Dr.
Manjit Kaur Khalsa Ed.D.
Patient Records Privacy
Policy and Proceedures
POLICIES
AND PROCEDURES
In
my office:
§
I keep a
copy of each policy for HIPAA in a “HIPAA Compliance” notebook.
§
I have
documented the procedures I employ to ensure that my office is HIPAA compliant.
These are also kept in my “HIPAA Compliance” notebook.
I will
update my procedures in the future should my practice grow or change or to take
account of changes in the law.
Use and Disclosure of PHI
Protected Health Information (“PHI”) may not be used or disclosed in
violation of the Health Insurance Portability and Accountability Act (“HIPAA”)
Privacy Rule (45 C.F.R. parts 160 and 164) (hereinafter, the “Privacy Rule”)
or in violation of state law.
I am permitted, but not mandated, under the Privacy Rule to use and
disclose PHI without patient consent or authorization in limited circumstances.
However, state or federal law may supercede, limit, or prohibit these
uses and disclosures.
Under the Privacy Rule, these permitted uses and disclosures include those made:
· To the patient
· For treatment, payment, or health care operations purposes, or
·
As authorized by the patient.
Additional permitted uses and disclosures include those related to or made pursuant to:
· Reporting on victims of domestic violence or abuse, as required by law
· Court orders
· Workers’ compensation laws
· Serious threats to health or safety
· Government oversight (including disclosures to a public health authority, coroner or medical examiner, military or veterans’ affairs agencies, an agency for national security purposes, law enforcement)
· Health research
·
Marketing or fundraising.
I do not use or disclose PHI in ways that would be in violation of the
Privacy Rule or state law. I use
and disclose PHI as permitted by the Privacy Rule and in accordance with state
or other law. In using or
disclosing PHI, I meet the Privacy Rule’s “minimum necessary requirement,”
as appropriate.
The procedures needed to protect PHI are included, consistent with this policy, in the next section, Minimum Necessary Disclosure.
When using, disclosing or requesting PHI, I make reasonable
efforts to limit PHI to the minimum necessary to accomplish the intended purpose
of the use, disclosure or request. I
recognize that the requirement also applies to covered entities that request my
patients’ records and require that such entities meet the standard, as
required by law.
The minimum necessary requirement does not apply to disclosures for
treatment purposes or when I share information with a patient.
The requirement does not apply for uses and disclosures when patient
authorization is given. It does not apply for uses and disclosures as required by law
or to uses and disclosures that are required for compliance with the Privacy
Rule.
· In my office, I am the only person with access to PHI. I carry out the duties and any appropriate limitations to access.
·
Steps I take to ensure
compliance with the Minimum Necessary Requirement When information is
released, no one else but me will see it in my office. I will review the statute
limitations before leasing any information. A a request for disclosure include a
release from the patient unless it is a request for PHI. I will check the rules
before sending. I have a sheet to document when,
to whom and what information has been provided. (as covered below)
·
I will limit disclosure of
PHI. I will limit disclosure of PHI to that “reasonably necessary to
accomplish the purpose for which the request is made.” PHI will only contain
the following: Names, start-stop time, Modality used, Diagnosis, Functional
status, Treatment Plan, Symptoms, Prognosis, Progress, Reason for seeking
therapy, impact on patients life. It will not include Psychotherapy Notes.
Note: Non-routine disclosure
requests require review on an individual basis in
accordance
with the criteria.
·
What happens when I request
PHI? As a psychologist, I must also limit my request for PHI to the minimum
necessary. PHI will only contain the following: Names, start-stop time, Modality
used, Diagnosis, Functional status, Treatment Plan, Symptoms, Prognosis,
Progress, Reason for seeking therapy, impact on patients life. It will not
include Psychotherapy Notes.
Note: Non-routine disclosure
requests require review on an individual basis in
accordance
with the criteria.
·
For both requests to me and my requests to others for PHI, my
procedures include:
·
I may rely, if such reliance is reasonable under the
circumstances, on a requested disclosure as the minimum necessary for the stated
purpose, if the PHI is requested by another covered entity, by a public official
(who represents that the information requested is the minimum necessary), or by
a researcher (with appropriate documentation).
