HIPAA Policies & Procedures
Administrative Requirements Documentation of Complaints
Policy:
CANM must provide a process for individuals to make complaints concerning CANM’s policies and procedures or its compliance with such policies and procedures. [45 CFR § 164.530(d)]
Procedures:
- CANM must document all complaints received, and their disposition, if any, and retain the documentation for at least six years from the date of its creation or the date when it was last in effect, whichever is later.
References: CANM Compliance Program, CANM Policy #776
POLICY DESCRIPTION: Administrative Requirements Documentation of Complaints
POLICY #: 774
APPROVED: March 19, 2003
REVISION DATE:
EFFECTIVE DATE: April 1, 2003
Administrative Requirements Policies and Procedures
Policy:
CANM must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of the Privacy Rule. The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to protected health information undertaken by CANM, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of the Privacy Rule. [45 CFR § 164.530(i)]
Procedures:
- a. CANM must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of the Privacy Rule.
b. When CANM changes a privacy practice that is stated in its Notice of Privacy Practices, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision, if CANM has included in the Notice a statement reserving its right to make such a change in its privacy practices.
c. CANM may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with # 4. below.
- Whenever there is a change in law that necessitates a change to CANM’s policies or procedures, CANM must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of its Notice of Privacy Practices, CANM must promptly make the appropriate revisions to the Notice.
- a. To implement a change, CANM must:
- Ensure that the policy or procedure, as revised to reflect a change in CANM’s privacy practice as stated in its Notice, complies with the standards, requirements, and implementation specifications of the Privacy Rule;
- Document the policy or procedure, as revised, and retain the documentation for six years from the date of its creation or the date when it was last in effect, whichever is later; and
- Revise the Notice to state the changed practice and make the revised Notice available. CANM may not implement a change to a policy or procedure prior to the effective date of the revised Notice.
- Such change is effective only with respect to protected health information created or received after the effective date of the Notice.
b. If CANM has not reserved its right to change a privacy practice that is stated in its Notice, CANM is bound by the privacy practices as stated in the Notice with respect to protected health information created or received while such Notice is in effect. CANM may change a privacy practice that is stated in the Notice, and the related policies and procedures, without having reserved the right to do so, provided that:
- Such change meets the implementation specifications set forth above; and
- CANM may change, at any time, a policy or procedure that does not materially affect the content of its Notice, provided that:
- The policy or procedure, as revised, complies with the standards, requirements, and implementation specifications of the Privacy Rule; and
- Prior to the effective date of the change, the policy or procedure, as revised, is documented and retained for at least six years from the date of its creation or the date when it was last in effect, whichever is later.
Reference: CANM Policy #100
POLICY DESCRIPTION: Administrative Requirements Policies and Procedures
POLICY #: 778
APPROVED: March 19, 2003
REVISION DATE:
EFFECTIVE DATE: April 1, 2003
Administrative Requirements Privacy Officer and Contact Person
Policy:
CANM has a designated Privacy Officer/contact person who is responsible for the development and implementation of policies and procedures for information privacy, and for receiving complaints and providing information as required under the Notice of Privacy Practices. (Also, CANM has a designated Security Officer who, with reliance on the NMHS Security Officer, is responsible for the development and implementation of policies and procedures for information security.) [45 CFR § 164.530(a)]
Procedures:
- CANM documents the personnel designations and retains such documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.
- The responsibilities of the Privacy Officer/contact person include:
- Developing and implementing policies and procedures for a HIPAA Privacy compliance program, and updating them when needed.
- Developing, coordinating and implementing an employee training program for current and new employees.
- In conjunction with the Security Officer, designing and implementing appropriate administrative, technical and physical safeguards for the protected health information.
- Setting up and administering an office in which patient complaints are addressed and resolved.
- In conjunction with Compliance Committee, developing and implementing a sanction and disciplinary process for employees who violate the policies and procedures of the HIPAA privacy compliance program. CANM will apply appropriate sanctions following the communication and enforcement elements currently in place under our compliance programs for employees who fail to comply with HIPAA requirements.
- Developing and implementing a HIPAA document retention and destruction system.
- Developing and implementing a system for patients' rights.
- Developing and implementing a system for uses and disclosures of protected health information.
References: CANM HIPAA Policies & Procedures
POLICY DESCRIPTION: Administrative Requirements Privacy Officer and Contact Person
POLICY #: 771
APPROVED: March 19, 2003
REVISION DATE: May 16, 2012; July 11, 2023
EFFECTIVE DATE: April 1, 2003
Administrative Requirements Refraining from Retaliatory Acts
Policy:
CANM may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against: (1) any individual for the exercise by the individual of any right under, or for participation by the individual in any process established by the Privacy Rule, including the filing of a complaint; (2) any individual or other person for: (a) filing of a complaint with the Secretary of the Department of Health and Human Services; (b) testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing; or (c) opposing any act or practice made unlawful by the Privacy Rule, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of the Privacy Rule. [45 CFR § 164.530(g)]
Procedure:
- All suspected violations or questionable practices should be reported to the Privacy Officer/Compliance Committee.
- No retaliatory action will be taken against any person filing a complaint in good faith.
References: CANM Compliance Program, CANM Policy #774
POLICY DESCRIPTION: Administrative Requirements Refraining from Retaliatory Acts
POLICY #: 776
APPROVED: March 19, 2003
REVISION DATE: July 11, 2023
EFFECTIVE DATE: April 1, 2003
Administrative Requirements Retention
Policy:
CANM must: (1) maintain its policies and procedures in written or electronic form; (2) if a communication is required to be in writing, maintain such writing, or an electronic copy, as documentation; and (3) if an action, activity, or designation is required to be documented, maintain a written or electronic record of such action, activity, or designation. [45 CFR § 164.530(j)]
Procedures:
- CANM must retain the documentation for at least six years from the date of its creation or the date when it last was in effect, whichever is later.
References: CANM Compliance Program
POLICY DESCRIPTION: Administrative Requirements Retention
POLICY #: 779
APPROVED: March 19, 2003
REVISION DATE:
EFFECTIVE DATE: April 1, 2003
Administrative Requirements Safeguards
Policy:
CANM must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. [45 CFR § 164.530(c)]
Procedures:
- CANM must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of the Privacy Rule.
- CANM must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
References: CANM Policy #150, CANM Policy #300, CANM Policy #550, CANM Policy #552
POLICY DESCRIPTION: Administrative Requirements Safeguards
POLICY #: 773
APPROVED: March 19, 2003
REVISION DATE: November 10, 2020; July 11, 2023
EFFECTIVE DATE: April 1, 2003
Administrative Requirements Sanctions and Mitigation
Policy:
CANM must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of CANM or the requirements of the Privacy Rule. CANM must mitigate, to the extent practicable, any harmful effect that is known to it of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of the Privacy Rule by CANM or its business associate. [45 CFR § 164.530(e) & (f)]
Procedures:
- This standard does not apply to a member of CANM’s workforce with respect to actions that are covered by and that meet the conditions for disclosures by whistleblowers and workforce member crime victims or for refraining from intimidating or retaliatory acts.
- CANM must document the sanctions that are applied, if any, and retain the documentation for at least six years from the date of its creation or the date when it was last in effect, whichever is later.
References: CANM Compliance Program
POLICY DESCRIPTION: Administrative Requirements Sanctions and Mitigation
POLICY #: 775
APPROVED: March 19, 2003
REVISION DATE:
EFFECTIVE DATE: April 1, 2003
Administrative Requirements Training
Policy:
CANM must train all members of its workforce on the policies and procedures with respect to protected health information, as necessary and appropriate for the members of the workforce to carry out their function within CANM. [45 CFR § 164.530(b)]
Procedures:
- CANM must provide privacy training as follows:
- To each new member of the workforce within a reasonable period of time after the person joins CANM’s workforce; and
- To each member of CANM’s workforce whose functions are affected by a material change in the required policies or procedures, within a reasonable period of time after the material change becomes effective.
