The URL can be used to link to this page

Browse Search

Home My WebLink About20031123.tiff HIPAA COMPLIANCE PLAN FOR WELD COUNTY HUMAN SERVICES 2003-1123 aaa Assistance.Advocacy.Answers on Aging. Weld County Area Agency on Aging Weld County Area Agency on Aging's Health Insurance Portability and Accountability Act Policies and Procedures Weld County Area Agency on Aging Health Insurance Portability and Accountability Act Table of Contents Section 1 General HIPAA Policies and Procedures 1 HIPAA Notice of Privacy Practice 3 Acknowledgement of Receipt 9 Policy on Uses and Disclosures of Protected Health Information 10 Policy and Procedure on Patient's Right to Access Health Information 12 Authorization for Release of Information 16 Policy and Procedure on Patient's Right to Request Amendment to Health Information 20 Policy and Procedure to Request Restrictions on use and Disclosure of Protected health Information 23 Policy and Procedure on Requesting Confidential Handling of Information 25 Request for Confidential Handling of Health Information Form 27 Policy and Procedure on the Handling of Privacy Complaints 29 Privacy Complaint Form 32 Policy on Minimum Necessary Information 34 Office Role Directory 38 Policy and Procedure for Informing Individuals Concerning Opportunity to Accept/Reject Certain Uses and Disclosures 39 Policy and Procedure on Accounting for Disclosures 41 Request for Accounting for Disclosure of Health Form 43 Accounting for Disclosures 44 Job Description 45 Overview of Policies and Procedures on Privacy and Security 47 Employee Acknowledgement Form 52 Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality 53 Employee Acknowledgement Form 56 Policy and Procedure on Physical Security 57 Policy and Use of Electronic Mail, Internet and Facsimile Machines 60 3/28/03 Weld County Area Agency on Aging Section 2 ACS @ Weld County Privacy Policies and Procedures Table of Contents i Introduction 1 Section 1 2 Section 2 9 Section 3 18 Section 4 19 Section 5 29 Appendix 32 3/28/03 Weld County Area Agency on Aging GENERAL HIPPAA POLICIES AND PROCEDURES PHYSICAL AND TECHNICAL SAFEGAURDS: Weld County shall adopt and follow any policies,procedures or forms dealing with physical and technical safeguards for information technology systems promulgated by ACS, unless Weld County specially adopts a policy in-lieu of ACS for information technology systems. The physical and technical safeguards of ACS used by Weld County are: Application Development Security Clean Desk Policy Electronic Transmission ofDHI Encryption Facility Security Network Security Password Management Screen aver or Logoff Requirements At Home Workers E-mail Acceptable Use Fax machine Acceptable Use WELD COUNTY PERSONNEL POLICIES AND HIPPA: Weld County's Personnel policy on confidential information applies in addition to any HIPAA policies on 3reach of privacy or confidentiality. Any HIPAA policies on personnel discipline for breach of privacy or confidentiality apply in addition those cited in the Weld County Personnel Policies. If there is conflict in any provision of the HIPAA policies concerning personnel discipline and Weld County Personnel Policies concerning discipline and grievance, Weld County Personnel Policies shall take precedence. PROGRAM POLICIES TAKE PRECEDENCE: Any policies,procedures, or forms promulgated by State of Colorado or federal health grant programs which are equal to or more stringent than Weld County's policies will take precedence over Weld County's. The Weld County policies in this HIPAA compliance document are the minimum standard which Weld County employees are held, however sate or federal grant programs may choose or require additional or alternative policies,procedures, or forms to accomplish the same HIPAA compliance requirement. In those cases to insure that grant requirements are met and to avoid redundant effort the state or federal grant policies,procedures, and forms may be used as long as they meet the county's minimum standards specified in this HIPAA compliance document. Alternative grant policies,procedures, and forms must be approved by the Health Department's HIPAA Privacy Officer. 3/28/03 Weld County Area Agency on Aging 1 of 60 HIPAA PROCEDURE AND POLICY PROMULGATION: The Privacy Officer responsible for the departmental HIPAA compliance shall amend and promulgate HIPAA policies and procedures as necessary by securing the department head's approval, and submitting them to the Director of Finance and Administration for review. The changes shall then be forwarded to the Board of Weld County Commissioners for review by the Board members signing off on a cover sheet. If approved by the Board of Weld County Commissioners on the sign off sheet the changes shall be placed upon the Board's consent agenda for final approval. All HIPAA policies shall be reviewed at least annually by the Privacy Officer of each plan for any necessary updates or amendments. HIPAAgeneralpOlicies 3/28/03 Weld County Area Agency on Aging 2 of 60 HIPAA Notice of Privacy Practices Effective Date: April 14, 2003 This notice describes how health information about you may be used and disclosed and how you can get access to this information. Please review it carefully. If you have any questions about this notice, please contact EVA JEWELL, Privacy Officer at (970) 353-3800 extension 3331. OUR PLEDGE REGARDING HEALTH INFORMATION We understand that health information about you and your health care is personal. We are committed to protecting health information about you. We create a record of the care and services you receive from us. We need this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the records of your care generated by this health care practice, whether made by your personal doctor or others working in this office. This notice will tell you about the ways in which we may use and disclose health information about you. We also describe your rights to the health information we keep about you, and describe certain obligations we have regarding the use and disclosure of your health information. We are required by law to: • Make sure that health information that identifies you is kept private. • Give you this notice of our legal duties and privacy practices with respect to health information about you. • Follow the terms of the notice that is currently in effect. HOW WE MAY USE AND DISCLOSE HEALTH INFORMATION ABOUT YOU The following categories describe different ways that we use and disclose health information. For each category of uses or disclosures we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories. For Treatment: We may use health information about you to provide you with health care treatment or services. We may disclose health information about you to doctors, nurses, technicians, health students, or other personnel who are involved in taking care of you. They may work at our offices, at the hospital if you are hospitalized under our supervision, of at another doctor's office, lab, pharmacy, or other health care provider to whom we may refer you for consultation, to take x-rays, to perform lab tests, to have prescriptions filled, or for other treatment purposes. For example, a doctor treating you 3/28/03 Weld County Area Agency on Aging 3 of 60 for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian at the hospital if you have diabetes so that we can arrange for appropriate meals. We may also disclose health information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location. For Payment: We may use and disclose health information about you so that the treatment and services you receive from us may be billed to and payment collected from you, an insurance company, or a third party. For example, we may need to give your health plan information about your office visit so your health plan will pay us or reimburse you for the visit. We may also tell your health plan about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment. For Health Care Operations: We may use and disclose health information about you for operations of our health care practice. These uses and disclosures are necessary to run our practice and make sure that all of our patients receive quality care. For example, we may use health information to review our treatment and services and to evaluate the, performance of our staff in caring for you. We may also combine health information about many patients to decide what additional services we should offer, what services are not needed, whether certain new treatments are effective, or to compare how we are doing with others and to see where we can make improvements. We may remove information that identifies you from this set of health information so others may use it to study health care delivery without knowing the identity of our specific patients. Health-Related Services and Treatment Alternatives: We may use and disclose health information to tell you about health-related services or recommend possible treatment options or alternatives that may be of interest to you. Please let us know if you do not wish us to send you this information, or if you wish to have us use a different address to send this information to you. As Required By Law: We will disclose health information about you when required to do so by federal, state, or local law. To Avert a Serious Threat to Health or Safety: We may use and disclose health information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat. Military and Veterans: If you are a member of the armed forces or separated/ discharged from military services, we may release health information about you as required by military command authorities or the Department of Veterans Affairs as may be applicable. We may also release health information about foreign military personnel to the appropriate foreign military authorities. Workers' Compensation: We may release health information about you for workers' compensation or similar programs. These programs provide benefits for work-related injuries or illness. Public Health Risks: We may disclose health information about you for public health _ activities. 3/28/03 Weld County Area Agency on Aging 4 of 60 These activities generally include the following: • To prevent or control disease, injury or disability. • To report births and deaths. • To report child abuse or neglect. • To report reactions to medications or problems with products. • To notify people of recalls of products they may be using. • To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition. • To notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect, or domestic violence. We will only make this disclosure if you agree or when required or authorized by law. Health Oversight Activities: We may disclose health information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws. Lawsuits and Disputes: If you are involved in a lawsuit or a dispute, we may disclose health information about you in response to a court or administrative order. We may also disclose health information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested. Law-Enforcement: We may release health information if asked to do so by a law enforcement official: • In response to a court order, subpoena, warrant, summons or similar process • To identify or locate a suspect, fugitive, material witness, or missing person • About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person's agreement • About a death we believe may be the result of criminal conduct • About criminal conduct at our facility • In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description, or location of the person who committed the crime Coroners, Health Examiners and Funeral Directors: We may release health information to a coroner or health examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release hearth information about patients to funeral directors as necessary to carry out their duties. 3/28/03 Weld County Area Agency on Aging 5 of 60 National Security and Intelligence Activities: We may release health information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law. Protective Services for the President and Others: We may disclose health information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations. Inmates: If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release health information about you to the correctional institution or law enforcement official. This release would be necessary (1)for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution. YOUR RIGHTS REGARDING HEALTH INFORMATION ABOUT YOU You have the following rights regarding health information we maintain about you: Right to Inspect and Copy: You have the right to inspect and copy health information that may be used to make decisions about your care. Usually, this includes health and billing records. Right to Amend: If you feel that health information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as we keep the information. To request an amendment, your request must be made in writing, submitted to Eva Jewell, Privacy Officer, and must be contained on one page of paper legibly handwritten or typed in at least 10-point font size. In addition, you must provide a reason that supports your request for an amendment. _ We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may dany your request if you ask us to amend information that: • Was not created by us, unless the person or entity that created the information is no longer available to make the amendment • Is not part of the health information kept by or for our practice • Is not part of the information, which you would be permitted to inspect and copy • Is accurate and complete Any amendment we make to your health information will be disclosed to those with whom we disclose information as previously specified. Right to an Accounting of Disclosures: You have the right to request a list accounting for any disclosures of your health information we have made, except for uses and disclosures for treatment, payment, and health care operations, as previously described. 