1303A West Campus Drive

Similar documents
[Enter Organization Logo] CONSENT TO DISCLOSE HEALTH INFORMATION UNDER MINNESOTA LAW. Policy Number: [Enter] Effective Date: [Enter]

HIPAA Policies and Procedures Manual

HIPAA PRIVACY RULE: LIMITING USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION TO THE MINIMUM NECESSARY

Module: Research and HIPAA Privacy Protections ( )

Southwest Acupuncture College /PWFNCFS

NOTICE OF PRIVACY PRACTICES

New York Notice Form Notice of Psychologists Policies and Practices to Protect the Privacy of Your Health Information

Regulatory Issues Facing Student Health Centers Presented by: Richard T. Yarmel and Edward H. Townsend

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION: HIPAA PRIVACY POLICY

Notice of Privacy Practices for Protected Health Information (PHI)

PATIENT INFORMATION. In Case of Emergency Notification

HIPAA Privacy Rule and Sharing Information Related to Mental Health

San Francisco Department of Public Health Policy Title: HIPAA Compliance Privacy and the Conduct of Research Page 1 of 10

HIPAA PRIVACY TRAINING

Chapter 19 Section 3. Privacy And Security Of Protected Health Information (PHI)

Notice of Privacy Practices

Patient Privacy Requirements Beyond HIPAA

NOTICE OF PRIVACY PRACTICES

Notice of HIPAA Privacy Practices Updates

INSTITUTIONAL REVIEW BOARD Investigator Guidance Series HIPAA PRIVACY RULE & AUTHORIZATION THE UNIVERSITY OF UTAH. Definitions.

NOTICE OF PRIVACY PRACTICES

PATIENT NOTICE OF PRIVACY PRACTICES Effective Date: June 1, 2012 Updated: May 9, 2017

Information Privacy and Security

OVERVIEW OF THE USES AND DISCLOSURES OF PHI

Privacy and Security Orientation for Visiting Observers. DUHS Compliance Office

NOTICE OF PRIVACY PRACTICES

CAPITAL SURGEONS GROUP, PLLC

HIPAA Notice of Privacy Practices

Privacy Board Standard Operating Procedures

WELCOME. Payment will be expected at the time of service. Please remember our 24 hour cancellation notice.

CLINICIAN S GUIDE TO HIPAA PRIVACY

(PLEASE PRINT) Sex M F Age Birthdate Single Married Widowed Separated Divorced. Business Address Business Phone Cell Phone

Creation Date: 1/30/15 Title: Patient Right to Access, Inspect and Copy Revision History:

HIPAA & Research Overview for the Privacy Board March 22, UAMS HIPAA Office Vera M. Chenault, JD

WAKE FOREST BAPTIST HEALTH NOTICE OF PRIVACY PRACTICES

Notice of Privacy Practices

Lou Eckart, Ph.D. and Associates Licensed Clinical Psychologists 22 Mill St. Suite 305 Arlington, MA

HIPAA Training

VHA Privacy Policy Training FY VHA Privacy Office

The University of Toledo. Corporate Compliance and HIPAA Training. Presented by: The Compliance and Privacy Office

A general review of HIPAA standards and privacy practices 2016

HIPAA in DPH. HIPAA in the Division of Public Health. February 19, February 19, 2003 Division of Public Health 1

NOTICE OF PRIVACY PRACTICES

The Queen s Medical Center HIPAA Training Packet for Researchers

PEDIATRIC HEALTH ASSOCIATES HIPAA NOTICE OF PRIVACY PRACTICES

It defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students must understand and follow.

HIPAA Privacy Regulations Governing Research

ETHICAL AND REGULATORY CONSIDERATIONS

Senior Care Pharmacy Wichita

REPORT OF THE BOARD OF TRUSTEES. Protection of Clinician-Patient Privilege (Resolution 237-A-17)

The HIPAA privacy rule and long-term care : a quick guide for researchers

NOTICE OF PRIVACY PRACTICES Occupations, Inc. 15 Fortune Road West Middletown, NY 10941

FERPA, CHALLENGES FACING SCHOOL NURSES & DISCIPLINARY ACTIONS FERPA. MELANIE BALESTRA, MN, NP, JD JD August May 4, 22, 2012

SUMMARY OF NOTICE OF PRIVACY PRACTICES

OREGON HIPAA NOTICE FORM

PRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS

The Privacy & Security of Protected Health Information

YALE UNIVERSITY THE RESEARCHERS GUIDE TO HIPAA. Health Insurance Portability and Accountability Act of 1996

HIPAA and HITECH: Privacy and Security of Protected Health Information

Accommodate reasonable requests you may have to communicate health information by alternative means or at alternative locations.

