RACHELS HOME CARE – DATA PROTECTION & HIPAA COMPLIANCE

CLICK HERE TO GO TO HOME PAGE

Effective Date of This Revision:September 01, 2020
HIPAA Chief Privacy OfficerResponsible Department: Compliance
Contact:Rachel Namutebi
642 West Street Wrentham MA, 02093
+1(617) 584-3822

 

Applies to:OfficersStaff/ FacultyStudent cliniciansVolunteers
Other agentsVisitorsContractors

 

I              PURPOSE

 

Provide guidance to Rachels Home Care Services regarding the release of protected health information (PHI) for purposes requiring an individual’s authorization. The individual has the right to revoke the authorization at any time.

 

“Rachels Home Care Services” may not condition the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except under very limited circumstances,

 

II            POLICY

 

It is the policy of “Rachels Home Care Services” to compliance with all federal and state regulation regarding the use and disclosure of PHI and to allow disclosure of patient PHI without a patient authorization only for the purposes of treatment, payment and healthcare operations or as otherwise allowed by the Privacy Regulations or under other state and federal law

 

  1. Authorization Not Required:

 

Authorizations are not required for the following uses and disclosures. All other uses and disclosures require an authorization, unless other state or federal law mandates the specific use or disclosure.

 

o  Summary of Health Information to Plan Sponsor

o  Enrollment/Disenrollment information to Plan Sponsors

o public health

o  victims of abuse

o  health care oversight

o judicial and administrative proceedings,

o law enforcement,

o about individuals who have been deceased for over 50 years

o cadaveric organ, eye or tissue donation purposes

o research (under certain conditions) avert serious threat to health or safety

o specialized government functions

o  workers compensation

  1. Authorization Required

 

Authorizations are required for the following uses and disclosures. Some use and disclosure purposes also have specific individual requirements. Authorizations are not to be used to circumvent prohibited uses and disclosures, such as for the sale of PHI.

 

III PROCEDURE

“Rachels Home Care Services” must obtain a valid authorization for certain uses and disclosures and has adopted specific authorization forms for use when releasing or requesting PHI for purposes that require authorizations.

 

For disclosures made in response to a valid authorization, “Rachels Home Care Services” will disclose the information to the extent specified in the authorization. When requesting PHI that requires an authorization to use/disclose, “Rachels Home Care Services” will request the minimum amount of information needed to meet the purpose of the request.

 

  1. Authorizations
  1. “Rachels Home Care Services” may use and disclose PHI when a valid authorization is
  2. For requests for authorization initiated by “Rachels Home Care Services”, all units must use “Rachels Home Care Services” standardized authorization form, Authorization for Release of Information, which can be accessed at the following website: [insert] All sections must be complete. Changes or variations to the authorization forms must be approved by “Rachels Home Care Services” ‘s Privacy Officer. Treatment may not be conditioned on obtaining the authorization (unless related to approved research clinical trial). 
  3. If the authorization was received from the individual or third party, determine the validity of the authorization. The following elements must be present:
    1. A description of the specific information to be used or disclosed.
    2. Name of the specific person or entity authorized to disclose the information.
  1. The date, event or condition upon which the authorization will expire.
  2. The individual’s signature and date.
  3. A description of the personal legal representative’s authority to sign, if applicable.

 

  1. A statement that treatment may not be conditioned on obtaining the authorization, unless it is research related and disclosure of the information is for the particular research study. If for purposes of research, where treatment may be conditioned on obtaining the authorization, a statement about the consequences of refusing to sign the authorization.

 

  1. A statement in which the individual acknowledges that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by federal privacy law.
  1. If the authorization is for marketing purposes and the marketing is expected to result in direct or indirect remuneration to “Rachels Home Care Services” from a third party, a statement of this fact.
  1. Defective Authorizations

An “authorization” is not considered valid if it has any of the following defects:

  1. The expiration date has passed.
  2. The form has not been filled out completely.
  1. The form lacks any required element.
  2. The information on the form is known by “Rachels Home Care Services” to be false.
  1. Treatment was conditioned upon obtaining the authorization (except for research purposes).
  1. Legal Representatives

If the authorization is signed by a legal representative or other person authorized to act for the individual, the request must be accompanied by documentation of the representative’s legal authority to act on behalf of the individual.

