or Obtain Copy of Health Information." The blank forms shall be maintained at the record room and distributed upon request by the client's therapist.

2. Upon receipt of the request, the Program Director or designee shall document receipt of the request upon the Client Request form by indicating the date received. The Client Request form and any corresponding forms shall thereafter be maintained as a part of the client's chart.

3. All processing of client requests for access shall be completed within thirty (30) days of receipt, unless the designated record set is maintained offsite. In the case of offsite records, the processing of the request shall be completed within a total of sixty (60) days, with a written explanation of the reason for the delay and the date by which the processing will be completed being sent to the client.

4. Whenever access is permitted, it shall be provided in the form requested by the client, if readily producible in that form; if not, then it shall be provided in a readable hard copy form. Access, if appropriate, shall be provided in the manner requested by the client, whether by mailing a copy to the client's stated address and/or by allowing review of the record(s) by appointment at the record room of Catholic Charities. Prior to mailing a copy of the requested record(s) to the client, the Program Director or designee shall compute and obtain payment from the client for all copying and postage charges permitted by law, and document the same upon the Client Request form. If unable or unwilling to pay such charges, the client shall be permitted to schedule an appointment to review the requested record(s) at the record room of Catholic Charities.
The Program Director or designee shall document upon the Client Request form confirmation of the grant of access and the date(s) upon which copies of the requested record(s) were mailed and/or were reviewed by the client. In order to protect the original medical record from defacement or destruction, the client may review the original record only under supervision of staff. If staff cannot supervise the review of the original medical record, then a copy of the record should be provided for the client to review.

5. In the case of any denial of a client's request for access to his/her own health information, the Program Director or designee, under the direction of the Privacy Officer, will issue the "Notice of Denial of Client Request to Review or Obtain Copy of Health Information," maintaining a copy of this form in the client's chart and documenting the mailing of this form upon the Client Request form.

5.1 Non-reviewable grounds for denial of access under the HIPAA privacy regulations include:
- No right to access psychotherapy notes, unless part of the designated record set.
- No right to access information compiled in reasonable anticipation of civil, criminal or administrative proceedings.
- No right to access information protected under the Clinical Laboratory Improvements Amendments of 1988 or corresponding regulations.

5.2
- The direction to deny access to an inmate, made by the correctional facility in which the client is incarcerated.
- The record(s) requested are subject to the Federal Privacy Act, 5 U.S.C. §552a.
- The information requested was obtained from someone other than a health care provider under a promise of confidentiality and access would likely reveal the source of the information.
- The client agreed to a temporary denial of access to this information by consenting to participate in a research study in which treatment is being provided.
- Catholic Charities does not maintain the requested record(s), in which case record room staff must tell the client where to direct his/her request, if known.

Any licensed health care professional within Catholic Charities who is involved with the treatment and/or care of the client may indicate the need to deny access to any portion or all of a record within the designated record set, for any one of the reasons set forth below, by placing in the pertinent portion of the chart a readily visible red flag, marked with the professional's name or initials, to indicate that client access to the record shall not be granted without the express permission of that licensed health care professional. Such reviewable grounds for denial of access include:
- A determination has been made, using professional judgment, that access to the information requested is reasonably likely to endanger the life or physical safety of the client or another;
- A determination has been made, using professional judgment, that access to the information requested is reasonably likely to cause substantial harm to a non-healthcare provider referenced within the record(s);
- A determination has been made, using professional judgment, that access to the information requested by the client's legal representative is reasonably likely to cause substantial harm to the client or another person; or
- Based on professional judgment, the review of health information or the medical record has a significant risk of exacerbating the client's symptoms and would be harmful to the client's treatment and health. This denial may be temporary, until the client's symptoms have decreased and the client is stable.

6. Prior to the granting of client access to any record, the Program Director or designee shall thoroughly inspect all requested record(s) for the placement of a [red flag] for access denial, and shall discuss the continued validity of any such [red flags] with the treating professional.
Access to such portions of the designated record set shall not be granted without the express authorization of the treating professional who noted the denial by placement of the [red flag] upon the chart.

7. Written requests for review of such reviewable denials of access are to be made by the client by signing and dating the statement at the bottom of the Notice of Denial form, and returning the form to Catholic Charities. Upon receipt of the request for a review of such a denial, the date received shall be documented upon the original Client Request form.

8. Upon receipt of a request for review of a reviewable denial of access, the Program Director/Privacy Officer shall immediately designate a reviewing official, who shall be a licensed health care professional (Medical Director or designee) who did not participate in any way in the making of the underlying access denial decision.

9. The reviewing official shall immediately be granted access to any portion of the chart and/or other record(s) deemed necessary to make a proper assessment and determination of whether the underlying access denial was proper. Any treating professional involved in the underlying decision shall cooperate in the reviewing official's investigation.

10. The designated reviewing official shall reach a prompt decision upon whether the access denial was proper, but in any case no later than thirty (30) days from receipt of the appeal, and shall mail a letter stating the decision to the client, providing a copy to Catholic Charities for its records. Upon receipt of this determination letter, the Program Director shall document its date upon the original Client Request form. The decision of the reviewing official shall be binding upon Catholic Charities, and, if awarded by the reviewing official, access shall be provided to the client in the manner requested as soon as reasonably possible.

11.
Catholic Charities may not disclose psychotherapy notes, except in specific situations or as otherwise required by law. A client does not have the right to inspect or copy psychotherapy notes. A client may not request a review of a denial of access to psychotherapy notes.

11.1 Staff members may not disclose psychotherapy notes, except in the following situations:
- For use by the originator of the psychotherapy notes for the purposes of treatment.
- Use or disclosure by Catholic Charities for its own training programs in which students and interns in mental health learn under supervision to practice or improve their skills in group, joint, family or individual counseling.
- Use or disclosure by Catholic Charities to defend itself in a legal action or other proceeding brought by the client.
- Use and disclosure required by law.
- Use and disclosure to a health oversight agency for oversight activities authorized by law, including audits.
- Uses or disclosures to avert a serious threat to health or safety (duty to warn).

12. Copy Fees. (N.J.A.C.42G-15.3)

12.1 The fee for copying records shall not exceed $1.00 per page or $100.00 per record for the first 100 pages. For records which contain more than 100 pages, a copying fee of no more than 25 cents per page may be charged for pages in excess of the first 100 pages, up to a maximum of $200.00 for the entire record.

12.2 In addition to the per-page cost, the following charges may be permitted:
- A search fee of no more than $10.00 per patient per request; and
- A postage charge of actual cost for mailing, not to exceed $5.00.

12.3 No other charges shall be assessed other than those permitted in 12.1 and 12.2 above.
Approved 12-03
Revised 12-04
Reviewed 6-05

Attachment A to HP-1.03 HIPAA Policies and Procedures
Catholic Charities, Diocese of Trenton

CLIENT REQUEST TO REVIEW OR OBTAIN COPY OF HEALTH INFORMATION

Please complete the following information, printing clearly:

Your Name: _______________________ (first) (middle) (last)    Date of Birth: ____________
Address: _______________________ (street) (city) (state) (zip code)
Telephone: _______________________________________
Name of Your Case Manager/Counselor: _______________

Which of the following are you requesting? (Please check all that apply.)
- Healthcare/Treatment Records
- Billing Information
- Other: __________ ____________

Purpose: ______________________________________________________________________

Please describe the information that you wish to look at or get a copy of, including the date(s) of the information (date of visit, treatment, or other health care service):
__________________________________________
__________________________________________

If you would like a copy of these records, you will need to pay for copying and postage, as allowed by law. Payment will be required prior to the copy being made and sent to you. If you do not wish to pay for a copy of the records, you may make an appointment to come in to look at these record(s) at our records department office. Please note that we need at least five (5) full business days to get these records together for you.

Please check at least one of the following:
- I would like you to send these records to me.
- I would like to make an appointment to look at these records at this office.
Signature (of Client or Legal Representative): _________________________ Date: ____________

For Office Use Only
Date Request Received: ____________
Access Granted: ____________
Cost: $ ____________
Record(s) Mailed on: ____________
Record(s) Reviewed by Client on: ____________
Payment Received: ____________
Denial Notice Mailed on: ____________
Request for Review Received on: ____________
Review Decision Mailed on: ____________

Attachment B to HP-1.03 HIPAA Policies and Procedures
Catholic Charities, Diocese of Trenton

NOTICE OF DENIAL OF CLIENT REQUEST TO REVIEW OR OBTAIN COPY OF HEALTH INFORMATION

We have received your Request to Review or Obtain a Copy of Health Information dated ___________________. There are certain reasons set forth under federal law that allow us to deny your request. We must deny your request for access for the reason(s) that we have checked off below:

1. You do not have a right to access psychotherapy notes.

2. You do not have a right to access information created or put together in reasonable anticipation of civil, criminal, or administrative proceedings.

3. You do not have a right to access information which is protected under the Clinical Laboratory Improvements Amendments of 1988, or corresponding regulations.

4. We have been directed by the correctional facility in which you are an inmate to deny your request.

5. The record(s) requested are subject to the federal Privacy Act, 5 U.S.C. §552a.

6. The information requested was obtained from someone other than a health care provider under a promise of confidentiality, and access is not permitted in that it would likely reveal the source of the information.

7.
[Your psychiatrist/psychologist/a licensed healthcare professional involved in your treatment/care] has determined, in his/her professional judgment, that access to the information requested is reasonably likely to endanger the life or physical safety of the client or another person, to cause substantial harm to a non-healthcare provider noted within the record(s), or, if requested by the client's personal representative, to cause substantial harm to the client or another person.

8. This facility does not maintain the requested record(s) within its designated record set. You must direct your request to:

9. You previously agreed to a temporary denial of access to this information when you consented to participate in the research study in which you are receiving treatment.

*If the reason that we have denied you access to these records is the reason listed as number seven (7) above, you have a right to appeal this decision to a reviewing official, who must, by law, be a licensed healthcare professional who did not participate in the underlying decision. To request such a review of the decision, please indicate this below and sign and return a copy of this document to this organization within ten (10) days of the date of this Notice.

Please note that you have the right to lodge a complaint with this office by contacting the Privacy Officer at 609-394-5181, extension 150, or complaints may be lodged with the Secretary of the U.S. Department of Health and Human Services.

Catholic Charities, Diocese of Trenton
By: ____________________ Date: ____________

Request for Appeal (only applicable for reason number seven (7) above)

I am requesting an appeal of the denial of access.
Signature of Client or Personal Representative _____________________________________ Date: ____________________________

HP-1.04 HIPAA Policies and Procedures

DESIGNATED RECORD SET

Policy

To ensure consistency of client information, all Catholic Charities programs will maintain client-related information in a similar chart format. The designated record set, which is different from the chart format, consists of mental health, medical and billing records prepared by, or on behalf of, Catholic Charities. The term "designated record set" shall exclude any records prepared and maintained by another health care provider, unless a treating licensed health care professional of Catholic Charities documents his/her intention to incorporate such records as part of the Catholic Charities' designated record set.

Procedure

The designated record set will consist of the following documents:

1. INITIAL INFORMATION
1.1 Client Rights and Responsibilities/Grievance Policy
1.2 Notice of Privacy Practice
1.3 Authorization to Release Information
1.4 Information sheets requiring client signature
1.5 Fee agreement
1.6 Medical and income documentation

2. ASSESSMENT AND SERVICE PLANNING
2.1 Discharge form (if closed case)
2.2 Service Plans (updates and reviews)
2.3 Comprehensive Service Plan
2.4 Other Assessment Material
2.5 Intake Assessment

3. MEDICAL/PSYCHIATRIC/NURSING
3.1 Medication log sheets
3.2 Psychiatric evaluations and monitoring
3.3 Psychiatric evaluation/diagnostic
3.4 Medical/Nursing assessment (where required)
3.5 Laboratory work related to psychotropic medications
3.6 Medical history self-report questionnaire

4. SERVICE DOCUMENTATION
4.1 Progress notes
4.2 Contact reports

6. PROGRAM SPECIFIC INFORMATION
6.1 Vocational
6.2 Financial
6.3 Personal care
6.4 Homework assignments
6.5 Program specifics (Please define)

Note: Correspondence is NOT part of the designated record set.
Note: The chart format (Attachment A to CP-2.02) is similar to the above but includes the Correspondence Section, which would be information created by outside agencies, court orders, subpoenas, and other correspondence.

Approved 12-03
Reviewed 6-05

HP-1.05 HIPAA Policies and Procedures

CLIENT'S REQUEST TO AMEND HEALTH INFORMATION

Policy

It is the policy of Catholic Charities to guarantee the right of our clients to request an amendment of their health information maintained within the designated record set by Catholic Charities, pursuant to the requirements of the HIPAA Privacy Regulations. Copies of all written requests for amendment of health information and any corresponding documentation shall be maintained within the client's chart. It shall be the duty of the Program Director or designee, under the direction of the Privacy Officer, to process all client requests for amendment of that client's health information pursuant to the procedure set forth below and the federal privacy regulations adopted pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").

Procedure

1. A client's request for amendment shall be made in writing on the Client Request to Amend Health Information form, blank copies of which are to be maintained in the record room. Forms must be filled out completely and signed by the client or the client's legal representative.

2. Upon receipt of the Request to Amend, the recipient of the request form shall document the date of its receipt upon the request form and immediately forward the request form to the Program Director or designee for processing.

3. Within 10 days after receipt of the request, the Program Director or designee shall acknowledge such a request in writing.

4.
All Requests to Amend shall be processed, with action being taken (whether that action is a grant or denial of the request) and the response being sent to the client or legal representative, within forty (40) days of the date of Catholic Charities' receipt of the Request, absent extenuating circumstances. Under extenuating circumstances only, the Program Director or designee and/or Privacy Officer may extend this deadline by no more than an additional fifteen (15) days, so long as a letter explaining the reason for the delay and the date by which the requestor can expect the response to the request is sent to the requestor.

5. Upon receiving the Request, the Program Director or designee and/or Privacy Officer shall, wherever possible, discuss the Request to Amend with those members of the Catholic Charities staff who were originators of the particular health information at issue, for purposes of determining whether the information was complete and accurate as documented.

6. Wherever amendment is granted, in whole or in part, the Program Director or designee and/or Privacy Officer, or the originator of the health information at the request of the Program Director, shall make the appropriate amendment to the client's chart or billing record. The amendment shall clearly identify the records in the designated record set that are affected by the amendment, with a clearly documented link being provided to the location of the amendment within the chart or billing record. The date upon which the amendment was made shall be documented upon the Request for Amendment form.

7.
Immediately upon amending the record, the Program Director or designee and/or the Privacy Officer shall notify the client for the following purposes: To inform the client that the action has been taken; To ask the client to identify any persons who had previously received the health information that is the subject of the amendment, and who may need the amendment; and To obtain the client’s agreement to have Catholic Charities notify such persons who may have relied, or may likely rely in the future, on the information that is the subject of the amendment. The date of the notification of the client shall be documented upon the Request for Amendment form. 8. The Program Director or designee and/or Privacy Officer shall take all reasonable steps to provide the amendment in writing to the following persons, within a reasonable time under the circumstances of the amendment: All persons identified by the client as having received health information about the client and as needing the amendment; and All persons, including business associates, known to have the information at issue that may have relied, or may likely rely in the future, on the original information, to the detriment of the client. The names and addresses of all persons other than the client who have been provided with the amendment shall be documented on the reverse side of the Request for Amendment form (or an attached sheet, if necessary), along with each date of notification. 9. Grounds for denial of a request for amendment under the HIPAA privacy regulations include: The information is accurate and complete. The information was not created by Catholic Charities. (Should the client provide a reasonable basis to believe that the originator of the health information is no longer available to act upon a request to amend, the request should be granted if there are no other applicable grounds for denial.) The information is not part of the Catholic Charities designated record set. 
The information would not be available for inspection under the HIPAA Privacy Regulations, as explained in more detail in Catholic Charities Policy and Procedure for Client Requests for Access to Health Information. In the case of any denial of a client’s request for amendment, the Program Director or designee and/or Privacy Officer shall complete and mail to the client the form entitled “Notice of Denial of Client Request to Amend Health Information,” maintaining a copy of this form in the client’s chart and documenting the date of the mailing of this form upon the Request for Amendment form. 10. The Program Director or designee and/or Privacy Officer shall accept any written statement of disagreement that is submitted by the client whose request for amendment was denied, so 31 long as that statement of disagreement does not exceed one side of an 8½ x 11 inch piece of paper. A copy of any such statement of disagreement should be immediately forwarded to each staff member who was an originator of the health information at issue in the request for amendment. In the alternative, the client may request that Catholic Charities provide a copy of the client’s Request to Amend Health Information and the denial form with any future disclosures of the health information requested to be amended. All such requests shall be honored. Whether or not an express request has been made to do this, the client’s Request to Amend Health Information and the denial form shall become part of the designated record set and shall be included whenever the health information at issue in the Request for Amendment is disclosed. 11. The Program Director or designee and/or Privacy Officer shall work with any staff member who was an originator of the health information at issue in the request for amendment, in the preparation of an appropriate rebuttal statement on behalf of Catholic Charities, to be made a part of the chart or billing record, along with the client’s statement of disagreement. 
Upon incorporating the rebuttal statement into the chart or billing record, a copy of the rebuttal statement shall immediately be mailed to the client by the Program Director or designee/Privacy Officer, and the dates of such actions shall be documented upon the Request for Amendment form. 12. Copies of the client’s Request to Amend Health Information form and all corresponding documentation concerning the grant or denial of the request, including any denial form, any statement of disagreement and any rebuttal statement, shall be maintained within the client’s chart. Where no amendment was made, each portion of the chart or billing record at issue as the result of the Request to Amend shall be marked [with the phrase “Client Request for Amendment” in the margin] to link the information to the portion of the designated record set containing the request form, denial form, statement of disagreement and/or rebuttal form. 13. Should Catholic Charities be informed of an amendment to a client’s health information by another health care provider, health plan or healthcare clearinghouse, the Program Director, or designee/Privacy Officer shall ensure that the amendment is appropriately incorporated into Catholic Charities designated record set. Approved 12-03 Reviewed 6-05 32 Attachment A to HP-1.05 HIPAA Policies and Procedures Catholic Charities, Diocese of Trenton CLIENT REQUEST TO AMEND HEALTH INFORMATION Please complete the following information, printing clearly: Client Name: Date of Birth: (last) (first) (middle) Address: (street) Telephone: (city) (state) (zip code) Name of Your Counselor/Case Manager: What health information or record are you requesting to be amended? (Please include the date of each record.) 
Please state the reason for your request: Please explain exactly how you would like to see the record amended (continue on reverse side if necessary): Signature of Client or Legal Representative ___________________________Date: For Office Use Only Date Request to Amend Received Amendment Granted: Date of Amendment Date of Notice Denial Notice Mailed on Statement of Disagreement: Date Received: Date Added to Record: Request to Attach Request & Denial Date Requested: Date Added to Record: Rebuttal Statement: Date Added to Record: 33 Attachment B to HP-1.05 HIPAA Policies and Procedures Catholic Charities, Diocese of Trenton NOTICE OF DENIAL OF CLIENT REQUEST TO AMEND HEALTH INFORMATION To: (name of client) We have received your Request to Amend Health Information form, dated ________________. There are certain reasons set forth under federal law, which allows us to deny your request. We are denying your request to amend your health information or record for the reason(s) that we have checked off below: 1. The information is accurate and complete. 2. The information was not created by Catholic Charities, Diocese of Trenton. 3. The information is not part of our designated record set. 4. The information would not be available for your inspection under the HIPAA Privacy Regulations. You have the right to submit a written statement of disagreement about this decision. This statement may not be any longer than one side of an 8½ x 11 inch piece of paper, and must be sent or delivered to the Program Director/Privacy Officer of Catholic Charities within thirty (30) days of the date of this letter. If you choose not to submit such a statement of disagreement, you may request that we provide a copy of your Request to Amend Health Information and this denial form with any future disclosures of the information that you requested to be amended. All such requests should be directed to the Program Director/Privacy Officer. 
Please note that you have the right to lodge a complaint with this office by contacting the Privacy Officer, at 609-3945181, extension 150 or complaints may be lodged with the Secretary of the U.S. Department of Health and Human Services. Catholic Charities, Diocese of Trenton By: ____________________________________ 34 Date ______________________ HP-1.06 HIPAA Policies and Procedures CLIENT REQUESTS FOR RESTRICTION OF USES/DISCLOSURES OF PRIVATE HEALTH INFORMATION AND/OR CONFIDENTIAL COMMUNICATIONS Policy It is the policy of Catholic Charities to provide our clients with a process by which they may request the restriction of uses and disclosures of their private health information for purposes of treatment, payment and health care operations, as well as the restriction of any disclosures that may be otherwise permitted for purposes of providing limited information to family or others involved in the client’s care or for notification purposes, in accordance with the HIPAA Privacy Regulations. Catholic Charities will consider all such requests, although Catholic Charities is in no way mandated by the federal HIPAA Privacy Regulations to agree to any such requests. It is also the policy of Catholic Charities to accommodate reasonable requests by clients to receive communications of private health information from Catholic Charities by alternative means or at an alternative location, without explanation from the client as to the reason. It shall be the duty of the Program Director/ Privacy Officer to review, make a determination as to disposition of, and to respond to all such client requests, under the guidelines set forth below: 1. Any client or other individual wishing to make such a request shall do so in writing, upon a Client Request Form for Restriction of Uses/Disclosures of Private Health Information or for Confidential Communications (“Request Form”). 
Blank Request Forms shall be maintained at the record room and shall be provided to any client (or any legal representative) that indicates a desire to request any such restriction or to request confidential communications. 2. Upon receipt of a Request Form, the recipient of the form shall document the date of its receipt upon it and immediately forward it to the Program Director/Privacy Officer. 3. All Request Forms shall be immediately reviewed by the Program Director/Privacy Officer. A response shall be made by Catholic Charities to any such request as soon as reasonably possible, but, in any event, no later than ten (10) days of the date of the Catholic Charities receipt of the Request Form. The date the response is provided to the client shall be documented by the Privacy Officer upon the Request Form. 4. Copies of all Request Forms shall be maintained by Catholic Charities. 5. The ultimate disposition of the request shall be documented by the Program Director/Privacy Officer upon the Request Form, with any restrictions clearly documented both on the Request Form and in the client’s chart, where appropriate. 6. If such a request is granted, Catholic Charities shall not use nor disclose the applicable health information in violation of the restriction, unless the information is necessary to treat the client in an emergency. If the information is disclosed to another healthcare provider under such emergency circumstances, the staff member making the disclosure shall request that that healthcare provider not further uses nor discloses the information. The disclosure, the nature of the disclosure, the name of the person and agency to whom the disclosure was made, the 35 information disclosed, the staff member’s name, title, and date of disclosure must be documented in the record. 7. 
Notwithstanding any granted request for a restriction of uses or disclosures, Catholic Charities is permitted to disclose the information: To the client, or the client’s legal representative, where permitted under an approved request for access; or To an appropriate party under any of the provisions of Section 164.512 of the HIPAA Privacy Regulations (45 C.F.R. §164.512), concerning permitted uses and disclosures for which a consent, an authorization, or opportunity to agree or object, is not required. 8. To terminate any restriction that has been granted, Catholic Charities shall do at least one of the following: Obtain the written agreement of the client, or the client’s legal representative; Obtain the verbal agreement of the client, or the client’s legal representative, and document that verbal agreement in the client’s chart; or Inform the client, or the client’s legal representative, that Catholic Charities is terminating its agreement to the restriction with regard only to health information created or received after the date upon which the client or his/her legal representative is informed of the termination. The date and manner of such a termination of restriction shall be documented upon the Request Form. 9. At no time shall the Program Director/Privacy Officer, or any other staff member receiving a request to receive confidential communications by an alternative means or at an alternative location, require an explanation from the client as to the basis for the request as a condition of providing such communications on a confidential basis. 10. No request to receive confidential communications by an alternative means or at an alternative location shall be granted without the client providing both of the following: The client’s specification of an alternative address or other method of contact; and Information as to how payment will be handled, if appropriate. 11. 
All granted requests for confidential communications shall be documented clearly within the front section of the client’s chart and the front section of the client’s billing file. Approved 12-03 Reviewed 6-05 36 Attachment to HP-1.06 HIPAA Policies and Procedures Catholic Charities, Diocese of Trenton CLIENT REQUEST FOR RESTRICTION OF USES/DISCLOSURES OF PRIVATE HEALTH INFORMATION OR FOR CONFIDENTIAL COMMUNICATIONS FORM Please complete the following information, printing clearly: Client Name: Date of Birth: (last) (first) (middle) Address: (street) Telephone: (city) (state) (zip code) Name of Your Counselor/Case Manager: I am requesting that Catholic Charities restrict the use or disclosure of my private health information in the following way: ________________________________________________________________________ (Please note that Catholic Charities has no obligation to grant this request.) I am requesting that Catholic Charities only contact me by the following alternative means or at the following alternative location: ________________________________________________________________________ Signature of Client or Legal Representative ___________________________Date: If you are the legal representative of the client, please check off the basis for your authority: Power of Attorney (attach copy) Guardianship Order (attach copy) Parent of Minor Other_______________________ Date Received: By: FOR OFFICE USE ONLY Date and Manner Client Informed of Decision: Disposition: Restriction terminated? Date and Manner of Termination: 37 By: HP-1.07 HIPAA Policies and Procedures CLIENT'S REQUEST FOR ACCOUNTINGS OF DISCLOSURES OF HEALTH INFORMATION Policy It is the policy of Catholic Charities to guarantee the right of our clients to obtain an accounting of disclosures of their health information, by Catholic Charities and/or Catholic Charities business associates, pursuant to the requirements of the HIPAA Privacy Regulations. 
In order to be able to account for disclosures under these regulations, it is the policy of Catholic Charities that staff members document within the client’s chart [upon the Disclosure Sheet] the following information about each disclosure of health information: (a) the date of the disclosure, (b) the name and address of the recipient of the information, (c) a brief description of the information disclosed, and (d) the general purpose of the disclosure of health information. Copies of all authorizations and/or other written requests for disclosures shall be maintained within the client’s chart. Documentation of the following types of disclosures is not required: Disclosures to carry out treatment, payment, and/or health care operations of the Organization; Disclosures of health information to the client or to the client’s legal representative; Disclosures made pursuant to an Authorization signed by the client or the client’s legal representative; Disclosures permitted under the HIPAA Privacy Regulations to be made to family members or other persons involved in the client’s care (and/or payment for care) and/or to family members or other persons for notification purposes; Disclosures for national security or government intelligence purposes; Disclosures to correctional institutions and/or law enforcement officials, where the client, at the time, was in custody; Disclosures occurring prior to April 14, 2003. It shall be the duty of Program Director or designee under the direction of the Privacy Officer to process all client requests for accountings of disclosures of that client’s health information, and to prepare a complete accounting under the HIPAA Privacy Regulations and the guidelines set forth below: 1. A client’s request for an accounting shall be made in writing on the Client Request Accounting of Disclosures form, blank copies of which are to be maintained in the record room. 
Forms must be filled out completely, and signed by the client or the client’s legal representative. 2. A client does not have the right to receive an accounting of any disclosures made prior to April 14, 2003, or made more than six (6) years prior to the date of the Request. 38 3. Upon receipt of the request, the recipient of the request shall document the date of its receipt upon the request form and immediately forward the request to Program Director or designee and the Privacy Officer. 4. Each Request for Accounting shall be processed, with an accounting being prepared and sent to the client or legal representative, within sixty (60) days of the date of Catholic Charities receipt of the request, absent extenuating circumstances. Under extenuating circumstances only, the Program Director/Privacy Officer may extend this deadline by no more than an additional thirty (30) days, so long as a letter explaining the reason for the delay and the date that the requestor can expect the accounting to be completed, is sent to the requestor prior to the expiration of the usual sixty (60) day deadline. 5. Each client has the right to one accounting within each calendar year, free of charge. The cost of each additional accounting for that client within the same calendar year, shall be $10.00, which is based upon the cost of preparing such an accounting. Whenever this charge is applicable to a Request for Accounting, the requestor shall be notified of this charge in writing, and no such request shall be processed further until payment has been made. Documentation of this notification of the charge shall be made upon the request form. 6. Upon receiving the request, the Program Director or designee shall review the client’s chart for documentation of disclosures (other than the types described above) for which an accounting may be prepared. 
The Program Director or designee shall contact each business associate to whom protected health information of the client has been disclosed; a list of all disclosures made during the relevant period (other than the types described above) by each such business associate shall be obtained from that business associate. A written accounting shall be prepared for the client or the client’s legal representative listing the following information about each disclosure of health information by Catholic Charities and/or its business associates: (a) the date, (b) the name and address of the recipient of the information, (c) a general description of the information disclosed, and (d) the general purpose of the disclosure. 7. Copies of the client’s Request for Accounting and the written accounting shall be maintained within the client’s chart. Approved 12-03 Reviewed 6-05 39 Attachment A to HP-1.07 HIPAA Policies and Procedures Catholic Charities, Diocese of Trenton DISCLOSURE SHEET Client Name: Date of Disclosure Social Security Number: Name and address of recipient of information Brief description of information disclosed 40 Purpose of disclosure Staff Initials Attachment B to HP-1.07 HIPAA Policies and Procedures RECORDS RELEASE AUTHORIZATION Client Name:_____________________ Date of Birth:_____________ SS#:_______________ I, ________________________________________________________, hereby authorize ______________________________________________________________________________ (Name) (Organization) ______________________________________________________________________________ (Street Address) (City/State) (Zip Code) To Obtain: _____ Release: _____ the following information (Please check all that apply): ___Medical History ___Treatment Plans ___Summary of Treatment/Progress ___Psychiatric History ___Medication History ___Attendance and Cooperation ___Laboratory Tests ___Psychiatric Evaluation ___Student Evaluation/Records ___Psychological Tests ___Social Work Assessment 
___HIV/AIDS ___Admission Record ___Service History ___Other: ___________________ ___Diagnosis This information is to be released to: _______________________________________________ Obtained from:_________________________________________________________________ Person Name: __________________________________________________________________ Organization: __________________________________________________________________ Street Address: ________________________________________________________________ City, State, Zip Code: ___________________________________________________________ The purpose or need for such disclosure is: ___________________________________________ ______________________________________________________________________________ This information may be given (indicate frequency):____________________________________ This authorization expires (specify one option): in 90 days ________________ If selected, this date will not exceed 1 year & will be (specify date) updated at service plan review preceding expiration date. ____________________________ (specify event or condition) I understand I have the right to revoke this authorization at any time. I may not revoke it to the extent that action has been taken in reliance thereon. In order to revoke this authorization, I understand I must revoke it in writing to Catholic Charities. Catholic Charities has forms to use if you wish to revoke this authorization before it expires. I understand that Catholic Charities may not require that I sign this authorization in order to obtain treatment, and that with certain limited exceptions I have the right to inspect the information disclosed subject to provision NJAC 10.37-6.79,4ii, respecting client access to records. I understand that information used or disclosed under this authorization could potentially be redisclosed by the person receiving the information and may no longer be subject to the privacy protections provided to me by law. 
I understand that my records may be protected under the 41 federal regulations governing Confidentiality of Alcohol and Drug Abuse Client Records (42 CFR, Part 2). I have read this authorization, or had it explained to me and understand its contents: ___________________________________________________________ _________________ Signature of Patient or Person Authorized by Law to Give Consent Date ___________________________________________________________ _________________ Signature of Witness Date If you are the legal representative of the person listed above, please check the basis of your authority: __Power of attorney (attach copy) ___Parent of minor __Guardianship order (attach copy) ___Other: ______________________________ Additional witness signature for verbal consent: ________________________ _____________ Signature Date COPY OFFERED: __________Accepted _________Rejected Approved 12-03 Revised 12-04 Approved 6-05 42 HP-1.08 HIPAA Policies and Procedures APPLICATION OF "MINIMUM NECESSARY" CRITERIA FOR USE AND DISCLOSURE OF HEALTH INFORMATION Policy It is the policy of Catholic Charities to ensure that its staff members only request, use and/or disclose the minimum amount of a client’s individually identifiable health information that is necessary to achieve the intended purpose of the permitted use or disclosure. This Policy does not apply to: Disclosures to, or requests or use by, a health care provider for purposes of treatment; Disclosures to the client, the client’s legal representative, or anyone designated to receive such information in an Authorization form signed by the client or the client’s legal representative; or Disclosures required to be made to the Secretary of the Department of Health and Human Services or its agent. 1. 
For all other requests, uses and/or disclosures of individually identifiable health information by any member of Catholic Charities staff, the following criteria shall be applied prior to making such a request, use or disclosure: There must be a determination that the information to be used or disclosed does not include any information beyond that which is specifically requested, in terms of scope of time, type of information, etc.; There must be a determination that the information to be requested, used or disclosed does not include any information beyond what a reasonable person would believe is needed for the stated purpose; and There must be a determination that the amount and type of information to be requested, used or disclosed cannot be reduced or limited any further without adversely affecting the ability to use the information for its stated purpose. 2. Each member of Catholic Charities staff may only access the minimum information that is necessary to perform that workforce member’s particular job functions, as defined in his/her job description. 3. At no time shall any staff member review any portion of any client’s chart or billing information that is not required by his/her specific job duties. Reviewed 12-4 Approved 12-03 Reviewed 6-05 43 HP-1.09 HIPAA Policies and Procedures SUBPOENAS AND COURT ORDERS Policy Catholic Charities will respond to subpoenas and court orders in a manner consistent with State and Federal law. Subpoena Procedure Protected health information shall not be released pursuant to a subpoena unless instructed to do so by counsel for the agency. Staff shall not provide testimony in response to a subpoena unless instructed to do so my counsel of the agency. 1. Upon receipt of a subpoena, the staff member will immediately notify his immediate supervisor/Program Director 2. The Program Director will notify the Division Director immediately and/or Director of Behavioral Health Services after Division Director. 3. 
The Division Director shall contact legal counsel for advice. Note: If there is any disclosure in response to the subpoena, the Program Director shall document this disclosure on the subpoena or attach the cover letter maintained in the client’s record. Court Order Procedure 1. Upon receipt of a court order, the staff member shall immediately provide a copy to the Program Director and Division Director. 2. The Division Director shall contact Legal Counsel for advice. 3. The Program Director shall disclose only the protected health information expressly requested in the court order, unless advised to the contrary. The Program Director shall document this disclosure in the cover letter or document on the court order in the client’s record. Revised 12-04 Approved 12-03 Revised 12-04 Approved 6-05 44 HP-1.10 HIPAA Policies and Procedures CLIENT PRIVACY COMPLAINTS Policy It is the policy of Catholic Charities to provide our clients with a process by which they may complain and/or make suggestions or other comments about our privacy policies and procedures and our compliance with the requirements of the HIPAA Privacy Regulations. Catholic Charities will in no way discriminate against, or take any form of retaliatory action against, any individual for exercising his/her right to file a complaint pursuant to this process, for exercising any other right described in the HIPAA Privacy Regulations, for filing a complaint with the Secretary of the U.S. Department of Health and Human Services, or for assisting in any way with any investigation, compliance review, proceeding or hearing under the HIPAA Privacy Regulations. Catholic Charities will never require any individual to waive his/her right to file a complaint pursuant to this process, or any other right described in the HIPAA Privacy Regulations, as a condition for treatment. 
It shall be the duty of Privacy Officer to receive and to process all client complaints, and to respond to clients’ requests for information about Catholic Charities privacy practices, under the guidelines set forth below: 1. Any client or other individual wishing to make a complaint shall, whenever possible, be offered a Privacy Complaint Form upon which their complaint, suggestions and/or other comments may be fully explained. Blank Privacy Complaint Forms shall be maintained at the record room. 2. Each privacy complaint made verbally shall be documented by the Privacy Officer on a blank Privacy Complaint Form/in a Complaint Log. Such documentation shall include: the date the complaint was made; the name of the complainant; whether the complainant was a client, legal representative, a client’s family member, or an unrelated person; a description of the discussion in which the complaint was voiced; any suggestions made by the complainant; and the name of the staff member receiving the complaint. 3. Upon receipt of a Privacy Complaint Form, the recipient of the complaint shall document the date of its receipt upon the complaint form and immediately forward the complaint form to Privacy Officer. 4. All complaints, whether written or oral, shall be immediately reviewed by Privacy Officer. A response shall be made by Catholic Charities to any privacy complaint within thirty (30) days of the date of Catholic Charities receipt of the complaint, absent extenuating circumstances. Under extenuating circumstances, the Privacy Officer may extend this deadline as necessary, so long as a letter explaining the reason for the delay and the date that the complainant can expect a disposition on the complaint, is sent to the complainant prior to the expiration of the 45 thirty (30) day deadline. The date the response is sent shall be documented by Privacy Officer upon the Privacy Complaint Form. 5. 
Copies of all written Privacy Complaint Forms shall be maintained by Catholic Charities. 6. The ultimate disposition of the complaint shall be documented by the Privacy Officer upon the Privacy Complaint Form, whenever a complaint form exists. Whenever a verbal complaint is received and documented in the Complaint Log, the ultimate disposition of the complaint, as well as the date of the response, shall also be documented within the Complaint Log. 7. Client complaints about privacy issues shall not be documented within the client’s chart. 8. All requests for information about Catholic Charities privacy practices, shall be responded to by Privacy Officer as soon as reasonably possible, but, in any event, no later than ten (10) days from the date of the request. Reviewed 12-04 Approved 12-03 Reviewed 6-05 46 Attachment A to HP-1.10 HIPAA Policies and Procedures Catholic Charities, Diocese of Trenton Address: PRIVACY COMPLAINT FORM Name: _________ Telephone: Mailing Address: City/State/Zip Code: Are you a client of Catholic Charities? Yes No If you answered “No", what is your relationship to Catholic Charities (family member of client, legal representative of client, etc.)? 
Please explain your complaint about our privacy practices, providing details as appropriate (continue on reverse side, if necessary): Please provide us with any suggestions as to how we may improve our privacy practices: Signature: ____________________________________________ Date: _____________ Date Received: By: Disposition: FOR OFFICE USE ONLY Date Response Sent: 47 Attachment A to HP-1.10 HIPAA Policies and Procedures Catholic Charities, Diocese of Trenton COMPLAINT/COMMENT LOG Date Name of Complainants Relationship to Client Nature of the Complaint 48 Suggestions to Improve Staff Member Receiving Complaint Disposition HP-1.11 HIPAA Policies and Procedures WORKFORCE PRIVACY TRAINING AND SANCTIONS FOR VIOLATIONS OF PRIVACY POLICIES Policy It is the policy of Catholic Charities to safeguard the private health information of its clients by imposing appropriate sanctions for any breaches of confidentiality, or violations of Catholic Charities information privacy policies, committed by any member of Catholic Charities workforce. This policy shall apply to all employees, volunteers, and any other persons designated as members of Catholic Charities workforce, whether or not receiving payment from Catholic Charities. Catholic Charities shall mitigate, to the extent practical, any harmful effects or unauthorized uses or disclosures of protected health information by the entity or any of its business associates. It is further the policy of Catholic Charities that each member of its workforce shall receive training on the privacy policies of Catholic Charities applicable to his/her job functions, including but not limited to this policy as it relates to sanctions. Privacy training shall be conducted, under the supervision of the Privacy Officer, under the guidelines set forth below: 1. Training shall be provided to each new member of Catholic Charities staff on the privacy policies of Catholic Charities applicable to his/her job functions. 
Such training shall be completed within the staff member’s orientation period, prior to the staff member’s unsupervised access to clients’ private health information.

2. Completion of the privacy training for each staff member shall be documented within the staff member’s personnel file, and shall include a statement of the scope of training, the date completed, and the signature of the staff member supervising the training.

3. Should any material change be made to any privacy policies that would require the publication of a revised Notice of Privacy Practices under the federal HIPAA Privacy Regulations, each staff member shall receive training on the revised privacy policies applicable to his/her job functions. Wherever possible, this training shall be completed prior to the effective date of the revised Notice of Privacy Practices, but, in any event, within 30 days of the effective date of the revised Notice of Privacy Practices.

4. Upon completion of privacy training, all workforce members shall sign a confidentiality agreement, acknowledging completion of the training and understanding of Catholic Charities privacy policies. This will be filed in the personnel file.

5. It shall be the duty of the Privacy Officer to make a recommendation to the Director of Human Resources and the Associate Executive Vice President, as to sanctions to be imposed for any breach of client confidentiality and/or for violation of any information privacy policy by any member of the staff of Catholic Charities, considering the severity of the particular breach or violation.

6. Sanctions shall be imposed within the appropriate sanctions range by the Director of Human Resources or, where appropriate, the Privacy Officer in conjunction with the Director of Human Resources and Associate Executive Director, upon finding that any of the following categories of breaches of client confidentiality and/or violations of information privacy policies has been committed by any workforce member:

Negligent or Unintentional Breach of Client Confidentiality and/or Violation of Privacy Policy: Sanctions Range A

Actions Demonstrating Intent or Willfulness to Breach Client Confidentiality and/or to Violate Privacy Policy: Sanctions Range B

Breach of Client Confidentiality or Violation of Privacy Policy, Resulting in (or with the Intention to Result in) Pecuniary Gain to the Workforce Member or the Organization: Sanctions Range C

Knowingly Participating in an Action of Another that Breaches Client Confidentiality and/or Violates Privacy Policy: Sanctions Range C

Participation in Intimidating or Threatening Acts Against Any Individual who Exercises any Right Provided by the federal HIPAA Privacy Regulations, and/or Threatening and/or Coercing an Individual to Waive any Right Provided by the federal HIPAA Privacy Regulations: Sanctions Range C

Particular sanctions imposed shall be at the discretion of the Human Resources Director, with the recommendation of the Privacy Officer, but must always fall within the applicable sanctions range:

Sanctions Range A
Written Warning
Probation (3 month, 6 month or 1 year) (the terms of which shall include immediate termination upon any breach of client confidentiality or violation of privacy policy during term of probation)
Suspension with Pay
Suspension without Pay
Termination (with or without immediate removal from premises)

Sanctions Range B
Probation (1 year) (the terms of which shall include immediate termination upon any breach of client confidentiality or violation of privacy policy during term of probation)
Suspension with Pay
Suspension without Pay
Termination (with or without immediate removal from premises)

Sanctions Range C
Suspension without Pay
Termination (with immediate removal from premises)

All such sanctions imposed shall be consistent with the terms of (and imposed pursuant to the processes set forth in) any applicable collective bargaining agreement and/or employment contract in place at the time.

7. Should a staff member receive two written warnings, the lowest minimum sanction that may be imposed is a one-year probation, the terms of which shall include immediate termination upon any breach of client confidentiality or violation of any privacy policy during the term of the probation.

8. Breaches of confidentiality and/or violations of privacy policies shall be sanctioned pursuant to these guidelines, whether occurring within or outside of the workplace.

9. All written warnings and documentation of sanctions imposed shall be maintained in the staff member’s personnel file.

10. Any staff member against whom sanctions have been imposed pursuant to this policy shall have the right to submit a written statement of disagreement or explanation to the Director of Human Resources and/or the Privacy Officer. All such statements shall be maintained within the staff member’s personnel file for so long as the documentation of the sanction is maintained.

11. The Director of Human Resources, or the Privacy Officer acting in conjunction with the Associate Executive Director, shall at all times have the ability to lift a previously imposed sanction should the allegation later be determined to be unfounded. Should any such sanction be lifted, all documentation of the sanction shall be removed from the personnel file of the staff member, and shall be placed in a confidential file maintained by the Privacy Officer to be used only for purposes of compliance with the documentation requirements of the federal HIPAA Privacy Regulations.
Approved 12-03 Reviewed 6-05

HP-1.12 HIPAA Policies and Procedures
RETENTION OF HEALTH INFORMATION AND DOCUMENTATION OF COMPLIANCE WITH HIPAA PRIVACY REGULATIONS, AND APPROPRIATE DESTRUCTION OF CLIENT HEALTH INFORMATION

Policy
It is the policy of Catholic Charities to retain clients’ health information and documentation of compliance with the HIPAA Privacy Regulations, pursuant to the following schedule:

Client’s Medical/Treatment Chart: Minimum of 7 years from last date of treatment. If the client is under the age of 18, the chart shall be retained for at least 7 years after the client’s 18th birthday.

Drug and Alcohol Records: Minimum of 10 years from last date of treatment. If the client is under the age of 18, the record is maintained for 10 years after the client’s 18th birthday.

Client’s Billing File: Minimum of 7 years from last date of treatment. If the client is under the age of 18, the billing file shall be retained for at least 7 years after the client’s 18th birthday.

Psychotherapy Notes: Minimum of 7 years from last date of treatment, whichever is later. If request involves a client under the age of 18, request form shall be retained for at least 7 years after the client’s 18th birthday.

Each Version of Notice of Privacy Practices: 7 years from last date in effect.

Authorization Forms: 7 years from expiration date. If request involves a client under the age of 18, request form shall be retained for at least 7 years after the client’s 18th birthday.

Responses to Requests for Release of Client Information Pursuant to Authorization Form: 7 years from date of response to request for release of information. If request involves a client under the age of 18, request form shall be retained for at least 7 years after the client’s 18th birthday.

Warrants, Subpoenas, Court Orders and/or Administrative/Governmental Requests Concerning Release of Client Information: 7 years from date of response. If request involves a client under the age of 18, request form shall be retained for at least 7 years after the client’s 18th birthday.

Responses to Warrants, Subpoenas, Court Orders and/or Administrative/Governmental Requests Concerning Release of Client Information: 7 years from date of response. If request involves a client under the age of 18, request form shall be retained for at least 7 years after the client’s 18th birthday.

Requests for Accounting: Minimum of 7 years from date of accounting. If request involves a client under the age of 18, request form shall be retained for at least 7 years after the client’s 18th birthday.

Disclosure Sheets [Client’s Disclosure Information Maintained in Computerized Database and/or Print-Out Form]: Minimum of 7 years from last date of treatment. If disclosure sheets involve a client under the age of 18, all disclosure sheets shall be retained for at least 7 years after the client’s 18th birthday.

Accountings of Disclosures: Minimum of 7 years from date of accounting. If accounting involves a client under the age of 18, all accountings produced shall be retained for at least 7 years after the client’s 18th birthday.

Requests for Restriction on Uses and/or Disclosures and/or for Confidential Communications: Minimum of 7 years from date of response to or denial of request. If request involves a client under the age of 18, request forms shall be retained for at least 7 years after the client’s 18th birthday.

Denials of Requests for Restriction on Uses/Disclosures and/or for Confidential Communications: Minimum of 7 years from date of denial of request. If response involves a client under the age of 18, response shall be retained for at least 7 years after the client’s 18th birthday.

Responses to Requests for Restriction on Uses/Disclosures and/or for Confidential Communications, where Request has been Granted: Minimum of 7 years from last date of treatment. If request involves a client under the age of 18, request form shall be retained for at least 7 years after the client’s 18th birthday.

Complaint Forms Concerning Privacy Practices: Minimum of 7 years from date of response to complaint. If complaint involves a client under the age of 18, complaint forms shall be retained for at least 7 years after the client’s 18th birthday.

Responses to Complaint Forms Concerning Privacy Practices: Minimum of 7 years from date of response to complaint. If complaint involves a client under the age of 18, response to complaint shall be retained for at least 7 years after the client’s 18th birthday.

Requests for Amendment of Health Information: Minimum of 7 years from date of response to request. If request involves a client under the age of 18, request form shall be retained for at least 7 years after the client’s 18th birthday.

Responses to or Denials of Requests for Amendment of Health Information: Minimum of 7 years from date of response to complaint. If complaint involves a client under the age of 18, response to request for amendment shall be retained for at least 7 years after the client’s 18th birthday.

Requests for Access to Health Information by Clients and/or Legal Representative: 7 years from date of response to or denial of request, or from date of reviewing official’s letter of decision (if review requested).

Responses to or Denials of Requests for Access to Health Information by Clients and/or Legal Representative, with or without Requests for Review of Access Denial: 7 years from the date of response to or denial of request, or from date of reviewing official’s letter of decision (if review requested), or 7 years past the client’s 18th birthday.

Decisions of Reviewing Official on Review of Access Denial: 7 years from the date of reviewing official’s letter of decision or 7 years past the client’s 18th birthday.

Copies of Powers of Attorney, Guardianship Orders, Letters of Administration, Letters Testamentary, Custody Orders, or Other Proof of Status of Legal Representative: As long as the client’s medical chart and/or billing record [or consent for use/disclosure for treatment, payment or healthcare operations and/or acknowledgment of receipt of notice of privacy practices] is maintained.

Policies and Procedures Concerning Maintaining, Retaining, Safeguarding, Requesting, Using and/or Disclosing Health Information and Related Documentation: 7 years from last date policy or procedure was in effect.

All Versions of [Job Descriptions] [Schedule/Table of Workforce Access Determinations pursuant to Minimum Necessary Standard]: 7 years from last date each version of [job description/table of workforce access determinations] was in effect.

All Versions of Personnel and Other Designations Made Pursuant to the HIPAA Privacy Regulations: 7 years from last date each version of personnel or other designation was in effect.

Contracts with “Business Associates” as defined by HIPAA Privacy Regulations: 7 years from expiration date of contract or from termination of contract, whichever occurs first.

Correspondence to and/or Received from HIPAA Business Associates Concerning Breach, Accounting of Disclosures, Amendment of Information, Termination of Agreement Due to Breach, Destruction or Return of Information, or Other HIPAA-related Obligations: 7 years from date of most recent correspondence.

Certificates of Destruction by Third Party (including HIPAA Business Associates): Indefinitely.

Destruction Log: Indefinitely.

Documentation of Completion of Workforce Training: 7 years from last date of employment.

Personnel File Documentation of Workforce Privacy Sanctions Applied: 7 years from date of completion of workforce sanction.

It is further the policy of Catholic Charities that whenever destruction of client health information of any sort, or other related documents, is permitted pursuant to this
retention schedule, destruction shall be completed pursuant to the following guidelines:

1. Documents shall only be destroyed by a process of [cross-cut] shredding [and/or incinerating] each document, leaving no readily readable portion of the document.

2. Immediately upon destruction of any documentation listed in the schedule above, the workforce member charged with the duty of destruction shall document in the Destruction Log: the date of destruction; a description of the documents destroyed, consistent with the titles in the schedule above, including where appropriate the name of the client(s) to whom individually identifiable health information relates and the admission and discharge dates; the manner of destruction; and the signature of the person completing the destruction.

3. When destruction of any such documentation is completed by anyone other than a member of the workforce of Catholic Charities, including a business associate of the Organization, a Certificate of Destruction shall be obtained including the information required in Paragraph 2, above.

4. It shall be the responsibility of all staff members to deposit, for appropriate destruction, any and all copies of documents containing individually identifiable health information, as soon as this information is no longer in use. Covered containers for such deposits shall be maintained [in the copy room, in the printer access area, etc.]. It shall be the duty of [the receptionist/the runner/etc.] to shred all documents placed into each such covered container daily.

Approved 12-03 Reviewed 6-05

HP-1.13 HIPAA Policies and Procedures
STORAGE OF PROTECTED HEALTH INFORMATION

Policy
All client records and protected health information shall be maintained in a secure room, locked file cabinet, or other similar secured area when not in use. Safeguards are taken to prevent loss from fire, water damage, theft and any breaches of confidentiality.

Procedure

1. All client records and protected health information are stored in a locked file cabinet in a secured location.

2. Records may be filed according to medical record number or alphabetically in order to facilitate retrieval by authorized staff.

3. Access to client records and protected health information shall be limited to staff members on a need-to-know basis and as otherwise permitted by law or these policies and procedures.

4. Records may be removed from secured locations for treatment, payment and healthcare operations purposes through the use of a sign-out sheet/log book system or similar process wherein information is recorded indicating the location, the date and the borrower of the record.

5. Client records and protected health information shall not be removed from Catholic Charities, except for purposes relating to treatment and healthcare operations, with the permission of the Division Director/Program Director.

6. All staff and volunteers who are designated to come in contact with protected health information will read, understand and be able to ask questions about the Agency Policies on disclosure, confidentiality, access to records and other HIPAA documents. Each staff member/volunteer will sign a confidentiality statement.

7. Outside of working hours, staff members must clear desks and working areas such that all protected health information is properly secured, unless the immediate area can be secured from unauthorized access.

8. When not in use, protected health information shall always be protected from unauthorized access. When left in an unattended room, such information must be appropriately secured. If protected health information is stored on a disk or other component of a personal computer, it must be protected by a password or encryption. Unless encrypted, when not in use, the media must be secured from unauthorized access.
If protected health information is stored on diskettes, CD-ROMs or other removable data storage media, it cannot be commingled with other electronic information.

9. Printing and Copying of Protected Health Information.

9.1 Printed versions of protected health information should not be copied indiscriminately or left unattended and open to compromise.

9.2 Printers and copiers used for printing protected health information should be in a secure, non-public location. If equipment is in a public location, the information being printed or copied should be strictly monitored. (See policy on fax/copiers.)

9.3 Protected health information printed to a shared printer shall be promptly removed.

Approved 12-03 (Replaces CP 2.01 and 2.03) Reviewed 6-05

HP-1.14 HIPAA Policies and Procedures
DISCLOSURE OF DE-IDENTIFIED INFORMATION

Policy
Catholic Charities has the option to use protected health information in a de-identified format. Once protected health information is de-identified, it is not subject to the privacy rule.

Note: If Catholic Charities discloses a key or another mechanism for re-identification of the protected health information, the exemption to the privacy rules no longer applies and a client authorization is required prior to use.
Procedure
Protected health information may be considered not individually identifiable in either of the following circumstances:

(a) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods determines that the risk is very small that the information could be used, alone or with other reasonably available information, to identify the individual who is the subject of the information; or

(b) The following identifiers of the individual (and of relatives, employers or household members) are removed: names; information relating to the individual’s geographic subdivision if it contains fewer than 20,000 people; elements of dates (except year) directly related to the individual, and all ages and elements of dates that indicate age for individuals over 89, unless aggregated into a single category of age 90 and older; telephone numbers, fax numbers and e-mail addresses; social security and medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; biometric identifiers; full face photographic images; and any other unique identifying number, characteristic or code.

1. Protected health information can be de-identified as follows:

1.1 The following data must be removed:
Name
Location of the client (can use state, but nothing more specific)
Dates (admission dates, birth dates, encounter dates/service dates, etc.)
Numerical identifiers (addresses, telephone, email, fax numbers, zip codes, social security numbers, etc.)

1.2 The following data may be used:
Age
Race
Ethnicity
Marital Status

2. Catholic Charities is prohibited from disclosing the mechanism for re-identification.
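The removal rules in 1.1 and 1.2 above, applied to a client record, as an added Python example that is not code from the manual or from Catholic Charities. The record field names (medical_record_number, notes, and so on) and the sample record are constructed for illustration; the approach is deny by default, so anything not on the 1.2 list is dropped rather than relying on a list of things to strip.

```python
"""De-identify a client record by the HP-1.14 rules (added example).

Only the fields section 1.2 says may be used pass through; dates are
reduced to the year (the identifier list permits the year); ages over 89
collapse into "90 and older"; location is reduced to the state; every
other field (names, numeric identifiers, free text) is dropped. A second
function scans text for identifier patterns so a record can be rejected
before release if something slipped through. Field names are assumptions.
"""
import re
from datetime import date
from typing import Any

# Section 1.2: data that may be used after de-identification.
ALLOWED_FIELDS = ("age", "race", "ethnicity", "marital_status")

# Section 1.1: full dates must be removed; only the year may survive.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "service_date")

# Identifiers that must never appear in released text: SSN, US phone or
# fax number, e-mail address, full calendar date, ZIP code.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def aggregate_age(age: int) -> str:
    """Ages over 89 may only be reported as the single '90 and older' bucket."""
    return "90 and older" if age > 89 else str(age)


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a new record holding only what HP-1.14 allows to be used."""
    out: dict[str, Any] = {}
    for field in ALLOWED_FIELDS:
        if field in record:
            out[field] = record[field]
    if "age" in out:
        out["age"] = aggregate_age(int(out["age"]))
    # Location: the state may be kept, nothing more specific. The street
    # address, city and ZIP live in other fields that are never copied.
    if "state" in record:
        out["state"] = record["state"]
    for field in DATE_FIELDS:
        value = record.get(field)
        if isinstance(value, date):
            # A birth year for someone over 89 would itself reveal the age,
            # so it is dropped along with the rest of the date.
            if field == "birth_date" and out.get("age") == "90 and older":
                continue
            out[field.replace("_date", "_year")] = value.year
    return out


def find_identifiers(text: str) -> list[str]:
    """Names of the identifier patterns present in a piece of text (sorted)."""
    return sorted(name for name, rx in IDENTIFIER_PATTERNS.items() if rx.search(text))


def check_release(record: dict[str, Any]) -> list[str]:
    """Reasons a record must not be released as de-identified; empty means clear."""
    problems = []
    for key, value in record.items():
        if key not in ALLOWED_FIELDS and key != "state" and not key.endswith("_year"):
            problems.append(f"disallowed field: {key}")
        if isinstance(value, str):
            for hit in find_identifiers(value):
                problems.append(f"{hit} found in field {key}")
    return problems


# Constructed sample record; not real client data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "medical_record_number": "MRN-0012345",
    "ssn": "123-45-6789",
    "address": "12 Example St, Trenton, NJ 08608",
    "state": "NJ",
    "phone": "609-555-0100",
    "email": "jane@example.org",
    "birth_date": date(1912, 5, 17),
    "admission_date": date(2004, 3, 2),
    "age": 91,
    "race": "White",
    "ethnicity": "Not Hispanic or Latino",
    "marital_status": "Widowed",
    "notes": "Client can be reached at 609-555-0100 after 5pm.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("release problems (clean):", check_release(clean))
    print("release problems (raw):", check_release(SAMPLE_RECORD))
```

Running the check against the raw record shows why the allow-list matters: the free-text notes field carries a phone number that a field-by-field strip of the 1.1 list would have missed.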
Approved 12-03 Reviewed 6-05

HP-1.15 HIPAA Policies and Procedures (aka AP-4.05)
COMPUTER, E-MAIL, AND INTERNET USAGE POLICIES

This document sets forth Catholic Charities’ policies with regard to computer, e-mail, and Internet usage, including access to, review or disclosure of e-mail messages sent or received by Catholic Charities’ employees, and Internet access and usage. Catholic Charities reserves the right to modify or update these policies at any time. Use of the computer system, e-mail system, or the Internet in violation of these policies or other Catholic Charities’ policies is a serious violation and can result in a loss of access, disciplinary action (including termination), or other legal actions. All employees and volunteers will be required to read the Computer, E-Mail, and Internet Usage Policies and sign the Acknowledgement of Understanding (Attachment A).

1. Use for Business Purposes Only; Catholic Charities’ Access and Review

1.1 Catholic Charities’ Computer Systems. The Catholic Charities computer system, e-mail system, and Internet access are provided to approved employees at Catholic Charities’ expense solely to assist them in carrying out Catholic Charities’ business. The e-mail system permits employees to communicate with each other internally and with selected outside individuals and companies. Internet access permits approved employees to use resources at appropriate Internet sites to help them perform their duties and carry out Catholic Charities’ business. Catholic Charities owns, maintains and is responsible for the computer system. Employees must limit use of the computer system, including e-mail and access to the Internet, to the business purposes of Catholic Charities and only to obtain and transmit information in accordance with Catholic Charities’ policies and procedures.
1.1.1 In order to maintain the integrity and the security of Catholic Charities’ Information Technology (IT) infrastructure, software and databases, Internet access will be used only for the business purposes of Catholic Charities. Access to Anasazi and Outlook e-mail is available to all Catholic Charities’ employees. Any staff member requiring access to the Internet beyond Anasazi and Outlook e-mail will require justification and approval from the Program Director, the Division Director/Department Head, and the IT Manager. (See Attachment B: Request for Internet Access form.)

1.2 Access and Review of E-Mail Communications and Internet Usage. Catholic Charities treats all messages sent, received or stored in the e-mail system as business messages. Catholic Charities has the capability to access, review, copy, and delete any messages sent, received, or stored on the e-mail system. Catholic Charities has the ability to access deleted messages. Catholic Charities has the capability to monitor employees’ Internet usage, including the time spent on-line and the sites accessed. Catholic Charities reserves the right to monitor, access, review, audit, intercept, use, copy, or delete e-mail messages of any kind for any purpose and to disclose them to any party (inside or outside Catholic Charities). Catholic Charities reserves the right to review files and communications to maintain system integrity and ensure that users are using the system appropriately, responsibly and in accordance with Catholic Charities’ policy and procedures.

1.3 E-Mail Etiquette. Employees should bear in mind that their e-mail messages may be read by someone other than the person to whom they are addressed and may even someday have to be disclosed to outside parties or a court in connection with litigation. Accordingly, employees are directed to ensure that their messages are courteous, professional and businesslike. E-mail messages, once sent, are usually irretrievable.
Employees should be sensitive to the fact that, in the absence of an explanation, e-mail messages may be ambiguous and convey the wrong impression. This is of specific concern when a message is being forwarded to multiple recipients. Rather than quickly sending messages without adequate review, employees should consider printing the messages and reading them prior to distribution to ensure that their content is completely appropriate. The “everyone@cctrenton.org” address is to be used for business purposes only.

1.4 E-mail and Confidentiality of Protected Health Information. At no time should any protected health information of any client be transmitted via electronic mail outside of the Catholic Charities network, unless it is encrypted. Due care shall be used when transmitting private health information of any client by electronic mail within the Catholic Charities internal network, to prevent the transmittal and/or receipt of such information by any staff member not authorized to have access to the information. Staff members shall not forward to any third party outside of Catholic Charities any e-mail messages that contain any form of individually identifiable health information, unless expressly authorized by the client on a signed authorization for use/disclosure of health information form. Catholic Charities will incorporate e-mail messages sent or received that concern the diagnosis or treatment of a client, or payment for treatment, into the client’s chart and/or billing file and shall maintain such information with the same degree of confidentiality as the remainder of the client’s chart and billing file.

1.5 Storing and Deleting E-Mail Messages. Catholic Charities strongly discourages the storage of large numbers of e-mail messages for a number of reasons. First, because e-mail messages may contain confidential information, it is desirable to limit the number, distribution, and availability of such messages.
Second, retention of messages consumes storage space on the network and personal computer hard disks, and can slow down the performance of both the network and individual personal computers. Finally, in the event that Catholic Charities needs to search the network server, back-up tapes or individual hard disks for important documents, the fewer documents it has to search through, the easier the search will be. Accordingly, employees should regularly delete any e-mail messages they send or receive that no longer require action or are not necessary to an ongoing project. Employees should audit their stored e-mail messages periodically to identify messages that are no longer needed and should be deleted.

2. Permitted and Prohibited Uses

2.1 Use Limited to Catholic Charities’ Business Purposes. The computer system, e-mail system, and Internet access may be used only to support and promote Catholic Charities business objectives. The use of computers and Internet access through the Catholic Charities’ system is a privilege, not a right, and may be revoked. Use of the computer system, e-mail system, or the Internet in violation of these policies can result in disciplinary action.
Therefore, for example, employees may not:

2.1.1 intentionally waste limited computer resources;
2.1.2 engage in activities that have the potential to disrupt the business environment of the workplace;
2.1.3 engage in actions that damage computers, computer systems, or computer networks;
2.1.4 use the computer system for commercial purposes, for personal gain or profit, or to engage in illegal activity;
2.1.5 use the e-mail system to copy and/or transmit any documents, software, or other information protected by the copyright laws;
2.1.6 use their Catholic Charities’ provided Internet address when communicating personal viewpoints on the Internet, unless approved by Catholic Charities’ Senior Management; or
2.1.7 use the computer system to access, view, store or distribute obscene, offensive, harassing, discriminatory, or otherwise objectionable files.

2.2 E-Mail Use. E-mail messages, whether created inside Catholic Charities or created outside Catholic Charities and transmitted within Catholic Charities or from Catholic Charities to other sites, can generate claims of defamation, harassment, and discrimination. Therefore, employees may not:

2.2.1 use the e-mail system to engage in any communications that are in violation of any policy; or
2.2.2 use the e-mail system to transmit or display defamatory, obscene, intimidating, offensive or harassing messages or pictures, or messages that disclose personal information without authorization.

2.3 Internet Use. An approved employee accessing the Internet from a Catholic Charities’ site is responsible for all on-line activities that take place through the use of his or her login and password. When using another organization’s networks or computing resources, employees must comply with the rules appropriate for that network.
Those employees with Internet access privileges may not:

2.3.1 access inappropriate websites, including those involving gambling, pornography, or obscene materials;
2.3.2 obligate Catholic Charities financially to any commercial web-sites without the express permission of the IT Manager; or
2.3.3 use the Internet from a Catholic Charities’ site to engage in the practice of moonlighting or for any commercial purposes, advertising, or other similar activities.

3. Computer System Security

3.1 Importance of System Security. Catholic Charities is obligated to maintain the confidentiality of its own information, of client information and of communications with clients. As a consequence, all users of the computer system must take steps to ensure the security of the system and to maintain the confidentiality of all information on the system or communicated through the use of the system. Each employee is responsible for what happens under his or her login name. Violations of security policies are considered serious violations and can result in disciplinary action.

3.2 System Access. Passwords and User Logon IDs are unique to each authorized user and will be assigned by the IT Department. Passwords must be kept private. They should not be shared, coded into programs, or written down. In order to protect against dissemination of confidential information, employees should not access their e-mail messages for the first time in the presence of others. E-mail windows should not be left open on the screen when the computer is unattended. E-mail passwords (as well as other computer passwords) should be routinely changed.

3.3 Computer Viruses. Computer viruses can be injected into the system through the receipt of e-mails, e-mail attachments or files from other systems. Exercise particular care when opening files attached to e-mails from unknown senders.
Employees must pay attention to and strictly comply with all warnings and instructions of the IT Department relating to viruses. Employees must immediately inform the IT Department of the presence of any virus on any Catholic Charities computer. Any computer that is infected or suspected of being infected must immediately be disconnected from the network to reduce the risk of spreading a virus. Employees are prohibited from disabling or interfering with any virus scanning software installed on their system.

3.4 Installing or Downloading Software. The IT Department must approve and install all software on any Catholic Charities computer. No employee may download software without the approval of the IT Department. When and if authorized to download software, employees must comply with all restrictions and procedures for downloading software, including mandatory virus scanning and detection procedures. Employees must inform the IT Department of any virus, configuration change, or different behavior of a computer or application, especially after the addition of new software to the environment. All employees must obey and follow all licensing agreements and procedures with regard to the use and installation of all software. The IT Department will inspect computers periodically to verify that all software has been approved and licensed properly.

3.5 Remote Access. All remote access to the computer system, whether via dial-up or Internet access, must use encryption services to protect the confidentiality of the session. Information regarding access to the computer system, such as dial-up phone numbers, is confidential. This information must not be posted on electronic bulletin boards, listed in telephone directories, placed on business cards or made available to third parties without express authorization.

3.6 Confidentiality.
Users must keep confidential all references and resource labels of Catholic Charities’ computer system, including but not limited to internal domain names, server names, printer names, IP addresses, and directory services.

4. Confidentiality of Communications

4.1 Importance of Confidentiality. Employees must exercise a greater degree of caution in transmitting information through e-mail than they take with other means of communicating information (e.g., written memoranda, letters, or phone calls) because of the reduced human effort required to redistribute such information and the security considerations on the Internet. Confidential information of Catholic Charities or its clients should never be transmitted or forwarded to outside individuals or companies not authorized to receive that information. Employees should always use care in addressing e-mail messages to make sure that messages are not inadvertently sent to outsiders or to the wrong person within Catholic Charities. In particular, employees should exercise care when using distribution lists to make sure that all addressees are appropriate recipients of the information. Lists may not always be kept current, and individuals using lists should take measures to ensure that the lists are current. Employees should refrain from routinely forwarding messages containing confidential information to multiple parties unless there is a clear business need to do so. Employees may contact the IT Department with any questions concerning this policy or procedure.

Approved 5-97
Revised and approved 12-03
Reviewed 6-05

Attachment A to HP-1.15 HIPAA Policies and Procedures (aka Attachment A to AP-4.05)

ACKNOWLEDGMENT OF UNDERSTANDING
COMPUTER, E-MAIL, AND INTERNET USAGE POLICIES

I acknowledge that I have read and will abide by Catholic Charities’ policies regarding computer, e-mail, and Internet usage. In particular:
1. I understand that Catholic Charities has the complete authority to monitor my computer usage, e-mail communications, and Internet usage, and that Catholic Charities may monitor on a routine and/or special-case basis.
2. I will accept personal responsibility for all activities occurring under my password/login.
3. I will keep confidential my password/login and will not utilize another’s password/login to access any system.
4. I will keep confidential all client information, regardless of the medium (computer, e-mail, etc.).
5. I understand that the computer system, the e-mail system, and the Internet system are to be used for business purposes only.
6. I understand that I cannot install or download software and/or programs, screen savers, firewalls, etc. without written approval of the IT Manager.
7. I understand that any violation by me of Catholic Charities’ computer, e-mail, or Internet policies may result in a loss of access, disciplinary action (including termination), or other legal action.
______________________________________________
Signature

______________________________________________
Name (please print)

______________________
Date

Original: Personnel file

Attachment B to HP-1.15 HIPAA Policies and Procedures (aka Attachment B to AP-4.05)

REQUEST FOR INTERNET ACCESS

Name _____________________________________ Title ____________________________
Program ___________________________________ Division _________________________
Location _______________________________________________________________________
Date of Request _______________________

Justification for access to the Internet:

Program Director’s Signature ___________________________ Date __________________
------------------------------------------------------------------
Division Director/Department Head Review and Approval
( ) approved ( ) not approved
Signature ___________________________________________ Date ________________
------------------------------------------------------------------
IT Manager’s Signature _______________________________ Date ___________________

Original: IT Office
Copy: Program Director

HP-2.01 HIPAA Policies and Procedures
OVERVIEW OF SAFETY AND SECURITY SECTION OF THE HIPAA POLICIES AND PROCEDURES

1. Introduction

The final HIPAA security rule, published in the February 20, 2003 Federal Register (68 Fed. Reg. 8334-8381), provides a series of implementation specifications for the security of protected health information in electronic form. Catholic Charities strives to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information that it creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threat or hazard to the security and integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not otherwise permitted or required.
- Ensure compliance by its workforce.

2. Document Description

This document describes Catholic Charities’ policies and procedures relative to the Security part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. By having this document in place, and exercising the steps required to implement required activities, Catholic Charities declares that it has made its best efforts to be compliant with the Security part of HIPAA, as it applies to Catholic Charities.

3. Purpose

The purpose of this document is to list the policies and procedures Catholic Charities has documented and follows to remain compliant with the Security part of HIPAA. This document is used as a set of statements and instructions for the Catholic Charities workforce to follow, and as a training guide.

4. Revisions

The Catholic Charities HIPAA Compliance Officer and Security Officer are responsible for revisions and updates to this document. This is a “living” document. Updates that are a result of new discoveries, such as changing regulations or processes, will be added as needed.

5. Administrative Safeguards

Catholic Charities has implemented administrative policies and procedures to prevent, detect, contain, and correct security violations. These policies and procedures are described in the following sections.

5.1 Risk Analysis and Management

Catholic Charities conducts accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held in its computer systems, on a regular basis. When the Catholic Charities Compliance Officer and Security Officer believe any risks exist, they address each risk and complete a risk mitigation report. Catholic Charities has implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule.
These measures are described in detail in Section 3.01, Risk Analysis, of this document.

5.2 Sanction Policy

Catholic Charities will apply appropriate sanctions against employees and others who fail to comply with the security policies and procedures, as detailed in the Catholic Charities Policy and Procedure Manual, which is available for review in your division.

5.3 Information System Activity Review, Login Monitoring

Catholic Charities has implemented the following procedure to regularly review records of information system activity: the Security Officer reviews files contained on Catholic Charities’ computers weekly. Such reviews include unsuccessful logins, unauthorized access, break-the-glass (emergency access) events, and security incident tracking reports.

5.4 Assigned Security Responsibility

Catholic Charities has named the Information Technology Manager and the Compliance Officer as the security officials who are responsible for the development and implementation of the policies and procedures required by this HIPAA Rule.

5.5 Workforce Security, Authorization, Supervision, Clearance Procedure

Catholic Charities policies and procedures ensure that all members of its workforce have appropriate access to electronic protected health information; prevent those workforce members who do not have access from obtaining access to electronic protected health information; authorize and/or supervise workforce members who work with electronic protected health information; and determine that the access of a workforce member to electronic protected health information is appropriate. Safeguards utilized are as follows:
- All employees who are allowed access to PHI are assigned passwords to Catholic Charities computers by the IT staff. See the password policy.
- Access to electronic protected health information is granted on a need-to-know basis with approval from the Program Director/Division Director.
- Employees who do not have access cannot obtain access, as they do not have the passwords.
- Employees with access to PHI are trained in the importance of protecting electronic PHI.
- The Security Officer determines which workforce members appropriately have access to PHI, based upon thorough review and understanding of Catholic Charities Policies and Procedures, which are contained in the Administrative and Division Policies and Procedure Manuals.

5.6 Termination Procedures

When the employment of a workforce member ends, or they no longer need access to PHI as determined by the Security Officer/Compliance Officer, that workforce member’s access to electronic PHI is terminated by removing his or her user ID, user account, and access permissions from Catholic Charities computers. In the case of a resignation, the Information Technology Department can enter an expiration date (last day of employment) into the system, and the Anasazi system will automatically terminate access as of 12 midnight on that day.

5.7 Security Awareness, Training and Reminders

Catholic Charities has a security awareness/reminders and training program for all members of its workforce. Training sessions on the HIPAA Security Policies and Procedures will be given at orientation. During regular staff meetings, Catholic Charities Directors inform their staff of periodic security updates.

5.8 Protection from Malicious Software

Catholic Charities computers have anti-virus scanning software installed, and updates to this software are purchased and installed when available. This ensures that Catholic Charities reasonably guards against, detects, and reports malicious software.

5.9 Security Incident Procedures, Response and Reporting

The Catholic Charities Security Officer and Compliance Officer note any security issues they are aware of in the agency’s Compliance Officer Incident Log, contained in the Policy and Procedure Manual, and address them on a case-by-case basis.
5.10 Contingency, Data Backup, Disaster Recovery, Emergency Mode Operations, Testing and Revisions

Catholic Charities backs up its computer systems by making a copy of the files from hard disk to tape for the purpose of retrieval in case the original is erased, copied over, damaged, or destroyed. The backup methods utilized include a full level backup, an incremental level backup, and a differential level backup. The Security Officer or designee takes the backup to a safe, off-site location nightly. Should an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) damage Catholic Charities’ systems, the Security Officer (or designated representative) takes the backup copy and restores the system to its last operational state.

5.11 Evaluation

The Catholic Charities Security Officer performs a technical and non-technical evaluation of the procedures in this document yearly, or any time there are significant environmental or operational changes affecting the security of electronic protected health information.

5.12 Business Associate Contracts and Other Arrangements

Catholic Charities has business associate agreements in place with its business associates who create, receive, maintain, or transmit electronic protected health information on our behalf. This gives us satisfactory assurances that the business associate will appropriately safeguard the information. A template copy of this agreement can be found in the office of the Associate Executive Director of Fiscal Affairs.
We realize that this standard does not apply with respect to:
- Transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual;
- Transmission of electronic protected health information by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the relevant HIPAA requirements apply and are met; or
- Transmission of electronic protected health information from or to other agencies providing the services when the covered entity is a health plan that is a government program providing public benefits, if the relevant HIPAA requirements are met.

6. Physical Safeguards

Catholic Charities has implemented physical safeguard-related policies and procedures to prevent, detect, contain, and correct security violations. These policies and procedures are described in the following sections.

6.1 Facility Access Controls

Catholic Charities has implemented the following policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed:
- Computers are kept in offices and private areas. Only personnel requiring access to these systems are authorized to use them.
- Passwords are required for access to electronic information systems.
- Visitors are required to sign in and be escorted to their destination.

6.2 Contingency Operations

Catholic Charities has established procedures that allow facility access in support of restoration of lost data under the disaster recovery plan. See the Disaster Recovery Plan for details.

6.3 Facility Security Plan

Catholic Charities has implemented policies and procedures to safeguard its facilities and the equipment therein from unauthorized physical access, tampering, and theft. Computers are kept in offices and private locations, and the buildings are secured against unauthorized access.
Clients and visitors are required to sign in and out of the facility. Visitors are escorted through critical areas of the facilities at all times.

6.4 Access Control and Validation Procedures

Catholic Charities has implemented procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. The Security Officer/Compliance Officer and Division Directors oversee access to facilities and computers.

6.5 Maintenance Records

Catholic Charities has implemented policies and procedures to document repairs and modifications to the physical components of its facility related to security. The Division Directors ensure, on a daily basis, that the physical facility is in working order and document any deficiencies for follow-up and repair.

6.6 Workstation Use

Catholic Charities has implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of each specific workstation or class of workstation that can access electronic protected health information. Catholic Charities computers are kept in private areas. Only personnel requiring access to these systems are authorized to use them.

6.7 Workstation Security

Catholic Charities has implemented physical safeguards for all workstations that access electronic protected health information, and has restricted access to authorized users. Only personnel requiring access to these systems are authorized to use them.

6.8 Device and Media Controls

Catholic Charities has implemented policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
The Security Officer oversees the movement, receipt, and removal of all hardware and electronic media on an as-needed basis. Staff utilizing disks have all disks password protected.

6.9 Disposal

Catholic Charities has implemented policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. The Security Officer oversees the final disposition of any hardware or electronic media, and erases disks and other media as needed upon disposal.

6.10 Media Re-Use

Catholic Charities has implemented procedures for removal of electronic protected health information from electronic media before the media are made available for reuse. The Security Officer oversees the erasure of any electronic media prior to reuse, as applicable. Staff erase all disks prior to re-use.

6.11 Accountability

The Security Officer maintains a record of the movements of hardware and electronic media per site.

6.12 Data Backup and Storage

The Security Officer or designated authorized representative creates a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. Routinely, data is backed up by three methods: full backup, incremental backup, and differential backup. All backups are stored off site.

7. Technical Safeguards

Catholic Charities has implemented technical safeguard-related policies and procedures in the following areas to prevent, detect, contain, and correct security violations, as described in the following sections.

7.1 Access Control

Catholic Charities has implemented technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
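Sections 5.10 and 6.12 state that nightly tapes come from full, incremental, and differential backups and that the Security Officer restores the system to its last operational state from them. The Python below is an added example, not the agency’s own tooling: it plans the restore chain for each of those three backup types under their standard definitions (an assumption stated in the code) and, when a tape is missing, reports the most recent day that can actually be restored, which is the check a disaster recovery review would want. The weekly schedule it runs on is constructed.

```python
"""Restore-chain planning for a full/incremental/differential tape rotation.

Added example; not Catholic Charities' own tooling. The schedule at the
bottom is constructed. The only assumptions are the standard definitions:
  full         - a copy of everything
  differential - everything changed since the last full backup
  incremental  - everything changed since the previous backup of any kind
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Backup:
    day: date
    kind: str               # "full", "incremental" or "differential"
    available: bool = True  # False when the tape cannot be located or read


class BrokenChain(Exception):
    """The tapes needed to reach the requested state are not all available."""


def restore_chain(backups, target):
    """Ordered list of backups to apply to recover the state as of `target`.

    Raises ValueError when there is no full backup on or before `target`
    and BrokenChain when a required tape is marked unavailable.
    """
    candidates = sorted((b for b in backups if b.day <= target), key=lambda b: b.day)
    fulls = [b for b in candidates if b.kind == "full"]
    if not fulls:
        raise ValueError(f"no full backup on or before {target}")
    base = fulls[-1]
    later = [b for b in candidates if b.day > base.day]

    # A differential contains every change since the full, so it supersedes
    # anything taken between the full and itself; only the latest one is
    # needed. Incrementals taken after that differential still apply.
    diffs = [b for b in later if b.kind == "differential"]
    chain = [base]
    cutoff = base.day
    if diffs:
        chain.append(diffs[-1])
        cutoff = diffs[-1].day
    chain.extend(b for b in later if b.kind == "incremental" and b.day > cutoff)

    missing = [b for b in chain if not b.available]
    if missing:
        days = ", ".join(str(b.day) for b in missing)
        raise BrokenChain(f"cannot restore to {target}: missing tape(s) {days}")
    return chain


def latest_restorable(backups):
    """Most recent day whose whole restore chain is available, or None."""
    for day in sorted({b.day for b in backups}, reverse=True):
        try:
            restore_chain(backups, day)
            return day
        except (BrokenChain, ValueError):
            continue
    return None


def kinds(chain):
    """Compact (ISO date, kind) view of a chain for reporting."""
    return [(b.day.isoformat(), b.kind) for b in chain]


# Constructed one-week rotation: Sunday full, weekday incrementals, and a
# Wednesday differential. Not taken from the policy text.
SUNDAY = date(2025, 1, 5)
WEEK = [
    Backup(SUNDAY, "full"),
    Backup(SUNDAY + timedelta(days=1), "incremental"),
    Backup(SUNDAY + timedelta(days=2), "incremental"),
    Backup(SUNDAY + timedelta(days=3), "differential"),
    Backup(SUNDAY + timedelta(days=4), "incremental"),
    Backup(SUNDAY + timedelta(days=5), "incremental"),
]

# Same week, but Thursday's incremental tape cannot be found off site.
WEEK_MISSING_THU = [
    Backup(b.day, b.kind, available=(b.day != SUNDAY + timedelta(days=4)))
    for b in WEEK
]

if __name__ == "__main__":
    print(kinds(restore_chain(WEEK, SUNDAY + timedelta(days=5))))
    print("latest restorable with Thursday missing:", latest_restorable(WEEK_MISSING_THU))
```

With Thursday’s tape missing, Friday’s state is unrecoverable and the newest restorable state falls back to Wednesday’s differential; a plan that relies on nightly incrementals should be reviewed with that dependency in mind.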
7.2 Unique User Identification

Catholic Charities assigns a unique name and/or number for identifying and tracking user identities by setting up login IDs and passwords for each employee, as applicable.

7.3 Emergency Access Procedure

Catholic Charities has established procedures for obtaining necessary electronic protected health information during an emergency. See Disaster Recovery for more details.

7.4 Automatic Logoff

Catholic Charities has implemented electronic procedures that terminate an electronic session after a predetermined time of inactivity (5 hours), and emphasis is placed on employees logging off their computers when they leave their workstations. A screen saver is activated on each computer after 5 minutes of inactivity.

7.5 Encryption, Decryption, and Security

Catholic Charities has implemented a mechanism to encrypt and decrypt electronic protected health information whenever it is transmitting this information electronically. This mechanism utilizes a software program for encryption and authentication of transmitted data.

7.6 Audit Controls

Catholic Charities has implemented procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. See Workstation Use for details.

7.7 Integrity

Catholic Charities has implemented policies and procedures to protect electronic protected health information from improper alteration or destruction, to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner, and to verify that a person or entity seeking access to electronic protected health information is the one claimed. See the Access, Control and Validation Policy and Workstation Use for details.

8. Organizational and Documentation Requirements

Catholic Charities has implemented the organizational and documentation requirements mandated by the HIPAA Security Rule.
These requirements, and Catholic Charities’ compliance declarations, are described in more detail in the following sections.

8.1 Business Associate Contracts

Catholic Charities has ensured that its contracts with its Business Associates address all necessary safeguards required by the HIPAA Security Rule. Contracts between Catholic Charities and its Business Associates provide that the business associate will:
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of Catholic Charities.
- Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it.
- Report to Catholic Charities any security incident of which it becomes aware.
Business Associate contracts will also authorize termination of the contract by Catholic Charities if Catholic Charities determines that the business associate has violated a material term of the contract.

8.2 Documentation Form, Retention, Availability, and Updates

Catholic Charities maintains the policies and procedures implemented to comply with the HIPAA Security Rule in written and/or electronic form. Catholic Charities retains the documentation required by the HIPAA Security Rule for seven years from the date of its creation or the date when it last was in effect, whichever is later. Catholic Charities makes documentation available to those persons responsible for implementing the procedures to which the documentation pertains. Catholic Charities reviews documentation periodically, and updates it as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

9. Reporting and Investigating Security Breaches

Questions about breach of privacy issues will be presented initially to the Compliance Officer and/or Security Officer of Catholic Charities. Employees and/or clients who report possible security issues in good faith will not be subjected to retaliation or harassment because of the report. Concerns about possible retaliation or harassment will be reported to the Compliance Director.

Whenever a security issue has been identified, through monitoring, reporting of possible issues, investigations, or otherwise, the Security Officer and the Compliance Officer, with the support of the Associate Executive Director of Program Services, shall have the responsibility and authority to take or direct appropriate action to address that issue. The corrective action will be set forth in writing. Corrective actions will be designed to ensure that the specific issues are addressed and similar problems do not occur in the future. Employees who have engaged in willful misconduct will be subject to disciplinary action, up to and including termination in appropriate cases, in accordance with company policies, procedures, and codes of conduct.

All employees are directed to cooperate fully with any inquiries undertaken pursuant to this plan. To the extent practical and appropriate, efforts will be made to maintain the confidentiality of such inquiries and the information gathered. The Compliance Officer and the Security Officer will maintain an incident log of security concerns that are reported, as described in this document. The log will record the issues, the individuals or departments affected, and the resolutions. Catholic Charities and its employees are aware of the seriousness of security breaches and understand that appropriate action must be taken to prevent similar instances from occurring.
Approved 12-03
Revised 12-04
Approved 6-05

Attachment to HP-2.01 HIPAA Policies and Procedures

INCIDENT LOG

Columns: Date & Initials | Issue | Department/Division/Site | Resolution

HP-2.02 HIPAA Policies and Procedures

HIPAA SECURITY PLANS

Privacy and Security Plan (See Attachment A)
Disaster Prevention Plan (See Attachment B)
Disaster Recovery and Emergency Operation Plan (See Attachment C)
Disaster Recovery Teams (See Attachment D)
Data Security Backup Plan/Staff Training Plan (See Attachment E)

Approved 12-03
Reviewed 6-05

Attachment A to HP-2.02 HIPAA Policies and Procedures

PRIVACY AND SECURITY PLAN

Background

The use of computers and computer networks has become an integral part of the behavioral health and human services industry. These technologies have brought and will continue to bring enormous advantages to our industry and will continue to enable us to innovate the means of delivering services to clients. These technologies have also brought significant risks regarding client confidentiality and privacy. Catholic Charities has established both security and privacy policies that give specific guidelines on an employee’s use of these technologies, in all locations. These policies and procedures have been written in coordination with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Purpose

It is the policy of Catholic Charities that all personnel must preserve the integrity and the confidentiality of medical, mental health, substance abuse, HIV data, and other sensitive information pertaining to our clients. The purpose of this policy is to ensure that Catholic Charities and its officers, employees, volunteers, and agents have the necessary clinical information and other pertinent information in order to provide the highest quality service possible while protecting the confidentiality of that information. To that end, Catholic Charities and its officers, employees, and agents will:

1. Collect and use individual clinical information only for the purposes of providing services and for supporting the delivery, payment, integrity, and quality of those services. Catholic Charities and its officers, employees, and agents will not use or release individual clinical information without the proper authorization of our clients. Our staff, volunteers, and agents will have access to client information on a need-to-know basis only.

2. Collect and use individual protected health information only:
2.1 To provide proper diagnosis and treatment.
2.2 With the individual’s knowledge and consent.
2.3 To receive reimbursement for services provided.
2.4 For research and similar purposes designed to improve the quality and to reduce the cost of health care.
2.5 As a basis for required reporting of health information.

3. Recognize that medical, mental health, substance abuse, and HIV information collected about clients must be accurate, timely, complete, and available when needed. Catholic Charities and its officers, employees, and agents will:
3.1 Use their best efforts to ensure the accuracy, timeliness, and completeness of data and to ensure that authorized personnel can access it when needed.
3.2 Complete and authenticate medical records in accordance with the law, medical ethics, standards of practice, and accreditation standards.
3.3 Maintain medical records for the retention periods required by law and professional standards.
3.4 Not alter or destroy an entry in a record, but rather designate it as an error while leaving the original entry intact, and create and maintain a new entry showing the correct data.
3.5 Implement reasonable measures to protect the integrity of all data maintained about clients.

4. Recognize that clients have a right to privacy and security of their information. Catholic Charities and its officers, employees, and agents will respect clients’ individual rights, dignity, privacy, and confidentiality at all times.

5. Act as responsible information stewards and treat all individual medical record data and related financial, demographic, and lifestyle information as sensitive and confidential. Consequently, Catholic Charities and its officers, employees, and agents will:
5.1 Treat all individual medical record data as confidential in accordance with professional ethics, accreditation standards, and legal requirements.
5.2 Not divulge medical record data unless the client (or his or her authorized representative) has properly consented to the release or the release is otherwise authorized by law, such as communicable disease reporting, child abuse reporting, and the like.
5.3 When releasing medical record data, take appropriate steps to prevent unauthorized re-disclosures, such as specifying that the recipient may not further disclose the information without client consent or as authorized by law.
5.4 Implement reasonable measures to protect the confidentiality of medical and other information maintained about clients.
5.5 Remove client identifiers when appropriate, such as in statistical reporting and in medical research studies.
5.6 Not disclose financial or other client information except as necessary for billing or other authorized purposes as authorized by law.

6. All officers, agents, and employees of Catholic Charities must adhere to this policy. Catholic Charities will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions, in accordance with the Catholic Charities medical information sanction policy and personnel rules and regulations.

The management structure for this Plan is outlined below. These individuals have primary responsibility for the development, deployment, and ongoing management of the Plan and all associated policies and procedures.
[Organizational chart; positions shown:]
- Executive Director
- Associate Executive Director/Program Services
- Associate Executive Director/Fiscal Affairs
- Division Directors
- Program Directors
- Compliance Director
- Human Resources
- Privacy and Security Policies and Procedures
- Information Technology
- Information Technology Manager

Reporting Security Problems

If confidential information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties, the Privacy Officer and the Security Officer must be notified immediately. Catholic Charities will mitigate to the extent possible any harmful effects of the security incident. If any unauthorized use of Catholic Charities information systems has taken place, or is suspected of taking place, the Security Officer and Chief Privacy Officer must be notified immediately. Similarly, whenever passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed, the Security Officer and Privacy Officer must be notified immediately.

All unusual system behavior, such as missing files, frequent system crashes, misrouted messages, and the like, must also be immediately reported to the Security Officer and the Privacy Officer. This may indicate a computer virus infection or similar security problem. The specifics of security problems should not be discussed widely but should instead be shared on a need-to-know basis.

Users must not "test the doors" (probe) security mechanisms at either Catholic Charities or other Internet sites unless they have first obtained permission from the Information Technology Manager. If users probe security mechanisms, alarms will be triggered and resources will needlessly be spent tracking the activity. Depending on the nature of the probing, employees may be subject to disciplinary actions, up to and including termination.
Additional Responsibilities

As defined below, the Catholic Charities Information Technology Department is responsible for Internet security. Employees are responsible for any activity under their password.

1. Information Technology will establish an Internet security infrastructure consisting of hardware, software, policies, and standards, and department staff will provide technical guidance on computer security to all Catholic Charities staff. The IT department will also organize an emergency response team to respond to virus infestations, hacker intrusions, and similar events. The Emergency Response Team is identified in the Catholic Charities Disaster Recovery Plan.

2. IT staff will monitor compliance with Internet security requirements, including hardware, software, and data safeguards. Program directors must ensure that their staffs are in compliance with the Internet security policy established in this document. IT staff will also provide administrative support and technical guidance to management on matters related to Internet security.

3. IT staff will periodically, and no less than semi-annually, conduct a risk assessment of each production information system they are responsible for to determine both risks and vulnerabilities.

4. IT staff will check that appropriate security measures are implemented on these systems in a manner consistent with the level of information sensitivity.

5. IT staff will check that user access controls are defined on these systems in a manner consistent with the need-to-know.

6. Catholic Charities Division Directors/Program Directors will see to it that the sensitivity of data is defined and designated on these systems in a manner consistent with in-house sensitivity classifications.

7. Catholic Charities program directors will ensure that:
7.1 Employees under their supervision implement security measures as defined in this document.
7.2 Employees under their supervision delete sensitive (confidential) data from their disk files when the data is no longer needed or useful.
7.3 Employees under their supervision who are authorized to use personal computers are aware of and comply with the policies and procedures outlined in all Catholic Charities documents that address information security.
7.4 Employees under their supervision complete the pre-exit clearance process upon their official termination of employment or contractual agreement.
8. Users of Catholic Charities Internet connections must:
8.1 Know and apply the appropriate Catholic Charities policies and practices pertaining to Internet security.
8.2 Not permit any unauthorized individual to obtain access to Catholic Charities Internet connections.
8.3 Not use or permit the use of any unauthorized device in connection with Catholic Charities personal computers.
8.4 Not use Catholic Charities Internet resources (software, hardware, or data) for other than authorized company purposes.
8.5 Maintain exclusive control over and use of his/her password, and protect it from inadvertent disclosure to others.
8.6 Select a password that bears no obvious relation to the user, the user's organizational group, or the user's work project, and that is not easy to guess. (See Password Protection policy.)
8.7 Ensure that data under his/her control and/or direction is properly safeguarded according to its level of sensitivity.
8.8 Report to the Security Officer and the Privacy Officer any incident that appears to compromise the security of Catholic Charities information resources. These include missing data, virus infestations, and unexplained transactions.
8.9 Access only the data and automated functions for which he/she is authorized in the course of normal business activity.
8.10 Obtain the IT Manager's authorization for any uploading or downloading of information to or from Catholic Charities multi-user information systems if this activity is outside the scope of normal business activities.
8.11 Make backups of all sensitive, critical, and valuable data files as often as is deemed reasonable by their program director.

Contact Point

Questions about this policy may be directed to the Information Technology Manager.

Disciplinary Process

Violation of these policies may subject employees to disciplinary procedures up to and including termination.

Attachment B to HP-2.02 HIPAA Policies and Procedures

DISASTER PREVENTION PLAN

Policy

As important as having a disaster recovery plan is, the measures taken to prevent a disaster or to mitigate its effects beforehand are even more important. This plan reviews the various threats that can lead to a disaster, where our vulnerabilities are, and the steps we are taking to minimize our risk. The threats covered here are both natural and human created:
- Fire
- Flood
- Tornados and High Winds
- Earthquake
- Computer Crime

FIRE

The threat of a fire in the Central Administrative Services building is very real and poses the highest risk factor of all the types of disasters. The building is filled with electrical devices and connections that could overheat or short out and cause a fire. The computers within the facilities also pose a quick target for arson from anyone wishing to disrupt operations.

Preventive Measures

Fire alarms: The facilities are equipped with fire alarm systems and with ceiling-mounted smoke/heat detectors, which are located throughout the buildings.
Fire extinguishers: Hand-held fire extinguishers are required and are placed in visible locations throughout the buildings.

Recommendations

Install a Halon gas system; place fire extinguishers in the phone room/computer rooms. Review fire/safety procedures with staff.

FLOOD

In some locations, several water pipes/drains run directly above the computer/phone system.
These factors can create the threat of flooding. This threat includes potential disruption of power, equipment damage due to dirty particles in the water, and destruction of sensitive electrical components. In addition, the presence of water in a room with high-voltage electrical equipment can pose a threat of electrical shock to personnel within the computer/phone room.

Recommendation

Move the main computer/phone system to a more suitable location.

TORNADOS AND HIGH WINDS

Although Catholic Charities may not be in any immediate danger resulting from tornados, gusting winds can cause trees to fall, causing damage to the building or underground cabling.

EARTHQUAKES

No threat of earthquakes in this area.

COMPUTER CRIME

Computer crime is becoming more of a threat as IT systems become more complex and access is more highly distributed. With the new networking technologies, more potential for improper access is present than ever before. Computer crime usually does not affect hardware in a destructive manner. It may be more insidious and may often come from within an organization. A disgruntled employee can build viruses or time bombs into applications and systems code. A well-intentioned employee can make coding errors that affect data integrity.

Preventive Measures
- All systems have security products installed to protect against unauthorized entry.
- All systems are protected by passwords, especially those permitting updates to data.
- All users are required to change their passwords on a regular basis (every 180 days).
- All security systems log invalid attempts to access data, and the IT Manager or Network Administrator reviews these logs on a regular basis.

Recommendations
- Continue to improve security functions on all platforms.
- Strictly enforce policies and procedures when violations are detected.
- Regularly let users know the importance of keeping their passwords a secret.
- Let users know how to choose strong passwords that are very difficult to guess.
Attachment C to HP-2.02 HIPAA Policies and Procedures

DISASTER RECOVERY AND EMERGENCY OPERATIONS PLAN

Policy

Over the years, dependence upon the use of computers in the day-to-day business activities of many organizations has become the norm. Catholic Charities is no exception to this trend. Very powerful computers are located in every department/program within Catholic Charities. These machines are linked together by a sophisticated network that provides communication with other machines across the divisions and around the world. Catholic Charities' vital functions are dependent on the availability of this network of computers.

Disaster Recovery Plan Focus

The primary focus of this document is to provide a plan to respond to a disaster that destroys or severely cripples the Catholic Charities computer systems operated by the IT Department. The intent is to restore operations as quickly as possible with the latest and most up-to-date data available.

System Access

In the event of a major disaster, access to the system will be restricted to the IT department until such time as the IT Manager deems it appropriate to permit additional access. In the event that the disaster creates a critical shortage of resources that does not permit all users to simultaneously access the system, restrictions on access will be initiated by the IT Department and priorities will focus on mission-critical functions. The IT Department will work with Senior Management and the Division Directors to identify key users to grant immediate access in order to conduct critical business and clinical operations. The IT Department may utilize time blocks for access or restrict the number of users at any given time.

Risks

The disaster recovery plan assumes a certain amount of risk, the primary one being how much data is lost in the event of a disaster.
There are compromises between the amount of time, effort, and money spent in planning and preparing for a disaster and the amount of data loss you can sustain and still remain operational following a disaster. Depending on the need, the recovery effort may focus on a quick recovery or even zero downtime, by duplicating and maintaining computer systems in separate facilities. The techniques for backup and recovery used in this plan do NOT guarantee zero data loss. The administration is willing to assume the risk of data loss and do without computing for a period of time in a disaster situation. In a fiscal sense, the plan saves dollars in up-front disaster preparation cost and then relies upon business interruption and recovery insurance to help restore computer operations after a disaster.

Data recovery efforts in this plan are targeted at getting the systems up and running with the last available off-site backup tapes. Significant effort will be required after system operation is restored to:
- Restore data integrity to the point of the disaster.
- Synchronize that data with any new data collected from the point of the disaster forward.

Plan Objectives

The Disaster Recovery Plan has the following primary objectives:
1. Present an orderly course of action for restoring critical computing capability to the network within 5 days of the plan.
2. Set criteria for making the decision to recover at a cold site or repair the affected site.
3. Describe an organization structure for carrying out the plan.
4. Provide information concerning the personnel that will be required to carry out the plan and the computing expertise required.
5. Identify the equipment, floor plan, procedures, and other items necessary for recovery.

Plan

1. Personnel

Immediately following the disaster, a planned sequence of events begins. Key personnel are notified and recovery teams are grouped to implement the plan. See the attached list of personnel and their expertise.
The plan has been designed to be usable even if some of the personnel are unavailable.

2. Salvage Operations at the Disaster Site

Early efforts are targeted at protecting and preserving the computer equipment. In particular, any magnetic storage media (hard drives, magnetic tapes, diskettes) are identified and either protected from the elements or removed to a clear, dry environment away from the disaster site.

3. Designated Recovery Site

At the same time, the appropriate personnel survey the disaster scene to estimate the amount of time required to put the facility back into working order. A decision is then made whether to use the Cold Site, a location some distance away from the scene of the disaster where computing and networking capabilities can temporarily be restored until the primary site is ready. Work begins immediately on repairing or rebuilding the primary site.

4. Purchase New Equipment

The recovery process relies on vendors to quickly provide replacements for the resources that cannot be salvaged. The IT Director will rely upon emergency procurement procedures so that orders for equipment, supplies, software, and any other needs are met quickly.

5. Begin Reassembly at Recovery Site

Salvaged and new components are reassembled at the recovery site according to the instructions contained in this plan. If vendors cannot provide a certain piece of equipment on a timely basis, it may be necessary for the recovery personnel to make last-minute substitutions. After the equipment reassembly phase is complete, the work turns to the data recovery procedures.

6. Restore Data from Backups

Data recovery relies entirely upon the use of backups stored in locations off-site. Backups can take the form of magnetic tape, CD-ROMs, disk drives, and other storage media. Early data recovery efforts focus on restoring the operating system(s) for each computer system.
In addition, software programs as well as a copy of the operating user manual will be maintained at an off-site location. Next, first-line recovery of application and user data from the backup tapes is done. Individual application owners may need to be involved at this point, so teams are assigned for each major application area to ensure that data is restored properly.

7. Restore Application Data

Since some time may have elapsed between the time that the off-site backups were made and the time of the disaster, application owners must have a means for restoring each running application database to the point of the disaster. They must take all new data collected since that point and input it into the application databases. When this process is complete, the computer systems can reopen for business. Some applications may be available only to a limited few key personnel, while others may be available to anyone who can access the computer systems.

8. Move Back to Restored Permanent Facility

If the recovery process has taken place at the Cold Site, physical restoration of the disaster site will have begun. When that facility is ready for occupancy, the systems assembled at the Cold Site are to be moved back to their permanent home.

Testing

Testing of the plan to simulate an actual disaster will be done once a year. The Security Officer and the Privacy Officer will declare a test disaster. The test disaster will include the identification of the type of disaster and the time and place of the disaster, and the plan will be implemented. This test disaster will determine the agency's readiness and the completeness of the plan as if an actual disaster had taken place. Although there may be some inconvenience to the users during the test, there will be no prolonged outage to the users.
The test will cover the following activities:
- notifying the disaster recovery team
- assembling the team in one location
- visiting the site of the disaster
- retrieving backup tapes
- determining the alternate site and inspecting the site
- sending notice to all users
- recording events and evaluating
- revising the plan as necessary
The results of the test disaster will be reviewed with Senior Management.

Attachment D to HP-2.02 HIPAA Policies and Procedures

DISASTER RECOVERY TEAMS

Policy

In order to function in an efficient manner and to allow independent tasks to proceed simultaneously, teams will handle the recovery process. This plan calls for eight teams that work together to achieve recovery.

Disaster Recovery Teams
1. Recovery Management Team
2. Damage Assessment Team
3. Administrative Support Team

Disaster Recovery Team Responsibilities

1. Recovery Management Team

The Disaster Recovery Team consists of the following skilled people:
1.1 IT Manager
1.2 Network Administrator
1.3 IT Technicians
1.4 IT Trainer
1.5 DDS Consultant

The Recovery Manager is part of the Recovery Management Team and has the final authority regarding decisions during the recovery process. Each of the remaining individuals will be the leader of a specialized team that will address a portion of the recovery task. As the recovery process gets underway, there will likely be overlap between teams and close communication will be required. The Recovery Management Team will have regular meetings scheduled to provide for communication. A first meeting agenda might include:
- Reviewing the current status of the recovery operation
- Emphasizing what the team's responsibilities are
- Making sure that members are aware of any changes to the original recovery plan
- Assigning tasks to individual team members
- Setting up the time and location for future meetings

2. Damage Assessment Team

The Recovery Manager will lead the Damage Assessment Team. He will be responsible for selecting the other team members.
Likely choices would be member(s) from Facilities, Operations, Network Services, Telephone Service, and Technical Services. This team will not be responsible for a detailed damage assessment for insurance purposes. The purpose of this team is to do two things:
- Provide information for the Recovery Management Team to be able to make the choice of the recovery site.
- Provide an assessment of the salvageability of major hardware components. Based on this assessment, the Recovery Management Team can begin the process of acquiring replacement equipment for the recovery.

3. Administrative Support Team

The Administrative Coordinator will lead the Administrative Support Team. He/she will not be responsible for selecting the other team members; the Recovery Manager will assign or allocate internal or sub-contracted resources. This team will:
- Provide administrative support to the other recovery teams as well as support to employees.
- Take the burden of administrative details so that the technicians who are responsible for systems recovery can concentrate on their recovery work.
- Be a liaison to Administration and the Finance Department.
- Provide support for executing acquisition paperwork.
- Assist with the detailed damage assessment and insurance procedures.

Team members, depending on their area of expertise, will be assigned one or more of the tasks listed below:
- Preparation of the recovery site to accommodate the hardware, supplies, and personnel necessary for recovery
- Oversight activities for the repair and/or rebuilding of the system
- Overseeing the restoration of the network and all network connections
- Working with vendors on installation of equipment
- Coordinating food and sleeping arrangements for the recovery staff as necessary
- Providing support to track time and expenses related to the disaster
- Providing delivery and transportation services to the Cold Site or other locations as required
(Cold Site: an area physically separate from the primary site where space has been identified for use as the temporary home for the computer and network systems while the primary site is being repaired.)
- Assisting in contracting with outside parties for work to be done in the recovery process

Attachment E to HP-2.02 HIPAA Policies and Procedures

DATA SECURITY BACKUP PLAN

Policy

Data security backup will occur daily, weekly, and monthly. (Note: No matter how reliable the system, it is not possible to restore data that has been deleted, overwritten, or corrupted unless it has been backed up.)

Definitions

Backup: making a copy of files from a hard disk to tape for the purpose of retrieval in case the original is erased, copied over, damaged, or destroyed. In the event of a problem, the files can be restored from the tape back onto the disk. Backup disks are maintained off site at the end of the day.
Archive: the method of long-term or legally required storage of important information, usually an extra backup copy kept securely off site.
Business Continuity: also called Disaster Recovery; similar to secure off-site archiving, except that information and sometimes equipment are used temporarily for business continuance in the event of a disaster.

Backup Methods

Full Level
A full backup usually includes the entire system and all its files. Weekly, monthly, and quarterly backups constitute a full backup. The first weekly is a full backup, made on Friday. Subsequent Monday through Thursday backups, until the next full backup, can be either incremental or differential to save time and backup media space.

Incremental Level
With incremental backup, only the files that have changed since the last full or incremental backup are backed up. Subsequent incremental backups only back up those files that have changed since the previous incremental backup. On average, incremental backups take less time because fewer files are backed up.
However, it takes longer to restore data, since data from the last full backup plus data from all the incremental backups must be restored.

Differential Level
With differential backup, every file that has changed since the last full backup is backed up each time. It is faster to restore a differential backup: all you need is the last full and the last differential backup. Differential backup is gaining in popularity because it traps files at points in time, for example, prior to virus corruption.

Storage of Backup Tapes

The backup tapes are taken off-site at the end of the business day.

Tape Rotation Method

The most commonly used media rotation schedule is "Grandfather-Father-Son". This scheme uses daily (Son), weekly (Father), and monthly (Grandfather) backup sets. Four backup media are labeled for the day of the week each backs up, for example Monday through Thursday. Typically, incremental backups are performed on the "Son" group of media. This media is reused each week on the day matching its label. A set of up to five weekly backup media is labeled "Week 1", "Week 2", and so on. Full backups are recorded weekly, on the day that a "Son" media is not used. This "Father" media is reused monthly. The final set of three media is labeled "Month 1", "Month 2", and so on, according to which month of the quarter they will be used in. This "Grandfather" media records a full backup on the last business day of each month and is reused quarterly. Each of the "media" may be a single tape or a set of tapes, depending on the amount of data to back up. A total of 12 media sets are required for this basic rotation scheme, allowing for a history of two to three months. Because a longer history is often required, archive tapes are periodically pulled from the rotation and replaced with new tapes.

Backup (Software Specific)

Catholic Charities uses tapes to back up software.
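The backup levels and the rotation scheme just described can be checked with a short model. The following is an added example in Python, not code from this manual or from the agency's backup software: it assigns each calendar day to its Grandfather-Father-Son media label (Monday through Thursday to the Son set, Friday to the Father set, the last business day of the month to the Grandfather set) and computes which sets a restore needs, which is where the incremental and differential levels differ. The dates, the backup history, and the numbering of weeks within a month are constructed for the example, and holidays are not modelled.

```python
"""Backup-level and Grandfather-Father-Son rotation model.

Added example, not code from the Catholic Charities manual or the agency's
backup software. Dates, the backup history and the week numbering are
constructed to match the rotation described in the manual; holidays are
not modelled.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta

SON_DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday")


def day(iso: str) -> date:
    """Small helper so callers can write day('2005-06-10')."""
    return date.fromisoformat(iso)


def last_business_day(year: int, month: int) -> date:
    """Last Monday-to-Friday date of the month (holidays not modelled)."""
    d = date(year, month, calendar.monthrange(year, month)[1])
    while d.weekday() > 4:          # 5 = Saturday, 6 = Sunday
        d -= timedelta(days=1)
    return d


def gfs_label(d: date) -> str | None:
    """Media label for the backup taken on day d, or None on weekends.

    Precedence: the month-end full goes to the Grandfather set, a Friday
    full goes to the Father set, and Mon-Thu backups go to the Son set
    named after the weekday.
    """
    if d.weekday() > 4:
        return None
    if d == last_business_day(d.year, d.month):
        return f"Month {(d.month - 1) % 3 + 1}"      # month within the quarter
    if d.weekday() == 4:                               # Friday: weekly full
        return f"Week {(d.day - 1) // 7 + 1}"
    return SON_DAYS[d.weekday()]


@dataclass(frozen=True)
class Backup:
    taken: date
    level: str        # "full", "incremental" or "differential"
    media: str        # GFS label the set was written to


def schedule(start: date, end: date, daily_level: str) -> list[Backup]:
    """Backup history the rotation produces for a date range (constructed data).

    Father and Grandfather media always hold full backups; Son media hold
    whichever daily level the site chose, incremental or differential.
    """
    history: list[Backup] = []
    d = start
    while d <= end:
        label = gfs_label(d)
        if label is not None:
            level = "full" if label.startswith(("Week", "Month")) else daily_level
            history.append(Backup(d, level, label))
        d += timedelta(days=1)
    return history


def restore_chain(history: list[Backup], target: date) -> list[Backup]:
    """Backup sets that must be restored, in order, to recover state as of target.

    Incremental strategy: the last full plus every incremental after it.
    Differential strategy: the last full plus only the latest differential,
    because each differential already contains everything since the full.
    """
    usable = sorted((b for b in history if b.taken <= target), key=lambda b: b.taken)
    fulls = [b for b in usable if b.level == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target date; cannot restore")
    last_full = fulls[-1]
    later = [b for b in usable if b.taken > last_full.taken]
    diffs = [b for b in later if b.level == "differential"]
    incs = [b for b in later if b.level == "incremental"]
    chain = [last_full]
    if diffs:
        chain.append(diffs[-1])
        chain += [b for b in incs if b.taken > diffs[-1].taken]
    else:
        chain += incs
    return chain


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        hist = schedule(day("2005-06-06"), day("2005-06-16"), strategy)
        chain = restore_chain(hist, day("2005-06-16"))
        print(strategy, "restore needs", [f"{b.media} ({b.taken})" for b in chain])
```

Running the sample shows the trade-off the text states: with incremental Son backups, recovering the Thursday state needs the Friday full plus all four weekday sets, while with differential backups it needs the full plus Thursday's set only. The ValueError path covers the case the manual's note warns about, a target date with no full backup behind it.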
This software does:
- Multi-platform server operating support…
- Tape rotation…
- Notification of backup failure

Staff Training Plan for Security and Privacy

1. Catholic Charities will train all members of its staff on the policies and procedures with respect to the privacy and security of protected health information, as necessary and appropriate for the members of the staff to carry out their functions within the agency. This training will:
- Be provided to each member of Catholic Charities staff,
- Be provided to all new hires during orientation, and
- Be provided to each staff member whose functions are affected by a material change in the policies or procedures of Catholic Charities, within a reasonable period after the material change becomes effective.
2. Catholic Charities will document that the training has been provided through maintenance of one of the following:
- Certificate of Training.
- Staff Testing Document.
3. The Staff Certificate of Training and/or the staff-testing document will also be filed in the personnel file. A copy will be maintained in the Compliance Office.
4. The training on security and privacy will include the following topics:
4.1 General awareness of security and privacy issues, including specific awareness of HIPAA regulations and requirements.
4.2 Catholic Charities policies and procedures with respect to protected health information and information security.
4.3 Vulnerabilities of health information in the Catholic Charities environment.
4.4 Security responsibilities of each staff member:
- General security awareness and responsibility
- Password protection
- Virus prevention
- Data backup procedures
- Remote access
- Removal of information from Catholic Charities
- Client records outside of the official medical records
- Proper authorization and consent-to-release procedures
- Workstation acceptable use policies and practices
- Client rights and responsibilities regarding medical records
- Procedures to follow in case of a suspected breach of security or privacy
- Disaster plan and emergency procedures
5. Once this training has been received and acknowledged by all current staff, Catholic Charities will deploy a continuing training plan that includes the following features:
5.1 Basic security awareness training as outlined above will be repeated for all staff at least once every three years after the initial training. Staff members receiving this follow-up training will complete another acknowledgement of training receipt form.
5.2 At least every three months, the Information Technology Department and the Compliance Director will publish a security reminder newsletter/flyer that will be distributed to all staff via the following means:
- Email to all staff

Revised 12-04
Approved 6-05

HP-2.03 HIPAA Policies and Procedures

SECURITY - PASSWORDS

Policy

Password protection is one of the most important principles of network, e-mail, and voice mail security. Catholic Charities provides access to the network, electronic mail, and voice mail to all staff in order to support its mission. Passwords are assigned for access to each of these systems in order to authenticate a user's identity, to protect network users, and to provide security.

Definitions

Password: Authorized individual password assigned by the Information Technology (IT) Department for access to its network, e-mail, and voice mail.
Proxy: Person authorized by the user to request a password change on the user's behalf. The proxy must be a supervisor.
User: Anyone who holds a valid account on the network, e-mail, and/or voice mail system.

Procedure

1. Request for new, changed, or forgotten password
1.1 Requests must be made in person at the IT Department from 9:00 a.m. to 5:00 p.m., Monday through Friday.
1.2 Users unable to request a password in person may designate a proxy to authenticate the request.
1.3 IT Department staff will issue the password.
1.4 The IT Manager or designee must approve any password changes requested by a user's supervisor.

2. Password Protection Responsibilities
2.1 The System Administrator and the user assume the following responsibilities:
- The system administrator must protect the confidentiality of the user's password.
- The user is responsible for all actions and functions performed by his/her account.
- Suspected password compromise must be reported to the IT Director or designee immediately.

3. Password Guidelines
3.1 Select a wise password. To minimize password compromises:
- Do not use any part of the account identifier (username, login ID, etc.).
- Do not use a proper name or any word in the dictionary without altering it in some way.
3.2 A password is harder to crack if you utilize several of these selection techniques:
- Use a minimum of 6 alphanumeric characters and a maximum of 20 characters.
- Use mixed case.
- Use two or three short words that are unrelated.
- Deliberately misspell words.
- Take the first letter from each word of a phrase.
- Include at least two digits or punctuation characters.
3.3 Keep your password safe:
- Do not tell your password to anyone.
- Do not let anyone observe you entering your password.
- Do not display your password in your work area or any other highly visible place.
- Change your password periodically.
- Do not reuse old passwords.
3.4 Additional security practices:
- Ensure your workstation is reasonably secure in your absence from your office.
- Always log off your system when leaving your computer unattended.
- Passwords will be changed every 180 days.
- The system will "warn staff" of a required password change 7 days in advance.
- The minimum number of characters for the password field is six alphanumeric characters.
- The system will automatically disallow passwords that contain four contiguous characters from a staff member's first or last name or social security number. (Reference: Anasazi Manual, pp. 26-27.)
- After five failed attempts to log on to the system, the system will refuse to permit access and will generate a notice to the Security Officer/Compliance Officer.

Approved 12-03
Revised 12-04
Approved 6-05

HP-2.04 HIPAA Policies and Procedures

DATA CLASSIFICATION POLICY

Purpose

The purpose of this data classification policy is to provide a system for protecting information that is critical to the organization. All employees who may encounter confidential information are expected to familiarize themselves with this data classification policy and to use it consistently.

Policy

The organization's data classification system has been designed to support the need to know, so that information will be protected from unauthorized disclosure, use, modification, and deletion. Consistent use of this data classification system will facilitate business activities and help keep the costs of information security to a minimum. Without the consistent use of this data classification system, Catholic Charities unduly risks loss of customer relationships, loss of public confidence, internal operational disruption, excessive costs, and competitive disadvantage.

Applicable Information

This data classification policy is applicable to all information in Catholic Charities' possession. For example, medical records on Clients and confidential information from suppliers, business partners, and others must be protected under this data classification policy.

Consistent Protection

Information must be consistently protected throughout its life cycle, from its origination to its destruction.
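The password rules stated in HP-2.03 above (six to twenty characters, mixed case, at least two digits or punctuation characters, no unaltered dictionary word or proper name, no part of the account identifier, no four contiguous characters from the user's name or social security number, no reuse of old passwords, a 180-day lifetime with a 7-day warning, and refusal of access with a notice to the Security Officer/Compliance Officer after five failed logons) can be written down as checks. The following is an added example in Python, not code from this manual or from the Anasazi system the manual references as enforcing these rules; the user record, the word list, and the logon attempts are constructed, and reading "any part of the account identifier" as any four-character run of the username is an assumption made here.

```python
"""Password-rule checker for the HP-2.03 rules.

Added example, not code from the Catholic Charities manual or the Anasazi
system that enforces these rules for the agency. The dictionary word list,
the user record and the logon attempts are constructed; treating "any part
of the account identifier" as any four-character run of the username is an
assumption made here.
"""
from __future__ import annotations

import string
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LEN, MAX_LEN = 6, 20          # "minimum of 6 ... maximum of 20 characters"
MIN_DIGITS_OR_PUNCT = 2           # "at least two digits or punctuation characters"
BLOCK = 4                         # "four contiguous characters" of name or SSN
MAX_FAILED_LOGONS = 5             # "after five failed attempts ..."
LIFETIME = timedelta(days=180)    # "changed every 180 days"
WARN_BEFORE = timedelta(days=7)   # "warn staff ... 7 days in advance"
DICTIONARY = {"password", "welcome", "trenton", "charity", "summer"}  # constructed stand-in


def day(iso: str) -> date:
    return date.fromisoformat(iso)


@dataclass
class User:
    username: str
    first_name: str
    last_name: str
    ssn: str                                  # digits only; constructed sample
    old_passwords: list[str] = field(default_factory=list)


def _runs(s: str, n: int) -> set[str]:
    """All lowercase substrings of length n in s."""
    s = s.lower()
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def check_password(pw: str, user: User) -> list[str]:
    """Return the rule violations for pw; an empty list means it is acceptable."""
    problems: list[str] = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("must use mixed case")
    if sum(c.isdigit() or c in string.punctuation for c in pw) < MIN_DIGITS_OR_PUNCT:
        problems.append("must include at least two digits or punctuation characters")
    low = pw.lower()
    if low in DICTIONARY or low in {user.first_name.lower(), user.last_name.lower()}:
        problems.append("must not be an unaltered dictionary word or proper name")
    if user.username.lower() in low or _runs(pw, BLOCK) & _runs(user.username, BLOCK):
        problems.append("must not contain part of the account identifier")
    personal = _runs(user.first_name, BLOCK) | _runs(user.last_name, BLOCK) | _runs(user.ssn, BLOCK)
    if _runs(pw, BLOCK) & personal:
        problems.append("contains four contiguous characters of the user's name or SSN")
    if pw in user.old_passwords:
        problems.append("reuses an old password")
    return problems


def expiry_status(set_on: date, today: date) -> str:
    """'ok', 'warn' (inside the 7-day notice window) or 'expired' (180 days reached)."""
    expires = set_on + LIFETIME
    if today >= expires:
        return "expired"
    if today >= expires - WARN_BEFORE:
        return "warn"
    return "ok"


@dataclass
class LogonGuard:
    """Counts failed logons and locks the account after the fifth."""
    failures: int = 0
    locked: bool = False
    notices: list[str] = field(default_factory=list)

    def attempt(self, password_ok: bool) -> bool:
        """Record one logon attempt; True means access is granted."""
        if self.locked:
            return False
        if password_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILED_LOGONS:
            self.locked = True
            self.notices.append("Security Officer/Compliance Officer: account locked after 5 failed logons")
        return False


if __name__ == "__main__":
    u = User("jsmith", "John", "Smith", "123456789", old_passwords=["Old!Pass1"])
    for candidate in ("Tr3nt0n!Jm", "smith123", "Welcome", "Old!Pass1"):
        print(candidate, check_password(candidate, u) or "acceptable")
```

The checker reports every violated rule rather than stopping at the first, which is what a help-desk message to the user needs; the lockout object keeps the notice separate from the grant/deny result so the notification can be routed to the officers named in the policy.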
Information must be protected in a manner commensurate with its sensitivity, regardless of where it resides, what form it takes, what technology was used to handle it, or what purpose(s) it serves. Although this policy provides overall guidance, to achieve consistent information protection workers will be expected to apply and extend these concepts to fit the needs of day-to-day operations.

Classification Labels

Public: This classification applies to information that is available to the general public and intended for distribution outside the organization. This information may be freely disseminated without potential harm. Examples include product and service brochures, advertisements, job opening announcements, and press releases.

For Internal Use Only: This classification applies to all other information that does not clearly fit into the other classifications. The unauthorized disclosure, modification, or destruction of this information is not expected to seriously or adversely impact the organization, its Clients, its employees, or its business partners. Examples include the company telephone directory, new employee training materials, and internal policy manuals.

Confidential: This classification applies to the most sensitive medical and business information that is intended strictly for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization, its Clients, its employees, and its business partners. Examples are statutorily protected medical information such as mental health treatment, HIV testing, sexually transmitted disease, and alcoholism or substance abuse treatment data. Other examples are personnel files or correspondence with legal counsel.

HP-2.05 HIPAA Policies and Procedures

SOFTWARE/HARDWARE POLICY

Policy

The success of our organization depends on the quality and upkeep of our software and hardware.
Without an effective software/hardware policy in place, Catholic Charities cannot adequately protect these expensive and vital investments. With this in mind, Catholic Charities has created this software/hardware policy, which outlines the acceptable use of both software and hardware, defines standard software and hardware equipment, and explains the penalties for inappropriate use of organizational software and hardware.

Acceptable Use

This section defines the boundaries for the "acceptable use" of Catholic Charities electronic resources, including software, hardware devices, and network systems. Hardware devices, software programs, and network systems purchased and provided by Catholic Charities are to be used only for creating, researching, and processing Catholic Charities-related materials. By using Catholic Charities hardware, software, and network systems you assume personal responsibility for their appropriate use and agree to comply with this policy and other applicable Catholic Charities policies, as well as state and federal laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Software

All software acquired for or on behalf of Catholic Charities, or developed by Catholic Charities employees or contract personnel on behalf of Catholic Charities, is and shall be deemed Catholic Charities property. All such software must be used in compliance with applicable licenses, notices, contracts, and agreements.

Purchasing

All purchasing of Catholic Charities software shall be centralized with the Information Technology Department to ensure that all applications conform to corporate software standards and are purchased at the best possible price. All requests for corporate software must be submitted to the Program Director/Division Director of that department for approval.
The request must then be sent to the Information Technology Manager, who will then determine the standard software that best accommodates the desired request. All software must be purchased and installed by the IT Department. Licensing All software is licensed to Catholic Charities and Catholic Charities will follow all applicable licenses, contracts, and agreements regarding software utilization. 96 Software standards The following list shows the standard suite of software installed on Catholic Charities computers (excluding test computers) that is fully supported by the Information Technology Department: Microsoft Office Suite (Excel, Word, Access & PowerPoint) Anasazi Blackbaud ABRA Microsoft Outlook Employees needing software other than those programs listed above must request such software from the Information Technology Manager. Each request will be considered on a case-by-case basis in conjunction with the software-purchasing section of this policy. Hardware All hardware devices acquired for or on behalf of Catholic Charities or developed by Catholic Charities employees or contract personnel on behalf of the Catholic Charities is and shall be deemed Catholic Charities property. All such hardware devices must be used in compliance with applicable licenses, notices, contracts, and agreements. Purchasing All purchasing of Catholic Charities computer hardware devices shall be centralized with the Information Technology Department to ensure that all equipment conforms to corporate hardware standards and is purchased at the best possible price. All requests for corporate computing hardware devices must be submitted to the Program Director/Division Director of that department for approval. The request must then be sent to the Information Technology Manager, which will then determine standard software that best accommodates the desired request. All hardware must be purchased and installed by the IT Department. 
Hardware Standards Hardware standards: Current market standards. Employees needing computer hardware other than what is stated above must request such hardware through their Division Director and then from the Information Technology Department. Each request will be considered on a case-by-case basis in conjunction with the hardware-purchasing section of this policy. Outside Equipment No outside equipment may be plugged into Catholic Charities network without the Information Technology Manager’s permission. 97 Re-use of Media The Information Technology Department is responsible for re-furbishing computer media prior to re-use. Staff is responsible for erasing disks prior to re-use. This process will assure that reused media is free of confidential information. Disposal of Hardware and Software The Information Technology Department will utilize current industry standards for disposal of hardware and software. Encryption and Decryption The IT Department utilizes 128-bit encryption/decryption as well as firewalls in order to safeguard information. Confidentiality It is the policy of Catholic Charities that all personnel must preserve the integrity and the confidentiality of all client information regardless of the media utilized. Personnel will treat all client information in accordance with all Catholic Charities Policies, professional standards, federal, state, and accrediting agencies requirements governing confidentiality and privacy. Personnel will use their best effort to ensure the accuracy, timeliness, and completion of data in order to ensure the integrity of the data as well as the privacy and confidentiality. Violations and penalties Penalties for violating the Software/Hardware Policy will vary depending on the nature and severity of the specific violation. 
Any employee who violates the Software/Hardware Policy will be subject to:
- Disciplinary action as described in the Catholic Charities employee handbook, including but not limited to reprimand, suspension, and/or termination of employment.
- Civil or criminal prosecution under federal and/or state law.

Acknowledgment of Software/Hardware Policy

This form is used to acknowledge receipt of and understanding of the Catholic Charities Software/Hardware Policy.

Procedure

Complete the following steps:
1. Read the Software/Hardware Policy.

HP-2.06 HIPAA Policies and Procedures
POLICY ON WORKSTATION USE

Introduction

Catholic Charities has adopted this Policy on Workstation Use to protect the confidentiality and integrity of confidential Protected Health Information as required by law, professional ethics, HIPAA and accreditation requirements. All personnel of Catholic Charities that use computer terminals must be familiar with the contents of this policy and follow its guidance, as appropriate, when using computer equipment. Familiarity with the plan and demonstrated competence in the requirements of the plan are an important part of every employee's responsibilities.

Assumptions

- Every computer workstation in Catholic Charities is vulnerable to environmental threats, such as fire, water damage, power surges, and the like.
- Any computer workstation in Catholic Charities can access confidential patient information if the user has the proper authorization.
- All computer screens cannot be visible to individuals who do not have access to the confidential information that may appear on the screen.

Preventative Measures

- All computer users will monitor the computer's operating environment and report potential threats to the computer and to the integrity and confidentiality of data contained in the computer system. For example, if air conditioning fails and the temperature around the computer could exceed a safe level, the user must immediately notify the Information Technology Department and the person in the program responsible for maintenance.
- All computers plugged into an electrical power outlet will use a surge suppressor approved by the Information Technology Department.
- All personnel using computers will familiarize themselves with and comply with Catholic Charities disaster plans, and take appropriate measures to protect computers and data from disasters.
- Personnel using computers will not eat or drink at the terminal, to prevent damage due to spills and food debris.
- Personnel logging onto the system will ensure that no one observes the entry of their password.
- Personnel will neither log onto the system using another's password nor permit another to log on with their password. Personnel will not enter data under another person's password. Please refer to the Password Protection Policy.
- After five failed attempts to log on, the system will refuse to permit access and generate a notice to the system administrator.
- Each person using Catholic Charities computers is responsible for the content of any data he or she inputs into the computer or transmits through the agency's system. No person may hide his or her identity as the author of the entry or represent that someone else entered the data or sent the message.
- All personnel will familiarize themselves with and comply with the agency's computer, e-mail, telephone, Internet, and fax policy.
- No employee may access any confidential client information or other information that they do not have a need to know. No employee may disclose confidential patient or other information unless properly authorized (see the Confidentiality Policy and the Disclosure Policy).
- Employees must not leave printers unattended when they are printing confidential client information or other information. This rule is especially important when two or more computers share a common printer or when the printer is in an area where unauthorized personnel have access to the printer.
- Employees may not use the Catholic Charities system to solicit for outside business ventures, organizational campaigns, or political or religious causes. Nor may they enter, transmit, or maintain communications of a discriminatory or harassing nature or materials that are obscene or x-rated. No person shall enter, transmit, or maintain messages with derogatory or inflammatory remarks about an individual's race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition. No person shall enter, maintain, or transmit any abusive, profane, or offensive language. Such transmissions will result in disciplinary actions, up to and including termination.
- Personnel using the computer system will not write down their password and place it at or near the terminal, such as putting their password on a yellow "sticky" note on the screen or on a piece of tape under the keyboard.
- Each computer will be programmed to generate a screen saver when the computer receives no input for a specified period. Supervisors may specify an appropriate period to protect confidentiality while keeping the computer available for use.
- Users must log off the system if they leave the computer terminal for more than 30 minutes and must log off when leaving the premises.
- No personnel may download data from the Catholic Charities system onto diskette, CD, hard drive, fax, scanner, any network drive or any other hardware, software, or paper without the express permission of the department head with notice to the Information Technology Manager.
- No personnel may download any software without express written permission of the Information Technology Manager. The Information Technology Manager must approve any software that an employee wishes to download. This rule is necessary to protect against the transmission of computer viruses into Catholic Charities' system.

Enforcement

All supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to disciplinary actions, up to and including termination from employment, professional discipline, or criminal prosecution in accordance with the Catholic Charities Sanction Policy.

Approved 12-03
Revised 12-04
Approved 6-05

HP-2.07 HIPAA Policies and Procedures
VIRUS PREVENTION POLICY

Purpose

This policy is designed to protect Catholic Charities equipment and networks from the potential threat of software virus intrusion and infection. The policy is specifically designed to deal with:
- Boot track and partition table viruses.
- Executable file viruses.
- Multipartite, parasitic, stealth, polymorphic and other viruses.
- Conventional macro viruses.
- Active communication-enabled viruses, trojans, and worms, as well as those that may utilize future vectors.
- Malicious code which has been compressed by a 32-bit compressor.
- Self-updating malicious code.

Controls outlined in this policy are characterized as either primary controls or synergistic controls. Primary controls are the most important and effective stand-alone preventative technique and constitute Catholic Charities' principal policy recommendations for organizations. Synergistic controls function in a way that is analogous to the military strategy of defense-in-depth, which provides for redundancy and failure of particular controls. When operating alone, individual policies, controls or screens may have limited value, but synergistically they can be quite effective. When used in conjunction with other synergistic controls, serial screens tend to behave according to Bayes' theorem. Their cumulative effect tends to improve with the use of each control, and their use tends to enhance the effectiveness of other, primary, controls.
Catholic Charities recommends the use of all synergistic controls that a site can easily implement without infringing on other business or clinical productivity.

Desktop Systems

1. Catholic Charities Recommended Primary Controls at Desktop Anti-Virus Level

These controls will be implemented by the Information Technology Department unless otherwise indicated:

1.1 Install certified anti-virus software on all desktop and laptop PCs and workstations.
1.2 Subscribe to the alert service and virus definition file update service provided by the software vendor. Continuous monitoring of the software vendor's site for updates will be the responsibility of a designated Information Technology Department staff member.
1.3 Desktop anti-virus software (virus signatures) will be updated automatically through the use of network software policies. No user intervention will be required.
1.4 Perform emergency updates within one business day after an alert.
1.5 Implement the following desktop/laptop/workstation anti-virus software configuration:
- Enable full-time, background, real-time, auto-protect or similar mode.
- Enable start-up scanning of memory, master/boot records, and system files.
- Configure scanning/checking options to include checking of all files.
- Enable logs for all desktop virus-related activity.
1.6 Subscribe to alert services from office productivity suite vendors and install all recommended security updates automatically through the use of network software policies.
1.7 Additional notes on desktop level policies: Alerts to users are neither recommended nor discouraged. However, system administrator alerts, logs, or other advisories are to be continuously enabled. If user alerts are enabled, user controls over the anti-virus software will be set to minimum levels to prevent users from "canceling" a virus alert. User-driven scanning policies, such as requesting users to scan floppies, downloads or hard drives, are not recommended, as they are generally more expensive and intrusive than useful.

2. Catholic Charities Recommended Synergistic Controls at the Desktop Level

These controls will be implemented by the Information Technology Department unless otherwise indicated:

2.1 Enable Macro Virus Protection in Microsoft Office© programs.
2.2 Use the anti-virus software heuristic controls (in full-time background mode where available).

3. Synergistic Controls at the E-Mail Client Level

3.1 Turn off auto-open attachments.
3.2 Configure for plain text only.
3.3 Configure to challenge execution of all *.EXE, *.HTA, *.VBS and other executable attachments.
3.4 Configure to challenge opening of all *.doc and *.xls (and potentially *.ppt) files.
3.5 Configure to challenge double-click of all attachments.
3.6 Do not store the "ALL" company alias in local e-mail lists.

Network File and Print Servers

1. Primary Control at Inside Server Level

1.1 Run the anti-virus scanner in full-time, background, automatic, auto-protect or similar mode on any file server which potentially stores files that are potentially infectable, such as *.doc files and executables which run on desktops.
1.2 Update server signatures as notified via the software vendor's subscription service/alert service.

2. Synergistic Controls at the Inside Server Level

2.1 Utilize centralized anti-virus management.
2.2 Utilize centralized desktop management.
2.3 Manage Internet Explorer© and Visual Basic© Scripting centrally.

E-Mail Gateways, Firewalls, Other Gateways and Anti-Spam Tools

1. Catholic Charities Primary Control at the Gateway Level

1.1 Install e-mail gateway anti-virus software configured for full-time active mode.
1.2 Configure anti-virus software to check/scan all files.
1.3 Filter all arriving (and departing, if possible) e-mail traffic by subject line/header.
1.4 Be prepared to rapidly adjust filtering rules based on security notices, software vendor alerts, user reports, etc.

2. Gateway Level, Potential Synergistic Controls

2.1 Filter all arriving and departing e-mail by spam threshold (greater than 40 identical messages blocked and source traced, if inside).
2.2 Filter all *.exe attachments and similar.
2.3 Filter ActiveX© and JavaScript©.

Human Factors, Potential Synergistic Controls

1. Educate users to consider e-mail attachments and links potentially dangerous and to treat them very cautiously. Specifically recommended education: open only expected attachments and links from known and trusted sources; delete or question all others before opening.
2. Keep system managers updated and informed.
3. Reinforce the message to users to never double-click an e-mail attachment that is not expected. This policy is difficult since the affected (malicious) e-mail will normally come "From" a trusted person. (Well informed users can be taught that *.doc, *.exe, *.vbs, and *.hta extensions are the most likely to be dangerous.) Desktop anti-virus software will normally work if it is kept updated and properly configured to operate full-time in the background.
4. Users that experience more than 2 anti-virus alerts in a 30-day period may be categorized as "high risk" users. Depending upon the source and nature of the infection, high risk users will be subject to the following policy:
- Disabling of e-mail and/or Internet access.
- Disabling of external drives such as CD-ROM drives, floppy drives, ZIP drives, tape drives, etc.

Contact Point

Questions about this policy may be directed to the Information Technology Manager.

Disciplinary Process

Violation of these policies may subject employees or contractors to disciplinary procedures up to and including termination.
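The e-mail client and gateway controls in this policy (challenging or filtering executable and Office attachments, filtering by subject line, and the spam threshold of more than 40 identical messages with the source traced when it is inside) can be expressed as a small set of screening rules. The Python block below is an added example written for this page; it is not Catholic Charities' gateway configuration or any vendor's code. The internal domain (taken from the everyone@cctrenton.org address elsewhere in this manual), the extra "similar" executable extensions beyond .exe/.hta/.vbs, and the sample messages are assumptions or constructed data.

```python
"""Mail screening rules modelled on the HP-2.07 e-mail client and gateway
controls.  Added example for this page, not the organization's own
configuration; the internal domain, the extra executable extensions and the
sample traffic are assumptions or constructed data."""
from collections import Counter
from dataclasses import dataclass, field
import hashlib
import os
import re

# Extensions the policy names explicitly (.exe, .hta, .vbs) plus a few that are
# commonly treated the same way; the additions are an assumption.
EXECUTABLE_EXTS = {".exe", ".hta", ".vbs", ".scr", ".pif", ".bat", ".cmd"}
# Office formats the policy says should be challenged before opening.
OFFICE_EXTS = {".doc", ".xls", ".ppt"}
SPAM_THRESHOLD = 40                 # policy: more than 40 identical messages
INTERNAL_DOMAIN = "cctrenton.org"   # assumed internal domain


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def fingerprint(msg: Message) -> str:
    """Hash of the whitespace-normalised subject and body; identical messages
    (the flood case) share a fingerprint."""
    norm = re.sub(r"\s+", " ", (msg.subject + "\n" + msg.body).strip().lower())
    return hashlib.sha256(norm.encode()).hexdigest()


def screen_message(msg: Message, blocked_subjects=()) -> list[str]:
    """Per-message findings.  'filter:' findings block, 'challenge:' findings
    ask the user before opening; an empty list means no rule fired."""
    findings = []
    for name in msg.attachments:
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTS:
            findings.append(f"filter:executable:{name}")
        elif ext in OFFICE_EXTS:
            findings.append(f"challenge:office:{name}")
    subject = msg.subject.lower()
    if any(pattern in subject for pattern in blocked_subjects):
        findings.append("filter:subject")
    return findings


def screen_batch(msgs, blocked_subjects=()):
    """Screen a batch of messages.

    Returns (actions, flood_sources): actions[i] is "deliver", "challenge" or
    "block" for msgs[i]; flood_sources lists internal senders responsible for
    a flood of identical messages (the policy's "source traced, if inside")."""
    prints = [fingerprint(m) for m in msgs]
    counts = Counter(prints)
    flood_sources = set()
    actions = []
    for m, fp in zip(msgs, prints):
        findings = screen_message(m, blocked_subjects)
        if counts[fp] > SPAM_THRESHOLD:
            findings.append("filter:flood")
            if m.sender.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN:
                flood_sources.add(m.sender)
        if any(f.startswith("filter:") for f in findings):
            actions.append("block")
        elif findings:
            actions.append("challenge")
        else:
            actions.append("deliver")
    return actions, sorted(flood_sources)


def demo():
    """Constructed sample traffic: a 41-message flood from an internal sender,
    an executable attachment, an Office document, and a clean message."""
    flood = [Message("kiosk@cctrenton.org", "Re: your account",
                     "Please open the attached file.")
             for _ in range(SPAM_THRESHOLD + 1)]
    batch = flood + [
        Message("vendor@example.net", "Invoice", "See attached.", ["invoice.exe"]),
        Message("partner@example.org", "Draft", "Comments welcome.", ["draft.doc"]),
        Message("staff@cctrenton.org", "Lunch", "Noon in the break room."),
    ]
    return screen_batch(batch)


if __name__ == "__main__":
    actions, sources = demo()
    print(Counter(actions), sources)
```

The flood rule works on a content fingerprint rather than on the sender, because the policy counts identical messages regardless of who relays them; the sender only matters for the "source traced, if inside" step.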
Approved 12-03
Approved 6-05

HP-2.08 HIPAA Policies and Procedures
ACCESS, CONTROL, AND VALIDATION

Policy

To protect PHI (protected health information) from improper access, unauthorized access, disclosure, and destruction by defining user-based/role-based access that is based on a need to know. This policy defines policies and procedures for verifying access prior to granting physical access and will validate the access privileges of an employee prior to granting such privileges.

Need to Know

A user has access only to data that he or she needs to perform a particular function.

Privacy and Security Hierarchy

The Anasazi Central System accommodates the following privacy/security functionality:

1. Level 1A: ability to designate which staff members can log in. The staff that are permitted to log in are established through the Staff Maintenance view. This view allows for entering future login dates. This view also permits the entering of a future Login and Expiration Date. For example, if a staff member will terminate employment next Wednesday, the system will proactively set his/her Login expiration date, which will expire on that Wednesday at midnight.

2. Level 1B: ability to designate which staff members can have client activity recorded for them. This would indicate if they performed a service, signed an assessment or are the primary server for an assignment.

3. Level 2B: ability to designate which views each staff member can access and the degree of access to each. These views can only be launched by staff that are specifically designated as having access to Security Views and further require the Staff Password in order to be launched. The system allows for entering a future Expiration Date for this access.

4. Level 3: ability to designate which clients each staff member can access. The system supports the need-to-know concept as it relates to access to client information. The following client access designations are available:
- All clients (Restricted category; System Administrator approval only)
- Only clients that are currently open to a Unit/Subunit to which the staff member has access
Staff utilizing the report writer do not have access to all clients. If a report is queried for a range of clients, the message "Clients constrained by Staff Access" will print in the heading.

5. Level 4: ability to designate which units/subunits each staff member can access. This limits staff's access to their units/subunits only. This control will prevent certain client activity from being entered, displayed, processed and reported at Units/Subunits to which the staff member does not have access.

6. Level 5A: ability to designate which staff members can add clients. Only a defined set of staff members has the capacity to add new clients. This approval is done through the System Administrator.

7. Level 5B: ability to designate which staff members can and cannot add treatment sessions and Assignments for clients. Adding treatment sessions and assignments has special consideration related to the fact that staff members commonly cannot access clients that are not on their caseload, and as such cannot put clients on their caseload. The following designations are permitted for staff:
- Staff may add treatment sessions and assignments for all clients

8. Level 5C: ability to designate which staff members can carry a caseload. The staff members who may carry a caseload are established through the Staff Maintenance view. This control allows or prevents the staff member from being designated as a Primary Server for an Assignment and further allows or prevents the staff member from being made a member of a treatment team.

9. Level 6A: ability to designate which client assessments can be accessed by staff members. Within the Assessment and Treatment Planning View, staff members have access to the clients on their Home page. The category of treatment functionality controls which Assessments the staff member can display/access for those clients. For each category of Treatment to which a staff member has access, the degree of access is designated as Show or Add.

10. Level 6B: ability to designate which pages on the Client Assessments can be accessed by staff members. The Assessment and Treatment Planning view provides for designating the credentials that a staff member must have in order to access Pages on Assessments.

11. Level 6C: ability to designate which questions on the client assessment can be accessed by staff members. Parameters are established as follows:
- Administrative Access: staff can neither access clinical questions nor final approve Assessments/Treatment Plans with Clinical Questions.
- Clinical Access: staff can access clinical questions and final approve Assessments/Treatment Plans with clinical questions.
- Transcription Access: staff can access clinical questions but cannot final approve Assessments/Treatment Plans with Clinical Questions.

Reporting

A record of every report that has been run is permanently saved.

Staff Homepage Access

Staff may navigate to another staff member's Homepage (i.e. vacation coverage, etc.). The ability to do so is controlled as follows:
- Clinical Administrators may navigate to any staff member's Homepage.
- Staff may navigate to the Homepage of a subordinate in the Supervisor Tree.
- Staff may navigate to the Homepage of a staff member to whom they have been granted Homepage Guest Access.

Intake Workers

Before an assignment is opened for a new client or for a client that was previously closed, the client is not displayed on any staff member's caseload or Homepage. Clients are generally initially entered through an Intake Process, and intakes are performed by a defined set of Intake Workers at a defined set of Units/Subunits. The system allows the Intake Worker at each Unit/Subunit to be designated. Staff members are designated as Intake Workers and have the ability to record a "Pre Intake" for a client. Clients which are in the Pre Intake process will display on the Intake Workers' Homepage and will be displayed on the Refer to Pre-Intake staff member's Homepage, which will grant rights to that staff member to open an Assignment for the client and as such to permanently place the client on a Caseload/Homepage.

Treatment Teams

Establishing treatment teams is a means to indicate that more than one staff member is treating a client. The system provides for establishing Permanent Treatment Teams for which a team leader and team members are designated.

Supervisory Tree

The Supervisory Tree is a means to indicate the line of supervision. The usage is as follows:
- A supervisor can access a subordinate's Homepage.
- A supervisor can grant both Homepage and Client Guest Access to a subordinate's Homepage/Clients.
- A single staff member can be subordinate to multiple supervisors.

Breaking the Glass

The Assessment and Treatment Planning system provides a means to "Break the Glass". Breaking the Glass is a means to, in a crisis situation, put a particular client on the Homepage of a staff member for whom that client ordinarily would not be displayed. This Break the Glass will appear on the Privacy/Security Officer's Homepage along with any other abnormal disclosure authorizations, etc.

Password (see password policy)

- Requirement that passwords are to be changed every 180 days.
- Warns staff 14 days before a required password change.
- Minimum number of characters for a password is 6.
- Utilizes restricted passwords: automatically disallows passwords that contain four contiguous characters from the staff member's first or last name.
- Maximum number of login attempts: 3 attempts only. (After that, the staff member will need to contact the Point Person, and the Point Person will contact the System Administrator for a new temporary Anasazi Live/Train password.)
- Generates reports concerning any security issues (failed login attempts, breaking the glass, etc.).
- Maximum Days for a Temporary Guest Privilege is 7.
- Guest Access Latency Days is 7.
- Assignment Close Latency Days is 7.

Monitoring and Audit Control

The System Administrator will monitor the following:
- Login attempt failures
- Break the Glass
- Unauthorized Users in Anasazi
- Anasazi Security Incidents
- Anasazi Use and Management Report

The IT Department will monitor the following:
- Login attempt failures
- Unauthorized Users
- Security Incidents
- Staff accessing inappropriate sites
- Internet Usage

The Security Officer and the Privacy Officer will review any security incidents and will review such incidents with Senior Management.

Approved 12-03
Revised 12-04
Approved 6-05

HP-2.09 HIPAA Policies and Procedures
TERMINATION PROCESS

Purpose

To protect the privacy and security of client-related information as well as Catholic Charities business information, all employees whose employment ends or whose job classification changes so that they no longer have access to client information or business information will have their user IDs, user accounts and access permissions immediately removed from the system.

Procedure

1. Upon knowledge of an employee's termination or change in job description that no longer requires access to client information and Catholic Charities business information, the employee's immediate supervisor is responsible for immediately notifying the Information Technology (IT) Department.
2. The New Employee Hire/Termination e-mail form will be completed and e-mailed to the IT Department.
3. The Information Technology staff will immediately remove the employee's user ID, user account and access permissions from the system.
4. If the employee has in his/her possession any Catholic Charities equipment, it shall be returned to the IT Department prior to the employee's last day of employment or last day in the position that required the equipment.
5. The IT Department staff will check all equipment to assure it is in good repair and to assure the return of all equipment.
6. The IT Department will check with the Program Director prior to deleting any information from the equipment.

Approved 12-03
Reviewed 6-05

HP-2.10 HIPAA Policies and Procedures (aka AP-4.05)
COMPUTER, E-MAIL, AND INTERNET USAGE POLICIES

This document sets forth Catholic Charities' policies with regard to computer, e-mail, and Internet usage, including access to, review or disclosure of e-mail messages sent or received by Catholic Charities' employees, and Internet access and usage. Catholic Charities reserves the right to modify or update these policies at any time. Use of the computer system, e-mail system, or the Internet in violation of these policies or other Catholic Charities' policies is a serious violation and can result in a loss of access, disciplinary action (including termination), or other legal actions. All employees and volunteers will be required to read the Computer, E-Mail, and Internet Usage Policies and sign the Acknowledgement of Understanding (Attachment A).

1. Use for Business Purposes Only; Catholic Charities' Access and Review

1.1 Catholic Charities' Computer Systems. The Catholic Charities computer system, e-mail system, and Internet access are provided to approved employees at Catholic Charities' expense solely to assist them in carrying out Catholic Charities' business. The e-mail system permits employees to communicate with each other internally and with selected outside individuals and companies. Internet access permits approved employees to use resources at appropriate Internet sites to help them perform their duties and carry out Catholic Charities' business. Catholic Charities owns, maintains and is responsible for the computer system.
Employees must limit use of the computer system, including e-mail and access to the Internet, to the business purposes of Catholic Charities and only to obtain and transmit information in accordance with Catholic Charities' policies and procedures.

1.1.1 In order to maintain the integrity and the security of Catholic Charities' Information Technology (IT) infrastructure, software and databases, Internet access will be used only for the business purposes of Catholic Charities. Access to Anasazi and Outlook e-mail is available to all Catholic Charities' employees. Any staff member requiring access to the Internet beyond Anasazi and Outlook e-mail will require justification and approval from the Program Director, the Division Director/Department Head, and the IT Manager. (See Attachment B: Request for Internet Access form.)

1.2 Access and Review of E-Mail Communications and Internet Usage. Catholic Charities treats all messages sent, received or stored in the e-mail system as business messages. Catholic Charities has the capability to access, review, copy, and delete any messages sent, received, or stored on the e-mail system. Catholic Charities has the ability to access deleted messages. Catholic Charities has the capability to monitor employees' Internet usage, including the time spent on-line and the sites accessed. Catholic Charities reserves the right to monitor, access, review, audit, intercept, use, copy, or delete e-mail messages of any kind for any purpose and to disclose them to any party (inside or outside Catholic Charities). Catholic Charities reserves the right to review files and communications to maintain system integrity and ensure that users are using the system appropriately, responsibly and in accordance with Catholic Charities' policy and procedures.

1.3 E-Mail Etiquette. Employees should bear in mind that their e-mail messages may be read by someone other than the person to whom they are addressed and may even someday have to be disclosed to outside parties or a court in connection with litigation. Accordingly, employees are directed to ensure that their messages are courteous, professional and businesslike. E-mail messages, once sent, are usually irretrievable. Employees should be sensitive to the fact that, in the absence of an explanation, e-mail messages may be ambiguous and convey the wrong impression. This is of specific concern when a message is being forwarded to multiple recipients. Rather than quickly sending messages without adequate review, employees should consider printing the messages and reading them prior to distribution to ensure that their content is completely appropriate. The "everyone@cctrenton.org" address is to be used for business purposes only.

1.4 E-Mail and Confidentiality of Protected Health Information. At no time should any protected health information of any client be transmitted via electronic mail outside of the Catholic Charities network unless it is encrypted. Due care shall be used when transmitting private health information of any client by electronic mail within the Catholic Charities internal network, to prevent the transmittal and/or receipt of such information by any staff member not authorized to have access to the information. Staff members shall not forward to any third party outside of Catholic Charities any e-mail messages that contain any form of individually identifiable health information, unless expressly authorized by the client on a signed authorization for use/disclosure of health information form.
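The rule in 1.4 that protected health information may leave the Catholic Charities network only when encrypted is the kind of check an outbound mail gateway can enforce mechanically. The Python block below is an added example written for this page, not the organization's own mail rules. It assumes that something upstream (a classifier or the sender's client) has already tagged PHI-bearing messages with a constructed X-Contains-PHI header, that cctrenton.org (the domain visible elsewhere in this manual) is the only internal domain, and that "encrypted" means S/MIME enveloped data (the standard application/pkcs7-mime content type); the sample messages are constructed. Whether a client has signed an authorization form is paperwork the gateway cannot see, so that part of the rule is not modelled.

```python
"""Outbound-mail check for the HP-2.10 section 1.4 rule: PHI may leave the
network only if encrypted.  Added example for this page, not the
organization's own configuration.  The X-Contains-PHI marker, the internal
domain set and the sample messages are assumptions or constructed data."""
from email.parser import Parser
from email.utils import getaddresses

INTERNAL_DOMAINS = {"cctrenton.org"}   # assumed: the only internal domain
PHI_HEADER = "X-Contains-PHI"          # constructed marker set upstream


def parse(raw: str):
    """Parse an RFC 822 message from text (stdlib parser, compat32 policy)."""
    return Parser().parsestr(raw)


def recipients(msg) -> list[str]:
    """Every address in To/Cc/Bcc, display names stripped, lower-cased."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _name, addr in getaddresses(raw) if addr]


def is_external(addr: str) -> bool:
    """True when the address's domain is not one of ours."""
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def is_encrypted(msg) -> bool:
    """True for an S/MIME enveloped (encrypted) message."""
    return (msg.get_content_type() == "application/pkcs7-mime"
            and msg.get_param("smime-type", "") == "enveloped-data")


def decide(msg):
    """Return ("deliver", reason) or ("block", reason) for one outbound message.

    The order of the checks matters: a message with no PHI marker is never
    held, internal-only PHI traffic is allowed (section 1.4 asks for due care,
    not encryption, inside the network), and PHI addressed to anyone outside
    passes only when the whole message is encrypted."""
    contains_phi = msg.get(PHI_HEADER, "").strip().lower() == "yes"
    external = [r for r in recipients(msg) if is_external(r)]
    if not contains_phi:
        return "deliver", "no PHI marker"
    if not external:
        return "deliver", "PHI stays on the internal network"
    if is_encrypted(msg):
        return "deliver", "PHI to external recipients but S/MIME encrypted"
    return "block", "unencrypted PHI to external recipients: " + ", ".join(external)


# Constructed sample messages exercising each branch of decide().
SAMPLES = {
    "internal": (
        "From: worker@cctrenton.org\n"
        "To: Case Worker <colleague@cctrenton.org>\n"
        "Subject: Client follow-up\n"
        f"{PHI_HEADER}: yes\n"
        "Content-Type: text/plain\n\n"
        "Notes from today's session attached.\n"),
    "external_plain": (
        "From: worker@cctrenton.org\n"
        "To: colleague@cctrenton.org\n"
        "Cc: Outside Clinician <doctor@example.org>\n"
        "Subject: Client follow-up\n"
        f"{PHI_HEADER}: yes\n"
        "Content-Type: text/plain\n\n"
        "Notes from today's session attached.\n"),
    "external_smime": (
        "From: worker@cctrenton.org\n"
        "To: doctor@example.org\n"
        "Subject: Client follow-up\n"
        f"{PHI_HEADER}: yes\n"
        "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; "
        "name=\"smime.p7m\"\n"
        "Content-Transfer-Encoding: base64\n\n"
        "MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=\n"),   # placeholder ciphertext, constructed
    "no_phi_external": (
        "From: worker@cctrenton.org\n"
        "To: vendor@example.net\n"
        "Subject: Meeting time\n"
        "Content-Type: text/plain\n\n"
        "Does 2pm still work?\n"),
}


def demo():
    """Run decide() over the constructed samples; returns {name: (action, reason)}."""
    return {name: decide(parse(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:16s} {action:8s} {reason}")
```

Checking the whole-message content type rather than looking for an encrypted attachment is deliberate: a plain-text message that merely carries an encrypted file still exposes its subject and body, which is why the rule treats only a fully enveloped message as "encrypted".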
Catholic Charities will incorporate e-mail messages sent or received that concern the diagnosis or treatment of a client, or payment for treatment, into the client’s chart and/or billing file, and shall maintain such information with the same degree of confidentiality as the remainder of the client’s chart and billing file.
1.5 Storing and Deleting E-Mail Messages. Catholic Charities strongly discourages the storage of large numbers of e-mail messages, for several reasons. First, because e-mail messages may contain confidential information, it is desirable to limit the number, distribution, and availability of such messages. Second, retention of messages consumes storage space on the network and on personal computer hard disks, and can slow down the performance of both the network and individual personal computers. Finally, in the event that Catholic Charities needs to search the network server, back-up tapes or individual hard disks for important documents, the fewer documents it has to search through, the easier the search will be. Accordingly, employees should regularly delete any e-mail messages they send or receive that no longer require action or are not necessary to an ongoing project. Employees should audit their stored e-mail messages periodically to identify messages that are no longer needed and should be deleted.
2. Permitted and Prohibited Uses
2.1 Use Limited to Catholic Charities’ Business Purposes. The computer system, e-mail system, and Internet access may be used only to support and promote Catholic Charities’ business objectives. The use of computers and Internet access through Catholic Charities’ system is a privilege, not a right, and may be revoked. Use of the computer system, e-mail system, or the Internet in violation of these policies can result in disciplinary action.
Therefore, for example, employees may not:
2.1.1 intentionally waste limited computer resources;
2.1.2 engage in activities that have the potential to disrupt the business environment of the workplace;
2.1.3 engage in actions that damage computers, computer systems or computer networks;
2.1.4 use the computer system for commercial purposes, for personal gain or profit, or to engage in illegal activity;
2.1.5 use the e-mail system to copy and/or transmit any documents, software, or other information protected by the copyright laws;
2.1.6 use their Catholic Charities-provided Internet address when communicating personal viewpoints on the Internet, unless approved by Catholic Charities’ Senior Management; or
2.1.7 use the computer system to access, view, store or distribute obscene, offensive, harassing, discriminatory, or otherwise objectionable files.
2.2 E-Mail Use. E-mail messages, whether created inside Catholic Charities or created outside Catholic Charities and transmitted within Catholic Charities or from Catholic Charities to other sites, can generate claims of defamation, harassment, and discrimination. Therefore, employees may not:
2.2.1 use the e-mail system to engage in any communications that are in violation of any policy; or
2.2.2 use the e-mail system to transmit or display defamatory, obscene, intimidating, offensive or harassing messages or pictures, or messages that disclose personal information without authorization.
2.3 Internet Use. An approved employee accessing the Internet from a Catholic Charities site is responsible for all on-line activities that take place through the use of his or her login and password. When using another organization’s networks or computing resources, employees must comply with the rules appropriate for that network.
Those employees with Internet access privileges may not:
2.3.1 access inappropriate websites, including those involving gambling, pornography, or obscene materials;
2.3.2 obligate Catholic Charities financially to any commercial web-sites without the express permission of the IT Manager; or
2.3.3 use the Internet from a Catholic Charities site to engage in the practice of moonlighting or for any commercial purposes, advertising or other similar activities.
3. Computer System Security
3.1 Importance of System Security. Catholic Charities is obligated to maintain the confidentiality of its own information, of client information and of communications with clients. As a consequence, all users of the computer system must take steps to ensure the security of the system and to maintain the confidentiality of all information on the system or communicated through the use of the system. Each employee is responsible for what happens under his or her login name. Violations of security policies are considered serious violations and can result in disciplinary action.
3.2 Passwords and User Logon IDs. Passwords and user logon IDs are unique to each authorized user and will be assigned by the IT Department. Passwords must be kept private. They must not be shared, coded into programs, or written down. In order to protect against dissemination of confidential information, employees should not access their e-mail messages for the first time in the presence of others. E-mail windows should not be left open on the screen when the computer is unattended. E-mail passwords (as well as other computer passwords) should be routinely changed.
3.3 Computer Viruses. Computer viruses can be introduced into the system through the receipt of e-mails, e-mail attachments or files from other systems. Exercise particular care when opening files attached to e-mails from unknown senders. Employees must pay attention to and strictly comply with all warnings and instructions of the IT Department relating to viruses.
Employees must immediately inform the IT Department of the presence of any virus on any Catholic Charities computer. Any computer that is infected or suspected of being infected must immediately be disconnected from the network to reduce the risk of spreading the virus. Employees are prohibited from disabling or interfering with any virus scanning software installed on their system.
3.4 Installing or Downloading Software. The IT Department must approve and install all software on any Catholic Charities computer. No employee may download software without the approval of the IT Department. When and if authorized to download software, employees must comply with all restrictions and procedures for downloading software, including mandatory virus scanning and detection procedures. Employees must inform the IT Department of any virus, configuration change, or different behavior of a computer or application, especially after the addition of new software to the environment. All employees must obey and follow all licensing agreements and procedures with regard to the use and installation of all software. The IT Department will inspect computers periodically to verify that all software has been approved and licensed properly.
3.5 Remote Access. All remote access to the computer system, whether via dial-up or Internet access, must use encryption services to protect the confidentiality of the session. Information regarding access to the computer system, such as dial-up phone numbers, is confidential. This information must not be posted on electronic bulletin boards, listed in telephone directories, placed on business cards or made available to third parties without express authorization.
3.6 Confidentiality. Users must keep confidential all references and resource labels of Catholic Charities’ computer system, including but not limited to internal domain names, server names, printer names, IP addresses, and directory services.
4. Confidentiality of Communications
4.1 Importance of Confidentiality. Employees must exercise a greater degree of caution in transmitting information through e-mail than they take with other means of communicating information (e.g., written memoranda, letters or phone calls), because of the reduced human effort required to redistribute such information and the security considerations on the Internet. Confidential information of Catholic Charities or its clients must never be transmitted or forwarded to outside individuals or companies not authorized to receive that information. Employees should always use care in addressing e-mail messages to make sure that messages are not inadvertently sent to outsiders or to the wrong person within Catholic Charities. In particular, employees should exercise care when using distribution lists to make sure that all addressees are appropriate recipients of the information. Lists may not always be kept current, and individuals using lists should take measures to ensure that the lists are current. Employees should refrain from routinely forwarding messages containing confidential information to multiple parties unless there is a clear business need to do so.
Employees may contact the IT Department with any questions concerning this policy or procedure.
Approved 5-97 Revised and approved 12-03 Reviewed 6-05
Attachment A to HP-2.10 HIPAA Policies and Procedures (aka Attachment A to AP-4.05)
ACKNOWLEDGMENT OF UNDERSTANDING
COMPUTER, E-MAIL, AND INTERNET USAGE POLICIES
I acknowledge that I have read and will abide by Catholic Charities’ policies regarding computer, e-mail, and Internet usage. In particular:
1. I understand that Catholic Charities has the complete authority to monitor my computer usage, e-mail communications, and Internet usage, and that Catholic Charities may monitor on a routine and/or special case basis.
2. I will accept personal responsibility for all activities occurring under my password/login.
3. I will keep confidential my password/login and will not use another person’s password/login to access any system.
4. I will keep confidential all client information, regardless of the medium (computer, e-mail, etc.).
5. I understand that the computer system, the e-mail system, and the Internet system are to be used for business purposes only.
6. I understand that I cannot install or download software and/or programs, screen savers, firewalls, etc. without the written approval of the IT Manager.
7. I understand that any violation by me of Catholic Charities’ computer, e-mail, or Internet policies may result in a loss of access, disciplinary action (including termination), or other legal action.
Signature ______________________________________________ Date ______________________
Name (please print) ______________________________________________
Original: Personnel file
Attachment B to HP-2.10 HIPAA Policies and Procedures (aka Attachment B to AP-4.05)
REQUEST FOR INTERNET ACCESS
Name _____________________________________ Title ____________________________
Program ___________________________________ Division _________________________
Location _______________________________________________________________________
Date of Request _______________________
Justification for access to the Internet:
Program Director’s Signature ___________________________ Date __________________
------------------------------------------------------------------
Division Director/Department Head Review and Approval ( ) approved ( ) not approved
Signature ___________________________________________ Date ________________
------------------------------------------------------------------
IT Manager’s Signature _______________________________ Date ___________________
Original: IT Office
Copy: Program Director
HP-3.01 HIPAA Policies and Procedures
RISK ANALYSIS
Purpose
Catholic Charities depends heavily on technology and automated systems, and their disruption for even a few days could negatively
impact both client services and business functions. The continued operation of an organization depends on management’s awareness of potential disasters, its ability to develop a plan to minimize disruptions of mission-critical functions, and its capability to recover operations expediently and successfully. The risk analysis process helps to protect the organization in the event that all or part of its operations and/or computer services are rendered unusable. Catholic Charities will review each functional area of the organization and determine the potential risks and impact related to various disaster threats.
Definitions
Risk Analysis: A risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats.
Risk Assessment: A risk assessment involves evaluating existing physical and environmental security and controls, and assessing their adequacy relative to the potential threats to the organization.
Business Impact Analysis: A business impact analysis involves identifying the critical business functions within the organization and determining the impact of not performing a business function beyond the maximum acceptable outage. Types of criteria that can be used to evaluate the impact include customer service, internal operations, legal/statutory and financial.
Risk Analysis Process
1. Regardless of the prevention techniques employed, possible threats that could arise inside or outside the organization need to be assessed. Although the exact nature of potential disasters and their resulting consequences is difficult to determine, it is beneficial to perform a comprehensive risk assessment of all threats that can realistically occur to the organization. Regardless of the type of threat, the goals of Catholic Charities’ recovery planning are to ensure the safety of our clients, employees, volunteers and other personnel during and following a disaster.
In determining the probability of a specific disaster, Catholic Charities will consider, but not be limited to, the following:
geographic location;
topography of the area;
proximity to major sources of power, bodies of water and airports;
degree of accessibility to facilities within the organization;
history of local utility companies in providing uninterrupted service;
history of the area’s susceptibility to natural threats;
proximity to major highways that transport hazardous waste and combustible products.
2. Potential exposures may be classified as natural, technical, or human threats. Examples include:
Natural Threats: internal flooding, external flooding, internal fire, external fire, seismic activity, high winds, snow and ice storms, tornado, hurricane, epidemic, tidal wave.
Technical Threats: power failure/fluctuation; heating, ventilation or air conditioning failure; malfunction or failure of CPU; failure of system software; failure of application software; telecommunications failure; gas leaks; communications failure; nuclear fallout.
Human Threats: robbery, bomb threats, embezzlement, extortion, burglary, vandalism, terrorism, civil disorder, chemical spill, sabotage, explosion, war, biological contamination, radiation contamination, hazardous waste, vehicle crash, airport proximity, work stoppage (internal/external), computer crime.
3. Catholic Charities will include all locations and facilities in the risk analysis. Rather than attempting to determine exact probabilities for each disaster, a general relational rating system of high, medium and low can be used to identify the probability of the threat occurring.
4. The risk analysis will determine the impact of each type of potential threat on the various functions or departments within the organization. The impact can be rated as:
0 = No impact or interruption in operations.
1 = Noticeable impact, interruption in operations for up to 8 hours.
2 = Damage to equipment and/or facilities, interruption in operations for 8 - 48 hours.
3 = Major damage to equipment and/or facilities, interruption in operations for more than 48 hours. All main office and/or computer center functions must be relocated.
5. Certain assumptions may be necessary to uniformly apply ratings to each potential threat. Following are typical assumptions that can be used during the risk assessment process:
5.1 Although impact ratings could range between 1 and 3 for any facility given a specific set of circumstances, the ratings applied should reflect the anticipated, likely or expected impact on each area.
5.2 Each potential threat should be assumed to be “localized” to the facility being rated.
5.3 Although one potential threat could lead to another potential threat (e.g., a hurricane could spawn tornados), no domino effect should be assumed.
5.4 If the result of the threat would not warrant movement to an alternate site(s), the impact should be rated no higher than a “2”.
5.5 The risk assessment should be performed by facility.
6. To measure the potential risks, a weighted point rating system can be used. Each level of probability can be assigned points as follows:
Probability   Points
High          10
Medium        5
Low           1
7. Considerations in analyzing risk include:
7.1 Investigating the frequency of particular types of disasters (often versus seldom).
7.2 Determining the degree of predictability of the disaster.
7.3 Analyzing the speed of onset of the disaster (sudden versus gradual).
7.4 Determining the amount of forewarning associated with the disaster.
7.5 Estimating the duration of the disaster.
7.6 Considering the impact of a disaster based on two scenarios: vital records are destroyed; vital records are not destroyed.
7.7 Identifying the consequences of a disaster, such as: personnel availability; personal injuries; loss of operating capability; loss of assets; facility damage.
7.8 Determining the existing and required redundancy levels throughout the organization to accommodate critical systems and functions, including: hardware; software; information; communication; personnel; services.
7.9 Estimating potential dollar loss: increased operating costs; loss of business opportunities; loss of financial management capability; loss of assets; negative media coverage; loss of goodwill; loss of income; loss of competitive edge; legal actions.
8. Estimating potential losses for each business function based on the financial and service impact and the length of time the organization can operate without this business function. The impact of a disaster on a business function depends on the type of outage that occurs and the time that elapses before normal operations can be resumed.
9. Determining the cost of contingency planning.
DISASTER PREVENTION and RECOVERY
Reference: Disaster Prevention and Recovery Plan – Information Technology Emergency Preparedness Policies and Procedures
Approved 12-03 Reviewed 6-05
Attachment to HP-3.01 HIPAA Policies and Procedures
RISK ANALYSIS FORM
1. Probability (High – Medium – Low): H = High (10); M = Medium (5); L = Low (1)
2. Speed of Onset (Sudden – Gradual): S = Sudden (5); G = Gradual (1)
3. Forewarning (Yes – No): Y = Yes (1); N = No (5)
4. Duration (Long – Intermediate – Short): L = Long (10); I = Intermediate (5); S = Short (1)
5. Impact:
0 = No impact or interruption in operations.
1 = Noticeable impact, interruption in operations for up to 8 hours.
2 = Damage to equipment and/or facilities, interruption for 8 – 48 hours.
3 = Major damage to equipment and/or facilities, interruption for more than 48 hours. All main office and/or computer center functions must be relocated.
Catholic Charities, Diocese of Trenton
Notice of Privacy Practices (Spanish Version)
THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE READ IT CAREFULLY.
In order to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA), we have a duty to safeguard and protect your health information. We maintain personal health information that identifies you, whether it relates to the health services provided to you or to payment for your care. We are required by law to provide you with this notice of the privacy practices that are currently in effect. It explains how, when and why we may use or disclose your health information. With some exceptions, we will avoid using or disclosing more health information than is required for the purpose at hand. The terms of this notice apply to all records containing your health and demographic information that we create or hold.
We have the right to change this notice of privacy practices. Any change to this notice will apply to all of the information we have about you, to any health information we receive in the future, and to the records we create and maintain in the future. Our organization will post a copy of the current notice, including any changes, in a prominent place in our offices, and you may request a copy of the most recent notice during any visit to our organization.
Question: HOW MAY WE USE AND SHARE YOUR INFORMATION?
Answer: We will use or disclose your health information for different reasons. For some of these uses or disclosures, we will ask for your authorization. The different categories of uses and disclosures are described below, with several examples.
A. Uses and Disclosures Related to Treatment, Payment for Treatment and/or Services, or Health Care Operations, in accordance with federal law.
1. For Treatment: We may disclose health information to other health care providers who are involved in your care. For example, we may disclose your health information to a hospital if this becomes necessary during your time at our facility, or to a residential program to which you are referred. The reasons for such a disclosure could be: so that you receive appropriate treatment for your medical condition, to coordinate your care, or to plan necessary examinations.
2. To Obtain Payment for Treatment and/or Services: We may use and share your health and demographic information to obtain reimbursement for the services you have received from us. For example, we may provide portions of your health information to your health insurer, Medicare or Medicaid in order to be paid for the services we have provided to you.
3. For Health Care Operations: In some situations it will be necessary to use and/or disclose your health information in order to run our organization. For example, we may use your health information to evaluate the quality of the services our employees have provided to you. We will also provide information to our accountants, attorneys and consultants to make sure that we are complying with the law.
B. Other Uses of Your Information Permitted by Federal Law. We may disclose your health information without your authorization for the following reasons:
1. When Disclosure of Your Information Is Required by Federal, State or Local Law, in Judicial or Administrative Proceedings, or to Law Enforcement Officials: For example, we may disclose your health information if ordered to by a court, or if the law requires us to report this type of information to a government official or to law enforcement officials, such as in the case of a dog bite, suspected child abuse, or a gunshot wound.
2. Public Health Activities: By law, it is our duty to report information about certain diseases and/or deaths to the government agencies that collect this information. With the possible exception of mental health information, alcohol and drug abuse treatment information, and HIV status (for which we would obtain your authorization), we are also permitted to provide some information to a medical examiner or funeral director, if necessary, after a client’s death.
3. Health Oversight Activities: For example, we will provide your health information if the County or the State requires it when overseeing the program in which you receive care. We will also provide information to government offices, such as the New Jersey Division of Mental Health Services, the New Jersey Department of Health and Senior Services, the Division of Youth and Family Services, etc., which have the right to inspect our offices and/or investigate health care practices.
4. Organ Donation: If a client wishes to donate eyes, organs or tissue after death, we are permitted to disclose the health information necessary to assist the appropriate organ procurement organization.
5. Research: Under certain circumstances (for example, where approved by a Privacy Board or a Review Board under federal law), we are permitted to use or provide protected health information for the purpose of scientific research.
6. To Avert a Threat to Health or Safety: If one of our counselors, physicians or nurses identifies a need to protect you, another person, or the public, we may provide protected health information to the police or to others who are able to reduce the threat.
7. Specialized Government Functions: With the possible exception of mental health information, alcohol and drug treatment information, and HIV status (for which we would obtain your authorization), we may disclose information about military personnel or veterans when required by United States military authorities. We may also disclose health information for national security purposes, such as the investigation of suspected terrorism that could threaten our nation.
8. Workers’ Compensation: Our organization may share your health information as provided under workers’ compensation law if your condition was the result of a work-related injury for which you are claiming workers’ compensation.
9. Appointment Reminders: Unless you let us know that you do not wish to receive appointment reminders, we may use or disclose your information to remind you of your appointments, and also to provide you with information and notices about alternative programs and treatments that may help you.
10. Fundraising: For example, if our organization wishes to raise funds to support one or more of our programs or facilities, another charitable cause, or a community health education program, we may use your information to contact you. If you do not wish to be part of fundraising activities, please tell your therapist.
C. YOUR RIGHTS REGARDING YOUR HEALTH AND DEMOGRAPHIC INFORMATION:
1. Disclosures to Family Members, Friends, or Others Involved in Your Care: We may provide limited health information to a family member, friend, or other person known to be responsible for your care or for paying your bills, unless you tell us otherwise. For example, if a family member accompanies you to a medical appointment and you allow that person into the examination room with you, we may disclose protected health information during the appointment, unless you tell us not to.
2. Disclosures to Notify a Family Member, Friend, or Other Designated Person: When you first started in this program, you were asked for information about an emergency contact person in case something happened to you while at our facilities. Unless you direct us otherwise, we will disclose certain health information (your general condition, location, etc.) to your emergency contact or to another family member should you need to be admitted to a hospital.
D. Other Disclosures Require Your Prior Written Authorization. In situations other than the categories listed above, or other disclosures permitted under federal law, if you wish a disclosure to be made you must submit a written request. We will also ask for your written authorization to disclose information about your mental health, alcohol or drug use and/or treatment, and to disclose your HIV status. If you choose to authorize a disclosure of health information, you may later revoke that authorization in writing to stop further use or disclosure, except to the extent that we have already acted on it.
QUESTION: WHAT ARE MY RIGHTS REGARDING MY HEALTH INFORMATION?
Answer: You have the following rights regarding your private health information:
A. The Right to Request Limits on Uses and Disclosures of Health Information. You have the right to request limits or restrictions on the use of your health information. We are not required to agree to your request. If we agree to your request, we will put the limits in writing and follow them, except in an emergency. Please note that you may not limit disclosures that we are required or permitted to make by law.
B. The Right to Choose How We Communicate Health Information to You and How We Contact You. You have the right to ask that we contact you at an alternate address or telephone number (for example, by mailing information to your workplace instead of your home) or by an alternate method (for example, by e-mail instead of telephone). We must agree to your request as long as it is reasonably easy for us to accommodate.
C. The Right to See or Obtain a Copy of Your Health Information. In most cases you have the right to see or obtain a copy of the health information we hold about you; you must first make a written request. A request form can be obtained from your therapist. We will respond within about 30 days of receiving your written request. If we do not have the information you request but know who does, we will tell you how to obtain it. If we deny your request, we will tell you the reason in writing, and in certain situations you may request an appeal. If you request a copy of any part of your health information, we will charge you per page, only as permitted by New Jersey law, and we will ask that payment be made in full before we provide the copy. If you agree, and with advance notice, we can provide you with an explanation of your records; you will be charged for preparing it.
D. The Right to Receive a List of the Disclosures of Health Information We Have Made. You have the right to receive a list of certain disclosures of your health information that we make. This list will not include uses or disclosures for treatment, payment or health care operations; disclosures to you or made with your written authorization; or disclosures to your family for the purpose of notification or because of their involvement in your care. This list also will not include disclosures made for national security purposes, disclosures to legal authorities or law enforcement officials if you were in their custody at the time, or disclosures made before April 14, 2003. You may request this list for a period of up to six years. To make such a request, we ask that you do so in writing; a request form can be obtained from your counselor. We will respond within 60 days of receiving your request. The list may include the date of the disclosure, the person or organization that received the information (with their address if available), a brief description of the information disclosed, and a brief reason for the disclosure. We will provide this list to you at no cost; if you make more than one request in a year, you will be charged $10.00 for each additional request in that year.
E. The Right to Request Changes, Corrections or Updates to Your Health Information. If you believe there is an error in your health information, or that an important piece of information is missing, you have the right to request that we make the appropriate changes to your information. You must make the request in writing, stating the reason for your request; a request form can be obtained from your therapist or counselor. We will respond to your request within about 60 days of receiving it. If we agree to your request, we will make the changes to your health information, notify you when they have been made, and notify others who need to be informed of these changes. We may deny your request if the health information: (1) is correct and complete; (2) was not created by us; (3) is not permitted to be disclosed to you; or (4) is not part of our records. Our written denial will explain the reason for the denial and explain your right to submit a written statement disagreeing with it. If you do not wish to do so, you may ask that a copy of your request and our denial be included with all future disclosures of your health information.
F. The Right to Obtain a Copy of This Notice. You have the right to a copy of this notice.
QUESTION: HOW DO I FILE A COMPLAINT OR ASK QUESTIONS ABOUT THIS ORGANIZATION’S PRIVACY PRACTICES?
Answer: If you have questions about anything discussed in this notice or about our privacy practices, or if you have a concern or complaint, please contact the Compliance Director at Catholic Charities of Trenton, 383 West State Street, Trenton, New Jersey 08607, or call (609) 394-5181, extension 150. You also have the right to file a complaint with the Secretary of the United States Department of Health and Human Services. We cannot retaliate against you for filing a complaint.
QUESTION: WHEN DOES THIS NOTICE TAKE EFFECT?
Answer: This notice takes effect June 3, 2003.
ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES
I, _________________________________________, have read and reviewed, and have had explained to me, my rights regarding the disclosure of my personal health information collected during the therapeutic process by Catholic Charities. I have asked, and had answered, questions about the use and disclosure of this information. I am satisfied that I understand its meaning and acknowledge having been provided a copy of these rights as established by HIPAA in 1996.
Client Signature _________________________________________________________ Date __________________
Parent/Guardian __________________________________________________________ Date __________________
Witness __________________________________________________________________ Date __________________
Copy: Client
Original: File