To implement compliance with the privacy regulations (45.C.F.R. 164,500 et seq.) issued by the Department of Health and Human services (HHS) under the Health Improvement, Portability, and Accountability Act (HIPAA), the office has appointed a privacy officer.
The general policy of the office is to provide to a patient, as permitted by law, his or her protected health information (PHI) and to protect the confidentiality of such health information as required by law.
- Beth Bartell is designated as the privacy officer responsible for development and implementation of the policies and procedures for the office.
- Beth Bartell is designated as the contact person responsible for receiving requests and complaints related to access, privacy, amendment, and accountings of protected health information and any other request or complaint relating to PHI issues and such person will be able to provide further information about matters covered in the office’s privacy notice.
The office will train all members of its workforce on the policies and procedures as to protected health information. All staff shall receive such training no later than April 14, 2003. Thereafter, new members of the workforce will receive such training in a reasonable time after they join the workforce. Periodic training will occur for all staff and when there has been a material change in the policies or procedures.
Training will be documented.
The office will put in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. The safeguards include, but are not limited to, the following:
- The privacy officer will serve as a contact person for employees and patients to assure the office policies on protected health information are followed accurately and lawfully.
- Employees will be limited to the use of protected health information as acknowledged in their job descriptions.
- Administration will enforce policy rules on third party entities to guard against misuse of protected health information.
- All employees will be allowed to gain access of protected health information via company computers through the use of a password system.
- Employees will be given password authority according to their level of need for protected health information.
- Business agreements will be pursued for any third party entity which accesses protected health information through the company via personnel, phone, or electronic transmission.
- Protected health information kept in charts will be organized, and stored in a secure room.
- Other forms containing protected health information, but used for purposes other than medical records, will be secured in a designated location to maximize privacy.
- The office will be secured against unlawful entry by an electronic alarm system in direct communication with the local fire and law authorities.
All safeguards are intended to reasonably safeguard protected health information from intentional or unintentional use or disclosure.
Complaints to the Office
The office has established a process through which a patient may make complaints to the office regarding it policies and procedures. Notice of this complaint process and information on initiating the complaint process is provided with the notice given to all new patients. Furthermore, the office will post a sign that indicates that patients may request a complaint form if the patient has a complaint or issue concerning any aspect of the office’s privacy policies.
When any patient requests a complaint form, the member of the workforce to whom the request is made shall refer the patient to the designated staff member. The designated staff member shall provide the form to the patient and inform the patient to complete the form and return it.
Upon receipt of a written complaint, the designated staff member shall investigate the complaint and form an ad hoc committee consisting of appropriate members of the office’s staff. After investigating the complaint, and considering the merits of the complaint, the ad hoc committee shall make a recommendation to the governing body of the entity as to appropriate action on the complaint.
Upon receipt of the recommendation from the ad hoc committee, the governing body shall make a determination as to the merits of the complaint and direct such further action as is necessary. The governing body shall notify the designated staff member to advise the patient of the governing body’s resolution of the issue.
The privacy officer shall maintain copies of all complaints and of resolution of the complaints.
The office will apply appropriate sanctions against members of its staff who fail to comply with the office’s policies and procedures. Any sanctions applied shall be documented.
To the extent a violation of the privacy regulations or the office’s privacy policies occurs, the office will mitigate to the extent practicable any harmful effect that is know to the office because of the violation.
Refrain from Intimidating or Retaliatory Acts
The office will not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against an individual for exercising legal rights granted patients by law.
Waiver of Rights
The office will not require individuals to waive any rights under HIPAA or its privacy policies as a condition or provision of treatment.
Retention of Documents
To the extent such documents are not required to be kept longer by other applicable federal or state law, documents relating to implementation and compliance with HIPAA and these privacy policies and procedures shall be maintained for a minimum of six years.
To the extent required by law, the entity will obtain an authorization prior to disclosing any protected health information.
The office will establish a procedure to allow patients to obtain access to their protected health information within a reasonable time.
The office entity shall maintain an accounting, as required by law, reflecting any uses or disclosures of protected health information.
The office shall establish a procedure for allowing an individual to request amendment to its medical records.
Confidentiality & Communication Requests
The office shall establish a procedure for allowing an individual to request that its records be maintained in a certain confidential manner and that communications be transmitted to him/her a certain way.
The office shall distribute a Notice of its Privacy Policies to all new patients and make revised notices available to all patients.