  1. Revocation of Authorization

A patient who has executed an authorization for disclosure or use of individual health information may revoke the authorization at any time by sending a written notice to

“Rachels Home Care Services” as described in “Rachels Home Care Services” ‘s Notice of Privacy Practices.

  1. The written notice must refer to the specific authorization being revoked (e.g.,“my authorization of January 27, 2002”) and be signed and dated by the individual or his or her legal representative.
  1. The revocation becomes effective upon receipt by “Rachels Home Care Services”, with the exception of uses or disclosures made by “Rachels Home Care Services” prior to receipt.
  1. For Research-Related Health Information
  1. The core elements of an authorization as described below may be combined with the informed consent to participate in the research.
  1. An authorization for a research study may be combined with another authorization or other written permission for the same or another research study.
  1. “Rachels Home Care Services” may use and disclose for a specific research study, PHI that is created or received before and after HIPAA’s compliance date (April 14, 2003), and/or prior to the new authorizations being implemented, as long as some other express legal permission to use and disclose the information for the research study was obtained.
  1. Archived information may continue to be used and disclosed for the research study if an individual had originally signed an informed consent to participate in the research study, or IRB waived informed consent, in accordance with the Common Rule or FDA’s human subject protection regulations.
  1. An accounting of all disclosures made under an authorization must be documented and maintained. See “Rachels Home Care Services” policy, 00-01-15-20:00, Accounting of Disclosures of Health Information.
  1. Authorization for Release to Third Party:

If “Rachels Home Care Services” receives a request from a third party for release of PHI for other than treatment, payment, healthcare operations or as otherwise authorized by law or for public interest purposes exempted from authorization, the request will be routed to (specify position or department). The [specific “Rachels Home Care Services” authority] will review the request and determine if a specific authorization is needed.

  1. The (specify position or department) will review the request and determine if specific authorization is required.
  1. If specific authorization is required, the specify position or department) will contact the patient, plan member or authorized representative in a written letter explaining the nature of the request for release and send the appropriate authorization form with the letter.
  1. The letter will state that if authorization is granted by an authorized personal representative, the returned authorization form needs to be accompanied by appropriate documentation validating the personal representative has the authority to represent the patient or the member.
  1. If authorization is granted, the (specify position or department) will notify the third party requesting the information that authorization has been granted and will include requested information with the letter.
  1. If the patient, plan member or authorized personal representative denies release, the (specify position or department) will notify the third party requesting the information that authorization has been denied by the patient, plan member or authorized personal representative. Notification will be in writing.
  1. All letters and signed acknowledgement forms shall become part of the patient or plan member’s permanent record.

 

  1. “Rachels Home Care Services” Request for Third Party Release of Information:

If “Rachels Home Care Services” requires access to third party PHI for purposes other than treatment, payment, healthcare operations, as allowed by law or for public interest purposes exempted from authorization, the workforce member will first document the need and purpose for release.

  1. The appropriate authorization form will be mailed or transmitted to the third party specifying in as much detail as possible the PHI requested accompanied by a letter specifying the reason for the release of PHI.

 

  1. The “Rachels Home Care Services” authorized workforce member will follow up by phone with the third party if no response has been received within two weeks from the date of the request.

The phone call will be documented and become a part of the patient or plan member’s

permanent record.

