Effective Date: 11/14/11
Review Dates: 6/29/13
Revision Date: 06/01/13
CATHOLIC HEALTH SERVICES
Rockville Centre, New York
IT Security & Privacy Policies and Procedures
Policy Number: 105
Last Revision Date:
The facility must establish policies and procedures that all facility personnel are expected to adhere to when using or disclosing the health information of its patients. Facility personnel are required to maintain the confidentiality of patient information in accordance with the regulations promulgated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
This policy applies to all facility staff members and medical staff members. Facility staff members include all employees, medical staff, medical or other students, trainees, residents, interns, volunteers, consultants, contractors and subcontractors and Business Associates at the facility. Medical staff members include physicians as well as allied health professionals.
1. PROTECTED HEALTH INFORMATION
a. As described in the Facility Patient Health Information Policy, HIPAA and HITECH impose restrictions on the use and disclosure of protected health information (“PHI”). PHI is defined as information that is created or received by a health care organization. PHI can be written or verbal, and it can be recorded on paper, on a computer, or on removable or other media. PHI includes information that is individually identifiable, such as name, address, telephone number, medical insurance number and social security number. PHI relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
b. The facility must comply with the requirements of HIPAA with respect to the PHI of a deceased individual for a period of 50 years following the death of the individual.
2. RESTRICTIONS ON USE AND DISCLOSURE OF PHI
a. Under HIPAA, a patient has the right to request restrictions on how the facility may use or disclose PHI, but the facility does not have to agree to the restrictions. However, the facility must agree to a patient’s restriction on the disclosure of a patient’s PHI to the patient’s health plan if the disclosure is for the purpose of carrying out payment or health care operations, is not otherwise required by law, and the patient has paid the facility for the health care services provided. The facility must inform the patient of the decision regarding a request for a restriction when the facility receives a request for a restriction by a patient. If the facility agrees to a restriction, the facility will honor the restriction, unless the patient subsequently agrees to terminate the restriction or if the facility is required to provide emergency treatment to the patient. A request for a restriction, and the facility’s decision regarding the request, must be documented by facility personnel. See also Patient Requests for Additional Privacy Protections Policy.
3. PATIENT AUTHORIZATIONS
a. If the facility intends to use or disclose PHI for purposes other than treatment, payment or health care operations and when the use or disclosure is not otherwise authorized under HIPAA or HITECH, the facility must obtain a valid written and signed authorization from the patient or his or her personal representative.
b. The following individuals are authorized to sign an authorization for a patient:
i. The patient, provided that the patient is competent and at least eighteen (18) years of age;
ii. A parent of a minor;
iii. A personal representative with the legal authority to make medical decisions for an incapacitated patient;
iv. An administrator or executor of a deceased patient’s estate.
c. The facility must document the process of obtaining an authorization from a patient and retain a written, signed copy of such authorization for six (6) years from the date of the authorization’s execution or the date when the authorization was last in effect, whichever is later.
d. The facility will not accept an authorization if the authorization’s expiration date has passed or the expiration event is known by the facility to have occurred. The facility will reject any authorization that has not been properly executed or that contains information known by the facility to be false, to have been revoked, or to have been inappropriately created.
e. An authorization for the use or disclosure of PHI cannot be combined with any other document. However, any type of authorization may be combined with any other type of authorization, except when the authorization conditions the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
f. An authorization for the use or disclosure of psychotherapy notes may only be combined with another psychotherapy note authorization.
g. An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of PHI for such research or a consent to participate in such research (refer to the facility’s HIPAA Policies and Procedures for Research Studies).
h. The facility will not condition a patient’s treatment, payment, enrollment in a health plan, or eligibility for benefits on the patient’s providing an authorization. The facility may condition the provision of health care when it is solely for the purpose of creating PHI for disclosure to a third party. For example, if the facility has a contract with an employer to provide fitness-for-duty mental health exams to its employees, the facility can refuse to conduct the exam if the employee refuses to provide an authorization to disclose the exam results to the employer.
i. An individual may revoke his or her authorization, in writing, at any time, unless, and to the extent that, the facility has relied upon the authorization.
4. USES AND DISCLOSURES OF PHI FOR PURPOSES OTHER THAN TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
a. The facility will only use or disclose PHI for purposes of treatment, payment and health care operations. Exceptions for use and disclosure of PHI are noted below:
i. The facility may disclose PHI to the patient.
ii. The facility may use and disclose PHI pursuant to a valid HIPAA authorization, as noted in the Patient Authorizations section above.
iii. The facility may disclose PHI to a patient’s personal representative, and to a deceased person’s family if the PHI disclosed pertains to the family member’s involvement in the deceased’s care or payment for services of care.
iv. The facility may disclose PHI relating to a patient’s proof of immunization if required by State or other law for school admittance with documented authorization.
v. The facility may disclose PHI to another covered entity or health care provider to assist in the treatment plan of a patient.
vi. The facility may disclose PHI to another covered entity for its payment activities.
vii. The facility may disclose PHI to a business associate in accordance with an applicable business associate agreement.
viii. The facility may disclose PHI to a public or private entity authorized by law or by its obligation to assist in disaster relief efforts.
ix. The facility may disclose PHI to the Department of Health and Human Services or the New York State Department of Health for compliance reviews and investigations, as required by law.
x. The facility may use or disclose PHI for legal, employment and regulatory purposes in accordance with the facility’s policies for such disclosure.
xi. The facility may disclose PHI to the FDA for purposes related to a product approved by the FDA for product recalls, tracking of products or incident reporting.
xii. The facility may use or disclose PHI if the facility has entered into a data use agreement with a recipient that meets the requirements of HIPAA regulations.
xiii. The facility may use or disclose PHI as is permitted or required by federal regulations.
b. The facility shall not sell PHI, that is, receive direct or indirect remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. This does not include the exchange of PHI:
i. For public health purposes;
ii. For research purposes, if the facility receives only a cost-based fee to prepare and transmit the patient information;
iii. For treatment or payment for treatment;
iv. For the sale, transfer, merger, or consolidation of the facility; and
v. To a business associate if the facility only receives remuneration for the performance of health care related activities.
5. SPECIFIC AUTHORIZATIONS
a. Specific authorizations are required for the following:
i. Psychotherapy notes;
ii. HIV-related information;
iii. Alcohol and/or substance abuse records;
iv. Sexually transmitted diseases;
v. Genetic information;
vi. Mental health records;
vii. Research;
viii. Marketing involving direct or indirect remuneration to the facility for the PHI;
ix. Sale of PHI involving direct or indirect remuneration to the facility for the PHI; and
x. Fund raising activities, unless the use or disclosure is only the patient’s name, address, or other contact information, age, gender, date of birth, dates of health care provided, department of service information, treating physician, outcome information, and/or health insurance status.
b. If you have questions about this policy, please contact your department supervisor or the facility’s Privacy Officer immediately. It is important that all questions be resolved as soon as possible to ensure protected health information is used and disclosed appropriately.
REVIEW OF POLICY
In the event that a significant regulatory change occurs, the policy will be reviewed and updated as needed. The policy will be reviewed periodically to determine its effectiveness in complying with the HIPAA Security Regulations, as well as meeting business needs.
Lynn Taylor, CPO Date
Dr. Patrick O’Shaughnessy, CMO Date