·
I may rely, if such reliance is reasonable under the
circumstances, on a requested disclosure as the minimum necessary for the stated
purpose, if the PHI is requested by a member of my staff or business associate.
·
I will not use, disclose, or request an entire medical record,
except when the entire medical record is justified as the amount that is
reasonably necessary to accomplish the purpose of the use, disclosure, or
request.
While a patient may authorize the release of any of his PHI, the Privacy
Rule specifically requires patient authorization for the release of
Psychotherapy Notes. Psychotherapy
Notes authorization is different from patient consent or authorization of other
PHI, because a health plan or other covered entity may not condition treatment,
payment, enrollment, or eligibility for benefits on obtaining such
authorization.
As
defined by the Privacy Rule, “Psychotherapy Notes” means “notes recorded
(in any medium) by a mental health professional, documenting or analyzing the
contents of conversation during a private counseling session or a group, joint,
or family counseling session and that are separate from the rest of the
individual’s medical record.” The
term “excludes medication prescription and monitoring, counseling session
start and stop times, the modalities and frequencies of treatment furnished,
results of clinical tests, and any summary of the following items: Diagnosis,
functional status, the treatment plan, symptoms, prognosis, and progress to
date.”
I abide by the Psychotherapy Notes authorization requirement of the Privacy Rule, unless otherwise required by law. In addition, authorization is not required in the following circumstances--
· For my use for treatment
· For use or disclosure in supervised training programs where trainees learn to practice counseling
· To defend myself in a legal action brought by the patient, who is the subject of the PHI
·
For purposes of HHS in determining my compliance with the Privacy
Rule
· By a health oversight agency for a lawful purpose related to oversight of my practice
· To a coroner or medical examiner
·
In instances of permissible disclosure related to a serious or
imminent threat to the health or safety of a person or the public.
I recognize that a patient may revoke an authorization at any time in
writing, except to the extent that I have, or another entity has, taken action
in reliance on the authorization.
·
Psychotherapy Notes are
kept either in my notebook or in a locked file in my home office. Psychotherapy
Notes are kept separate from other PHI.
· What is the process I employ to secure a signed authorization form from your patient? I will generally not release Psychotherapy notes (PN), but if requested, then the patient will have to sign an authorization form. What happens if a patient refuses to sign the form? I will inform the requester, unless otherwise specified in the law, which I will review each time. If a patient indicates restrictions, I will check those against the law, obey the law and keep the patient informed.
Note: I document and retain
such authorization.
·
What steps do I take to
confirm that I have received a valid authorization? Before sending PN, I
will check that the requester provided a valid authorization.
The following points outline key elements that must be included in a
valid authorization as required by the HIPAA Privacy Rule.
A valid
authorization—
·
Must be completely filled out with no false information.
·
May not be combined with another patient authorization.
·
Must be written in plain language
·
Must contain a statement adequate to put the patient on notice of
his or her right to revoke the authorization in writing and either exceptions to
such right and a description of how to revoke, or a reference to revocation in
the notice provided to the patient.
·
Must contain a statement adequate to put the patient on notice of
the inability to condition treatment, payment, enrollment, or eligibility for
benefits on the authorization.
·
Must contain a statement adequate to put the patient on notice of
the potential for information to be redisclosed and no longer protected by the
rule.
Further, a valid authorization must contain the
following information
·
A description of the information to be used and disclosed that
identifies the information in a specific and meaningful fashion.
·
The name or other specific identification of the person(s), or
class of persons, authorized to make the requested use and disclosure.
·
The name or other specific identification of the person(s), or
class of persons, to whom the requested use and disclosure will be made.
·
A description of each purpose of the requested use or disclosure.
The statement “at the request of the individual” is a sufficient
description of the purpose when a patient initiates the authorization and does
not, or elects not to, provide a statement of the purpose.
·
An expiration date that relates to the individual or the purpose
of the use or disclosure.
·
A signature (or if signed by a personal representative, a
description of authority to sign) and date.·
Note: patients are provided a copy of the authorization.
