HIPAA Overview and Policy for Distribution of Notice of Privacy Practice

HIPAA stands for Health Insurance Portability and Accountability Act.

HIPAA covers two main areas: Privacy Regulations and Security Regulations.

HIPAA covers Protected Health Information (PHI) which includes name, address, telephone number, e­mail address, medications, medical conditions, identity of treating providers, written information received from other sources concerning medical conditions, billing information.

21st Century Rehab, P.C. has a HIPAA Compliance Committee consisting of Michelle Cassabaum, Steve Cassabaum, and Jason Horras (HIPAA Privacy Officer).

Any questions regarding HIPAA policies or requests for information need to be addressed to Jason Horras (HIPAA Privacy Officer) at (515) 382-3366. 

21st Century Rehab will maintain patient records for a period of 6 years as outlined under HIPAA guidelines. Chart information greater than 6 years will be shredded maintaining PHI confidentiality. 

21st Century Rehab, P.C. will maintain policies as stated in the Notice of Privacy Practice that will be distributed to all patients the first time they are seen beginning April 14, 2003. Each time a new patient is seen at a 21st Century Rehab clinic they will be given a Notice of Privacy Practice which may be denied by patient if they bave previously received one and no revisions have been made since that time. During registration, each patient will sign an acknowledgement form that will be kept in their patient chart stating that the patient has received this notice.

Authorizations for release of information must be written except for release to family/friends who are present during treatment and will be assisting with the patient's care. Verbal permission is ok to release PHI for family and friends and must be documented in chart. 

Our Responsibilities. Federal law imposes certain obligations and duties upon us as a covered health care provider with respect to your Protected Information. Specifically, we are required to: 

  • Provide you with notice our legal duties and our facility's policies regarding the use and disclosure of your Protected Information;
  • Maintain the confidentiality of your Protected Information in accordance with state and federal law;
  • Honor your requested restrictions regarding the use and disclosure of your Protected Information unless under the law we are authorized, in which case you will be notified within a reasonable period of time;
  • Allow you to inspect and copy your Protected Information during our regular business hours;
  • Act on your request to amend Protected Information within sixty (60) days and notify you of any delay which would require us to extend the deadline by the permitted thirty (30) day extension;
  • Accommodate reasonable requests to communicate Protected Information by alternative means or methods; and 
  • Abide by the terms of this notice

Your Rights: Federal law grants you certain rights with respect to your Protected lnformation. Specifically, you have the right to: 

  • Receive notice of our policies and procedures used to protect your Protected Information;
  • Request that certain uses and disclosures of you Protected Information be restricted; provided, however, if we may release the information without your consent or authorization, we have the right to refuse your request;
  • Access to your Protected Information; provided however, the request must be in writing and may be denied in certain limited situations;
  • Request that your Protected Information be amended;
  • Obtain an accounting of certain disclosures by us of your Protected Information for the past six years;
  • Revoke any prior authorizations or consents for use or disclosure of Protected Information, except to the extent that action has already been taken; and 
  • Request communications of your Protected Information are done by alternative means or at alternative locations.

Policy for Requests for Amendment of Chart, Individual Access to Patient Chart, Alternative Methods of Communication, and Restriction on Disclosure 
As stated in the Your Rights section of the Notice of Privacy Practice document, requests for amendment of chart, alternative methods of communication, restriction on uses/disclosures, and individual access to 
patient chart information can be made to the front office person at each office. All attempts will be made at that clinic to comply with these requests. 21st Century Rehab, P.C. has the right to refuse these requests. Denials must be returned to patient in timely manner with clear reason for denial. This information will forwarded to the HIPAA Privacy Officer at the 21st Century Rehab, P.C. corporate office in Nevada, IA. 
 

Policy for Accounting for Disclosures of PHI 
An accounting log will be kept at each office that will be turned in monthly to HIPAA Privacy Officer and stored at the 21st Century Rehab, P.C. corporate office in Nevada, IA for all release of infonnation not 
related to treatment, payment, or health care operations. Additionally, minimum necessary standard will be followed for all release of information. 

Policy for Refrain from Retaliatory Acts 
21st Century Rehab will not retaliate against individuals filing HIPAA complaints against any employees or the corporation.

 
Policy for Business Associate Contracting 
All business associates shall have a signed Privacy and Confidentiality Agreement that will be enforced with failure to comply resulting in possible immediate termination of contract. Included in this agreement is an indemnification provision stating that business associate will be responsible for legal costs and other ramifications associated with violation of this agreement. 

Policy for Contractor Confidentiality Agreement 
All contractors shall have a signed Contractor Confidentiality Agreement that will be enforced with failure to comply resulting in possible termination of services with 21st Century Rehab, P.C. Included in this 
agreement is an indemnification provision stating that business associate will be responsible for legal costs and other ramifications associated with violation of this agreement. 

Policy for Employee Training and Employee Confidentiality Agreement 
All employees will receive initial HIP AA training before April 13, 2003. Follow-up training will be provided on an as needed basis. Each employee will have an Employee Training Form that will be used to record initial and follow-up training. A copy of this form shall be kept in each employee's personnel file and another copy will be kept by HIPAA Privacy Officer. All new employees will receive HIPAA training within 30 days of hire. 

Each employee of 21st Century Rehab, P.C. will sign an Employee Confidentiality Agreement immediately following their initial training. A copy of this agreement will be kept in each employee's personnel file and another copy will be kept by HIPAA Privacy Officer. Initial violations of HIPAA policies, non-intentional, will be remedied with follow-up HIPAA training. Subsequent violations of HIPAA policies, non­-intentional, may be grounds for immediate tennination. Any intentional violation of HIPAA policy will result in immediate termination. There can be severe fines for each violation of HIPAA.

