COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

Transcription

1 BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE INSTRUCTION JULY 2017 Health Services HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) COMPLIANCE WITH THIS PUBLICATION IS MANDATORY ACCESSIBILITY: Publications and forms are available on the e-publishing website at for downloading or ordering. RELEASABILITY: There are no releasability restrictions on this publication. OPR: AFMSA/SG3S Policy Branch Certified by: AF/SG3/5 (Maj Gen Roosevelt Allen, Jr.) Pages: 60 This publication implements Air Force Policy Directive (AFPD) 41-2, Medical Support. This Instruction identifies and defines the requirements, policies, procedures, and activities necessary to ensure successful compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. It describes how to manage administration functions for the establishment of the HIPAA privacy program, including personnel designations, training, safeguarding medical information, handling complaints, sanctions, mitigation, policies and procedures, refraining from intimidating or retaliatory acts, and documentation requirements. Organizational alignment of these functions may vary among Medical Treatment Facilities. This Instruction requires the collection and or maintenance of information protected by HIPAA, 45 CFR Parts 160 & 164, and the Privacy Act (PA) of 1974, 5 United States Code (U.S.C.) Section 552a. The applicable SORN [F044 F SG E, Electronic Medical Records System] is available at: Forms affected by the PA have an appropriate PA statement. This instruction applies to all Air Force medical units; Air National Guard or Air Force Reserve Component personnel when assigned to or provide operational support when members are working as part of the covered entity. This instruction does not apply to Air Force personnel participating at a non-air Force facility, military or civilian, as part of their official duties pursuant to an agreement; in those instances, the other facility s policies and procedures would apply. This publication may be supplemented at any level, but all supplements must be routed to the Office of Primary Responsibility (OPR) listed above for coordination prior to certification and approval. Refer recommended changes and questions about this publication to the OPR listed above using the AF Form 847, Recommendation for Change of Publication; route AF Forms 847 from the field through the appropriate chain of command. The authorities to waive wing/unit level requirements in this publication are identified with a Tier ( T-0, T-1, T-2,

2 2 AFI JULY 2017 T-3 ) number following the compliance statement. See AFI , Publications and Forms Management, Table 1.1 for a description of the authorities associated with the Tier numbers. Submit requests for waivers through the chain of command to the appropriate Tier waiver approval authority, or alternately, to the Publication OPR for non-tiered compliance items. Ensure that all records created as a result of processes prescribed in this publication are maintained IAW Air Force Manual (AFMAN) , Management of Records, and disposed of IAW the Air Force Records Disposition Schedule (RDS) in the Air Force Records Information Management System (AFRIMS). The use of the name or mark of any specific manufacturer, commercial product, commodity, or service in this publication does not imply endorsement by the Air Force. Chapter 1 PROGRAM OVERVIEW HIPAA within the Air Force Medical Service Interaction Between HIPAA Privacy and Patient Administration Functions... 5 Chapter 2 ORGANIZATIONAL STRUCTURE AND FUNCTIONAL ROLES AND RESPONSIBILITIES The Air Force Medical Support Agency (AFMSA) Air Force Medical Operations Agency (AFMOA) Medical Group Commander or MTF Commander MTF HIPAA Privacy Officer (HPO) Roles and Responsibilities Breach Response Coordinator (BRC) Roles and Responsibilities HIPAA Security Officer (HSO) Roles and Responsibilities Chapter 3 HIPAA ADMINISTRATION Administrative Requirements NoPP Requirements Accessing Information Minimum Necessary Incidental disclosures De-identification Accounting of Disclosures HIPAA Training Oversight Document Retention, Destruction, and Disposal

3 AFI JULY Removal of PHI from the Facility Storage of Electronic Documents Containing PHI Chapter 4 USE AND DISCLOSURE OF PHI Uses and Disclosures for Which an Authorization is Required Uses and Disclosures Requiring an Opportunity for the Patient to Agree or Object Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object is not Required Chapter 5 SPECIAL CONSIDERATIONS FOR USE AND DISCLOSURE OF PHI Command Authorities ARC Access Individual Medical Readiness (IMR) and Mission-Related Medical Communications For Release of Information for Personnel Reliability Assurance Program (PRAP) Purposes Occupational Safety and Health Administration (OSHA) Chapter 6 COMPLAINTS & INVESTIGATIONS Complaints Department of Health and Human Services (HHS) inquiries Identification Investigation Notification Procedures to Affected Individuals Other Reporting Requirements Incident Closure Chapter 7 USE OF ELECTRONIC COMMUNICATIONS Use of Non-Clinical Communications with Patients Secure Messaging Text Messaging Appointment Reminders

4 4 AFI JULY Electronic Copies of Health Records Social Media Other Types of E-Communications Fax transmissions Tele-Health Chapter 8 HEALTH RECORD AUDITS FOR HIPAA INVESTIGATIONS Purpose Requesting a Health Record Audit for Breach Incidents Document Retention for Audit Requests Chapter 9 OTHER BUSINESS RELATIONSHIPS Business Associates Health Information Exchanges/Organizations (HIE/O) Patient Safety Organizations (PSO) Attachment 1 GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION 51 Attachment 2 DIRECTIVE 60