- All employees who will be granted access to the NMHS network database will receive mandatory privacy training by hospital legal counsel.
- CANM must document that the training has been provided and retain the documentation for at least six years from the date of its creation or the date when it was last in effect, whichever is later.
Reference: CANM Compliance Program, CANM Policy #160
POLICY DESCRIPTION: Administrative Requirements Training
POLICY #: 772
APPROVED: March 19, 2003
REVISION DATE: July 8, 2008; July 15, 2016
EFFECTIVE DATE: April 1, 2003
Administrative Requirements Waiver of Rights
Purpose:
45 CFR § 164.530(h) provides that a covered entity may not require individuals to waive their rights under § 160.306 or the HIPAA Privacy Rule as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
Policy:
CANM may not require individuals to waive their rights under § 160.306 of HIPAA as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits. [45 CFR § 164.530(h)]
Procedure:
An individual will not be required to waive any of his/her HIPAA rights as a precondition of treatment or payment.
POLICY DESCRIPTION: Administrative Requirements Waiver of Rights
POLICY #: 777
APPROVED: March 19, 2003
REVISION DATE:
EFFECTIVE DATE: April 1, 2003
Uses and Disclosures of Protected Health Information Authorization & Opportunity to Agree or Object Not Required
Policy:
Personnel may use and disclose protected health information for purposes other than treatment, payment or health care operations without the authorization of the applicable individual for the following public purposes: (1) as required by law; (2) for public health activities; (3) when disclosing information about victims of abuse, neglect or domestic violence; (4) for health oversight activities; (5) for judicial or administrative proceedings; (6) to a law enforcement agency or official on request; (7) for research; (8) to avert a serious threat to health or safety; (9) for specialized government functions; or (10) for workers' compensation. (45 CFR § 164.512)
Procedures:
- As Required by Law.
a. CANM may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
b. CANM must meet the requirements described in # 3., # 5. and # 6. for uses or disclosures required by law.
- Public Health Activities.
a. CANM may disclose protected health information for the public health activities and purposes below to:
- A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
- A public health authority or other appropriate government authority authorized by law to receive reports of patient abuse or neglect;
- A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include:
- To collect or report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;
- To track FDA-regulated products;
- To enable product recalls, repairs, or replacement, or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or
- To conduct post marketing surveillance;
- A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if CANM or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or
- An employer, about an individual who is a member of the workforce of the employer, if:
- CANM is a covered health care provider who is a member of the workforce of such employer or who provides health care to the individual at the request of the employer:
- To conduct an evaluation relating to medical surveillance of the workplace; or
- To evaluate whether the individual has a work-related illness or injury;
- The protected health information that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;
- The employer needs such findings in order to comply with its obligations, under the HIPAA Privacy Rule, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; and
- The covered health care provider provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:
- By giving a copy of the notice to the individual at the time the health care is provided; or
- If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided
- Victims of Abuse, Neglect and Domestic Violence.
a. Except for reports of patient abuse or neglect as discussed below, CANM may disclose protected health information about an individual whom CANM reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence:
- To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law;
- If the individual agrees to the disclosure; or
- To the extent the disclosure is expressly authorized by statute or regulation and:
- CANM, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
- If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.
b. CANM, when making such a disclosure, must promptly inform the individual that such a report has been or will be made, except if:
- CANM, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or
- CANM would be informing a personal representative, and CANM reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by CANM, in the exercise of professional judgment.
- Health Oversight Activities.
a. CANM may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
- The health care system;
- Government benefit programs for which health information is relevant to beneficiary eligibility;
- Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
- Entities subject to civil rights laws for which health information is necessary for determining compliance.
b. A health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to:
- The receipt of health care;
- A claim for public benefits related to health; or
- Qualification for, or receipt of, public benefits or services when a patient’s health is integral to the claim for public benefits or services.
c. However, if a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity.
- Judicial or Administrative Proceedings.
a. CANM may disclose protected health information in the course of any judicial or administrative proceeding:
- In response to an order of a court or administrative tribunal, provided that CANM discloses only the protected health information expressly authorized by such order; or
- In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:
- CANM receives satisfactory assurance from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or
- CANM receives satisfactory assurance from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order.
- CANM receives satisfactory assurances from a party seeking protected health information if CANM receives from such party a written statement and accompanying documentation demonstrating that:
- The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual’s location is unknown, to mail a notice to the individual’s last known address);
- The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and
- The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:
- No objections were filed; or
- All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.
- CANM receives satisfactory assurances from a party seeking protected health information, if CANM receives from such party a written statement and accompanying documentation demonstrating that:
- The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or
- The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.
- A qualified protective order means an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:
- Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and
- Requires the return to CANM or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.
- CANM may disclose protected health information in response to lawful process without receiving satisfactory assurance, if CANM makes reasonable efforts to provide notice to the individual or to seek a qualified protective order.
b. The above stated provisions do not supersede other provisions contained in this Policy that otherwise permit or restrict uses or disclosures of protected health information.
- Law Enforcement.
a. CANM may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions set forth below are met, as applicable. CANM may disclose protected health information:
- As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws in which a public health authority or similar agency receives reports of patient abuse or neglect or for disclosures about victims of abuse, neglect or domestic violence; or
- In compliance with and as limited by the relevant requirements of:
- A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;
- A grand jury subpoena; or
- An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
- The information sought is relevant and material to a legitimate law enforcement inquiry;
- The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
- De-identified information could not reasonably be used.
b. Except for disclosures required by law as permitted pursuant to process as described above, CANM may disclose protected health information in response to a law enforcement official’s request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that:
- CANM may disclose only the following information:
- Name and address;
- Date and place of birth;
- Social security number;
- ABO blood type and Rh factor;
- Type of injury;
- Date and time of treatment;
- Date and time of death, if applicable; and
- A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
- Except for disclosures required by law as permitted above, CANM may disclose protected health information in response to a law enforcement official’s request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are set forth in # 2. and # 3., if:
- The individual agrees to the disclosure; or
- CANM is unable to obtain the individual’s agreement because of incapacity or other emergency circumstance, provided that:
- The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;
- The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and
- The disclosure is in the best interests of the individual as determined by CANM, in the exercise of professional judgment
c. CANM may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if CANM has a suspicion that such death may have resulted from criminal conduct.
d. CANM may disclose to a law enforcement official protected health information that CANM believes in good faith constitutes evidence of criminal conduct that occurred on the premises of CANM.
e. CANM providing emergency health care in response to a medical emergency, other than such emergency on the premises of CANM, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to:
- The commission and nature of a crime;
- The location of such crime or of the victim(s) of such crime; and
- The identity, description, and location of the perpetrator of such crime
However, if CANM believes that the medical emergency is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, any disclosure to a law enforcement official for law enforcement purposes is subject to # 3. above.
- Research.
a. CANM may use or disclose protected health information for research, regardless of the source of funding of the research, provided that:
- CANM obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required for use or disclosure of protected health information has been approved by either:
- An Institutional Review Board (IRB);
- A privacy board that:
- Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests;
- Includes at least one member who is not affiliated with CANM, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and
- Does not have any member participating in a review of any project in which the member has a conflict of interest.
- CANM obtains from the researcher representations that:
- Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;
- No protected health information is to be removed from CANM by the researcher in the course of the review; and
- The protected health information for which use or access is sought is necessary for the research purposes.
- A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved;
- A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:
- The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
- An adequate plan to protect the identifiers from improper use and disclosure
- An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
- Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of the protected health information
- A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or privacy board, which has determined that the research could not practicably be conducted without access to and use of the protected health information;
- A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows:
- An IRB must follow the requirements of the Common Rule, including the normal review procedures;
- A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in a. above, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure;
- A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and
- The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB or the privacy board, as applicable.
