PRIVACY PRACTICES POLICY
Statement of Purpose and Policy:
Center For NeuroScience has instituted this policy as part of its Compliance Program to reflect its commitment to comply with applicable federal laws, including but not limited to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), state and local laws and sound ethical business practices. It is Center For NeuroScience policy to only disclose the amount of confidential personal health information necessary to achieve the purpose of the request.
All uses, disclosures of, or requests for protected health information (PHI) will be limited to the minimum amount necessary to accomplish the stated purpose. Professional judgment will determine the amount of information to be released. The minimum necessary standard is not intended to impede the provision of quality health care.
Disclosures of personal health information between providers for treatment, payment and health care operations, or pursuant to an authorization without complying with this requirement are exempt from the minimum necessary rule.
1. Protected Health Information (PHI). The final rule defines PHI as individually identifiable health information that is transmitted by electronic media; maintained in any electronic medium such as magnetic tape, disc, optical file; or transmitted or maintained in any other form or medium (i.e. paper, voice, Internet, fax etc.).
2. Individually Identifiable Health Information (IIHI). A subset of health information, including demographic information collected from an individual and that is created or received by a health care provider; and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and which identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
3. Access to Medical Records. Access to PHI will be granted only to those staff members who have a need to access such information to fulfill his/her job responsibilities.
- Role based access has been adopted by this practice which allows only certain people to access certain information (Do not include role based access if it is not applicable, customize for practice).
- For example:
i. The billing manager may access an individual’s contract and billing information but not medical history
ii. The treating physician has full access to the individual’s medical history and subsequent treatment records.
d. The Security Officer will grant access rights to new employees based on their job responsibilities.
e. The Security Officer will modify an employee’s access rights if his/her job responsibilities change.
4. Uses of PHI. Staff members with a need to access PHI to carry out their job function will be identified and receive specific training on the minimum necessary standard.
a. Staff members who access PHI as part of their job responsibilities will be taught what specific information they may access as part of their assigned duties.
b. The practice will make reasonable efforts to limit the access of its staff to only the information appropriate to their job requirements.
c. Staff members should not be reviewing or using other parts of an individual’s medical record or another person’s records if they do not need to.
5. Exceptions to the Minimum Necessary Rule. The minimum necessary standard DOES NOT apply to the following:
a. Disclosures to or requests by a health care provider for treatment purposes.
b. Disclosures to the individual who is the subject of the information.
c. Uses or disclosures made pursuant to an individual’s authorization.
d. Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
e. Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
f. Uses or disclosures that are required by other law if use or disclosure complies with and is limited to the relevant requirements of such law.
6. Routine Disclosures. For routine and recurring disclosures, the rule requires that the practice limit the disclosures to the amount reasonably necessary to achieve the purpose of the disclosures. (Practice must customize the following)
a. The types of protected health information to be disclosed
b. Identify the types of persons who would receive the protected health information;
c. The conditions that would apply to such access
7. Non Routine Disclosures. (Italicized area must be customized for the practice)
a. Practice must develop reasonable criteria to limit the amount of information disclosed to the minimum necessary to accomplish the purpose of the disclosure; and
b. These criteria must be used to review these disclosures on an individual basis.
8. Routine, Recurring Requests.
a. (Designate/Privacy Officer) must identify what information is reasonably necessary for the purpose of the request
b. The practice must limit the request for protected health information to that information only.
9. All Other Disclosures. The practice must develop criteria designed to limit the PHI disclosed to the minimum necessary to achieve the purpose of the request.
a. The practice has a responsibility to verify that uses and disclosures are indeed for treatment purposes and therefore are not subject to the minimum necessary rule.
b. In any instance in which the identity or authority of a requestor is not known to the practice, staff must obtain applicable documentation, statements, or representations in support of the purpose of the request and/or identity of the requestor.
10. Practice Requests for PHI. Staff must review each request on an individual basis and must limit any request it makes for PHI to that which is reasonably necessary to accomplish the purpose of the request.
11. Training. All staff receives privacy training. Staff whose job responsibilities include the use and disclosure of PHI will be trained to adhere to the minimum necessary requirement.
a. Requests for an entire medical record should only be made when necessary and not if staff can achieve the purpose of the request by limiting the information requested.
b. New staff will not make any uses and disclosures of PHI until training is completed.
c. Staff whose job responsibilities change to include access to PHI will not make any uses and disclosures of PHI until training is completed.