5 AFI JULY Chapter 1 PROGRAM OVERVIEW 1.1. HIPAA within the Air Force Medical Service. The purpose of HIPAA is to improve the portability and continuity of health insurance coverage, improve access to long term care services and coverage, and to simplify the administration of healthcare. A primary component of HIPAA administrative simplification provisions, 45 Code of Federal Regulations (CFR) Parts 160 and 164, is the protection and privacy of individually identifiable health information. The HIPAA Privacy Rule governs this component, and DoD R, DoD Health Information Privacy Regulation, implements the requirements of the HIPAA Privacy Rule throughout the MHS. Reference to sections of the DoD R also includes reference to the same content in any successor issuances. This AFI applies to all organizational units and military, civilian, contractor and volunteer staff working at Air Force military treatment facilities. (T-0) 1.2. Interaction Between HIPAA Privacy and Patient Administration Functions. Many of the HIPAA Privacy implementation requirements set forth by DoD R are functions inherently conducted by TRICARE Operations and Patient Administration (TOPA) personnel within the Medical Treatment Facility (MTF). Various sections of AFI also include policy and guidance relating to certain aspects of HIPAA.

6 6 AFI JULY 2017 Chapter 2 ORGANIZATIONAL STRUCTURE AND FUNCTIONAL ROLES AND RESPONSIBILITIES 2.1. The Air Force Medical Support Agency (AFMSA). AFMSA will appoint an Air Force Medical Service (AFMS) HIPAA Privacy Officer (HPO). The primary responsibility of the AFMS HPO is to oversee the activities of the HIPAA Privacy Program, including but not limited to, policy development and interpretation as necessary to ensure AFMS compliance with applicable federal guidelines, Department of Health and Human Services (HHS) rules, Department of Defense (DoD) directives and instructions, and Air Force policies and procedures pertaining to the confidentiality, integrity and availability of individual s health information subject to DoD R, C1.5.1., C Communicates and coordinates with the Defense Health Agency (DHA), external federal agencies, Secretary of the Air Force (SECAF) agencies, and other DoD organizations as necessary to implement, clarify and execute HIPAA privacy activities throughout the Air Force Medical Service Facilitates notice, as applicable, to the Defense Health Agency Privacy and Civil Liberties Office of all breaches of PHI involving MHS beneficiaries Provides policy guidance to Air Force Medical Operations Agency (AFMOA), Health Benefits Support Branch to ensure MTFs are receiving current and accurate information regarding HIPAA privacy policy, procedures, and operational changes The AFMS HPO, in collaboration with AFMOA Health Benefits (AFMOA/SGAT) HIPAA team (collectively referred to as AFMOA HIPAA), will create and distribute HIPAA Privacy Officer guidance for MTF HIPAA Privacy Officers The AFMS HPO also provides HIPAA privacy support and subject matter expertise to all AF/SG directorates assigned to the National Capitol Region (NCR) The AFMS HPO will ensure AF/SG and directorate personnel assigned to the NCR receive initial and annual HIPAA training in accordance with AFMS and HIPAA policy and procedures Participates as a member of the Incident Response Team (IRT), as necessary Air Force Medical Operations Agency (AFMOA). AFMOA will provide centralized capability and lead the AFMS in executing all HIPAA policies. AFMOA will provide privacy and security consultation and Subject Matter Expertise (SME) to support the Air Force medical infrastructure HIPAA execution functions will be centralized at AFMOA within the SGA Directorate, Health Benefits Support. AFMOA will appoint an individual to serve as the single point of contact to funnel privacy and security information between AFMSA and the field. This branch will oversee HIPAA privacy and security functions and will be responsible to monitor AFMS HIPAA compliance, provide centralized technical expertise, conduct site visits, and provide consultative assistance to Major Command (MAJCOM) Surgeons and MTFs.

