Sacred Heart Healthcare System


SACRED HEART HEALTHCARE SYSTEM SACRED HEART HOSPITAL 421 CHEW STREET ALLENTOWN, PA 18102-3490

HEALTH INFORMATION MANAGEMENT POLICY AND PROCEDURE MANUAL

Subject: HIPAA Definitions
Policy Number: PSEC_002
Approval: ______
Initial Effective Date: 7/2010
Most Recent Revision: 3/2014
Page 1 of 6

I. PURPOSE:

The purpose of this policy is to ensure that Sacred Heart Healthcare System (SHHS) employees understand the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Final Rule.

II. SCOPE

This policy applies to Sacred Heart Healthcare System and its departments, including, but not limited to, Sacred Heart Hospital, Transitional Care Facility, Older Adult Behavioral Medicine Center, all Physician practices, and Sacred Heart Imaging Northampton.

III. RESPONSIBILITY:

These Policies will apply to all Protected Health Information (PHI) and electronic Protected Health Information (ePHI) collected by SHHS entities after March 1, 2014. The Policies apply to all SHHS personnel.

These Policies supersede and replace any existing conflicting policies and procedures of any SHHS entity relating to the Use and Disclosure of PHI and ePHI. SHHS entities may maintain separate policies and procedures relating to the Use and Disclosure of PHI and ePHI only to the extent that they do not conflict with these Policies. SHHS entities may add to or supplement the Policies or the related forms, but they may not delete any without first consulting with the Privacy Official.

Unless otherwise provided, the definitions below apply to all of the Privacy Policies. Certain terms will be capitalized when used in the Policies to indicate that they have been uniquely defined by the SHHS or federal law.

IV. REFERENCES

Accounting of Disclosures: A listing of all disclosures made by SHHS of a patient’s PHI in the six years prior to the date on which the accounting is requested by the patient. Disclosures exempted from this listing are those made:

- Pursuant to the individual’s own authorization
- To carry out treatment, payment and health care operations
- To individuals of PHI and ePHI, both medical and dental, about themselves, for the facility’s directory, or to persons involved in the individual’s care
- For national security or intelligence purposes
- To correctional institutions or law enforcement officials
- That occurred prior to the compliance date of April 14, 2003 for HIPAA.

Authorization: A release required in writing by the patient (or his/her representative) for all other uses and disclosures of PHI and ePHI not included in treatment, payment or healthcare operations, such as when a patient requests his/her records for use outside of SHHS.

Business Associate (BA): a person or business, other than a workforce member, who creates, maintains, receives or transmits PHI and/or ePHI on behalf of SHHS; or a person or business that provides services to or for SHHS involving disclosure of PHI or ePHI. The service might include but is not limited to claims processing or administration, data analysis, data storage, billing and practice management, consulting, accreditation or financial services.

Breach: a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI or ePHI. An impermissible use or disclosure of PHI or ePHI is presumed to be a breach unless the covered entity or BA, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

1. The nature and extent of the PHI or ePHI involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the PHI or ePHI or to whom the disclosure was made;
3. Whether the PHI or ePHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI or ePHI has been mitigated.

Covered entities and BA’s, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.”

1. The unintentional acquisition, access, or use of PHI or ePHI by a workforce member or person acting under the authority of a covered entity or BA, if such acquisition, access, or use was made in good faith and within the scope of authority.
2. The inadvertent disclosure of PHI or ePHI by a person authorized to access PHI and ePHI at a covered entity or BA to another person authorized to access PHI and ePHI at the covered entity or BA, or organized health care arrangement in which the covered entity participates.
3. If the covered entity or BA has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

Note: in both 1 and 2, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

Business Associate Agreement (BAA): means an agreement related to the exchange of PHI or ePHI, whether the agreement is distinct or part of a larger agreement.

De-identification: means health information, both medical and dental, that does not identify an individual. If there is no reasonable basis to believe that the information can be used to re-identify an individual, the information is not individually identifiable health information (IIHI), both medical and dental.

Designated record set: A group of records maintained by or for SHHS, which are the medical records and billing records about patients used, in whole or in part, to make decisions about patients.

