imagine! protected health information procedures 2015 …...with individuals not entitled to...
TRANSCRIPT
1
Procedures for Protecting the Rights of Privacy of Individual’s Protected Health Information
Approved by Imagine! Executive Director 4-1-86
Revised: 4-21-88: 3-24-89; 6-13-89 Revised: 5-1-93; 8-1-01, 4-14-03. 8-23-11, 7-1-15, 3-24-16
I. Protection of Health Information Pursuant to C.R.S. 27-10.5-120 as amended: Part 42 of the Code of Federal Regulations (42 CFR 442.502); the Family Education Rights and Privacy Act, 20 U.S.C. Section 1232(q); and the rules and regulations established by Developmental Disabilities Services, the Board of Directors of Imagine! adopts the policy to protect the rights of privacy of individuals with regard to how protected health information is collected, maintained, used and/or disclosed by Imagine!. All information and photographs collected or prepared in the course of determining eligibility or providing services or supports to an individual seeking or receiving services/supports shall not be public records, shall be kept confidential and are subject to the evidentiary privileges established by law. The Imagine! Executive Director appoints a Privacy Officer for Imagine!. The Privacy Officer is the Director of Corporate Strategy. The Privacy Officer is responsible for overseeing the acquisition, use and release of protected health information maintained by Imagine!. The Privacy Officer is also responsible for processing requests to access and to amend protected health information maintained by Imagine!. The Privacy Officer is also responsible for developing, implementing, updating and maintaining the current Imagine! Notice of Privacy Practices, and policies and procedures so that they are in compliance with the HIPAA rule regarding the use and disclosure of protected health information. Written or electronic documentation of this appointment will be maintained for 6 years from the date of appointment. Protected health information regulated by this policy is any information that could reasonably be expected to identify the individual seeking or receiving services/supports or their family or contact persons. This information includes but is not limited to name, Social Security Number, Medicaid number, any other identifying number or code, street address, telephone number, photograph, fax number, e-mail address, finger or voice prints or any distinguishing marks. Identifying numbers assigned and used internally within Imagine! are excluded. All information maintained by Imagine! is considered to be individually identifiable information until it has been de-identified by the Imagine! Privacy Officer or designee (generally Case Management support staff or the Case Manager/Service Coordinator for the individual), as outlined in Section II below. At Intake, the individual or personal representative will be advised of the type of information collected and maintained; who collects the information and how; storage and maintenance of
2
the information; the anticipated use and routine disclosure of the information. This policy applies to personal information in any format including, but not limited to individual records; correspondence or other written material; verbal communication; photographs; and electronically stored data.
The Imagine! Intake Case Manager or Service Coordinator, as part of the intake process, will provide the applicant, their family, guardian, or personal representative with a copy of the Imagine! Notice of Privacy Practices regarding maintenance, use, and release of protected health information. Employees of Imagine! shall not discuss identifying information about an individual seeking or receiving services/supports in public, i n public areas of Imagine! offices, nor with individuals not entitled to protected health i nformation. Protected health information, in both written and electronic form, concerning individuals seeking or receiving services/supports is the property of Imagine!. Imagine! is responsible for maintaining and safeguarding this information. Case Managers/Service Coordinators and administrative support staff are responsible for ensuring that the record of each consumer in the caseload is maintained in accordance with all applicable laws and regulations including the Rules and Regulations of the Division for Intellectual Developmental Disabilities Services and Imagine! policies and procedures. Case Management administrative support staff and the Records Room Administrative Assistant will be responsible for opening, compiling, and maintaining each consumer file under the direction of the Case Management staff and the Director of Client Relations. Identifying information will be maintained in as few locations as possible, inaccessible to the general public and restricted from access by unauthorized individuals.
1. A single case record will be maintained in Imagine! Records Room, and will be designated as the primary file.
2. All active computer files regarding consumers will be inaccessible without a password. 3. All inactive computer files stored on USB drives will be kept in a locked drawer. 4. All other archived files will be kept in a designated area that is inaccessible to the
general public which can include an off-site location. Case records of consumers will contain, in paper and/or electronic form, at minimum the following:
1. A face sheet outlining the contents of the file. 2. Consumer identification data including name; birth date; street address; telephone
number; parent/guardian and emergency contact information. Consumer/Guardian addresses and telephone numbers must be updated on the face sheet of the file within three business days of receipt of the new information.
3. Required releases and consent forms including: a. Statement of responsibility which includes acknowledgement of receipt of due
process procedures. b. Statement of rights agreement signed by the consumer/guardian on a yearly
basis.
3
c. Consent to release records to specific individuals/agencies current within one year.
d. Consent to request records from specific persons/agencies or copies of consent forms sent to obtain records. Unused forms are valid only one year from date of signature and must have the name of the person or agency the request will be sent to. Each request must be signed by the consumer or personal representative, as appropriate.
e. Personal representative form for adult consumer if necessary. f. Release of Liability. g. Consent for developmental and/or psychological evaluation current within one
year. h. Parental consent for ongoing assessment of a child current within one year. i. Documented evidence that consumer/personal representative has received
information about service agencies appropriate to meet the needs of the individual.
j. Application for service/support form. k. Medical history. l. Developmental history for child; as required by regulation for adult consumers. m. Immunization record and/or copy of certificate of immunization for children and
for adults living in/receiving residential services or supports. n. Intake summary completed by Intake Case Manager and updated as needed or
required by Imagine! procedures. o. Medical reports including a physical exam completed upon entry into program
and as required by applicable regulations thereafter. p. Evaluation reports including but not limited to psychological (intellectual and
projective as applicable); adaptive behavior; speech therapy; occupational therapy; vocational and/or residential skill assessments; program area evaluations, etc.; COPAR as required for specific services/supports; health and safety assessments.
q. Progress reports from service/support providers. r. Original IPs and ISSPs; written Comprehensive Life Review and functional
analysis as required for Restrictive Procedures Addendum to ISSP. s. Reports of case reviews, special meetings, conferences, etc. t. Copies of required notices for meetings, or of specific actions taken. u. Copy of Social Security and Medicaid cards for adults and children receiving
Medicaid funded services/ supports. v. Copy of eligibility determination notification. w. Copy of personal representative papers as appropriate. x. Copies of correspondences related to significant changes in program funding or
supports. y. Discharge summaries and notifications as appropriate. z. Copies of HCB-DD Enrollment Request form; County and Client notification
forms; stamped UTLC-100 and LTC-102 notice of Medicaid Eligibility; and/or copy of Medicaid Authorization Card; termination notices; notices to DIDD of status changes, etc., in separate section of file for recipients of HCB-DD services.
aa. Copies of IFSPs, expenditure documentation and other forms as required by DDS, a special section of the file for families in the Family Support Service Program.
bb. Incident reports. cc. Case Management case notes.
4
dd. Copies of referral forms for the HRC as appropriate and copies of actions recommended as part of HRC reviews.
Residents of Medicaid residential facilities will also have established on the site of the facility a record which may contain all of the above mentioned information as applicable and which must contain the following:
1. Name, address and birth date of consumer. 2. Name, address and telephone number of legal guardian, if applicable; Emergency
contact information; Physician; Case Manager. 3. Special diet needs. 4. Allergies. If a consumer has an allergy to any substance, a notice will be placed in a
conspicuous place on the consumer’s record. 5. Behavioral summary and results of any comprehensive behavioral assessment
performed in the last twelve months. 6. Comprehensive medical assessment within the last twelve months. 7. Record of prescriptions and administration of medications within the past twelve months. 8. Dates and descriptions of illnesses, accidents, and treatments for the past twelve
months. 9. Immunizations for the past twelve months. 10. Summary of hospitalizations, including recommendations for follow-up and treatment for
the past twelve months. 11. Height and weight records for twelve months. 12. A record of the use of the consumer’s funds. 13. Current photo of the person. 14. Description of the general physical characteristics of the consumer. 15. Date, time, and circumstances of the consumer’s death, if applicable.
All permanent entries to the record will be written on a computer, typed, or written in ink, dated and signed by the individual preparing the re port or making the entry.
II. De-Identification of Health Information Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information. Before any member of Imagine!’s workforce treats any information as being de-identified, it must be submitted to the Privacy Officer. Whether or not health information has been de-identified will be determined by the Privacy Officer. The Privacy Officer may find that health information has been de-identified only if one of the following two conditions are met:
1. Condition 1: Statistical and Scientific Principles
A person with appropriate knowledge and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
a. Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably
5
available information, by an anticipated recipient to identify an individual who is subject to the information; and,
b. Documents the methods and results of the analysis that justify such determination. Such documentation shall be in accordance with the requirements stated in Section XIV of these privacy policies.
2. Condition 2: Removal of Identifiers
The following identifiers of the individual or of relatives, employers, or household members of the individual are removed and Imagine! does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information:
1. Names; 2. All geographic subdivisions smaller than a State, including street addresses, city, county,
precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicity available data from the Bureau of the Census:
a. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
b. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Telephone numbers; 5. Fax numbers; 6. Electronic mail addresses; 7. Social security numbers; 8. Medical record numbers; 9. Health plan beneficiary numbers; 10. Account numbers; 11. Certificate/license numbers; 12. Vehicle identifiers and serial numbers, including license plate numbers; 13. Device identifiers and serial numbers; 14. Web Universal Resource Locators (URLs); 15. Internet Protocol (IP) address numbers; 16. Biometric identifiers, including finger and voice prints; 17. Full face photographic images and any comparable images; and, 18. Any other unique identifying number, characteristic, or code, except as permitted by
Section III of these privacy policies.
