Policy:

It is the policy of Minnie Hamilton Health System to protect the confidentiality, integrity and availability of patient information belonging to our member’s patients. Minnie Hamilton Health System will protect that information in a manner that will comply with State and/or Federal privacy laws. Minnie Hamilton Health System will incorporate portions of this policy, consistent with State and Federal law, into any applicable Human Resources policies.

Definitions:

1. Covered Entity: A type of covered entity is a healthcare provider that conducts certain electronic transactions, including billing and eligibility information. Covered entities are also health plans, and healthcare clearing houses.

1. Business Associate: A business associate is an individual or organization that is not part of a covered entity’s workforce, who provides a service or performs a function for a covered entity which requires the use of PHI. For example, claims processing, data analysis, and/or practice management.

1. HIPAA: The Health Insurance Portability and Accountability Act, as defined in 45 CFR Parts 160, 162, and 164.

1. Inappropriate Disclosure: Inappropriate disclosure of PHI is the release of information, transfer of information, provision of information, and access to or divulging patient information in any manner outside the entity holding the information that has not been authorized by the member or the member’s patient.

1. Joint Venture: A legal arrangement between two or more entities to provide services, products or both.

1. Organized Healthcare Arrangement (OCHA): An arrangement or relationship that allows two or more covered entities who participate in joint activities to share protected health information about individuals in order to manage and benefit their joint operations. This includes utilization review decisions which are reviewed by other participating covered entities; quality improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf. OHCAs also include multiple entities holding themselves out to the public as participating in a joint enterprise and participating in joint activities. IPAs (Independent Practice Associations) that engage in utilization reviews, credentialing and other health care operations are good examples.

1. Privacy Rule: The part of the HIPAA regulations that is related to the privacy of PHI, and is outlined in 45 CFR Subpart E.

1. Designated Privacy Official: Minnie Hamilton Health System has an < >, who is the designated Privacy Official under the HIPAA regulations.

1. Protected Health Information (PHI): PHI is any information including demographic information that is created or received by a covered entity and which relates to:

1. The past, present or future physical or mental health or condition of an individual

1. The provision of healthcare to an individual

1. The past, present, or future payment for the provision of healthcare to an individual, and that identifies the individual or there is a reasonable basis to believe that the information can be used to identify the individual. PHI includes information concerning a person that is living or deceased and may be in written, oral or electronic format. There are 18 identifiers that the Privacy regulation says can be used to identify a person including:

1. Name

1. All geographic subdivisions of a state, including street address, city, county, zip code, and zip code except for the first three digits in a zip code

1. All dates directly related to the individual, including birth date, admission date, discharge date, date of death, (except for the year)

1. Telephone number

1. Fax number

1. E-mail address

1. Social Security Number

1. Medical Record Number

1. Health plan beneficiary number

1. Account number

1. Certificate/license number

1. Vehicle identifiers and serial numbers

1. Device identifiers and serial numbers

1. URL addresses

1. IP addresses

1. Biometric identifiers, including fingerprints

1. Full-face photographs and any comparable images

1. Any unique identifying number, characteristic or code

1. PHI excludes individually identifiable health information:

1. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g

1. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv)

1. in employment records held by a covered entity in its role as employer

1. Regarding a person who has been deceased for more than 50 years

Requests for Individually Identifiable Information

Requests for access to a patient’s printed medical record or requests for electronic access to a patient’s medical record will be referred to < > for processing. Requests will be responded to within 30 days.

Sensitive Information

Certain information contained within medical records is particularly sensitive. For example drug and alcohol treatment information, mental health records, Human Immunodeficiency Virus (HIV), and genetic testing information. The electronic medical record (EMR) may contain sensitive information as well as other treatment information that may require a special authorization before it can be released. It is not a breach of PHI for this information to be contained within the EMR. < > will determine who needs access to any PHI, including any sensitive information, and each user’s security for access within the electronic medical record and practice management system will need to be set accordingly.

