Hopebound Mental Health, Inc. (“Company”) is subject to the Privacy Rule (as further identified below) as a “provider” and, indirectly, as a “business associate” of other “covered entities.”
“Individuals” for purposes of this Policy and the Use and Disclosure Procedures means, unless otherwise designated, (1) as provider, patients of Company (Company is an “indirect provider” if the patients of another direct care provider are referred to Company for clinical psychology services); and (2) as employer/Plan sponsor, the employees of Company.
Members of the Company’s workforce may have access to the “protected health information” (as described below) of individuals (1) as a “provider” or “indirect provider”, (2) as a “business associate” of another “covered entity,” and (3) as “Plan” and “Plan Sponsor” on behalf of Company’s Welfare Benefit Plan (“Plan”). The Company intends to fully comply with the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and its implementing regulations, including its final privacy regulation at 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”), as administered by the federal Department of Health and Human Services (“DHHS”). HIPAA restricts the Company’s use and disclosure of “protected health information” (“PHI” hereafter), as well as the use and disclosure by its “business associates”.
PHI means information that is created or received by Company or the Plan and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that tends to identify the individual directly or indirectly. PHI includes information concerning persons living or deceased.
PHI does NOT include individually identifiable health information (“IIHI”) that may be obtained and utilized in relation to Company employment matters and that is contained in Company employment records (not in health plan records). Also, PHI does NOT include individually identifiable health information which is generated and used in connection with Company employee benefits which are not included as “health plans”, hence as “covered entities”, under the Privacy Rule, including LTD, STD, Life Insurance and Workers’ Compensation Insurance.
Company adopts as a policy that all Privacy Rule issues arising in any of Company’s locations shall be referred to the Privacy Official (designated below) for resolution. Therefore, any other Company personnel receiving inquiries regarding the Notice of Privacy Practices or any related issue (whether from individuals, a hospital, or other third parties) shall not attempt to answer or address such inquiries but, rather, shall refer such inquiry to the Privacy Official.
COMPANY’S RESPONSIBILITIES AS COVERED ENTITY
I. Privacy Official
Christina Guilbeau, Chief Operating Officer of Company, will be the Privacy Official for Company.
II. Persons With Access; Workforce Training
Initially, Company has determined that the following positions (and their incumbents) will have access to PHI and will receive training:
All Company-employed and contracted therapists and other practitioners; Company’s chief executive officer Christina Guilbeau (the Privacy Official); the administrative assistant; the clerk.
Christina Guilbeau (the Privacy Official); business analyst.
III. Technical and Physical Safeguards and Firewalls
Hopebound Mental Health, Inc. has established appropriate technical and physical safeguards and procedures to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements.
Technical safeguards include limiting access to information by creating computer firewalls: PHI contained in electronic form shall only reside on personal computers used by Persons With Access, and no other computers shall have access to such information through a network or otherwise; each such computer shall have password-protected access and automatic shut-off after nonuse; users shall use reasonable means to shield computer screens when accessing PHI to keep others from viewing the screen; and PHI shall not be e-mailed unless required or it is otherwise not feasible to use paper means.
Physical safeguards include keeping PHI stored in enclosed offices with the doors locked or in locked filing cabinets, all with limited access. No papers containing PHI shall be left unattended (such as left out on a desk) unless behind locked doors in offices with restricted access. Personnel shall conduct telephone conversations involving PHI in an enclosed office behind closed doors whenever possible and otherwise lower their voices and take similar actions to prevent others from overhearing the conversation. Fax machines conveying PHI will be accessible only to Persons With Access.
Other procedures include limiting the personnel who may use and disclose PHI to the Persons With Access of the respective sectors as set forth in Article II, above. As they are further developed and coordinated with implementation features under the HIPAA Security Standard, additional or revised safeguards, including e-mail encryption if feasible, will be set forth in more detail by amendment of this section and the Use and Disclosure Procedures.
These safeguards are intended to ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for their functions, and that they will not further use or disclose PHI in violation of HIPAA’s Privacy Rule.
Patient records (“charts”) will be maintained in locked file cabinets. Website postings of daily schedules will limit PHI to the minimum necessary disclosure, and the website will be accessible only to Persons With Access (by use of passwords). All medical consultations will be in closed rooms or partially enclosed rooms with privacy panels.
