Title: HIPAA PRIVACY ADMINISTRATIVE


Administrative-HIPAA Privacy
Title: HIPAA PRIVACY ADMINISTRATIVE

Scope: All MultiCare Health System (MHS) workforce members, which includes, but is not limited to, employees, residents, students, volunteers and other persons who are under the direct control of MHS, who access, use, disclose or come in contact with Protected Health Information (PHI) in any form (paper, electronic or verbal).

Location Scope: MultiCare Health System adopts the following policy and procedure for the following locations: Tacoma General Hospital/Allenmore Hospital, Mary Bridge Children's Hospital, MultiCare Good Samaritan Hospital, MultiCare Auburn Medical Center, MultiCare Deaconess Hospital, MultiCare Valley Hospital, Covington Medical Center and all ambulatory and retail sites.

Policy Statement: This policy includes all HIPAA Privacy requirements under 164.530.

Policy Table of Contents:
I. Privacy Official Contact
II. HIPAA Education and Training
III. Privacy Safeguards
IV. Complaints
V. Sanctions
VI. Duty to Mitigate
VII. HIPAA Retaliatory Acts
VIII. HIPAA Policy Revisions
IX. Waiver of Rights
X. Document Retention

Policy:

I. Privacy Official Contact

A. Based on 164.530(a)(1) of the HIPAA Privacy Rule, MHS must designate a privacy official who is responsible for the development and implementation of the HIPAA Privacy policies and procedures. In addition, MHS must designate a contact person and/or office to be responsible for receiving complaints related to the Privacy Regulations and to provide further information about matters covered by the MHS Notice of Privacy Practices.
Page 1 of 7
B. MHS currently has a Corporate Privacy Office, led by the Chief Privacy Officer, which reports up through the Corporate Compliance department.
C. The Inland Northwest region has Facility Privacy Officers at each location, who report privacy-related issues to the Chief Privacy Officer.

II. HIPAA Education and Training

A. Based on 164.530(b)(1) of the HIPAA Privacy Rule, MHS must train all workforce members on the policies and procedures with respect to PHI as necessary for the workforce to carry out their functions within the covered entity.
B. MHS will train all workforce members on the HIPAA Privacy policies and procedures. Failure to complete the training course(s) may result in disciplinary action, up to and including termination. Each training course is reviewed and updated (if necessary) on an annual basis. All training completion dates are documented by the ILD Education department.
C. Workforce Training Methods:
   1. Training on HIPAA Privacy is provided during New Employee Orientation (NEO).
   2. The annual Computer Based Learning (CBL) HIPAA Privacy course is part of annual mandatory training, and all workforce members are required to complete the CBL within the two months prior to their birth month.
   3. The Corporate Privacy Office (Facility Privacy Officer) attends department staff meetings to give privacy updates or provide additional HIPAA training to that area.
   4. The Corporate Privacy Office (Facility Privacy Officer) provides areas with HIPAA training documentation for the department heads to educate their staff.

   Training methods by workforce member type (columns: New Employee Orientation (NEO), New Volunteer Orientation (NVO), Annual Computer Based Learning (CBL), Ad Hoc Training):
      Employees: X X X
      Non-Employees Travelers: X X X
      Volunteers: X X
      Daily Agency (Per Diem): X X X

   5. The Corporate Privacy Office (Facility Privacy Officer) provides education during announced and unannounced HIPAA Privacy walkthroughs and tours.
D. Requirements:
   1. The Chief Privacy Officer is responsible for the development, approval and implementation of the HIPAA Privacy training consistent with HIPAA requirements.
   2. The Chief Information Security Officer is responsible for the development, approval and implementation of the HIPAA Security training consistent with HIPAA requirements.
   3. MHS workforce members are required to be trained on HIPAA policies and procedures.
   4. The completion date of the required annual CBL is maintained in the Learning Management System (LMS), owned by the ILD Education department.
   5. Documentation of attendance at HIPAA-related education and training that is not recorded in the training system will be forwarded to the Privacy Officer and placed in the ComplyTrack system.

