City of Washington, NC
HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) Compliance Policy

Policies

I - - Security, Levels of Access & Limited Disclosure & Use of Protected Health Information
II - - Employees’ Medical Records
III - - Use of Computer Information Systems & Equipment With Regards to Protected Health Information
IV - - FAX Cover Sheet
V - - Privacy Training
VI - - Designated Record Set
VII - - Patient Access Amendment & Restriction on Use of Protected Health Information
VIII - - Procedure for Request for Amendment to Protected Health Information
IX - - Privacy Complaint Policy
X - - Sanctions for Breach of HIPAA Privacy Rules
XI - - Prohibiting Retaliation Against Employees, Individuals or Others
XII - - Distribution of Notice of Privacy
Definitions

Note: Appendix items available at Washington-Fire-Rescue-EMS


I - - Security, Levels of Access & Limited Disclosure & Use of Protected Health Information

A. Purpose

To outline levels of access to Protected Health Information (PHI) by authorized staff members of the City of Washington and to provide a policy and procedure on limiting access, disclosure, and use of PHI.

B. Policy

1. The City of Washington shall maintain strict requirements on the security, access, disclosure and use of PHI. Access, disclosure and use of PHI shall be based on the role of individual staff members in the organization, and only to the extent that the staff members need access to PHI to complete necessary job functions.

2. When PHI is accessed, disclosed and used, the individuals involved shall make every effort, except in patient care situations, to access, disclose and use PHI only to the extent necessary to accomplish the intended purpose.

C. Procedure

1. Access to PHI shall be limited to those who need access to PHI to carry out their duties. Unless specified elsewhere in this policy, access to PHI shall be restricted to appropriate staff members of the Washington Department of Fire-Rescue-EMS and the City of Washington Finance Department. The following matrix describes the specific categories or types of PHI to which such persons need access, and the conditions that would apply to such access.

Job Title/Department | Description of PHI to Be Accessed | Conditions of Access to PHI
EMT/EMT-I / Fire-Rescue-EMS Services | Dispatch information from PD Dispatch, PreMIS forms | May access only as part of completion of a patient event and post-event activities and only while actually on duty
Billing Clerk / Finance Department | PreMIS forms, billing claim forms, remittance advice statements, other patient records from facilities | May access only as part of duties to complete patient billing and follow up and only during actual work shift
Shift Supervisor / Fire-Rescue-EMS Services | Dispatch information from PD Dispatch, PreMIS forms | May access only as part of completion of a patient event and post-event activities, as well as for quality assurance checks and corrective counseling of staff
Training Coordinator / Fire-Rescue-EMS Services | Dispatch information from PD Dispatch, PreMIS forms | May access only as part of training and quality assurance activities. All individually identifiable patient information shall be redacted prior to use in training and quality assurance activities
Administrative Support Staff / Fire-Rescue-EMS Services and Finance Dept. | | May access only to the extent necessary to complete job functions and only during actual work shift
Operations Chief / Privacy Officer / Fire-Rescue-EMS Services | | May access only to the extent necessary to monitor compliance and to accomplish appropriate supervision and management of personnel
Information Systems / Finance Department | | May access only to the extent necessary to repair/correct computer hardware/software malfunctions

2. Access to PHI shall be limited to the above identified persons only, and to the identified PHI only, based on the City’s reasonable determination of the persons or classes of persons who require PHI, and the nature of the health information they require, consistent with their job responsibilities.

3. Access to a patient’s entire file shall not be permitted except where otherwise authorized in this and other policies and procedures, and the justification for use of the entire medical record is specifically identified and documented.

D. Disclosures To and Authorizations From the Patient

1. The minimum necessary requirement does not restrict disclosures of PHI to the patient who is the subject of the PHI. In addition, disclosures authorized by the patient are exempt from the minimum necessary requirements unless the authorization to disclose PHI is requested by the City.

2. Authorizations received directly from third parties, such as Medicare, or other insurance companies, to release PHI to those entities are not subject to the minimum necessary standards. For example, if a patient authorizes disclosure of PHI to Medicare, Medicaid or another health insurance plan for claim determination purposes, the City is permitted to disclose the PHI requested without making any minimum necessary determination.

3. When necessary to request authorization to use or disclose PHI, the City shall request the patient to complete an ‘Authorization to Use and Disclose Specific Protected Health Information’ Form (See Appendix ‘A’). Forms shall be submitted to the HIPAA Privacy Officer, who in turn shall maintain a log of such authorizations (See Appendix ‘B’).

E. City Requests for PHI

1. If the City needs to request PHI from another health care provider on a routine or recurring basis, it must limit its request to only the reasonably necessary information needed for the intended purpose as described below. For requests not covered below, the City must make this determination individually for each request and should consult the HIPAA Privacy Officer for guidance. For example, if the request is non-recurring or non-routine, like making a request for documents via a subpoena, the City must review it to make sure the request covers only the minimum necessary PHI to accomplish the purpose of the request.

Holder of PHI | Purpose of Request | Information Reasonably Necessary to Accomplish Purpose
Skilled Nursing Facility | To have adequate patient records to determine medical necessity for service and to properly bill for services provided | Patient face sheets, discharge summaries, Physician Certification Statements and Statements of Medical Necessity, Mobility Assessments
Hospitals | To have adequate patient records to determine medical necessity for service and to properly bill for services provided | Patient face sheets, discharge summaries, Physician Certification Statements and Statements of Medical Necessity, Mobility Assessments
Mutual Aid Ambulance or EMS Services | To have adequate patient records to conduct billing operations for patients mutually treated/transported by the City | PreMIS forms


2. For all other requests, the reasonably necessary information must be determined on a request-by-request basis.

F. Incidental Disclosures

1. The City understands that there will be times when there are incidental disclosures of PHI in the context of caring for a patient. The privacy laws were not intended to impede common health care practices essential in providing health care to the individual. Incidental disclosures are inevitable, but these will typically occur in radio or face-to-face conversations between health care providers, or when written patient care information or computer forms are left out in the open for others to access or see.

2. The fundamental principle is that staff needs to be sensitive about the importance of maintaining the confidentiality and security of all material created or used that contains patient care information. Coworkers and other staff members should not have access to information not necessary for the staff member to complete his/her job. For example, it is generally not appropriate for field personnel to have access to billing records of the patient.

3. All personnel must be sensitive to avoid incidental disclosures to other health care providers and others who do not have a need to know the information. Pay attention to who is within earshot when verbal statements are made about a patient’s health information, and follow some of these common sense procedures for avoiding accidental or inadvertent disclosures.

G. Verbal Security

1. Waiting or Public Areas: If patients are in waiting areas to discuss the service provided to them or have billing questions answered, make sure that there are no other persons in the waiting area, or if so, bring the patient into a protected area before engaging in discussion.

2. Garage Areas: Staff members should be sensitive to the fact that members of the public and other agencies may be present in the garage and other easily accessible areas. Conversations about patients and their health care should not take place in areas where those without a need to know are present.

3. Other Areas: Staff members may only discuss patient care information with those who are involved in the care of the patient, regardless of their physical location. Staff should be sensitive to their voice level and to the fact that others may be in the area. This approach is not meant to impede anyone’s ability to speak with other health care providers freely when engaged in the care of the patient. When it comes to treatment of the patient, staff should be free to discuss all aspects of the patient’s medical condition, treatment provided, and any health information they may have in their possession with others involved in the care of the patient.

H. Physical Security

1. Patient Care and Other Patient or Billing Records: PreMIS forms shall be stored in safe and secure areas. When any paper records concerning a patient are completed, they shall not be left in open bins or on desktops or other surfaces. Only those with a need to have the information for the completion of their job duties should have access to any paper records. PreMIS forms and Billing Records shall only be transported in secured containers via City vehicles. Billing records including all notes, remittance advices, charge slips or claim forms may not be left out in the open and shall be stored in files or boxes that are secure and in an area with access limited to those who need access to the information for the completion of their job duties.

2. Computers and Entry Devices: Computer access terminals and other remote entry devices such as PDAs and laptops containing PHI or DRS shall be kept secure. Access to any computer device shall be by password only (See Appendix ‘C’). Staff requiring such access to PHI or DRS shall submit a Password Authorization Form which, in turn, shall be kept on file by the HIPAA Privacy Officer. Staff members shall be sensitive to who may be in viewing range of the monitor screen and take simple steps to shield viewing of the screen by unauthorized persons. All remote devices such as laptops and PDAs shall remain in the physical possession of the individual to whom they are assigned at all times. (See City of Washington Personnel Policy, Article XI, Sections 1 & 2)

3. Should it be necessary to permit outside agencies, vendors, etc., access to computers containing PHI for the purpose of hardware/software repairs, installation, etc., the City of Washington must forward correspondence to such agencies or vendors advising them of the business associate status in accordance with HIPAA definitions (See Appendix ‘D’), and the requirement to file an Amendment to Business Associate Agreement with the City of Washington prior to gaining access (See Appendix ‘E’).

II - - Employees’ Medical Records

A. Purpose:

To provide guidance to the City of Washington management and staff concerning the privacy of employees’ medical records.

B. Policy:

1. The City of Washington shall, to the extent required by law, protect medical records it receives about employees or other staff in a confidential manner. Generally, only those with a need to know the information will have access to it, and, even then, they will only have access to as much information as is minimally necessary for the legitimate use of the medical records.

2. In accordance with the laws concerning disability discrimination, all medical records of staff shall be kept in separate files apart from the employee's general employment file. These records shall be secured with limited access by management.

3. In accordance with the HIPAA Privacy Rule, medical records not considered employment records shall be treated in accordance with the safeguards of the HIPAA Privacy Rule with respect to their use and disclosure.

4. Employment records are not considered to be protected health information (PHI) subject to HIPAA safeguards, including certain employees’ medical records related to the job. Those employment records not covered under HIPAA include, but are not limited to, information obtained to determine suitability to perform job duties (such as physical examination reports), drug and alcohol tests obtained in the course of employment, doctor's excuses provided in accordance with an attendance policy, work-related injury and occupational exposure reports, and medical and laboratory reports related to such injuries or exposures, especially to the extent necessary to determine workers' compensation coverage.

5. Regardless of HIPAA status, the City of Washington shall limit the use and disclosure of these records to only those with a need to have access to them such as certain management staff, the City's designated physician and state agencies pursuant to state law.

6. With respect to City of Washington staff members, only health information obtained about staff in the course of providing ambulance or other medical services directly to them is considered PHI under HIPAA. In other words, if the City of Washington provides ambulance service to an employee, the protections typically given to such information about its ambulance service patients apply to the employee. These protections are subject to HIPAA exceptions such as in the situation in which a staff member used City of Washington services and was involved in a work-related injury while on duty. As another example, if the City of Washington receives an employee’s medical record in the course of providing that employee with treatment and/or transport, it does not matter that the City of Washington is the employer, that record is PHI. If, however, the employee submits a doctor's statement to a supervisor to document an absence or tardiness from work, the City of Washington does not need to treat that statement as PHI. Other health information that could be treated as employment related, and not PHI, includes medical information needed for the City of Washington to carry out its obligations under the FMLA, ADA and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, drug screening results, workplace medical surveillance, and fitness-for-duty-tests of employees.

7. Questions about how medical information about employees is used and disclosed by the City of Washington should be directed to the HIPAA Privacy Officer.

III - - Use of Computer Information Systems & Equipment With Regards to Protected Health Information

A. Purpose

1. The City of Washington is committed to protecting staff members, the patients it serves and the City from illegal or damaging actions by individuals, and the improper release of protected health information (PHI) and other confidential or proprietary information.

2. The purpose of this policy is to outline the acceptable use of computer equipment by the City of Washington with regards to PHI. Inappropriate use exposes the City of Washington to risks, compromise of network systems and services, breach of patient confidentiality and other legal claims.

B. Policy

This policy applies to employees, volunteers, contractors, consultants, temporary employees, students and others authorized by the City of Washington to have access to computer equipment and other equipment which stores patient data, including all personnel affiliated with third parties. This policy applies to all equipment owned or leased by the City of Washington.

C. Procedure

1. Use and Ownership of Equipment Storing Patient Data

a. All data created or recorded using any equipment owned, controlled or used for the benefit of the City of Washington is at all times the property of the City of Washington. Because of the need to protect the City’s network, the City cannot guarantee the confidentiality of information stored on any network device, except that it shall take all steps necessary to secure the privacy of all PHI in accordance with all applicable laws.

b. Staff members are responsible for exercising good judgment regarding the reasonableness of personal use and must follow operational guidelines for personal use of Internet/Intranet/Extranet systems and any computer equipment as stated in City and Departmental policies on electronic media.

c. For security and network maintenance purposes, authorized individuals may monitor equipment, systems and network traffic at any time to ensure compliance with all City policies.

2. Security and Proprietary Information

a. Confidential information shall be protected at all times regardless of the medium on which it is stored. Examples of confidential information include, but are not limited to: individually identifiable health information concerning patients; patient lists and reports; and research data. Staff members shall take all necessary steps to prevent unauthorized access to this information.

b. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly, and user level passwords should be changed every thirty (30) days.

c. All PCs, laptops, workstations and remote devices containing PHI and/or Designated Record Sets (DRS) shall be secured with a password-protected screen saver, wherever possible, set to activate after the equipment has been left unattended for ten (10) minutes or more, or by logging off when the equipment will be unattended for an extended period.
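The following script is an added illustration and is not part of the City of Washington policy or its systems. It checks a constructed device inventory against the limits stated in III.C.2.b and III.C.2.c (30-day user passwords, quarterly system passwords, password-protected screen saver within 10 minutes, no shared accounts). The Device and Account fields, the reading of “quarterly” as 90 days, and the sample inventory are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Limits from policy III.C.2.b and III.C.2.c. "Quarterly" for system-level
# passwords is interpreted here as 90 days (an assumption of this example).
USER_PASSWORD_MAX_AGE_DAYS = 30
SYSTEM_PASSWORD_MAX_AGE_DAYS = 90
SCREEN_LOCK_MAX_MINUTES = 10


@dataclass
class Account:
    username: str
    system_level: bool            # True for administrative/service accounts
    password_last_changed: date
    shared: bool = False          # account used by more than one person


@dataclass
class Device:
    name: str
    holds_phi_or_drs: bool
    screensaver_password_protected: bool
    screensaver_timeout_minutes: Optional[int]   # None = no automatic lock
    accounts: List[Account] = field(default_factory=list)


def check_device(device: Device, today: date) -> List[str]:
    """Return one finding per policy deviation; an empty list means compliant."""
    findings: List[str] = []
    if device.holds_phi_or_drs:
        # III.C.2.c: password-protected screen saver, active within 10 minutes
        if not device.screensaver_password_protected:
            findings.append(f"{device.name}: screen saver is not password protected")
        if device.screensaver_timeout_minutes is None:
            findings.append(f"{device.name}: no automatic screen lock configured")
        elif device.screensaver_timeout_minutes > SCREEN_LOCK_MAX_MINUTES:
            findings.append(
                f"{device.name}: screen lock after {device.screensaver_timeout_minutes} min "
                f"exceeds {SCREEN_LOCK_MAX_MINUTES} min")
    for acct in device.accounts:
        # III.C.2.b: rotation interval depends on whether the account is system level
        limit = SYSTEM_PASSWORD_MAX_AGE_DAYS if acct.system_level else USER_PASSWORD_MAX_AGE_DAYS
        age_days = (today - acct.password_last_changed).days
        if age_days > limit:
            findings.append(
                f"{device.name}/{acct.username}: password is {age_days} days old "
                f"(limit {limit})")
        if acct.shared:
            # III.C.2.b and III.C.3.a.1: accounts must not be shared
            findings.append(f"{device.name}/{acct.username}: account is shared")
    return findings


def check_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device name to its list of findings."""
    return {d.name: check_device(d, today) for d in devices}


# Constructed sample inventory; these are not real City of Washington systems.
TODAY = date(2024, 3, 1)
SAMPLE_DEVICES = [
    Device("billing-pc-01", True, True, 10, [
        Account("bclerk", False, date(2024, 2, 15)),
        Account("administrator", True, date(2024, 1, 5)),
    ]),
    Device("ems-laptop-03", True, False, 30, [
        Account("medic", False, date(2023, 12, 1), shared=True),
    ]),
]

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_DEVICES, TODAY).items():
        print(name, "compliant" if not findings else findings)
```

Run on the sample inventory, the billing PC produces no findings, while the EMS laptop is flagged for an unprotected screen saver, a 30-minute lock timeout, a 91-day-old user password and a shared account. Feeding the function real inventory data would require an export from whatever asset system the organisation actually uses, which this example does not assume.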

3. Unacceptable Use

a. Under no circumstances shall staff members of the City of Washington be authorized to engage in any activity that is illegal under local, state, or Federal law while utilizing the City of Washington’s computer resources. Activities which are strictly prohibited include, but are not limited to:

1. Revealing individual account passwords to others or allowing others to use an individual account.

2. Using any City of Washington computer device to actively engage in procuring or transmitting material in violation of the Privacy Rights.

3. Making fraudulent statements or transmitting fraudulent information when dealing with patient or billing information and documentation, accounts or other patient information, including the facsimile or electronic transmission of PreMIS forms and billing reports and claims.

4. Causing security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the staff member is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties.

5. Providing information about, or lists of City of Washington staff members or patients to parties outside the City of Washington.

6. Sending PHI or DRS via e-mail.

4. No PHI may be sent via FAX without the approved FAX cover sheet (See Appendix ‘F’) and permission from a Supervisor.

5. Use of Remote Devices

a. The appropriate use of Laptop Computers, Personal Digital Assistants (PDAs), and remote data entry devices is of utmost concern to the City of Washington. These devices, collectively referred to as “remote devices”, pose a unique and significant patient privacy risk because they may contain confidential patient, staff member or City information, and these devices can be easily misplaced, lost, stolen or accessed by unauthorized individuals.

b. Remote devices shall not be purchased or used without prior City approval.

c. The City of Washington shall approve the installation and use of any software used on the remote device prior to its installation.

d. Remote devices containing confidential or patient information shall not be left unattended.

e. If confidential or patient information is stored on a remote device, access controls shall be employed to protect improper access. This includes, where possible, the use of passwords and other security mechanisms.

f. Remote devices should be configured to automatically power off following a maximum of ten (10) minutes of inactivity.

g. Remote device users shall not permit anyone else including, but not limited to, user’s family and/or associates, patients, patient families or unauthorized staff members to use City-owned remote devices for any purpose.

h. Users of City-owned remote devices shall immediately report the loss of a remote device to a supervisor and the HIPAA Privacy Officer.

6. Any staff member found to have violated this policy may be subject to disciplinary action, up to and including suspension and termination.

IV - - FAX Cover Sheet

A. Any PHI or related material referenced in these policy statements sent via FAX may only be sent from the Washington Department of Fire-Rescue-EMS FAX machine. Any PHI or related material referenced in these policy statements sent via FAX must have a Washington Department of Fire-Rescue-EMS FAX cover sheet specifically designed for that purpose (See Appendix ‘F’).

B. The Washington Department of Fire-Rescue-EMS FAX cover sheet shall include provisions for the receiver of the FAX to sign as having received the FAX, and instructions to return the signed FAX cover sheet to the original sender.

V - - Privacy Training

A. Purpose

To ensure that all City of Washington personnel including all employees, volunteers, students and trainees (collectively referred to as “staff members”) having access to protected health information (PHI) understand the organization’s concern for patient privacy, and are trained in the City’s policies and procedures regarding PHI.

B. Policy

1. All current staff members shall be required to undergo privacy training in accordance with the HIPAA Privacy Rule prior to the implementation date of the City’s compliance policy.

2. All new staff members shall be required to undergo privacy training in accordance with the HIPAA Privacy Rule within a reasonable time upon association with the organization.

3. All staff members shall be required to undergo privacy training in accordance with the HIPAA Privacy Rule within a reasonable time after there is a material change to the City’s policies and procedures on privacy practices.

C. Procedure

1. Privacy training shall be conducted by the HIPAA Privacy Officer or his/her designee.

2. All attendees shall receive copies of the City’s policies and procedures regarding privacy.

3. All attendees shall attend the training in person, and shall sign an agreement to adhere to the City’s policies and procedures on privacy practices (See Appendix ‘G’).

4. Training topics shall include a complete review of the City’s policies and procedures on privacy practices, and other information concerning the HIPAA Privacy Rule such as, but not limited to, the following areas:

a. Overview of the Federal and state laws concerning privacy including the privacy regulations under HIPAA.

b. Description of PHI.

c. Patient rights and staff member responsibilities under the HIPAA Privacy Rule.

d. Role of the HIPAA Privacy Officer.

e. Importance and benefits of privacy compliance.

f. Consequences of failure to follow established privacy policies.

g. Use of the City’s specific privacy forms.

VI - - Designated Record Sets

A. Purpose

1. To ensure that the City of Washington releases Protected Health Information (PHI) in accordance with the Privacy Rule. This policy establishes a definition of what information shall be accessible to patients as part of the Designated Record Set (DRS), and outlines procedures for requests for patient access, amendments and restrictions on the use of PHI.

2. Under the Privacy Rule, the DRS includes medical records that are created or used by the City of Washington to make decisions about patient care.

B. Policy

The DRS shall only include HIPAA covered PHI, and shall not include information used for the operational purposes of the organization such as quality assurance data, accident reports and incident reports. The type of information shall include medical records and billing records.

C. Procedure

1. The DRS for any requests for access to PHI includes the following records:

a. The PreMIS form created by EMS field personnel including any photographs, monitor strips, Physician Certification Statements, Refusal of Care forms or other source data that is incorporated and/or attached to the PreMIS form.

b. The electronic claims records or other paper records of submission of actual claims to Medicare, Medicaid or other insurance companies.

c. Any patient specific claim information including responses from insurance payers such as remittance advice statements, Explanation of Medicare/Medicaid Benefits (EOMBs), charge screens, patient account statements, signature authorization and agreement to pay documents.

d. Medicare/Medicaid Advance Beneficiary Notices, notices from insurance companies indicating coverage determinations, documentation submitted by the patient and copies of the patient’s insurance card or policy coverage summary that relate directly to the care of a patient.

e. Amendments to PHI, statements of disagreement by the patient requesting the amendment when PHI is not amended upon request, and accurate summaries of the statements of disagreement.

2. The DRS also includes copies of records created by other service providers and other health care providers such as first responder units, assisting ambulance services, air medical services, nursing homes, hospitals, police departments, coroner’s office, etc., used by the City of Washington as part of treatment and payment purposes related to the patient.

VII - - Patient Access Amendment & Restriction on Use of Protected Health Information

A. Purpose:

1. Under the HIPAA Privacy Rule, individuals have the right to access their protected health information (PHI) maintained in designated record sets (DRS), to request amendments to it, and to request restrictions on its use. (See Section VI - - Designated Record Sets).

2. To ensure that the City of Washington only releases the PHI covered under the Privacy Rule, this policy outlines procedures for requests for patient access, amendments and restrictions on the use of PHI.

3. This policy also establishes the procedure by which patients or appropriate requesters may access PHI, request amendments to PHI and request restrictions on the use of PHI.

B. Policy:

Only information contained in the DRS outlined in this policy shall be provided to patients who request access, amendments and/or restrictions on the use of their PHI in accordance with the Privacy Rule and the Privacy Practices of the City of Washington.

C. Procedure:

1. Upon presentation to the business office, the patient or appropriate representative will complete a Patient Request for Access Form (See Appendix ‘H’).

2. The staff member receiving the request form must verify the requester’s identity, and if the requester is not the patient, the name of the individual and the reason that the request is being made by this individual. The use of driver’s license, social security card or other form of government issued identification is acceptable for this purpose.

3. The completed form shall be forwarded to the HIPAA Privacy Officer for action.

4. The HIPAA Privacy Officer will act upon the request within thirty (30) days, preferably sooner. Generally, the City must respond to the requests for access to PHI within 30 days of receipt of the access request unless the DRS is not maintained on site, in which case the response period may be extended to sixty (60) days.

5. If the City is unable to respond to the request within these time frames, the requester must be given a written notice no later than the initial due date for a response, explaining why the City could not respond within the time frame and in that case, the City may extend the response time by an additional thirty (30) days.

6. Upon approval of access, the requester may have the right to access the PHI contained in the DRS as outlined below and may make a copy of the PHI contained in the DRS upon verbal or written request.

7. The business office may establish a reasonable charge for copying PHI for the patient or appropriate representative.

8. Access to PHI may be denied under some circumstances, some of which may be subject to review. Under such circumstances, and upon written request of an appeal to the HIPAA Privacy Officer, the City shall:

a. Designate a licensed health care professional not directly involved in the denial to review the request.

b. Promptly refer the request to the reviewing official who shall, within a reasonable period, determine the appropriateness of the denial.

c. Provide the requester with a written notification of the results of the review (See Appendix ‘I’).

9. An appeal is permissible if a request for access to PHI is denied based upon the following circumstances:

a. If, in the exercise of his/her professional judgement, a licensed health care professional has determined that access is reasonably likely to endanger the life or physical safety of the individual or another person.

b. If the requested PHI makes reference to another person (other than a health care provider), and in the exercise of his/her professional judgement, a licensed health care professional has determined that access is reasonably likely to cause substantial harm to that person.

c. If the request is made by a personal representative, and in the exercise of his/her professional judgement, a licensed health care professional has determined that access is reasonably likely to cause harm to the individual or another person.

10. The requester may file a complaint in accordance with the Procedure for Filing Complaints About Privacy Practices (See Section IX - - Privacy Complaint Policy) if the requester is not satisfied with the City’s determination.

11. Access to the actual files or computers that contain the DRS shall not be permitted. Copies of the records shall be provided for requester review in a confidential area under the direct supervision of a designated City staff member. Under no circumstances shall originals of PHI be permitted to leave the premises.

12. If the requester would like to retain copies of the DRS provided, the City may charge a reasonable fee for the cost of reproduction.

13. Whenever a requester accesses a DRS, a note shall be maintained in a log book indicating the time and date of the request, the date access was provided, what specific records were provided for review and what copies were left with the requester (See Appendix ‘B’).

14. Following a request for access to PHI, the requester may request an amendment to his/her PHI, and request restriction on its use in some circumstances.

D. Requests for Amendment to PHI

1. The requester may only request amendment to PHI contained in the DRS. A ‘Request for Amendment of PHI’ Form must be completed (See Appendix ‘J’).

2. The City must act upon a Request for Amendment within sixty (60) days of the request. If the City is unable to act upon the request within sixty (60) days, it must provide the requester with a written statement of the reasons for the delay, and in that case may extend the time period in which to comply by an additional thirty (30) days.

E. Granting Requests for Amendment

1. All requests for amendment shall be forwarded immediately to the HIPAA Privacy Officer for review.

2. If the HIPAA Privacy Officer grants the request for amendment, the requester will receive a letter indicating that the appropriate amendment to the PHI or record has been made (See Appendix ‘K’).

3. In the event that amended information must be shared with other persons, the requester must identify those others in writing. The ‘Request for Amendment of PHI’ Form shall require that the requester sign to authorize dissemination of that information to those so identified.

4. The City shall forward amended information to those so identified.

5. The City shall add the request for amendment, the denial or granting of the request as well as any statement of disagreement by the requester, and any rebuttal statement by the City to the DRS.

F. Denial of Requests for Amendment

1. The City may deny a request to amend PHI for the following reasons:

a. The City did not create the PHI at issue.

b. The information is not part of the DRS.

c. The information is accurate and complete.

2. The City shall provide a written denial (See Appendix ‘L’) to the requester containing the following:

a. The reason for the denial.

b. A statement indicating the requester’s right to submit a statement disagreeing with the denial, and how the requester may file such disagreement.

c. A statement that if the requester does not submit a statement of disagreement, the individual may request that the City provide the request for amendment and the denial with any future disclosures of PHI.

d. An explanation of how the requester may file a complaint with the City, including the name and telephone number of an appropriate contact person, or advise him/her that a complaint may be filed with the Secretary of the U.S. Department of Health and Human Services.

3. If the requester submits a statement of disagreement, the City may prepare a written rebuttal. The statement of disagreement shall be appended to the PHI, or at the City’s option, a summary of the disagreement will be appended, along with the rebuttal statement.

4. If the City receives a notice from another covered entity such as a hospital that it has amended its own PHI in relation to a particular patient, the City must amend its own PHI, if so affected.

G. Requests for Restriction on Use and Disclosure of PHI

1. A patient may request a restriction on the use and disclosure of his/her PHI. However, the City is not required to agree to any restriction and, given the emergent nature of its operation, it generally will not agree to a restriction.

2. All requests for restriction on use and disclosure of PHI must be submitted in writing on the approved City form (See Appendix ‘M’). All requests shall be reviewed and approved/denied by the HIPAA Privacy Officer.

3. If the City agrees to a restriction, it may not use or disclose PHI in violation of the agreed upon restriction except that if the requester is in need of emergency service, and the restricted PHI is needed to provide the emergency service, the City may use the restricted PHI or may disclose such PHI to another health care provider to provide treatment.

4. The agreement to restrict PHI shall be documented to ensure that the restriction is followed.

5. A restriction may be terminated if requested in writing. Oral agreements to terminate restrictions shall not be accepted. A current restriction may also be terminated by the City as long as the City notifies the patient that PHI created or received after the restriction is removed is no longer restricted. PHI that was restricted prior to the City voiding the restriction must continue to be treated as restricted PHI.

VIII - - Procedure for Request for Amendment to Protected Health Information

A. Purpose

To provide consistent guidelines for City of Washington staff to assist patients in amending their protected health information (PHI) in accordance with their rights under the Federal Privacy Regulations.

B. Policy

An individual has the right to amend his/her PHI maintained by the City of Washington except in the following circumstances:

1. The originator of the record is no longer available.

2. The information was not created by the City of Washington.

3. The information is not part of the DRS.

4. The information is accurate and complete.

5. The information would not be available for inspection as provided by law and, therefore, the City of Washington is not required to consider an amendment. This exception applies to information compiled in anticipation of a legal proceeding.

6. Information was received from someone else under a promise of confidentiality.

C. Procedure

1. Confirm the identity of the requester or legal representative. If the requester is a legal representative, require legal proof of their representative status.

2. The requester shall fill out the ‘Request for Amendment of Health Information’ Form completely (See Appendix ‘J’).

3. The City, with the assistance of legal counsel, will act on the request for amendment within sixty (60) days of the request.

4. If the City agrees with the amendment:

a. The record will be amended.

b. The City will notify the individual of the agreement to amend the record.

c. Copies of the amended record will be provided to the City’s business associates, facilities to or from which the City has transported the patient and others involved in the patient’s treatment.

5. The City may deny the request for amendment. If the request is denied, the City shall provide the requester a written statement indicating:

a. The reason for denial.

b. The right to submit a written statement of disagreement.

c. The right to request that if a statement of disagreement is not submitted, the request for amendment and the denial become part of the medical record.

d. The right to complain to the HIPAA Privacy Officer or the Secretary of the U.S. Department of Health and Human Services.

6. All documentation pertaining to the request for amendment will be kept in the medical record.

IX - - Privacy Complaint Policy

A. Policy

Any individual who believes the rights granted by the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations or any other state or Federal laws dealing with privacy and confidentiality have been violated may file a complaint regarding the alleged privacy violation.

B. Procedure

Any privacy-related complaint may be made by a patient, employee, student or volunteer at any time. A ‘HIPAA Privacy Incident Report’ must be completed and forwarded to the HIPAA Privacy Officer (See Appendix ‘N’).

C. Investigation of Complaints

1. Upon receipt of a completed ‘HIPAA Privacy Incident Report’ Form, the HIPAA Privacy Officer shall investigate any and all complaints of alleged privacy violations.

2. In situations involving students, the HIPAA Privacy Officer shall notify the appropriate authority of the investigation.

3. Simultaneously, the HIPAA Privacy Officer shall request that the Security Officer undertake an investigation of any applicable information technology systems to determine whether a breach of privacy has occurred, whether the complaint is made by a patient, staff member or student.

4. If during the course of an investigation an individual is found to be in violation of a City policy, he/she shall be subject to the disciplinary process for staff, students or volunteers.

5. The HIPAA Privacy Officer shall maintain a log of all complaints filed in accordance with these policies (See Appendix ‘O’).

X - - Sanctions for Breach of HIPAA Privacy Rules

A. Policy

To the extent practicable, the City of Washington shall mitigate any harmful effect that becomes known as a result of use or disclosure of PHI in violation of the City of Washington policies, procedures or applicable law. This may include, but is not limited to, the following sanctions:

1. Operational and procedural corrective measures to remedy violations.

2. Employment actions to re-train, reprimand or discipline employees as necessary up to and including termination.

3. Addressing problems with business associates once the City of Washington is aware of a breach of privacy.

4. Incorporating mitigation solutions into City of Washington policies as appropriate.

5. Addressing employee violations in accordance with City of Washington procedures.

B. Potential sanctions may include:

1. Additional training, or

2. Disciplinary action under applicable City policy or state law.

C. Enforcement

All supervisors are responsible for enforcing this policy. Individuals who violate this policy may be subject to disciplinary actions.

XI - - Prohibiting Retaliation Against Employees, Individuals or Others

A. It shall be the responsibility of all City of Washington employees to report perceived misconduct, including actual or potential violations of laws, regulations, policies or procedures.

B. The City of Washington shall maintain an ‘open door’ policy at all levels of management to encourage employees to report problems and concerns.

C. Neither the City of Washington nor any of its employees or agents shall retaliate against employees, individuals or others for:

1. Exercising any right under, or participating in, any process established by Federal, state or local law, regulations or policy.

2. Filing a complaint with the City of Washington and/or the Secretary of the U.S. Department of Health and Human Services.

3. Testifying, assisting or participating in any investigation, compliance review, proceeding or hearing.

4. Opposing in good faith any act or practice made unlawful by Federal, state or local law, regulation or policy, provided that the manner of the opposition is reasonable and does not itself violate any Federal, state or local law, regulation or policy.

D. All supervisors are responsible for enforcing this policy.

XII - - Distribution of Notice of Privacy

A. In accordance with Federal law each patient shall be given a copy of the City of Washington Notice of Privacy Practices (See Appendix ‘P’).

B. Each patient receiving such a notice shall be requested to sign the ‘Acknowledgment of Receipt of Notice of Privacy Practices’ Form (See Appendix ‘Q’). If the patient is unable to sign the form due to any medical condition which might prevent such signing, a patient representative may sign the form. If no representative is available, the Lead EMS crew member shall provide written documentation explaining the circumstances.

C. The City of Washington Notice of Privacy Practices shall include an explanation of the following:

1. Legal requirements to provide a copy of the notice and to protect patients’ health care information.

2. Legal duties and privacy practices.

3. How patient care information can be used or disclosed.

4. How patients can place restrictions on the information.

5. How patients can access and copy information.
