Opportunities for Williamson & Burnet Counties (“Opportunities”) is committed to protecting the privacy of consumer health information, which is sometimes referred to as Protected Health Information (PHI). Part of this commitment involves compliance with the privacy standards contained in the regulations outlined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The following policy provides a general overview of the requirements of the HIPAA privacy regulations. Opportunities is referred to as a “Covered Entity” by these regulations and in this statement. A Business Associate refers to any entity that creates, maintains or transmits PHI on behalf of a Covered Entity.
The HIPAA regulations govern the use and disclosure of PHI. In general, a Covered Entity may use PHI for purposes of treatment*, payment, and health care operations. It may disclose PHI:
- With the individual’s authorization;
- To another healthcare provider for treatment and payment purposes with the individual’s authorization; and
- In certain other circumstances described by the regulations.
*For the purposes of these policies, the term “treatment” may refer to care coordination referrals and service authorizations, services or care provided by this agency or its Business Associates.
In using or disclosing PHI, a Covered Entity must restrict the use or disclosure to the minimum amount necessary to accomplish the purpose of its use. The Covered Entity will determine an employee’s access to PHI in relation to their job classification in order to comply with the minimum necessary requirement.
The HIPAA regulations also give individuals several rights with respect to their PHI. In addition to the rights to have access and to receive confidential communications about PHI, the individual may copy and inspect PHI, restrict its use and disclosure, amend it, and receive an accounting of disclosures made of their PHI.
There are many obligations imposed on a Covered Entity by the privacy regulations. These include but are not limited to the following:
- Developing and implementing HIPAA policies and procedures;
- Training employees and volunteers on HIPAA requirements;
- Developing and implementing safeguards to protect PHI; and
- Designating a Privacy Officer.
A Privacy Officer is an individual designated by the Covered Entity who is responsible for the development and implementation of the required policies and procedures as well as the individual responsible for handling complaints. The Privacy Officer may delegate responsibilities about the entity’s practices with respect to PHI to a member of the Covered Entity’s designated team.
The Covered Entity must state its practices with respect to the use and disclosure of PHI, the individual’s rights and the Covered Entity’s obligations in a “Notice of Privacy Practices”. This Notice must be given to individuals at the time the treatment relationship begins.
The HIPAA Privacy Rule requires that Consumers be permitted to request access and amendment to their Protected Health Information (“PHI”) contained in Opportunities’ Consumer Services Records. These records may be in the form(s) of a survey, intake, assessment, enrollment, etc. The information gathered may be shared with other Business Associates in order to effectively plan, arrange, and deliver services to meet consumer needs. If records from other providers are used by Opportunities to make decisions to assist Consumers in making decisions, then these records are also considered part of the Consumer Services Record. Some documents obtained from other agencies may be excluded. The Consumer Services Record is to be retained according to state and federal regulations and following Opportunities’ retention procedures.
A Consumer may make a request to access his or her Protected Health Information (“PHI”). Consumer access is not absolute and there may be situations where access is not allowed; however, the Agency will respond to all requests to access a Consumer’s health information.
Requests for access to PHI and release of information will be managed by Opportunities’ Privacy Officer.
The Consumer or representative will be provided with a copy of an Access to Protected Health Information (“Access”) form upon receiving an inquiry from a Consumer to obtain copies of his or her PHI. The request will not be evaluated until the form is completed.
If a Consumer or Consumer’s personal representative requests to view or review PHI, they will have to complete an Authorization to Use and/or Disclose Health Information. Opportunities will make every effort to respond to the request within 30 days. However, extension(s) may be necessary given the nature of the request, records storage and/or civil, criminal or administrative action or proceeding.
Opportunities’ policy is to provide a Notice of Privacy Practices (“Notice”) to each Consumer upon each intake to the Agency, and make a good faith effort to obtain Acknowledgement of Receipt of Notice of Privacy Practices (“Acknowledgement”) from the Consumer.
The Notice shall include all elements and statements that are required by law. The Notice shall inform the Consumers of:
- Uses and disclosures of Protected Health Information (“PHI”) that may be made by the Agency;
- The Consumer’s rights with respect to his PHI; and
- The Agency’s legal duties with respect to such PHI.
Any member of the workforce who has knowledge of a violation or potential violation of this Policy must make a report directly to the Privacy Officer.
The policy of Opportunities is to ensure, to the extent possible, that PHI is not intentionally or unintentionally used or disclosed in a manner that would violate the HIPAA Privacy Rule or any other federal or state regulation governing confidentiality and privacy of health information. The following procedure is designed to prevent improper uses and disclosures of PHI and limit incidental uses and disclosures of PHI that is, or will be, contained in a Consumer’s Record. At the same time, Opportunities recognizes that access to all or part of a Consumer’s Record by personnel is essential to ensure the efficient quality delivery of care or services. The Privacy Officer is responsible for the security of all Records. All staff members are responsible for the security of the Consumer Records in their possession.
Opportunities’ Privacy/Security Officer shall periodically monitor the organization’s compliance regarding its reasonable efforts to safeguard PHI.
There may be occasions where verbal discussions or written correspondence may be required in order to coordinate client services. Only staff members who have a “need to know” will have access to the information. Specific types of situations where PHI may be discussed and/or disseminated include, but are not limited to:
- Staff Meetings
- Supervision Meetings
- Consumer Conferences
- Telephone Discussions
- Written Correspondence (email, fax, printing, US Postal)
- Information on a computer, iPad or other electronic device
Opportunities will make every effort to safeguard Consumer Records such as, but not limited to, the following:
- Records shall be stored in an area that allows staff providing services to access the records quickly and easily (these records may be written or stored electronically in a database).
- Records shall not be left unattended.
- Only authorized staff shall review the Records.
- Records shall be protected from loss, damage and destruction.
It is the policy of Opportunities to protect the electronic transmission of PHI as well as to fulfill our duty to protect the confidentiality and integrity of Consumer PHI as required by law, professional ethics and accreditation requirements. The information released will be limited to the minimum necessary to meet the requestor’s needs and/or to provide service coordination on behalf of the consumer. Whenever possible, de-identified information will be used.
Documentation that is not part of the Record and which will not become part of the Record shall be destroyed promptly when it is no longer needed by shredding or placing the information in a secure recycling or shredding bin until the time that it is destroyed by shredding.
Prior to the disposal of any computer equipment, including donation, sale or destruction, Opportunities must determine if PHI has been stored in this equipment and will delete all PHI prior to the disposal of the equipment.
In accordance with the HIPAA Privacy Rule, when PHI is to be used or disclosed for purposes other than service delivery, service coordination, payment, or health care operations, Opportunities will use and disclose it only pursuant to a valid, written authorization, unless such use or disclosure is otherwise permitted or required by law. Use or disclosure pursuant to an authorization will be consistent with the terms of such authorization.
PHI may never be used or disclosed in the absence of a valid written authorization if the use or disclosure is:
- For the purpose of marketing; or
- For the purpose of fundraising.
When Opportunities is using or disclosing PHI and an authorization is required for the use or disclosure, Opportunities will not use or disclose the PHI without a valid written authorization from the Consumer or the Consumer’s personal representative.
If the use or disclosure requires a written authorization, Opportunities shall not use or disclose the PHI unless the request for disclosure is accompanied by a valid authorization. PHI may not be discussed or information disseminated about an individual unless authorization and disclosure is received and approved and/or until 50 years after the individual’s expiration. This authorization includes not only an individual’s PHI but also photographs.
The Consumer may revoke his authorization at any time. The authorization may ONLY be revoked in writing by the Consumer or Consumer’s Representative.