III. Requirements for Re-Identification
A code or other means of record identification may be assigned to allow information de-identified to be re-identified by Imagine! provided:
1. The code or other means of record identification shall not be derived from or related to information about the individual and shall not otherwise be capable of being translated
6
so as to identify the individual; and, 2. The code or other means of record identification shall not be used or disclosed for any
other purpose and the mechanism for re-identification shall not be disclosed. Whether or not information shall be coded for re-identification and be re-identified shall be determined by the Privacy Officer. If information is re-identified, the Privacy Officer shall oversee the process of doing so.
7
IV. Access to Protected Health Information Except when access is denied under “Reasons for denial that may not be reviewed are” or “Reasons for denial that are subject to review are” sections below, an individual shall have a right of access to inspect and obtain a copy of protected health information about the individual for as long as the protected health information is maintained in that record set except for:
1. Psychotherapy notes; 2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or
administrative action or proceeding; and There are four ways to access protected health information:
1. Viewing the information in the record. 2. Electronic or mechanical duplication of the information in the record. 3. Responding to telephone inquiries about the consumer and/or about information in the
record. 4. Participating in meetings where identifying information is discussed.
With the exception of the consumer or the consumer’ s personal representative, persons who have access to identifying information should h ave access only to the minimum necessary which is needed to enable them to perform their designated functions. Reasonable safeguards will be in place to prevent t he incidental use or disclosure of protected health information during an authorized u se or disclosure of such. Access to identifying information shall be limited to:
1. The individual applying to receive or receiving services. 2. The parents of a minor or a Court appointed guardian. 3. The personal representative. 4. Designated employees of Imagine!, the Department of Human Services, the Department
of Health Care Policy and Financing, and service agencies whose duties require access. 5. Designated persons or agencies providing services under contract to Imagine! whose
duties require access. 6. Appointed members of Imagine! committees who require access in order to perform the
assigned responsibilities of the committee. Access will be limited to only the information needed to perform the designated function of the committee.
7. Employees of authorized external agencies whose responsibility it is to license, to accredit, to monitor, to approve or to conduct other functions related to administration. Access to identifying information will be limited to only the information needed to perform the designated function.
8. Physicians, psychologists, and professional persons treating an individual in an emergency situation which precludes obtaining consent. In such an instance:
a. Documentation of this access shall be entered in the consumer’s record. The Case Manager/Service Coordinator shall ensure that the documentation is completed.
b. This documentation shall contain the date and time of the disclosure, the information disclosed, the names of the persons by whom and to whom the information was disclosed and the nature of the emergency.
9. Other persons or agencies authorized by law or for whom the consumer has given consent.
8
10. The agency designated as the protection and advocacy system for Colorado (Disability Law Colorado) when:
a. A complaint has been received by the protection and advocacy system from or on behalf of a person with intellectual developmental disabilities.
b. Such person does not have a legal guardian or the State or designee of the State is the legal guardian of such person.
The Imagine! staff person who discloses information in accordance with these procedures will verify the identity of the person requesting the disclosure and will obtain in writing any conditions on the disclosure from the requesting person or entity prior to completing the disclosure. This would include verification of the authority of personal representatives to access information such as guardianship papers or power of attorney. Any requests for disclosure which are not covered by the above stated situations shall be reviewed by the Privacy Officer on an individual basis. The following criteria will be used to determine the extent of the disclosure to be made:
1. Whether or not the information requested is reasonably related to the purpose of the request;
2. Whether or not the information requested will assist in the accomplishment of the purpose of the request;
3. Whether or not the purpose of the request can be achieved without the information; 4. Whether or not the purpose of the request can be met with information that is not
protected health information. An individual qualified to interpret the contents of the record will remain with the record at all times during the examination of the record. This individual will assist in the interpretation and clarification of the record and will safeguard its contents. The Privacy Officer will make the designation of the person qualified to interpret the consumer’s file based upon the specifics of the request to review a record. In most instances the designee will be the Case Manager/Service Coordinator. Imagine! requires that anyone examining a consumer’s file is properly authorized, and that they make an entry into the file documented on the access log located in the front jacket pocket of the file binder. Documentation shall include:
1. The requestor’s name. 2. The agency or organization represented or the relationship to the consumer. 3. The date of the review or when the record was released. 4. The purpose for accessing the record.
The consumer file shall not be removed from Imagine! under normal circumstances.
1. A record may be removed if a subpoena specifically states that the record file is to be presented in Court. The record can be presented as evidence but not shown to anyone outside of the Court. The individual accompanying the record must remain with the file at all times, including photocopying. Imagine! retains custody of the file.
2. Subpoenas to present records to a place other than a Court of law, unless accompanied by a signed release from the consumer or personal representative, will not be honored.
3. Records may not be kept overnight in a staff person’s home.
9
4. The Privacy Officer must approve any exceptions to these restrictions. Records will be made available for review at Imagine! to authorized persons within thirty (30) working days of the request. If the requested information is not readily accessible to Imagine! (For example, in storage off site) that timeline may be extended to no more than 45 days. The requesting party will be notified of the reasons for the delay. If the individual is granted access, in whole or in part, to protected health information, Imagine! shall provide the access requested by the individual, including inspection and obtaining a copy, or both, of the protected health information about the individual in designated record sets. If the same protected health information that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the protected health information will only be produced once in response to a request for access. The protected health information will be provided to the individual in the form or format requested by the individual, if it is readily producible in that form or format. If it is not readily producible in that form or format, it shall be provided in a readable hard copy form or such other form or format as agreed to by the Privacy Officer and the individual. The individual may be provided a summary of the protected health information requested, in lieu of providing access to the protected health information, or may be provided an explanation of the protected health information to which access has been provided, if:
1. The individual agrees in advance to such a summary or explanation; and, 2. The individual agrees in advance to the fees imposed, if any, by Imagine! for such
summary or explanation. Access shall be provided in a timely manner as stated above, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy to the individual at the individual’s request. The Privacy Officer may discuss the scope, format and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access. If the individual requests a copy of the protected health information, or agrees to a summary or explanation of such information, Imagine! shall impose charges as set forth in Appendix B to these privacy policies. Reasons for denial that may not be reviewed are:
1. Information is exempted, such as psychotherapy notes, information compiled in anticipation of, or use in, a civil, criminal, or administrative action or proceeding, information gathered in the process of an investigation as required by rule and statute in response to allegations of mistreatment, abuse, neglect, and exploitation;
2. Inmates: If it has been determined by a correctional institution that access to, or provision of a copy of protected health information to an inmate would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates, or the safety of any officer, employee, or other person at the correctional institution.
3. Research: Access to protected health care information created or obtained by Imagine! during the course of research involving treatment may be temporarily suspended for the course of the research project provided that the individual had previously consented to
10
the denial of access as part of the consent to participate in the research, and Imagine! informs the individual that access will be reinstated at the completion of the research project.
4. Information Obtained from Others: information obtained from another entity other than a health care provider that was obtained under a promise of confidentiality and the access requested would likely reveal the source of the information.
Reasons for denial that are subject to review are:
1. A licensed health care professional has determined, in the exercise of professional judgement, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
2. The protected health information makes reference to another person and a licensed health care professional has determined, in the exercise of professional judgement, that access is reasonably likely to cause substantial harm to such other person, or;
3. The request is made by the personal representative of an individual and a licensed health care professional has determined, in the exercise of professional judgement, that the provision of access to the representative is reasonably likely to cause substantial harm to the individual or another person.
If a request for access is denied in full or in part, the requesting person will receive written documentation of the denial, including the reasons(s) for denial. The documentation will also contain the complaint process if the individual wishes to have the denial reviewed. If access is denied on a ground permitted under “Reasons for denial that are subject to review are”, above, the individual shall have the right to have the denial reviewed by a licensed health care professional who is designated by the Privacy Officer to act as a reviewing official and who did not participate in the original decision to deny. The individual’s request for review shall be promptly referred to that designated reviewing official. The designated reviewing official shall then determine, within a reasonable period of time, whether or not to deny the access requested based on the standards stated in, “Reasons for denial that are subject to review are”, of these privacy policies. The Privacy Officer shall then promptly provide written notice to the individual of the determination of the designated reviewing official and implement the designated reviewing official’s determination. If Imagine! does not have the requested information, and that is the reason for denial, and Imagine! staff knows the source of that information, that information will be provided in the notification of denial. At no time may a person examining a record remove anything from the file or make changes to the file without following the procedure stated below:
. If an individual receiving or seeking services/supports or their personal representative objects to any information in a file, within the scope of their authority, she or he may submit a written, signed and dated request for changes, corrections, deletions, or other modifications to the Imagine! Privacy Officer who will make the decision regarding the request. The request must be acted upon by the Privacy Officer within sixty (60) days of receipt of the request. If The Privacy Officer is unable to take an action on the request within that sixty (60) day period, the Privacy Officer may extend the time for the action by no more than thirty (30) calendar days, provided:
1. Within that sixty (60) day period, the Privacy Officer shall provide the individual with a written statement of the reason(s) for the delay and the date by which Imagine! will complete its action on the request; and,
11
2. Only one such extension shall be permitted on a request for amendment.
If the request is denied, the Privacy Officer will inform the requesting party of the decision in writing stating the reasons for the full or partial denial of the request. Any changes to the record will be made on the original document, and be initialed and dated by the individual making the change. Original content is not to be obscured or made unreadable. In addition, Imagine! staff will inform other entities identifie d by the individual or the guardian or authorized representative, or of busine ss associates known to have the information changed, and that may have or will rely on the uncorrected information to the detriment of the individual. If the request is denied the requestor has the right to have a statement regarding their request for changes entered into the file. The Privacy Officer or designee may then prepare or have cause to prepare a statement of rebuttal to the statement of disagreement that will also be placed in the file. The denial of amendment in whole or in part will be documented in writing to the requesting party. The reason for denial will be included in the notification, as will the complaint process if the individual wishes to have the decision reviewed. Permissible reasons for denial include that the information:
1. Was not created by Imagine! unless the requestor is able to provide a reasonable basis
to believe that the originator of the protected health information is no longer available on the requested amendment;
2. Is not part of the designated record set; 3. Would not be available for inspection; or 4. Is accurate and complete.
All documentation of this process will be placed in the individual file. When disclosure of the contested information is requested at a later date the appended material, or an accurate summary of that information, will be included in the disclosed information. If the transaction of the information does not permit the transmission of the appended information, it will be separately transmitted to the requesting party.