Policy for Uses/Disclosures of PHI authorized by law

How Your Protected Information may be Used and Disclosed: Generally, your Protected Information may be used and disclosed by us only with your express written authorization. However, there are some exceptions to this general rule. 

Policy for Uses/Disclosures of PHI to Friends or Family

Notification and Communications to Individuals Involved in Your Care: Unless you have informed us otherwise, your Protected Information may be used or disclosed by us to notify or assist in notifying a family member or other person responsible for your care. In most cases, Protected Information disclosed for notification purposes will be limited to your name, location, and general condition. In addition, unless you have informed us otherwise, Protected Information may be released to a family member, relative or close personal friend who is involved in your care to the extent necessary for them to participate in your care. In the event you wish for any of these uses or disclosures to be limited, please contact facility personnel. 

Policy for Uses/Disclosures for Treatment, Payment, and Health Care Operations

How Your Protected Information may be Used and Disclosed: Generally, your Protected Information may be used and disclosed by us only with your express written authorization. However, there are some may be used and disclosed by us only with you exceptions to this general rule. 

Treatment, Payment, or Health Care Operations.

Treatment Purposes: We may use or disclose your Protected information for treatment purposes. During your care at our facility, it may be necessary for various personnel involved in your care to have access to your Protected Information in order to provide you with quality care. In addition, we may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services which may be of interest to you. Situations may also arise when it is necessary to disclose your Protected Infmmation to health care providers outside our facility who may also be involved in your care. For example, we may inform your physician of medications you are currently taking. 
 

Payment Purposes: Your Protected Information may also be used or disclosed for payment purposes. It is necessary for us to use or disclose Protected Information so that treatment and services provided by us may be billed and collected from you, your insurance company, or other third party payer. For example, we may disclose your Protected Information to your health insurance carrier to obtain prior approval for a service. We may also release your Protected Information to another health care provider or individual or entity covered by the HIPAA privacy regulations that has a relationship with you for their payment activities. For example, we may disclose information to your health insurance carrier upon its request for additional information necessary for it to determine whether a service is covered. 
 

Health Care Operations: Your Protected Information may also be used for health care operations, which are necessary to ensure our facility provides the highest quality of care. For example, your Protected 
Information may be used for quality assurance or risk management purposes or disclosed to our accountant for auditing purposes. We may at time remove information which could identify you from record so as to prevent other from learning who the specific patients are. In addition, we may release your Protected Information to another individual or entity covered by the HIPAA privacy regulations that has a relationship with you for their fraud and abuse detection or compliance purposes, quality assessment and improvement activities, or review, evaluation or training of health care professionals or students. For example, we may disclose information to another health care provider involved in your care if the provider requests the information is necessary for its evaluation of one of its medical students. 

Policy on Minimun Nccessary Standard and Reasonable Safeguards

21st Century Rehab, P.C. utilizes a minimum necessary standard by defining who in the organization has access to PHI and to what extent. Employees will use this information only to perform job functions. 

Therapists (Physical, Occupational, Speech), Certified Assistants, Rehab Aides, Front Office Staff, and Billing Office Staff will have full access to PHl as it is necessary to fulfill all aspects of patient care and billing from information provided in patient chart. Additionally, students doing internships will have access to all PHI for patient care as it appears in patient chart. 

Marketing director will not have access to patient charts except in efforts for QA or internal marketing and will be limited to name, age, address, phone number, date of service, and diagnosis and referral source. 
President and Vice-Presidents will have access to chart information as it is necessary to perform job functions including QA and chart reviews for administrative tasks. 

Minimum Necessary Standard applies to requests from insurance carriers, workman's compensation, or other individuals seeking any PHI. Employees will request and only release the minimal amount of 
information necessary to complete their assigned task such as number of visits or copies of notes. When theses requests are received, 2 Ist Century Rehab, P.C. will specifically ask requestor to define their 
minimum necessary information for each situation. 

Reasonable safeguards are in place to limit access to PHI by employees who do not need this information and all non-employees. These safeguards include the following: 

  • Signs posted at all front desk areas indicating this area for staff only and by enforcing this policy at all times.
  • All patient charts will be labeled only with patient first name and first I or 2 letters of last name.
  • Charts in patient care areas will be closed and never left unattended.
  • All charts are to remain in clinic unless to be used for a home health visit, chart review with medical director, QA work for corporation, or being sent to corporate office to be filed.
  • Soft voices will be used when discussing information with patient related to their care. Pt will be asked if it is ok to talk about information in a non-private location if needed.
  • Don't pass along infonnation you overhear.
  • Avoid discussing information in public areas.
  • Use first name only.

Information should be de-identified as much as possible to limit disclosures of PHI. Examples include using initials, first names only, etc. 
 

Incidental disclosures are disclosures that cannot be reasonably prevented, is limited in nature and occurs as a by-product of permitted use or disclosure. We must be able to show that all reasonable measures were taken to protect patient information from disclosure. Incidental disclosures will not result in disciplinary actions. 

imposed against 21st Century Rehab, P.C. and the individual who commits the violation. Violations or HIPAA policies should be reported to HIPAA Privacy Oflicer at (515) 382-3366. 

Policy for Marketing Uses/Disclosures

21st Century Rehab, P.C. may contact former patients in the forms of newsletters or other mail correspondence. Individuals may request to be removed f om 21st Century Rehab, P.C. mailing list at any time by contacting a local office and this information will be forwarded to the marketing director. Patient perspective forms will not be posted in Patient Perspective book without patient signature. 

More news...