Add to collection(s) Add to saved
  1. Social Science
  2. Law

Privacy Notice Policy - Provider

advertisement 
DRAFT
Version 4: 07/22/2013
Per 01/25/2013Rule
______________________________________________________________________________
HIPAA COW
NOTICE OF PRIVACY PRACTICES WORKGROUP
PROVIDER NOTICE OF PRIVACY PRACTICES –POLICY DOCUMENT
Disclaimer
This Privacy Notice for Providers-Policy Document is Copyright  by the HIPAA Collaborative
of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this
copyright notice is not removed. When information from this document is used, HIPAA COW
shall be referenced as a resource. It may not be sold for profit or used in commercial documents
without the written permission of the copyright holder. This Privacy Notice for Providers-Policy
Document is provided “as is” without any express or implied warranty. This Privacy Notice for
Providers-Policy Document is for educational purposes only and does not constitute legal advice.
If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA
COW has not addressed all state pre-emption issues related to this Privacy Notice for ProvidersPolicy Document. Therefore, this document may need to be modified in order to comply with
Wisconsin/State law.
Right to Notice
Except for inmates1, HIPAA privacy regulations require health care providers to notify patients
of how the patient’s health information may be used and disclosed, the patient’s rights and
provider’s legal duties with regard to the patient’s health information.2
If the provider is in a direct treatment relationship with the patient (e.g., not providing care under
the orders of another provider),3 then the provider must provide the privacy notice to the patient
no later than the date of the first service delivery, including service delivered electronically. 4 In
an emergency treatment situation, the provider must provide the notice as soon as reasonably
practicable after the emergency treatment situation.5
Except in an emergency treatment situation the provider will make a good faith effort to obtain
written acknowledge of receipt of the notice provided and if not obtained, document its good
faith efforts to obtain such acknowledgment and the reason why the acknowledgement was not
obtained.5
If the first service delivery to an individual is delivered electronically, the provider must provide
electronic notice automatically and contemporaneously in response to the individual’s first
45 CFR § 164.520(a)(3)
45 CFR § 164.520(a)
3 45 CFR § 164.501 (referring to the definitions for both “direct treatment relationship” and “indirect treatment
relationship”).
4 45 CFR § 164.520(c)(2)(i)(A)
5 45 CFR § 164.520(c)(2)(i)(B)
5 45 CFR § 164.520(c)(2)(ii)
1
2
_____________________________________________________________________________
 Copyright HIPAA COW
1
DRAFT
Version 4: 07/22/2013
Per 01/25/2013Rule
______________________________________________________________________________
request for service. If a summary notice is posted then the full notice must be immediately
available7.
The direct treatment provider that maintains a physical service delivery site must:8
1. Have the notice available at the service delivery site for the individuals to request to take
with them;6 and
2. Post the notice in a clear and prominent location where it is reasonable to expect
individuals seeking service from the covered health care provider to be able to read the
notice7; and
Whenever the notice is revised, make the notice available upon request on or after the effective
date of the revision and promptly comply with the above two requirements if your organization
maintains a physical delivery site.8
Contents of Privacy Notice (Checklist in Order of Appearance in the Regulation):
1. The notice must be written in plain language and contain the elements listed below.9
2. The notice must contain the following statement as a header or otherwise prominently
displayed:
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU
MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO
THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.10
3. The notice must contain a description, including at least one example, of the types of uses
and disclosures that the provider is permitted to make for each of the following purposes:
“treatment, payment and health care operations,” as defined by HIPAA.11 The
description of these uses and disclosures must reflect the more stringent law (either state
or federal).12 For example, if the HIPAA privacy regulations permit health care
operations disclosures without authorization, but state law does require consent for such
disclosures, then state law is more stringent and the disclosure would be listed in the
privacy notice as a disclosure requiring consent.