Confidentiality

Confidentiality means keeping private information private. Minnie Hamilton Health System employees, contractors, and students must not discuss PHI with anyone, unless it is directly required in order to perform their job duties. Conversations about confidential information should be conducted in a manner that preserves the confidentiality of the information.

Employees, students, interns, vendors and contractors must not access or review individual’s health information contained in any of the Minnie Hamilton Health System databases or on paper for any reason other than to perform their job duties.

Confidentiality Agreements

Employees, contractors, consultants, students and others are required to sign a confidentiality agreement as part of the conditions of their employment or their relationship with Minnie Hamilton Health System. Confidentiality agreements should be signed by individuals if the individual may have the occasion to see or hear information about a patient, however, seeing or hearing that information is not part of their duties at Minnie Hamilton Health System. For example, Minnie Hamilton Health System may hire a temporary agency person to help < > with yearend accounting, but their primary duties will not involve seeing or using PHI.

Employees, contractors, consultants, interns and students who violate the Minnie Hamilton Health System confidentiality agreement are subject to disciplinary action, up to and including termination of employment, or termination of contract. The individual may also be held personally responsible for violation of the confidentiality agreement.

Business Associate Agreements

Business Associate Agreements (BAA) are required to be agreed to between organizations when one organization is using PHI belonging to Minnie Hamilton Health System in order to or as part of providing a service to Minnie Hamilton Health System.

BAAs will specify that the business associate agrees to comply with Minnie Hamilton Health System’s privacy and security policies, including reporting security incidents and breaches of unsecured PHI to < > as required under Breach Notification Rule, and ensure subcontractors agree in writing to the same restrictions and conditions that apply to business associates and that they will limit their access to any PHI to the minimum necessary in order to fulfill their obligations to < >. The agreement also will state that the business associate will limit access to PHI by other companies performing work for the business associate, such as software vendors.

BAAs are not required unless PHI is being used by a business associate on a routine basis in order to provide services to Minnie Hamilton Health System. Incidental viewing of PHI does not require that a BAA be signed. For example, the US Postal Service does not need to sign a BAA, even though they may pick up and deliver mail that contains PHI.

Breach of Confidentiality

A breach of confidentiality occurs when an Minnie Hamilton Health System employee, consultant, intern, student, vendor, subcontractor, or business partner accesses, releases, reviews or discusses a patient’s PHI for any reason that is not directly related to the performance of their job duties, and without permission of the clinic, provider or the patient. Breaches of confidentiality must be reported to the < > and the Minnie Hamilton Health System, immediately. Individuals who report breaches will be protected from any retaliation from the employee who was reported for breaching patient confidentiality, or from Minnie Hamilton Health System’s management. Please see the Notification of Breach of Unsecured Protected Health Information Policy for additional details.

Privacy Training

All Minnie Hamilton Health System employees, consultants, contractors, interns and students must complete Minnie Hamilton Health System confidentiality training. Confidentiality training will be completed as part of new employee orientation during the first week of employment, and at a minimum, annually thereafter. Periodic privacy reminders may be sent via e-mail, newsletter, website, US mail. All-staff meetings will also include privacy updates on at least a quarterly basis.

Documentation of employee privacy training will be kept in the employee’s file.

Printing PHI

Printing PHI is discouraged unless it is needed for document decisions that were made regarding a member or a member’s patient. Any printed PHI must be shredded or put in the locked shredder bin after it has been used for its intended purpose. It is not acceptable to put the PHI in a recycle box, or the garbage can.

Printed confidential information that needs to be routed to another individual at Minnie Hamilton Health System should be enclosed in a protective envelope. If printed confidential information must be kept for a period of time, it must be placed in a locked location that only has limited access to others.