As
required under the Privacy Rule, and in accordance with state law, I provide
notice to patients of the uses and disclosures that may be made regarding their
PHI and my duties and patient rights with respect to notice.
I make a good faith effort to obtain written acknowledgment that my
patient receives this notice.
·
Who is the privacy officer
in my practice? Manjit Khalsa Ed.D. is the privacy officer for my practice.
The phone number is 781 235-0009.
·
What is the process I
employ to secure a signed Notice Form from your patient?
·
I provide notice to my new patients on the first date of
treatment. In an emergency
situation, I provide notice “as soon as reasonably practicable.” (This first
date of treatment timing requirement applies to electronic service delivery, and
a patient may request a paper copy of notice when services are electronically
delivered.) For all clients, notice
was given to them as soon after April 14, 2003 as was possible, depending on the
forms being totally finished and my next appointment with them
·
Except in emergency situations, I make a good faith effort to
obtain from a patient written acknowledgement of receipt of the notice.
If the patient refuses or is unable to acknowledge receipt of notice, I
document why acknowledgement was not obtained.
·
I promptly revise and distribute notice whenever there is a
material change to uses and disclosures, patient’s rights, my legal duties, or
other privacy practices stated in the notice.
· I make notice available in my office for patients to take with them and post the notice in a clear and prominent location.
·
Note: I maintain a web site that provides information about my
practice, and notice is prominently posted and available electronically.
Notice may be made available by e-mail if agreed to by the patient.
The
Privacy Rule permits patients to request
restrictions on the use and disclosure of PHI for treatment, payment, and health
care operations, or to family members. While
I am not required to agree to such restrictions, I will attempt to accommodate a
reasonable request. Once I have
agreed to a restriction, I may not violate the restriction; however, restricted
PHI may be provided to another health care provider in an emergency treatment
situation.
A restriction is not effective to prevent uses and disclosures when a patient requests access to his or her records or requests an accounting of disclosures. A restriction is not effective for any uses and disclosures authorized by the patient, or for any required or permitted uses recognized by law.
The
Privacy Rule also permits patients to
request receiving communications from me through alternative means or at
alternative locations. As required
by the Privacy Rule, I will accommodate all reasonable requests.
The following provides guidance
for writing procedures to meet requirements regarding restrictions and
confidential communications.
· How are requests to restrict the use and disclosure of information handled
· A patient must make such a request in writing. It should be precise, clear and in keeping with the laws.
·
The request will be kept with the PHI and honored according to the
law.
· I am not required to accommodate requests to restrict the use and disclosure of information, but once agreed upon, I may not violate the agreement.
· Restricted PHI may be provided to another health care provider in an emergency treatment situation.
· A restriction is not effective to prevent uses and disclosures when a patient requests access to his or her records or requests an accounting of disclosures.
·
A restriction is not effective for any uses and disclosures
authorized by the patient, or for any required or permitted uses recognized by
law.
·
I permit patients to request
receiving communications through alternative means or at alternative locations
and I accommodate reasonable requests. I
may not require an explanation for a confidential communication request, and
reasonable accommodation may be conditioned on information on how payment will
be handled and specification of an alternative address or method of contact.
·
What is the process when a
patient wants to terminate a restriction? If a patient wants to terminate a
restriction, they will send a written termination request and I will document
the request.
In
accordance with state law, the Privacy Rule, and other federal law, patients
have access to and may obtain a copy of the medical and billing records that I
maintain. Patients are also
permitted to amend their records in accordance with such law.
A written
request for records from the patient will ensure that they receive one copy, if
possible under the law.
Requests must be in writing and they will be kept with the PHI. Rights
concerning access to the records is outlined in the Massachusetts Notice Form
attached
Upon
request, I will provide my patients with an accounting of disclosures upon
request, for disclosures made up to six years prior to the date of the request.
While I may, I do not have to provide an accounting for disclosures made
for treatment, payment, or health care operations purposes, or pursuant to
patient authorization. I also do
not have to provide an accounting for disclosures made for national security
purposes, to correctional institutions or law enforcement officers, or that
occurred prior to April 14, 2003.