- CANM obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required for use or disclosure of protected health information has been approved by either:
- To Avert a Serious Threat to Health or Safety.
a. CANM may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if CANM, in good faith, believes the use or disclosure:
- Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
- Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or
- Is necessary for law enforcement authorities to identify or apprehend an individual:
- Because of a statement by an individual admitting participation in a violent crime that CANM reasonably believes may have caused serious physical harm to the victim; or
- Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.
b. A use or disclosure that is necessary for law enforcement authorities to identify or apprehend an individual (because of a statement by an individual admitting participation in a violent crime that CANM reasonably believes may have caused serious physical harm to the victim) may not be made if such information is learned by CANM:
- In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure, or counseling or therapy; or
- Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy to affect the propensity to commit the criminal conduct that is the basis for the disclosure.
c. A disclosure that is necessary for law enforcement authorities to identify or apprehend an individual (because of a statement by an individual admitting participation in a violent crime that CANM reasonably believes may have caused serious physical harm to the victim) shall contain only the statement described in such disclosure and the protected health information described in # 6.b. above.
d. If CANM uses or discloses protected health information to avert a serious threat to health or safety, it is presumed to have acted in good faith with regard to a belief in preventing or lessening such threat or use or disclosure it believes is necessary for law enforcement to apprehend the individual, if the belief is based upon CANM’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.
Coroners, Medical Examiners and Funeral Directors: CANM may disclose medical information to a coroner, medical examiner, or funeral director so that they can carry out their duties.
- Specialized Government Functions.
a. CANM may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information:
- Appropriate military command authorities; and
- The purposes for which the protected health information may be used or disclosed.
b. CANM may use and disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register pursuant to a. above.
c. CANM may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333).
d. CANM may disclose protected health information to authorized federal officials for the provision of protective services to the President or other persons, or to foreign heads of state or other persons, or for the conduct of investigations of threats to the President, former Presidents and others.
e. CANM may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for:
- The provision of health care to such individuals;
- The health and safety of such individual or other inmates;
- The health and safety of the officers or employees of or others at the correctional institution;
- The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another;
- Law enforcement on the premises of the correctional institution; and
- The administration and maintenance of the safety, security, and good order of the correctional institution.
- Workers Compensation. CANM may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
References: Disclosure Form 1, Disclosure Form 2, Disclosure Form 3, Miscellaneous Form 2, CANM Policy #306, CANM Policy #308, CANM Policy #350
POLICY DESCRIPTION: Uses and Disclosures of Protected Health Information Authorization & Opportunity to Agree or Object Not Required
POLICY #: 758
APPROVED: March 19, 2003
REVISION DATE: December 6, 2005
September 4, 2013
EFFECTIVE DATE: April 1, 2003
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
Policy:
Cardiology Associates of North Mississippi (“CANM”) intends to make all efforts to comply with the requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Procedures:
I. THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (“HIPAA”)
In 1996, Congress passed HIPAA, then known as the “Kennedy/Kassebaum bill,” which was named after its bipartisan senatorial sponsorship. The principal thrust of the legislation was to prevent health care fraud and to provide continuity of health insurance for workers who change jobs. However, before enactment, it was amended to include an “Administrative Simplification” provision addressing electronic health care transactions.
Picking up on an industry initiative to end the hundreds of different formats and coding requirements of different health care payers, the legislation mandates the adoption by everyone in the industry of common electronic formats and coding when performing electronically the most common health care transactions. The objective is to encourage health care participants to realize the efficiencies of converting from cumbersome, time-consuming and labor-intensive paper-based processes to uniform, streamlined electronic transactions.
Placing patient information where it can be accessed electronically, however, also heightens the risk of unauthorized intrusion into files containing personal information that many people consider private. Thus, the push to electronic health care transactions has been accompanied by mandates that providers and payers adopt security protections and privacy procedures to protect the confidentiality of that information.
The HIPAA Privacy Policies and Procedures and Forms address the privacy portion of HIPAA. The HIPAA Security Rule, which is separate from the Privacy Rule, requires the adoption of additional security practices and procedures to protect health care information as it is stored and transmitted electronically. HIPAA Security Policies and Procedures address the security portion of HIPAA.
II. PRIVACY PROTECTION AS A CLINIC COMMITMENT
Proper health care depends on absolute candor between the patient and his or her health care provider. That candor will come only if the patient has confidence that the information that is imparted will remain confidential. In a paper-based records system, patient information can be controlled by placing protections around physical access to those records. However, in an electronic system, the potential for unauthorized access to patient information is substantially increased. Thus, while realizing the efficiencies inherent in an electronic system, health care providers also must commit to privacy and security principles in order to maintain the integrity of health care delivery. This will require a day-to-day sensitivity by those working with patient information to the fact that each patient is unique and each patient has a concern about the privacy of his or her own health information. HIPAA’s objective is to instill such sensitivity at all levels of health care by requiring that providers adopt practices and procedures designed to protect the privacy of patient information.
III. HIPAA APPLIES IF THE CLINIC ENGAGES IN AN ELECTRONIC TRANSACTION
Although the provisions of HIPAA apply without condition to health care plans and clearinghouses, they apply to a health care provider, such as a clinic, only if the provider engages directly or indirectly through a clearinghouse, in one of the electronic transactions that are the subjects of the HIPAA Transactions Format and Code Sets Rule. Those transactions are:
- Health Care Claims or Equivalent Encounter Information
- Eligibility for a Health Plan
- Referral Certification and Authorization
- Health Claim Status
- Enrollment and Disenrollment in Health Plan
- Health Care Payment and Remittance Advice
- Health Plan Premium Payments
- Coordination of Benefits
CANM carries out transactions electronically and therefore is subject to the requirements of the HIPAA Privacy Rule and the Security Rule.
IV. PROTECTED HEALTH INFORMATION (“PHI”)
The HIPAA Privacy Rule is designed to maintain the confidentiality of “protected health information,” frequently referred to as “PHI”.
Protected health information is information that is created or received by the clinic relating to the past, present or future physical or mental health or condition of an individual, or to the provision of health care to the individual, or to the past, present or future payment for the provision of health care to an individual.
Electronic protected health information (“ePHI”) pertains to the security of health information stored in an electronic format.
Protected health information does not include certain educational records and employment records held by a provider in its role as an employer.
In determining whether or not to characterize medical information as PHI or as part of employment records, the clinic must remain cognizant of its dual roles as an employer and as a health care provider. Health information created, received, or maintained by a provider in its health care capacity is protected health information. It does not matter if the individual is a member of the provider’s workforce or not. In addition, medical information needed for an employer to carry out its obligations under the Family and Medical Leave Act (“FMLA”), the Americans with Disabilities Act (“ADA”), and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by the clinic in its role as an employer.
V. “USE” OR “DISCLOSURE” HIPAA COVERAGE
The HIPAA Privacy Rule applies to the “use” or “disclosure” of PHI. “Use” refers to how the protected health information is handled within the entity that maintains it. “Disclosure” refers to any release of such information outside of the entity that maintains it. The Rule applies to uses or disclosures regardless of the form in which the information occurs, be it paper, electronic or merely oral.
VI. PROOF OF COMPLIANCE IS IN DOCUMENTATION; RETENTION PERIOD FOR DOCUMENTS
In some cases, the HIPAA Privacy Rule requires that a document be prepared and properly filled out. In other cases, the Rule is silent as to the form certain actions must take. The Rule requires that the covered entity maintain a copy of the form in some instances and is silent about documentation in others. However, the clinic should operate under the premise that, unless compliance can be demonstrated, it will be deemed not to have happened. The clinic should not get into a “he said–she said” controversy with an individual. If the Rule requires that a certain action be taken, the best evidence of compliance is a document that demonstrates the fact that it did take place. Our HIPAA Privacy Policies and Procedures and forms will place the clinic in a position to demonstrate its compliance with each of the requirements of the Privacy Rule.
As for those actions that the Rule requires to be documented and retained by the provider, the Rule requires that they be held for a period of at least six (6) years from the date of the document’s creation or the date it was last in effect, whichever is later. That is a good rule-of-thumb for all HIPAA documentation. However, other statutes and regulations may call for retention periods longer than six (6) years.