7 AFI JULY Develops standardized metrics to be used by MTFs to monitor and analyze HIPAA compliance and identify any trends Maintains centralized aggregation of metrics available to leadership and the AFMS HPO, upon request Assists MTFs on responses and mitigation efforts for breaches of PHI Requests/coordinates external SME input and assistance as necessary to assist the affected organization in reporting, mitigating, documenting and resolving the incident Coordinates with AFMS HPO for actions associated with HHS breach reporting requirements Controls flow of information between involved (affected) organization and higher headquarters/external agencies Serves as an advisor to the MTF IRT, as necessary Medical Group Commander or MTF Commander. The Medical Group Commander or MTF Commander, where there is not a Medical Group Commander assigned, will maintain overall responsibility for the implementation and administration of local MTF HIPAA privacy and security programs designed to ensure compliance with established federal, DoD, and Air Force privacy and confidentiality rules. (T-0) Oversees the development of Medical Group Instructions (MDGIs) to ensure processes, documentation requirements, and implementation specifications relating to HIPAA compliance, beyond what is already included in Air Force instructions. (T-0) The AFMOA HIPAA team can provide additional guidance and resources for the development of an MDGI Designates, in writing, a MTF primary HIPAA Privacy Officer (HPO) and HIPAA Security Officer (HSO) to implement and manage HIPAA Privacy/Security compliance activities throughout the MTF s facilities, and to receive and investigate complaints and allegations of non-compliance with the HIPAA Privacy/Security Rule. MTF HPOs and HSOs have access to systems that are unique and require complex access requests (e.g., PHIMT, JKO) and may also require special training. In the event that a MTF only has one designated individual, the MTF is at risk of non-compliance in the handling of patient requests and complaints if the HPO or HSO is out of the office on extended leave, TDY, or other non-availability. Alternate HPOs and HSOs should also be appointed. (T-0) Reference DoD R, C1.5.1., C14.1.; DoDI , Security of Individually Identifiable Health Information in DoD Health Care Programs Identifies a primary and alternate Breach Response Coordinator (BRC) within the organization to act as a single point of contact for coordinating organizational activities associated with the breach notification and reporting process. (T-1) This individual must be empowered to coordinate personnel and resources throughout the organization as necessary to ensure the prompt investigation and mitigation of the incident. (T-1) Designates the MTF HPO as the BRC, depending on staffing and subject matter expertise.

8 8 AFI JULY Ensures workforce members are trained IAW DoD R to include local policies and procedures for the safeguarding of PII and PHI. (T-0) Personnel must also be trained on action steps for securing PII and PHI and internal reporting procedures in the event of a suspected or actual breach of information. (T-0) Ensures minimum of two (2) Health Record Auditors are assigned in writing. (T-1) See Chapter 8 of this AFI for additional requirements Oversees MTF IRT, as necessary MTF HIPAA Privacy Officer (HPO) Roles and Responsibilities Many activities required by HIPAA privacy overlap with patient administration duties and require interaction with senior level personnel and coordination with external agencies. The individual who is appointed to perform the duties of the MTF HPO must possess the requisite experience, knowledge, and authority to develop, implement, and monitor the HIPAA privacy practices, policies, and procedures throughout the facility. (T-0) For Limited Scope Medical Treatment Facilities (LSMTF). The individual who is appointed to perform the duties of the MTF HPO must possess the requisite experience, knowledge, and authority to develop, implement, and monitor the HIPAA privacy practices, policies, and procedures throughout the facility Develops policies and procedures, as necessary, for local implementation of the HIPAA Privacy regulation IAW DoD R, C14.9., and in the format described in paragraph (T-0) Provides the following MTF Integration Activities: Understands the content of health information in its clinical, research, and business context. (T-2) Understands the decision-making processes throughout the MTF that rely on all forms of health information. (T-2) Identifies and monitors the flow of information within the MTF and throughout the local healthcare network. (T-2) Serves as privacy liaison for users of clinical and administrative systems. (T-2) Coordinates with HIPAA Security Officer (HSO) to review all systemrelated information security plans throughout the MTF network to ensure alignment between security and privacy practices and acts as a liaison to the information systems department. (T-2) Collaborates with HSO to ensure appropriate security measures are in place to safeguard PHI. (T-2) The HPO will coordinate with the appropriate offices (e.g., Patient Administration Functions, Medical Record Administration, and Information Assurance) to validate existing MDGIs adequately address DoD R requirements, align with HIPAA, and should then simply cross-reference the policy rather than duplicate policies in a separate HIPAA instruction.