3/28/03 Weld County Area Agency on Aging 6 of 60 Right to an Accounting of Disclosures: You have the right to request a list accounting for any disclosures of your health information we have made, except for uses and disclosures for treatment, payment, and health care operations, as previously described. To request this list of disclosures, you must submit your request in writing to EVA JEWELL, Privacy Officer. Your request must state a time period, which may not be longer than six years and may not include dates before April 14, 2003. The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred. We will mail you a list of disclosures in paper form within 30 days of your request, or notify you if we are unable to supply the list within that time period and by what date we can supply the list; but this date will not exceed a total of 60 days from the date you made the request. Right to Request Restrictions: You have the right to request a restriction or limitation on the health information we use or disclose about you for treatment, payment, or health care operations. You also have the right to request a limit on the health information we disclose about you to someone who is involved in your care or the payment for your care, such as a family member or friend. For example, you could ask that we restrict a specified.nurse from use of your information, or that we not disclose information to your spouse about a surgery you had. We are not required to agree to your request for restrictions if it is not feasible for us to ensure our compliance or believe it will negatively impact the care we may provide you. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment. To request a restriction, you must make your request in writing to Eva Jewell, Privacy Officer. In your request, you must tell us what information you want to limit and to whom you want the limits to apply; for example, use of any information by a specified nurse, or disclosure of specified surgery to your spouse. Right to Request Confidential Communications: You have the right to request that we communicate with you about health matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail to a post office box. To request confidential communications, you must make your request in writing to Eva Jewell, Privacy Officer. We will not ask you the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted. Right to a Paper Copy of This Notice: You have the right to obtain a paper copy of this notice at any time. To obtain a copy, please request it from Eva Jewell, Privacy Officer. You may also ask that a copy of this notice be sent through electronic mail. If we know that the electronic message has failed to be delivered, a paper copy of the notice will be provided. 3/28/03 Weld County Area Agency on Aging 7 of 62 If the first service delivery is delivered electronically, other than by telephone, we provide electronic notice in the same medium, automatically and contemporaneously in response to a first request for service. CHANGES TO THIS NOTICE We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for health information we already have about you as well as any information we receive in the future. We will post a copy of the current notice in our facility. The notice will contain on the first page, in the top right-hand corner, the effective date. In addition, each time you register for treatment or health care services, we will offer you a copy of the current notice in effect. COMPLAINTS If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, contact Eva Jewell Privacy Officer. All complaints must be submitted in writing. You will not be penalized for filing a complaint. OTHER USES OF HEALTH INFORMATION Other uses and disclosures of health information not covered by this notice or the laws that apply to us will be made only with your written permission. If you provide us permission to use or disclose health information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose health information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided to you. ACKNOWLEDGEMENT OF RECEIPT OF THIS NOTICE We will request that you sign a separate form or notice acknowledging you have received a copy of this notice. If you choose, or are not able to sign, a staff member will sign their name, date. I' 3/28/03 Weld County Area Agency on Aging 8 of 60 Acknowledgement of Receipt Weld County Area Agency on Aging HIPAA Notice of Privacy Practices (print name of client) have received a copy of Weld County Area Agency on Aging HIPAA Notice of Privacy Practices. I understand if I have questions or concerns regarding this notice I may contact the Weld County Area Agency on Aging at (970) 353-3800, extension 3325 and discuss my concerns with my case manager, Supervisor of Options for Long Term Care or the agency's Privacy Officer. Client Signature Date of Signature 3/28/03 Weld County Area Agency on Aging 9 of 62 Policy on Uses and Disclosures of Protected Health Information Overview of the Weld County Area Agency on Aging's policy on privacy Policy It is the policy of Weld County Area Agency on Aging to protect the privacy and confidentiality of patients' protected health information by following the requirements of federal and state law and Weld County Area Agency on Aging's polices and procedures. This policy provides the basics of Weld County Area Agency on Aging's privacy compliance framework. More detailed information is contained in the agency's policy and procedure manual. "Protected health information," (PHI) means individually identifiable information about the present, past, or future health care or payment for health care, maintained in any form or medium. Responsibility The Weld County Area Agency on Aging Privacy Official is responsible for developing and implementing privacy policies and procedures. The Privacy Official is Eva Jewell. She can be reached at (970) 353-3800, extension 3331 or ejewell@co.weld.co.us. It is the responsibility of each member of Weld County.Area Agency on Aging to understand and follow the privacy policies and procedures. Procedures A. Permissions needed Weld County Area Agency on Aging will use and disclose PHI only in accordance with Weld County Area Agency on Aging's notice of privacy practices and with the appropriate permission from the patient, or as otherwise permitted or required by law. See Authorization Policy and Notice of Privacy Practices. B. Permitted disclosures Weld County Area Agency on Aging may disclose a patient's PHI to the patient himself or herself, the patient's legally authorized personal representative, those involved with the person's care and treatment, to law enforcement personnel in appropriate situations, for public policy decisions as required by law, and for purposes of a patient's treatment, payment for services, or Weld County Area Agency on Aging's health care operations. Disclosure of PHI may also be made to business associates, or on the basis of and in accordance with a properly executed authorization. 1. Deceased individuals If an executor, administrator, or other person with authority to act on behalf of deceased patient or that person's estate, that_person should be treated as patient's personal representative. Weld County Area Agency on Aging may disclose PHI, without specific patient consent or authorization, to a coroner or medical examiner responsible for identification of the person, determination of the cause of death, or other duties authorized under state law. 3/28/03 Weld County Area Agency on Aging 10 of 60 Weld County Area Agency on Aging may also disclose PHI to a funeral director, as permitted by state law. 2. Personal representatives and minors If person has legal authority to act on a person's behalf in making decisions related to health care, this person is a personal representative and can receive PHI 3. Persons involved in care or treatment PHI may be disclosed to persons involved in the patient's care, as directly relevant to that care. If patient is present when PHI is to be disclosed, and has capacity, PHI can be disclosed to others present if it can reasonably be inferred that patient would not object. If patient is not present when PHI is to be disclosed, or patient is incapacitated, PHI may be disclosed if, in the exercise of reasonable professional judgment, disclosure is in best interests of patient and disclosure is limited to PHI directly relevant to person's involvement with the patient's care. D. Required disclosures Weld County Area Agency on Aging may make disclosures without consent or authorization as required by law, as required for public health purposes, for certain health oversight activities, for certain judicial and administrative proceedings, for certain law enforcement activities, to coroners or medical examiners. E. Privacy official The privacy official of Weld County Area Agency on Aging is Eva Jewell. This person is responsible for implementing Weld County Area Agency on Aging's privacy policies. F. Complaint personnel The persons responsible for handling complaints related to privacy are Eva Jewell and Sandra Hasch. All complaints related to privacy should be referred to these individuals. G. Unique restrictions on disclosures If a patient requests a particular restriction on the use or disclosure of his or her PHI, refer the request to Eva Jewell. Do not agree to any restriction prior to contacting the Privacy Officer. H. Potential violations If you believe that Weld County Area Agency on Aging has violated a policy or provision of law related to privacy issues, contact the Privacy Officer immediately. Weld County Area Agency on Aging will not retaliate against employees who report in good faith. Weld County Area Agency on Aging will take all reasonable steps to mitigate any damages caused by an improper use or disclosure of PHI. 3/28/03 Weld County Area Agency on Aging 11 of 60 Policy and Procedure on Patient's Right to Access Health Information Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell, Director, Weld County Area Agency on Aging Responsibility: Supervisor for the Options for Long Term Care Purpose The purpose of this policy is to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to afford our patients the right to inspect and obtain a copy of health information about them. General Policy It is our policy to provide our patients the right of access to inspect and obtain a copy of health information about them, for as long as we maintain the information in our designated record set, with exceptions permitted by law. Definitions Access: patients may inspect their medical records and billing records under the supervision of a staff member for which an inspection-fee is charged; or obtain a copy of all or a portion of their medical records and billing records for which a copying fee is charged. Designated record set: medical records and billing records that we use to make health care and payment decisions about patients. Procedure 1. Patients may request access to their medical records and/or billing records by submitting a request in writing on our Authorization fer Release of Information Form to our Supervisor for the Options for Long Term Care. This Form specifies that the access will be granted within 30 days of its receipt unless the patient is otherwise notified, and identifies the fees that will be charged for supervision of inspection, for copying all or portions of the record, or for summarizing the record. The request must state the type of access requested (inspection, copy, or if a summary will be accepted if there are reasons why a complete inspection or copy cannot be released, see step 3.b.), specify the dates and specific information requested, and be signed by the patient. 2. When a request for access to the medical record and/or billing record is made by a patient a. Obtain the patient's medical record and verify the patient's demographic information and signature on the Authorization for Release of Information Form with demographic information and signature on the consent for use and disclosure of health information, or other document signed by the patient contained within the medical record. If the authenticity of the patient cannot be verified, send a request to the patient to have a new Authorization for Release of Information Form notarized. 3/28/03 Weld County Area Agency on Aging 12 of 60 b. Review the medical record and/or billing record according to the request to determine if: 1) the information requested is excepted from the patient's right of access (see step 3. Exceptions to access), in which case access must be denied. Follow the procedure in step 4. for Denial of access. 2)the information requested is complete. If the information is not complete, inform the physician responsible for completion that a request for access has been made by the patient and the record will need to be completed within 30 days in order to comply with the patient's request or be found in non-compliance with HIPAA and subject to fines. If the record is not completed within 30 days, send a copy of the Authorization for Release of Information Form to the patient indicating that an extension to providing access will be required because the record is in the process of being completed and indicating the specific date on which access will be granted. This date must not exceed an additional 30 days. c. If access is not excepted and the information is complete and the patient requests inspection of the medical record and/or billing record or any portion thereof, schedule an appointment for the patient to visit the office. If the request is only for a portion of a record, remove that portion and place it in a separate folder for purposes of the inspection. Our Supervisor for the Options for Long Term Care must be present with the patient during the time the patient is inspecting the record(s). A charge of twenty dollars (20.00) per hour can be assessed for this inspection to cover the cost of supervision. During this time, the patient may not remove any documents from the record(s) or write any information in the record(s). If the patient wishes to make an amendment to the record(s), follow the Policy and Procedure for Patient's Right to Request Amendment of Health Information. If the patient has any questions concerning the information in the medical record, inform the patient that an appointment must be made with the physician to discuss the information. If the patient has any questions concerning the information in the billing record, refer the patient to the agency's Fiscal Officer. d. If access is not excepted and the information is complete and the patient requests a copy of any or all of the medical record and/or billing record, make the specified copies and mail the information to the patient via postal mail. If the patient requests this information to be mailed to a different address, mailed to a different individual, or be given to someone else who physically presents to our office, this information must be authorized through the Authorization for Release of Information Form. If another individual is designated to physically pick up the copy of the information, verify the individual's identity by requesting a photo identification card and match the name on the card to the name on the Authorization for Release of Information signed by the patient. Have the individual sign the Authorization for Release of Information as having received the information. 