Disclosure: means with respect to individually identifiable health information, both medical and dental: the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Fundraising: is defined as the organized activity of raising funds for an organizational cause.

Health care operations (medical and dental): means any of the following activities:

- Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
- Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
- Business planning and development; and
- Business management and general administrative activities.

HIPAA: A federal law, the intent of which is to protect the privacy and security of patient health information, both medical and dental, that is created, maintained, received or transmitted by health care providers.

HITECH: The Health Information Technology for Economic and Clinical Health Act, passed on February 17, 2009.

IIHI: is a subset of health information, both medical and dental, including demographic and financial information collected from an individual, and:

- Is created, maintained, transmitted or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care, both medical and dental, to an individual; or the past, present, or future payment for the provision of health care, both medical and dental, to an individual; which:
  - Identifies the individual; or
  - Causes reasonable belief that such information can be used to identify the patient.

Marketing: communications about a product or service that encourage recipients of the communication to purchase or use the product or service, unless the communication is made:

- To describe a health-related product or service (or payment for such product or service) that is provided by SHHS;
- For treatment of the individual;
- For case management or care coordination for the individual; or
- To direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

Marketing also includes an arrangement between a covered entity and any other entity whereby the covered entity discloses PHI or ePHI to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.

Minimum Necessary: SHHS shall make reasonable efforts not to use or disclose more than the minimum amount of PHI, both medical and dental, necessary to accomplish the intended purpose of the use or disclosure. All practical and technological limitations will be considered.

Notice of Privacy Practices: A document that provides an individual notice of the uses and disclosures of medical/dental PHI or ePHI that may be made by SHHS, and of the patient’s rights and our legal duties with respect to medical/dental PHI and ePHI. An acceptance of the Privacy Notice by the patient is obtained in writing.

PHI (including medical, mental health and dental): information in any form or medium that relates to any past, present or future health condition, treatment or payment of an individual. ePHI (including medical, mental health and dental): any PHI that is created, stored, transmitted or received electronically. This includes but is not limited to computers, hard drives, USB flash drives, magnetic tape, smart phones, and tablets.

Psychotherapy Notes: Notes recorded in any medium by a Health Care Provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.

Psychotherapy Notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. 45 C.F.R. § 164.501.

Record: means any item, collection, or grouping of information that includes PHI and ePHI, both medical (including mental health) and dental and is created, received, maintained or transmitted by or for SHHS.

Required by law: means a mandate contained in law that compels SHHS to make a use or disclosure of PHI or ePHI, both medical and dental, and that is enforceable in a court of law. Required by law includes, but is not limited to: court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare Conditions of Participation (CoP) with respect to health care providers, both medical and dental, participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

Research: means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Sanctions: A consequence given to members of SHHS’s workforce who fail to comply with SHHS privacy policies and procedures.

Treatment: means the provision, coordination, or management of health care, both medical and dental and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Use: means, with respect to individually identifiable health information, both medical and dental: the sharing, employment, application, utilization, examination, or analysis of such information within SHHS.

Workforce: means employees, volunteers, trainees, agents and other persons whose conduct, in the performance of work for SHHS, is under the direct control of SHHS, whether or not they are paid by SHHS.

Reference: 45 C.F.R. § 160.103 and § 164.501; The Health Insurance Portability and Accountability Act of 1996

V. PROCEDURE/METHODS

These Policies apply to all PHI and ePHI, regardless of the form in which it is created, received, maintained or transmitted (i.e., whether oral, written, or electronic). These Policies apply to the PHI and ePHI of living patients and of patients deceased less than 50 years.

VI. EXCEPTIONS

None

Disclaimer Statement

This policy and the implementing procedures are intended to provide a description of recommended courses of action to comply with statutory or regulatory requirements and/or operational standards. It is recognized that there may be specific circumstances not contemplated by laws or regulatory requirements that make compliance inappropriate. For advice in these circumstances, please consult with Risk Management/Patient Safety and/or Legal Services.

Reviewed Dates: 7/2010; 2/2013
Revised Dates: 3/2014
Typist Name: DMajka