III. Privacy Safeguards

A. Based on 164.530(c) of the HIPAA Privacy Rule, MHS must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of patients' PHI.
B. MHS must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of MHS policies and/or procedures. This includes but is not limited to the following:
   1. MHS has a business associate agreement with a professional shredding company (Iron Mountain) to provide shredding services for all paper PHI. Locked shred bins are located throughout all MHS facilities for convenient and confidential PHI disposal.
   2. Efforts are made to de-identify all materials containing PHI that cannot be placed in a shred bin (e.g. PHI on IV bags).
   3. Faxes containing PHI should include an MHS fax coversheet, which includes a confidentiality notice.
   4. Workforce members are to verify that the fax number is accurate and the correct PHI is attached before faxing to another location.
   5. Fax machines and printers are placed in secure locations to prevent unauthorized access to patients' information. Workforce members are to remove PHI immediately from faxes and copiers to avoid impermissible disclosures under HIPAA.
   6. Workforce members are to double check each page prior to handing out paperwork to patients (e.g. After Visit Summary, Discharge Instructions, prescriptions, etc.).
   7. Departments are expected to store any paper PHI in a secure location (e.g. locked office, locked drawer, nursing station, etc.).
   8. When discussing PHI orally in the proximity of others, workforce members are to reasonably safeguard the information by lowering their voice. PHI should not be discussed in high-traffic areas or areas easily accessible by the public (e.g. cafeterias or elevators).
   9. Workforce members will lock or log out of their workstation when leaving the workstation unattended. (See MHS Information Security: MHS Common Security Policy & Management Plan.)

IV. Complaints

A. Based on 164.530(d)(1) of the HIPAA Privacy Regulations, a patient has the right to make a complaint to the covered entity, and to the Office for Civil Rights (OCR), concerning the following:
   1. The covered entity's privacy policies and procedures;
   2. The covered entity's compliance with the requirements of the Privacy Regulations (see the MHS Notice of Privacy Practices).
B. The Corporate Privacy Office (and Facility Privacy Officer) is responsible for responding to complaints via written notification in a timely manner. MHS may not intimidate, threaten, coerce, discriminate against, or take any retaliatory action against the patient for exercising this right.

V. Sanctions

A. Based on 164.530(e) of the HIPAA Privacy Rule, MHS must have and apply appropriate sanctions against workforce members who fail to comply with MHS privacy policies and procedures, or the requirements of the Breach Notification Rule.
B. Violations of MHS HIPAA Privacy policies and procedures by workforce members may result in progressive guidance up to termination. (See Human Resources: Progressive Guidance policy.)
C. Violations of MHS HIPAA Privacy policies and procedures by community health care providers with access to MHS systems may result in progressive action up to termination of access. (See Technology: Actions for Policy Violations by Non-MHS Entities policy.)
D. The Privacy Office will conduct investigations into potential violations of MHS HIPAA Privacy policies and procedures in conjunction with (but not limited to) Human Resources and the workforce member's supervisor or manager.
E. Once it is determined that a violation of MHS HIPAA Privacy policies and procedures has occurred, sanctions will be imposed as outlined in MHS Human Resources policies and procedures, and will be documented in the employee's file.
F. Violations of a severe nature may result in notification to law enforcement, regulatory agencies, and accreditation or licensure organizations.

VI. Duty to Mitigate

A. Based on 164.530(f) of the HIPAA Privacy Rule, MHS must mitigate, to the extent practicable, any harmful effect that is known to MHS of a use or disclosure of PHI in violation of MHS policies and procedures.
B. The MHS Corporate Privacy Office (Facility Privacy Officer) determines whether, under the circumstances, the mitigation should include notice to the patient. Additional considerations include whether credit monitoring will be offered to patients, depending on the circumstances. (See Administrative-HIPAA Privacy: HIPAA Privacy Breach Notification policy.)
C. The Chief Privacy Officer (Facility Privacy Officer) will take prompt action to mitigate potentially harmful effects of any improper use or disclosure of PHI to the degree that mitigation is possible and reasonable.

VII. HIPAA Retaliatory Acts

A. Based on section 164.530(g) of the HIPAA Privacy Rule, MHS may not intimidate, threaten, coerce, discriminate against or retaliate against an individual who exercises his or her rights, including filing a complaint, under the HIPAA Privacy Rule.
B. MHS will not tolerate any workforce member who attempts to intimidate, threaten, coerce, discriminate against, or retaliate against any person who:
   1. Makes a complaint to HHS, OCR, DOH, and/or CMS;
   2. Makes a complaint to the MHS Corporate Privacy Office or Facility Privacy Officer;
   3. Testifies for, assists with, or participates in an investigation, compliance review, proceeding, or hearing by HHS or other appropriate authority;
   4. Opposes any act or practice the person believes in good faith is illegal under the HIPAA Privacy Rules, provided the opposition is reasonable and does not involve illegal disclosure of PHI.
C. If a workforce member suspects someone at MHS has committed a retaliatory act pertaining to their HIPAA Privacy rights or those of a patient, he or she should report the incident to the Corporate Privacy Office or the Corporate Compliance Hotline immediately so the following steps can occur:
   1. The Chief Privacy Officer will investigate the grievance;
   2. The Chief Privacy Officer will conduct the investigation in coordination with, but not limited to, Corporate Compliance, Legal Services, the Facility Privacy Officer, Risk Management and/or Human Resources to discuss the findings, if any;
   3. The workforce member will be notified in writing when the issue has been resolved in accordance with MHS policy and procedure;
   4. All documentation will be retained in the Corporate Privacy Office.

VIII. HIPAA Policy Revisions

A. Based on section 164.530(i) of the HIPAA Privacy Rule, MHS must implement policies and procedures with respect to PHI that address each applicable standard in the Privacy Regulations.
B. MHS HIPAA Privacy policies, procedures, and forms are reviewed by the Chief Privacy Officer on an annual basis and updated, if necessary. All HIPAA Privacy policies and procedures take into account how PHI relates to each department and to the entity as a whole to ensure compliance.
   1. The Corporate Privacy Office will conduct an annual review of all policies, procedures, and forms according to the policy revision date.
   2. The Corporate Privacy Office may make changes to a policy, procedure, and/or form at any time, if the changes do not materially affect the content of the Notice of Privacy Practices (NPP).
   3. If changes to the documentation occur, the appropriate committee will approve all changes made by the Corporate Privacy Office.
   4. If a change occurs to the HIPAA Privacy Rule or other applicable state or federal laws before the annual evaluation period, the Corporate Privacy Officer will update the HIPAA Privacy policies, procedures, and/or forms to comply with the change(s).
   5. Once the policy is reviewed and/or updated by the Privacy Office and the appropriate committee, the revision and approval dates will be updated and all documentation saved on the HIPAA shared drive.
   6. Any necessary communications to workforce members affected by the policy change(s) will be issued by the Corporate Privacy Office.

IX. Waiver of Rights

A. Based on 164.530(h) of the HIPAA Privacy Rule, MHS may not require individuals to waive their rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits. (See the MHS Standards for Business Conduct and the MHS Notice of Privacy Practices.)

X. Document Retention

A. Based on 164.530(j)(2) of the HIPAA Privacy Rule, all documentation related to HIPAA Privacy and patients' PHI will be retained in the Corporate Privacy Office up to six (6) years. However, there may be additional retention requirements at an MHS system level.

Related Policies:
   Administrative-HIPAA Privacy: HIPAA Privacy Breach Notification
   Administrative-HIPAA Privacy: Incidental Uses and Disclosures of Protected Health Information (PHI)
   MHS Policy: Progressive Guidance
   MHS Information Security: MHS Common Security Policy & Management Plan
   Notice of Privacy Practices
   MHS Standards for Business Conduct

References: 45 C.F.R. 164.530: Administrative requirements

Point of Contact: MHS Privacy Office (253) 459-8300

Approval by: SKRB on behalf of CMC MEC Quality Safety and Steering Committee

Original Date / Revision Dates / Reviewed with no Changes Dates / Date of Approval: 4/18; 11/17, 4/18; 9/17; XX XX

Distribution: MHS Intranet

Scope updated (added CMC only) April, 2018.