45 CFR § 164.520(c)(3)(iii)
45 CFR § 164.520(c)(2)(iii)
9 45 CFR § 164.520(c)(2)(iii)A
7 45 CFR § 164.520(c)(2)(iii)B
8 45 CFR § 164.520(c)(2)(iv)
9 45 CFR § 164.520(b)(1)
10 45 CFR § 164.520(b)(1)(i)
11 45 CFR § 164.520(b)(1)(ii)(A)
12 45 CFR § 164.520(b)(1)(ii)(C)
7
8
_____________________________________________________________________________
 Copyright HIPAA COW
2
DRAFT
Version 4: 07/22/2013
Per 01/25/2013Rule
______________________________________________________________________________
In addition, each description must include sufficient detail to place the individual on
notice of the uses and disclosures that are permitted or required by the HIPAA privacy
rules or other applicable law.13
4. The notice must contain a description of each of the other purposes besides treatment,
payment or health care operations for which the provider is permitted or required to use
or disclose protected health information without the individual’s written authorization.14
The description of these uses and disclosures must reflect the more stringent law (either
state or federal).15 For example, if the HIPAA privacy regulations permit certain
disclosures without written authorization, but state law requires consent for such
disclosures, then the state law is more stringent and the HIPAA-based disclosure would
not be listed in the privacy notice as a disclosure permitted without written authorization.
Furthermore, each description must include sufficient detail to place the individual on
notice of the uses and disclosures that are permitted or required by the HIPAA privacy
rules or other applicable law.16 Under HIPAA, these uses and disclosures include those:
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
k.
Required by law.17
For public health activities.18
Regarding victims of abuse, neglect or domestic violence.19
For health oversight activities.20
For judicial and administrative proceedings.21
For law enforcement purposes.22
Regarding decedents, such as to coroners and medical examiners23 or funeral
directors.24
For cadaveric organ, eye or tissue donation purposes.25
For research purposes.26
To avert a serious threat to health or safety.27
For specialized government functions,28 such as military and veterans’ activities,
29
national security and intelligence activities,30 protective services for the
45 CFR § 164.520(b)(1)(ii)(D)
45 CFR § 164.520(b)(1)(ii)(B)
15 45 CFR § 164.520(b)(1)(ii)(C)
16 45 CFR § 164.520(b)(1)(ii)(D)
17 45 CFR § 164.512(a)
18 45 CFR § 164.512(b)
19 45 CFR § 164.512(c).
20 45 CFR § 164.512(d)
21 45 CFR § 164.512(e)
22 45 CFR § 164.512(f)
23 45 CFR § 164.512(g)(1)
24 45 CFR § 164.512(g)(2)
25 45 CFR § 164.512(h)
26 45 CFR § 164.512(i)
27 45 CFR § 164.512(j)
28 45 CFR § 164.512(k)
29 45 CFR § 164.512(k)(1)
30 45 CFR § 164.512(k)(2)
13
14
_____________________________________________________________________________
 Copyright HIPAA COW
3
DRAFT
Version 4: 07/22/2013
Per 01/25/2013Rule
______________________________________________________________________________
President and others,31 medical suitability determinations,32 and correctional
institutions and other law enforcement custodial situations.33
l. For workers’ compensation purposes.34
m. For facility directories35 (NOTE: this is an opt out use and disclosure, meaning
that a provider may use or disclose a patient’s health information for this purpose
so long as the patient is informed in advance of such use and is given the
opportunity to agree or disagree with the disclosure. The provider may orally
inform the patient of and obtain the patient’s oral agreement or objection to such
disclosure.)36
n. That notify people involved in the patient’s care, such as notifying family
members or others involved with the patient’s care or payment,37 including
disclosures to help identify, locate or describe the health condition of the patient.38
Such disclosure may be in coordination with disaster relief efforts.39 (NOTE: this
too is an opt out use and disclosure, unless the individual is incapacitated or there
is an emergency.)40
5. The notice must contain a description of the type of uses and disclosures that require an
authorization including those for psychotherapy notes, marketing, and the sale of
protected health information. It must also include a statement that other uses and
disclosures not described in the notice will be made only with the individual’s written
authorization and that the individual may revoke any authorization.41 Examples may be
given, but are not required, of such other uses and disclosures that need an authorization,
such as release of psychotherapy notes (unless release of the information is for TPO
purposes or otherwise required by law, in which case patient authorization is not
required),42 or to outside marketers for products unrelated to the plan or the patient’s
treatment.43
6. If the provider intends to engage in fundraising for the provider, the notice must contain a
statement that the provider may raise funds and the individual has a right to opt out of
receiving such communications.44
45 CFR § 164.512(k)(3)
45 CFR § 164.512(k)(4)
33 45 CFR § 164.512(k)(5) Note: “Covered entities that are government programs providing public benefits” are not
included since that is more likely to fall under the privacy notice provided by health plans, not providers. 45 CFR §
164.512(k)(6)
34 45 CFR § 164.512(l)
35 45 CFR § 164.510(a)
36 45 CFR § 164.510
37 45 CFR § 164.510(b)(1)(i)
38 45 CFR § 164.510(b)(1)(ii)
39 45 CFR § 164.510(b)(4)
40 45 CFR § 164.510; 45 CFR § 164.510(b)(3)
41 45 CFR § 164.520(b)(1)(ii)(E); 45 CFR § 164.508(b)(5).