3. Exceptions to access are limited to very specific situations. Certain exceptions are not subject to review, and for others we must permit the patient to request a review of our decision not to grant access. O Grounds not subject to review for denial of access include: 3/28/03 Weld County Area Agency on Aging 13 of 60 When the information was compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. When the patient's access to the information that is contained in the medical record or billing record is subject to the Privacy Act, 5 U.S.C. § 552a, if the denial of access under the Privacy Act would meet the requirements of that law. When the information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information. O Grounds for review of denial of access include: When a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the patient or another person. When the information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access 'requested is reasonably likely to cause substantial harm to such other person. When the request for access is made by the patient's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the patient or another person. 4. Denial of access is a serious matter under the law. Before Sandra Hasch may make such a denial decision, it is our policy to conduct an internal review of that denial. Any such case should be given to Eva Jewell, who will authorize the denial. a. If access is denied for one of the reasons to deny access that are not subject to review, return a copy of the Authorization for Release of Information to the patient indicating that we are unable_to comply with the request for access due to the applicable reason. Retain a copy of the Authorization for Release of Information sent to the patient in the patient's medical record. b. If access is denied for one of the reasons that are subject to review, determine if a summary of the record may be made or portions of the record may be provided access such as to prevent the risk associated with denial. 1) If a summary or access to portions of the record would prevent risk, return a copy of the Authorization for Release of Information to the patient indicating we are not able to comply with the request for access for the specified reason but would be able to provide a summary of information in the record or access to portions of the record. 2) If such a summary or access to portions of the record is not possible, return a copy of the Authorization for Release of Information to the patient indicating we are not able to comply with the request for access for the specified reason. Indicate on this Form that the patient has the right to have this decision reviewed by another licensed health care professional. 3) If a request for review is received, give a copy of the Authorization for Release of Information Form, the medical record, and, if applicable, the billing record to the Chief Physician, who will make a final determination. 3/28/03 Weld County Area Agency on Aging 14 of 60 Upon its review and a determination, send a response to the patient indicating the result of the review and how the patient may file a complaint with our office or to the Secretary of Health and Human Services (HHS). 4) File a copy of the Authorization for Release of Information Form and other documentation received from the patient in his/her medical record. Place a copy of the Authorization for Release of Information in our Risk Management file. 5) If a request for access to the medical record or billing record is made and the person was not a patient of ours, return a copy of the Authorization for Release of Information Form to the individual indicating we have no records. If we do not have records on this individual but know where the requested information may be maintained (such as at a hospital or other physician's office), return the Authorization for Release of Information Form to the individual and provide the name and address of the location where we believe the records may be maintained. Keep a copy of the Authorization for Release of Information Form in our Risk Management file. 3/28/03 Weld County Area Agency on Aging 15 of 60 Page 1 Weld County Area Agency on Aging Authorization for Release of Information Patient: Last First MI Maiden or Other Name: Date of Birth: MO DAY YR SS#: - Medical Record Number#: Address: City: State: Zip Code: Day Phone: Evening Phone: I hereby authorize: (Print Name of Provider) to release information from my medical record as indicated below to: Name: - Address: City: State: Zip Code: Day Phone: Evening Phone: Fax#: E-mail Address: 3/28/03 Weld County Area Agency on Aging 16 of 60 Page 2 Authorization for Release of Information (con't) INFORMATION TO BE RELEASED Dates: I specifically authorize the release of information relating to: ❑ History and physical exam ❑ Progress notes ❑ Substance abuse (including alcohol/drug abuse) ❑ Lab reports ❑ Mental health (including psychotherapy notes)* ❑ X-ray reports i 0 HIV related information (AIDS related testing) ❑ Other: ❑ Marketing (except for face-to-face encounters or promotional gifts of nominal value) X SIGNATURE OF PATIENT OR LEGAL GUARDIAN DATE *Please note that if this authorization is used for the purpose of psychotherapy notes that it may not be combined with any other authorization(s) unless for the purpose of psychotherapy notes. 3/28/03 Weld County Area Agency on Aging 17 of 60 Page 3 Authorization for Release of Information (con't) Purpose of Disclosure: ❑ Changing Physicians ❑ Consultation/second opinion ❑ Continuing Care ❑ Insurance ❑ Legal ❑ Research ❑ School • ❑ Worker's Compensation ❑ Other (please specify): I understand that this authorization will expire days after I have signed the form. I understand that if this authorization is used for the purpose of research, that it will expire at the end of research study or indefinite date if the authorization is used for the creation or maintenance of a research database or repository. I understand that I may revoke this authorization at any time by notifying the providing organization in writing, and it will be effective on the date notified except to the extent action has already been taken in reliance upon it. I understand that information used or disclosed pursuant to this authorization may be subject to re-disclosure by the recipient and no longer be protected by federal or state privacy regulations. I understand that I am being requested to release this information by: (Print Name of Provider) for the purpose of: By authorizing this release of information, my health care and payment for my health care will not be affected if I do not sign this form. I understand I may see and copy the information described on this form if I ask for it (permitted by federal law or state law to the extent the state law provides greater access rights), and that I will get a copy of this form after I sign it. 3/28/03 Weld County Area Agency on Aging 18 of 60 Page 4 Authorization for Release of Information (con't) I have been informed that (Print Name of Provider): will not receive financial or in-kind compensation in exchange for using or disclosing the health information described above. I understand that in compliance with: (Print the state whose laws govern the Provider): statute, I will pay a fee of: $ 14 nn . There is no charge for medical records if copies are sent to facilities for ongoing care or follow up treatment. I understand that I may refuse to sign this authorization. SIGNATURE OF PATIENT DATE OR PARENT/LEGAL GUARDIAN/AUTHORIZED PERSON DATE RECORDS RECEIVED BY DATE RELATIONSHIP TO PATIENT FOR OFFICE USE ONLY DATE REQUEST FILED: BY: TYPE OF IDENTIFICATION PRESENTED AND EXPIRATION: FEE COLLECTED: $ 3/28/03 Weld County Area Agency on Aging 19 of 60 Policy and Procedure on Patient's Right to Request Amendment to Health Information Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell, Director, Weld County Area Agency on Aging Responsibility: Supervisor of the Options for Long Term Care Purpose The purpose of this policy is to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to afford our patients the right to request amendment to their protected health information. General Policy It is our policy to provide our patients the right to request amendment to their protected health information that we maintain in our designated record set, with exceptions permitted by law. Definitions Amendment: to add information to an existing record, which either provides additional information, clarifies or corrects existing information, or provides an alternative view with respect to information that we have compiled about the patient in the patient's designated record set. r Designated record set: Supervisor of the Options for Long Term Care and billing records that we use to make health care and payment decisions about patients. Procedure 1. A patient who believes there is an error in information in the medical record or billing record may approach the author of the entry, point out the error, and request the author to correct it. The author may accept any correction believed to be required, and will document the correction. This documentation must retain the original entry, state the correct information, and reflect the author's identity and date of correction. In electronic information system, the correction should be made in accordance with the vendor's specification for correcting errors such that an audit trail exists to show both the original entry and the new entry. In paper documents, a correction may be made in one of two ways: If an entry is simply erroneous and needs to be deleted, a line may be drawn through the erroneous information, initialed, and dated. If an entry is erroneous and requires correction, the entry should be noted as erroneous and correct information written in a separate note, which_must be signed and dated. The author should inquire of the patient if the correction of the error should be disclosed to anyone who may have received this information in the past. If so, the patient should be directed to complete the Form to Request Amendment. 2. A patient may also request that information be added to the medical record or billing record. This request must be made in writing, on our Form to Request Amendment, to Supervisor of the Options for Long Term Care. This Form serves as both 3/28/03 Weld County Area Agency on Aging 20 of 60 documentary evidence of the request and our response, as well as a tracking mechanism to ensure response within 60 days of request (with not more than one 30- day extension) and duty to supply others with the information. This form will be processed in the following manner: a. Request the patient to complete the Form to Request Amendment in triplicate. If this is not received in person, verify the patient's signature on the Form with a sample in the medical record. The patient should keep the last copy of the Form. b. Place the remaining two copies of the Form in the patients medical record or billing record, which ever is the subject of the amendment. Route the record to the author of the record. c. If the author accepts the patient's amendment, the author will sign and date the Form as amendment accepted and make a note at the site in the record to which the amendment applies that an amendment exists. The author may also add a comment to the Form. The second copy of the Form will be returned to the patient indicating that the amendment has been accepted. The original copy of the Form will be used to furnish copies of the amendment to those individuals or organizations the patient deems necessary. Such disclosures will be noted on the form as having been completed with the signature of the staff member who processed the disclosures. The original Form will be placed in the record. d. If the author rejects the patient's amendment, the author must indicate one of the following as reasons: 1) The information subject to amendment was not created by us 2) The information subject to amendment is not part of the designated record set 3)The information would not be available for access (see our policy on Patient's Right to Access Health Information) 4) The information contained in the existing record is accurate and complete The Form must be signed and dated, and the author must make a note at the site in the record to which the amendment applies that an amendment was requested. The second copy of the Form with this information will be returned to the patient. The original copy of the Form will be filed in the record. The patient may request that the request for amendment and the denial be disclosed with any future disclosures of the information that is the subject of the amendment. e. If this processing cannot occur within 60 days of receipt of the request, notify the patient in writing that a 30-day extension will be necessary to process the request. f. The patient may choose to submit a written statement disagreeing with the denial. This statement must be contained on not more than one handwritten or typewritten page of at least 10-point font. Any additional information beyond the one page will be discarded. When this statement of disagreement is received, it should be forwarded to the author, who will determine whether a rebuttal will be prepared. The statement of 3/28/03 Weld County Area Agency on Aging 21 of 60 disagreement and any rebuttal must also be filed in the record and accompany any future disclosures of the information that is the subject of the amendment. 3. If we are informed by another provider of an amendment to one of our patient's records Supervisor of the Options for Long Term Care will review its contents and advise the physician who attended the patient as to any information which appears to require our action. We will place the amendment information in our designated record set. • 3/28/03 Weld County Area Agency on Aging 22 of 60 Policy and Procedure to Request Restrictions on Use and Disclosure of Protected Health Information Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell, Director, Weld County Area Agency on Aging Responsibility: 1. It will be the responsibility of the Weld County Area Agency on Aging to receive requests for and agree to any restrictions on use and disclosure of protected health information. 