Privacy Official

Minnie Hamilton Health System has designated the < > as the Privacy Official under the HIPAA Privacy regulation. Questions regarding privacy of member or patient information should be directed to the < > for clarification

Policy:

It is the policy of Minnie Hamilton Health System to protect the confidentiality, integrity and availability of patient information belonging to our member’s patients. Minnie Hamilton Health System will protect that information in a manner that will comply with State and/or Federal privacy laws. Minnie Hamilton Health System will incorporate portions of this policy, consistent with State and Federal law, into any applicable Human Resources policies.

Definitions:

1. Covered Entity: A type of covered entity is a healthcare provider that conducts certain electronic transactions, including billing and eligibility information. Covered entities are also health plans, and healthcare clearing houses.

1. Business Associate: A business associate is an individual or organization that is not part of a covered entity’s workforce, who provides a service or performs a function for a covered entity which requires the use of PHI. For example, claims processing, data analysis, and/or practice management.

1. HIPAA: The Health Insurance Portability and Accountability Act, as defined in 45 CFR Parts 160, 162, and 164.

1. Inappropriate Disclosure: Inappropriate disclosure of PHI is the release of information, transfer of information, provision of information, and access to or divulging patient information in any manner outside the entity holding the information that has not been authorized by the member or the member’s patient.

1. Joint Venture: A legal arrangement between two or more entities to provide services, products or both.

1. Organized Healthcare Arrangement (OCHA): An arrangement or relationship that allows two or more covered entities who participate in joint activities to share protected health information about individuals in order to manage and benefit their joint operations. This includes utilization review decisions which are reviewed by other participating covered entities; quality improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf. OHCAs also include multiple entities holding themselves out to the public as participating in a joint enterprise and participating in joint activities. IPAs (Independent Practice Associations) that engage in utilization reviews, credentialing and other health care operations are good examples.

1. Privacy Rule: The part of the HIPAA regulations that is related to the privacy of PHI, and is outlined in 45 CFR Subpart E.

1. Designated Privacy Official: Minnie Hamilton Health System has an < >, who is the designated Privacy Official under the HIPAA regulations.

1. Protected Health Information (PHI): PHI is any information including demographic information that is created or received by a covered entity and which relates to:

1. The past, present or future physical or mental health or condition of an individual

1. The provision of healthcare to an individual

1. The past, present, or future payment for the provision of healthcare to an individual, and that identifies the individual or there is a reasonable basis to believe that the information can be used to identify the individual. PHI includes information concerning a person that is living or deceased and may be in written, oral or electronic format. There are 18 identifiers that the Privacy regulation says can be used to identify a person including:

1. Name

1. All geographic subdivisions of a state, including street address, city, county, zip code, and zip code except for the first three digits in a zip code

1. All dates directly related to the individual, including birth date, admission date, discharge date, date of death, (except for the year)

1. Telephone number

1. Fax number

1. E-mail address

1. Social Security Number

1. Medical Record Number

1. Health plan beneficiary number

1. Account number

1. Certificate/license number

1. Vehicle identifiers and serial numbers

1. Device identifiers and serial numbers

1. URL addresses

1. IP addresses

1. Biometric identifiers, including fingerprints

1. Full-face photographs and any comparable images

1. Any unique identifying number, characteristic or code

1. PHI excludes individually identifiable health information:

1. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g

1. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv)

1. in employment records held by a covered entity in its role as employer

1. Regarding a person who has been deceased for more than 50 years

Requests for Individually Identifiable Information

Requests for access to a patient’s printed medical record or requests for electronic access to a patient’s medical record will be referred to < > for processing. Requests will be responded to within 30 days.

Sensitive Information

Certain information contained within medical records is particularly sensitive. For example drug and alcohol treatment information, mental health records, Human Immunodeficiency Virus (HIV), and genetic testing information. The electronic medical record (EMR) may contain sensitive information as well as other treatment information that may require a special authorization before it can be released. It is not a breach of PHI for this information to be contained within the EMR. < > will determine who needs access to any PHI, including any sensitive information, and each user’s security for access within the electronic medical record and practice management system will need to be set accordingly.