42 45 CFR § 164.508(a)(2)
43 45 CFR § 164.501; 45 CFR § 164.508(a)(3)
44 45 CFR § 164.520(b)(1)(iii)(B)
31
32
_____________________________________________________________________________
 Copyright HIPAA COW
4
DRAFT
Version 4: 07/22/2013
Per 01/25/2013Rule
______________________________________________________________________________
7. The notice must contain a statement of the individual’s rights with respect to protected
health information and a brief description of how the patient may exercise these rights, as
follows:45
a. The right to request restrictions on certain uses and disclosures of health
information, such as those uses for treatment, payment, health care operations, or
disclosures to those involved in a patient’s care or for notification purposes.46
The notice must also state that the provider is not required to agree to a requested
restriction except in case of a disclosure restricted to a health plan if the disclosure
is for the purpose of carrying out payment or health care operations and is not
otherwise required by law; and the protected health information pertains solely to
a health care item or service for which the individual, or person other than the
health plan on behalf of the individual, has paid the covered entity in full.47
b. The right to receive confidential communications of protected health information,
presuming such request is reasonable, by alternative means or at alternative
locations.48
c. The right to inspect and copy protected health information in a designated record
set, except for information such as psychotherapy notes, information compiled for
civil, criminal or administrative actions/proceedings, or certain information
related to the Clinical Laboratory Improvements Amendments of 1988.49 There
are other exceptions and conditions as well, such as the imposition of a
reasonable, cost-based fee for providing the patient with a copy of his or her
health information.50
d. The right to amend protected health information, with certain restrictions, such as
when the provider does not create the information to be amended, or the provider
believes the information is accurate and complete.51 Providers can require
patients to make amendment requests in writing.52
e. The right to receive an accounting of disclosures of protected health information
made by the provider in the six years prior to the date on which the accounting is
requested.53 The accounting does not have to include disclosures related to
treatment, payment or operations, disclosures for which an authorization is
required, information that is part of a limited data set54, to the patient, for the
45 CFR § 164.520(b)(1)(iv)
45 CFR § 164.520(b)(1)(iv)(A); 45 CFR § 164.522(a)(1)(i)(A)&(B); 45 CFR § 164.510(b)
47 45 CFR § 164.520(b)(1)(iv)(A); 45 CFR § 164.522(a)(1)(ii); 45 CFR § 164.522(a)(1)(iv)(A) & (B)
48 45 CFR § 164.520(b)(1)(iv)(B); 45 CFR § 164.522(b)
49 45 CFR § 164.520(b)(1)(iv)(C); 45 CFR § 164.524(a)(1)(i)-(iii).
50 45 CFR § 164.524(a)(2)-(4)
51 45 CFR § 164.520(b)(1)(iv)(D); 45 CFR § 164.526(a)(2)(i)-(iv)
52 45 CFR § 164.526(b)
53 45 CFR § 164.520(b)(1)(iv)(E)
54 “Limited data set” is defined as “protected health information that excludes the following direct identifies of the
individual or of relatives, employers, or household members of the individual: (i) Names; (ii) Postal address information,
other than town or city, State, and zip code; (iii) Telephone numbers; (iv) Fax numbers; (v) Electronic Mail addresses;
(vi) Social security numbers; (vii) Medical record numbers; (viii) Health plan beneficiary numbers; (ix) Account numbers;
(x) Certificate/license numbers; (xi) Vehicle identifiers and serial numbers, including license plate numbers; (xii) Device
identifies and serial numbers; (xiii) Web Universal Resource Locators (URLs); (xiv) Internet Protocol (IP) address
45
46
_____________________________________________________________________________
 Copyright HIPAA COW
5
DRAFT
Version 4: 07/22/2013
Per 01/25/2013Rule
______________________________________________________________________________
facility’s directory, to persons involved with the patient’s care or other
notification purposes, for national security or intelligence purposes, to
correctional institutions or law enforcement officials, any other use or disclosure
that is permitted or required by law so long as the provider only releases the
minimum amount of information required for the purpose, or disclosures made
prior to April 14, 2003.55
f. The right of an individual, including an individual who has agreed to receive the
notice electronically, to obtain a paper copy of the notice from the provider upon
request.56
8. The notice must contain a statement that the provider is required by law to maintain the
privacy of protected health information and to provide individuals with notice of its legal
duties and privacy practices with respect to protected health information57 and to notify
affected individuals following a breach of unsecured protected health information.58
9. The notice must state that the provider is required to abide by the terms of the notice