9 AFI JULY Tracks the delivery of initial and annual refresher privacy training for all members of the MTF workforce, including volunteers, medical and professional staff, physician residents and interns, contractor employees, and visiting personnel such as clinical students who have access to PHI. (T-0) Provides a briefing on patient rights under HIPAA and provides the MHS Notice of Privacy Practices (NoPP) at all Wing/MTF Newcomer s Orientations briefings as part of the TOPA Flight briefing. (T-2) Serves as the Subject Matter Expert (SME) and maintains current knowledge of applicable federal and DoD privacy laws, accreditation standards, DoD and AFMS regulations and policies related to health information. Monitors advancements of emerging privacy technologies to ensure that the MTF is positioned to adapt and comply with these advancements. (T-1) Consults with legal counsel, as needed, when making decisions related to the use and disclosure of PHI in situations which may deviate from normal treatment, payment and health care operations (TPO). (T-2) Ensures continuous assessment, implementation, monitoring, and revision of the MTF HIPAA Privacy programs in light of changing circumstances in its organizational, security, and/or regulatory environment. (T-1) Conducts HIPAA Compliance Assessments/Audits using AFMS approved compliance monitoring tools (e.g., DHA HIPAA Privacy Rule Assessment Tool; HHS/Office for Civil Rights (OCR) HIPAA Privacy, Security, and Breach Audit Protocols). (T-0) Conducts an initial compliance assessment within 60 days of assignment and documents findings. (T-2) Conducts periodic compliance assessments and monitoring thereafter, but no less than annually, to identify shortfalls in compliance and implements corrective action(s) as necessary; documents results using the AFMS approved compliance monitoring tool. (T-1) Ensures a mechanism is in place at the MTF for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization s privacy policies and procedures in coordination and collaboration with other similar functions, and when necessary, legal counsel. (T-0) Reference DoD R, C Chairs the IRT and designates a central point for coordinating information and document gathering for dissemination to members of the IRT. (T-1) Develops a list of key IRT participants and contact information based on the categories outlined in paragraph (T-1) IRT participation will be dependent on the type and severity of the incident. (T-1) MTF or Base IRT members may include the following, depending on the circumstances: MTF HIPAA Privacy Officer/Office (HPO), Installation Privacy Act Official/Officer, MTF HIPAA Security Officer (HSO), Internal Investigator(s), affected Unit/Operations representative(s), Public Affairs, Legal, Finance/Accounting representative(s), Human Resources, and Call Center representative(s).

10 10 AFI JULY Additional representation, depending on the severity, may also include law enforcement, other government entities (such as DHA, HHS/OCR), or identity theft/credit monitoring vendors This is not an exhaustive list and participants can be added on an as needed basis. Each member of the IRT will bring subject matter expertise to aid the MTF HPO/HSO with mitigating and complying with regulatory requirements Ensures IRT, AFMS HPO, and AFMOA HIPAA are informed of all breaches involving 500 or more beneficiaries as well as all other high-visibility breaches, regardless of the affected number of beneficiaries. (T-1) Serves as the liaison between the MTF and Installation Privacy Official to report, resolve and mitigate breaches of personally identifiable information. (T-2) The Installation Privacy Official oversees compliance with the Privacy Act, and should not be confused with the MTF HPO, who oversees compliance with the HIPAA Privacy Rule Refers to the AFMOA Health Information Compliance Team KX website for detailed information on the breach process Coordinates with the BRC, as applicable. (T-1) Documents any disclosures of PHI in the Protected Health Information Management Tool (PHIMT) or other AFMS approved disclosure accounting tool, including unauthorized disclosures of PHI resulting from an incident. (T-0) If the MTF HPO delegates this responsibility, the MTF HPO is still responsible for oversight and compliance for this process Liaisons with Medical Logistics and other MTF activities to ensure the most current and appropriate Business Associate Agreements (BAAs) and/or Data Use/Sharing Agreements are in place, where applicable. (T-0) 2.5. Breach Response Coordinator (BRC) Roles and Responsibilities Any individual within the organization may be appointed to this position, but individuals such as the Privacy Act Monitor, MTF HPO, and HSO are particularly wellsuited based on their functional responsibilities and expertise Keeps MTF HPO, as applicable, informed during the course of receiving, documenting, tracking, and investigating incidents IAW Chapter 6 of this AFI. (T-2) Acts as the single point of contact within the organization with overall responsibility for coordinating information flow and response actions to breaches of PII or PHI under the organization s control. (T-1) Keeps organizational leadership informed of evolving events and response activities through periodic updates and executive summaries, as requested. (T-1) Coordinates with the AFMOA HIPAA team as necessary to ensure all reporting requirements and status updates are up-channeled to AFMS leadership. (T-1) Coordinates with the organization s Chief Information Officer for all incidents involving information systems and e-phi. (T-1)

11 AFI JULY Develops a plan of action to ensure compliance with all reporting requirements and action steps as required. (T-1) Participates as a member of the IRT, as necessary HIPAA Security Officer (HSO) Roles and Responsibilities Implements administrative, physical and/or technical safeguards sufficient to reduce risks and vulnerabilities to electronic PHI (ephi) and associated information systems to a reasonable and appropriate level as specified by relevant Federal, DOD publications, regulations, AFMAN , AFI , and AFI and AFPD (T-0) The individual who is appointed to perform the duties of the MTF HSO must possess the requisite experience, knowledge, and authority to develop, implement, and monitor the HIPAA security practices, policies, and procedures throughout the facility For Limited Scope Medical Treatment Facilities (LSMTF). The individual who is appointed to perform the duties of the MTF HSO must possess the requisite experience, knowledge, and authority to develop, implement, and monitor the HIPAA security practices, policies, and procedures throughout the facility Continuously assesses, implements, monitors, and revises the medical group health information assurance posture as part of overall management of the host base network infrastructure The AF Security Control Assessor's office has approved the HHS/OCR Security Risk Assessment Tool (SRAT) for use in conducting risk analyses. (T-2) Refer to the AFMOA Health Information Compliance Team KX website for additional information and any other versions or tools that have been approved for use Guidance published on the HHS/OCR website states, Risk analysis and risk management are not one-time activities. Risk analysis and risk management are ongoing, dynamic processes that must be periodically reviewed and updated in response to changes in the environment. The risk analysis will identify new risks or update existing risk levels resulting from environmental or operational changes Ensures applicable publications and procedures are periodically reviewed, to include any revisions when significant changes occur in relevant law or operating environment, at least annually. (T-0) The HSO will work with local representatives from the communications squadron as well as health records systems team members to assist with information protection and operational requirements. (T-2) A risk analysis will be conducted, as required by DoDI , Enclosure 4, Section 1.a.(1), by the HSO to include an inventory of all systems and applications that are used to access and house data, and classifying them by level of risk. The HSO can delegate the performance of the risk analysis, as appropriate, but will retain oversight responsibility for the analysis. (T-0) Considers all relevant losses that would be expected if the security measures were not in place, including loss or damage of data, corrupted data systems, and anticipated ramifications of such losses or damage. (T-0)