VII. PROVIDING COPIES OF DOCUMENTS TO THE INDIVIDUAL
If the HIPAA Privacy Rule requires that a copy of a document be provided to the individual, there will be a caption at the bottom saying “PROVIDE A COPY TO THE INDIVIDUAL.” It is a good policy to provide the individual upon request with a copy of any form the individual is asked to sign.
VIII. APPOINTING A PRIVACY OFFICER, SECURITY OFFICER, AND A CONSUMER CONTACT PERSON
The HIPAA Privacy Rule requires that the clinic appoint a “Privacy Officer” who is responsible for developing and implementing the clinic’s privacy policies and procedures. In addition, the clinic has designated a Privacy Officer and Compliance Committee that is responsible for receiving complaints or inquiries relating to privacy issues. The Privacy Officer is familiar with medical records issues and with the details of the Privacy Rule. Also, a Security Officer has been appointed to handle any security related issues.
IX. TRAINING REQUIREMENTS
The clinic will train members of its workforce on the appropriate HIPAA Privacy policies and procedures so that they may carry out their jobs in compliance with HIPAA. New employees must be trained within a reasonable period of time after commencement of employment. All training should be documented.
X. DUTY TO IMPLEMENT SECURITY SAFEGUARDS
In addition to obtaining the various permissions and observing the HIPAA patient rights covered in our HIPAA Privacy Policies and Procedures, the clinic has an overall obligation to put in place appropriate administrative, technical and physical safeguards to protect the privacy of protected health information that it maintains. It is not expected that the clinic’s safeguards will guarantee the privacy of PHI against all potential risks. Rather, reasonable safeguards vary from entity to entity depending upon the size of the entity, the nature of its business and other variable factors.
In implementing reasonable safeguards, the clinic will analyze its own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients’ privacy. The clinic will also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards. As an example, the Privacy Rule expressly does not require doctors’ offices to be retrofitted, nor does it require clinics to provide soundproof rooms. Clinics are also not required to encrypt wireless or other emergency medical radio communications which can be intercepted by scanners or to encrypt telephone systems.
CANM makes efforts to reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. While the provisions of the HIPAA Security Rule address these requirements in detail with regard to the security of electronic systems and transmissions, the Privacy Rule requires such protections for paper and oral communications as well.
XI. ADDRESSING COMPLAINTS, SANCTIONS AND MITIGATION
There is a process in place for individuals to make complaints concerning the clinic’s policies and procedures. Of course, these complaints and their disposition should be documented. HIPAA privacy and/or security concerns are addressed following the same processes as outlined in the compliance plan. Appropriate guidelines are in place to address failure to comply with the Privacy Rule and the Security Rule. Moreover, the clinic mitigates, to the extent it can, improper uses or disclosures of protected health information.
XII. REFRAINING FROM INTIMIDATING OR RETALIATORY ACTS AND WAIVER OF RIGHTS
An individual must be able to exercise his or her rights under the Privacy Rule and the Security Rule, including filing a complaint, without fear of retaliation by the clinic. In addition, the clinic does not require an individual to waive any of his or her HIPAA rights as a precondition of treatment or payment.
XIII. IMPLEMENTING POLICIES AND PROCEDURES
CANM implements reasonable and appropriate policies and procedures in order to comply with the Privacy Rule and the Security Rule. These policies and procedures are updated to reflect changes in the law and a Notice of Privacy Practices will be changed accordingly.
XIV. EFFECTIVE DATE AND CHANGES IN THE RULE
The date on which the Privacy Rule became effective was April 14, 2001. The date by which compliance by clinics was required was April 14, 2003.
The HIPAA Privacy Rule also is subject to amendment following appropriate notice and an opportunity for public comment. Thus, it is the responsibility of the clinic to stay abreast of regulatory developments under HIPAA.
The date by which compliance with the Security Rule was required was April 20, 2005.
In 2013, the Department of Health and Human Services (HHS) released the “Omnibus Rule,” which amends a wide range of privacy and security requirements under HIPAA and the HITECH Act, with a compliance date of September 23, 2013.
XV. PENALTIES FOR PRIVACY RULE VIOLATIONS
The Health Insurance Portability and Accountability Act of 1996 creates monetary civil penalties for violations of the Act and the rules promulgated under the Act. In addition, it creates criminal penalties for those who knowingly violate its provisions.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA privacy and security rules. If a complaint describes an action that could be a violation of the criminal provision of HIPAA, OCR may refer the complaint to the Department of Justice (DOJ) for investigation.
Also, under the Health Information Technology for Economic and Clinical Health (HITECH) Act, each state’s attorney general is authorized to bring civil actions against persons who violate HIPAA in some circumstances.
POLICY DESCRIPTION: Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
POLICY #: 750
APPROVED: March 19, 2003
REVISION DATE: March 2, 2005
July 8, 2008
July 8, 2009
May 16, 2012
September 4, 2013
July 13, 2021
EFFECTIVE DATE: April 1, 2003
Patient Rights Access of Individuals to PHI
An individual has the right to access his/her own protected health information contained in CANM’s records, except for psychotherapy notes, information compiled in reasonable anticipation of, or for use in a judicial or administrative procedure, or because of the Clinical Laboratory Improvements Amendment, pursuant to 42 CFR 493.3(a)(2) (addresses testing in laboratory settings). [45 CFR § 164.524]
Procedures:
- 1. CANM may deny an individual access without providing the individual an opportunity for review, in the following circumstances.
- The protected health information is excepted from the right of access as set forth in the policy statement above;
- CANM, acting under the direction of the correctional institution may deny, in whole or in part, an inmate’s request to obtain a copy of protected health information, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.
- An individual’s access to protected health information created or obtained by CANM in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and CANM has informed the individual that the right of access will be reinstated upon completion of the research.
- An individual’s access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. § 552a (information held by a federal [executive branch] agency), may be denied, if the denial of access under the Privacy Act would meet the requirements of that law.
- An individual’s access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
- CANM may deny an individual access, provided that the individual is given a right to have such denials reviewed, in the following circumstances:
- A CANM physician has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
- The protected health information makes reference to another person (unless such other person is a health care provider) and a CANM physician has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or
- The request for access is made by the individual’s personal representative and a CANM physician has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
- If access is denied on a ground permitted above, the individual has the right to have the denial reviewed by the physician who is serving as CANM President (or the CANM Secretary in absence of CANM President) as the licensed health care professional who is designated by CANM to act as a reviewing official and who did not participate in the original decision to deny. CANM must provide or deny access in accordance with the determination of the reviewing official.
- CANM must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set including an electronic copy. CANM may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.
- Except as provided below, CANM must act on a request for access no later than 30 days after receipt of the request as follows:
- If CANM grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested.
- If CANM denies the request, in whole or in part, it must provide the individual with a written denial.
- If the request for access is for protected health information that is not maintained or accessible to CANM on-site, CANM must take the required action no later than 60 days from the receipt of such a request.
- If CANM is unable to take an action within the required time, as applicable, CANM may extend the time for such actions by no more than 30 days, provided that:
- CANM, within the time limit set above, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which CANM will complete its action on the request; and
- CANM may have only one such extension of time for action on a request for access.
- If CANM provides an individual with access, in whole or in part, to protected health information, CANM must comply with the following requirements.
- CANM must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the protected health information about them in designated record sets. If the same protected health information that is the subject of a request for access is maintained in more than one designated record set or at more than one location, CANM need only produce the protected health information once in response to a request for access.
- CANM must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by CANM and the individual.
- CANM may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if:
- The individual agrees in advance to such a summary or explanation; and
- The individual agrees in advance to the fees imposed, if any, by CANM for such summary or explanation.
- CANM must provide the access as requested by the individual in a timely manner as required above, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at the individual’s request. CANM may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.
- If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, CANM may impose a reasonable, cost-based fee. CANM may calculate the allowable fees for providing individuals with copies of their PHI:
(1) by calculating actual allowable costs (as listed below), or
- Copying, including the cost of supplies for and labor of copying, the protected health information requested by the individual;
- Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
- Preparing an explanation or summary of the protected health information, if agreed to by the individual as required above.
