What is HIPAA and why was the law enacted?
HIPAA stands for Health Insurance Portability and Accountability Act of 1996. One of the primary purposes of the law is to provide comprehensive protection for the privacy and security of patients’ health information. Generally, the HIPAA Privacy Rule:
● limits the use and disclosure of Protected Health Information (PHI), which generally includes health and demographic information concerning an individual;
● strives to protect against deliberate or inadvertent misuse or disclosure of PHI;
● provides individuals the right to view, copy and amend their health records;
● provides individuals the right to information about who has seen information in their records, in the form of an accounting of disclosures;
● provides individuals the right to receive notice of a breach of unsecured PHI; and
● provides a complaint mechanism for the public and permits the Federal government to impose penalties against violators of the HIPAA Privacy Rule.
The HIPAA privacy requirements became effective April 14, 2003 and were further modified by the 2009 enactment of the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) and its implementing Privacy and Security Regulations (collectively referred to herein as “HIPAA”).
Protected Health Information (PHI): information (including demographic information) that:
● Is created or received by a health care provider and transmitted or maintained in any form or medium, including electronic media;
● Relates to the health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual; and
● Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Covered Entity: a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA standard transaction (e.g., an electronic claim). The Practice is a covered entity and therefore is subject to the privacy requirements.
Authorization: a detailed document that gives a covered entity permission to use PHI for a specified purpose(s) (which is generally other than treatment, payment, or health care operations), or to disclose PHI to a third party specified by the individual. An Authorization must comply with HIPAA requirements to be valid.
Consent: a document that gives health care providers permission to disclose a patient’s medical information for specified purposes, including treatment, payment, and health care operations. Under Massachusetts law, a Consent is required prior to most disclosures of medical information. A Consent for the disclosure of medical information is different from a patient’s consent to treatment.
Minimum Necessary: when using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the
minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This rule does not apply to disclosures to or requests by other health care providers for treatment, uses or disclosures made to the patient, or uses or disclosures made pursuant to an Authorization.
Treatment, Payment, or Health Care Operations (TPO): HIPAA permits a covered entity to use or disclose PHI for the purposes of TPO without first obtaining a patient Authorization. However, under Massachusetts law, the covered entity must first obtain a patient’s Consent prior to disclosing health information, even for TPO.
● Treatment. Without the patient’s Authorization or Consent, the Practice may use PHI to provide treatment and other services to the patient, for example, to develop a program specific to the patient’s needs. However, prior to disclosing a patient’s PHI, the Practice must obtain the patient’s Consent. For example, a Consent is required prior to disclosing a patient’s PHI to the patient’s specialist physician to ask for his/her opinion on the patient’s treatment.
● Payment. Without the patient’s Authorization or Consent, the Practice may use PHI to obtain payment for services provided to patients, for example, to identify claims for payment from a patient’s insurer. However, prior to disclosing PHI to obtain payment for services, the Practice must obtain the patient’s Consent. For example, a Consent is required prior to disclosing a patient’s PHI to file claims and obtain payment or to verify that an insurer will pay for services.
● Health Care Operations. Without the patient’s Authorization or Consent, the Practice may use PHI for health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care and customer service that the Practice delivers. For example, the Practice may use PHI to evaluate the quality of the services the Practice provides. However, prior to disclosing PHI for the health care operations of the Practice, the Practice must obtain the patient’s Consent. For example, a Consent is required prior to disclosing a patient’s PHI to resolve patient complaints.
Personal Representative: for a patient who is a minor (i.e., someone who is younger than 18 years old and not an emancipated minor), a Personal Representative is a parent with legal custody over the minor, a court-appointed guardian, or other person acting in loco parentis who has authority under Massachusetts law to act on behalf of the patient in making decisions related to health care (e.g., a foster parent, a representative of the Department of Social Services (now the Department of Children and Families) (to the extent that the Department has custody over the minor), or a representative of the Department of Mental Health (to the extent the Department of Mental Health has custody over the minor)) (with some limited exceptions). For a patient who is an adult (i.e., at least 18 years old) or an emancipated minor, a Personal Representative is a person who has authority under Massachusetts law to act on behalf of the patient in making decisions related to health care (e.g., a court-appointed guardian, a designated health care agent (pursuant to a valid health care proxy) of that individual, or a representative of the Department of Mental Health (to the extent the Department of Mental Health has custody over the individual)). As a general rule, an individual’s Personal Representative is given the same rights as the individual for purposes of HIPAA (though there are some exceptions). A Personal Representative may only exercise rights on behalf of an individual if that individual is incompetent (due to physical incapacity, mental incapacity, or because the individual is a minor and not an emancipated minor). In the case of a decedent, an appropriate Personal Representative includes the decedent’s personal representative, formerly known as an “executor.”
II. Compliance Officer
Melissa Sheldon is the Practice’s Compliance Officer and can be reached as follows:
Physical location: 480 Route 6A- East Sandwich, MA 02537
Mailing address: P.O. Box 725- East Sandwich, MA 02537
III. Notice of Privacy Practices
The Notice of Privacy Practices is made available electronically on the Practice’s web site. The Practice will have copies of the Notice of Privacy Practices that can be handed to patients in their homes. All patients treated by the Practice must be handed a Notice of Privacy Practices prior to or by their first service encounter.
IV. Confidentiality and Signature on File Form
The Confidentiality and Signature on File forms must be provided to and signed by each patient treated by the Practice. This includes a general consent that permits the Practice to disclose the patient’s information so that the Practice can treat the patient, seek payment from third parties for such treatment, and generally carry on the health care operations of the Practice. The form also includes a general consent that permits the Practice to disclose patient information to insurers and other providers when necessary for purposes of treatment, payment for that treatment, and their own health care operations.
All questions about whether an Authorization is required prior to using or disclosing PHI should be directed to the Compliance Officer.
V. Highly Confidential Information
The following types of information are considered to be highly confidential:
● information about a substance use disorder (alcohol or drug) from a program that is covered by 42 CFR Part 2
● information related to mental health community program records
● information about genetic testing
● information about family planning services
● information related to confidential communications with a psychotherapist, psychologist, social worker, sexual assault counselor, domestic violence counselor or other allied mental health professional or human services professional
● if the patient is an emancipated minor, certain information about his/her treatment and diagnosis
● information about research involving controlled substances
A. Minimum Necessary
The HIPAA Privacy Rule requires that uses and disclosures of, and requests for, PHI be limited to the minimum amount necessary to accomplish the stated purpose. To the extent practicable, the PHI used or disclosed should exclude the following direct identifiers of the patient or of relatives, employers, or household members of the patient (these are the sixteen identifiers whose removal produces a “limited data set” under the Privacy Rule): (i) names; (ii) postal address information, other than town or city, State and zip code; (iii) telephone numbers; (iv) fax numbers; (v) electronic mail addresses; (vi) social security numbers; (vii) patient record numbers; (viii) health plan beneficiary numbers; (ix) account numbers; (x) certificate/license numbers; (xi) vehicle identifiers and serial numbers, including license plate numbers; (xii) device identifiers and serial numbers; (xiii) web universal resource locators (URLs); (xiv) internet protocol (IP) address numbers; (xv) biometric identifiers, including finger and voice prints; and (xvi) full face photographic images and any comparable images.
The minimum necessary requirement does not apply to disclosures to, or requests by, a health care provider for treatment; uses or disclosures made to the patient; uses or disclosures made pursuant to the patient’s Authorization; disclosures to the Secretary of Health and Human Services for compliance purposes; or uses or disclosures required by law. It does apply to uses and disclosures for payment and for health care operations.
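The following is an added example, not part of the Practice’s policy or its own tooling, showing how the direct-identifier list above is applied to a record to produce a limited data set. Structured fields holding the sixteen identifiers are dropped, and it goes one step beyond the list by also redacting formatted identifiers that hide inside free-text notes (phone numbers, e-mail addresses, URLs, IP addresses, social security numbers), returning an audit trail of what was removed. The field names and the sample record are assumptions for illustration.

```python
"""Added example: reduce a patient record to a HIPAA limited data set.

Drops the 16 direct identifiers listed in 45 CFR 164.514(e)(2) from
structured fields, then scrubs identifiers that hide in free text.
Field names and the sample record are assumptions for illustration.
"""
from __future__ import annotations

import re

# Structured fields that hold a direct identifier (hypothetical record layout).
DIRECT_IDENTIFIER_FIELDS = {
    "name",             # (i)    names
    "street_address",   # (ii)   postal address other than town/city, state, zip
    "phone",            # (iii)  telephone numbers
    "fax",              # (iv)   fax numbers
    "email",            # (v)    e-mail addresses
    "ssn",              # (vi)   social security numbers
    "mrn",              # (vii)  patient/medical record numbers
    "health_plan_id",   # (viii) health plan beneficiary numbers
    "account_number",   # (ix)   account numbers
    "license_number",   # (x)    certificate/license numbers
    "vehicle_id",       # (xi)   vehicle identifiers and license plates
    "device_serial",    # (xii)  device identifiers and serial numbers
    "url",              # (xiii) URLs
    "ip_address",       # (xiv)  IP addresses
    "biometric",        # (xv)   biometric identifiers
    "photo",            # (xvi)  full-face and comparable images
}

# Formatted identifiers that turn up inside clinical notes. Order matters:
# URLs are handled first so an address embedded in a URL is not left behind
# as a bare IP, and SSNs before phone numbers so the two patterns do not collide.
FREE_TEXT_PATTERNS = [
    ("URL",   re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def scrub_free_text(text: str) -> tuple[str, list[str]]:
    """Replace formatted identifiers in free text; return (text, kinds found).

    Only pattern-shaped identifiers are caught. A relative's or employer's
    name written in prose is not, so a reviewer must still read notes
    before release.
    """
    found: list[str] = []
    for kind, pattern in FREE_TEXT_PATTERNS:
        text, count = pattern.subn(f"[{kind} REDACTED]", text)
        found.extend([kind] * count)
    return text, found


def to_limited_data_set(record: dict) -> tuple[dict, list[str]]:
    """Return (scrubbed copy of record, audit trail of what was removed)."""
    scrubbed: dict = {}
    audit: list[str] = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            audit.append(f"dropped field {field}")
            continue
        if isinstance(value, str):
            value, kinds = scrub_free_text(value)
            audit.extend(f"redacted {k} in {field}" for k in kinds)
        scrubbed[field] = value
    return scrubbed, audit


# Constructed sample record; not real patient data.
# Dates (dob) and town/state/zip are retained in a limited data set, although
# Safe Harbor de-identification would strip those as well.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "street_address": "12 Example Lane",
    "city": "East Sandwich",
    "state": "MA",
    "zip": "02537",
    "dob": "2015-03-09",
    "phone": "508-555-0142",
    "mrn": "MRN-000123",
    "diagnosis": "F84.0",
    "note": ("Parent (call 508-555-0142 or jdoe@example.com) reports progress; "
             "session video at https://example.invalid/v/1 from device 10.0.0.7. "
             "SSN on file 123-45-6789."),
}

if __name__ == "__main__":
    cleaned, trail = to_limited_data_set(SAMPLE_RECORD)
    print(cleaned["note"])
    print("\n".join(trail))
```

The free-text pass only catches identifiers with a recognizable shape; names written in prose pass through, so the output is a candidate for reviewer sign-off rather than a release decision. The audit trail is what you would attach to the disclosure log so the “brief description of the PHI disclosed” in a later accounting is verifiable.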
B. Disclosures to Family, Friends and Others
The Practice understands that patients often wish for family members, other relatives, close personal friends, and/or other persons involved in the patient’s care and/or involved in payment related to the patient’s care (in addition to the patient’s Personal Representative) (“Recipient”) to be able to learn information about the patient. As a result, the Practice will disclose a patient’s PHI to a Recipient where the patient agrees in advance to the disclosure. More specifically, where a patient is present and capable of consenting to a disclosure, Practice staff may disclose PHI to a Recipient in any of the following situations:
1. The patient agrees to the disclosure; or
2. The patient does not express an objection when given the opportunity; or
3. If staff can reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object. Example of reasonable inference: if a patient’s grandparent is in the same room as the patient during an appointment, staff can infer that disclosures to that grandparent are appropriate.
Any disclosure made to a Recipient pursuant to this Section B (Disclosures to Family, Friends and Others) must be limited to PHI directly relevant to the Recipient’s involvement in the patient’s care or payment related to the patient’s care.
C. Operational Matters
Members of the Practice staff are required to take the following actions for the purpose of safeguarding PHI:
● keep computer passwords secure
● turn computer screens/devices so that they do not face the general public
● do not leave a computer/device unattended while PHI is visible or accessible without a password
● keep phone conversations about PHI private
● keep oral conversations about patients and PHI as private as possible, and do not discuss patient information outside of the Practice
● refrain from reading patient files unless required to fulfill his or her job responsibilities
● use care when faxing information to ensure that the information is sent to the correct recipient
● secure patient files so that they are not left in plain sight
● position files so that they cannot be read by unauthorized individuals (e.g., if you have files for multiple patients with you when you visit a client, keep files for the other patients in a secure location in your bag)
● ensure that doors and cabinets that have locks for protecting PHI are in working order and under key control
● transport the minimum amount of information necessary to accomplish the task
● place information in a locked file box in the vehicle trunk. In general, the Program Book and identifying materials should remain in the patient’s home or be transported between locations along with the patient. For all exceptions, when necessary and agreed upon, the Program Book and materials will be transported in a locked box in the trunk (rear area) of the car. The car must remain locked when the materials are inside. Notify the office if items transported in your car require a locked file box.
● Employees must have reliable, independent transportation to and from session locations. Employees may not have their own family members or friends transport them to and from sessions. Public transportation, including buses, taxis, and rideshare services such as Uber, is acceptable provided the nature of the work is not disclosed to the driver.
● Photos/video storage and transmission- In the event that photos and/or videos are requested by a supervisor to support treatment, all must be transmitted via the identified HIPAA compliant communication system. At no time will a photo or video be taken, accessed, transmitted or stored in any other manner. Photos and videos may not be downloaded or stored on personal devices except within the designated secure communication system. All photo and video consent agreements will be followed. Current Video and Photo Permission Forms are found in each patient’s program book. Photo and video requests from anyone other than the supervisor will be forwarded to the supervisor.
● Communication will occur through the secure platform and email account provided to you solely for business purposes with Reach Coastal ABA.
● Access to the secure platform on personal mobile devices requires two-factor authentication. In the event of loss or theft of a mobile device that has access to the secure email platform, report the loss as soon as possible. The email account will be immediately and permanently disabled and a new account will be issued.
● If applicable, PHI must be safeguarded within your home at all times so that it is not accessible or viewable by others.
● PHI and all related paperwork will be secured at the Reach Coastal ABA office. All documents that are no longer current will be promptly returned to the office for secure storage
● Upon discharge of a patient, all programming documents and materials will be returned to the Reach Coastal ABA office.
D. Business Associates
Generally, in the event that the Practice needs to disclose PHI to a person or entity that will perform a function for or on behalf of the Practice, the Practice must enter into a Business Associate Agreement with that person or entity. A billing service is an example of a Business Associate that requires a Business Associate Agreement. The Practice shall ensure that Business Associate Agreements are in place when needed. The Business Associate Agreement sets forth the limitations on how the business associate may use and disclose PHI.
VII. Breach Notification
A. What is a breach of PHI?
Generally, a breach of PHI is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI. In the event of a privacy incident, the Practice will investigate and assess the incident and determine whether the incident constitutes a breach of unsecured PHI in accordance with the Practice’s Breach Notification Policy. In the event of a breach of unsecured PHI, the Practice will comply with applicable notification requirements (e.g., patient notification, government notification, and, in some cases, media notification) in accordance with the Practice’s Breach Notification Policy.
B. Incident Reporting
Members of the Practice’s staff are not responsible for determining whether an incident is a breach of PHI. Members of the Practice’s staff are responsible, however, for notifying the Compliance Officer of all incidents involving PHI (e.g., accidental disclosure of PHI to the wrong patient, lost patient records, inappropriate use or disclosure of PHI by a Business Associate, etc.). In the event that a member of the Practice’s staff becomes aware of a potential incident, he or she is responsible for notifying the Compliance Officer immediately. Failure to do so could result in the Practice taking disciplinary action, up to and including termination of employment or engagement.
C. Determining Whether An Incident is a Breach of PHI
In the event of an incident involving PHI, the Practice (together with legal counsel, as needed) shall determine whether the incident is a breach that triggers notification requirements. The Compliance Officer will conduct (or coordinate) an investigation and risk assessment of the incident to determine whether there has been a breach of PHI. Every member of the Practice’s staff is responsible for cooperating with any such investigation. In the event that the Practice determines that there has been a breach of PHI, the Practice will fulfill its notification obligations, as required by law and any applicable policies the Practice has in place at that time.
VIII. Disposal of PHI
PHI (including old records and any other information that connects a patient’s name with a prescription or other PHI) must be disposed of as follows:
● paper documents must be redacted, burned, pulverized or shredded so that the information cannot practicably be read or reconstructed
● electronic media and other non-paper media must be destroyed or erased so that the information cannot practicably be read or reconstructed, e.g., by clearing (using software or hardware products to overwrite the media with non-sensitive data), purging (degaussing, i.e., exposing magnetic media to a strong magnetic field to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incineration, or shredding). Degaussing is effective only for magnetic media; flash-based storage such as solid-state drives, USB drives, and mobile devices must be sanitized using the manufacturer’s secure-erase or cryptographic-erase function or be physically destroyed.
PHI in paper records, on electronic media, or other forms of PHI will not be placed in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons, unless first treated in the manner described above. PHI can, however, be maintained for disposal in a secure area if the Practice has made arrangements with a disposal vendor (who is a business associate of the Practice), to pick up and shred or otherwise appropriately destroy the PHI.
A. Access and Copies
A patient may request access to his/her patient record and billing records maintained by the Practice in order to inspect and request copies of the records. All requests for access must be made in writing. Under limited circumstances, the Practice may deny the patient access to his/her records. The Practice may charge patients for copies (as limited by the HIPAA Privacy Rule and Massachusetts law) and also for postage costs if the patient requests that the copies be mailed. In the event that a patient seeks the patient records of his/her minor child, the Practice (together with legal counsel if necessary) will determine whether state law permits the parent to be the Personal Representative of the minor child, permitting access to the minor’s designated record set. Generally, the Practice must respond to a patient’s access request within 30 days of receiving the request.
B. Amendment of PHI
A patient has the right to request that the Practice amend PHI maintained in his/her patient record or billing records. Requests to amend PHI must be submitted in writing to the Practice. The Practice will comply with the patient’s request unless the Compliance Officer determines that the information that would be amended is accurate and complete, or other special circumstances apply (e.g., the information was not created by the Practice and the originator of the information is still available). Generally, the Practice must act on a patient’s request for amendment no later than 60 days after receiving the request. All questions concerning whether an amendment should be made as requested and/or about procedures for denying an amendment request should be directed to the Compliance Officer.
C. Accounting of Disclosures
Upon written request, a patient may obtain an accounting of certain disclosures of PHI made by the Practice to a recipient external to the Practice during any period of time prior to the date of the patient’s request, provided such period does not exceed six years. The Practice is not required to account for disclosures made for purposes of treatment, payment, or health care operations, or certain other disclosures (e.g., disclosures made to the patient or pursuant to the patient’s Authorization). If a patient requests an accounting more than once during a twelve (12) month period, the Practice may charge the patient for the accounting statement (as limited by the HIPAA Privacy Rule). A request for an accounting must be in writing.
To the extent that the Practice uses or maintains information in an electronic designated record set, a patient also has a right under the HITECH Act to receive an accounting of disclosures made for purposes of treatment, payment, and/or health care operations during a period of up to three years prior to the date of the patient’s request. (HHS has not yet issued a final regulation implementing this HITECH Act provision.) All requests for such access reports must be in writing.
The accounting provided by the Practice must include the following information:
1. the date of the disclosure;
2. the name of the entity or person who received the PHI and, if known, the address of such entity or person;
3. a brief description of the PHI disclosed; and
4. one of the following, as applicable:
(a) a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or
(b) a copy of a written request (if any) obtained in accordance with the HIPAA Privacy Rule concerning uses and disclosures of PHI for purposes of public policy; or
(c) a copy of a written request (if any) from the Secretary of Health and Human Services to investigate or determine the Practice’s compliance with HIPAA.
Generally, the Practice must respond to a patient’s request for an accounting within 60 days of receiving the request.
D. Restrictions on Uses and Disclosures
A patient has the right to request restrictions on certain uses and disclosures of PHI. The Practice will consider each request, but the Practice is not required to agree to the restriction, with one exception: the Practice must agree to restrict disclosure of PHI to a health plan for payment or health care operations where the patient (or someone on the patient’s behalf) has paid out of pocket in full for the item or service. Requests for restrictions must be submitted in writing to the Practice.
E. Confidential Communications
A patient has the right to receive confidential communications of PHI from the Practice by alternative means or at alternative locations. The Practice is required to accommodate any reasonable request a patient makes. Requests must be submitted in writing to the Practice.
F. Notice of a Breach
A patient has a right to receive a breach notification that complies with applicable Federal and State laws and regulations in the event of a breach of unsecured PHI. The Practice shall provide such notice in accordance with the Practice’s Breach Notification Policy and all applicable laws.
G. Complaints
If a patient wishes to make a complaint concerning the Practice’s privacy policies, procedures, or violations thereof, the patient will be asked to submit the complaint in writing to the Practice for investigation and resolution. Patients also can file complaints with the Office for Civil Rights of the U.S. Department of Health and Human Services.
H. Retaliation and Waiver
Neither the Practice nor any member of its staff may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual who exercises his/her privacy right. In addition, neither the Practice nor any member of its staff may require an individual to waive his/her privacy rights in order to receive treatment, or otherwise in connection with his/her payment, enrollment in a health plan or eligibility for benefits.
X. Training and Enforcement
Pursuant to HIPAA, the Practice is required to train its staff on privacy requirements, policies and procedures. To this end, each current member of the Practice’s staff must read these Policies and complete and sign the Practice Staff Acknowledgement Form attached at the end, and each new hire must do so within a reasonable period of time after joining the Practice. The Acknowledgement Form will be maintained by the Practice to help demonstrate its HIPAA compliance. In the event that the functions of a staff member are affected by a material change in the policies and procedures required by the HIPAA Privacy Rule, the Practice will train such individual(s) within a reasonable period of time after the material change becomes effective.
In the event that a member of the Practice’s staff violates any Federal or State privacy requirement or any policy or procedure of the Practice, the Practice will take appropriate action, which may include disciplinary action against the individual, up to and including termination of employment or engagement.
With respect to a patient who is a minor under Massachusetts law, all rights and responsibilities set forth in these Policies and under HIPAA shall be exercised and fulfilled by the patient’s Personal Representative, rather than by the patient him/herself.