12 12 AFI JULY Functions as the liaison between the MTF, higher headquarters, base Information Assurance Office, AFMOA and other internal and external organizations in developing, implementing, and maintaining the MTF health information security program. (T-1) The HSO may invite other members of the MTF to participate in workgroups, taskforces, or committees in support of protecting individually identifiable health information and associated information systems Works with the MTF HPO to monitor medical group contracts to ensure those contracts that involve use or disclosure of PHI or electronic PHI includes approved Business Associate Agreement and appropriate HIPAA Security language. (T-0) Co-Chairs the IRT in coordination with the HPO, when applicable.

13 AFI JULY Administrative Requirements. Chapter 3 HIPAA ADMINISTRATION HIPAA covered entities must comply with the administrative, technical, and physical requirements, described in the HIPAA Privacy Rule and DoD R, including but not limited to, adequate safeguards, policies and procedures, document retention requirements, sanctions for members of the workforce who fail to comply with the privacy policies and procedures, training, and refraining from intimidating or retaliatory acts. (T-0) Health care personnel and related assets of the Department of the Air Force under the management authority or employed by the Surgeon General of the Air Force, including Headquarters staff, operating agencies (such as, but not limited to, the Air Force Medical Support Agency and the Air Force Medical Operations Agency), Major Command Surgeons General, and any other organizational level within the Air Force Medical Service, are part of the AFMS covered entity This excludes ARC medical personnel when not working as part of the covered entity Patients have certain rights (e.g., access, accounting, alternate communications, amendment, and restrictions) outlined in the HIPAA Privacy Rule and DoD R. The MTF is required to retain certain documentation IAW DoD R and paragraph 3.9. of this instruction. (T-0) Access and fees. Requests by patients for access to or copies of their health record must be IAW AFI , paragraphs , 4.4., and, as applicable, this AFI, paragraph 7.6. (T-0) Accounting of disclosures. Patient can request an accounting of disclosures. These requests should be handled IAW DoD R and paragraph 3.7. of this instruction A patient can request that the MTF communicate with them through alternate/confidential communications The MTF must accommodate reasonable requests by individuals to receive communications of protected health information by alternate means or at alternate locations. (T-0) Requests for amendment Any correction or amendment to the health record must be IAW DoD R, Chapter 12, AFI , paragraphs , 5.3., and the direction outlined in the Policy for Legal Correction of AHLTA Erroneous Data or Information and process contained in updated guidance found on AFMOA Health Information Compliance Team KX website, as applicable. (T-1) If the MTF HPO delegates this responsibility, the MTF HPO is still responsible for oversight and compliance for this process. (T-1)

14 14 AFI JULY Requests for restrictions must be handled IAW DoD R, C10.1. and AFI , paragraph (T-0) Requests should be submitted to the MTF HPO using the DD Form 2871, Request to Restrict Medical or Dental Information PHIMT can be used for tracking restrictions that have been granted, using the Accountable Disclosure Restriction functionality NoPP Requirements. The AFMS is required to utilize the Military Health System (MHS) NoPP, which explains how the patient s PHI may be used and disclosed. It also describes the patients rights regarding the use of PHI and contact information for complaints or issues. Deliver the NoPP and obtain the patient s acknowledgement no later than the date of the first service delivery, or if an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation (DoD R, Chapter 9.) The MTF must make a good faith attempt to obtain the patient s written acknowledgement of receipt of the NoPP, IAW DoD R, C9.3.2., C9.5. (T-0) MTFs must have a process in place to ensure the patient has acknowledged receipt of the MHS NoPP. (T-0) NoPP acknowledgements must contain each patient s printed and signed name. (T-0) Parents, guardians, and loco parentis must be asked to sign acknowledging their receipt of a copy of the NoPP on behalf of the minor child. (T-0) If the patient, parent, or guardian declines, or is unable, to acknowledge receipt, the MTF must document the reason why the acknowledgement was not obtained. (T-0) See the AFMOA Health Information Compliance Team KX website for information on methodologies for obtaining acknowledgement (e.g., NoPP labels on hard copy records, scanning NoPP labels into HAIMS, electronic capture, or other AFMS approved mechanisms) Ensure copies of the MHS NoPP pamphlet are readily available throughout MTF points of service for beneficiaries to review and take with them. (T-0) Reference DoD R, C Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision The MTF must post the MHS NoPP in a clear and prominent location where it is reasonable to expect individuals seeking service from the MTF will be able to read the notice. Ensure the MTF HPO contact information is provided on the posting in the lower right corner. (T-0) MTFs that maintain an official website describing customer services or benefits must prominently post the MHS Notice of Privacy Practices (NoPP) on the website s home page IAW with guidance published by DHA Privacy and Civil Liberties Office (PCLO). (T-0) 3.3. Accessing Information. The ability to access PHI must be consistent with the staff member s role to access the record for treatment, payment, or health care operations. (T-0)