2. It will be the responsibility of the Supervisor of the Options for Long Term Care Options to monitor any restrictions which the office agrees to follow. General Policy 1. We will supply any individual who requests restrictions placed on use and disclosure of protected health information a Form to Request Restrictions. 2. We will agree to requested restrictions if, in the judgment of a licensed health care professional, we believe the restriction will not limit our ability to provide quality health care treatment or manage our health care operations, and if our information management procedures and systems will permit us to comply consistently with the requested restrictions. We will also provide confidential communications by alternative means or to an alternative address provided by the patient if we obtain assurance that payment for our health care services will be handled and we receive specification of the alternative address or other method of contact. Procedure 1. When an individual requests restrictions, supply him or her with our Form to Request Restrictions. 2. The Weld County Area Agency on Aging will review the Form to Request Restrictions and determine whether we are able to accept the restrictions. The Weld County Area Agency on Aging will complete and sign the Form to Request Restrictions, supply the individual a copy, place the original in the individual's permanent health record and file a copy in our Risk Management file. The Weld County Area Agency on Aging will also make the necessary postings to the individual's health record and/or billing record to enable the restrictions to be carried out. 3. If the individual makes the request for restrictions in our office, we will attempt to complete the Form to Request Restrictions during the time the individual is present in our office, but no later than 30 days after receipt. 4. If at any time we find that we cannot carry out the restrictions requested by an individual, we will prepare a written notice to send to him or her terminating our agreement, which will be applicable only to information created or received after such notice has been sent to the individual. 5. We will accept a written request from the individual to terminate the restrictions at any time or will document any oral request to terminate restrictions from the 3/28/03 Weld County Area Agency on Aging 23 of 60 individual. If an oral request is received, this will be documented on the original Form to Request Restrictions, a copy of which will be supplied to the individual. • 3/28/03 Weld County Area Agency on Aging 24 of 60 Policy and Procedure on Requesting Confidential Handling of Information Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell, Director, Weld County Area Agency on Aging Responsibility: Supervisor of the Options for Long Term Care Purpose The purpose of this policy is to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to inform our patients of their right to request confidential handling of their protected health information when it is sent to them. General Policy It is our policy to accommodate reasonable requests regarding the confidential handling of protected health information, and to maintain that the use of Protected Health Information be consistent with the patient's request. Definitions and Regulatory Requirements Protected health information: Individually identifiable health information, including information that is maintained in our medical records and billing records. A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations. Conditions on providing confidential communications: 1. A covered entity may require the individual to make a request for a confidential communication in writing. 2. A covered entity may condition the provision of a reasonable accommodation on: - a. When appropriate, information as to how payment, if any, will be handled; and b. Specification of an alternative address or other method of contact. 3. A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis. Procedure 1. Patients may request confidential handling of health information by submitting a request in one of the following ways: a. In person, on our Request for Confidential Handling of Health Information Form 3/28/03 Weld County Area Agency on Aging 25 of 60 b. By mail, either on our Request for Confidential Handling of Information Form or in a letter containing the necessary information specified below. All requests should be mailed to: Weld County Area Agency on Aging P.O. Box 1805 Greeley, Colorado 80632 Determine what forms of communication your office will accept to request confidential handling of patient information — in writing or by fax, telephone, and/or e-mail. Include information regarding each method you will accept in your policy. All requests should be directed to the Supervisor of the Options for Long Term Care. The request must supply the following details about the protected health information the individual wants confidentially handled: a. The type of information, specifying if the request is limited to a particular illness or treatment or all health information exchanges b. The time period for which the request applies c. The manner in which payment will be received, if confidential handling of billing matters pertaining to the type of information is also requested d. The manner in which the patient wishes to receive confidential communications, with any alternate information necessary to deliver information in the requested manner 2. When a patient makes a request for confidential handling of their PHI: a. Validate the request with the individual. If the request is received by mail or e- mail, call existing contact phone number and ask to speak with the patient to confirm the request. If the request is made in person, request confirmation of identity, if needed. b. If the request involves billing information, confirm that the commitment for payment will be satisfied and hold confidential mailing until any payment due is received. For future billing, ensure that an agreement to pay at the time of visit is signed. Place a prominent note in the file or have a flag in your scheduling system that payment is required at the time of visit. c. If the request is for an alternate address, enter the address into the patient's address file as the required confidential address. d. If the request is to pick-up the confidential information in person, highlight the requirement for easy recognition by staff handling correspondence. e. If the request is time limited, flag the end date for confidential handling of information in the appropriate files and systems. f. Place a copy of the Request for Confidential Handling of Information Form in the patient's medical record. Determine if your office wishes to track requests for confidential handling of information for risk management purposes 3/28/03 Weld County Area Agency on Aging 26 of 60 Page 1 Request for Confidential Handling of Health Information (print name), request confidential handling of correspondence regarding my health information for the period: From: To: This request applies to health information involving: Please be as specific as possible, e.g., treatment regarding a given illness or diagnosis. Do you wish confidential handling of billing matters pertaining to the information described above? 0 Yes 0 No If yes, please read and sign the following: I agree to pay all charges at the time of my visits. If for any reason the bill remains unpaid for 30 days, then I understand the following organization will bill the original fiscally responsible individual on record. SIGNATURE OF PATIENT DATE I have selected to receive confidential communications in the following way: ❑ Patient will pick up communications at the provider's office. ❑ Patient will receive any information at an alternate mailing address. ❑ Patient will receive any information through secure e-mail. Please use the following mailing address for all health information communications that fit in the description provided above. (Please Print) Mailing Address: City: State: Zip Code: 3/28/03 Weld County Area Agency on Aging 27 of 60 Page 2 Request for Confidential Handling of Health Information If you have any questions concerning this confidential handling, please contact: Signature (Person responsible for handling information) Title Print Name Phone Number O PLEASE SEND CONFIDENTIAL INFORMATION VIA E-MAIL E-mail Address: Determine if your office will send confidential communications to patients via e-mail. If yes: Determine if you will use secure e-mail, and if so, what type of encryption will be required for the patient's browser. (Include the following statement in your policy only if answer is "yes") I understand that if I choose to receive confidential communications through e-mail, I am responsible for secure access to my e-mail and computer and will not hold the provider's office responsible for any breach that may occur on the receiving end of this transmission. I also understand that in order to receive this confidential communication securely I must have a browser that supports 128 bit, currently supported by version 5.50 of Microsoft Internet Explorer. SIGNATURE OF PATIENT DATE t 3/28/03 Weld County Area Agency on Aging 28 of 60 Policy and Procedure on the Handling of Privacy Complaints Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell, Director, Weld County Area Agency on Aging Responsibility: Supervisor of the Options for Long Term Care Program, (970) 353- 3800, extension 3325 Purpose The purpose of this policy is to comply with the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to afford our patients the right to file a complaint, have the complaint investigated and, if appropriate, receive the disposition of the complaint pursuant to the HIPAA privacy rules and our implementing policies and procedures. General Policy It is our policy to keep a record of all complaints and to investigate all valid complaints'to determine the circumstances surrounding any concerns our patients raise regarding privacy. If a patient's privacy rights have been infringed upon in any way, or there is evidence that our staff or associates have not adhered to the privacy standards or our policies and procedures, we will take actions consistent with the HIPAA regulations and our Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality and document these actions accordingly. The HIPAA privacy regulations give all individuals the right to file complaints to Weld County Area Agency on Aging and the Office of the Secretary in the Federal Department of Health and Human Services. Under no circumstances will the fact that an individual has filed a complaint affect the services provided to that individual. Any staff found to be treating any individual differently in light of a complaint will be sanctioned. Any retaliation is prohibited by law. Procedure _ 1. Patients may file privacy complaints by submitting them in one of the following ways: a. In person, on our Privacy Complaint Form; b. By mail, either on our Privacy Complaint Form or in a letter containing the necessary information specified below. All requests should be mailed to: Weld County Area Agency on Aging P.O. Box 1805 Greeley, Colorado 80632 All privacy complaints should be directed to the Sandra Hasch, Supervisor of Options for Long Term Care The complaint must describe the privacy concern in as much detail as possible including when the infraction of the standards or mishandling of protected health information was believed to have occurred, and who, if known, was believed to have acted inappropriately with respect to protected health information or an individual's privacy rights. The complaint must include the following information: 3/28/03 Weld County Area Agency on Aging 29 of 60 a. The type of infraction the complaint involves (i.e. inappropriate handling of PHI, appropriateness of privacy policies and processes) b. A detailed description of the privacy issue c. The date the incident or problem occurred, if applicable d. The mailing address 2. When a patient files a privacy complaint: a. Validate the complaint with the individual. If the complaint is received by mail, phone, fax or e-mail, call existing contact phone number and ask to speak with the patient to confirm the complaint. If the complaint is made in person request confirmation of identity, if needed, and validate the facts of the complaint. b. If the complaint appears to be a misunderstanding of the requirements or your policies and procedures, contact the patient and determine if, based on a more in depth discussion of the concern, the individual still wants to file a complaint. Be as courteous as possible. UNDER NO CIRCUMSTANCES SHOULD A PATIENT FEEL PRESSURED OR COERCED EVEN IF YOU BELIEVE THEY ARE STILL MISUNDERSTANDING THE RULES OR POLICIES. If the individual does not want to pursue the complaint any further, indicate "no further action required based on clearer understanding", record the date and time, and file under dismissed complaints. c. Once validated and if not dismissed, log the complaint by placing a copy of the complaint form in the complaint file and the patient's medical record. d. Investigate the complaint by reviewing the circumstances with the relevant staff and reviewing any audit and monitoring logs that may have relevance to the complaint. If the complaint involves any issues with an individual's rights that have attendant documentation (e.g., consent or authorization processes or confidential requests), pull all relevant forms. Complete the complaint investigation section of the complaint form with a summary of your findings. e. If you determine the complaint is invalid, draft a letter stating the reasons the complaint was found invalid. Initially, an impartial, knowledgeable staff person or lawyer should review all letters for tone and rationale. Standard letters will likely emerge over time. File a copy of the letter and form in the investigated complaints file. f. If you are uncertain about your findings, get a second opinion from your HIPAA privacy committee or your lawyer. g. If you determine the complaint is valid and linked to a required process or an individual's rights, follow your office sanction policy to the extent that an individual is responsible. If the complaint involves your office's compliance with the standards that do not involve a single individual (e.g., policies and procedures themselves versus adherence to them), then begin the process to revise your current policies and procedures. h. Once an appropriate sanction or action has been taken with respect to a complaint with merit, or if the response will take more than 30 days, draft a letter explaining the findings and the associated response or intended response. Use the same review process as for the invalid complaint letter in item e in the list • 3/28/03 Weld County Area Agency on Aging 30 of 60 above. Document the disposition of the complaint on the complaint form and file the letter and form in the investigated complaints file. i. Place a copy of the complaint form in the patient's medical record. 