Notice of privacy practices

Southwest Medical Thermal Imaging & Ultrasound, LLC. Informed Consent for Thermal Imaging. Patient Name: DOB:

Psychological Services Agreement

John W. Steele, Ph.D., Licensed Psychologist 1285 Fairfield Drive, Boulder, CO 80305

Information Sharing and HIPAA Compliance

NOTICE OF PRIVACY PRACTICES

PROCEDURE-STUDENT RECORDS

NOTICE OF PRIVACY PRACTICES MedQuest Effective April 2003 Revised January 2014

HIPAA for CNAs. This course has been awarded one (1.0) contact hour. This course expires on May 31, 2020.

Notice of Privacy Practices for Protected Health Information (PHI)

Advanced HIPAA Communications and University Relations

WRAPPING YOUR HEAD AROUND HIPAA PRIVACY REQUIREMENTS

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training

Faculty Profile. PART I Privacy Training for Health Professionals. Disclaimer. Always Be Prepared 7/11/2013. Why should you care about Privacy?

The HIPAA Privacy Rule and Research: An Overview

PATIENT BILL OF RIGHTS & NOTICE OF PRIVACY PRACTICES

HIPAA Privacy Test Overview

I. Preamble: II. Parties:

NOTICE OF PRIVACY PRACTICES

The Health Insurance Portability and Accountability Act (HIPAA) Implementation via Case Law

New HIPAA Privacy Regulations Governing Research. Karen Blackwell, MS Director, HIPAA Compliance

HIPAA COMPLIANCE APPLICATION

The Arizona HIO Statute

OUR LEGAL DUTY PERSONS COVERED BY THIS NOTICE

Florida Medicaid. Medicaid School Based Services Coverage Policy. Agency for Health Care Administration. Draft Rule

HIPAA-HITECH HELPBOOK NJ Physician Practices

always legally required to follow the privacy practices described in this Notice.

******************************************************************** Policy Expectation:

Outpatient Hospital Facilities

The care of your newborn child, or the placement of a child with you for adoption or foster care; or

DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION (PHI)

Opp Health and Rehabilitation, LLC 115 Paulk Avenue P.O. Box 730 Opp, AL Phone Number: (334)

Notice of Privacy Practices

Counseling Center of Montgomery County

GRAVES-GILBERT CLINIC NOTICE OF CURRENT PRIVACY PRACTICES

Texas Higher Education oordinating oard Office of General ounsel P.O. ox 12788!ustin, TX

INFORMED CONSENT FOR TREATMENT

RESPONDING TO PATIENT COMPLAINTS AND OTHER PRIVACY-RELATED COMPLAINTS

Karen LeVasseur, LCSW Calm4Kids Therapy Center, LLC 514 Main Street Bradley Beach, NJ

SANTA RITA CARE CENTER Notice of Information Practices

Transcription:

Page 1 of 5 Applies to: faculty staff student clinicians Effective Date of This Revision: April 6, 2005 student employees visitors contractors Contact for More Information: HIPAA Chief Privacy Officer 1303A West Campus Drive 989.774.3971 Board Policy Administrative Policy Procedure Guideline PURPOSE: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) granted certain rights to patient/client/employees regarding their protected health information (PHI). This policy has been drafted to assist CMU to comply with the law and to guide CMU staff in assisting patient/client/employees to exercise their rights. DEFINITIONS: The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164. Minimum Necessary is not defined in the Privacy Rule, but is a term used to describe the amount of PHI needed to perform a particular task or function. POLICY: CMU shall take reasonable steps to limit the uses, disclosures of, and requests for PHI to the minimum necessary to accomplish the intended purpose. CMU shall maintain policies and procedures that identify persons or classes of persons within CMU and its business associates who need access to PHI to carry out their job duties, the categories or types of PHI needed, and conditions appropriate for such access. When access to an entire medical record is necessary, CMU policies and procedures shall state so explicitly and include written justification for such access. The minimum necessary provisions contained in this policy and procedure do not apply to the following: a. Disclosures to or requests by a health care provider for treatment purposes b. Uses and disclosures to the patient/client/employee who is the subject of the information c. Uses or disclosures made pursuant to an authorization provided by a patient/client/employee d. Uses or disclosures required for compliance with the standardized HIPAA transactions e. Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes Authority: M. Rao, President History: No Prior History Indexed as: HIPAA Minimum Necessary Use and Disclosure of Protected Health Information; HIPAA Protected Health Information; HIPAA Disclosure of Protected Health Information