(2) by using a schedule of costs based on average allowable labor costs; or
(3) alternatively, in the case of requests for a copy of PHI maintained electronically, charge a flat fee not to exceed $6.50 (inclusive of all labor, supplies and postage).
CANM has chosen to charge the flat fee of $6.00 for patient requests.
10. If CANM denies access, in whole or in part, to protected health information, CANM must comply with the following requirements:
- CANM must, to the extent possible, give the individual access to any other protected health information requested, after excluding the protected health information as to which CANM has a ground to deny access.
- CANM must provide a timely, written denial to the individual. The denial must be in plain language and contain:
- The basis for the denial;
- If applicable, a statement of the individual’s review rights, including a description of how the individual may exercise such review rights; and
- A description of how the individual may complain to CANM or to the Secretary of the Department of Health and Human Services. The description must include the name, or title, and telephone number of the contact person or office.
11. If CANM does not maintain the protected health information that is the subject of the individual’s request for access, and CANM knows where the requested information is maintained, CANM must inform the individual where to direct the request for access.
12. CANM must document the following and retain the documentation:
- The designated record sets that are subject to access by individuals include the medical record and billing record; and
- Health Information Services is responsible for receiving and processing requests for access by individuals.
References: Access Form 1, Access Form 2, Access Form 3, Access Form 4, CANM Policy #766
POLICY DESCRIPTION: Patient Rights Access of Individuals to PHI
POLICY #: 765
APPROVED: March 19, 2003
REVISION DATE: September 4, 2013
July 15, 2016
EFFECTIVE DATE: April 1, 2003
Patient Rights Accepting the Amendment
Policy:
If CANM accepts the requested amendment, it will make the necessary changes in the record set that is affected, appending or otherwise providing a link to the location of the amendment. [45 CFR § 164.526(c)]
Procedures:
- If the request for amendment is granted by the physician, CANM must make the appropriate amendment to the protected health information or record that is the subject of the request for amendment by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
- CANM must timely inform the individual that the amendment is accepted and obtain the individual’s identification of and agreement to have CANM notify the relevant persons with which the amendment needs to be shared in accordance with # 3. below.
- CANM must make reasonable efforts to inform and provide the amendment within a reasonable time to:
- Persons identified by the individual as having received protected health information about the individual and needing the amendment; and
- Persons, including business associates, that CANM knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.
References: Amendment Form 5, CANM Policy #767
POLICY DESCRIPTION: Patient Rights Accepting the Amendment
POLICY #: 768
APPROVED: March 19, 2003
REVISION DATE:
EFFECTIVE DATE: April 1, 2003
Patient Rights Accounting for Disclosures
Policy:
An individual has a right to receive an accounting of disclosures (45 CFR § 164.528) of protected health information made by CANM in the six years prior to the date on which the accounting is requested, except for disclosures: (1) to carry out treatment, payment and health care operations (§ 164.506); (2) made to the individual (§ 164.506); (3) incident to an already permitted use or disclosure (§ 164.502); (4) for which authorizations have been obtained (§ 164.508); (5) to persons involved in the individual’s care, including clergy (§ 164.510); (6) for national security or intelligence purposes [§ 164.512(k)(2)]; (7) to correctional institutions or law enforcement custodial officials [§ 164.512(k)(5)]; (8) as part of a “limited data set” for the purposes of research, public health or health care operations [§ 164.514(e)]; or (9) that occurred prior to the compliance date of CANM (April 14, 2003).
Procedures:
- CANM must temporarily suspend an individual’s right to receive an accounting of disclosures to a health oversight agency or law enforcement official, for the time specified by such agency or official, if such agency or official provides CANM with a written statement that such an accounting to the individual would be reasonably likely to impede the agency’s activities and specifying the time for which such a suspension is required. If the agency or official statement is made orally, CANM must:
- Document the statement, including the identity of the agency or official making the statement;
- Temporarily suspend the individual’s right to an accounting of disclosures subject to the statement; and
- Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement is submitted during that time.
- An individual may request an accounting of disclosures for a period of time less than six years from the date of the request.
- CANM must provide the individual with a written accounting that meets the following requirements:
- Except as otherwise provided above, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual) prior to the date of the request for an accounting, including disclosures to or by business associates of CANM.
- Except as otherwise provided below, the accounting must include for each disclosure:
- The date of the disclosure;
- The name of the entity or person who received the protected health information and, if known, the address of such entity or person;
- A brief description of the protected health information disclosed; and
- A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure to the Secretary of the Department of Health and Human Services or for uses and disclosures for which neither an authorization nor an opportunity to agree or object is required, if any.
- If, during the period covered by the accounting, CANM has made multiple disclosures of protected health information to the same person or entity for a single purpose to the Secretary of the Department of Health and Human Services or for uses and disclosures for which neither an authorization nor an opportunity to agree or object is required, the accounting may, with respect to such multiple disclosures, provide:
- The information required by the second bullet of # 3. above for the first disclosure during the accounting period;
- The frequency, periodicity, or number of the disclosures made during the accounting period; and
- The date of the last such disclosure during the accounting period.
- If, during the period covered by the accounting, CANM has made disclosures of protected health information for a particular research purpose for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide:
- The name of the protocol or other research activity;
- A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;
- A brief description of the type of protected health information that was disclosed;
- The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;
- The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and
- A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity.
- If CANM provides an accounting for research disclosures, in accordance with # 5. above, and if it is reasonably likely that the protected health information of the individual was disclosed for such research protocol or activity, CANM shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.
- CANM must act on the individual’s request for an accounting, no later than 60 days after receipt of such a request, as follows.
- CANM must provide the individual with the accounting requested; or
- If CANM is unable to provide the accounting within the time required, CANM may extend the time to provide the accounting by no more than 30 days, provided that:
- CANM, within the time limit set above, provides the individual with a written statement of the reasons for the delay and the date by which CANM will provide the accounting; and
- CANM may have only one such extension of time for action on a request for an accounting.
- CANM must provide the first accounting to an individual in any 12 month period without charge. CANM may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that CANM informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.
- CANM must document the following and retain the documentation:
- The information required to be included in an accounting for disclosures of protected health information that are subject to an accounting;
- The written accounting that is provided to the individual; and
- The Privacy Officer and Health Information Services will be responsible for receiving and processing requests for an accounting by individuals.
References: Accounting Form 1A, Accounting Form 1B, Accounting Form 2, Accounting Form 3, CANM Policy #350
POLICY DESCRIPTION: Patient Rights Accounting for Disclosures
POLICY #: 770
APPROVED: March 19, 2003
REVISION DATE: May 16, 2012
EFFECTIVE DATE: April 1, 2003
Patient Rights Amendment of Protected Health Information
Policy:
CANM must provide the patient with the right to request amendment of his or her protected health information maintained by CANM for as long as the protected health information is maintained in the designated record set. [45 CFR § 164.526(a)]
Procedures:
- CANM may deny an individual’s request for amendment, if it determines that the protected health information or record that is the subject of the request:
- Was not created by CANM, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment;
- Is not part of the designated record set;
- Would not be available for inspection (access); or
- Is accurate and complete.
- CANM must permit an individual to request that it amend the protected health information maintained in the designated record set. CANM may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements.
- CANM must act on the individual’s request for an amendment no later than 60 days after receipt of such a request, as follows:
- If CANM grants the requested amendment, in whole or in part, it must:
- make the appropriate amendment to the protected health information or record that is the subject of the request for amendment by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment; and
- timely inform the individual that the amendment is accepted and obtain the individual’s identification of and agreement to have CANM notify the relevant persons with which the amendment needs to be shared.
- If CANM denies the requested amendment, in whole or in part, it must provide the individual with a written denial.
- If CANM is unable to act on the amendment within the time required above, CANM may extend the time for such action by no more than 30 days, provided that:
- CANM, within the time limit set above, provides the individual with a written statement of the reasons for the delay and the date by which CANM will complete its action on the request; and
- CANM may have only one such extension of time for action on a request for an amendment.