15 AFI JULY Accessing PHI outside the scope of an individual s job function is not permissible. (T-0) Each situation should be evaluated on a case-by-case basis in order to determine if the individual had a valid reason for obtaining the PHI. HHS specifically stated in the 25 January 2013, Federal Register that access as a result of such snooping would be neither unintentional nor done in good faith and would therefore be considered a breach. Impermissibility may include, but is not limited to the following examples Looking up information on self, co-workers or their family members, friends, family members, political figures, or celebrities Looking up demographic information of a patient in order to contact them outside the work or treatment environment when not in the course of a performing one s job function (e.g., calling a patient for a social encounter) Opening a document in HAIMS that has a sensitive or mental health indicator when you are not treating the patient, just to see what is wrong with them Minimum Necessary. Use or disclosure, or request for PHI is limited to the minimum amount of information necessary to accomplish the intended purpose of the use, disclosure, or request unless an exception to the minimum necessary rule, as outlined in DoD R, C8.2.2., applies. (T-0) It may be necessary to develop local policies/procedures to address minimum standards The MTF will need to evaluate its practices and enhance protections as needed to limit unnecessary or inappropriate access to PHI. (T-0) Disclosures for treatment purposes between health care providers are explicitly exempted from the minimum necessary requirements The MTF should ensure any recipients of the information are authorized to receive the information under the Privacy Act, HIPAA, and any other applicable law or regulation Incidental disclosures The MTF must implement reasonable safeguards to limit incidental uses or disclosures. (T-0) Reference DoD R, C It is not required that all risk of incidental use or disclosure be eliminated. For example: The Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment settings The MTF staff are free to engage in communications as required for quick, effective, and high quality health care Overheard communications in these settings may be unavoidable, but it is a good practice to use lowered voices or talking apart from others when sharing PHI De-identification. The MTF should use de-identified data whenever possible (e.g., research, aggregate reporting).

16 16 AFI JULY Health information that has been de-identified under DoD R, Chapter 8, is considered not to be individually identifiable health information and is not subject to the same restrictions on use/disclosure as PHI. (T-0) 3.7. Accounting of Disclosures. A patient has the right to request an accounting of certain disclosures, except for those disclosures outlined in DoD R, C , for the previous 6-year period. (T-0) All MTFs will use a standardized tracking mechanism for accountable HIPAA disclosures. (T-1) PHIMT is the required method to document all accountable disclosures, with the following exceptions Aeromedical Services Information Management System (ASIMS) automatically captures disclosures that are made to command authorities. A separate entry into PHIMT is not required To request an ASIMS accounting of disclosure report, submit a copy of the patient request letter to the AFMOA HIPAA team, who will facilitate with the ASIMS Program Office Disease Reporting System internet (DRSi) captures disclosures that are made to public health authorities within the MHS. A separate entry into PHIMT is not required To request a DRSi accounting of disclosure report, submit a copy of the patient request letter to the MTF Public Health clinic, who will be able to provide a copy of the information Disease reporting made by MTF Public Health to Public Health Agencies outside the MHS that have not been documented in DRSi require an entry into PHIMT When a patient requests an accounting of disclosure, the MTF will provide a report, consisting of PHIMT, ASIMS, and DRSi, of the disclosures made during the time period requested by the patient, for up to 6 years preceding the request. (T-0) In addition, the following statements in paragraph , , and must be included with each response to the patient that is provided by the MTF Recurring Disclosure to ARC Command Authority. If you are a member of a Reserve or National Guard unit (ARC) your Guard or Reserve medical unit has had access to your medical information beginning on the date when you applied for entry to ARC or re-assignment within ARC to a different unit, and thereafter on an ongoing basis, until such time as you are no longer assigned to the particular unit. Such access was for purposes of: determining your fitness for duty and fitness to perform any particular mission, assignment, order, or duty; health surveillance; reporting on casualties; or carrying out any other activity necessary to the proper execution of the mission Recurring Disclosure for Disability Evaluation System. If you have undergone or are currently undergoing a disability review as part of the Disability Evaluation System (DES), your entire medical, dental, and mental health records, have been disclosed by the MTF where you receive the majority of your care, or the nearest Air Force MTF if you were hospitalized away from your installation of assignment or in a non-air Force facility, to individuals involved in the DES process. This includes the prescreening process, AFPC/DP2NP or ARC/SGP review, Deployment Availability

