Privacy Standards

Policy Statement

 

Our Company is committed to the protection of confidential business information and trade secrets, which includes, but is not limited to, information about employees, patient information, customer lists, and financial information. We recognize we have a responsibility to each employee and patient we serve to safeguard his or her privacy. We do not share any personal information with outside companies unless consent has been given and sharing is necessary to complete business. The policies and procedures for maintaining confidentiality are outlined in this handbook.

 

I.       General Policy Standards

 

A.     Cancer Care Group, P.C. (CCG) shall be HIPAA compliant.

B.     CCG is a covered entity as defined by §160.102 and §160.103 of HIPAA.

C.     CCG shall adopt all reasonable rules and standards to protect individuals’ rights and privileges to privacy.

D.     All standards, requirements, policies and procedures shall be in compliance with public policy.

E.      CCG’s Privacy Standards shall incorporate all applicable HIPAA standards, regulations and implementation specifications.

F.      Privacy is an important component of the individual-covered entity relationship. It is the duty of every CCG employee and business associate to ensure the safety, security and privacy of an individual’s Individually Identifiable Health Information.

 

II. Consent (§164.506)

           

CCG will investigate all complaints, including those involving Consent.  CCG shall follow established policies and procedures regarding the investigation of said complaint.

 

III. Authorization (§164.508)

 

  1. CCG shall follow and implement all policies and procedures to enforce all applicable Authorization requirements.
  2. CCG shall seek and receive an authorization to disclose medical information signed by the member prior to the disclosure of Individually Identifiable Health Information. The exception to this shall be information that is disclosed for the purpose of treatment, payment or other health-care related operations or circumstances where authorization is not required. An authorization is valid if it is written in plain language and includes:

 

    1. A specific and meaningful description of the information to be disclosed as well as a description of each purpose of the requested use or disclosure;
    2. The name or other specific identification of the person(s) authorized to make the requested disclosure;
    3. The name or other specific identification of the person(s) to whom CCG may make the requested disclosure;
    4. A statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization;

a.       If an individual chooses to revoke the authorization, they must do so in writing and submit it to the CCG Privacy Officer. An individual may revoke an authorization if submitted in writing, except to the extent that:

i.         CCG has taken action in reliance thereon; or

ii.       If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy or the policy itself.

    1. Signature of the individual and date; and
    2. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual.
  1. CCG shall follow established policies and procedures designed to ascertain the identity of the individual(s) to whom the Individually Identifiable Health Information is being disclosed.
  2. CCG shall follow established policies and procedures to allow for an individual or their representative(s) the right to revoke a previously provided authorization.
  3. CCG shall not:
    1. Disclose Individually Identifiable Information upon the presentation of a defective authorization. (§164.508(b)(2)) An authorization is defective if:

a.       It has expired (1 year from the date of the signature).

b.       The authorization has not been filled out completely or lacks any required elements.

c.       The authorization has been revoked.

d.       Improper compound authorization.

e.       Improper conditioning.

f.        Information known to be false.

    1. Accept compound authorizations except for authorizations related to research-related activities. (§164.508(3))
    2. Condition treatment, payment, enrollment or eligibility for benefits on the provision of an authorization.
  1. Any and all questions, concerns, comments or other issues shall be directed to CCG’s designated Privacy Official for review and response.
  2. CCG may condition authorization for the following:
    1. CCG may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research;
    2. CCG may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.
  3. CCG will provide the individual with a copy of the authorization.

 

 

IV. Use and Disclosures of Individually Identifiable Health Information (§164.502)

 

A.     CCG shall follow established policies and procedures that prevent the disclosure of Individually Identifiable Health Information and Protected Health Information without first obtaining an authorization to disclose the information from the individual, unless listed as an exception under HIPAA Privacy Rules.

  1. Uses and disclosures permitted without an authorization include:
    1. Disclosures to the individual upon the presentation of a written request.
    2. Uses and disclosures to carry out treatment, payment and health care operations.
    3. Incidental to a use or disclosure otherwise permitted or required if that disclosure was done properly.
    4. Pursuant to and in compliance with a valid authorization.
    5. When allowed if the individual has been given an opportunity to object.
    6. When specifically permitted to (underwriting, where no authorization is required, for a limited dataset, etc.).
  1. CCG shall follow established policies and procedures that limit the disclosures of Individually Identifiable Health Information to the minimum necessary information to accomplish the intended purpose of the use, disclosure or request.
    1. Prior to disclosure, CCG shall identify:

a.       Those persons or classes of persons in its workforce who need access to protected health information to carry out their duties; and

b.       For each person or class of person, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.

2.       CCG shall appoint a single entity or office responsible for receiving and processing all requests for disclosure of PHI that CCG owns and/or controls and to:

a.       Develop criteria designed to limit disclosure.

b.       Review all requests for disclosure on an individual basis.

c.       Limit all disclosures to the minimum necessary.

d.       Maintain a record of all disclosures that were not for the purpose of treatment, payment or health care operations.