V. Use and Disclosure of Only the Minimum Necessary Information. Except as stated in Section 1, below, when using or disclosing protected health information, members of Imagine!’s workforce shall make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use or disclosure.
1. Exceptions to Minimum Necessary Requirement.
The preceding general rule concerning limiting use and disclosure of protected health information to the minimum necessary does not apply to:
a. Disclosures to a health care provider for treatment. b. Uses or disclosures made to the individual.
12
c. Uses or disclosures made pursuant to an authorization written in accordance with these privacy policies.
d. Disclosures made to the Secretary of Health and Human Services in accordance with the HIPAA privacy rule.
e. Uses or disclosures that are required by law. f. Uses or disclosures that are required for Imagine!’s compliance with the HIPAA
privacy rule.
2. Routine and Recurring Disclosures.
For any type of disclosure that is made on a routine and recurring basis, the Privacy Officer shall from time to time develop and implement standard protocols that limit the protected health information requested to the amount that is reasonably necessary to accomplish the purpose for which the disclosure is made.
3. Other Disclosures.
Any disclosures that are not covered by an established protocol, shall be reviewed by the Privacy Officer on an individual basis using the following criteria to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought. The criteria to be applied are:
a. Whether or not the information requested is reasonably related to the purpose of the
request. b. Whether or not the information requested will assist in the accomplishment of the
purpose of the request. c. Whether or not the purpose of the request can be accomplished without the
information requested. d. Whether or not the purpose of the request can be met with information that is not
protected health information.
4. Permitted Reliance. If the reliance is reasonable under the circumstances, members of Imagine!’s workforce may rely on a requested disclosure as the minimum necessary for the stated purpose when:
a. Making disclosures to public officials that are permitted under Section XIX
“Documentation of Uses and Disclosures for which Authorization or an Opportunity to Agree or Object is Not Required” of these privacy policies, if the public official represents that the information is the minimum necessary for the stated purpose(s);
b. The information is requested by another covered entity; c. The information is requested by a professional who is a member of Imagine!’s
workforce or a business associate of Imagine! for the purpose of providing professional services to Imagine!, if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or,
d. Documentation or representations that comply with the applicable requirements of Section XIX.9 “Uses and Disclosures for Research Purposes” of these privacy policies have been provided by the person requesting the information for research purposes.
13
The basis for reliance under this Section V.4 shall be documented by the Privacy Officer.
5. Identification of Workforce Members’ Access To Protected Health Information.
Attached to these privacy policies as Appendix A is an identification of those classes of Imagine!’s workforce who need access to protected health information to carry out their duties and, for each of those classes, the category or categories of protected health information to which access is needed and any conditions appropriate to that access. Failure of a member of the workforce to comply with that access or those conditions will result in disciplinary action up to and including termination of employment.
At least annually, the Privacy Officer shall cause a review of the identification and categories stated in Appendix A and make such changes to Appendix A as the Privacy Officer determines is necessary or desirable to keep Appendix A current.
VI. Release of Protected Health Information Protected health information may be released in one of the following ways and only contain the minimum necessary PHI as outlined in Section V above:
1. To obtain services/supports for an individual, to obtain payment for services, or to perform health care operations.
2. A written authorization signed by an individual authorized to release information that: a. Is dated; b. Is in effect no longer than one year c. Is specific in the type of information to be released d. States the purpose(s) for which the information is to be released e. States to whom the information will be released f. A statement of the individual’s right to revoke the authorization in writing; this
revocation statement is to be submitted to the Privacy Officer. Documentation of such will be kept in the “releases” section of the individual file and such documentation will be maintained for 6 years from the date of effectiveness.
g. A statement that Imagine! staff may not condition treatment or payment for treatment on whether the individual signs the authorization. An exception to this may be provision of research related treatment without a signed authorization;
h. A copy of the signed authorization will be provided to the individual who signed the authorization.
3. When a verbal request is received for identifying information, standard procedures should include obtaining written authorizations before releasing the information unless it is an emergency situation.
4. A Court order specifying release of information expressly required by the Court. 5. Identifying information to be released from records may be photocopied or duplicated,
provided: a. The authorization for the release of information specifically allows for duplication
of information. b. Documentation shall be entered into the record stating what information was
copied, the date on which it was copied, and to whom it was released. c. A fee for duplication shall not exceed fifty (50) cents per page for the first ten (10)
or fewer pages and twenty-five (25) cents per page for each additional page.
14
d. The consumer may receive one free copy of any information contained in the record.
Use of photographs within or by Imagine! will adhere to all confidentiality and privacy considerations.
1. Photographs or videotapes of individuals may not be displayed or released without a written authorization from the individual or their personal representative.
2. Photos displayed for general purposes within Imagine! should use the consumer’s first name only or their initials depending on where the photo is displayed.
3. Photos, slides, or videotapes used by Imagine! in public presentations may not have identifying information associated with them in either text or verbal explanation. Whenever the photo or videotape is used, appropriate authorization must first be obtained.
4. Photos or videotapes taken for use in general circulation must be accompanied by appropriate authorization prior to publication or broadcast.
All Imagine! employees will receive documented training in procedures for the release of protected health information. The Case Manager/Service Coordinator and/or administrative support staff will document in a log in the jacket of each file, the release of protected health information regarding the specific individual. VII. Release of Non-Identifying Information The consumer or their personal representative does not need to consent to nor acknowledge the collection or release of non-identifying information. Requests for existing, previously compiled, non-identifying information may be honored if the request is for documented reasons for evaluation, statistical or research purposes. A charge for duplication may be imposed and a written request may be required. General information concerning the types and use of non-identifying information must be furnished to the consumer or their personal representative upon request. If the information requestor, in order to secure the required non-identifying data, must have access to identifying information the following procedures must be followed:
1. Prior to access, the request must be submitted in writing and shall include the
requestor’s name, the agency that she or he represents, and the purpose of the inquiry. 2. Prior to access to any identifying information, authorization to do so must be obtained
from the consumer or their personal representative, where appropriate. 3. The Imagine! Privacy Officer will approve or disapprove the request. 4. If the request is approved, a staff member will be designated to accompany the
requestor at all times to ensure that only non-identifying information is gathered. In the event that the requestor wishes to duplicate information in any way, the designated staff member must eliminate any identifying information beforehand.
15
All Imagine! employees will receive documented training in the release of non-identifying information. VIII. Requesting Information from Other Agencies an d Professionals When information is to be requested from other agencies or professionals, the consumer or the consumer’s personal representative will be asked to sign an Authorization for Request Form. The form will specify what information is to be requested, the purpose for which it will be used, the name of the agency or individual from whom the information is to be requested, and the time period for which the request is effective, not to exceed one year from the date of the signature. Under no circumstances are individuals to be asked to sign forms lacking the specified information, and no such forms are to be kept in consumer’s files. Administrative support staff will ensure that copies of signed releases are filed appropriately. The Records Room Administrative Assistant will maintain a log of the following:
1. Name of consumer for whom records have been requested. 2. Name of agency or professional from whom records have been requested, and a brief
description of the type of records requested. 3. Date of request. 4. Name or initials of person requesting records.
Upon receipt of records requested, the Records Room Administrative Assistant will place such records in the appropriate file, and notify the staff person requesting the records of their arrival and location. An individual Authorization for Request Form shall be signed by/for each entity from whom information is being requested even when information is being requested for more than one family member from the same entity. When written information, whether generated by Imagine! staff or requested by Imagine! staff makes reference to non-pertinent person(s); this information must be deleted before being filed in individual files. All Imagine! employees will receive documented training in procedures for requesting information from other agencies/persons. IX. Management of Records of Individuals Receiving or Applying to Receive
Services/Supports Records containing protected health information should be stored in a place inaccessible to the general public. At a minimum, they should be in a locked cabinet or room. This applies to all files, whether they are for current service recipients, persons waiting for services, or persons who have been terminated from services.
1. Staff members wishing to remove records from the Records Room will sign the files out and sign them in on the designated form upon their return.
16
2. If staff members take records to their work area, the file may be kept in their office for no longer than two (2) working days. The file must be stored in a locked desk or cabinet when not in use.
