Upload: lediep

Post on 13-Jun-2018

Page 1: THE DENTAL CLINIC HIPAA PRIVACY MANUAL
ahn.mnsu.edu/dental/clinic/the_dental_clinic_hipaa_manual_18.pdf

1

THE DENTAL CLINIC HIPAA PRIVACY MANUAL

TABLE OF CONTENTS

Protection of Individual Health Information ................................................................................................................. 2

Use & Disclosure Policy ................................................................................................................................................. 4

Policy and Procedure for Notice of Privacy Practices for Health Information ............................................................... 8

Right to Request Restrictions On Certain Uses and Disclosures of Protected Health Information Policy ..................... 9

Procedure: ..................................................................................................................................................................... 9

Right to Request Amendment of Individual Health Information ................................................................................. 10

Procedure: ................................................................................................................................................................... 10

Right to Request Confidential Communications .......................................................................................................... 12

Identification Verification ............................................................................................................................................ 13

Accounting of Disclosures ............................................................................................................................................ 17

Use of HIPAA Authorization for Use and Disclosure .................................................................................................... 19

Right to Access, Inspect and Copy Protected Health Information ............................................................................... 20

Minimum Necessary Standard .................................................................................................................................... 22

Privacy Breach Notification Requirements .................................................................................................................. 22

Appendix A - Definitions .............................................................................................................................................. 26


PROTECTION OF INDIVIDUAL HEALTH INFORMATION

The Minnesota State University, Mankato (MSUM) Dental Clinic protects the privacy and security of individual health information at the Dental Clinic in accordance with all applicable state and federal laws. MSUM is designated as a hybrid entity for the purposes of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). MSUM has designated health care components (the Dental Clinic) that are covered by HIPAA. Those health care components provide health care services, or business/professional services that require access to protected health information (PHI).

The Dental Clinic has adopted policies and procedures to protect the privacy of protected health information, and has designated a Privacy Officer to oversee the implementation of the Dental Clinic policies and procedures.

The Dental Clinic has established appropriate safeguards to protect PHI from inappropriate disclosure, and provides training and education to members of its health care workforce regarding policies, procedures and legal requirements related to the privacy of PHI.

The Dental Clinic will cooperate with the Secretary of the Department of Health and Human Services (Secretary) as required for complaint investigation and compliance reviews.

The Dental Clinic will respond to questions and complaints regarding the privacy and security of PHI at the Dental Clinic and will resolve the complaints as appropriate.

The Dental Clinic will not sanction, and will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against, persons who file complaints with the Secretary; persons who testify, assist or participate in an investigation, compliance review, proceeding or hearing; or a person opposing any act or practice that is unlawful, provided the person had a good faith belief that the practice complained about is unlawful, the manner of opposition is reasonable, and the opposition does not involve an unlawful disclosure of PHI.

When the Dental Clinic becomes aware of prohibited uses or disclosures of PHI, either through routine administrative activities or through a complaint, it is the Dental Clinic’s responsibility to investigate as needed and to take necessary actions to end and/or prevent the violation and mitigate damages. Sanctions for violations of policy by workforce members include disciplinary action up to and including termination.

The Dental Clinic is obligated to protect the privacy and security of PHI in accordance with applicable law and all related Dental Clinic policies and procedures. All Dental Clinic employees must be aware of and adhere to these obligations.

The Dental Clinic will use and disclose PHI in a manner consistent with the current Notice of Privacy Practices. Reasonable efforts will be made to limit uses, disclosures and requests of PHI to the minimum necessary to carry out the intended purpose of the use, disclosure or request whenever that standard is applicable.

The Dental Clinic will enter into a business associate agreement with outside parties as required by HIPAA when the party performs business associate functions related to the Dental Clinic’s provision of health care services. The Dental Clinic will sign a business associate agreement and comply with all applicable regulations if it acts as a business associate of another covered entity.

The Dental Clinic may create, use or disclose summary health data, from which all identifying information has been removed, without reference to this policy.

The Dental Clinic will provide individuals with a Notice of Privacy Practices to access PHI; request amendments to PHI; request restrictions on use and disclosure of PHI; and receive an accounting of disclosures, as required by law.

The Dental Clinic will disclose PHI when requested and required by the Secretary for compliance.

The Dental Clinic will maintain appropriate documentation to comply with federal or state law related to PHI.

The Dental Clinic may define additional conditions and procedures related to the privacy of PHI. Such additional conditions and procedures must be consistent with this overall policy, but may provide additional detail, guidelines and/or restrictions, as appropriate.

Dental Clinic employees whose job responsibilities require access to PHI are responsible for understanding their obligation to protect PHI and for complying with all relevant Dental Clinic policies and procedures, as well as current state and federal laws. Persons who have access to PHI are responsible for the following:

• Comply with all Dental Clinic policies and procedures and state and federal laws related to the privacy and security of PHI;
• Complete all required training on policies, procedures and state and federal laws related to the privacy and security of PHI;
• Use or disclose PHI only as permitted or required by the Dental Clinic policies and procedures or state and federal law;
• Disclose only PHI that is minimally necessary for the purpose of the disclosure;
• Access and use only PHI that is minimally necessary to carry out the job function;
• Verify the identity and authority of persons to whom PHI is disclosed;
• If performing work for both a covered and non-covered component, not use or disclose PHI created or received in the course of work for the covered component in a prohibited manner.

Consequences of violations: Alleged violations of policy will be referred to the Dental Clinic Privacy Officer. Depending on the nature and severity of the offense, policy violations may result in loss of privileges, disciplinary action, up to and including termination of student and/or employee status, and referral for civil or criminal legal action.

USE & DISCLOSURE POLICY

The MSUM Dental Clinic will use and disclose protected health information (PHI) as permitted and required by state and federal law. The Dental Clinic will account for disclosures as required by law. [Refer to E.2.9 Accounting of Disclosures.] The terms Protected Health Information (PHI), Use, Disclosure, Treatment, Payment, Health Care Operations, Consent, and Authorization as used in this document have the meanings described in the “Definitions” section.

Procedure:

1. Notification and Acknowledgement of Notification of Privacy Practices – The Dental Clinic must provide a Notice of Privacy Practices at the first visit of each patient and obtain written acknowledgement of notification. Refer to Notice of Privacy Practices and Policy and Procedures for the Notice of Privacy Practices for Health Information. Notification is not required in emergency situations that make notification or acknowledgement not possible.

2. For Purposes of Treatment, Payment, or Health Care Operations:

A. Written Permission NOT REQUIRED. PHI may be used or disclosed within the Dental Clinic and with its business associates (Refer to Business Associate Policy and Procedures) without written consent or authorization if the use or disclosure is for treatment, payment or health care operations, or to government agencies or disaster relief organizations conducting disaster relief actions.

B. Written Permission REQUIRED. Use or disclosure of PHI to entities outside the Dental Clinic requires appropriate prior written consent under Minnesota law or valid authorization in most circumstances.

i. Consent – Minnesota Statute 144.293 requires that written consent be obtained by a provider prior to the following:

• Disclosure to a health care provider outside the Dental Clinic for the individual’s treatment;

• Disclosure for health care operations purposes when those activities are conditioned on a relationship between the individual and the MSUM Dental Clinic and the receiving entity. If the information to be shared is related to that relationship, the information may be used:

a. to conduct quality assessment and improvement activities, including evaluation and development of clinical guidelines, population based activities to improve health or reduce health care costs, develop protocols, perform case management, care coordination and related functions that do not include treatment;
b. to review competence or qualifications of health care professionals;
c. to evaluate practitioner and provider performance or health plan performance;
d. to conduct training for students, trainees or practitioners under supervision to practice or improve their skills;
e. to train non-health care professionals;
f. for accreditation, certification or other credentialing activities; and
g. for fraud and abuse detection and compliance.

ii. Authorization – A valid HIPAA compliant authorization is required for disclosures to entities outside the Dental Clinic for treatment, payment and health care operations purposes not listed above. (See Consent Form to Release Health Information.) In addition, authorizations are required for most non-routine uses and disclosures of PHI, such as those related to research and marketing. Neither a valid consent document nor a written acknowledgement of the Notice of Provider Privacy Practices is valid permission for a purpose that requires an authorization. Examples of when a valid authorization is required:

• Disclosure to family members, close friends, or other persons the patient identifies as assisting in the patient’s care;
• Disclosure of PHI to an employer for employment decisions;
• Disclosure of PHI to a life insurer for underwriting/eligibility for insurance; and
• Most fundraising, marketing, and research.

3. Required Disclosures: The Dental Clinic is required to disclose PHI in the following instances:

A. To the federal Department of Health and Human Services in its role to determine compliance;
B. As otherwise required by state law, e.g. deaths reported to the state registrar or occupational diseases to the Commissioner of Health.

Other required instances are described below in paragraph 4.

4. Public Purpose Disclosures Permitted or Required by Law. PHI may be used or disclosed without the individual’s written authorization and without notifying the individual in certain situations. Most of these situations serve a public purpose. Prior to disclosing information in any of these situations, verify the authority of the person making the request and the purpose. (Refer to E.2.8 Identification Verification.) If there is any uncertainty, consult the Dental Clinic Privacy Officer. Authorized disclosures include the following:

A. To a public health authority required to collect or receive PHI:

i. To collect or receive information to prevent disease, injury, or disability and to conduct surveillance, investigations or interventions;
ii. As authorized to receive reports of child abuse or neglect;
iii. As subject to the jurisdiction of the federal Food and Drug Administration;
iv. To a person who may have been exposed to a communicable disease or may be at risk of contracting or spreading disease, as specifically authorized in law;
v. To an employer about a workforce member relevant to work-related illness or injury, to comply with OSHA or similar laws, and if the workforce member has been given written notification of the disclosure.

B. Related to reports of abuse or neglect or domestic violence. The Dental Clinic may disclose PHI as part of the mandated reporting obligations under Minnesota law. HIPAA requires the Dental Clinic to notify the individual or the individual’s legal representative of the report, unless the Dental Clinic reasonably determines that notification presents a risk of serious harm to the individual or the legal representative is causing the abuse or maltreatment.

C. To regulatory agencies for health oversight activities. The Dental Clinic may disclose PHI to regulatory agencies where specifically authorized by state or federal law and related to audits, civil, administrative or criminal investigations, inspections, or licensure or disciplinary actions. Disclosure is also permitted for oversight of public benefit programs and compliance, including civil rights laws.

D. Judicial and administrative proceedings. Consistent with Minnesota law, PHI maintained by the Dental Clinic may be disclosed for judicial and administrative proceedings only with individual written authorization or pursuant to a court order valid in Minnesota, including a court ordered warrant. Consult the Dental Clinic Privacy Officer.

E. Related to law enforcement functions or victims of a crime. Consistent with Minnesota law, in general, PHI maintained by the Dental Clinic may be disclosed for law enforcement purposes only with individual written authorization or pursuant to a court order valid in Minnesota, including a court ordered warrant. Consult the Dental Clinic Privacy Officer or the Special Assistant to the President. There are enforcement situations that allow PHI to be released without permission, for example, suspected child abuse, suspicious injuries such as gunshot wounds, medical examiner investigations and emergency situations.


F. To avert a serious threat to health and safety. The Dental Clinic may disclose PHI, consistent with legal and ethical standards, if a provider, in good faith, believes that disclosure is necessary:

i. To prevent or lessen a serious and imminent threat to the health and safety of a person or the public, and disclosure is made to persons able to lessen that threat, including the person against whom the threat is made; or
ii. To medical services personnel who may have been exposed to blood borne pathogens.

G. Specialized federal government functions. Disclosure must be mandated by federal law and/or authorized by Minnesota law. The Dental Clinic should verify the regulatory language asserted. This provision permits disclosure involving veterans or military activities, national security, medical suitability determinations by the State Department, corrections or other law enforcement custodial situations, and government programs providing public benefits. Consult with the Dental Clinic Privacy Officer.

H. Employment functions. PHI related to a worker’s compensation claim may be released with the individual’s consent to parties to the claim, or to the Commissioner of the Minnesota Department of Labor and Industry upon the commissioner’s written request. At the request of an employer, the Dental Clinic staff who evaluate an individual for a work related illness or injury or as part of a medical surveillance of the workplace may disclose information related to the evaluation to the employer who requested the evaluation, with the employee’s consent. The provider must notify the employee that the information will be provided to the employer, and release the minimum necessary as legally required.

I. For cadaveric organ, eye, or tissue donation. Where there is a requirement for consent under Minnesota law (for example, when there is no will, driver’s license designation or health care directive), consent must be obtained to disclose individual health information to organ procurement organizations.

J. To coroners, medical examiners, and funeral directors as appropriate for a decedent. Under Minnesota law, individual health information of a decedent must be treated the same as individual health information prior to death, with certain exceptions:

i. Individual health information may be used or disclosed to provide a coroner with information about the death and as necessary for a coroner’s investigation;
ii. Individual health information related to the fact of death and demographic information may be disclosed to a funeral director or other person responsible for the body. Consent of the surviving spouse, parents or other legal representative is required prior to release of further information.

K. For research purposes, in very limited situations. In general, the use and disclosure of PHI for research purposes is extremely limited without a specific authorization from each patient/participant. At a minimum, assurances of de-identification and/or IRB approval are required. The Dental Clinic should consult with the Dental Clinic Privacy Officer to ascertain that all requirements have been met in preparation of the research proposal.

POLICY AND PROCEDURE FOR NOTICE OF PRIVACY PRACTICES FOR HEALTH INFORMATION

The purpose of this policy is to implement the Dental Clinic’s principles according to the Health Insurance Portability and Accountability Act (HIPAA) privacy rule. The MSUM Dental Clinic will comply with the requirements of the national, state and organization framework for health information privacy protection by making available a Notice of Privacy Practices. Individuals have a right to receive a copy of the Notice of Privacy Practices explaining how their information will be used and what their individual rights are. The notice will describe the Dental Clinic practices regarding use of patient information and the practices of:

1. Any health care professional authorized to enter information into a patient’s chart or medical record.
2. All departments and units of the facilities, clinics or physician’s offices a patient may visit.
3. Any member of a training group allowed to help the patient while in the facility.
4. All employees, staff and other personnel who may need to access the patient’s information.

Procedure:

1. The Dental Clinic will:
a. Provide notice to each patient at their initial visit or subsequent visit if they have not received it previously;
b. Have copies of the notice available at the clinic and post in a conspicuous location;
c. Post notice on the web and make notice available electronically;
d. Attempt to obtain an individual’s written signature acknowledging the provisions of the Dental Clinic Notice of Privacy Practices at time of first service;
e. File a copy of acknowledgement in the patient’s medical record.

(1) If an individual refuses to provide written acknowledgement, the Dental Clinic will document the attempt and the individual’s refusal. The Dental Clinic will thereafter use and disclose the individual’s protected health information for treatment, payment and health care operations.

(2) No written acknowledgement will be required in emergency circumstances.

The Notice of Privacy Practices follows specific required elements according to state and federal law. The notice may not be modified, except to add the appropriate Dental Clinic logo and any necessary telephone numbers.


RIGHT TO REQUEST RESTRICTIONS ON CERTAIN USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION POLICY

Individuals age 18 years or older have the right to request restrictions on use and/or disclosure of their protected health information (PHI). If the requestor is under age 18, the Privacy Officer will be consulted to determine applicability of Minn. Rule 1205.0500, subp. 3 (describing minors’ control of their records). Individuals may request restrictions on: (1) disclosure of health information to a relative or other person who is involved in the patient’s care; and (2) disclosures related to treatment, payment or health care operations. The Dental Clinic is not required to agree to the individual’s requested restriction. If the Dental Clinic does agree, it will abide by those restrictions, unless required for the individual’s emergency treatment, and it will document and retain the restriction as required by law. If a patient requests a restriction on disclosures of his/her PHI to a health plan for purposes of carrying out payment or health care operations, and the PHI pertains to an item or service for which the practice has been paid out-of-pocket in full by the patient, the requested restriction must be honored.

Procedure:

1. A patient requesting a restriction will be asked to complete the Request for Restriction form.

2. The Dental Clinic may use the request as an opportunity to explain its use of information, including the best interests of the individual.

3. The patient’s provider and the Dental Clinic HIPAA compliance officer will have designated authority to decide on the patient’s request for restrictions to PHI.

4. The Dental Clinic is not required to agree to a restriction, unless it pertains to an item or service for which the practice has been paid out-of-pocket in full by the patient (see #9). Factors that may be considered include, but are not limited to, whether:
a. The restriction will or may adversely affect the quality of the patient’s care or services; or
b. The restriction limits or prevents the provider from making or obtaining payment for services.

5. PHI will only be disclosed when the information is necessary for emergency treatment of the individual. If the Dental Clinic discloses PHI to a health care provider for emergency treatment purposes, it must request that the information not be further used or disclosed by the provider. Agreement to a restriction by the Dental Clinic is effective only for uses and disclosures made by the Dental Clinic. Agreed upon restrictions are not effective to limit uses or disclosures as permitted or required to the Secretary of the US Department of Health and Human Services for compliance, or for disclosures made for a public purpose.

6. Patients must be notified in writing within a reasonable time of acceptance or denial of the request. Patients must be informed of their right to complain about a denial to the Director of the Dental Clinic, the Privacy Officer, and the Secretary of the US Department of Health and Human Services. Requests for restrictions for which the practice has been paid out-of-pocket in full by the patient will not require notification of acceptance in writing.

7. If the request is granted, the Dental Clinic is bound by the agreed upon restriction and must:
a. Document any agreed upon restriction. Documentation must be in the patient’s current record and any other location(s) to assure appropriate processing of the restriction.
b. Retain documentation for at least six years or until written agreement from the patient to terminate the restriction.

8. The Dental Clinic may terminate an agreement to a restriction if the patient agrees to or requests termination of the restriction in writing, or the patient orally agrees to or requests termination of the restriction, in which case the oral agreement and termination request will be placed in the patient’s file. The patient must then be informed in writing that the Dental Clinic is terminating the agreement to the restriction. Terminations for requests for restrictions for which the practice has been paid out-of-pocket in full by the patient must be received at least 30 days prior to the timely filing limitation of the patient’s health plan. These terminations will not require notification to the patient in writing.

9. Should the Dental Clinic receive a request for restriction on disclosure for an item or service for which the practice has been paid out-of-pocket in full by the patient, the Dental Clinic shall:
a. Obtain a Request for Restrictions on Use and Disclosure of Protected Health Information form signed and dated by the patient;
b. Determine if any follow-up treatment might be required (it will be difficult to obtain payments from the health plan for follow-up treatment if they lack information regarding the original service/procedure). It should be explained to the patient that follow-up treatments may also require payment out-of-pocket in full;
c. Flag the information to ensure it is not inadvertently disclosed by making screen notes.

RIGHT TO REQUEST AMENDMENT OF INDIVIDUAL HEALTH INFORMATION

The MSUM Dental Clinic will honor an individual’s right to request an amendment of their individual health information if they feel that the information is incomplete or inaccurate, as required by law. Accurate means the information is reasonably free from error. Complete means that the information describes all the subject’s transactions with the health care component in a reasonable way.

Note: This policy and procedure does not apply to demographic information that can be changed.

Procedure: 1. Any patient requesting an amendment of their health information will be asked to complete

the Amendment Request Form. 2. The patient’s provider or the Director, in collaboration with the Dental Clinic HIPAA

Compliance Officer, will have designated authority to decide on the amendment request. 3. Request for amendment may be denied if the information requested to be amended:

a. is accurate and complete b. was not created by the MSUM Dental Clinic

Page 11: THE DENTAL CLINIC HIPAA PRIVACY MANUALahn.mnsu.edu/dental/clinic/the_dental_clinic_hipaa_manual_18.pdf · THE DENTAL CLINIC HIPAA PRIVACY MANUAL ... The Dental Clinic will sign a

11

c. is not part of the individual’s health record d. is not accessible to the individual because federal and state law do not permit it

4. The written request will be date stamped when received. The Dental Clinic must act on the individual’s request for amendment within 30 days after receipt of the amendment.

5. If the request is granted, in whole or in part:
a. The Dental Clinic must amend the inaccurate or incomplete data within 30 days of the request:
1. Create an addendum on the visit note.
2. Inform the individual that the amendment is accepted.
3. Obtain the individual's identification of, and agreement to have the Dental Clinic notify, the relevant persons with whom the amendment needs to be shared (see Request form).
4. Make reasonable efforts to provide the amendment to persons identified by the individual, and to persons, including business associates, that the MSUM Dental Clinic knows have individual health information that is the subject of the amendment and that may have relied on or could foreseeably rely on the information to the detriment of the individual.

6. If the request or any part of it is denied, the Dental Clinic must provide the individual with a written denial within 30 days of the request that contains the following:
a. The basis for the denial.
b. The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement.
c. A statement that the individual may request that the Dental Clinic provide the individual's request for amendment and the denial with any future disclosures of the protected health information that was the subject of the request.
d. A description of how the individual may complain to the Secretary of the US Department of Health and Human Services or the Commissioner of the Minnesota Department of Administration (within 60 days).
e. The name or title and the telephone number of the designated contact person who handles complaints for the Dental Clinic, and the email address [email protected].

7. The Dental Clinic must permit the individual to submit a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The Dental Clinic may reasonably limit the length of a statement of disagreement.

8. The Dental Clinic may prepare a written rebuttal to the individual’s statement of disagreement. Whenever such a rebuttal is prepared, the Dental Clinic must provide a copy to the individual who submitted the statement of disagreement.

9. The Dental Clinic must, as appropriate, identify the individual health information that is the subject of the disputed amendment and append or otherwise link the individual’s request for amendment, the Dental Clinic denial of the request, the individual’s statement of disagreement, if any, and the Dental Clinic rebuttal, if any. In addition, if requested include material appended to the statement of disagreement or an accurate summary of such information, with any subsequent disclosure of the individual health information to which the disagreement relates.


10. If the individual has not submitted a written statement of disagreement, the Dental Clinic shall include the individual’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of protected health information only if the individual has requested such action.

11. When a subsequent disclosure is made using a standard transaction that does not permit the additional material to be included, the Dental Clinic must separately transmit the material required.

12. When the Dental Clinic receives notification from another health care provider or health plan that an individual's health information has been amended, the Dental Clinic must:
a. Amend the information in written or electronic form.
b. Ensure that the amendment is appended to the health record.
c. Inform its business associates that may use or rely on the information of the amendment (as agreed to in the business associate contract) so that they may make the necessary revisions based on the amendment.

RIGHT TO REQUEST CONFIDENTIAL COMMUNICATIONS

Individuals age 18 years or older have the right to request restrictions on how and where their protected health information (PHI) is communicated. If the requestor is under age 18, the Privacy Officer will be consulted to determine the applicability of Minn. Rule 1205.0500, subp. 3 (describing how a minor may control access to records). The Dental Clinic will accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations.

Procedure:

1. The Dental Clinic may require that patient requests to receive communications of PHI by alternative means or at alternative locations be made in writing. The requirement to provide a written request must be documented in the Notice of Privacy Practices. If oral requests are permitted, staff must document the request in writing.

2. Patients may request prospectively to receive communications of PHI by alternative means or at alternative locations at the time of visit, or at any time during the course of their care to any member of the Dental Clinic staff.

3. The Dental Clinic should respond to a request as soon as practicable. All communications related to the request must be documented on paper or electronically and documentation retained for six years, or longer under applicable record retention policy.

4. The Dental Clinic must accommodate requests that are reasonable. A request is “reasonable” based solely on the administrative difficulty of accommodating the request. The Director of the Dental Clinic has authority to make the final accommodation decision for the Dental Clinic.

5. Patients may not be required to give a reason for their request. If given, the patient’s reason for making a request cannot be used to determine whether the request is reasonable.

6. The Dental Clinic may deny patient requests if:
- The patient does not specify an alternative address or other method of contact.
- The patient does not provide information as to how payment, if applicable, will be handled.

7. If the Dental Clinic grants a patient's request:
- The decision must be documented by maintaining a written or electronic record of the action taken;
- Retain the record in a location appropriate to assure follow-through; and
- Provide appropriate staff with the communication requirements and require staff to adhere to them.

8. If the Dental Clinic denies a request:
- The decision must be documented and maintained for at least six years, or longer under the applicable record retention policy;
- Provide a written response that includes a brief explanation for the denial and the complaint procedures.

IDENTIFICATION VERIFICATION

The Dental Clinic will maintain patient confidentiality by verifying the identity of all persons, including patients, requesting the use and/or disclosure of protected health information (PHI). The Dental Clinic will obtain patient consent or authorization, as may be required, before disclosing PHI. Appropriate identification will be obtained prior to allowing access to protected health information.

Procedure:

1. Verify that patient consent or authorization has been obtained, or the opportunity to object provided, if required.

2. Verify the identity of persons requesting any protected health information prior to allowing access to it by following one of the verification steps outlined below. Consult the MSUM Privacy Officer before making any disclosure if uncertain whether or not sufficient verification has been obtained.

Verification matrix. For each type of person to identify, the entries below list what is sufficient for an In-Person Encounter, a Telephone Encounter, and a Request in Writing (fax, mail, hand-delivered).

Attorney
In-Person Encounter: Presents with business card and photo identification (i.e. driver's license or organization ID badge), and: presents with an authorization for release of information signed by the patient or personal representative; or presents with a warrant, court order, or other legal process issued by a grand jury or a judicial or administrative tribunal.
Telephone Encounter: Previously provided a signed authorization for release of information signed by the patient or personal representative; or previously provided a warrant, court order, or other legal process issued by a grand jury or a judicial or administrative tribunal.
Request in Writing: Presents with business card and photo identification (i.e. driver's license or organization ID badge), and: presents with an authorization for release of information signed by the patient or personal representative; or presents with a warrant, court order, or other legal process issued by a grand jury or a judicial or administrative tribunal.

Patient
In-Person Encounter: Patient provides name and date of birth and/or student ID; or acquainted with patient.
Telephone Encounter: Patient provides name and date of birth and/or student ID.
Request in Writing: Patient provides name and date of birth and/or student ID. Next verify the patient's signature against the signature on file or on driver's license.

Personal Representative (legal guardian) for the Patient
In-Person Encounter: Personal Representative provides patient's name and date of birth and/or student ID, and verifies (via appropriate legal documentation) own relationship to patient; or acquainted with personal representative as being such.
Telephone Encounter: Personal Representative provides patient's name and date of birth and/or student ID, and verifies (via appropriate legal documentation) own relationship to patient; or acquainted with personal representative as being such.
Request in Writing: Personal Representative provides patient's name and date of birth and/or student ID. Next verify the personal representative's signature against the signature on file or on driver's license.

Persons involved in the patient's immediate care (consent or opportunity to object required, unless emergency); release only PHI relevant to the patient's current care. Examples: blood relative, spouse, domestic partner, roommate, boyfriend/girlfriend, neighbor, colleague.
In-Person Encounter: Patient actively involves this person in his/her care; or, in your best professional judgment, the disclosure is in the patient's best interest and the patient is unavailable to consent; or a medical emergency exists and the patient is unavailable to consent.
Telephone Encounter: Patient actively involves this person in his/her care; or, in your best professional judgment, the disclosure is in the patient's best interest and the patient is unavailable to consent; or a medical emergency exists and the patient is unavailable to consent.
Request in Writing: Verify same as above. (Permitted by Minn. Stat. 144.335, subd. 3a, only in limited circumstances re: patient with mental illness.)

Power of Attorney (POA) for the Patient
In-Person Encounter: Presents with a photo ID and a copy of the POA; verify the patient's signature against the one on file. Or acquainted with power of attorney as being such.
Telephone Encounter: Previously obtained a copy of the POA and verified the patient's signature against the one on file; or acquainted with power of attorney as being such.
Request in Writing: Obtain a copy of the POA and verify the patient's signature against the one on file.

Provider from another facility
In-Person Encounter: Acquainted with provider as a treatment provider; provider is wearing a photo badge from his/her facility; or patient/personal representative introduces provider to you.
Telephone Encounter: Acquainted with provider as a treatment provider; or call the requestor back through the main switchboard number at that facility (instead of through the direct number).
Request in Writing: Recognize name of facility and address on letterhead as a treatment facility; or call the requestor through the main switchboard number at that facility (instead of through the direct number).

Public Official (CIA, court order, FBI, law enforcement officer, OCR (Office for Civil Rights), OIG (Office of the Inspector General), public health agency official)
In-Person Encounter: Presents an agency identification badge; presents with a written statement of legal authority; presents with a written statement of appointment on appropriate government letterhead; presents with a warrant, court order, or other legal process issued by a grand jury or a judicial or administrative tribunal; presents with a contract for services or purchase order; or official states release is necessary to prevent or lessen the threat to the health or safety of a person/public.
Telephone Encounter: Official states release is necessary to prevent or lessen the threat to the health or safety of a person/public.
Request in Writing: Written statement of legal authority; written statement of appointment on appropriate government stationery; warrant, court order, or other legal process issued by a grand jury or a judicial or administrative tribunal; or contract for services or purchase order.

Vendor who helps with treatment, payment, or health care operations (examples include, but are not limited to: accreditation organization, durable medical equipment companies, insurance company, pharmacy vendor with whom the Dental Clinic has a rebate agreement, software vendor, statement vendor)
In-Person Encounter: Recognize requestor/organization; or photo identification with organization.
Telephone Encounter: Recognize requestor/organization.
Request in Writing: Recognize requestor/organization; or call the requestor through the main switchboard number at that facility (instead of through the direct number).

ACCOUNTING OF DISCLOSURES

The Dental Clinic will provide individuals with an accounting of disclosures of their protected health information as required by HIPAA. Accountings described at 45 CFR 164.528 are not retroactively required for disclosures made before April 14, 2003. Minnesota law requires providers to document in the patient’s health record any release of health records without patient consent.

Procedure:

1. A patient may request an accounting in writing by submitting the Request for Accounting of Disclosures form.
a. An accounting is not required of disclosures for purposes of treatment, payment or health care operations for which the patient has given consent, or for other disclosures authorized by the patient.
b. A patient may authorize in writing that the accounting of disclosures be released to another individual or entity. The request must clearly identify all information required to carry out the request (name, address, phone number, etc.).

2. Under HIPAA and Minnesota law, all disclosures for which patient consent or authorization has NOT been obtained must be provided in the written accounting. These include disclosures:
a. required by law (e.g. mandated reporting under state law);
b. for public health activities and reporting;
c. about victims of abuse, neglect, or domestic violence;
d. for health oversight activities (e.g. licensure actions);
e. in response to a court order;
f. in response to a subpoena or discovery request for law enforcement purposes;
g. to a medical examiner or funeral director, or for cadaveric organ donation;
h. for certain specialized government functions (e.g. regarding armed forces personnel);
i. as required to comply with workers' compensation laws;
j. to business associates, or subsequently by business associates (if not related to treatment, payment or health care operations for which the patient has given consent);
k. for national security or intelligence purposes;
l. to correctional institutions or law enforcement officials about an inmate or other individual in legal custody;
m. for certain research purposes (consult the Privacy Officer);
n. to the Secretary of the U.S. Department of Health and Human Services; and
o. any disclosures not permitted or required by law.

3. Individuals do not have the right to obtain an accounting of disclosures made:
a. to carry out treatment, payment, or health care operations (with patient consent);
b. to the individual or the individual's personal representative;
c. pursuant to an authorization;
d. incidental to a permitted disclosure;
e. to persons (e.g. family) involved in the individual's care;
f. as part of a limited data set with a data use agreement; or
g. as de-identified information.

4. Disclosures subject to accounting include written, verbal, or electronic PHI.

5. Information that must be maintained (tracked) and included in an accounting:
a. Date of disclosure.
b. Name of the individual or entity who received the information and their address, if known.
c. Brief description of the protected health information disclosed.
d. Brief statement of the purpose of the disclosure, or a copy of the individual's written request for disclosure.
e. Multiple disclosures to the same party for a single purpose may have a summary entry. A summary entry includes all information described in this paragraph for the first disclosure, the frequency with which disclosures were made, and the date of the last disclosure.

Disclosures may be tracked by a variety of internal processes that are both practical and ensure an accurate and complete accounting of disclosures. For example:
- Manual logs, with one log per patient maintained in the patient's health record.
- Authorization forms maintained in the patient's health record.
- Computerized tracking systems that have the ability to sort by individual and/or date.

6. Maintain an accounting of disclosures of individual health information for each patient for at least six years, or longer as required by the Dental Clinic record retention policy.

7. Provide the individual with an accounting of disclosures as soon as possible, but within 60 days after receipt of the request.


a. If the accounting cannot be completed within 60 days after receipt of the request, provide the individual with a written statement of the reason for the delay and the expected completion date. Only one extension of time, 30 days maximum, per request is permitted.
b. Requests can cover a period of up to six years prior to the date of the request.
c. Respond in writing. Content must include the elements listed in paragraph 5 above. A copy of the log(s) may be provided.

8. The Dental Clinic will provide one accounting annually to an individual without charge. The Dental Clinic may charge for subsequent accountings provided within the year.
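The tracking that items 1 through 8 describe can be checked in code. The following is an added example, not part of the clinic's manual or of any system the clinic uses: a Python sketch of a per-patient disclosure log that drops the exempt categories in item 3, keeps the fields in item 5, collapses repeated disclosures to one party for one purpose into a summary entry (item 5e), limits the accounting to the six years before the request (item 7b), and computes the 60-day response deadline with its single 30-day extension (items 7 and 7a). The basis tags, the SAMPLE_LOG records and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Bases of disclosure exempt from accounting (policy item 3). The tag names
# are an assumption for this example, not codes used by the clinic.
EXEMPT_BASES = frozenset({
    "treatment", "payment", "operations",   # 3a: TPO with patient consent
    "to_individual",                        # 3b: to the patient or representative
    "authorization",                        # 3c: pursuant to an authorization
    "incidental",                           # 3d: incidental to a permitted disclosure
    "involved_in_care",                     # 3e: family/others involved in care
    "limited_data_set", "deidentified",     # 3f, 3g
})


@dataclass(frozen=True)
class Disclosure:
    """One tracked disclosure; the fields mirror policy items 5a-5d."""
    patient_id: str
    disclosed_on: date
    recipient: str
    description: str
    purpose: str
    basis: str                              # why it was disclosed (see EXEMPT_BASES)
    recipient_address: Optional[str] = None


def requires_accounting(d: Disclosure) -> bool:
    """Item 2 vs item 3: anything not on the exempt list must be accounted for."""
    return d.basis not in EXEMPT_BASES


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def build_accounting(log: List[Disclosure], patient_id: str,
                     requested_on: date, years: int = 6) -> List[Dict]:
    """Accounting entries for one patient, oldest first (items 5 and 7b).

    Repeated disclosures to the same recipient for the same purpose collapse
    into one summary entry (item 5e): full detail of the first disclosure,
    the frequency, and the date of the last disclosure.
    """
    window_start = years_before(requested_on, years)
    groups: Dict[Tuple[str, str], List[Disclosure]] = {}
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if d.patient_id != patient_id or not requires_accounting(d):
            continue
        if not window_start <= d.disclosed_on <= requested_on:
            continue  # outside the six-year lookback, or after the request
        groups.setdefault((d.recipient, d.purpose), []).append(d)
    entries = []
    for ds in groups.values():          # dict keeps first-seen (oldest) order
        first = ds[0]
        entries.append({
            "date": first.disclosed_on.isoformat(),
            "recipient": first.recipient,
            "address": first.recipient_address,
            "description": first.description,
            "purpose": first.purpose,
            "frequency": len(ds),
            "last_date": ds[-1].disclosed_on.isoformat(),
        })
    return entries


def response_due(received_on: date, extension_taken: bool = False) -> date:
    """Items 7/7a: 60 days after receipt, plus at most one 30-day extension."""
    return received_on + timedelta(days=60 + (30 if extension_taken else 0))


# Constructed sample records for the demo; not real patient data.
SAMPLE_LOG = [
    Disclosure("P-001", date(2023, 3, 1), "Riverside Dental", "treatment notes",
               "continuing care", "treatment"),                        # exempt (3a)
    Disclosure("P-001", date(2023, 5, 2), "County Public Health", "reportable condition",
               "public health reporting", "public_health"),            # accountable (2b)
    Disclosure("P-001", date(2023, 8, 2), "County Public Health", "reportable condition",
               "public health reporting", "public_health"),
    Disclosure("P-001", date(2023, 11, 2), "County Public Health", "reportable condition",
               "public health reporting", "public_health"),
    Disclosure("P-001", date(2024, 1, 15), "District Court", "full dental record",
               "response to court order", "court_order", "100 Main St"),  # accountable (2e)
    Disclosure("P-001", date(2016, 6, 1), "State Licensing Board", "treatment record",
               "licensure review", "health_oversight"),                # outside 6-year window
    Disclosure("P-002", date(2024, 2, 1), "County Public Health", "reportable condition",
               "public health reporting", "public_health"),            # different patient
]


def demo() -> Dict:
    """Run the sample request dated 1 March 2024 for patient P-001."""
    requested_on = date(2024, 3, 1)
    return {
        "entries": build_accounting(SAMPLE_LOG, "P-001", requested_on),
        "due": response_due(requested_on).isoformat(),
        "due_extended": response_due(requested_on, extension_taken=True).isoformat(),
    }


if __name__ == "__main__":
    for entry in demo()["entries"]:
        print(entry)
```

On the sample log the accounting has two entries: a summary entry for the three public-health reports (first date, frequency 3, last date) and a single entry for the court-ordered disclosure; the treatment disclosure, the 2016 disclosure outside the six-year window, and the other patient's record are left out. The grouping key is recipient plus purpose, which is what item 5e requires; a log that keyed only on recipient would wrongly merge disclosures made for different reasons.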

USE OF HIPAA AUTHORIZATION FOR USE AND DISCLOSURE

A HIPAA compliant authorization ("authorization") is required for uses or disclosures of protected health information (PHI) except: 1) treatment, payment, and health care operations for which a consent valid under Minnesota law ("consent") has been given; and 2) as otherwise expressly permitted or required by state and federal law. When a HIPAA authorization is required, the Dental Clinic will ascertain that the form is valid and includes the elements required by the Privacy Regulations. (See paragraph 1 below.) The Dental Clinic will document and retain all signed authorizations and provide an accounting upon request, as required by law.

Relationship with Minnesota Law: In general, a consent to disclose personal health information for treatment, payment, or health care operations is valid under Minnesota law if it is signed and dated by the individual or the individual's legal representative and is effective for no more than one year.

Procedure:

1. The Dental Clinic will accept and use a valid authorization form when required by law, which contains at least the following elements:
a. It is written in plain language;
b. Identifies the individual authorizing the disclosure by name and other identifiers;
c. Identifies the information to be disclosed in a specific and meaningful manner;
d. Identifies the person or class of persons authorized to use or disclose;
e. Names the Dental Clinic, or another specific person at the Dental Clinic, as the source of the information requested;
f. A statement of purpose for the disclosure. "At the request of the individual" is sufficient if that is the case;
g. An expiration date or event that relates to the purpose of the information;
h. Signature of the individual, or the individual's legal representative, and date;
i. A statement of the individual's right to revoke the authorization in writing and a further description of how to revoke;
j. A statement regarding whether or not there are conditions placed on the authorization related to treatment, payment, or eligibility or enrollment for benefits;
k. A statement that information used or disclosed to a recipient who is not covered by HIPAA may be subject to re-disclosure and no longer protected by HIPAA.

2. The Dental Clinic will use a valid authorization form for any use or disclosure of PHI for any purpose not related to: 1) treatment, payment, or health care operations for which the person has signed a valid consent; or 2) other disclosure of PHI permitted or required by law without individual permission. The authorization must be completed and signed by the individual or the individual's legal representative. A valid authorization must be used only for the specific purpose(s) stated in the authorization and only by the personnel listed in the authorization.

3. The Dental Clinic may not condition treatment, payment, enrollment, or eligibility for benefits on the provision of an authorization, except as follows:
a. The provision of health care is solely for the purpose of creating PHI to disclose to a third party, for which an authorization is required.

4. An individual may revoke an authorization at any time. The revocation must be in writing. The revocation is effective for actions taken by the Dental Clinic after the revocation is signed. Revocation does not apply to information already created or disclosed while the authorization was valid and in effect.

5. The Dental Clinic must document and retain the signed authorization form for at least six years, or longer if required by record retention policy, from the date of its creation or from the date it was last in effect, whichever is later.

RIGHT TO ACCESS, INSPECT AND COPY PROTECTED HEALTH INFORMATION

The Dental Clinic will honor the individual's right of access to inspect and obtain a copy of protected health information (PHI) as required by HIPAA and Minnesota law. Minnesota law requires a provider to supply to the individual complete and current information concerning any diagnosis, treatment and prognosis of the patient in terms and language the individual can reasonably be expected to understand.

Procedure:

1. The Dental Clinic will require requests for access to be in writing. A copy of the request will be placed in the patient's health record or otherwise tracked and retained.

2. Verify the identity of the requestor, as appropriate. [See Identification Verification policy and procedures.]

3. Individuals have the right to inspect and obtain a copy of all PHI maintained by the Dental Clinic, including complete and current information concerning any diagnosis, treatment and prognosis of the patient, with the following exceptions:
a. Information that is not maintained by the Dental Clinic;
b. Health information, if the provider reasonably determines, based on professional judgment, that the information is detrimental to the physical or mental health of the patient, or is likely to cause the patient to inflict harm to self or others, and the provider specifies the information to be denied and the grounds for denial prior to receipt of the request for access.


c. Information created or compiled in anticipation of, or for use in, a civil, criminal or administrative action or proceeding.

4. Under Minnesota law, the Dental Clinic must respond immediately or within 10 working days after receipt of the request.

5. Document and retain the following for six years or as required by the applicable record retention policy:
a. The titles or offices responsible for receiving and processing requests for access;
b. Requests for access or other documentation of the individual's request;
c. Any response to accept, deny, or other; and
d. Any determination by a designated reviewing health care professional.

6. The individual and the Dental Clinic will arrange a mutually convenient time and place for the individual to inspect and/or obtain a copy of the requested PHI, unless access is denied. Inspection and/or copying of PHI will be carried out within the Dental Clinic with staff assistance.

7. The individual may request to receive the information in a specified form or format. If the information is not readily producible in the requested form or format, the Dental Clinic must provide the individual with a readable hard copy, or another form as agreed. If the information is maintained in more than one form or location, the provider need only provide access to one copy of the information.
a. If the individual requests a copy of the PHI, the Dental Clinic will provide copying services. (See paragraph 9 re: copy costs.) The individual may request that this copy be mailed.

8. Upon request, the Dental Clinic may create a summary of the requested PHI.

9. Minnesota law requires providers to give individuals a copy of PHI at no cost for purposes of reviewing complete and current information concerning any diagnosis, treatment and prognosis. The Dental Clinic may otherwise charge a reasonable fee for the production of copies, or the creation of summary information, if the individual has been informed of such charge and is willing to pay the charge. For allowed copy costs see www.health.state.mn.us/divs/hpsc/dap/maxcharge.pdf; Minn. Stat. 144.335, subd. 5.

10. If, upon inspection of the PHI, the individual feels it is inaccurate or incomplete, he/she has the right to request an amendment. The Dental Clinic shall process requests for amendment as outlined in the policy and procedures Right to Request Amendment of Individual Health Information.

11. If access to the PHI is denied, the Dental Clinic must provide a written denial to the individual. (See sample letter "denying request".) The denial must be in plain language and must contain:
a. The basis for the denial;
b. A statement, if applicable, of the individual's review rights; and
c. A description of how the individual may complain to the Dental Clinic or to the Secretary of Health and Human Services.

If access is denied because the Dental Clinic does not maintain the PHI that is the subject of the request, and the Dental Clinic knows where that information is maintained, it should inform the individual where to direct their request for access.


12. If access is denied because the provider has determined the requested information is or could be detrimental (See paragraph 3b above), the individual has the right to have the denial reviewed by a licensed health care professional designated by the Dental Clinic to act as a reviewing official. This health care professional must not have participated in the original decision to deny.

13. If the individual has requested a review, the Dental Clinic must provide or deny access in accordance with the determination of the reviewing professional, who will make the determination within a reasonable period of time. The Dental Clinic must promptly provide written notice to the individual of the determination of the reviewing professional.

MINIMUM NECESSARY STANDARD

The Dental Clinic must make reasonable efforts to limit protected health information (PHI) to the "minimum necessary" with regard to internal uses of PHI, external disclosures, and requests made of others for such information. The Dental Clinic staff will apply professional judgment to reasonably ensure that only the minimum amount of PHI necessary to accomplish the intended purpose is used, released, or requested. Exceptions to this standard:
- Disclosures to a health care provider for treatment purposes;
- Disclosures to an individual of their own PHI;
- Uses or disclosures under a valid authorization;
- Disclosures to the federal Department of Health and Human Services for compliance or enforcement purposes; or
- Other uses or disclosures required by law.

Procedure:

1. Review workforce responsibilities and identify what access to PHI is needed to carry out those responsibilities.

2. For non-routine uses and disclosures, develop reasonable criteria for making a determination and apply the minimum necessary standard to the specific purpose.

3. Any request for disclosure of an entire medical record will be granted only after consideration, consistent with professional judgment.

4. Develop and implement on-going training on the obligations of employees to use or disclose PHI only for work-related purposes, to limit uses and disclosures to the minimum necessary to achieve those work purposes, and otherwise to protect the PHI under their control.

PRIVACY BREACH NOTIFICATION REQUIREMENTS

An additional rule to the Health Insurance Portability and Accountability Act (HIPAA) requires notification to ensure that affected persons (i.e., patients) will be informed, in a timely manner and method, of any breach of unsecured protected health information (PHI). DEFINITIONS:


Breach-An unauthorized acquisition, access, use, or disclosure of unsecured PHI (that compromises the security or privacy of such information) by a member of the practice’s workforce, person working under the authority of the practice, or a business associate of the practice. Breach Exceptions-Exceptions to this definition include disclosures where the recipient of the information would not reasonably have been able to retain the information, certain unintentional acquisition, access, or use of information by employees or persons acting under the authority of a covered entity or business associate, as well as certain inadvertent disclosures among persons similarly authorized to access protected health information at a business associate or covered entity. Discovery of a Breach-For the purposes of the breach notification requirements, a breach shall be considered discovered as of the first day on which a breach is made known to the practice, or, by exercising reasonable diligence would have been known to any person, other than the person committing the breach, who is a workforce member or agent of the practice. Individual-For privacy and breach notification purposes, the term individual means a patient and or his/her authorized representative. Law Enforcement Official-An officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian Tribe, who is empowered to (a) investigate or conduct an official inquiry into a potential violation of the law; or (b) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of the law. Media-Used to identify “prominent media outlets” for a specific geographical area. Media notification requires notice of a breach being sent to a general interest newspaper with circulation in the area where the individuals involved in the breach may reside. 
Notification - The term notification applies to the required notices to individuals, the Department of Health and Human Services (HHS), and the media, and to notices from business associates to the Dental Clinic, regarding breaches of unsecured PHI.

Unsecured PHI - Covered entities and business associates must provide the required notification only if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in HHS guidance (encryption meeting that guidance, or destruction of the media).

PROCEDURE:

1. Upon discovery of an impermissible use or disclosure of PHI, the Dental Clinic will begin, and document, a complete risk assessment to confirm whether PHI has been compromised, identify the cause, eliminate any recurrence, and gather the information it needs to provide to the individuals affected by the breach.

2. After the risk assessment is completed, The Dental Clinic will contact the campus’s Data Practices Compliance Officer (DPCO). See http://www.ogc.mnscu.edu/dataprivacy/index.html for more information.

3. Should the risk assessment determine that the PHI was secured, or that there is a low probability that the PHI was compromised, there is no requirement to provide notification. The risk assessment and its conclusion must still be documented and retained (see step 17).

4. Should a risk assessment confirm a breach, notification must be provided to all individuals involved as soon as is reasonable, but no later than 60 calendar days after the discovery of a breach. The notification must include:

A brief description of what happened, the date of the breach (if known) and the date of discovery of the breach;

A description of the types of unsecured PHI that were involved in the breach (e.g., the individual's full name, date of birth, home address, account number, diagnosis, or other types of PHI);

Any steps an individual should take to protect themselves from potential harm resulting from the breach (e.g., a recommendation that the individual contact the credit bureaus, and how to do so, if credit card information was involved);

A brief description of what the Dental Clinic is doing to investigate the breach, to limit harm to individuals, and to protect against any further breaches, including the imposition of employee sanctions, if appropriate; and

Contact procedures (e.g., the Dental Clinic's Compliance or Privacy Officer contact information) for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an email address, a website, or a postal address.

Breach notification requirements specify that the notice to individuals must be in plain language that the individual can easily understand.

5. Notification to individuals must be made by first-class mail to the last known address of the individual. If the Dental Clinic knows that the individual is deceased and has the address of the next of kin or personal representative, written notification by first-class mail shall be made to the next of kin or personal representative.

6. In cases where there is insufficient or out-of-date contact information that precludes written notification to an individual, a substitute form of notice must be provided as soon as possible after the Dental Clinic becomes aware that it has insufficient or out-of-date contact information.

7. The substitute notice can be sent by alternative methods that include electronic mail or telephone. The Dental Clinic should ensure that no sensitive information is left on answering machines or voice mail when using telephone contact as an alternative means for providing notification.

8. In cases where there is insufficient or out-of-date contact information for 10 or more individuals, the substitute notice must be either a conspicuous posting for a period of 90 days on the home page of the Dental Clinic website, or conspicuous notice in major print or broadcast media in the geographic areas where the individuals affected by the breach are likely to reside. The substitute notice must also include a toll-free number, active for at least 90 days, through which an individual can learn whether his or her unsecured PHI was included in the breach.

9. In any breach situation that the Dental Clinic identifies as urgent because of possible misuse of unsecured PHI, the Dental Clinic may provide information to individuals by telephone or other means, as appropriate to ensure immediate notification to individuals.

10. If a breach involves 500 or more residents of a State or jurisdiction, the Dental Clinic is required to provide additional notification to media along with notice to individuals. Notification shall be made to the media as soon as is reasonable, but no later than 60 calendar days after the discovery of a breach. The content of a notification to media is the same as with individuals.

11. The Dental Clinic is required to notify Health and Human Services (HHS) of all confirmed breaches. For breaches affecting 500 or more individuals, notification to HHS must be made concurrently with the notification to individuals, that is, without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting fewer than 500 individuals are reported through the annual log described in step 12. HHS posts the method for submitting notifications on its website (www.hhs.gov).

12. The Dental Clinic must maintain a log of all confirmed breaches affecting fewer than 500 individuals. The log for each calendar year must be submitted to HHS no later than 60 calendar days after the end of that year, using the method specified on the HHS website. Copies of the annual breach logs must be retained for a minimum of six years.

13. A business associate (BA) of the practice that accesses, maintains, retains, modifies, records, destroys, or otherwise holds, uses, or discloses unsecured PHI must immediately notify the Dental Clinic when it discovers a breach of such information. Notification of a breach by the BA can be reported to the Dental Clinic by fax, electronic mail, or telephone.

14. BAs must provide notification of breaches as soon as is reasonable, but no later than 10 calendar days after the discovery of a breach by the BA. Upon notification of a breach by the BA, the Dental Clinic must make the appropriate notifications to individuals and HHS. The Dental Clinic must provide notice to individuals within 60 calendar days of the discovery of the breach by the BA.

15. A BA is required to provide the Dental Clinic with as much information about the breach as is possible including, if available, the identification of each individual and any other information that the Dental Clinic is required to include in its notification to individuals.

16. Should a law enforcement official notify the Dental Clinic or BA that a notification, notice, or posting required by the regulation would impede a criminal investigation or cause damage to national security, the Dental Clinic or BA shall:

If the statement is in writing and specifies the time for which a delay is required, delay the notification, notice, or posting for the period of time specified by the official; or

If the statement is made orally, document the statement, including the identity of the official making the statement, and delay notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement is submitted during the 30-day time period.

17. In the event of a breach of unsecured PHI, the Dental Clinic or BA bears the burden of demonstrating that all required notifications were made, or that the discovered use or disclosure did not constitute a breach. The Dental Clinic will maintain a file containing all documentation of reported potential breaches (including those determined not to be a breach) to meet this burden of proof. All records pertaining to a breach or potential breach must be retained for a minimum of six years.

18. The breach notification requirements also require the Dental Clinic to ensure continued compliance with the HIPAA Privacy Rule and Security Rule.

19. The Dental Clinic must provide training to all members of its workforce on the policies and procedures with respect to notification in the case of breach of unsecured PHI as necessary and appropriate for the members of the workforce to carry out their functions within the practice.

20. The Dental Clinic may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for exercising any right established under these policies or for participating in any process for notification in the case of a breach of unsecured PHI, including the filing of a complaint. The Dental Clinic may not require individuals to waive their right to file a complaint with the Dental Clinic or HHS as a condition of treatment or payment for services from the Dental Clinic.

APPENDIX A - DEFINITIONS

The following definitions apply to the Dental Clinic policies and procedures implementing HIPAA:

Authorization - A valid authorization is required to share data for purposes other than treatment, payment, and health care operations, except where state law or HIPAA allows otherwise. To be valid, the document must contain certain prescribed elements. Patient consent obtained under Minnesota law is not sufficient for purposes under HIPAA that require an authorization.

Business Associate - A person or organization that performs a function or activity on behalf of a covered entity but is not part of the covered entity's workforce. Specifically, a person or organization outside MSUM who, on behalf of MSUM, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information (including claims administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, or any other related activity or function), or who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, where the provision of the service involves the disclosure of individually identifiable health information from the covered entity, or from another business associate of the covered entity, to the business associate. A covered entity may be a business associate of another covered entity.

Consent - Minnesota law requires patient consent to disclose information from an individual's health record for most purposes, including treatment, payment, or health care operations. This permission must be renewed annually.


Covered Entity - For purposes of HIPAA, a covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form to carry out financial or administrative activities related to health care.

Disclosure - The release, transfer, provision of access to, or divulging of PHI outside the covered entity.

Health Care Component - Units of MSUM that provide health care and are designated by MSUM as health care components covered under HIPAA.

Health Care Operations - Any of the following activities or functions of the covered entity:

Conducting quality assessment or improvement activities, including outcomes evaluation and development of clinical guidelines, but excluding research to obtain generalizable knowledge. Population-based activities to improve care or reduce health care costs are included, as are case management and care coordination, protocol development, and related functions that do not include treatment;

Reviewing the competence or qualifications of health care professionals, evaluating provider performance, training programs for students, trainees, or practitioners under supervision, and accreditation, certification, licensing, or credentialing activities;

Health Care Provider - A provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business and who transmits information in electronic form to carry out financial or administrative activities related to health care.

Hybrid Entity - A single legal entity that is a covered entity, performs business functions that are both covered and non-covered, and designates health care components.

Individual - The person who is the subject of PHI.

Individual Health Information - Protected health information covered by HIPAA, and health records protected by Minnesota Statutes 144.293, governing access to health records. As applied in HIPAA, the term "record" means any item, collection, or grouping of information that includes health information and that is maintained, collected, used, or disseminated by or for a covered entity. Under state law, a patient's "health record" includes, but is not limited to, "laboratory reports, x-rays, prescription, and other technical information used in assessing the patient's health condition." Minnesota law further requires a patient's consent prior to disclosure of any information in the patient's health record, including for treatment, payment, and health care operations.

Payment - Activities undertaken by a health plan to obtain premiums or to determine coverage and benefit responsibilities, and activities undertaken by a provider or health plan to obtain or provide reimbursement for the provision of health care.


Privacy Officer - The person, and associated office, designated by the Dental Clinic to carry out and coordinate activities related to the privacy and security of health information as required by HIPAA.

Protected Health Information ("PHI") - Health information transmitted or maintained in any form or medium that:

identifies or could be used to identify an individual;

is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and

relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.

The following records are exempted from the definition of PHI: student records maintained by an educational institution; treatment records of a post-secondary student meeting the requirements of 20 U.S.C. § 1232g(a)(4)(B)(iv) (accessible only by the provider for ongoing treatment); and employment records held by a covered entity in its role as employer.

Secretary - The Secretary of the Department of Health and Human Services, or a designee.

Trainee - A person involved in an educational program at a Minnesota State University or College that provides for the development of additional skills and the opportunity to learn new techniques and acquire experience in a given professional field or in the conduct of research.

Treatment - The provision, coordination, or management of health care and related services by one or more providers, including coordination and management of care by a provider with a third party, consultation between providers about a patient, or referral of a patient from one provider to another.

Use - To employ, apply, utilize, examine, or analyze PHI maintained within the Dental Clinic.

Volunteer - An individual who performs uncompensated services for MSUM under the direction and control of the Dental Clinic.

Workforce - All employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the MnSCU University or College, is under the direct control of the Minnesota State University or College, whether or not they are paid by the Minnesota State University or College.

A comprehensive glossary can be found at www.mncounties.org