  1. CCG will not use, disclose, or request an entire medical record, except when the entire medical record is specifically justified as the amount necessary to accomplish the purpose of the use, disclosure, or request.  “Minimum necessary” does not apply in the following cases:
    1. To a health care provider for treatment.
    2. To the individual (with exceptions of psychotherapy and doctor’s opinion).
    3. With an authorization (stating what is to be disclosed).
    4. To the Secretary of HHS for enforcement (not to a government entity).
    5. When required by law.
  2. CCG shall follow established policies and procedures that will provide a reasonable amount of time for the individual whose Individually Identifiable Health Information is to be disclosed for purposes other than treatment, payment or health care operations, to object to the disclosure. (§164.510)
  3. CCG shall follow established policies and procedures that allow for the disclosure of de-identified Protected Health Information without the individual’s authorization. (§164.514)
    1. Health information has been de-identified if the information disclosed does not or cannot be reasonably inferred to identify an individual.
    2. The following information must be removed before it will be considered de-identified:

a.       Name;

b.       All geographic subdivisions smaller than a State;

c.       All elements of dates (except for year) directly related to an individual;

d.       Telephone/Fax numbers;

e.       Electronic mail addresses and Web Universal Resource Locators (URLs);

f.        Social security number;

g.       Medical record number;

h.       Health plan identification numbers;

i.         Account numbers;

j.         Certificate/license numbers;

k.       Vehicle identifiers and serial numbers;

l.         Device identifiers and serial numbers;

m.     Biometric identifiers, including finger and voice prints;

n.       Full face photographic images and any comparable images; and

o.       Any other unique identifying number, characteristic, or code.

  1. CCG shall not use or disclose Individually Identifiable Health Information for marketing purposes without first obtaining specific authorization from the individual member.
  2. CCG shall follow established policies and procedures for the disclosure and transfer of Individually Identifiable Health Information to business associates pursuant to a valid business associate contract (§164.502(e)(1)).
    1. For all entities determined to be a business associate, CCG and the business associate shall enter into a business associate contract relationship. A contract between CCG and a business associate (§164.504(e)(2)) must:

a.       Establish the permitted and required uses and disclosures of such information by the business associate.

b.      Provide that business associate will comply with all applicable HIPAA standards and regulations.

    1. For all entities determined to be a business associate and where CCG and the business associate do not enter into a business associate contract relationship, CCG shall terminate that business associate relationship.
  1. CCG may disclose, in an emergency, if we believe in good faith the disclosure will prevent harm to someone or the public. In the event that CCG discloses Individually Identifiable Health Information, CCG will follow the Policy and Procedure for Accounting of Disclosures (any occasion where Protected Health Information is disclosed for purposes other than Treatment, Payment or Operations).

V. Notice of Privacy Practices (§164.520)

 

A.     CCG shall follow established Notice of Privacy Practices.

B.     CCG shall make available the Notice of Privacy Practices to anyone who requests a copy.

C.     The Notice of Privacy Practices shall contain:

 

1.       A Header

2.       A description of various forms of Uses and Disclosures.

    1. A separate statement for the use or disclosure of any or all of the following:

a.       That the covered entity may contact the individual for various health care operations.

b.       That the covered entity may contact the individual for marketing and fundraising purposes.

c.       That the group health plan may, under very limited circumstances, disclose protected health information to the sponsor of the plan.

d.       That other uses and disclosures will be made only with the individual’s written authorization and that the individual may revoke such authorization.

    1. A statement containing the individual’s rights and a brief description of how the individual may exercise those rights.

a.       Right to request restrictions (§164.522(a)) and that the Covered Entity is not required to agree to requested restrictions.

b.       Right to receive confidential communications (§164.522(b)).

c.       Right to inspect and copy protected health information (§164.524).

d.       Right to amend protected health information (§164.526).

e.       Right to receive an accounting of disclosures of protected health information (§164.528); and

f.        Right of the individual to receive a copy of the notice.

g.       Right to make complaints without retaliation.

    1. A statement describing the covered entity’s duties that:

a.       Protects privacy of PHI.

b.       Provides notice of privacy practices, stating that it is required to abide by the terms of the notice currently in effect.

c.       States that it reserves the right to revise its privacy practices, and that revisions will be promptly displayed.

 

VI.  Individual’s Right to Restrict the Uses and Disclosures of Protected Health Information (§164.522)

 

  1. CCG shall follow established policies and procedures to ensure the individual members’ right to request a restriction of the use or disclosure of protected health information.
  2. CCG shall follow established policies and procedures providing for the review of all restriction requests and notification procedures.
  3. CCG shall follow established policies and procedures that will ensure CCG’s compliance with any previously agreed to restrictions on the use or disclosure of an individual’s Individually Identifiable Health Information.
  4. CCG shall follow established policies and procedures that will ensure that CCG’s business associates and trading partners comply with any restrictions agreed to by CCG for the use or disclosure of an individual’s Individually Identifiable Health Information.