·
How can a patient request
an accounting of disclosures? Patients may request an account of disclosures
by submitting a request in writing. The request must state the time period for
which the accounting is to be supplied, which may not be longer than six years.
The request must state whether the patient wishes to be sent the accounting via
postal or electronic mail.
·
How do I keep track of, and
process, requests for disclosures?
·
A written accounting will be provided.
For each disclosure in the accounting--the date, name and address (if
known) of the entity that received the PHI, a brief description of the PHI
disclosed, and a brief statement of the purpose of the disclosure that
“reasonably informs” the patient of the basis of the disclosure—is
provided. In lieu of the statement
of purpose, a copy of a written request for disclosure for any of the permitted
disclosures in the Privacy Rule or by HHS for compliance purposes may be
provided.
·
I will keep a copy of the accounting and include the name of the
person (can be yourself) who is responsible for receiving and processing
accounting request
·
If multiple disclosures have been made for a single purpose for
various permitted disclosures under the Privacy Rule or to HHS for compliance
purposes, the accounting also includes the frequency, periodicity, or number of
disclosures made and the date of the last disclosure.
·
I provide an accounting within 60 days of a request, and that I
may extend this limit for up to 30 more days by providing the patient with a
written statement of the reasons for the delay and the date that the accounting
will be provided.
·
The first accounting is provided without charge. For each
subsequent request I I charge a $5 per page fee. I will inform the patient of
this fee and provide the patient the option to withdraw or modify his or her
request.
·
I must temporarily suspend providing an accounting of disclosures
at the request of a health oversight agency or law enforcement official for a
time specified by such agency or official.
The agency or official should provide a written statement that such an
accounting would be “reasonably likely to impede” activities and the amount
of time needed for suspension. However,
the agency or official statement may be made orally, in which case I will
document the statement, temporarily suspend the accounting, and limit the
temporary suspension to no longer than 30 days, unless a written statement is
submitted
I may rely on certain persons or other entities, who or which are not my
employees, to provide services on my behalf.
These persons or entities may include accountants, lawyers, billing
services, and collection agencies. Where
these persons or entities perform services, which require the disclosure of
individually identifiable health information, they are considered under the
Privacy Rule to be my business associates.
I enter into a written agreement with each of my business associates to
obtain satisfactory assurance that the business associate will safeguard the
privacy of the PHI of my patients. I
rely on my business associate to abide by the contract but will take reasonable
steps to remedy any breaches of the agreement that I become aware of.
· It is very infrequent that I would use a Business Associate. However, if necessary, I will ask you to sign The Business Associate Agreement which establishes the uses and disclosures of PHI to the business associate and prohibits use and further disclosure, except to the extent that information is needed for the proper management and administration of the business associate or to carry out its legal responsibilities. The contract also provides that the business associate will—
· Use appropriate safeguards to prevent inappropriate use and disclosure, other than provided for in the contract,
· Report any use or disclosure not provided for by its contract of which it becomes aware,
· Ensure that subcontractors agree to the contract’s conditions and restrictions,
· Make records available to patients for inspection and amendment and incorporate amendments as required under the patient access and amendment of records requirements of the rule,
· Make information available for an accounting of disclosures,
· Make its internal practices, books, and records relating to the use and disclosure of PHI available to HHS for compliance reviews, and
·
At contract termination, if feasible, return or destroy all PHI.
·
If I discover or know of a pattern of activity or practice of a
business associate that constitutes a material breach or violation of the
agreement, I will take reasonable steps
· to cure the breach. If such steps are unsuccessful, I will terminate the contract, or if termination is not feasible, I will report the problem to HHS.
Policy
I
designate myself as the privacy officer, who is responsible for the development
and implementation of the policies and procedures to protect PHI, in accordance
with the requirements of the Privacy Rule.
As the contact person for my practice, the privacy officer receives
complaints and fulfills obligations as set out in notice to patients.
· I am the privacy officer for my practice who is responsible for the development and implementation of the policies and procedures to protect PHI, in accordance with the requirements of the Privacy Rule. I am the contact person for your office to receive complaints and fulfill obligations set out in notice to patients.