3. The Records Room Administrative Assistant is responsible for monitoring the checkout and return of records.
4. Service/support staff members may maintain working files for individuals receiving services in their designated program area. Those files may include but not be limited to the following:
a. Copies of the IP and ISSP. b. Relevant medical information. c. Names, telephone numbers and addresses of parents, guardians, authorized
representatives and or emergency contacts. d. Attendance data. e. Behavioral observations and measurement data. f. Progress charts/ notes. g. Copies of incident reports. h. Additional information felt by the staff member to be helpful or necessary to
provide services/service. 5. Working files will be kept in such a manner that they are not accessible by the general
public. They must be kept in a locking desk or cabinet when not in use. 6. For staff whose duties require that they travel between locations, and who must
transport working files with them, such files should be carried in the locked trunk of the vehicle in which they travel. If the vehicle does not have a trunk the files should be carried in a locked container such as a briefcase. If this is not feasible the files should be carried in a closed container such as an envelope, file folder or notebook which does not identify the contents of the container, and placed in the vehicle in such a way that the opportunity for public viewing is minimized.
7. If traveling staff must occasionally keep files in their homes they must be stored in such a manner that they are not accessible to other members of the household.
8. All computers must have screen savers that activate after a period of inactivity. The screen saver may only be deactivated by an employee’s password.
9. If protected health information is to be removed from Imagine! on a USB drive, the USB drive will be encrypted.
10. All trash that contains protected health information must be placed in the designated receptacles to be shredded. The receptacles must be locked or located in offices/rooms that can be locked when the Imagine! offices are closed.
11. Fax machines and collectively used printers will be located in areas that are not accessible to the general public. When faxes are received, or documents are printed, the Case Management Administrative Assistant, Imagine! Receptionist, or other designated staff will periodically remove documents from the respective machines, if they have not been claimed by the person for whom the document is intended, and place them in the mail folders or mailboxes designated for each staff person.
12. When protected health information is being provided to Imagine! staff in designated mailboxes, or is being sent to service providers from designated mailboxes the information should be contained in envelopes or other containers that protect the confidentiality of that information.
17
X. Violations of Privacy Policies and Procedures
It is expected that Imagine! staff will report violations of the Privacy Policies and Procedures or of requirements of the HIPAA Privacy Policy to the Privacy Officer.
1. Staff who fail to abide by Imagine! privacy policies and procedures, and by the HIPAA privacy statement will be disciplined according to Imagine! Personnel Policies and Procedures. Refer to the Employee Handbook. Written documentation of the offense and sanctions applied will be maintained by the Director of Human Resources for 6 years from the date of application of the sanctions.
2. If there is a use or disclosure of protected health information by staff of Imagine! or of a business associate of Imagine! in violation of Imagine!’s privacy policies or the requirements of the HIPAA privacy rule, the Privacy Officer will attempt to mitigate, to the extent possible, any harmful effects of the violation.
3. Neither Imagine! nor any employee of Imagine! may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual exercising any right under, or for participation in any process established by Imagine!’s privacy policies or the HIPAA privacy rule, including filing a complaint under the HIPAA privacy rule or Imagine!’s privacy policies. To file a complaint with Imagine! contact Rebecca Novinger, Director of Corporate Strategy, Imagine!, 1400 Dixon St., Lafayette, CO 80026 or e-mail her at [email protected]. Her phone is 720-399-4190. All complaints must be submitted in writing.
4. No staff member of Imagine! may require an individual to waive the individual’s rights under Imagine!’s privacy policies or the HIPAA privacy rule as a condition of provision of services and supports or payment for services and supports.
The Director of Information Technology will assume the responsibilities of the Privacy Officer in the absence of that Officer. He can be contacted at [email protected] or 303-926-6441. Written documentation of this appointment will be maintained for 6 years following the date of appointment. XI. Purging or Destruction of Protected Health Info rmation
1. Records containing protected health information should be retained in accordance with
regulation and policy that applies to the type of record (fiscal, HCB-DD, medical, etc.). Where no regulation or policy applies, files should be purged and destroyed when no longer applicable. The files must be destroyed in a manner that minimizes the ability to reconstruct the documents. In most cases the file will be processed for shredding.
2. Generally, complete records will be maintained at Imagine! until the individual has not received any services or supports for a period of seven years.
3. The Privacy Officer and the Records Room Administrative Assistant will review the closed files annually to determine which files can be destroyed. No file will be destroyed without the approval of the Privacy Officer and until a card has been completed and filed in the closed file card catalog and must contain the following:
a. Name of consumer. b. Date of birth. c. Date of entry to services/supports. d. Date of termination from services or supports.
18
e. A list of services or supports received f. A notation if the consumer is deceased. g. Note if and when file is destroyed.
4. Information must be destroyed at the request of the consumer or the consumer’s personal representative, if the consumer is no longer receiving services or supports from Imagine!. A permanent record of the consumer’s name, their address, telephone number, IPs and list of services provided may be maintained indefinitely.
XII. Community Contract Management System (CCMS)
Case Management Responsibilities: 1. Case Management staff will complete all DIDD and Imagine! required elements of
CCMS at the time of eligibility determination. 2. Status changes will be documented and submitted to the appropriate Case Management
staff within three (3) working days of the status change. The status on CCMS must correspond with the status indicated by service/support staff on all enrollment and attendance forms.
3. Case Managers will review and revise all other CCMS information on all active consumers on their Case Management status annually at the time of the IP meeting.
4. Case Managers will review and revise CCMS information on Case Management status at least annually.
5. Case Managers will review and revise CCMS on all Waiting List consumers annually; this includes an update of the service timelines.
6. Changes from Waiting List to Active status must be made within three (3) working days of the change.
XIII. Changes to Imagine!’s Privacy Policies and Pr ocedures The Privacy Officer will make changes to Imagine!’s Privacy Policies and Procedures, and/or to Imagine!’s Privacy Notice as changes in law materially affect such documents. Needed changes will be documented and implemented promptly. These changes may apply to protected health information created or received prior to the implementation of the change. Changes in the Privacy Notice will be posted at all Imagine! program sites, on the Imagine! web site, and mailed to persons on waiting lists. Changed notices will be provided to persons actively receiving services at annual IP or IFSP meetings.
19
XIV. Documentation The Privacy Officer (or designee) shall take the following actions regarding documentation:
1. Maintain privacy policies and procedures in written or electronic form; 2. If a communication is required to be in writing by these privacy policies and procedures
or by the privacy rule, maintain that communication in writing or electronic form. 3. If an action, activity, or designation is required by these privacy policies and procedures,
or by the privacy rule, maintain a written or electronic record of that action, activity or designation.
4. This documentation shall be retained for 6 years from the date of its creation, or the date it was last in effect, whichever is latest.
XV. Psychotherapy Notes Psychotherapy notes shall be maintained by the ment al health professional who prepared the notes in a locked file in his/her offi ce. Imagine! has a co-located mental health therapist a t the Imagine! office. This therapist is an employee of the Mental Health Center of Boulder County, and the records maintained by this therapist are the property of the Mental He alth Center. An authorization to release information signed by the individual receiving serv ices, a guardian or other authorized representative will be required to obtain these rec ords. XVI. Staff Training Employees of Imagine! will receive training on the requirements of policies and procedures for the acquisition, use and disclosure of protected health information during orientation and on a regular basis thereafter.
XVII. Notice of Privacy Practice: Procedures A Notice of Privacy Practices was developed to become effective April 14, 2003, and most recently revised September 2013, in compliance with the HIPAA rule. That Notice was mailed to all individuals receiving services and on waiting lists to receive services, or to their personal representatives. All new applicants for services will receive a copy of the Notice as part of their Intake Packet. In the rare instance that services begin prior to completion of the Intake process, the Notice will be provided at the first date of service. Documentation of Receipt
1. A Notice of Privacy Practices will be posted at each program site, in a prominent and
accessible place, and each program site will maintain a supply of notices to be provided upon request;
2. An individual or personal representative may agree to accept a Notice by e-mail. This transmission is to be done by the Privacy Officer or designee (generally the Case Manager/Service Coordinator, or Case Management Administrative Assistant). If the
20
transmission fails, a paper copy of the Notice will be provided. An individual who receives an e-mail copy of the Notice may also receive a paper copy upon request to the Privacy Officer.
3. The Notice of Privacy Practices will be posted on the Imagine! web site and will be made electronically available through the web site.
4. Accompanying the Notice of Privacy Practices in any format is a form to be signed that acknowledges that the individual has received the Notice. The signed forms are to be returned to the Privacy Officer.
5. If the Notice is provided by regular mail or e-mail, and a signed acknowledgement form is not returned, the Privacy Officer, or designee will follow-up via phone or registered mail to attempt to obtain the acknowledgement form. Such activities will be documented in writing.
6. For the initial and any subsequent mailings, a list will be developed to indicate to whom a Notice was mailed, and from who signed acknowledgements were received. The signed acknowledgements, and evidence of “good faith efforts” to obtain such, will be filed in the “Releases” section of the individual file.
7. For individuals to whom the Notice was provided in-person at Intake or at the initial time of service, signed acknowledgement forms, or documentation of non-receipt of the form will be provided to the Privacy Officer or designee. This information will be added to the list in #6 above. The signed form or documentation of a “good faith effort” to obtain a signed form will be filed in the “Releases” section of individual files.
8. All documentation, written or electronic, related to receipt of the acknowledgement form will be maintained in the individual record for 6 years from the date the Notice was last in effect.