3/28/03 Weld County Area Agency on Aging 31 of 60 Page 1 Weld County Area Agency on Aging Privacy Complaint Form I (print name), am registering a formal complaint regarding (Organization Name) The complaint involves: ❑ Issue relating to (Organization's Name) privacy policies and processes ❑ Specific concern regarding the handling of my protected health information ❑ Other A detailed description of the privacy issue involved in the complaint is provided below: The incident or problem occurred on (month/day/year), if applicable I can be reached at (please provide day-time number) Patient Signature: Please use the following mailing address for a formal response to this complaint. MAILING ADfRESS (Please Print): City: State: Zip Code: If you would like to follow up on the status of your complaint, please contact: X [TITLE AND PHONE NUMBER OF PERSON RESPONSIBLE FOR ACCESS TO HEALTH INFORMATION] 3/28/03 Weld County Area Agency on Aging 32 of 60 Page 2 i Weld County Area Agency on Aging Privacy Complaint Form (con't) FOR OFFICE USE ONLY Dismissed O Investigated O Invalid O Has Merit O Summary of Investigation Response to Complaints with Merit: Staff Involved in Review: Name: Date: Name* Date: Name* Date. Name' Date* 3/28/03 Weld County Area Agency on Aging 33 of 60 Policy on Minimum Necessary Information Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell, Director, Weld County Area Agency on Aging Responsibility: It is crucial that every staff member understands the minimum necessary policy for use, disclosure and request of protected health information. Health care providers and staff are entitled to use protected health information (PHI) consistent with their roles in this organization. Each staff member must also understand that with this role comes certain responsibilities such as limiting the viewing, use, disclosure and requesting of PHI to only that data necessary for patient treatment, reimbursement for treatment and health care operations. It is considered a breach of policy and the patient's trust to seek information beyond what is appropriate for the staff role and the patient needs. In the event of an emergency, the strict limits of access may be breached when appropriate for the benefit of the patient, specifically when the potential benefit to the patient is judged to outweigh the risk to patient privacy. Purpose The purpose of this policy is to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to ensure our patients' rights to the minimum necessary use and disclosure of their protected health information. General Policy 1. When using or disclosing protected health information or when requesting protected health information from another covered entity, each staff member of Weld County Area Agency on Aging must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This requirement does not apply to disclosures to a health care provider for treatment, uses or disclosures made to the individual, uses or disclosures made pursuant to an authorization for release signed by the patient or the patient's representative, disclosures made to the Secretary of Health and Human Services, disclosures that are required by law (as described by Sec. 164.512(a) of the privacy regulations) and uses or disclosures that are required for compliance with the privacy regulations. 2. It is necessary that the different roles in Weld County Area Agency on Aging be defined so that each staff member understands their own roles and responsibilities with regard to handling PHI. Office Role Categories Direct Health Care Provider—A licensed health care professional who provides direct or indirect patient care or consulting services. 3/28/03 Weld County Area Agency on Aging 34 of 60 Direct Support Staff—Staff who work within the office providing a variety of professional and direct administrative support that involves the delivery of patient care or billing operations. Data Access Categories Full Health Information Access —Access to full health information as needed for health, payment or health operations. Staff in this category may access and read all appropriate information. Summary Data Access —Access to summary data with treatment or diagnostic codes as needed to function. Staff in this category should confine the use of protected health information to the absolute minimum required and should not access or read full medical records. Minimum Information Access—Access to patient demographic data with only minimum reference to treatment or diagnostic information as needed to function. Emergency Information Access —Access to any individually identifiable health information should not be granted except in emergency situations. Usage Assignments Data Access Categories are assigned in accordance with the operational requirements for minimum necessary use. Each staff member has a separate access category. Choose whether they have: a. Full health information access b. Summary data access c. Minimum information access d. Emergency information access Direct Health care Providers have access to full health information with the clear understanding that access and reading is limited to need for treatment, reimbursement, or operations. Direct Support Staff have access to full health information with the clear understanding that access and reading is limited to need for treatment, reimbursement, or operations. Indirect Support Staff have access to minimum information with the clear understanding that access and reading is limited to need for treatment, reimbursement, or operations. Weld County Area Agency on Aging will maintain a current office role directory that lists every defined position within the office. This will ensure that each position will be granted the correct access authorization as defined in the Usage Assignments section of this policy. It is incumbent on every staff member to report any observed violation of these usage rules to the Medical Records Manager or another senior staff member. Every staff member must be trained in their roles and responsibilities with reference to the minimum use and access to patient data policy. It is considered a breach of organization policies and the patient's trust to seek information beyond what is appropriate for the staff role and the patient needs. 3/28/03 Weld County Area Agency on Aging 35 of 60 In the event of an emergency, the strict limits of access may be breached when appropriate for the benefit of the patient, specifically when the potential benefit to the patient is judged to outweigh the risk to patient privacy. Disclosures for Treatment, Payment or Health Operations The regulations establish that routine and recurring disclosures of protected health information can be made for treatment, payment or health operations without specific patient authorization. The minimum necessary requirements still pertain to all of these disclosures. Minimum necessary determinations will be made for all routine and recurring disclosures for all categories (other than those that are excepted); these categories will include, for example, additional medical information for medical necessity determination, sample records for accreditation and audits, records review for protocol adherence, patient information for participation in a clinical trial, paper claims, phone referral certification information and other categories as determined necessary. Full health information will be provided to routine and recurring requests from: • Attending physicians • Home Health Care agencies • Hospitals • Home and Community Based Medicaid Providers • Rehabilitation Facilities • Long Term Care Facilities Summary data with treatment and/or diagnostic codes will be provided to routine and recurring requests from: • Do not anticipate a need to release this type of information since we currently do not bill for services Minimum information - patient demographic data with only minimum reference to treatment or diagnostic information - will be provided to routine and recurring requests from: • Community services agencies such as Meals on Wheels that will be able to meet the clients needs Every effort will be made to comply with these disclosure categories except where the cost of extracting information is not reasonable and the risk of breach of patient privacy is considered low. In all situations, the requestor will be informed of their responsibilities towards this data and appropriate agreements entered into. All non-routine and/or non-recurring requests will be considered on a case-by-case basis and determination of the level of response will take into account the minimum necessary requirements. Requests for Information { The regulation establishes that for routine and recurring requests, the responsibility for determining the minimum necessary data falls on the requestor. In all situations where 3/28/03 Weld County Area Agency on Aging 36 of 60 data are requested, staff members must ensure that minimum necessary evaluation is made. In situations where the determination has not been made, questions should be directed first to the Supervisor of the Options for Long Term Care and then to the Director of the Area Agency on Aging. Minimum necessary determinations will be made for all routine and recurring requests for all categories. These categories will include, for example: Reason for visit Vital medical stats Medical records for referral Referral authorization, if non-standard Test results Patient messages from an answering service 3/28/03 Weld County Area Agency on Aging 37 of 60 Office Role Directory Weld County Area Agency on Aging The following is a current list of all Weld County Area Agency on Aging staff positions. They are listed according to the office role category (as defined in the Policy on Minimum Necessary Information) to which they belong. The office role category determines the type of information access each position requires to perform its functions. Direct Health care Providers: Agency Director Options Supervisor Options Lead Case Managers Options Case Managers Direct Support Staff: Administrative Assistant/Community Outreach 3/28/03 Weld County Area Agency on Aging 38 of 60 Policy and Procedure for Informing Individuals Concerning Opportunity to Accept/Reject Certain Uses and Disclosures Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell. Director,Weld County Area Agency on Aging Responsibility It will be the responsibility of the Supervisor of Options for Long Term Care to exercise professional judgment to use or disclose information where consent or authorization is not required. The individual, however, must be given an opportunity to agree or object to the use or disclosure. General Policy Our Notice of Privacy Practices will identify the circumstances in which we may use or disclose protected health information for which consent or authorization is not required, but the individual must be given an opportunity to agree or object. These circumstances include: 1. Uses and disclosures of protected health information that we believe in our professional judgment to be.in the individual's best interest for purposes of care or for notification of the individual's general condition, location, or death. Such disclosures may include making health information directly relevant to the individual's care or payment related to care available to a family member, other relative, close personal friend, or any other person identified by the individual as involved in care or payment of care. We may disclose health information to notify a family member, personal representative, or another person responsible for the individual's care concerning the individual's general condition, location, or death. We may also disclose health information about the individual to an entity assisting in a disaster relief effort so that the individual's family can be notified about the individual's general condition, location, or death. 2. Using and disclosing protected health information to contact the individual as a reminder that the individual has an appointment. We must give the individual the right to request that such confidential communication be sent to an alternative location or by an alternative means. 3. Using and disclosing protected health information to tell the individual about non- health-related products or services. Such marketing communications must indicate whether we are being paid for the marketing. Procedure 1. When an individual is present or otherwise available prior to a use or disclosure for which a consent or authorization is not required but the individual must be given an opportunity to agree or object, we may obtain the individual's oral agreement, inform him/her of our intent and provide the individual the opportunity to object, or reasonably infer from the circumstances that the individual does not object to the disclosure. For example, if we request an individual to complete an appointment reminder post card, we may infer from the individual's completion of the card that there is no objection to this disclosure. If we plan on calling the individual, however, 3/28/03 Weld County Area Agency on Aging 39 of 60 we will inform him/her that a call will be made and ask if there is any objection or alternative telephone number for us to call. 2. If the individual is not present or the opportunity to agree or object cannot practicably be provided because of the individual's incapacity or an emergency circumstance, we may exercise professional judgment to determine whether the disclosure is in the best interest of the individual. If so, we will disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care. For example, we will infer there is no objection if a person is acting on behalf of the individual to pick up filled prescriptions, medical supplies, x-rays, or other similar forms of protected health information. However, if a known family member, other relative, close personal friend, or other person involved in the individual's care is present in our office and does not volunteer to act on behalf of the individual, we will not infer that there is no objection to disclosing protected health information and we will not disclose such information. 