IV. Privacy Notice
The Privacy Official will maintain the Plan’s Notice of Privacy Practices, which describes the uses and disclosures of PHI that may be made by Company, the individual’s rights with respect to use and disclosure of PHI, and Company’s legal duties with respect to the PHI.
The Notice informs individuals whose PHI the Company uses or discloses that the Company and certain third parties as described therein (insurers and third-party administrators) will have access to PHI in connection with the Company’s functions. The Notice also provides details of the Company’s complaint procedures specifically for HIPAA Privacy, including the name and telephone number of the Privacy Official for further information and assistance.
The Notice of Privacy Practices will be individually delivered to all employees no later than May 1st, 2020. The Notice will be delivered to direct patients at their first appointment on or after May 1st, 2020. The Privacy Official will be responsible for arranging such deliveries, acknowledgment of receipt and documentation respecting any patient who declines receipt, as required by the Privacy Rule. The Notice will be delivered on an ongoing basis after May 1st, 2020 at the time of an individual’s introduction to services involving his/her PHI; and within 60 days after a material change to the Notice. The Plan also will provide notice of availability of the Notice at least once every three years.
For individuals to whom Company is an “indirect” provider, Company will provide the Notice upon request by an individual or the direct provider. For patients referred by the [hospitals and surgical centers] in “organized health care arrangements”, the respective [hospitals and surgical centers] will be responsible for Notice distribution and documentation.
The Privacy Official is responsible for administering a process for individuals to lodge complaints about Company’s privacy procedures. A copy of the complaint procedure shall be provided to an individual upon request.
VII. Mitigation of Inadvertent Disclosures of Protected Health Information
Company shall mitigate, to the extent possible, any harmful effects that become known to it from a use or disclosure of an individual’s PHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of PHI which violates this Policy, either by another member of the Workforce or a third-party administrator or insurer, the employee may contact the Privacy Official so that the appropriate steps can be taken to mitigate the harm to the individual.
VIII. Breach Notification Requirements
The Plan will comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and its implementing regulations with respect to notifications in the event of a breach of unsecured PHI. As a result, if an employee becomes aware of a potential breach of unsecured PHI, the employee shall contact the Privacy Official. Promptly after a report of suspected breach of unsecured PHI, the Privacy Official shall direct and undertake an investigation to determine if a breach of unsecured PHI occurred and the scope of such breach. There is a reportable breach only if all of the following have occurred, as determined by the Privacy Official:
▪ There is a violation of the HIPAA Privacy Rules involving “unsecured” PHI.
▪ The violation involved unauthorized access, use, acquisition, or disclosure of unsecured PHI.
▪ The violation resulted in a significant risk of harm to the individual(s) whose unsecured PHI was involved.
▪ No exception applies under applicable law.
If the Privacy Official determines that there was not a significant risk of harm to the affected individual(s), the Plan will document the determination in writing and keep the documentation on file.
The Plan shall, following the discovery of a breach of unsecured PHI that is required to be reported, notify each individual whose unsecured PHI has been, or is reasonably believed by the Plan to have been, accessed, acquired, used, or disclosed as a result of such breach as well as the Secretary of DHHS.
For a breach of unsecured PHI involving 500 or more residents of a state or jurisdiction, the Plan shall notify prominent media outlets serving the state or jurisdiction.
For a breach of unsecured PHI involving 500 or more individuals, the Plan shall notify the Secretary of DHHS contemporaneously with the notice to affected individuals and in the manner specified on the DHHS website.
The above notices shall be provided without unreasonable delay and in no case later than 60 days after discovery of the breach and shall comply with the requirements of the HITECH Act and its implementing regulations with respect to the content and method of notification.
Breach Notification Definitions
▪ Breach. The acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA and its implementing regulations which compromises the security or privacy of the PHI. For purposes of this definition, “compromises the security or privacy of the PHI” means poses a significant risk of financial, reputational, or other harm to the individual. A use or disclosure of PHI that does not include the identifiers listed at 45 CFR § 164.514(e)(2), date of birth, and zip code does not compromise the security or privacy of the protected health information. A breach does not include any of the following:
(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under HIPAA and its implementing regulations.
(ii) Any inadvertent disclosure by a Person With Access, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under HIPAA and its implementing regulations.
(iii) A disclosure of PHI where the Plan has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
▪ Unsecured PHI. PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of DHHS in the guidance issued under Section 13402(h)(2) of the HITECH Act on the DHHS website.
IX. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.
No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.