9. When there is a material change in the use or disclosure of protected health information, individual rights, Imagine!’s legal duties, or other privacy practices stated in the Notice, the Privacy Officer shall promptly revise the Notice of Privacy Practices to be made available on request, to post in program areas and on the Imagine! Web site. Except as may be required by law, a material change in the Notice shall not be implemented prior to the effective date of the Notice in which the change is reflected.
10. A copy of each Notice of Privacy Practices will be maintained in writing or in electronic form for 6 years from the date that a specific notice was last in effect.
XVIII. Documentation of Individual Agreement or Obj ection to the Permissible Use or Disclosure of Protected Health Information:
If an individual objects to the permissible use or disclosure of protected health information, as stated in Imagine!’s Notice of Privacy Practices, the objection should be made known to the Privacy Officer. A phone request will be honored, but for the purpose of accurate documentation, a written request will also be requested. The opportunity to object must be provided to individuals in the following circumstances:
1. Notification of Persons Involved in the Individual’s Care 2. Notification of the Location, Condition or Death of the Individual 3. Disaster Relief
If the individual is present in any of these situations they should be given the opportunity to object to any use or disclosure. The disclosure may proceed with the individual’s agreement; if the individual does not voice an objection; or if staff present know the individual well enough to be able to interpret the behavior of the individual to demonstrate agreement or objection. Staff
21
should document the agreement or objection in an incident report or case notes, as appropriate to the situation. This documentation should be provided to the Privacy Officer. If the individual is not present in these situations, or is unable to respond due to incapacity or an emergency circumstance staff present may, in the exercise of professional judgement, determine if the use or disclosure is in the best interests of the individual, and if so, disclose only the protected health information that is directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s health care. Disclosure of the individual’s PHI shall be limited to a family member, other relative, personal representative, or a close personal friend of the individual or any other person identified by the individual. Staff should document their actions in an incident report or case notes, as appropriate to the situation, and provide that documentation to the Privacy Officer. XIX. Documentation of Uses and Disclosures for Whic h Authorization or an
Opportunity to Agree or Object is Not Required To the extent permitted by this Section XIX, an authorized member of Imagine!’s workforce may use or disclose protected health information without the authorization of the individual or the opportunity of the individual to agree or object, in the situations described in this Section XIX. When Imagine! is required by any of these situations to inform the individual of a use or disclosure permitted by this Section XIX or when the individual may agree to a use or disclosure required by this Section XIX, Imagine!’s information and the individual’s agreement may be given orally. However, if given orally, the Imagine! workforce member involved shall document the giving of the information or the agreement by entering a note in the consumer’s file.
1. Uses and Disclosures Required by Law
a. Informing the Privacy Officer
Any member of Imagine!’s workforce who receives a request, or who proposes, to use or disclose protected health information for a use or disclosure required by law must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the use or disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy policies. The use or disclosure should not occur until it has been approved by the Privacy Officer.
b. Permitted Uses and Disclosures
Imagine! may use or disclose protected health information to the extent that the use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of the law.
Imagine! will meet the requirements of the following sections of these privacy policies, as applicable, for uses and disclosures required by law:
1) Section XIX.3 “Uses and Disclosures About Victims of Abuse, Neglect or
Domestic Violence” 2) Section XIX.5 “Disclosures for Judicial and Administrative Proceedings” 3) Section XIX.6 “Disclosures for Law Enforcement Purposes”
22
2. Uses and Disclosures for Public Health Activities
a. Informing the Privacy Officer
Any member of Imagine!’s workforce who receives a request, or who proposes, to use or disclose protected health information for public health activities must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the use or disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy policies. The use or disclosure should not occur until it has been approved by the Privacy Officer.
b. Permitted Disclosures
An authorized member of Imagine!’s workforce may disclose protected health information for the public health activities and purposes described below:
1) A public health authority that is authorized by law to collect or receive such
information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury and vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of the public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.
2) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect
3) A person subject to the jurisdiction of the United States Food and Drug Administration (FDA) with respect to an FDA -regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include: a) To collect or report adverse events (or similar activities with respect to food or
dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;
b) To track FDA-regulated products; c) To enable product recalls, repairs, or replacement, or lookback (including
locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or
d) To conduct post marketing surveillance. 4) A person who may have been exposed to a communicable disease or may
otherwise be at risk of contracting or spreading a disease or condition, if Imagine! or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.
5) An employer, about an individual who is a member of the workforce of the employer, if: a) Imagine! provides health care to the individual at the request of the employer:
i. To conduct an evaluation relating to medical surveillance of the workplace; or,
ii. To evaluate whether the individual has a work-related illness or injury. b) The protected health information that is disclosed consists of findings
concerning a work-related illness or injury or a work-related medical surveillance;
c) The employer needs such findings in order to comply with its obligations
23
under 29 CFR Parts 1904 through 1928 (concerning occupational safety and health), 30 CFR parts 50 through 90 (concerning mine safety and health), or similar sate law, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; and,
d) Imagine! provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed by the employer:
i. By giving a copy of the notice to the individual at the time the health care is provided; or,
ii. If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.
3. Uses and Disclosures About Victims of Abuse, Neglect or Domestic Violence.
a. Delivery to Privacy Officer
Any member of Imagine!’s workforce who receives a request, or who proposes, to use or disclose protected health information about a victim of abuse, neglect or domestic violence must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the use or disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy policies. The use or disclosure should not occur until it has been approved by the Privacy Officer.
b. General Rule
Except for reports of child abuse or neglect that are permitted by Section XIX.2.b(2) “Permitted Disclosures” of these privacy policies, an authorized member of Imagine!’s workforce may disclose protected health information about an individual that workforce member reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect or domestic violence:
1) To the extent the disclosure is required by law and the disclosure complies with
and is limited to the relevant requirements of that law; 2) If the individual agrees to the disclosure; or, 3) To the extent the disclosure is expressly authorized by statute or regulation and:
a) The Imagine! workforce member, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victim; or,
b) If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that:
i. The protected health information for which disclosure is sought is not in-tended to be used against the individual; and,
ii. An immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.
c. Informing the Individual.
24
If a member of Imagine!’s workforce makes a disclosure permitted by XIX.3.b “General Rule”, above, the Privacy Officer shall promptly inform the individual that such a report has been or will be made, except if: 1) The Privacy Officer, in the exercise of professional judgment, believes informing
the individual would place the individual at risk of serious harm; or 2) The Privacy Officer would be informing a personal representative, and he or she
reasonably believes the personal representative is responsible for the abuse, neglect or other injury, and that informing that person would not be in the best interests of the individual as determined by Imagine!, in the exercise of professional judgment.
4. Uses and Disclosures for Health Oversight Activities.
a. Delivery to Privacy Officer
Any member of Imagine!’s workforce who receives a request, or who proposes, to use or disclose protected health information for purposes of a health oversight activity must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the use or disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy policies. The use or disclosure should not occur until it has been approved by the Privacy Officer.
b. General Rule
An authorized member of Imagine!’s workforce may disclose protected health information to a health oversight agency, e.g., state department of health, CMS, for oversight activities authorized by law, including: audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or other actions; or, other activities necessary for appropriate oversight of: 1) The health care system; 2) Government benefit programs for which health information is relevant to
beneficiary eligibility; 3) Entities subject to government regulatory programs for which health information
is necessary for determining compliance with program standards; or, 4) Entities subject to civil rights laws for which health information is necessary for
determining compliance.
c. Exceptions For purposes of the disclosures permitted by Section XIX.4.b “General Rule”, above, a health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to: 1) The receipt of health care; 2) A claim for public benefits related to health; or, 3) Qualification for, or receipt of, public benefits or services when a patient’s health
is integral to the claim for public benefits or services.
d. Joint Activities or Investigations Notwithstanding the exceptions stated in Section XIX.4.c, above, if a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint
25
activity or investigation is considered a health oversight activity for purposes of this section.
5. Disclosures for Judicial and Administrative Proceedings.
a. Delivery to Privacy Officer Any member of Imagine!’s workforce who receives an order of a court or administrative tribunal or a subpoena, discovery request, or other lawful process must promptly deliver or otherwise communicate the document to the Privacy Officer prior to the disclosure being made. The Privacy Officer will then oversee the disclosure for compliance with these privacy policies. The disclosure should not occur until it has been approved by the Privacy Officer.
b. General Rules
Imagine! will disclose protected health information in the course of any judicial or administrative proceeding: 1) In response to an order of a court or administrative tribunal, provided Imagine!
will disclose only the protected health information expressly authorized by the order; or,
2) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if: a) Imagine! receives satisfactory assurance, as described below, from the party
seeking the information that reasonable efforts have been made by that party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or,
b) Imagine! receives satisfactory assurance, as described below, from the party seeking the information that reasonable efforts have been made by that party to secure a qualified protective order that meets the requirements stated below.
c) Notwithstanding (a) and (b), above, Imagine! may disclose protected health information in response to a subpoena, discovery request or other lawful process that is not accompanied by an order of the court or administrative tribunal, without satisfactory assurance, if Imagine!, itself:
I. Makes reasonable efforts to provide notice to the individual sufficient to meet the requirements stated below for satisfactory assurance of such a notice; or ,
II. Seeks a qualified protective order sufficient to meet the requirements stated below for a qualified protective order.
c. Satisfactory Assurance
1) That Individual Has Received Notice. Imagine! will be considered to have received “satisfactory assurance” from a party seeking protected health information that the individual has received notice if Imagine! receives from that party a written statement and accompanying documentation demonstrating that: a) The party requesting the information has made a good faith attempt to
provide written notice to the individual (or, if the individual’s location is un-known, to mail a notice to the individual’s last known address);
b) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and,
26
c) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:
i. No objections were filed; or, ii. All objections filed by the individual have been resolved by the court or
the administrative tribunal and the disclosures being sought are con-sistent with that resolution.