3. If the individual is sent any marketing or fundraising communications for which we do not have specific restrictions on file, we will ensure they meet the requirements set forth in HIPAA's privacy rule and will include a description of how the individual may-opt out of receiving any further such communications. 4. If the individual has filed a Form to Request Restrictions that cover any of the above disclosures of protected health information, we will accept such restrictions and take every measure practicable to not disclose such information. • 3/28/03 Weld County Area Agency on Aging 40 of 60 Policy and Procedure on Accounting for Disclosures Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell. Director, Weld County Area Agency on Aging Responsibility: Supervisor of the Options for Long Term Care (970) 353-3800, extension 3325 Purpose The purpose of this policy is to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to afford our patients the right to request and receive an accounting of disclosures we make concerning their health information. General Policy It is our policy to keep an accurate accounting of all applicable disclosures that we make of our patients' protected health information; and to provide an accounting of those disclosures to patients who may request an accounting, as permitted by law. Definitions Disclosure —the release, transfer, provision of access to, or divulging in any other manner of information outside of this office. Applicable disclosure — refers only to those disclosures of patients' protected health information made for reasons other than: • to carry out treatment, receive reimbursement, or carry out our operations • to the patients themselves • to persons involved in a patient's care • for national security or intelligence purposes (as specified in our policy on Authorization for Release of Information) • to correctional institutions or law enforcement officials under certain circumstances (as specified in our policy on Authorization for Release of Information) • those that occurred prior to April 14, 2003 Protected health information— individually identifiable health information, including that information maintained in our medical records and billing records. Procedure 1. Patients may request an accounting of disclosures by submitting a request in writing on our Request for Accounting for Disclosures Form to our Supervisor of the Options for Long Term Care (970) 353-3800, extension 3325. The request must state the time period for which the accounting is to be supplied, which may not be longer than six years and may not include dates before April 14, 2003. Determine if your office will allow disclosure to be sent through electronic mail (Include the following statement only if answer is "yes"). The request must state whether the patient wishes to be sent the accounting via postal mail or electronic mail. 3/28/03 Weld County Area Agency on Aging 41 of 60 2. When a request for an accounting of disclosures is made by a patient: a. Obtain the patient's medical record. b. Review the medical record to determine if it contains a written statement from a health oversight agency or law enforcement official that such an accounting to the patient must be suspended because such an accounting would impede the agency's activities. If such a statement exists, review the time period of the suspension. If the suspension is for less than 60 days from the date of receiving the request, hold the request until the suspension period has ended and then process the request. If the suspension is for more than 60 days from the date of receiving the request, send the Accounting for Disclosures Form indicating that we are temporarily unable to process the accounting due to a suspension required by law, but will comply with the request when the suspension has been lifted, and specify the date on which the suspension will be lifted. If the time period for suspension has passed, proceed to process the request. c. Review the section of the medical record that contains authorizations and requests for disclosures to determine which disclosures are applicable to the accounting (see Definitions above) and within the time period being requested. d. Complete the Accounting for Disclosures Form to supply the date(s) of disclosure(s), name(s) and address(es) of organizations or persons to whom the disclosure(s)were made, a brief description of the protected health information disclosed, the purpose of the disclosure(s), and the name of our Supervisor of the Options for Long Term Care (970) 353-3800, extension 3325 and date the form was mailed. e. Send the Accounting for Disclosures Form to the patient within 60 days of receiving the request. If we are unable to complete this process within 60 days, send the Accounting for Disclosures Form to the patient indicating we will need a 30-day extension to complete the process, indicate the date on which we will supply the accounting, and check off the reason for the delay. f. Place a copy of the Accounting for Disclosures Form in the patient's medical record. Determine if your office wishes to track accountings for disclosures for risk management purposes Place a copy of the Accounting for Disclosures Form in our Risk Management file. 3. We will provide the first accounting to a patient in any 12-month period without charge. For any subsequent request within the 12-month period, we will charge twenty dollars (20.00) per hour as specified on the Request for Accounting for Disclosures Form. (A patient who does not wish to pay for subsequent accountings may withdraw the request and no accounting will be made.) t 3/28/03 Weld County Area Agency on Aging 42 of 60 Page 1 f Request for Accounting for Disclosures of Health I, (print name), request an accounting for disclosures of my health information for the period: From: To: I understand that this accounting for disclosures will include disclosures made only to those organizations or persons other than: • to those for whom use and disclosure of my health information was made to carry out • my treatment, process,payment for my health care, or carry out your operations • to myself or persons involved in my care for national security or intelligence purposes • (as specified in your Notice of Privacy Practices) • to correctional institutions or law enforcement officials under certain circumstances (as specified in your Notice of Privacy Practices) that occurred prior to April 14, 2003 ❑ I understand that I may receive the first accounting for disclosures within a 12-month period at no charge. ❑ I understand that I am requesting a second or subsequent accounting in a 12-month period and will pay the charge of$30.00 for this accounting. Send this accounting to: (Please Print) Mailing Address: City: State: Zip: Determine if your office will allow disclosure to be sent through electronic mail (Include the following statement only if answer is yes') ❑ CHECK HERE IF YOU WISH THE ACCOUNTING TO BE SENT TO YOUR E-MAIL E-mail Address. SIGNATURE OF PATIENT DATE 3/28/03 Weld County Area Agency on Aging 43 of 60 Page 2 Accounting for Disclosures ❑ There were no applicable disclosures made of your health information for the period you specified. ❑ Disclosures of your health information were made by this office to: Date Name and Address to I Description of Purpose of of Disclosure Whom Disclosed Information Disclosed Disclosure We are temporarily unable to process the accounting for disclosures you have requested due to: ❑ a suspension required by law ❑ other: but will comply with your request by the date of: If you have any questions concerning this accounting for disclosures, please contact: X Signature of person responsible for handling Date requests for access to health information Phone Number Print Name of person responsible for handling requests for access to health information FOR OFFICE USE ONLY LAST PAID 3/28/03 Weld County Area Agency on Aging 44 of 60 Job Description Job Title: Privacy Officer Summary The Privacy Officer oversees all ongoing activities related to the development, implementation, maintenance of, and adherence to the practice's policies and procedures covering the privacy of and access to patients' protected health information in compliance with federal and state laws and the practice's information privacy practices. Duties 1. Identifies need for, develops, implements, and maintains the practice's policies and procedures for protecting individually identifiable health information, in coordination with the Weld County Area Agency on Aging. 2. Performs information privacy/security risk assessment and conducts related ongoing compliance monitoring activities in coordination with the practice's other compliance and operational assessment functions. 3. Works with the practice's personnel office and legal counsel to develop and maintain appropriate consent forms, authorization forms, notice of privacy practices, business associate contracts, and other documents required under HIPAA's standards for the privacy and security of individually identifiable health information. 4. Ensures compliance with the practice's privacy/security policies and procedures and consistent application of sanctions for failure to comply with these policies for all members of the practice's workforce (as defined in HIPAA's Standards for Privacy of Individually Identifiable Health Information) and business associates. 5. Establishes and administers a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the practice's privacy/security policies and procedures. 6. Oversees, directs, delivers, or ensures delivery of, including the tracking of attendance, information privacy/security training for the practice and other appropriate parties. Initiates, facilitates, and promotes activities to foster information privacy/security awareness within the practice and related entities. 7. Reviews all information system-related security plans to ensure alignment between security and privacy practices. 8. Cooperates with the Office of Civil Rights, other legal entities, and Weld County Personnel Department in any compliance reviews or investigations. 9. Serves as a member of the practice's privacy board, which it has constituted for the purpose of overseeing use of individually identifiable health information without the individual's authorization or with an altered form of authorization for purposes of research. - Reporting Relationship For this function, the Privacy Officer reports to the Director of the Division of Human Services. Qualifications _ 3/28/03 Weld County Area Agency on Aging 45 of 60 • Experience in the administration and functions of a Director of the Area Agency on Aging • Current knowledge of applicable federal and state privacy laws and accreditation/licensure standards pertaining to health care • Familiar with advancements in information privacy strategies and technologies to ensure practice adaptation and compliance • Experience in health information access controls, release of health information, and health information release control strategies and technologies • Demonstrated organization, facilitation, communication, and presentation skills 3/28/03 Weld County Area Agency on Aging 46 of 60 Overview of Policies and Procedures on Privacy and Security Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell, Director, Weld County Area Agency on Aging Purpose A copy of this document should be given to each staff member. While there are many policies directed at singular aspects of privacy and confidentiality, this overview is directed at developing a simple overall guideline for the understanding of the relationship between the staff and the clients of Weld County Area Agency on Aging. The electronic and paper record resources of Weld County Area Agency on Aging are provided for the singular purpose of facilitating patient care and business processes. Any person who uses Weld County Area Agency on Aging's paper records and/or computing resources for non-business or unauthorized purposes may be subject to disciplinary action, up to and including termination, and civil or criminal legal action. Management at all levels is responsible for monitoring the actions of its staff and enforcing the intent of this overview. All questions, concerns or infractions should be directed to the Privacy Officer. Prohibited Activities The following are examples of prohibited activities: 1. Using Weld County Area Agency on Aging computing systems or data for personal business or gain; 2. Specific violations of Weld County Area Agency on Aging electronic mail, Internet and facsimile machine policy; 3. Unauthorized browsing of patient, personnel, financial, or other records for the purpose of personal curiosity or with the intent of improperly disclosing the information contained in those records; 4. Interfering with the operation of any of Weld County Area Agency on Aging computing systems or using a Weld County Area Agency on Aging computer to disrupt any external computing system 5. Altering or deleting any of Weld County Area Agency on Aging data or software, except when performing authorized business functions; and 6. Installing unauthorized or illegally-copied software on any of Weld County Area Agency on Aging computer terminals. Responsibilities 1. Every staff member is accountable for all computing activities he/she performs. 2. Users shall take the following precautions to safeguard systems and data: • Staff will maintain client data in secure folders on the M drive. Only staff required to have access to client information will be given clearance to have access to the secure folders. 