17 AFI JULY Working Group (DAWG), medical evaluation board (MEB), and Veterans Administration. Disclosure of your information occurred at the date the referring provider signed and dated the VA Form , VA/DoD Joint Disability Evaluation Board Claim form, and continued on an ongoing basis for the duration of your involvement in the DES process Recurring Disclosure for Fire Emergency Services. If you were provided treatment by an AF ambulance crew (Emergency Medical Services/Technician (EMS/T)) ambulance service, your medical information contained on the AF Form 552, Air Force Patient Care Report, related to the services you received on the date of the incident was disclosed to the AF Fire Emergency Services (FES), on or about the date you received the service. FES is required by law to document fire department management, dispatch, data collection and fire incident reporting in the Fire Emergency Services Information Management System (FES-IMS) as part of the contingency planning process for fire safety of personnel and property under the control of installation commanders. Medical information maintained by AF FES is safeguarded in accordance with the Privacy Act of If the MTF elects to use an alternate accounting tool, it must be coordinated through the AFMOA HIPAA team and approved by the AFMS HPO prior to implementation to ensure compliance with statutory and regulatory requirements. (T-1) At a minimum, this data must be centralized, the tool must be able to account for all disclosures made throughout the MTF, and it must conform to all privacy and security safeguards. (T-1) All accountable disclosures must be kept for a minimum of 6 years IAW DoD R. (T-0) See paragraph 4.3. for additional information on the various categories of disclosures which must be documented HIPAA Training Oversight. The MTF HPO oversees, directs, and ensures delivery of HIPAA privacy/security training and orientation to the MTF workforce, to include trainees and volunteers. (T-0) Reference DoD R, C Initial and Annual Training. Joint Knowledge Online (JKO) is the method for delivering the DHA PCLO HIPAA and Privacy Act initial and annual refresher training course. MTFs are required to utilize JKO for initial and annual HIPAA training to more effectively track personnel and completions across the AFMS. In the event that the training platform is changed, the AFMS HPO will provide direction and guidance on the future approved mechanism for initial and annual training Annual training is conducted in order to maintain workforce awareness and inform workforce of any changes to privacy policies. (T-1) Upon in-processing to the organization, employees that can provide proof of completion of AFMS approved HIPAA training within the previous 12 months, need only receive local facility training. Employees that cannot offer proof of completion must complete both AFMS approved HIPAA training and local facility training within 30 days of assignment or arrival. (T-2) The MTF HPO should periodically run reports to determine the MTFs compliance with training requirements.

18 18 AFI JULY Reconciliation of JKO reports with personnel rosters or Defense Medical Human Resources System-internet (DMHRSi) reports ensures that all individuals within the facility that require HIPAA training are accurately identified and tracked. (T-1) Alternate Training. MTFs may request use of alternate training in instances where the training platform is determined to be unstable and deficiencies cannot be resolved (e.g., connectivity issues). Use of alternate training and delivery methods must be coordinated through the AFMOA HIPAA team and approved by the AFMS HPO prior to implementation, to ensure compliance with initial training content and documentation requirements. (T-1) The AFMS HPO will provide standardized training content for use by those facilities that are approved for alternate training. Use of commercially available or locally produced training content is not authorized to meet core HIPAA training requirements The alternate training content approved by the AFMS HPO is the equivalent of the current HIPAA and Privacy Act course in the learning management application (e.g., JKO). Completion of this alternate version meets the HIPAA training requirements for the AFMS Organizations approved for use of alternate delivery methods must maintain current and accurate records of initial and annual training of workforce members and provide training statistics to AFMOA HIPAA, upon request. (T-1) ARC is approved for use of alternate training and delivery by the AFMS HPO. Training may be accomplished through individual or group training events. Training completion can be updated in JKO. Test results must be maintained by the Training Coordinator (TC) Alternate training meets the same requirements as are in JKO. Certificates of Completion are valid throughout the AFMS MTFs requesting waiver consideration must submit the following information to AFMOA HIPAA in letter format, endorsed by the MTF Administrator (SGA) or Medical Support Squadron Commander: (T-1) Identify the nature of the technical difficulties that prevent the MTF from using the platform. (T-1) Identify the specific actions that have been taken to correct the problem (e.g., contacting Base Communications or the applicable system Help Desk, and/or user computer configuration attempts). (T-1) Provide contact information for local system administrator or report manager. (T-2) Other audiences There may be situations in which an individual is not able to access JKO due to status as a NON-US CAC User (e.g., OCONUS) or does not have a CAC card. An alternate public-facing course is available. Contact the AFMOA HIPAA team for guidance and information on how to access the public site.