- If CANM is informed by another provider of an amendment to an individual’s protected health information, it must amend the protected health information in designated record sets.
- The Privacy Officer will be responsible for receiving and processing requests for amendments by individuals; documentation will be retained.
References: Amendment Form 1, Amendment Form 2, Amendment Form 3, Amendment Form 4, Amendment Form 5, CANM Policy #768, CANM Policy #769
POLICY DESCRIPTION: Patient Rights Amendment of Protected Health Information
POLICY #: 767
APPROVED: March 19, 2003
REVISION DATE:
EFFECTIVE DATE: April 1, 2003
Patient Rights Denying the Amendment
Policy:
CANM shall notify the patient if it determines to deny the requested amendment. [45 CFR § 164.526(a)(2)]
Procedures:
- If the request for amendment is denied by the physician, the patient will be notified. The denial must use plain language and contain:
- The basis for the denial;
- The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement;
- A statement that, if the individual does not submit a statement of disagreement, the individual may request that CANM provide the individual’s request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment; and
- A description of how the individual may complain to CANM or to the Secretary of the Department of Health and Human Services. The description must include the title and telephone number of the contact person or designated office.
- CANM must permit the individual to submit to it a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. CANM may reasonably limit the length of a statement of disagreement.
- CANM may prepare a written rebuttal to the individual’s statement of disagreement. Whenever such a rebuttal is prepared, CANM must provide a copy to the individual who submitted the statement of disagreement.
- CANM must, as appropriate, identify the record or protected health information in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual’s request for an amendment, CANM’s denial of the request, the individual’s statement of disagreement, if any, and CANM’s rebuttal, if any, to the designated record set.
- If a statement of disagreement has been submitted by the individual, CANM must include the material appended in accordance with the immediately preceding bullet, or, at the election of CANM, an accurate summary of any such information, with any subsequent disclosure of the protected health information to which the disagreement relates.
- If the individual has not submitted a written statement of disagreement, CANM must include the individual’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the protected health information only if the individual has requested such action in accordance with the third bullet of # 1. above.
- When a subsequent disclosure described in # 5. and # 6. is made using a standard transaction that does not permit the additional material to be included with the disclosure, CANM may separately transmit the required material, as applicable, to the recipient of the standard transaction.
References: Amendment Form 2, CANM Policy #767
POLICY DESCRIPTION: Patient Rights Denying the Amendment
POLICY #: 769
APPROVED: March 19, 2003
REVISION DATE:
EFFECTIVE DATE: April 1, 2003
Patient Rights Designated Record Set
Policy:
CANM, when providing access to protected health information or providing the right to have CANM amend protected health information or a record, shall only provide the individual access to protected health information about the individual “in a designated record set” maintained by CANM or shall only provide the individual with the right to have CANM amend protected health information or a record about the individual “in a designated record set” maintained by CANM. A designated record set is defined as a group of records maintained by or for CANM that: (1) constitutes the medical records and/or billing records about the individual, or (2) are used, in whole or part, by CANM “to make decisions about individuals.” (The term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for CANM.) [45 CFR § 164.524(a)]
Procedures:
- Personnel shall identify such designated record sets of CANM. Designated record sets include medical records and billing.
- Patients shall only have access to or amend records in designated record sets.
References: CANM Policy #765
POLICY DESCRIPTION: Patient Rights Designated Record Set
POLICY #: 766
APPROVED: March 19, 2003
REVISION DATE: July 8, 2008
EFFECTIVE DATE: April 1, 2003
Patient Rights Notice of Privacy Practices
Policy:
Each patient, except for an inmate, will be provided with a Notice of Privacy Practices that provides information as to what uses and disclosures will be made of his/her protected health information. [45 CFR § 164.520]
Procedures:
- The Notice should be provided to the patient no later than the first delivery of service, or, in an emergency situation, as soon as practicable after the emergency.
- Except in an emergency, there must be a good faith attempt at obtaining an acknowledgment of receipt of the Notice. If Personnel are unable to obtain the acknowledgment they should document their attempt. No form of acknowledgement is mandated.
- The Notice should be posted in a clear and prominent place on site in CANM’s offices.
- The Notice should be posted on the web site and be made available electronically. If the patient agrees, the Notice may be provided to the patient electronically. However, it is highly recommended that a paper Notice also be delivered to the individual.
- The Notice should incorporate and give the individual notice of his/her rights under HIPAA and the permitted uses and disclosures and contain the following required elements and be written in plain language:
- Header. The Notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
- Uses and Disclosures. The Notice must contain:
- A description, including at least one example, of the types of uses and disclosures that CANM is permitted to make for each of the following purposes: treatment, payment, and health care operations.
- A description of each of the other purposes for which CANM is permitted or required to use or disclose protected health information without the patient’s written authorization.
- If a use or disclosure for any purpose is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law.
- For each such purpose, the description must include sufficient detail to place the patient on notice of the uses and disclosures that are permitted or required and other applicable law.
- A statement that other uses and disclosures will be made only with the patient’s written authorization and that the patient may revoke such authorization.
- Separate Statements for Certain Uses or Disclosures. The description required above must include a separate statement that CANM may contact the patient to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the patient.
- Individual Rights. The Notice must contain a statement of the patient’s rights with respect to protected health information and a brief description of how he or she may exercise these rights, as follows:
- The right to request restrictions on certain uses and disclosures of protected health information, including a statement that CANM is not required to agree to a requested restriction (will honor request where the information pertains solely to an item or service we provided for which the patient paid in full);
- The right to receive confidential communications of protected health information, as applicable;
- The right to inspect and receive a copy of protected health information (including electronic copy);
- The right to amend protected health information;
- The right to receive an accounting of disclosures of protected health information;
- The right to be notified of a breach of protected health information in any form which is not electronically encrypted; and
- The right of a patient, including a patient who has agreed to receive the Notice electronically when applicable, to obtain a paper copy of the notice from CANM upon request.
- Additional Patient’s Rights. The Notice must contain:
- A statement that CANM is required by law to maintain the privacy of protected health information and to provide individuals with Notice of its legal duties and privacy practices with respect to protected health information;
- A statement that CANM is required to abide by the terms of the Notice currently in effect; and
- For CANM to apply a change in a privacy practice that is described in the Notice to protected health information that CANM created or received prior to issuing a revised Notice, a statement that it reserves the right to change the terms of its Notice and to make the new Notice provisions effective for all protected health information that it maintains. The revised version will be posted and made available to anyone who requests it.
- Complaints. The Notice must contain a statement that patients may complain to CANM and to the Secretary of the Department of Health and Human Services if they believe their privacy rights have been violated, a brief description of how the patient may file a complaint with CANM, and a statement that the patient will not be retaliated against for filing a complaint.
- Contact. The Notice must contain the title and telephone number of a person or office to contact for further information.
- Effective Date. The Notice must contain the date on which it is first in effect, which may not be earlier than the date on which the Notice is printed or otherwise published.
- CANM must promptly revise and distribute upon request its Notice whenever there is a material change to the uses or disclosures, the patient’s rights, CANM’s legal duties, or other privacy practices stated in the Notice. Except when required by law, a material change to any term of the Notice may not be implemented prior to the effective date of the Notice in which such material change is reflected.
- North Mississippi Medical Center (NMMC) has an Organized Health Care Arrangement with its medical staff. The medical staff consists of physicians and allied health professionals who are credentialed to be on the medical staff of NMMC. When using PHI that is obtained at an NMMC facility for treatment, payment or health care operations, our physicians will follow the NMMC privacy practices. At our private offices, they will follow the CANM privacy practices.
References: Notice of Privacy Practices, CANM Policy #200, CANM Policy #202, CANM Policy #252, CANM Policy #254, CANM Policy #364, CANM Policy #368, CANM Policy #372, CANM Policy #602, CANM Policy #604
POLICY DESCRIPTION: Patient Rights Notice of Privacy Practices
POLICY #: 762
APPROVED: March 19, 2003
REVISION DATE: September 4, 2013
EFFECTIVE DATE: April 1, 2003
Patient Rights Right to Request Confidential Communications
Policy:
CANM shall allow individuals the right to request, and shall accommodate reasonable requests, to receive communications by alternative means or at alternative locations. [45 CFR § 164.522(b)]
Procedures:
- CANM may require the individual to make a request for a confidential communication in writing.