 

VII. Individual’s Right to Access to Protected Health Information (§164.524)

 

  1. CCG shall follow established policies and procedures to ensure the individual’s right to inspect and obtain a copy of the individual’s protected health information. Parameters and principles referenced in such policies and procedures shall include:

1.       Limited to records maintained in a “designated record set”.

2.       Timely action.

3.       Form of access.

4.       Time and manner of access.

5.       Fees.

6.       Exceptions:

3.       Psychotherapy notes;

4.       Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and

5.       Information subject to or exempt from the Clinical Laboratory Improvements Amendments of 1988.

  1. CCG shall have the right to deny an individual access to the designated record set based on specific criteria and shall follow established policies and procedures to notify the individual of CCG’s denial.

1.       A denial must be in plain language and contain the following items:

a.       The reason for the denial;

b.       A statement of the individual’s right to appeal; and

c.       A description of how the individual may complain to the covered entity, including the identity of the person to whom they may make the complaint.

2.       Policies defining unreviewable grounds for denial.

3.       Policies defining reviewable grounds for denial.

4.       Policies defining the appeal process.

 

VIII. Individual’s Right to Amend Protected Health Information (§164.526)

 

  1. CCG shall follow established policies and procedures that allow the individual the opportunity to request an amendment to the designated record set.

1.       All requests shall be in writing and limited to 250 words.

2.       An addendum shall be attached to the patient’s designated record set and be included in any future disclosures.

  1. If a request is approved, all addendum requests shall be acted upon within 60 days of the date the request was received and must:

1.       Attach the amendment to the designated record set.

2.       Inform the individual that the amendment has been made.

3.       Make reasonable efforts to inform other entities who have access to the information or who may reasonably rely on the information contained within the designated record set.

4.       The individual must identify whom they want notified, and CCG must obtain written authorization from the individual to notify designated Business Associates.

  1. CCG shall maintain the right to deny the individual’s request to amend information contained within the designated record set and shall follow established policies and procedures to notify the individual of CCG’s denial. In so doing, CCG shall:

1.       Provide a written denial to the individual explaining the basis for the denial, including an explanation of the individual’s right to appeal the denial.

2.       Keep a record of the request, the denial and any appeals.

  1. CCG shall document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals.

 

IX. Accounting for Disclosures of Protected Health Information (§164.528)

 

  1. CCG shall follow established policies and procedures to provide an individual with an accounting of disclosures of protected health information made in the previous six (6) years by CCG or CCG Business Associates, except for disclosures:

1.       To carry out treatment, payment and health care operations;

2.       To individuals of protected health information about them;

3.       To persons involved in the individual’s care or other notification purposes;

4.       To correctional institutions or law enforcement officials;

5.       That occurred prior to the compliance date.

  1. CCG shall require the individual to submit all requests for an accounting in writing.
  2. For each accounting, CCG shall include the following information:

1.       The date of disclosure;

2.       The name and address to whom the disclosure was made;

3.       A brief description of the protected health information disclosed; and

4.       A brief statement of the purpose of the disclosure.

  1. CCG shall follow established policies and procedures requiring a response and disclosure of an accounting to the individual or their representative within 60 days from the date the request was received.

 

X.     Administrative Requirements (§164.530)

 

A.     CCG shall designate a Privacy Official who will be responsible for the development and implementation of the policies and procedures required to conform to the Standards adopted by CCG.

1.       CCG shall document the personnel designations.

2.       The designated Privacy Official shall be responsible for receiving complaints and shall be able to provide further information about matters covered by the privacy notice.

B.     CCG shall provide training to all members of its workforce on policies and procedures with respect to protected health information required in these Standards.

C.     CCG shall follow appropriate administrative, technical, and physical safeguards established to protect the privacy of Protected Health Information.

D.     CCG shall adopt reasonable processes for individuals to make complaints concerning CCG’s policies and procedures required by these Standards.

E.      CCG shall follow established policies and procedures regarding sanctions against members of the workforce who fail to comply with these Standards.

F.      In the event protected health information is disclosed without prior consent or authorization, by a member of its workforce or a business associate, and to the extent the disclosure is known, CCG shall attempt to mitigate any harmful effects that may occur by contacting our attorney for proper direction and professional advice.

G.     CCG shall not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual who exercises their right to notify, disclose, or testify to any wrongful use or disclosures by any member of the CCG workforce.

H.     CCG may not request or require an individual’s waiver of rights under these Standards as a condition of the provision of treatment, payment, enrollment or eligibility.

I.        CCG shall document in either written or electronic form all policies and procedures, designations and communications as required in these Standards.

 

 

 
 

Copyright 2002-2004, Cancer Care Group, P.C.