19 AFI JULY Trainees that complete this course must save a copy of their completion certificate prior to exiting the public-facing course. No records are maintained on the server hosting this course and there will be no evidence of completion retained in JKO Trainees will need to provide the HPO with a copy of their Certificate of Completion as proof of successful completion of the course. (T-2) Local Training. Ensure MTF specific HIPAA information (e.g., training on local policies, procedures, and awareness training) is briefed at MTF in-processing sessions, commander s calls, and other venues in order to maintain workforce awareness and to introduce any changes to privacy policies. (T-2) Local privacy training is not a substitute for initial and annual training outlined in paragraph For those individuals that are not required to complete HIPAA training when their job functions do not involve the access/use/disclosure of PHI (non-covered functions) (e.g., janitorial/housekeeping staff, maintenance, or logistics personnel), local privacy training can be accomplished Consult with the AFMOA HIPAA team for additional guidance and requirements for designating categories of individuals that are not subject to HIPAA Any local policies should reference the categories of individuals that are exempt from training requirements Other training. HIPAA Privacy Officer or medical group leadership will make available general HIPAA overview training to new Commanders and First Sergeants within 90 days of assignment using the standardized AFMS briefing template (HIPAA Privacy: An Overview for Commanders (CC)). (T-1) Additional briefings may be provided as needed or upon request of wing leadership The CC and Air Force Leader (HIPAA Privacy: An Overview for Air Force Leaders) briefings are the sole source of HIPAA privacy information presented at the commanders courses. The most current versions are located on the AFMOA Health Information Compliance Team KX website. Alterations to the CC and Air Force briefings can only be approved by local Medical Group leadership Document Retention, Destruction, and Disposal Retention. The MTF must retain the documentation required IAW the HIPAA Compliance Documentation outlined in the Air Force Records Disposition Schedule (RDS) located in the Air Force Records Information Management System (AFRIMS). (T-0) Maintain the policies and procedures provided in written or electronic form; (T- 0) If a communication is required to be in writing, maintain the writing and any response, or an electronic copy, including names/titles of persons or offices responsible for receiving and processing requests, as documentation; and (T-0) If an action, activity, or designation is required to be documented, maintain a written or electronic record of such action, activity, or designation. (T-0)

20 20 AFI JULY Destruction. In the event that any documents requiring retention or documents containing PHI have reached their applicable expiration, the documents must be properly destroyed and disposed of by rendering records or data unusable, unreadable, or indecipherable. (T-0) Disposal. Documents or electronic systems/devices, including computers, copiers or fax machines with memory storage, or other electronic storage devices that may contain PHI must be disposed IAW Air Force Manual (AFMAN) , Management of Records, and Air Force RDS located in the AFRIMS. (T-1) The memory contained in these devices must be swiped or cleared before disposition. (T-0) PHI in paper format should be immediately shredded. If the PHI cannot be immediately shredded, it will be placed in a locked, secure area until it can be destroyed. (T-0) PHI must not be disposed of in the regular garbage or recycle bins. (T-0) Periodic checks of garbage cans, recycle bins, or dumpsters can be made to ensure that PHI is being properly disposed of Removal of PHI from the Facility In general, PHI should not be removed from the MTF for use off-site If there are particular circumstances in which treatment, payment, or health care operations cannot be performed without removing PHI from the facility by a workforce member, the MTF must develop and implement procedures to reasonably protect the physical integrity, security, and confidentiality of the PHI while off-site (e.g., teleworking). (T-0) Use of mobile devices (e.g., laptops, tablets) must comply with relevant Federal, DOD issuances, and Air Force instructions Any paper documents/records must be secured when not in use and must be returned to the facility as soon as is reasonably practical The procedures must ensure that removal of the PHI from the MTF is for an appropriate use and has been approved by the individual s supervisor Any damage to, loss of, or unauthorized access to the PHI must be promptly reported to the MTF and MTF HPO Examples of loss might include theft from a vehicle or missing, lost baggage at airport or other public transportation Storage of Electronic Documents Containing PHI. Excepting the limitations for Alternative Methods to Capture Consults and Referral Results storage, IAW AFI , paragraph , other electronic documents containing PHI that require retention, pursuant to document retention requirements in DoD R, C14.10., may be stored on shared drives or SharePoint locations (e.g., complaint investigations, patient correspondence, congressional inquiries) All MTF computer folders and files containing PHI must be limited to users who can demonstrate a verifiable need for access. (T-0)

21 AFI JULY All computer folders and files containing PHI must offer limited user access and be either password protected or hidden with access restriction requirements. (T-1) Data at rest solutions may be deployed to encrypt files and folders containing PHI When no longer needed for daily operations or record retention, remove PHI which is accessible or viewed through shared drives, SharePoint or similar web base applications IAW paragraph 3.9. (T-1)