Condensed HIPAA Explanation and Policies
The HIPAA rules are designed to protect the Private Health Information (PHI) of our patients. There are several explanations and policies that, by law, you must know and agree to.
- We are prohibited from using (within the Company) or disclosing (outside of the Company) PHI without patient authorization unless such use or disclosure falls within an exception.
- THE MOST NOTABLE EXCEPTIONS ARE TO CARRY OUT TREATMENT, PURSUE PAYMENT, OR IMPROVE MANAGEMENT OF THE COMPANY.
- We are permitted to use and disclose a patient’s health information without obtaining the patient’s consent or authorization for the purposes set forth below.
Permitted Uses and Disclosures
- For the Company’s treatment, payment or health care operations.
- Required by law.
- Public health activities.
- Health oversight activities.
- Information regarding decedents.
- Cadaveric organ, eye or tissue donation purposes.
- Research.
- To avert serious threat to health or safety.
- Specialized government functions.
Permitted Disclosures
- Subject to certain limitations, disclosures for the treatment, payment or health care operations of a third party.
- Victims of abuse, neglect or domestic violence.
- Judicial and administrative proceedings.
- Law enforcement purposes.
- Workers’ compensation.
- It is our policy to obtain a release of information from the patient at intake.
- Examples of inappropriate uses of patient private health information include:
  - A health care professional accessing or using the health information of patients they are not treating or assisting others in treating.
  - Accessing/using medical records or the Company’s computer system to determine whether an individual (e.g., coworker, relative, celebrity, etc.) is receiving treatment when there is no legitimate reason to have such knowledge.
  - Using the medical record of a member of the Company’s personnel to verify they were really sick, had a worker’s compensation injury, etc.
- Others Involved in Patient’s Care. We may disclose to a family member, other relative or a close personal friend of the patient, or any other person identified by the patient, health information directly relevant to such person’s involvement with the patient’s care or payment related to the patient’s health care. We are permitted to orally inform the patient of, and obtain the patient’s oral agreement or objection to, the use or disclosure.
- Before releasing information to a person covered by this category, we must either:
  - obtain the patient’s agreement; or
  - provide the patient with the opportunity to object to the disclosure, and the patient does not object to the disclosure; or
  - reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.
- Examples of situations in which we can “reasonably infer from the circumstances” that the patient doesn’t object to the disclosure include:
  - When a spouse is present when treatment is being discussed with the patient; or
  - When a colleague or friend has brought the patient to us for treatment and the patient allows them to come into the examination room.
- When we use or disclose PHI or an authorized person requests PHI, we must make reasonable efforts to limit the information to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.
- THIS MINIMUM NECESSARY STANDARD, HOWEVER, DOES NOT APPLY TO, AMONG OTHER THINGS, DISCLOSURES TO, OR REQUESTS BY, OTHER HEALTH CARE PROVIDERS FOR TREATMENT.
- Clinical, billing, and management employees have rights to access the patient files in order to perform their work. However, employees must refrain from using or disclosing patient health data unless they are helping that patient.
- No employee is allowed to disclose (orally, or by fax or mail) PHI unless it is to the patient, the patient’s health care providers, the patient’s insurance company or designated payor, the patient’s legal caregiver, or direct family members of the patient (that are known to be involved in the patient’s care).
- No information can be disclosed to a patient’s employer without written authorization from the patient.
- If an unauthorized disclosure occurs, YOU MUST CONTACT THE PRIVACY OFFICER IMMEDIATELY. The privacy officer for McLain Surgical Arts is Sarah Jimerson: 256-429-3411.
- All employees are responsible for keeping PHI secure; this includes all information in the medical record. Do not yell or broadcast PHI in or near the reception area.
- Patients are allowed to have copies of their file for a nominal photocopy fee. The file must first be reviewed by the treating practitioner and the Facility Manager.
- Patients have the right to place reasonable restrictions on disclosures of their information. All restrictions have to be approved and accepted by the Privacy Officer.
- If another health care provider’s office seems concerned about our HIPAA compliance, or we are concerned about another provider’s HIPAA compliance, the Privacy Officer can implement a signed Business Associate Contract with that other party to ensure HIPAA compliance is understood and agreed to.
- If we remotely access electronic PHI (EPHI), we will do so in a manner that is secure and consistent with the permissions granted by the patient.