2) That Qualified Protected Order Sought. Imagine! will be considered to have received “satisfactory assurance” from a party seeking protected health information that a qualified protected order has been sought if Imagine! receives from that party a written statement and accompanying documentation demon-strating that: a) The parties to the dispute giving rise to the request for information have
agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or,
b) The party seeking the protected health information has requested a qualified protected order from that court or administrative tribunal.
3) Meaning of “Qualified Protective Order”. A “qualified protective order” means an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that: a) Prohibits the parties from using or disclosing the protected health information
for any purpose other than the litigation or proceeding for which the information was requested; and,
b) Requires the return to Imagine! or destruction of the protected health information (including all copies made) at the end of the litigation or proceed-ing.
d. Not Limitation on Other Uses and Disclosures.
The provisions of this section dealing with disclosures for judicial and administrative proceedings do not supersede other provisions of these privacy policies that otherwise permit or restrict uses of disclosures of protected health information.
6. Disclosures for Law Enforcement Purposes
a. Delivery to Privacy Officer
Any member of Imagine!’s workforce who receives a request, or proposes, to disclose protected health information for law enforcement purposes must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy policies. The use or disclosure should not occur until it has been approved by the Privacy Officer.
b. Pursuant to Process and As Otherwise Required by Law
An authorized member of Imagine!’s workforce may disclose protected health information: 1) As required by law including laws that require the reporting of certain types of
wounds or other physical injuries, except: a) For laws concerning a public health authority or other appropriate
government authority authorized by law to receive reports of child abuse or neglect (see, Section XIX.2.b.1 “Permitted Disclosures”); or,
b) To the extent the disclosure is pursuant to a mandatory reporting law concerning reporting of abuse, neglect, or domestic violence and the
27
disclosure complies with and is limited to the relevant requirements of that law (see, Section XIX.3.b)
2) In compliance with and as limited by relevant requirements of: a) A court order or court-ordered warrant, or a subpoena or summons issued by
a judicial officer; b) A grand jury subpoena; or, c) An administrative request, including an administrative subpoena or summons,
a civil or an authorized investigative demand, or similar process authorized under law, provided that:
i. The information sought is relevant and material to a legitimate law enforcement inquiry;
ii. The request is specific and limited in scope to the extent reasonably practical in light of the purpose for which the information is sought; and,
iii. De-identified information could not reasonably be used.
c. Limited Information for Identification and Location Purposes Except for disclosures required by law as permitted by XIX.6.b, above, an authorized member of Imagine!’s workforce may disclose protected health information in response to a law enforcement official’s request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that: 1) Imagine! may disclose only the following information:
a) Name and address; b) Date and place of birth; c) Social security number; d) ABO blood type and rh factor; e) Type of injury; f) Date and time of treatment; g) Date and time of death, if applicable; and, h) A description of distinguishing physical characteristics, including height,
weight, gender, race, hair and eye color, presence of absence of facial hair (beard or moustache), scars, and tattoos.
2) Except as stated in (1), above, a member of Imagine!’s workforce may not disclose for the purposes of identification or location under this section any protected health information related to the individual’s DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.
d. Victims of a Crime
Except for disclosures required by law as permitted by XIX.6.b, above, an authorized member of Imagine!’s workforce may disclose protected health information in response to a law enforcement official’s request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to Section XIX.6 and Section XIX6.c, if: 1) The individual agrees to the disclosure; or, 2) Imagine! is unable to obtain the individual’s agreement because of incapacity or
other emergency circumstance, provided that: a) The law enforcement official represents that such information is needed to
determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;
b) The law enforcement official represents that immediate law enforcement activity that depends on the disclosure would be materially and adversely
28
affected by waiting until the individual is able to agree to the disclosure; and, c) The disclosure is in the best interests of the individual as determined by
Imagine!, in the exercise of professional judgment.
e. Decedents An authorized member of Imagine!’s workforce may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if Imagine! has a suspicion that such death may have resulted from criminal conduct.
f. Crime on the Premises
An authorized member of Imagine! may disclose to a law enforcement official protected health information that he or she believes in good faith constitutes evidence of criminal conduct that occurred on the premises of Imagine!.
g. Reporting Crime in Emergencies
If Imagine! is providing emergency health care in response to a medical emergency, other than on the premises of Imagine!, an authorized member of Imagine!’s work-force may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to: 1) The commission and nature of a crime; 2) The location of such crime or of the victim(s) of such crime; and, 3) The identity, description, and location of the perpetrator of the crime. If the member of Imagine!’s workforce believes the medical emergency is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, the preceding does not apply and any disclosure to a law enforcement official for law enforcement purposes is subject to Section XIX.6.c of these privacy policies.
7. Uses and Disclosures About Decedents.
a. Delivery to Privacy Officer
Any member of Imagine!’s workforce who receives a request, or proposes, to use or disclose protected health information to a coroner, medical examiner, or funeral director must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the use or disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy procedures. The use or disclosure may not occur until it has been approved by the Privacy Officer.
b. Coroners and Medical Examiners
An authorized member of Imagine!’s workforce may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.
c. Funeral Directors
An authorized member of Imagine!’s workforce may disclose protected health infor-mation to funeral directors consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry
29
out their duties, Imagine! may disclose the protected health information prior to, and in reasonable anticipation of, the individual’s death.
8. Uses and Disclosures for Cadaveric Organ, Eye or Tissue Donation.
a. Delivery to Privacy Officer
Any member of Imagine!’s workforce who receives a request, or proposes, to use or disclose protected health information for purposes of cadaveric organ, eye or tissue donation must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the use or disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy procedures. The use or disclosure may not occur until it has been approved by the Privacy Officer.
b. Permitted Uses and Disclosures
An authorized member of Imagine!’s workforce may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking or transplantation of cadaveric organs, eyes or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.
9. Uses and Disclosures for Research Purposes
a. Delivery to Privacy Officer
Any member of Imagine!’s workforce who receives a request, or proposes, to use or disclose protected health information for research purposes must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the use or disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy procedures. The use or disclosure may not occur until it has been approved by the Privacy Officer.
b. Permitted Uses and Disclosures
An authorized member of Imagine!’s workforce may use or disclose protected health information for research, regardless of the source of funding for the research, provided that: 1) Board Approval of a Waiver of Authorization. Imagine! obtains documentation
that an alteration to or waiver, in whole or in part, of the individual authorization required by these privacy procedures for use and disclosure of protected health information has been approved by either: a) An Institutional Review Board (IRB) established in accordance with the
federal regulations set forth in the HIPAA privacy rule; or, b) A privacy board that meets the requirements of the HIPAA privacy rule, see,
45 CFR §164.512(i)(1)(i)(B). The documentation must include all of the information required by the HIPAA privacy rule, see, 45 CFR §164.512(i)(2).
2) Reviews Preparatory to Research. Imagine! obtains from the researcher representations that: a) Use or disclosure is sought solely to review protected health information as
necessary to prepare a research protocol or for similar purposes preparatory to research;
b) No protected health information will be removed from Imagine! by the researcher in the course of the review; and,
30
c) The protected health information for which use or access is sought is necessary for the research purposes.
31
Research on Decedent’s Information. Imagine! obtains from the researcher: a) Representation that the use or disclosure is sought solely for research on the
protected health information of decedents; b) Documentation, at the request of Imagine!, of the death of such individuals;
and, c) Representation that the protected health information for which use or
disclosure is sought is necessary for the research purposes.
10. Uses and Disclosures to Avert a Serious Threat to Health or Safety.
a. Delivery to Privacy Officer Any member of Imagine!’s workforce who receives a request, or proposes, to use or disclose protected health information to avert a serious threat to health or safety must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the use or disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy policies. The use or disclosure may not occur until it has been approved by the Privacy Officer.
b. Permitted Uses and Disclosures
An authorized member of Imagine!’s workforce may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the member of Imagine!’s workforce, in good faith, believes the use or disclosure: 1) Serious and Imminent Threat
a) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and,
b) Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.
2) Law Enforcement. Is necessary for law enforcement authorities to identify or apprehend an individual: a) Because of a statement by an individual admitting participation in a violent
crime that Imagine! reasonably believes may have caused serious physical harm to the victim; or,
b) Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.
c. Uses and Disclosures Not Permitted
A use or disclosure pursuant to Section XIX.10.b.2.a, above, concerning a statement of an individual may not be made if the information described in that section is learned by Imagine!: 1) In the course of treatment to affect the propensity to commit the criminal conduct
that is that basis for the disclosure under that section, or counseling or therapy; or,
2) Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy described in Section XIX.10.b.2.a, above.
A disclosure made pursuant to Section XIX.10.b.2.a, above, shall contain only the statement described in that section and the protected health information described in Section XIX.6.c.1 “Limited Information for Identification and Location Purposes”.