Page 2 of 5 f. Uses or disclosures that are required by other law. PROCEDURE: 1.0 Use of PHI: Persons and Classes of Persons in the CMU Workforce Who Need Access to PHI. CMU recognizes that a number of persons and groups of persons need access to some level of PHI to carry out their job duties. The Privacy Officer for each unit of the hybrid entity shall maintain a list of the classifications of personnel (including student clinicians/interns and volunteers) approved to have routine access to PHI in the performance of their duties. Receivable Accounting: Employees in this unit of the university may have access to PHI to the extent necessary to fulfill their responsibilities. For example, this office may handle some billing and collections of a) employees for health plan premiums, b) students for health insurance, c) students and others for services received from University Health Services, and d) clients/patients of The Psychological Training & Consultation Center. The records to which this unit would have access are limited to those related to billing and usually include only personally identifying information (name, identifying numbers, address, telephone number), amount owed, date of service, general statement of service rendered, unit of University rendering service. All employees in Receivable Accounting and student services advisors may have access to those records. Internal Audit: Employees in this unit of the university may have access to PHI to the extent necessary to fulfill their responsibilities. For example, if an employee or unit of the university is accused or suspected of violating certain HIPAA and University policies regarding the security and privacy of PHI, this office may be involved in reviewing systems and safeguards, both in order to assess what occurred in the past and to recommend changes in the future. Also, this office may audit an area with PHI, such as Health Services or the Speech-Language Pathology and Audiology Clinics, to determine, among other things, if HIPAA regulations, as well as departmental or university policies and procedures, are being followed. In the process of conducting these reviews, the office may have access to PHI on employees, clients or patients. The Director and auditors would have primary access to those records needed to conduct the review. The support staff in that office might have some access to those records in order to assist (e.g., setting up and organizing the file; putting the file away and retrieving it, preparing letters, typing witness notes, etc.). General Counsel: Employees in this unit of the university may have access to PHI to the extent necessary to fulfill their responsibilities. For example, the attorneys and legal assistant may be consulted about the application of HIPAA rules and University policies to specific situations where PHI must be disclosed to the attorneys or legal assistant in order to obtain legal advice. Also, if a faculty member or staff is accused or suspected of violating HIPAA and University policies regarding PHI, this office would provide advice in conducting an investigation and, if necessary, disciplining the employee. This office would be involved in handling allegations of violations of HIPAA by the University itself or its employees, if a complaint were filed with an outside administrative agency or court. The support staff in that office might have access to those records in order to assist (e.g., setting up and organizing the file, putting the file away and retrieving it, preparing correspondence, typing notes, etc.). Faculty Personnel Services: Employees in this unit of the university may have access to PHI to the extent necessary to fulfill their responsibilities. For example, if a faculty member is accused or suspected of violating HIPAA or University policies regarding PHI, this office would be involved in conducting an investigation and, if necessary, disciplining the employee. This unit also may need access to certain PHI in order to address personnel decisions or benefit enrollment, eligibility, claims and system design, for