currently in effect.59
10. If the provider wishes to apply a privacy practice, different than the practice described in
the notice, to protected health information received prior to issuing a revised notice, the
notice must state that the provider reserves the right to change the terms of its notice and
to make the new notice provisions effective for all protected health information that the
provider maintains.60 The statement must also describe how the provider will provide
individuals with a revised notice.61
11. The notice must contain a statement that individuals may complain to the provider and
the Secretary of the Department of Health and Human Services (Federal) if they believe
their privacy rights have been violated.62 The statement must include a brief description
of how the individual may file a complaint with the provider and a statement that the
individual will not be retaliated against for filing a complaint.63
numbers; (xv) Biometric identifiers, including finger and voice prints; and (xvi) Full face photographic images and any
comparable images.” 45 CFR § 164.514(e)(2)
55 45 CFR § 164.528(a)(1)(i)-(vi) The accounting must include for each disclosure: (i) the date of the disclosure; (ii) the
name of the entity or person who received the health information and, if known, the address of such entity or person;
(iii) a brief description of the health information disclosed; and (iv) a brief statement of the purpose of the disclosure,
or, in lieu of such statement, a copy of a written request for a disclosure from the requesting entity when the disclosure is
required by law. 45 CFR § 164.528(b)(2)(i)-(iv). See also 45 CFR § 164.528(c)(1) (60-day response requirement); 45 CFR
§ 164.528(c)(2) (initial accounting request is free, but cost-based fee may be imposed for additional accounting requests
by the same individual within a 12 month period).
56 45 CFR § 164.520(b)(1)(iv)(F).
57 45 CFR § 164.520(b)(1)(v)(A)
58 45 CFR § 164.520(b)(1)(v)(A)
59 45 CFR § 164.520(b)(1)(v)(B)
60 45 CFR § 164.520(b)(1)(v)(C)
61 Id.
62 45 CFR § 164.520(b)(1)(vi)
63 Id.
_____________________________________________________________________________
 Copyright HIPAA COW
6
DRAFT
Version 4: 07/22/2013
Per 01/25/2013Rule
______________________________________________________________________________
12. The notice must contain the name, or title, and telephone number of a person or office to
contact for filing complaints and for further information.64
13. The notice must contain the date on which the notice is first in effect, which may not be
earlier than the date on which the notice is printed or otherwise published.65
In addition to the above requirements, providers may also wish to include the following
items in the privacy notice:
A. Information about a joint notice.66 Providers that participate in Organized Health Care
Arrangements (OHCAs) may comply with HIPAA by issuing a joint notice, provided
that:
a. The covered entities participating in the OHCA agree to abide by the terms of the
notice with respect to protected health information created or received by the
covered entity as part of its participation in the OHCA;67
b. The joint notice incorporates all the requirements listed above, except that the
statements required above may be altered to reflect the fact that the notice covers
more than one covered entity;68
c. The notice describes with reasonable specificity the covered entities, or class of
entities, to which the joint notice apples;69
d. The notice describes with reasonable specificity the service delivery sites, or
classes of service delivery sites, to which the joint notice applies;70 and
e. If applicable, the notice should state that the covered entities participating in the
OHCA will share protected health information with each other, as necessary to
carry out treatment, payment, or health care operations relating to the OHCA.71
In addition, a joint notice may want to state that provision of the joint notice to an
individual by any one of the OHCA participants will satisfy HIPAA provision
requirements with respect to all others covered by the joint notice.72
B. Under the FDA regulations regarding medical device tracking requirements, a patient
receiving such device has the right to refuse to release, or refuse permission to release,
the patient’s name, address, telephone number, and Social Security Number, or other
45 CFR § 164.520(b)(1)(vii); 45 CFR § 164.530(a)(1)(ii)
45 CFR § 164.520(b)(1)(viii)
66 45 CFR § 164.520(d)
67 45 CFR § 164.520(d)(1)
68 45 CFR § 164.520(d)(2)
69 45 CFR § 164.520(d)(2)(i)
70 45 CFR § 164.520(d)(2)(ii)
71 45 CFR § 164.520(d)(2)(iii)
72 45 CFR § 164.520(d)(3)
64
65
_____________________________________________________________________________
 Copyright HIPAA COW
7
DRAFT
Version 4: 07/22/2013
Per 01/25/2013Rule
______________________________________________________________________________
identifying information for the purpose of tracking.73 As a result, a provider may wish to
incorporate this right of refusal in its privacy notice.