3/28/03 Weld County Area Agency on Aging 47 of 60 3. User identification codes are not to be shared, except under special circumstances approved by the Privacy Officer or the Supervisor of the Options for Long Term Care. 4. Passwords shall not be divulged, orally or in writing 5. Workstations and terminals to be left unattended shall be logged off or locked up 6. All suspected or known breaches of confidentiality or computer security shall be reported to the Privacy Officer or another member of management immediately Organizational Policies and Training The management of Weld County Area Agency on Aging will instruct users in Information Confidentiality, Privacy, and Security policies, standards and procedures, as well as in the principles of information confidentiality and computer security. Management of Weld County Area Agency on Aging shall make written policies on the management of private patient information and other protected data that is readily available to staff. Behavior in Interacting with Patients Staff or volunteers of Weld County Area Agency on Aging are obligated to make sure that patient information is not disclosed inappropriately, accidentally or negligently. In order to do this we must take appropriate precautions to safeguard medical information, as described below. 1. Do not allow medical information on terminals to be visible to patients. 2. Keep patient charts and encounter forms face down. Never leave them out where others can see them. 3. Use confidential trash bins when disposing of patient information. Any document with a patient's name, insurance number or a partial patient record is considered protected health information. 4. Place patient record charts and other patient information outside exam rooms or clinical offices so that they face the door or wall. 5. Speak softly over the phone and try to avoid excessive use of the patient's name. 6. Do not discuss patient information with anyone in a social conversation. 7. Make a habit of speaking to patients in private offices and exam rooms only. 8. Do not discuss the reason for a patient's visit in the waiting area or in front of others. 9. Anticipate patient privacy needs when giving out test results, setting up appointments and obtaining or explaining referrals. 3/28/03 Weld County Area Agency on Aging 48 of 60 General Areas for Consideration Patient's Rights 1. Right to be Informed of their Rights. Responsibilities for implementing procedures for ensuring that the patient is informed of the policies related to patient information should be defined. 2. Right to Privacy. Relevant patient information may only be disclosed to those directly involved in the care of the patient, for the protection of the public health as provided by law, for the payment of services as authorized by the patient, to assist researchers as authorized by the patient, or for any other purposes required by law or authorized by the patient. These rights are defined in the Policy and Procedure on Uses and Disclosures of Protected Health Information. 3. Right to Review Information. Patients are entitled to know which information about them is in the possession of the organization and are entitled to review that information. Any category of information that may be withheld from the patient in accordance with the law should be defined in the Policy and Procedure on Patient's Right to Access Health Information. 4. Right to Clear and Complete Presentation of Information. Policies related to making information from the computer-based patient record available to the patient in a clear, logical, understandable format should be developed. Any policies for presenting information in a format not maintained by the organization should be defined. The organization's policies related to the costs associated with presentation of information should also be defined. 5. Right to Amend Correct Information. Information cannot be deleted, but erroneous information can be marked as such and correct information amended. The rights of the patient to provide supplemental information or an appendix should also be defined in the Policy and Procedure on Patient's Right to Request Amendment of their Health Information. 6. Right to Restrict the Use and Disclosure of Specific Information. The patient's rights to segment information and block the release of specific information should be clearly stated in the Policy and Procedure to Request Restrictions on Use and Disclosure of Protected Health Information. The rights of the organization to identify and explain any consequences of such blockage should also be included. 7. Right to an Accounting for Disclosures of Information. The patient's rights to know which individuals, organizations, and government agencies have authority to access, and have actually gained access to, specific information identified with the patient should be clearly defined in the Policy and Procedure on Accounting for Disclosures. 8. Right to Protection of Information Released to Third Parties. The policy should define the commitment for protection required from a third party prior to the release of information to that organization. The policy may also specify the responsibility for monitoring these commitments. 9. Right to Integrity and Availability. Records must be protected from unauthorized modification and destruction. The patient has the right to expect that the organization will take reasonable precautions to protect the information from destruction by accident or vandalism, and by fire, flood, earthquake, or other disasters. Policies requiring that provisions be made for the patient records to survive the organization in the event of mergers, bankruptcy, and similar events should be established. 3/28/03 Weld County Area Agency on Aging 49 of 60 Protection of Caregiver Information 1. Privacy. The caregivers' personal privacy should be preserved. Relevant caregiver information may only be disclosed for the protection of the public health as provided by law, for any other purposes as required by law, or as authorized by the caregiver. 2. Review of Information. The caregiver is entitled to know which information about the caregiver is in the possession of the organization. Caregivers' are also entitled to know which information they have a legal right to review. Caregivers should have the right to review information they have placed in the patient's record. 3. Clear and Complete Presentation of Information. Information about the caregiver and patient information authorized to the caregiver should be made available in a clear, logical, understandable format. 4. Right to Append Corrected Information. The caregivers' rights to identify erroneous information and append correct information pertaining to their employment or contractual arrangements should be defined. 5. Release of Specific Information. The caregiver may be granted the right to segment information and block the release of specific information where permitted by law. 6. Notification of Disclosure of Information. The caregiver is entitled to know which individuals, organizations, and government agencies have authority to access and have actually gained access to information about the caregiver. 7. Protection of Information Released to Third Parties. The policy should define the commitment for protection required from a third party prior to the release of information to that organization. 8. Integrity and Availability of Records. Records must be protected from unauthorized modification and destruction. The caregiver has the right to expect that the organization protect the information from destruction by accident or vandalism, and by fire, flood, earthquake, or other disasters. Provisions must be made for the records to survive the organization in the event of closure, mergers, bankruptcy, and similar events. 9. Responsibility to Protect Information. The caregivers' responsibility for the protection of the information to which the caregiver has access should be stated. The Release of Data Although the requirements for release of some patient information are defined by law, Weld County Area Agency on Aging has policies addressing the responsibilities and determining the methods of complying with these laws. The organization's policies related to complying with the law for the release of patient, caregiver, and institutional information to public health authorities should be defined. Factors to consider in the release and sharing of information include: • Which information may be released? • To whom may information be released? • What responsibility does the institution have regarding the protection of information it has released from its custody? 3/28/03 Weld County Area Agency on Aging 50 of 60 Data should never be released without the express, specific, written consent of the patient or a court order. In all cases, where there is any question as to the • appropriateness of the release of data, the Privacy Officer, Eva Jewell, or a member of management, must be contacted for a decision before any data is released. 3/28/03 Weld County Area Agency on Aging 51 of 60 ACKNOWLEDGEMENT I have received a copy of Weld County Area Agency on Aging Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality and Overview of Policies and Procedures on Privacy and Security. I agree to keep all Weld County Area Agency on Aging patient information, as outlined in the above documents, strictly confidential. I understand that a breach in patient confidentiality, as defined in the above documents, will result in disciplinary action, up to and including termination of employment. X Date: • 3/28/03 Weld County Area Agency on Aging 52 of 61 Policy and Procedure on Personnel Discipline for Breach of Privacy or { Confidentiality Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell, Director of the Area Agency on Aging Responsibility: Privacy Officer Purpose This plan provides guidance for the appropriate response to breaches in patient privacy and confidentiality at Weld County Area Agency on Aging. This guidance is intended to ensure that staff and management understand the appropriate seriousness of any breach and the stated penalties and actions. Weld County Area Agency on Aging has a very strong commitment to protecting the confidentiality of its patients' records and clinical information. To ensure compliance with the policy by all staff and to ensure consistency in the discipline and actions taken upon evidence of breach in patient confidentiality by staff, Weld County Area Agency on Aging has adopted the disciplinary process set forth below. General Policy Weld County Area Agency on Aging and its staff are entrusted with information regarding our patients and we recognize that the patient record is highly confidential and must be treated with great respect and care by all staff. Any breach in patient confidentiality by a staff person is subject to formal disciplinary action as delineated in this policy. A breach in patient confidentiality occurs when a member of the Weld County Area Agency on Aging staff: a. Views or accesses private patient health information for any reason not related to the provision of care and treatment or another authorized purpose; b. Discusses with or reveals to any individual(s), private patient health information for purposes not related to patient care and treatment or another authorized purpose; or c. Violates the provisions of Weld County Area Agency on Aging policy on the confidentiality of private patient health information as stated in the general overview policy as provided to the staff. For any breach in patient confidentiality, the staff member shall be subject to disciplinary actions as set forth in the "Procedures" section below. Every staff member should receive and read a copy of this document and "Overview of Policies and Practices in Privacy and Security." Procedures 1. Review. The Privacy Officer is responsible for the content and administration of this policy. The policy shall be reviewed and evaluated one year from its effective date with specific focus on the Disciplinary Process section, and then every two ff years thereafter. l._ 3/28/03 Weld County Area Agency on Aging 53 of 61 2. Level of Breach. Breaches in patient confidentiality have been divided into the following three levels, with the corresponding disciplinary actions for each level of breach. A. Level 1 —Carelessness This level of breach occurs when a member of the Weld County Area Agency on Aging staff unintentionally or carelessly accesses, reviews or reveals patient information to him/herself or others without a legitimate need to know the patient information. Disciplinary Sanctions: 1. Depending upon the facts, counseling, oral warning, written warning, final written warning or suspension, documented in writing and maintained in the employee's personnel record, or termination 2. Except in the case of termination, the employee shall be required to repeat the confidentiality training module 3. Level 1 disciplinary sanctions shall be administered in a progressive manner 4. Disciplinary sanctions shall be reported to the applicable professional licensing board as appropriate B. Level 2— Curiosity or Concern (no personal gain) This level of breach occurs when an employee intentionally accesses or discusses patient information for purposes other than the care of the patient or other authorized purposes, but for reasons unrelated to personal gain. Disciplinary Sanctions: 1. First offense: Depending upon the facts, oral or written warning documented and maintained in the employee's personnel record 2. Second offense: Depending upon the facts, a final written warning and suspension for 3-30 days without pay, documented and maintained in the employee's personnel record, or termination 3. Third Offense: Termination 4. Except in the case of termination, the employee shall be required to repeat the confidentiality training module 5. Disciplinary sanctions shall be reported to the applicable professional licensing board as appropriate. C. Level 3— Personal Gain or Malice This level of breach occurs when an employee accesses, reviews or discusses patient information for personal gain or with malicious intent. Disciplinary Sanctions: 1. First offense: Termination 2. Report to applicable professional licensing board 3. Disciplinary Process. The following process must be followed when an employee breaches, or is suspected of breaching, patient confidentiality. A. Initial Reporting 3/28/03 Weld County Area Agency on Aging 54 of 61 1) An individual who observes or is aware of a breach reports it to his/her immediate supervisor, who in turn should report this incident to the Privacy Officer 2) The Privacy Officer reports this to his/her reporting authority, who consults management as appropriate 3) Failure to report a breach of which one has knowledge will result in appropriate disciplinary action 4) Reporting of a breach in bad faith or for malicious reasons will result in appropriate disciplinary action B. Activity Upon Clear Evidence of Breach of Confidentiality 1) The incident shall be reported to the Privacy Officer who shall investigate the incident and report the matter to appropriate management. C. Reporting and Filing Requirements 1) All incidents should be reported to your immediate supervisor and the Privacy Officer D. Imposition of Appropriate Discipline 1) Based upon the severity of the breach management shall take the appropriate disciplinary actions provided under the employer's personnel policies. For all levels of breach, after final resolution, the initial report and all written documentation relating to the breach shall be filed in a confidential file in the Privacy Officer's office and a referring note placed in the Security Log. The disciplinary action and appropriate documentation shall also be placed in the employee's personnel file. 4. Upon investigation of a level 2 breach, or higher, the following actions should be taken. a. The Privacy Officer should ensure that the access of the accused employee to any paper or electronic medical records is immediately suspended. b. The Privacy Officer should retrieve keys and/or badges from the accused employee that allow access to secure areas where patient records are kept. c. The Privacy Officer should inform all appropriate supervisors about the suspension or removal of the access privileges of the accused employee. d. The Privacy Officer should include a written report of all actions in a confidential file in the Privacy Officer's office and a referring note placed in the Security Log. The disciplinary action and appropriate documentation shall also be placed in the employee's personnel file. After reading this policy, sign and date the lower portion of this page and return it to your immediate supervisor. Detach the acknowledgement and retain the policy for your records. (. 