11. Uses and Disclosures for Specialized Government Functions.
32
a. Delivery to Privacy Officer. Any member of Imagine!’s workforce who receives a request, or proposes, to use or disclose protected health information for purposes of a specialized government function described in this Section XIX.11 must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the use or disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy policies. The use or disclosure may not occur until it has been approved by the Privacy Officer.
b. Military and Veterans Activities
1) Armed Forces Personnel. An authorized member of Imagine!’s workforce may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: a) Appropriate military command authorities; and, b) The purposes for which the protected health information may be used or
disclosed. 2) Foreign Military Personnel. An authorized member of Imagine!’s workforce may
use and disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register.
c. National Security and Intelligence Activities
An authorized member of Imagine!’s workforce may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act, 50 U.S.C. 401 et seq and implementing authority, e.g., Executive Order 12333.
d. Protective Services for the President and Others
An authorized member of Imagine!’s workforce may disclose protected health information to authorized federal officials for the provision of protective services to the President of the United States or other persons authorized by 18 U.S.C. 3056, or to foreign heads of state or other persons authorized by 22 U.S.C. 2709(a)(3), or to for the conduct of investigations authorized by 18 U.S.C. 871 and 879.
e. Correctional Institutions and Other Law Enforcement Custodial Situations
1) Permitted Disclosures. An authorized member of Imagine!’s workforce may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: a) The provision of health care to such individuals; b) The health and safety of such individual or other inmates; c) The health and safety of the officers or employees of or others at the
correctional institution; d) The health and safety of such individuals and officers or other persons
responsible for the transporting of inmates or their transfer from one
33
institution, facility, or setting to another; e) Law enforcement on the premises of the correctional institution; and, f) The administration and maintenance of the safety, security, and good order of
the correctional institution. 2) No Application After Release. For purposes of this provision, an individual is no
longer an inmate when released on parole, probation, supervised release, or otherwise is no longer in lawful custody.
12. Disclosures for Workers’ Compensation
a. Delivery to Privacy Officer
Unless the use or disclosure has previously been approved by the Privacy Officer, a member of Imagine!’s workforce who receives a request, or proposes, to disclose protected health information to comply with laws relating to workers compensation or other similar programs, must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy policies. The use or disclosure should not occur until it has been approved by the Privacy Officer.
b. Permitted Disclosures
An authorized member of Imagine!’s workforce may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illnesses without regard to fault.
13. Disclosure to the Secretary of Health and Human Services
a. Delivery to Privacy Officer
Any member of Imagine!’s workforce who receives a request, or proposes, to disclose protected health information to the Secretary of Health and Human Services must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the disclosure being made. The Privacy Officer will then oversee the disclosure for compliance with these privacy policies. The use or disclosure should not occur until it has been approved by the Privacy Officer.
b. Permitted Disclosures
Acting through its Privacy Officer, Imagine! will permit access by the Secretary of Health and Human Services during normal business hours to its facilities, books, re-cords, accounts and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable requirements of the HIPAA privacy rule. If the Secretary of Health and Human Services determines that exigent circumstances exist, such as when documents may be hidden or destroyed, Imagine! will permit access by the Secretary of Health and Human Services at any time and without notice. If any information required of Imagine! under this section is in the exclusive possession of any other agency, institution, or person and that other agency, institution or person fails or refuses to furnish the information, the Privacy Officer will so certify and set forth what efforts Imagine! has made to obtain the information.
34
14. Disclosures by Whistleblowers A member of Imagine!’s workforce or a business associate may disclose protected heath information, provided that: a. The workforce member or business associate believes in good faith that Imagine!
has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services or conditions provided by Imagine! potentially endangers one or more individuals, workers, or the public; and,
b. The disclosure is to: 1) A health oversight agency or public health authority authorized by law to
investigate or otherwise oversee the relevant conduct or conditions of Imagine! or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by Imagine!; or,
2) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in Section a., above.
The disclosure does not need to be approved by the Privacy Officer before it is made.
15. Disclosures by Workforce Members Who are Victims of a Crime
A workforce member who is the victim of a criminal act may disclose protected health information to a law enforcement official, provided that: a. The protected health information disclosed is about the suspected perpetrator of the
criminal act; and, b. The protected health information disclosed is limited to the following information:
1) Name and address; 2) Date and place of birth; 3) Social security number; 4) ABO blood type and Rh factor; 5) Type of injury; 6) Date and time of treatment; 7) Date and time of death, if applicable; and, 8) A description of distinguishing physical characteristics, including height, weight,
gender, race, hair and eye color, presence of absence of facial hair (beard or moustache), scars, and tattoos.
The disclosure does not need to be approved by the Privacy Officer before it is made.
16. Disclosures to Business Associates
a. Delivery to Privacy Officer
Unless the use or disclosure has previously been approved by the Privacy Officer, any member of Imagine!’s workforce who receives a request, or proposes, to disclose protected health information to a business associate of Imagine! must promptly deliver or otherwise communicate the request or proposal to the Privacy Officer prior to the disclosure being made. The Privacy Officer will then oversee the use or disclosure for compliance with these privacy policies. The use or disclosure may not occur until it has been approved by the Privacy Officer.
35
b. Permitted Disclosures Authorized members of Imagine!’s workforce may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on Imagine!’s behalf, if Imagine! has a written contract with the business associate that meets the requirements of the HIPAA privacy rule.
XX. Uses and Disclosures for Marketing
1. General Rule Except as stated in section XIX.2, a member of Imagine!’s workforce may not use protected health information for marketing without an authorization that meets the applicable requirements of Section VI of these privacy policies. Any use of protected health information for marketing without an authorization must be approved in advance by the Privacy Officer.
2. Exceptions
An authorization does not need to be obtained if Imagine! uses or discloses protected health information to make a marketing communication to an individual that is in the form of: a. A face-to-face communication made by Imagine! to an individual; or, b. A promotional gift of nominal value provided by Imagine!.
If the marketing involves direct or indirect remuneration to Imagine! from a third party, the authorization must state that such remuneration is involved.
3. “Marketing” Defined
“Marketing” means: a. To make a communication about a product or service that encourages recipients of
the communication to purchase or use the product or service, unless the communication is made: 1) To describe a health-related product or service that is provided by the covered
entity making the communication; or, 2) For treatment of the individual; or, 3) For case management or care coordination for the individual, or to direct or
recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
b. An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase that product or service.
XXI. Uses and Disclosures for Fundraising
1. General Rule An authorized member of Imagine!’s workforce may use, or disclose to a business associate or to an institutionally related foundation, the following protected health
36
information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of Section VI of these privacy policies: a. Demographic information relating to an individual; and, b. Dates of health care provided to an individual.
Any use of protected health information for the purpose of raising funds for Imagine!’s benefit without an authorization must be approved in advance by the Privacy Officer.
2. Opting Out
Any fundraising materials Imagine! sends to an individual must include a description of how the individual may opt out of receiving any further fundraising communications. Imagine! must make reasonable efforts to ensure that individuals who decide to opt out of receiving future marketing communications are not sent future communications.
XXII. Limited Data Set
1. General Rule Imagine! may use or disclose a limited data set that meets of the requirements of Section XXII.3 “Limited Data Set Defined” , below, if Imagine! enters into a “data use agreement” with the limited data set recipient. Prior to Imagine! using or disclosing any protected health information as part of a “limited data set”, both the limited data set and the data use agreement must be approved by the Privacy Officer as meeting the requirements of Section XXII.
2. Permitted Uses
a. A limited data set may be used and disclosed only for the purposes of research, public health, or health care operations.
b. Imagine! may use protected health information to create a limited data set or disclose protected health information to a business associate of Imagine! for that purpose, whether or not the limited data set is to be used by Imagine!.
3. “Limited Data Set” Defined
A “limited data set” is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: a. Names; b. Postal address information, other than town or city, State, and zip code; c. Telephone numbers; d. Fax numbers; e. Electronic mail addresses; f. Social security numbers; g. Medical record numbers; h. Health plan beneficiary numbers; i. Account numbers; j. Certificate/license numbers; k. Vehicle identifiers and serial numbers, including license plate numbers; l. Device identifiers and serial numbers; m. Web Universal Resources Locators (URLs); n. Internet Protocol (IP) address numbers; o. Biometric identifiers, including finger and voice prints; and
37
p. Full face photographic images and any comparable images.
4. Data Use Agreement A data use agreement between Imagine! and the limited data set recipient must: a. Establish the permitted uses and disclosures of the limited data set by the limited
data set recipient consistent with the permitted uses stated above. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of these policies or the HIPAA privacy rule if done by Imagine!;
b. Establish who is permitted to use or receive the limited data set; and, c. Provide that the limited data set recipient will:
1) Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
2) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
3) Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
4) Ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and,
5) Not identify the information or contact the individuals.
XXIII. Verification of Identity and Authority.
1. General Rule Prior to any disclosure of protected health information, the authorized member of Imagine!’s workforce who is making the disclosure must: a. Except with respect to disclosures under VI, “Release of Protected Health
Information” of these privacy policies, verify the identity of a person requesting protected health information and the authority of that person to have access to protected health information under these privacy policies, if the identity of that person is not known to Imagine!; and,
b. Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under these privacy policies.
2. Personal Representatives
Unless the person and his or her authority is known to Imagine!, the authorized member of Imagine!’s workforce who is making a disclosure to an individual’s personal representative shall verify the person’s identity by way of a government issued document with a picture (e.g., a driver’s license, passport) and verify the person’s authority (e.g., requiring a copy of a power of attorney, asking questions to establish relationship to a child.)
3. Conditions on Disclosures
If a disclosure is conditioned by these privacy policies on particular documentation, statements, or representations form the person requesting the protected health information, the authorized member of Imagine!’s workforce who is making the disclosure may rely, if such reliance is reasonable under the circumstances, on
38
documentation, statements, or representations that, on their face, meet the applicable requirements.