Confidentiality

Confidentiality means keeping private information private. Minnie Hamilton Health System employees, contractors, and students must not discuss PHI with anyone, unless it is directly required in order to perform their job duties. Conversations about confidential information should be conducted in a manner that preserves the confidentiality of the information.

Employees, students, interns, vendors and contractors must not access or review individual’s health information contained in any of the Minnie Hamilton Health System databases or on paper for any reason other than to perform their job duties.

Confidentiality Agreements

Employees, contractors, consultants, students and others are required to sign a confidentiality agreement as part of the conditions of their employment or their relationship with Minnie Hamilton Health System. Confidentiality agreements should be signed by individuals if the individual may have the occasion to see or hear information about a patient, however, seeing or hearing that information is not part of their duties at Minnie Hamilton Health System. For example, Minnie Hamilton Health System may hire a temporary agency person to help < > with yearend accounting, but their primary duties will not involve seeing or using PHI.

Employees, contractors, consultants, interns and students who violate the Minnie Hamilton Health System confidentiality agreement are subject to disciplinary action, up to and including termination of employment, or termination of contract. The individual may also be held personally responsible for violation of the confidentiality agreement.

Business Associate Agreements

Business Associate Agreements (BAA) are required to be agreed to between organizations when one organization is using PHI belonging to Minnie Hamilton Health System in order to or as part of providing a service to Minnie Hamilton Health System.

BAAs will specify that the business associate agrees to comply with Minnie Hamilton Health System’s privacy and security policies, including reporting security incidents and breaches of unsecured PHI to < > as required under Breach Notification Rule, and ensure subcontractors agree in writing to the same restrictions and conditions that apply to business associates and that they will limit their access to any PHI to the minimum necessary in order to fulfill their obligations to < >. The agreement also will state that the business associate will limit access to PHI by other companies performing work for the business associate, such as software vendors.

BAAs are not required unless PHI is being used by a business associate on a routine basis in order to provide services to Minnie Hamilton Health System. Incidental viewing of PHI does not require that a BAA be signed. For example, the US Postal Service does not need to sign a BAA, even though they may pick up and deliver mail that contains PHI.

Breach of Confidentiality

A breach of confidentiality occurs when an Minnie Hamilton Health System employee, consultant, intern, student, vendor, subcontractor, or business partner accesses, releases, reviews or discusses a patient’s PHI for any reason that is not directly related to the performance of their job duties, and without permission of the clinic, provider or the patient. Breaches of confidentiality must be reported to the < > and the Minnie Hamilton Health System, immediately. Individuals who report breaches will be protected from any retaliation from the employee who was reported for breaching patient confidentiality, or from Minnie Hamilton Health System’s management. Please see the Notification of Breach of Unsecured Protected Health Information Policy for additional details.

Privacy Training

All Minnie Hamilton Health System employees, consultants, contractors, interns and students must complete Minnie Hamilton Health System confidentiality training. Confidentiality training will be completed as part of new employee orientation during the first week of employment, and at a minimum, annually thereafter. Periodic privacy reminders may be sent via e-mail, newsletter, website, US mail. All-staff meetings will also include privacy updates on at least a quarterly basis.

Documentation of employee privacy training will be kept in the employee’s file.

Printing PHI

Printing PHI is discouraged unless it is needed for document decisions that were made regarding a member or a member’s patient. Any printed PHI must be shredded or put in the locked shredder bin after it has been used for its intended purpose. It is not acceptable to put the PHI in a recycle box, or the garbage can.

Printed confidential information that needs to be routed to another individual at Minnie Hamilton Health System should be enclosed in a protective envelope. If printed confidential information must be kept for a period of time, it must be placed in a locked location that only has limited access to others.

Privacy Official

Minnie Hamilton Health System has designated the < > as the Privacy Official under the HIPAA Privacy regulation. Questions regarding privacy of member or patient information should be directed to the < > for clarification