·
See box for description.
|
Privacy Officer Job
Description The
Privacy Officer is responsible for all ongoing activities related to the
development, implementation, maintenance of, and adherence to the
practice’s policies and procedures covering the privacy of and access to
patient’s PHI in compliance with federal and state laws. Reporting
Relationship: As applicable Qualifications:
Current knowledge of applicable federal and state privacy laws. The duties
of the Privacy Officer are as follows: 1. Develops, implements and maintains the practice’s policies and procedures for protecting individually identifiable health information. 2. Conducts ongoing compliance monitoring activities. 3. Works to develop and maintain appropriate consent forms, authorization forms, notice of privacy practices, business associate contracts and other documents required under the HIPAA Privacy Rule. 4. Ensures compliance with the practice’s privacy policies and procedures and applies sanctions for failure to comply with privacy policies for all members of the practice’s workforce and business associates. 5. Establishes and administers a process for receiving, documenting, tracking, investigating and taking action on all complaints concerning the practices privacy policies and procedures. 6. Performs all aspects of privacy training for the practice and other appropriate parties. Conducts activities to foster information privacy awareness with the practice and related entities. 7. Ensures alignment between security and privacy practices. 8. Cooperates with the Office of Civil Rights and other legal entities in any compliance reviews or investigatio |
Administrative
Requirement—Training
As required by the Privacy Rule, I train all members of my staff, as necessary and appropriate to carry out their functions, on the policies and procedures to protect PHI. I have the discretion to determine the nature and method of training necessary to ensure that staff appropriately protects the privacy of my patients’ records.
The following provides guidance
for writing procedures to meet the staff training requirement:
·
I train all members of my staff, as necessary and appropriate to
carry out their functions, on the policies and procedures to protect PHI.
·
I will train new members of my staff within a reasonable time
after joining your staff. Also note
that you provide training to staff whose function is impacted by a material
change in the Privacy Rule within a “reasonable time” from the effective
date of the material change.
To
protect the privacy of the PHI of my patients, I have in place appropriate
administrative, technical, and physical safeguards, in accordance with the
Privacy Rule.
·
I have in place appropriate
administrative, technical, and physical safeguards to protect the privacy of
PHI. Notes and PHI are locked up; I have a firewall and an anti-virus program in
my computer.
·
I reasonably safeguard PHI from
any intentional or unintentional use or disclosure that would violate the
Privacy Rule. I let no one see the PHI or psychotherapy notes, unless the law
allows it, or instructed to do so by the patient.
·
I reasonably safeguard PHI to
limit incidental uses or disclosures, by not allowing others to see the PHI
unless it is in accordance with the law.
Administrative
Requirement—Complaints
Policy
The
privacy of my patients’ PHI is critically important for my relationship with
my patients and for my practice. I
provide a process for my patients to make complaints concerning my adherence to
the requirements of the Privacy Rule.
Complaint Procedure
1. Patients may file privacy complaints by submitting them in one of the following ways:
a. In person, in written form.
b. By mail, in a letter containing the necessary information. All complaints should be mailed to:
Manjit K. Khalsa Ed.D.
166 Acorn Street
Millis, Ma 02054.
c. By telephone at 781
235-0009.
2.
All privacy complaints should be directed to the Manjit
K. Khalsa Ed.D.
3. The complaint must include the following information:
a. The type of infraction the complaint involves
b. A detailed description of the privacy issue
c. The date the incident or problem occurred, if applicable
d. The
mailing/email address where formal response to the complaint may be sent.
4. When a privacy complaint is filed by a patient the following process will be followed:
a. I will validate the complaint with the individual. If valid, the error ill be corrected
immediately.
b. If appropriate, attempt to correct any apparent misunderstanding of the policies and procedures on the patient’s part; if after clarification, the patient does not want to pursue the complaint any further, indicate that “no further action is required.” Record the date and time and file under dismissed complaints.
b. If not dismissed, log the complaint by placing a copy of the complaint form in both the complaint file and in the patient’s record
d. Investigate the complaint by reviewing the circumstances with relevant staff (if applicable).
