Effective Date: 4/14/03
It is the policy of Southampton Healthcare, Inc. (“Practice”) to preserve the integrity and confidentiality of protected health information (“PHI”) pertaining to its Patients and to comply with the privacy regulations (45 CFR Parts 160 and 164, “Privacy Regulations”) issued by the United States Department of Health and Human Services (“HHS”) under the Health Insurance Portability and Accountability Act (“HIP AA”) and to comply with other federal and state laws applicable to such PHI.
The purpose of this policy is to ensure that the Practice provides the highest level of service to its Patients while protecting the confidentiality of our Patients’ PHI. To that end, the general policy of the Practice is to protect the confidentiality of PHI and to provide a Patient, as permitted by law, access to the Patient’s PHI. In order to achieve these goals, the Practice will take the following steps (Note: Definitions are found at Tab 13).
The Practice will designate a HIP AA Privacy Officer (“Privacy Officer”). The Privacy Officer will be responsible for development and implementation of the Practice’s HIPAA privacy policies and procedures. The Privacy Officer is identified on Exhibit A, attached hereto and incorporated herein by reference. The Privacy Officer shall serve at the pleasure of the President or until such Privacy Officer resigns or is replaced by a successor Privacy Officer.
General Safety Guards:
The Practice will implement reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and to limit incidental uses or disclosures that may occur in connection with an otherwise permitted or required use or disclosure. These safeguards will be reasonably designed to protect PHI from any intentional, or unintentional use or disclosure that is in violation of the privacy Regulations. Such safeguards are intended to safeguard protected health information from intentional or unintentional use or disclosure. The Practice will implement and take reasonable measures to adhere to and to enforce the standards set forth in the Practice’s Notice of Privacy Practices. Such measures will permit the Practice to collect, use and disclose PHI only in conformance with applicable state and federal law and shall permit the Practice’s Patients to access their PHI in accordance with such laws.
Disclosure of Information to Family Members, Friends and Other Individuals Involved in Patient’s Care:
Unless a Patient objects or requests additional privacy restrictions or alternative communications that are accepted by the Practice, the Practice may, in the exercise of professional judgment, disclose to a Patient’s legal guardian, family member, other relative, or close personal friend, PHI directly relevant to such person’s involvement with the Patient’s care or payment related to such care. The Practice may reasonably infer from the circumstances surrounding the request, or otherwise utilize the professional judgment of its staff Members and its experience with common practice to make reasonable inferences of the Patient’s best interest in disclosing PHI to an individual on behalf of a Patient.
The Practice will train all Members of its workforce on the Practice’s privacy policies and procedures. All staff shall receive such training by no later than April 14, 2003. Thereafter, new Members of the workforce will receive such training within a reasonable time after joining the workforce. Periodic training will occur for all staff when there has been a material change in the policies, procedures, or law. The Practice’s training efforts will be documented and such documents will be retained by the privacy Officer. The Practice’s training program is more fully described in the Practice’s Staff Training and Sanctions Policy.
Notice of Practice’s privacy Practices:
The Practice will provide its Patients with a Notice of the Practice’s Privacy Policies (“Notice”). The Practice will provide the Notice to each Patient no later than the date of the first service delivery, including service delivered electronically, to such Patient after April 14, 2003. In the event of an emergency, the Practice will provide the Notice as soon as reasonably practicable. The Practice will promptly revise the Notice whenever there is a material change to the uses or disclosure of PHI, the Patient’s rights, the Practice’s legal duties, or other privacy practices stated in the Notice. The Practice will make the Notice available to Patients upon request on or after the effective date of the revision. A copy of the Notice will be posted in a clear and prominent location when it is reasonable to expect Patients to be able to read the Notice in all Practice locations. The Practice will make a good faith effort to obtain a written acknowledgment of receipt of the Notice. In the event such receipt is not obtained, the Practice will document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained. The Practice may provide a Patient with an electronic copy of the Notice, provided the Patient agrees to accept an electronic copy of the Notice. If Practice becomes aware that the transmission of the electronic Notice has failed, the Practice will mail a paper copy of the Notice to the Patient. A Patient is entitled to receive a paper copy of the Notice upon request, even if the Patient has agreed to accept an electronic copy of the Notice.
Patient Inquiries and Complaints:
No Waiver of Rights:
The Practice will not require Patients to waive any rights under HIP AA, the privacy Regulation, or the Practice’s privacy policies.
Breach of Policy and Employee Sanctions:
Unless otherwise required by applicable law, documents relating to implementation and compliance with the privacy Regulations and the Practice’s Privacy Policies and procedures shall be maintained for a minimum of six (6) years in accordance with the Practice’s HIP AA Document Retention Policy.
To the extent required by applicable law and in accordance with the Practice’s Authorization Policy, the Practice will obtain an authorization prior to disclosing any PHI, other than for treatment, payment or Health Care Operations purposes.
Access, Amendment and Accounting:
In accordance with the privacy Regulations and the Practice’s Policy governing Patient’s Rights to Protected Health Information, the Practice will implement a procedure to allow Patients to access their PHI within a reasonable time after filing a written request. The Practice acknowledges the right of its Patients to receive an accounting of disclosures of the Patient’s PHI by the Practice and the Practice will provide an accounting of such disclosures in accordance with applicable law. The Practice will also implement a procedure that permits a Patient to request an amendment to the Patient’s PHI in accordance with applicable law.
Additional Privacy Protections & Specific Communication Requests:
In accordance with applicable law and the Practice’s policy governing Patient’s Rights to Protected Health Information, the Practice will establish a procedure that permits a Patient to request that additional confidential treatment be accorded to the Patient’s PHI. Such procedures will permit the Patient to request that the Practice further restrict the use and/or disclosure of such Patient’s PHI, including restricting disclosure to specific individuals. The procedure will also permit the Patient to request that future communications concerning the Patient’s PHI be made in a particular manner or to a specific address. The Practice will respond to the Patient’s request for additional privacy requests within a reasonable time after receiving the written request from the Patient.
The Practice shall implement procedures governing permitted disclosures and requests for a Patient’s PHI to ensure such disclosures or requests comply with the Minimum Necessary Standard set forth in the Privacy Regulations. Such disclosures and requests shall be governed by the Practice’s Minimum Necessary Policy.
The Practice shall enter into business associate agreements with all third parties that meet the definition of “Business Associate” set forth in the Privacy Regulations. The Business Associate Agreement will require the third party to provide assurances with respect to the confidential treatment to be accorded PHI disclosed by the Practice and will prohibit the Business Associate from using or disclosing the PHI in any manner prohibited by the Privacy Regulations. The terms and conditions governing Business Associate relationships are more fully described in the Practice’s Business Associate Policy.
Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.
We will collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.
We will only retain personal information as long as necessary for the fulfillment of those purposes.
We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.
Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date.
We will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
We will make readily available to customers information about our policies and practices relating to the management of personal information.
We are committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained.