SCOPE OF POLICY
This policy applies to all agency staff members. Agency staff members include all employees, trainees, volunteers, consultants, contractors and subcontractors at the agency.
STATEMENT OF POLICY
The agency is committed to protecting the privacy and confidentiality of health information about its consumers. “Protected health information” (as defined below) is strictly confidential and should be used and disclosed only for those purposes authorized under the agency’s policies or applicable law.
IMPLEMENTATION OF POLICY
A. Protected Health Information
For purposes of this policy, the term “protected health information” means any consumer information that
1. relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
2. either identifies the individual or could reasonably be used to identify the individual.
Some examples of protected health information are:
§ information about the consumer’s health condition (such as a condition the consumer may have);
§ information about health care services the consumer has received or may receive in the future (such as PT or OT);
§ information about the consumer’s health care benefits under an insurance plan (such as whether a prescription is covered); and
§ information about whether a consumer is receiving health care services from our agency or any other health care provider;
when combined with:
§ demographic information (such as the consumer’s name, address, race, gender, ethnicity or marital status);
§ geographic information (such as where the consumer lives or works);
§ unique numbers that may identify the consumer (such as a social security number, medical record number, telephone number, or driver’s license number); or
§ other types of information that may identify who the consumer is.
This policy applies to protected health information in any form, including spoken, written or electronic form.
It is the responsibility of every agency staff member to preserve the privacy and confidentiality of all protected health information and to ensure that protected health information is used and disclosed only as permitted under the agency’s policies and applicable law. This includes, but is not limited to, compliance with the protective procedures below.
B. Uses and Disclosures for Treatment, Payment and Health Care Operations (TPO)
Unless the agency has received a specific written authorization from the consumer for, or applicable law otherwise requires or permits, a particular use or disclosure of protected health information, protected health information may only be used or disclosed for purposes of (i) our agency’s treatment activities, payment activities, and health care operations, and (ii) certain treatment activities, payment activities, and health care operations of other health care providers and of health plans.
For purposes of this policy, the term “treatment” means providing, coordinating or managing the consumer’s health care and any related services. Some examples of treatment activities involving the use or disclosure of protected health information are:
· using protected health information about a consumer’s disease or condition to diagnose or provide care to the consumer;
· disclosures of protected health information to other health care providers who are involved in taking care of the consumer;
· disclosures of protected health information to another health care provider in order to obtain advice about how best to diagnose or provide care to the consumer; and
· disclosures of protected health information to another health care provider to whom the consumer has been referred to ensure that this health care provider has the necessary information to diagnose or provide care to the consumer.
For purposes of this policy, the term “payment” generally means the activities undertaken by the agency to obtain or provide reimbursement for the provision of health care. Some examples of payment activities involving the use or disclosure of protected health information are:
· disclosing the consumer’s protected health information to a health insurance plan to determine whether it will provide coverage for the consumer’s treatment;
· disclosing the consumer’s protected health information to obtain pre-approval before providing a treatment or service, such as admitting the consumer to the agency for a particular type of surgery; and
· disclosing the consumer’s protected health information to his or her health insurance plan to obtain reimbursement after the agency has treated the consumer.
Uses and disclosures of protected health information for the agency’ payment purposes are subject to the HIPAA Privacy Regulations’ "minimum necessary" standard
Health Care Operations
For purposes of this policy, the term “health care operations” generally refers to those general business and administrative functions of the agency that are required in order to operate and perform its health care functions. Some examples of uses and disclosures of protected health information for health care operations are:
· uses and disclosures of protected health information for quality assurance and utilization review purposes;
· uses and disclosures of protected health information for education and training of students and other trainees;
· uses and disclosures of protected health information to recommend possible treatment options or alternatives, or health-related benefits or services, that may be of interest to the consumer;
· uses and disclosures of protected health information for legal services, business planning, and other business management and general administrative activities; and
· uses and disclosures of protected health information to raise funds for the benefit of the agency.
Uses and disclosures of protected health information for the agency’s health care operations are subject to the HIPAA Privacy Regulations’ "minimum necessary" standard.
Disclosure for Other Persons’ TPO
Our agency also may disclose protected health information to others for their treatment, payment and health care operations as follows:
· Our agency may disclose protected health information to another health care provider for its treatment activities.
· Our agency may disclose protected health information to a health plan or another health care provider for its payment activities.
· Our agency may disclose protected health information to a health plan or another health care provider for its health care operations, but only if
o (i) both our agency and the other party have, or had, a relationship with the consumer whose information is being disclosed;
o (ii) the protected health information being disclosed pertains to that current (or previous) relationship; and
o (iii) the disclosure is for certain limited health care operations activities, including conducting quality assurance and/or quality improvement activities, education or training of students and other staff, reviewing the competence or qualifications, or the performance, of health care professionals, accreditation, licensing, credentialing, and fraud and abuse detection or compliance activities.
Disclosures of protected health information for others’ payment activities or health care operations are subject to the HIPAA Privacy Regulations’ minimum necessary standard.
C. De-identified Information Not Subject to TPO Restriction
Protected health information is considered “de-identified” when all elements that have the potential to identify the consumer have been removed. Protected health information will be deemed de-identified when (i) a person with appropriate knowledge and experience in scientific and statistical principles for de-identifying information has determined that there is a very small risk that that the information can be used to identify the consumer and has documented the analysis that justifies that decision, or (ii) certain specific identifying elements regarding the consumer and his or her relatives, employers and household members have been removed and the remaining information cannot be used to identify the consumer.
The elements that must be removed include the following:
all geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes;
all elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements (including year) indicative of such age, except that ages and elements may be aggregated into a single category of 90 or older;
- telephone numbers;
- fax numbers;
- electronic mail (e-mail) addresses;
- Social Security numbers;
- medical record numbers;
- health plan beneficiary numbers;
- account numbers;
- certificate/license numbers;
- vehicle identifiers and serial numbers, including license plate numbers;
- device identifiers and serial numbers;
- World Wide Web Universal Resource Locators (URLs);
- internet protocol (IP) address numbers;
- biometric identifiers, including finger and voice prints;
- full face photographic images and comparable images; and
- any other unique identifying number, characteristic or code.
Because de-identified information is no longer considered protected health information, such de-identified information is not subject to the TPO restriction and generally may be used and disclosed without limitation. However, agency staff must obtain approval from Peggy Himes, Privacy Officer that protected health information has been appropriately de-identified prior to treating such information as de-identified information.
D. Uses of Protected Health Information for Reasons Other Than TPO
Agency staff are instructed to consult their department supervisors if they are unsure whether a particular use or disclosure satisfies the definition of TPO, or if they believe they need to use or disclose protected health information for reasons other TPO and they are unsure whether an exception applies or if the agency has obtained an authorization for that particular use or disclosure. The department supervisors will be responsible for providing guidance or directing the individual to the agency staff member or the department better able to provide the necessary guidance.
The agency’s Privacy Officer has general responsibility for implementation of this policy. Members of our agency staff who violate this policy will be subject to disciplinary action up to and including termination of employment or contract with Schoharie County Chapter, NYSARC. Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to his or her supervisor or the agency’s Privacy Officer. All reported matters will be investigated, and, where appropriate, steps will be taken to remedy the situation. Where possible Schoharie County Chapter, NYSARC will make every effort to handle the reported matter confidentially. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment or contract with Schoharie County Chapter, NYSARC
If you have questions about this policy, please contact the agency’s Privacy Officer immediately. It is important that all questions be resolved as soon as possible to ensure protected health information is used and disclosed appropriately.
Effective Date: April 15, 2003