e. If it is determined that the complaint is invalid, send a letter stating the reasons the complaint was found invalid. File a copy of the letter and form in an investigated complaints file.
f. If the investigative findings are unclear, get a second opinion either from your lawyer, the APA Insurance Trust, or the APA Practice Organization.
h. If it is determined that the complaint is valid and linked to a required process or an individual’s rights, follow the office sanction policy to the extent that an individual is responsible. If the complaint involves compliance with the standards that do not involve a single individual, then begin the process to revise current policies and procedures.
i. Once an appropriate sanction or action has been taken with respect to a complaint with merit, or if the response will take more than 30 days, send a letter explaining the findings and the associated response or intended response. Document the disposition of the complaint and file the letter and form in an investigated complaints file.
j. Place a copy of the complaint in the patient’s record.
k. Review both invalid and investigated complaint files periodically, to determine if there are any emerging patterns.
Administrative
Requirement—Sanctions
Policy
I have
and apply appropriate sanctions against a member of my staff who fails to comply
with the requirements of the Privacy Rule or my policies and procedures.
I may not apply sanctions against an individual who is testifying,
assisting, or participating in an investigation, compliance review, or other
proceeding.
If
I have a billing assistant and they knowingly discloses an entire patient record
to an insurer in violation of the minimum necessary standard, I will provide a
warning to the assistant. Repeated violations would lead to dismissal.
I mitigate, to the
extent possible, any harmful effect that I become knowledgeable of regarding my
use or disclosure, or my business associate’s use or disclosure, of PHI in
violation of policies and procedures or the requirements of the Privacy Rule.
If
I have a receptionist, and they inadvertently sent the wrong patient records to
an insurer for reimbursement, you might request the records back and inform the
patient of the error. Repeated violations would lead to termination of
employment.
Administrative
Requirement—Retaliatory Action and Waiver of Rights
Policy
I
believe that patients should have the right to exercise their rights under the
Privacy Rule. I do not take
retaliatory action against a patient for exercising his or her rights or for
bringing a complaint. Of course, I
will take legal action to protect myself, if I believe that a patient undertakes
an activity in bad faith.
I will not intimidate,
threaten, coerce, discriminate against, or take other retaliatory action against
a patient for exercising a right, filing a complaint or participating in any
other allowable process under the Privacy Rule.
I will not intimidate,
threaten, coerce, discriminate against, or take other retaliatory action against
a patient or other person for filing an HHS compliance complaint, testifying,
assisting, or participating in a compliance review, proceeding, or hearing,
under the Administrative Simplification provisions of HIPAA.
I will not
intimidate, threaten, coerce, discriminate against, or take other retaliatory
action against a patient or other person for opposing any act or practice made
unlawful under the Privacy Rule, provided that the patient or other person has a
“good faith belief” that the practice is unlawful and the manner of
opposition is reasonable and does not involve disclosure of PHI.
I will not require a
patient to waive his or her rights provided by the Privacy Rule or his or her
right to file an HHS compliance complaint as a condition of receiving treatment.
To ensure that I am in
compliance with the Privacy Rule, I have implemented policies and procedures to
ensure compliance with the privacy rule.
·
It is my sincere hope that my policies and procedures are a demonstration of my
compliance with the Privacy Rule.
·
I will make every effort to promptly change my policies and
procedures in accordance with changes to the Privacy Rule.
Notice provided to your patients will also be promptly changed to reflect
the change in policy and procedure, unless the change does not materially affect
the notice. The timing of the
change in notice and reliance on the change may depend on the terms for such
changes in the notice
I meet
applicable state laws and the Privacy Rule’s requirements regarding
documentation.
I
am aware that documentation is required throughout the Privacy Rule to
demonstrate implementation of certain requirements.
These documentation requirements include
· I
include the following in my procedures
·
I maintain policies and procedures in written and electronic form.\
·
All written communication required by the Privacy Rule is
maintained (as well as an electronic copy is maintained) as documentation.
· If an action, activity, or designation is required by the Privacy Rule to be documented, a written and electronic copy is maintained as documentation.
Documentation is maintained for a period of six years from the date of creation or the date when it last was in effect, whichever is later.