12. Compliance Monitoring. To ensure compliance with the minimum necessary requirements, Mrs. Stacey Bator or others will periodically monitor audit trails (or other if applicable) and check particularly vulnerable areas (such as all requests for entire medical record).
a. Reviews will be triggered when there are special complaints or incidents.
b. This compliance process will result in feedback to staff on areas needing more attention and may necessitate the redesign of work processes or procedures to enhance compliance.
- Compliance. Employees have a duty to comply with the policies and procedures set forth by the practice. Any employees found to violate the practice’s policies and procedures are subject to disciplinary action or corrective measures, including but not limited to, education and awareness training, reassignment, additional supervision, disciplinary actions such as warnings, suspension or termination of employment.
Statement of Purpose and Policy:
Center for NeuroScience has instituted this policy as part of its Compliance Program to reflect its commitment to comply with applicable federal laws, including but not limited to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), state and local laws and sound ethical business practices. It is Center for NeuroScience policy to provide individuals with a Notice of Privacy Practices prior to an individual’s first date of service and to make a good faith effort to obtain written acknowledgment that the Notice was received by the individual.
1. Process. Staff must provide all individuals with a Notice of Privacy Practices and make a good faith effort to obtain written acknowledgment that the Notice was received (See Attachment A). All individuals must receive the Notice after April 14, 2003, the effective date of the Final Privacy Rules.
2. Individuals Who Receive the Notice. All individuals who request treatment from the practice must receive the Notice as well as those individuals who request a copy of the Notice from the practice.
a. New patients must receive the Notice prior to their first date of service. The practice may provide the Notice to the individual in the office prior to his/her visit and is not required to send the Notice via mail or facsimile prior to the visit.
b. Existing patients must receive the Notice upon their first office visit after the April 14, 2003 compliance deadline.
c. The Privacy Officer will be responsible for ensuring that an updated version of the Notice is always present on the practice website.
3. Written Acknowledgment. Staff will take the following steps to obtain written acknowledgment of receipt of the Notice (See cover page of Attachment A):
a. Ask the patient to initial a separate acknowledgment list.
b. (Staff is not required to obtain written acknowledgment of the Notice in emergency situations.)
4. Acknowledgment Not Obtained. Staff is not required to obtain a signature from an individual. Patient treatment will not be affected in any manner if an individual fails to provide written acknowledgment of receipt of the Notice. An individual may refuse or fail to provide their signature documenting they received the Notice. If a signature indicating receipt of the Notice cannot be obtained, staff must:
a. Document that a good faith effort to obtain such acknowledgment was made;
b. The efforts taken to obtain the written acknowledgment of receipt of the Notice; and
c. The reason for the failure.
d. Documentation must be placed in the individual’s medical file.
5. Review of Notice. The Privacy Committee will meet on a quarterly basis to discuss practice adherence to the Notice and to identify any necessary updates or changes to the Notice.
6. Changes to the Notice. The practice is required to abide by the terms of the Notice, which is currently in effect. The practice reserves the right to change the terms of the notice and to make the new Notice provisions effective for all personal health information the practice already has about an individual and may obtain in the future.
a. The practice must post any changes to the Notice thirty (30) days prior to making the change effective.
b. All revised notices will be promptly posted and made available to individuals in the practice waiting room. Changes to the Notice will only be effective on the date that is reflected at the bottom of the last page on the revised Notice.
c. Business Associates who handle PHI for or on behalf of the practice must be provided with an updated Notice within seven business days of the effective date of the updated Notice.
7. Notice Requests. Individuals may request a current Notice when they visit the office. A current Notice must be kept at the reception desk and provided to individuals upon request.
8. Practice Contact. If an individual would like more information about the Notice, Mrs. Stacey Bator will receive and process all requests at 561-638-8872.
9. Compliance. Employees have a duty to comply with the policies and procedures set forth by the practice. Any employees found to violate the practice’s policies and procedures are subject to disciplinary action or corrective measures, including but not limited to, education and awareness training, reassignment, additional supervision, disciplinary actions such as warnings, suspension or termination of employment.