- CANM may condition the provision of a reasonable accommodation on:
- When appropriate, information as to how payment, if any, will be handled; and
- Specification of an alternative address or other method of contact.
- CANM may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.
References: Restriction Form 3, CANM Policy #200, CANM Policy #202, CANM Policy #252, CANM Policy #254, CANM Policy #364, CANM Policy #368, CANM Policy #372, CANM Policy #602, CANM Policy #604
POLICY DESCRIPTION: Patient Rights Right to Request Confidential Communications
POLICY #: 764
APPROVED: March 19, 2003
REVISION DATE:
EFFECTIVE DATE: April 1, 2003
Patient Rights Right to Request Privacy Protection for Protected Health Information
Policy:
CANM shall allow an individual to request that it restrict uses and disclosures of protected health information for treatment, payment or health care operations, as well as those permitted for involvement in the individual’s care and for notification purposes. [45 CFR § 164.522(a)]
Procedures:
- CANM is not required to agree to a restriction.
- CANM will honor such a request where (1) the disclosure is made to a health insurer to carry out payment or health care operations and is not required by law, and (2) the information pertains solely to an item or service provided for which payment in full has been made.
- If CANM agrees to such a restriction it may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, CANM may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.
- If restricted protected health information is disclosed to a health care provider for emergency treatment, CANM should request that such health care provider not further use or disclose the information.
- CANM may terminate its agreement to a restriction, if:
- The individual agrees to or requests the termination in writing;
- The individual orally agrees to the termination and the oral agreement is documented; or
- CANM informs the individual that it is terminating its agreement to a restriction, except that such termination is only effective with respect to protected health information created or received after it has so informed the individual.
- If CANM agrees to a restriction it must document the restriction.
References: Restriction Form 1, Restriction Form 2, Restriction Form 3
POLICY DESCRIPTION: Patient Rights Right to Request Privacy Protection for Protected Health Information
POLICY #: 763
APPROVED: March 19, 2003
REVISION DATE: September 4, 2013; July 11, 2023
EFFECTIVE DATE: April 1, 2003
Uses and Disclosures of Protected Health Information Authorization for Marketing
Policy:
CANM should obtain an authorization for any use or disclosure for marketing, except if the communication is face-to-face or is a promotional gift of nominal value provided by CANM. [45 CFR § 164.508(a)(3)]
Procedures:
- If the marketing involves direct or indirect remuneration to CANM from a third party, the authorization must state that such remuneration is involved.
- An authorization is not necessary if a communication is made by CANM (1) to describe CANM’s health-related product or service, or payment thereof; (2) for treatment of the patient; or (3) to direct or recommend alternative treatments, therapies, health care providers, or settings of treatment.
- CANM must document and retain a signed authorization, as well as any communication with the patient.
References: CANM Authorization Form
POLICY DESCRIPTION: Uses and Disclosures of Protected Health Information Authorization for Marketing
POLICY #: 755
APPROVED: March 19, 2003
REVISION DATE: July 11, 2023
EFFECTIVE DATE: April 1, 2003
Uses and Disclosures of Protected Health Information Business Associates
Policy:
CANM may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if CANM obtains satisfactory assurance, in the form of a business associate agreement, that the business associate will appropriately safeguard the information. [45 CFR § 164.502(e)]
Procedures:
- This requirement does not apply with respect to disclosures by CANM to another health care provider concerning the treatment of an individual.
- CANM will not be deemed in compliance, if it knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the business associate agreement, unless CANM took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:
- Terminated the contract or arrangement, if feasible; or
- If termination is not feasible, reported the problem to the Secretary of the Department of Health and Human Services.
- a. The business associate agreement must:
- Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of the Privacy Rule, if done by CANM, except that:
- The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate; and
- The contract may permit the business associate to provide data aggregation services relating to the health care operations of CANM.
- Provide that the business associate will:
- Not use or further disclose the information other than as permitted or required by the contract or as required by law;
- Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
- Report to CANM any use or disclosure of the information not provided for by its contract of which it becomes aware;
- Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, CANM agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
- Make available protected health information for access;
- Make available protected health information for amendment and incorporate any amendments to protected health information;
- Make available the information required to provide an accounting of disclosures;
- Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, CANM available to the Secretary of the Department of Health and Human Services for purposes of determining CANM’s compliance; and
- At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, CANM that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
- Authorize termination of the contract by CANM, if CANM determines that the business associate has violated a material term of the contract.
b. If a business associate is required by law to perform a function or activity on behalf of CANM or to provide a service to CANM, CANM may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the business associate requirements of the Privacy Rule, provided that CANM attempts in good faith to obtain satisfactory assurances as required if CANM and the business associate are both governmental entities, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained.
c. CANM may omit from its other arrangements the required termination authorization, if such authorization is inconsistent with the statutory obligations of CANM or its business associate.
- The business associate agreement may permit the business associate to use the information received by the business associate in its capacity as a business associate to CANM, if necessary:
- For the proper management and administration of the business associate; or
- To carry out the legal responsibilities of the business associate.
- The business associate agreement may permit the business associate to disclose the information received by the business associate in its capacity as a business associate for the purposes described in number 4 above, if:
- The disclosure is required by law; or
- The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and
- The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.
References: Business Associate Agreement, CANM Policy #789
POLICY DESCRIPTION: Uses and Disclosures of Protected Health Information Business Associates
POLICY #: 759
APPROVED: March 19, 2003
REVISION DATE: March 2, 2005
EFFECTIVE DATE: April 1, 2003
Uses and Disclosures of Protected Health Information De-Identification
Policy:
Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information and may be used and disclosed by CANM. [45 CFR § 164.514(a)]
Procedures:
- CANM may determine that health information is not individually identifiable health information only if:
- A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
- Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
- Documents the methods and results of the analysis that justify such determination; or
- The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
- Names;
- All geographic subdivisions smaller than a State, i.e., zip codes.
- All elements of dates (except year) for dates directly related to an individual, including birth date, date of service,
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code, except as permitted pursuant to # 2. below; and
- CANM does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
- CANM may assign a code or other means of record identification to allow information de-identified to be re-identified by CANM, provided that:
- The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
- CANM does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
POLICY DESCRIPTION: Uses and Disclosures of Protected Health Information De-Identification
POLICY #: 760
APPROVED: March 19, 2003
REVISION DATE:
EFFECTIVE DATE: April 1, 2003
Uses and Disclosures of Protected Health Information Limited Data Set
Policy:
In order to use or disclose a “limited data set” for research, public health, or health care operations purposes, CANM must enter into a “data use agreement” with the “limited data set” recipient. [45 CFR § 164.514(e)]
Procedures:
- A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
- Names;
- Postal address information, other than the town or city, State, and zip code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
- CANM may use or disclose a limited data set only for the purposes of research, public health, or health care operations.
- CANM may use protected health information to create a limited data set, or disclose protected health information only to a business associate for such purpose, whether or not the limited data set is to be used by CANM.
- CANM may use or disclose a limited data set only if CANM obtains satisfactory assurance, in the form of a data use agreement, that the limited data set recipient will only use or disclose the protected health information for limited purposes.
- Each CANM study has a specific agreement with the individual sponsor. Therefore, the data use agreement may not be needed. If used, a data use agreement between CANM and the limited data set recipient should:
- Establish the permitted uses and disclosures of such information by the limited data set recipient. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of the Privacy Rule, if done by CANM;
- Establish who is permitted to use or receive the limited data set; and
- Provide that the limited data set recipient will:
- Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
- Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
- Report to CANM any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
- Ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
- Not identify the information or contact the individuals.