  1. If the authorization is granted and the PHI forwarded to “Rachels Home Care Services” the released PHI shall only be used for the purposes documented. The authorization form received from the third party shall become part of the patient of plan member’s permanent record.
  1. If the authorization is denied, the request will be forwarded to (specify position or department) for review and to make a determination if “Rachels Home Care Services” intends to contact the specific patient or plan member to directly request authorization.
  1. If it is determined the PHI requested is critical, (specify position or department) will contact the patient or plan member in writing detailing the information requested and the reason for the release of PHI. The letter will be accompanied with the appropriate authorization form.
  1. If authorization is granted, (specify position or department), the third party will be contacted in writing. The letter to the third party shall be accompanied by a copy of the completed authorization request.
  1. If the authorization is denied, all documentation will become part of the patient or member’s permanent record and “Rachels Home Care Services” will be required to take appropriate action depending on the situation. This could include doing nothing, proceeding with the activity the information is to be released for without the requested PHI or, if the purpose of release is directly related to legal action, pursue obtaining a subpoena demanding release of specified information.
  1. “Rachels Home Care Services” Request for Individual Authorization to Release Information:

If “Rachels Home Care Services” requires access to an individual’s PHI for purposes other than treatment, payment, healthcare operations, as allowed by law or for public interest purposes exempted from authorization, the workforce member will first document the need and purpose for release.

  1. The appropriate authorization form will be mailed or transmitted to the individual specifying in as much detail as possible the PHI requested accompanied by a letter specifying the reason for the release of PHI.
  1. The “Rachels Home Care Services” authorized workforce member will follow up by phone with the individual if no response has been received within two weeks from the date of the request. The phone call will be documented and become a part of the patient or plan member’s permanent record.
  1. If the authorization is granted, “Rachels Home Care Services” shall only use the PHI requested for the purposes documented. The authorization form received from the individual shall become part of the patient or plan member’s permanent record.
  1. If the authorization is denied, the response will be forwarded to the original requester and this response will be recorded in the patient or plan member’s permanent record. No further action to obtain or use the information will be made by “Rachels Home Care Services”.
  1. Individual Authorization to Release Information:

 

An individual can request “Rachels Home Care Services” to release his/her own PHI to a third party for any purpose at any time. The individual must complete an authorization for this release, and “Rachels Home Care Services” must, in almost all cases, honor the request.

  1. The individual must complete the appropriate authorization form specifying in as much detail as possible the PHI requested. No reason for the release is required.
  1. Any PHI release authorized by the individual must be granted. “Rachels Home Care Services” (specify position or department) will send the PHI directly to the third party upon individual request. A letter to the third party shall be accompanied by the PHI and a copy of the completed authorization request. The authorization and response letter will be documented and become a part of the patient or plan member’s permanent record.

 

DEFINITIONS:

“Rachels Home Care Services” Privacy Officer: the individual appointed by “Rachels Home Care Services” to be the HIPAA Privacy Officer under s. 164.530(a)(1) of the HIPAA Privacy Rule.

HIPAA: Health Insurance Portability and Accountability Act of 1996

Electronic Protected Health Information (ePHI): Electronic health information or health care payment information, including demographic information collected from an individual, which identifies the individual or can be used to identify the individual. ePHI does not include Students records held by educational institutions or employment records held by employers, or records for persons deceased for over 50 years.

 

Individually Identifiable Health Information (IIHI): Information that is a subset of health information, including genetic information and demographic information collected from an individual, and:

Protected Health Information (PHI): Individually identifiable health information or health care payment information maintained or transmitted in any medium, including demographic information collected from an individual, which identifies the individual or can be used to identify the individual. PHI does not include students records held by educational institutions or employment records held by employers, or records for persons deceased for over 50 years.

Treatment: the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.

 

Payment: the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to:

Operations: certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of “health care operations” at 45 CFR 164.501, include:

 

 

 

 

 

 

Related Policies:

Reference:

“Rachels Home Care Services” Confidentiality Agreement

HIPAA Final Privacy Rule, 45 CFR Parts 160 and 164, Department of Health and Human Services, https://www.hhs.gov/hipaa/for-professionals/privacy/index.html, August 14, 2002.

 

HIPAA Omnibus Rule, revisions to 45 CFR Parts 160, and 164, Department of Health and Human Services, http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf, January 25, 2013.

How We are dealing with The COVID-19 Pandemic
X
Skip to content