3/28/03 Weld County Area Agency on Aging 55 of 61 ACKNOWLEDGEMENT I have received a copy of Weld County Area Agency on Aging Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality and Overview of Policies and Procedures on Privacy and Security. I agree to keep all Weld County Area Agency on Aging patient information, as outlined in the above documents, strictly confidential. I understand that a breach in patient confidentiality, as defined in the above documents, will result in disciplinary action, up to and including termination of employment. X Date: • 3/28/03 Weld County Area Agency on Aging 56 of 61 Policy and Procedure on Physical Security Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell, Director, Weld County Area Agency on Aging Responsibility: Privacy Officer Purpose A Physical Security policy document should exist detailing the measures taken to protect buildings in regard to disasters (flooding, fire, earthquakes, explosions, power outage), theft, physical access, computer rooms and wiring cabinets. General Policy All Weld County Area Agency on Aging staff should understand and support the control of access to the public, clients, general staff and staff with specific access privileges. Upon observation or detection of any breach of physical access, staff members should implement provisions of the procedures below according to their best judgment, but in all instances a follow-up report should be made to the Information Security Officer for action and record. The Privacy Officer has overall responsibility for physical security and for oversight of procedures listed below. In the event that the Privacy Officer is unavailable, the Supervisor of the Options for Long Term Care will assume responsibility for the procedures in this policy. Procedures 1. Definition of Areas Zone 1: Areas open to the public Zone 2: Areas not open to the public, open to company clients and staff Zone 3: Areas not open to the public, not open to company clients, open to staff only Zone 4: Protected areas, only accessible with identification, access strictly controlled 2. Warning Signs Signs clearly identifying the right of access to an area should be placed at every juncture between zones. All staff should be clearly aware of requirements and should not hesitate to challenge inappropriate persons. Specific badges and or actual tokens may be issued to validate authorized entry into different areas. 3. Emergency Telephone Numbers Emergency telephone numbers for private security, police, plumber, etc., should be placed at all telephone handsets. If possible, incidents or disasters should be managed by the Privacy Officer, but in emergency situations, any available staff member should make the call. In all instances, follow-up reports should be made to the Privacy Officer or the Supervisor for the Options for Long Term Care for recording in a confidential file. 3/28/03 Weld County Area Agency on Aging 57 of 61 4. Response to Physical Intrusion or Any Disaster a. When staff, clients and/or patients are present: 1) Staff should take the immediate, appropriate action to safeguard the clients and/or patients, confidential patient information and the physical and electronic infrastructure. 2) The Privacy Officer, the Supervisor of the Options for Long Term Care or the most available staff member should call the appropriate authorities to respond to the situation. 3) In all instances, follow-up reports should be made to the Privacy Officer or the Supervisor of the Options for Long Term Care for recording in a confidential file. b. Detected outside of hours of operation: 1) If immediate action is necessary, arrangements should be made for the office's security service to contact the Privacy Officer, or the Supervisor of the Options for Long Term Care in the event that the Privacy Officer is unavailable, who should contact the appropriate authorities and take any necessary steps to secure the premises until a complete evaluation of the damage can be made. 2) In all instances,follow-up reports should be made to the Privacy Officer for recording in a confidential file. 3) If no immediate action is necessary to mitigate the loss, reports should be made to the Office Manager for action and for recording in a confidential file. 5. Routine Destruction of Paper Records Paper records with protected health information printed on them should not be discarded as regular trash. All paper that has protected health information printed on it should be segregated from regular trash and destroyed only by methods that ensure the privacy and confidentiality of the information. 6. Routine Destruction of Defective Confidential Disks and Tapes Disks, tapes or any other storage medium with protected health information contained on it should not be discarded as regular trash. All storage mediums that have private health information contained on them should be segregated from regular trash and destroyed only by methods that ensure the privacy and confidentiality of the information. 7. Repair and/or Access to Computer Equipment Access to protected patient information by any service technician should be minimized either by direct supervision or by securing the information source. If possible, business associate contracts should be in place for each type of service technician. 8. Prevention a. Clear instructions on the right of access to an area should be posted at all junctures between zones. 3/28/03 Weld County Area Agency on Aging 58 of 61 b. All staff should be proactive about monitoring access to restricted zones. c. Access to restricted zones for repair or delivery should be minimized and those entrants should understand Weld County Area Agency on Aging confidentiality requirements. d. Any support contracts that involve on-site, non-staff personnel should include standard Business Associate Contract language on privacy, confidentiality and security. e. Staff identification and/or badges should be implemented, if not already in use. f. Procedure on locking doors and windows should be clearly understood by all staff members. While all staff members should enforce the procedure, it is the responsibility of the Privacy Officer to monitor these physical security actions. In the event of the absence of the Privacy Officer the Supervisor of the Options for Long Term Care will assume responsibility for monitoring these physical security procedures. g. Upon termination of a staff member for any cause, all office keys/badges should be retrieved from the departing staff member. h. Key registers and logs should be maintained by the Privacy Officer. i. Keys that are marked "Do Not Duplicate" should be issued to staff members to avoid their making unauthorized copies of office keys. 9. Work Station Use a. Workstations should be placed, as much as possible, so that the screens are not seen by unauthorized persons. b. Systems should be configured so that monitors time out after 30 minutes of non-use and require a password to re-enter. c. If there is no automatic screen shut down within the system configuration, users should logout of the computer system if the user leaves the terminal unattended. d. If the configuration of the workstations vary across the system, signage should be used to indicate the preferred mode of behavior at each station. 10. Record Handling a. Records should not be left on desks or cabinets unattended. b. Records pulled from cabinets for future treatment session should be left in a secured area until needed by staff members. c. All staff should pro-actively gather up unattended records and return them to a secured area. 3/28/03 Weld County Area Agency on Aging 59 of 61 Policy on Use of Electronic Mail, Internet and Facsimile Machines Weld County Area Agency on Aging Date: April 14, 2003 Authority: Eva Jewell, Director, Weld County Area Agency on Aging Responsibility: Privacy Officer Purpose This plan provides guidance for the appropriate use of electronic mail, Internet and facsimile machines at Weld County Area Agency on Aging. This guidance is intended to ensure the privacy and confidentiality of patient data at Weld County Area Agency on Aging. General Policy Never forward patient-identifiable data to a third party without the patient's express permission. Material that is sexually explicit, obscene, embarrassing, fraudulent, hostile, harassing, or otherwise inappropriate or unlawful shall not be forwarded or sent by electronic communication or displayed on or stored on Weld County Area Agency on Aging's computer resources. Users receiving or viewing this kind of information shall immediately report the incident to the Privacy Officer. Unless expressly authorized by the Privacy Officer, downloading, sending, transmitting, or otherwise disseminating proprietary information, trade secrets or other sensitive privacy act information is strictly prohibited. 1. Electronic Mail Weld County Area Agency on Aging owns the electronic mail service, and considers electronic mail private, direct communication between sender and recipient(s) or recipient(s)' designee(s); however, employees cannot expect absolute confidentiality. The contents will not be monitored, observed, viewed, displayed or reproduced in any form by anyone other than the sender and recipient(s) or recipient(s)" designee(s) unless specifically authorized by the Privacy Official, a law enforcement representative or the Information Security Officer. Electronic mail is considered official correspondence of Weld County Area Agency on Aging, and users must avoid the inclusion of inappropriate or derogatory language in their messages. Electronic mail is maintained in computer systems and on backup media for varying lengths of time and may be recovered subsequent to deletion. The messages may be disclosed in the same manner as paper records. Reasons for recovery of electronic mail messages may include legal discovery, external investigations by law enforcement personnel and internal security investigations. Work-related mail is forwarded to the most appropriate employee in the case of employment termination or when an employee is absent for an extended period of time. A recipient may designate another employee to receive and read work-related mail for business reasons. Personal messages are forwarded to the intended recipient. If _ 3/28/03 Weld County Area Agency on Aging 60 of 61 that is not possible, they are destroyed. Messages are not examined further than is necessary to determine the category into which they fall. In anticipation of the finalization of the security regulation of HIPAA, no protected health information should be sent by public or private electronic networks without adequate safeguards against interception and/or misuse. 2. Internet Standard use of the Internet, via the office network, must be primarily for Weld County Area Agency on Aging business or professional development. Limited personal use is acceptable but discretion is necessary to ensure that individuals do not degrade Weld County Area Agency on Aging public image through their activities or adversely affect the availability of network resources. 3. Facsimile Machines All staff shall take precautions when using facsimile (fax) machines to transmit documents. Facsimile machines shall not be located in areas accessible to the general public, unless the facsimile machine is intended for public use. In this case the publicly available facsimile machine should not be used by staff members to send or receive faxes containing patient information of any kind. Staff shall not use Weld County Area Agency on Aging facsimile machines for transmitting personal documents. Facsimile machine cover pages shall include the following information: a. The sender's name, business address, business phone number, and business facsimile machine number b. The recipient's name, business address, business phone number, and business facsimile machine number c. Transmission time and date (if not stamped by facsimile machine or computer) d. Classification of the document (CONFIDENTIAL documents) Staff shall verify the facsimile machine number of the recipient before transmitting. A recipient of a document containing CONFIDENTIAL information (e.g., for the recipient's eyes only or containing protected health information) must be notified by phone before the document is transmitted. If at all possible, this type of document should not be faxed. All pages, including the cover page of CONFIDENTIAL documents to be faxed, must be marked "Confidential" before they are transmitted. Time, date, sender, recipient and sender or recipient phone number for all materials sent and received by facsimile machine should be documented in a facsimile machine log to be kept with the facsimile machine. It is crucial that no protected health information be explicitly revealed in this log. 3/28/03 Weld County Area Agency on Aging 61 of 61 Hello