In this regard: a. The conditions in Section XIX.6.b.2.c under “Disclosures for Law Enforcement
Purposes” of these privacy policies may be satisfied by the administrative subpoena or similar process or by a separate written statement that, on its face, demonstrates that the applicable requirements have been met.
b. The documentation required by Section XIX9.b.1, “Board Approval of a Waiver of Authorization” of these privacy regulations, may be satisfied by one or more written statements provided that each is appropriately dated and signed in accordance with the HIPAA privacy rule, 45 CFR §164.512(i)(2)(i)&(v).
4. Identity of Public Officials
Imagine! may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of a public official: a. If the request is made in person, presentation of an agency identification badge,
other official credentials, or other proof of government status; b. If the request is made in writing, the request is on the appropriate government
letterhead; or, c. If the disclosure is to a person acting on behalf of a public official, a written statement
on appropriate government letterhead that the person is acting under the government’s authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.
5. Authority of Public Officials
Imagine! may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of protected health information is to a public official or a person acting on behalf of a public official: a. A written statement of the legal authority under which the information is requested,
or, if a written statement would be impractical, an oral statement of such legal authority;
b. If a request is made pursuant to legal process, warrant, subpoena, order or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority.
6. Exercise of Professional Judgment
The verification requirements of this section are met if a member of Imagine!’s workforce relies on the exercise of professional judgment in making a use or disclosure in accordance with Section VI, “Release of Protected Health Information” of these privacy policies or acts on a good faith belief in making a disclosure in accordance with Section XIX.10, “Uses or Disclosures to Avert a Serious Threat to Health or Safety” of these privacy policies.
39
XXIV. Prior Authorizations
1. General Rule Notwithstanding other sections of these privacy policies, Imagine! may use or disclose protected health information, consistent with Section XXIV.2 and Section XXIV.3, below, pursuant to an authorization or other express legal permission obtained from an individual permitting the use or disclosure of protected health information, informed consent of the individual to participate in research, or a waiver of informed by an Institutional Review Board.
2. Effect of Prior Authorization for Purposes Other Than Research
Notwithstanding any provisions of Section IV “Access to Protected Health Information” of these privacy policies, Imagine! may use or disclose protected health information that it created or received prior to April 14, 2003, pursuant to an authorization or other express legal permission obtained from an individual prior to April 14, 2003, provided the authorization or other express legal permission specifically permits such use or disclosure and there is no agreed-to restriction in accordance with Section XXV “Right to Request Privacy Protection” of these privacy policies.
3. Effect of Prior Permission for Research
Notwithstanding any provisions in Section IV “Access to Protected Health Information” of these privacy policies and Section XIX.9 “Uses and Disclosures for Research Purposes” of these privacy policies, Imagine! may, to the extent allowing by one of the following permissions, use or disclose, for research, protected health information that it created or received either before or after April 14, 2003, provided there is no agreed-to restriction in accordance with Section XXV “Right to Request Privacy Protection” of these privacy policies, and Imagine! has obtained prior to April 14, 2003, either: a. An authorization or other express legal permission from an individual to use or
disclose protected health information for the research; b. The informed consent of the individual to participate in the research; or, c. A waiver, by an institutional Review Board, of informed consent for research in
accordance with the requirements of the HIPAA Privacy Rule, see, 45 CFR §164.532(c)(3), provided that Imagine! must obtain authorization as required by Section IV “Access to Protected Health Information” of these privacy policies, if, after April 14, 2003, informed consent is sought from an individual participating in the research.
XXV. Right to Request Privacy Protection An individual or their personal representative has the right to request that Imagine! restrict uses or disclosures of PHI about the individual to carry out treatment, payment, or healthcare operations. The Privacy Officer will be the person to agree to, or to deny the request. If Imagine! agrees to the restriction, the protected health information shall not be used or disclosed in violation of the restriction unless the individual in question is in need of emergency treatment and the restricted information is needed to provide that treatment. The health care provider to whom the disclosure was made must be requested not to make further disclosure of the information.
40
Written or electronic documentation of the decision to restrict or not to restrict use and disclosure of protected health information will be maintained for 6 years from the effective date of the agreement or denial. The restriction may be terminated if the individual or personal representative agrees to or requests a termination in writing; the individual or personal representative orally requests or agrees to the termination, and the oral agreement is documented and; Imagine! informs the individual or personal representative, in writing, that Imagine! is terminating the agreement. In the latter case, only information created or received after this notification will be covered by the termination of the restriction. An individual or their personal representative may request that communication regarding protected health information occur by alternative means or at alternative locations from home or work. The request must be in writing and specify where or how the contact is to be made. Imagine! will not ask for a reason why the request is being made. If honoring the request will involve additional expense on the part of Imagine!, the request should include how the expense will be covered.
XXVI. Right to Accounting of Disclosures An individual, or the guardian or authorized representative of the individual may request an accounting of the disclosures Imagine! has made of protected health care information in the 6 years prior to the date of the request, but not prior to the initial effective date of the Imagine! Privacy Practices of April 14, 2003. An accounting of these disclosures will be maintained in the file of the individual in question. Exceptions to the information that is required to be disclosed include:
1. To carry out treatment, payment and health care operations; 2. Disclosures to the individual; 3. Incidental disclosures they occur as the result of the disclosure of permitted information; 4. Disclosures authorized by the individual or guardian or authorized representative; 5. To correctional institutions or law enforcement officials; 6. As part of a limited data set.
The accounting will contain the following information:
1. Date of disclosure; 2. Name of the entity or person who received the information, and the address of the
person or entity; 3. A brief description of the information disclosed; 4. A brief description of the reason for the disclosure; 5. If multiple disclosures are made to the same person or entity for the same purpose over
a period of time the dates of disclosure may be listed with a single explanation of what and purpose;
6. The title of the person or position responsible for compiling and providing the requested accounting.
The right to request an accounting of disclosure may be temporarily suspended if so requested by a health oversight agency or a law enforcement agency if the agency provides Imagine! with
41
a written statement that such an accounting would impede the agency’s activities and which specifies a timeline for which the suspension would be needed. The requested accounting of protected health information disclosures will be provided to the requesting party no later than 60 days from the time of receipt of the request. The Case Management Administrative Assistant or the Case Managers/Service Coordinators will be responsible for providing the accounting. The initial accounting in any 12-month period will be provided to the individual free of charge. For any additional requests during that time period the requesting individual will be informed by the Privacy Officer of any charge to allow the requestor to withdraw or revise the request to avoid or reduce the fee.
42
APPENDIX A Identification of Workforce Members’ Access To Prot ected Health Information.
1. Chief Executive Officer/Executive Director: The Chief Executive Officer/Executive Director must have access to all protected health information maintained by Imagine!. There are no conditions applicable to that access.
2. Chief Financial Officer:
The Chief Financial Officer must have access to any and all financial information concerning individuals served or supported by Imagine!. There are no conditions applicable to that access.
3. Nursing Staff and Administrative Assistant:
Nursing Staff or the Administrative Assistant must have access to all clinical information of individuals to whom she/he is providing services. There are no conditions applicable to that access. She/he must have access to billing information concerning an individual if the Billing Staff must discuss billing matters concerning that individual with the Nursing Staff or Administrative Assistant.
4. Case Management Staff: Case Management Staff must have access to all health/clinical information of individuals whom she/he supports. There are no conditions applicable to that access.
5. Direct Support Staff, Department Directors and Department Supervisors:
Direct Support Staff, Department Directors and Department Supervisors must have access to all health/clinical information of individuals whom she/he supports. There are no conditions applicable to that access. She/he must have access to billing information concerning an individual if the Billing Staff must discuss billing matters concerning that individual with the Direct Support Staff, Department Directors or Department Supervisors.
6. Human Resources Staff:
Human Resources Staff must have access to all protected health information maintained by Imagine!. There are no conditions applicable to that access.
7. Business Office and Billing Staff:
The Business Office and Billing Staff must have access to all billing and payment information concerning the individual. There are no conditions applicable to that access. Staff must have access to health/clinical information concerning the individual to the extent necessary to bill for services provided to the individual.
43
8. Information Technology Staff:
The Information Technology Staff must have access to all protected health information maintained by Imagine!, provided that this access is needed to support another member of the workforce.
9. Receptionists:
The Receptionist must have access to the names of all individuals and of their personal representatives. There are no conditions applicable to that access.
10. Janitorial/Maintenance Staff:
The Janitorial/Maintenance Staff does not need access to any protected health information concerning any individual Imagine! serves.
44
APPENDIX B Fees for Copies of Protected Health Information If an individual requests a copy of PHI, Imagine! may charge a reasonable, cost–based fee for the copying, including the labor and supply costs of copying. • If hard copies were made, this would include the cost of paper and not exceed:
o Fifty cents ($.50) per page for the first 25 pages; o Twenty-five cents ($.25) per page for the next 26 – 500 pages; and o Ten cents ($.10) per pages for pages greater than the first 500 copies.
• If electronic copies were made to a USB drive this would include the cost of the USB drive and not exceed fifteen dollars ($15.00) per USB drive.
• Imagine! may not charge any fees for retrieving or handling the information or for processing the request.
• If an individual requests that the information be mailed, the fee may include actual cost of postage.
• If an individual requests an explanation or summary of the information provided, and agrees in advance to any associated fees, Imagine! may charge for preparing the explanation or summary.