Page 3 of 5 example, in relation to early retirement agreements. The Director and Assistant Directors of Faculty Personnel Services would have primary access to those records needed. The support staff in that office might have some access to those records in order to assist (e.g., setting up and organizing the file; putting the file away and retrieving it, preparing letters, typing witness notes, etc.). Benefits and Wellness: Employees in this unit of the university administer the self funded health plans, and they may have access to PHI of employees and their dependents to the extent necessary to fulfill their responsibilities. For example, they handle enrollment and eligibility information, claims management, and system design. All employees of this unit will have access to this information maintained by the unit. Employee Relations and Training, Human Resources: Employees in this unit of the university may have access to PHI to the extent necessary to fulfill their responsibilities. For example, if an employee is accused or suspected of violating HIPAA and University policies regarding PHI, this office would be involved in conducting an investigation and, if necessary, disciplining the employee. The Director and Assistant Director of Employee Relations and Training would have primary access to those records needed to conduct the investigation or discipline process. The support staff in that office might have some access to those records in order to assist (e.g., setting up and organizing the file; putting the file away and retrieving it, preparing letters, typing witness notes, etc.). University Health Services: Employees of this department of the university may have access to PHI to the extent necessary to fulfill their responsibilities. For example, the receptionist will handle enrollment, insurance, and appointment information; physicians have access to the full medical record in order to provide treatment; the laboratory staff will have access to the laboratory order and report information. Specific access will be permitted for each position as required to facilitate the treatment, payment, and health care operations of the department. The Carls Center for Clinical Care and Education: The Center provides clinical services through several specialty clinics. Currently included are the Speech-Language Pathology and Audiology Clinics, the Psychological Training and Consultation Center and Physical Therapy Clinics. The Carls Center provides centralized scheduling and billing and other support services for each of these specialty clinics, and its employees may have access to PHI to the extent necessary to fulfill their responsibilities. For example, a receptionist may handle appointments; the billing persons will handle insurance and billing; support staff may provide support services (setting up files; putting the file away and retrieving it, preparing letters, typing notes, etc.). Professional faculty and staff and student clinicians provide clinical services to clients and may have access to PHI to the extent necessary to fulfill their responsibilities. They, and clinical supervisors, will have access to the full clinical record of their clients received from other health care providers and developed by them in order to conduct testing, diagnosis, treatment, and supervision of student clinicians. Student and employee clinicians may consult with other health care providers about diagnosis and treatment or provide information regarding orders and service for hearing instruments, augmentative communication devices, rehabilitation plans. Business Associates: The Business Associates of units within the hybrid entity may have access to PHI as described in the Business Associate Agreements. 2.0 Use, Disclosure and Requests for entire medical record. CMU will not use, disclose or request an entire medical record, except as allowed by 1.0 above, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. In general, few members of the CMU workforce will have access to an entire clinical record. Only physicians, physician assistants, nurse practitioners,

Page 4 of 5 health information specialists, licensed and unlicensed therapists, and student clinicians/interns will be authorized to review an entire clinical record. Such access will be limited to the records of patient/client/employees with which the professional has a current therapeutic relationship or for whom a professional consultation has been requested. Access to the entire clinical record of these patient/client/employees has been determined to be critical to the continuity of the patient/client/employee s care as well as essential to diagnosis, treatment selection and the health and safety of the patient/client/employee and others. 3.0 Routine Disclosures of and Requests for PHI. CMU recognizes that the need for information varies according to the duties performed by the party obtaining the information. Routine disclosures/requests are those that do not require individual review/analysis of the purpose and amount of information necessary before a disclosure/request may be made. Each unit of the CMU Hybrid Entity shall maintain a list of the classes of persons within the workforce and the types of PHI which are routinely available to that class. The list shall be developed using a worksheet to identify disclosures routinely made by the unit by the following characteristics: The type of PHI to be used or disclosed, The types of persons who will use or who will receive the disclosure, The conditions that will apply to the use or disclosure, and The purpose for which the PHI will be used or disclosed. 4.0 Non Routine disclosures and requests. All non-routine disclosures will be reviewed by the privacy officer for the unit of the hybrid entity that houses the information in order to determine that the disclosure complies with the minimum necessary standard, in accordance with criteria contained in this Policy. The following criteria will be considered when limiting the amount of PHI requested, used, or disclosed by CMU personnel to the minimum necessary amount: a. The use, disclosure, or request is permissible under HIPAA b. An Authorization for use, disclosure, or request has been obtained, if required c. Additional privacy restrictions do not apply, e.g., FERPA d. The patient has not objected to the disclosure and has had the opportunity to do so e. Written criteria have been established and referred to in evaluating the request -- does the requesting individual have the authority/right to receive the requested information? --has the requesting individual clearly stated the purpose for the request, use, or disclosure of the PHI? -- are all of the individuals identified for whom the use or disclosure of the PHI is required? -- does each of them have the type of access required in order to receive it? 5.0 Reliance on request for disclosure as minimum necessary. CMU will rely on requested disclosure as the minimum necessary when:

Page 5 of 5 the information is requested by another covered entity or from another entity within the CMU hybrid; or the request comes from a public official who represents that the information requested is the minimum necessary the information is requested by a professional who is an employee of CMU or a business associate of CMU for the purpose of providing professional services to CMU, if the person represents that the information requested is the minimum necessary; or documentation required by the Institutional Review Board (IRB) demonstrates that the request is only for the minimum amount of PHI necessary to accomplish the purpose of IRB review or is consistent with the informed consent of the individual who consents to participate in the research. Central Michigan University reserves the right to make exceptions to, modify or eliminate these guidelines. This document supersedes all previous guidelines relative to its subject.

2024 © careersdocbox.com Privacy Policy | Terms of Service | Feedback