HIPAA PRIVACY

  1. REFERENCE: 29 U.S.C. § 1181 et seq. and 42 U.S.C. § 1320d et seq.

  2. PURPOSE: It is REACH’s policy to comply fully with the legal requirements and privacy standards required by the Health Insurance Portability and Accountability Act (HIPAA).

  3. SCOPE:  This policy applies to all REACH employees, volunteers, interns, board members, business associates and independent contractors.  The term “employee” includes all these types of workers. 

  4. DEFINITIONS:
    • “Covered Entity”: A covered entity is any person or organization that furnishes, bills, or is paid for health care services in the normal course of business.  Pursuant to HIPAA, individually identifiable health information collected or created by a covered entity is considered “protected health information,” or PHI.  REACH is a covered entity for the purposes of HIPAA.
    • “Protected Health Information (PHI)”: Any information that can be used to identify a client – whether living or deceased – that relates to the client’s past, present, or future physical or mental health or condition, including health care services provided and payment for those services.

  5. INTRODUCTION:
    • The Privacy and Security Rules restrict the use and disclosure of PHI. PHI may be used and disclosed only as permitted under the Privacy and Security Rules. Each use and disclosure of and each request for PHI must meet the “minimum necessary” standard. This policy describes permitted uses and disclosures of PHI and application of the minimum necessary standard to those uses and disclosures.
    • All employees must comply with all applicable HIPAA privacy and information security policies.  If, after an investigation, you are found to have violated the organization’s HIPAA privacy and information security policies, you will be subject to disciplinary action up to and including termination, and to legal ramifications if the infraction requires it.

  6. POLICY: 
    1. BASIC RULE 
      • REACH will not use or disclose PHI except (a) as permitted or required by this rule, (b) in accordance with REACH’s Notice of Privacy Practices, and (c) in compliance with the minimum necessary standard of the Privacy Rule.
    2. Examples of PHI include:
      1. Client names;
      2. Client demographic information;
      3. Client phone numbers and email addresses;
      4. Client records, including PRRs and IRs;
      5. Vehicle identifiers;
      6. Full face photographs or images;
      7. Appointment dates;
      8. Lab/test results;
      9. Invoices;
      10. Diagnoses;
      11. Psychotherapy notes;
      12. All elements of dates (birth, death, admission, discharge, etc.);
      13. Any health information that can lead to the identity of an individual or can be used to make a reasonable assumption as to the identity of the client.
    3. PERMITTED USES AND DISCLOSURES 
      1. Permitted uses and disclosures of PHI include: 
        1. to the individual client; 
        2. incidental uses or disclosures, described below; 
        3. to carry out treatment, payment or other health care operations; 
        4. pursuant to and in compliance with a valid authorization by the client; 
        5. pursuant to a verbal agreement from an individual client that permits disclosure to a caregiver; 
        6. for certain “priority” purposes such as disclosures required by law; 
        7. for various research purposes, pursuant to an appropriate waiver of authorization, as part of a limited data set and/or to create de-identified information (see policy on “Research”); and 
        8. to business associates, as described below.
      2. Incidental uses and disclosures.  The HIPAA Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard where applicable.  This means there must be a permissible primary reason for the disclosure in order for a secondary incidental disclosure to be valid.
        1. Incidental disclosures and reasonable safeguards include:
          1. speaking quietly when discussing a client’s condition with family members in a waiting room or other public area;
          2. avoiding using patients’ names in public hallways and elevators;
          3. isolating or locking file cabinets or records rooms; or
      3. Business associates.  With the approval of the Privacy Officer and in compliance with HIPAA, REACH may disclose PHI to the Company’s business associates and allow REACH’s business associates to create or receive PHI on its behalf.  However, prior to doing so, the Company must first obtain assurances from the business associate that it will appropriately safeguard the information.  Before sharing PHI with outside consultants or contractors who meet the definition of a “business associate,” employees must contact the Privacy Officer and verify that a business associate contract is in place.
      4. Required disclosures.  The Privacy Rule requires REACH to disclose PHI in the following instances: 
        1. when the individual requests access to information about himself or herself; 
        2. when the Department of Health and Human Services (“HHS”) requests information to investigate or determine REACH’s compliance with the rules; and 
        3. when required by law.
      5. Non-routine disclosures.  For non-routine disclosures, it is REACH’s policy to make such disclosures only in compliance with criteria designed to limit disclosure to the minimum amount of PHI necessary to accomplish the purpose of the disclosure, and to review requests for such disclosures in accordance with those criteria.
        1. Among the factors that may be considered in making such a determination are: 
          1. What is the purpose of the disclosure?  This could be relevant if the disclosure is not covered by the minimum necessary standard.
          2. What is the minimum amount of PHI that can be disclosed to accomplish the purpose of the disclosure?
          3. Are there standards in other industries or among health care providers as to what amount of information is sufficient to fulfill the intended purpose of the disclosure?
          4. To what extent would the disclosure increase the number of persons with access to the PHI?
          5. What is the likelihood of further disclosures? 
          6. Can substantially the same purpose be achieved using de-identified information? 
        2. NOTE:
          1. Employees may access a client’s PHI only if the access is necessary for the client’s treatment.  This means that employees at one site may not access the PHI of a client at another site.  Employees should not discuss a client’s PHI with employees at other sites unless it is specifically necessary for the client’s treatment.
    4. Removing PHI from Company Premises. 
      1. The general rule is that employees should not remove PHI from any REACH premises.  However, when REACH deems it necessary for an employee to work from a location other than one of our sites, PHI may be accessed and/or removed under the following circumstances: 
        1. Before removing PHI from the company, you must receive approval from the Executive Director.
        2. REACH will allow removal of PHI in paper form (participant records, reports) only when it is transported in a secure locked bag and the removal has been approved by the Executive Director.
        3. The following safeguards are required of all employees when working from a non-REACH site: 
          1. When outside the facility, only work on health information in a secure private environment.  Keep the information with you at all times while in transit.  Do not permit others to have access to the information.  Never email participant information.  Don’t save participant information to your home computer.  Do not print records of any type.  Return all information the next business day or as soon as required.

  7. RESPONSIBILITIES AS A COVERED ENTITY. 
    1. Privacy Officer:  The Compliance Manager will be the HIPAA Privacy Officer for REACH.  The Privacy Officer will be responsible for the development and implementation of policies and procedures relating to privacy, including but not limited to this HIPAA privacy policy.  The Privacy Officer will also serve as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI.  The Privacy Officer can be reached at (216) 332-9360.