C. If provider maintains a web site that provides information about the provider’s customer
services or benefits, the provider must prominently post its notice on the web site and
make it available electronically through the website.74 Consequently, a provider may
wish to incorporate this language into its privacy notice.
D. Providers may wish to include a statement about HIPAA’s minimum necessary rule,
which states that when a provider uses or discloses health information, providers must
make reasonable efforts to limit the health information to the minimum necessary to
accomplish the intended purpose of the use or disclosure.75 The minimum necessary
standard does not apply to disclosures to: (a) health care providers for treatment; (b)
disclosures made to the patient; (c) disclosures made pursuant to an authorization; (d)
disclosures made to DHHS; (e) disclosures required by law; and (f) disclosures required
for compliance with HIPAA.76
E. If a provider decides to limit uses and disclosures permitted under HIPAA, the provider
may describe these more limited uses or disclosures77.
Documentation
1. Providers must archive their Privacy Notices for six years and any changes of the notice
must also be archived.78
Providers must retain a copy of their Privacy Notice and any written acknowledgements of
receipt of the notice, or documentation of the Provider’s good faith effort to obtain such written
acknowledgement. 79 For example, to comply with this documentation requirement, a provider
can document a patient’s written acknowledgement that he/she received the Privacy Notice in the
patient’s record.
21 CFR § 821.55(a)
45 CFR § 164.520(c)(3)
75 45 CFR § 164.502(b)(1)
76 45 CFR § 164.502(b)(2)(i)-(vi)
77 45 CFR § 164.520(b)(2)(i)
78 45 CFR § 164.530(j)(2)
79 45 CFR § 164.520(e); 45 CFR § 164.520(c)(2)(ii); 45 CFR § 164.530(j).
73
74
_____________________________________________________________________________
 Copyright HIPAA COW
8
DRAFT
Version 4: 07/22/2013
Per 01/25/2013Rule
______________________________________________________________________________
Version History:
Current Version: 7/22/13
Prepared by:
Reviewed by:
Julie Coleman, RHIA
Privacy Networking Group
Chris Duprey
Stacie Kemp, MSW, LCSW
Kathy Johnson
Chrisann Lemery, MS, RHIA,
CHPS, FAHIMA
Jennifer Rust-Anderson, JD,
CHC
Holly Schlenvogt, MSH, CPM
Julie Svoboda, RHIA
Judy Titera, MBA, CIPP/US,
CIPP/IT
Content Changed:
Additions and edits to meet
the Omnibus Rule of January
25, 2013
**You may request a copy of
the all the changes made in
this current version by
contacting administration at
admin2@hipaacow.org.
Original Version: 11/1/02
Prepared by:
Barbara J. Zabawa, J.D., M.P.H.
_____________________________________________________________________________
 Copyright HIPAA COW
9
Related documents
Supported Employment, Section 7 (1) of the Act CFR 361.5 (b) (2)
Supported Employment, Section 7 (1) of the Act CFR 361.5 (b) (2)
PASS CHRISTIAN SCHOOL DISTRICT 6457 Kiln
PASS CHRISTIAN SCHOOL DISTRICT 6457 Kiln
Su, Z., Li, K.-F., Natraj, V., Shia, R.-L., Miller, C. E., and Yung, Y. L.
Su, Z., Li, K.-F., Natraj, V., Shia, R.-L., Miller, C. E., and Yung, Y. L.
Letter Requesting FBA and FBS Plan
Letter Requesting FBA and FBS Plan
Exemption Categories
Exemption Categories
US FDA
US FDA
Children`s Product Certificate (CPC) Word
Children`s Product Certificate (CPC) Word
Least Restrictive Environment - Kings County Office of Education
Least Restrictive Environment - Kings County Office of Education
Additional Factors to Consider in an Environmental Assessment
Additional Factors to Consider in an Environmental Assessment
Download
advertisement