- CANM is not in compliance with the limited data set standards if it knew of a pattern of activity or practice of the limited data set recipient that constituted a material breach or violation of the data use agreement, unless CANM took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:
- Discontinued disclosure of protected health information to the recipient; and
- Reported the problem to the Secretary of the Department of Health and Human Services.
- If CANM is a limited data set recipient and violates a data use agreement it will be in noncompliance with the standards, implementation specifications, and requirements of the limited data set requirements.
Reference: CANM Policy #350
POLICY DESCRIPTION: Uses and Disclosures of Protected Health Information Limited Data Set
POLICY #: 761
APPROVED: March 19, 2003
REVISION DATE:
EFFECTIVE DATE: April 1, 2003
Uses and Disclosures of Protected Health Information Minimum Necessary
Policy:
When using or disclosing protected health information or when requesting protected health information from another covered entity, CANM shall make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Personnel shall take reasonable steps to limit protected health information uses or disclosures (whether requesting or providing) to the minimum necessary to accomplish the purpose. [45 CFR § 164.502(b)]
Procedures:
- The minimum necessary requirement does not apply to:
- Disclosures to or requests by a health care provider for treatment;
- Uses or disclosures made to the individual;
- Uses or disclosures made pursuant to an authorization;
- Disclosures made to the Secretary of the Department of Health and Human Services;
- Uses or disclosures that are required by law; and
- Uses or disclosures that are required for compliance purposes.
- CANM must identify:
- Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and
- For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.
- CANM must make reasonable efforts to limit the access of such persons or classes identified above to protected health information consistent with that described above.
- For all other disclosures, CANM will:
- Review requests for disclosure on an individual basis to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought.
- CANM may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:
- Making disclosures to public officials that are permitted without an authorization, if the public official represents that the information requested is the minimum necessary for the stated purpose(s);
- The information is requested by another covered entity;
- The information is requested by a professional who is a member of its workforce or is a business associate of CANM for the purpose of providing professional services to CANM, if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or
- Documentation or representations that comply with applicable requirements have been provided by a person requesting the information for research purposes.
- CANM must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities.
- CANM may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.
References: CANM Policy #306, CANM Policy #550, CANM Policy #552
POLICY DESCRIPTION: Uses and Disclosures of Protected Health Information Minimum Necessary
POLICY #: 752
APPROVED: March 19, 2003
REVISION DATE: May 16, 2012
EFFECTIVE DATE: April 1, 2003
Uses and Disclosures of Protected Health Information Regulatory Permission
Policy:
Personnel may use and disclose protected health information, without an authorization or permission, for (1) CANM’s own treatment, payment, and health care operations, (2) disclosure to another health care provider for treatment, (3) disclosure to another covered entity for the payment activities of the entity receiving the payment, and (4) disclosure to another covered entity for health care operations of the entity receiving the protected health information if each has/had a relationship with the individual, the protected health information pertains to the relationship and the purpose is for certain aspects of health care operations* or for fraud and abuse detection/compliance. [45 CFR § 164.506]
Procedures:
- CANM shall obtain consent of the individual to use or disclose protected health information to carry out treatment, payment or health care operations.
- Consent will not be effective to permit a use or disclosure of protected health information when an authorization is required or when another condition must be met for such use or disclosure to be permissible.
*The referenced aspects of health care operations are:
Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment; reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.
References: General CANM Consent Form
POLICY DESCRIPTION: Uses and Disclosures of Protected Health Information Regulatory Permission
POLICY #: 751
APPROVED: March 19, 2003
REVISION DATE: July 11, 2023
EFFECTIVE DATE: April 1, 2003
Uses and Disclosures of Protected Health Information Required Authorization
Policy:
Except as otherwise provided, CANM may not use or disclose protected health information without a valid authorization. When CANM obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. [45 CFR § 164.508(a)(1) and (b)]
Procedures:
- A valid authorization is a document that meets the requirements in # 6. and # 7. below, as applicable. It may contain elements or information in addition to the required ones, provided that such additional elements or information are not inconsistent with the required elements.
- An authorization is not valid if the document submitted has any of the following defects:
- The expiration date has passed or the expiration event is known by CANM to have occurred;
- The authorization has not been filled out completely, with respect to a core element or requirement, if applicable;
- The authorization is known by CANM to have been revoked;
- The authorization violates the compound authorization requirements and the prohibition on conditioning of authorizations, if applicable;
- Any material information in the authorization is known by CANM to be false.
- An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows:
- An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of protected health information for such research or a consent to participate in such research;
- An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes;
- An authorization, other than an authorization for a use or disclosure of psychotherapy notes, may be combined with any other such authorization under this section, except when CANM has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of one of the authorizations.
- CANM may not condition the provision to an individual of treatment or payment on the provision of an authorization, except:
- It may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research;
- It may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.
- CANM must document and retain any signed authorization.
- A valid authorization must contain at least the following elements:
- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
- The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
- The name or other specific identification of the person(s), or class of persons, to whom CANM may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
- If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.
- In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
- The individual’s right to revoke the authorization in writing, and either:
- The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
- To the extent that information concerning exceptions to the right to revoke is included in the Notice of Privacy Practices.
- The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected.
- The authorization must be written in plain language.
- If CANM seeks an authorization from an individual for a use or disclosure of protected health information, CANM staff will offer the individual a copy of the signed authorization.
References: Notice of Privacy Practices, CANM Authorization Form, CANM Policy #302
POLICY DESCRIPTION: Uses and Disclosures of Protected Health Information Required Authorization
POLICY #: 753
APPROVED: March 19, 2003
REVISION DATE: July 13, 2021; July 11, 2023
EFFECTIVE DATE: April 1, 2003
Uses and Disclosures of Protected Health Information Required Opportunity to Agree Or Object; Involvement in Care And Notification
Policy:
So long as it provides the individual with opportunity to agree or object, CANM may disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s health care. So long as it provides the individual with opportunity to agree or object, it also may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death. [45 CFR § 164.510]
Procedures:
- If the individual is present for, or otherwise available prior to, a permitted use or disclosure and has the capacity to make health care decisions, CANM may use or disclose the protected health information if it:
- Obtains the individual’s agreement;
- Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or
- Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.
- If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, CANM may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. CANM may use professional judgment and its experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on behalf of the individual.
POLICY DESCRIPTION: Uses and Disclosures of Protected Health Information Required Opportunity to Agree Or Object; Involvement in Care And Notification
POLICY #: 756
APPROVED: March 19, 2003
REVISION DATE: May 16, 2012
EFFECTIVE DATE: April 1, 2003
Uses and Disclosures of Protected Health Information Required Opportunity to Agree Or Object; Disaster Relief
Policy:
CANM may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities uses or disclosures of protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death. The requirements for providing an individual with the opportunity to agree or object, as well as determining when the disclosure is in the individual’s best interests, apply to such uses and disclosures to the extent that CANM, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances. [45 CFR § 164.510(b)(4)]
Procedures:
- If the individual is present for, or otherwise available prior to, a permitted use or disclosure and has the capacity to make health care decisions, CANM may use or disclose the protected health information if it:
- Obtains the individual’s agreement;
- Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or
- Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.
- If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, CANM may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care.
POLICY DESCRIPTION: Uses and Disclosures of Protected Health Information Required Opportunity to Agree Or Object; Disaster Relief
POLICY #: 757
APPROVED: March 19, 2003
REVISION DATE: May 16, 2012
EFFECTIVE DATE: April 1, 2003
Uses and Disclosures of Protected Health Information Revocation of Authorization
Policy:
An individual may revoke an authorization at any time except to the extent CANM has relied upon it. [45 CFR § 164.508(b)(5)]
Procedures:
- CANM must document and retain a signed revocation of authorization, as well as any communication with the individual.
- CANM should notify an individual of any qualification to the applicability of a revocation.
References: CANM Authorization Form, CANM Policy #302
POLICY DESCRIPTION: Uses and Disclosures of Protected Health Information Revocation of Authorization
POLICY #: 754
APPROVED: March 19, 2003
REVISION DATE: July 11, 2023
EFFECTIVE DATE: April 1, 2003