X. Documentation and Document Retention
Company’s privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations), as well as to the implementation of the inter-related HIPAA Security Standard. Any changes to policies or procedures must promptly be documented.
If a change impacts the Notice, the Notice must promptly be revised and made available. Such change is effective only with respect to PHI created or received after the effective date of the Notice.
Company shall document certain events and actions (including direct patients’ declining the Notice, as well as authorizations, requests for information, sanctions, and complaints) relating to an individual’s privacy rights. The documentation of any policies and procedures, actions, activities and designations may be maintained in either written or electronic form. Company will maintain such documentation for at least six years, beginning May 1st, 2020.
POLICIES ON USE AND DISCLOSURE OF PHI
I. Use And Disclosure Defined
Company will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:
Disclosure and/or utilization of individually identifiable health information (“IIHI”) by any Persons With Access of Company, by Company as a Business Associate, or by a Business Associate (defined below) of Company.
II. Workforce Must Comply with Company’s Policy and Procedures
All Persons with Access must comply with this Policy and with Company’s HIPAA Use and Disclosure Procedures, which are set forth in a separate document.
III. Access to PHI Is Limited to Certain Employees
As set forth in Article II, above, only the Persons with Access (including the Privacy Official and others identified as Persons with Access) shall have regular access to and use of PHI.
On the Provider side, Persons With Access may use and disclose PHI for Company “treatment, payment or health care operations”. On the Plan side, Persons With Access may use and disclose PHI for Plan Administrative Functions, but the PHI disclosed must be limited to the minimum amount necessary to perform the Treatment, Payment and Health Care Operations (“TPO”) or Administrative Functions as defined in the Privacy Rule. Persons With Access may not generally disclose PHI to employees (other than other Persons With Access) unless an authorization is in place or the disclosure otherwise complies with this Policy and the Company’s HIPAA Use and Disclosure Procedures.
IV. Permitted Uses and Disclosures: Treatment, Payment and Health Care Operations
See the Notice of Privacy Practices.
V. Mandatory Disclosures of PHI to Individual and DHHS
An individual’s PHI must be disclosed as required by HIPAA in two situations:
• The disclosure is to the individual who is the subject of the information (see the policy for “Access to Protected Health Information and Requests for Amendment” below); and
• The disclosure is made to DHHS for purposes of enforcing HIPAA.
VI. Permissive Disclosures of PHI for Legal and Public Policy Purposes
PHI may be disclosed in the following situations without an individual’s authorization, when specific requirements are satisfied. Company’s HIPAA Use and Disclosure Procedures will describe specific requirements that must be met before these types of disclosures may be made, including prior approval of Company’s Privacy Official. The permissive disclosures as set forth in the Privacy Rule are:
• about victims of abuse, neglect or domestic violence;
• for judicial and administrative proceedings;
• for law enforcement purposes;
• for public health activities;
• for health oversight activities;
• about decedents;
• about crime on Company or organized health care arrangement premises;
• for cadaveric organ, eye or tissue donation purposes;
• for certain limited research purposes;
• to avert a serious threat to health or safety;
• for specialized government functions; and
• that relate to Workers’ Compensation programs.
VII. Disclosures of PHI Pursuant to an Authorization
PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the individual. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization. The Privacy Official will have the appropriate authorization form.
VIII. Complying With the “Minimum-Necessary” Standard
HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure, as determined by the Privacy Official case-by-case, or, in the instance of routine and recurring disclosures, as set forth in Company’s HIPAA Use and Disclosure Procedures.
The “Minimum Necessary” Standard does not apply to any of the following:
• uses or disclosures made to the individual;
• uses or disclosures made pursuant to a valid authorization;
• uses or disclosures required by law; and
• uses or disclosures required to comply with HIPAA.
Minimum Necessary When Disclosing PHI. The Use and Disclosure Procedures outline policies and procedures respecting routine and recurring disclosures of PHI, designed to limit the amount disclosed to that reasonably necessary to accomplish the purpose for which the disclosure was requested. Company has analyzed routine and recurring disclosures to develop policies and procedures which it believes limit the amount disclosed to the minimum amount necessary.
Minimum Necessary When Requesting PHI. The Use and Disclosure Procedures outline policies and procedures respecting routine and recurring requests for PHI, designed to limit the amount requested to that reasonably necessary to accomplish the purpose for which the disclosure is requested.
IX. Disclosures of PHI to Business Associates
Employees may disclose PHI to Company’s business associates and allow Company’s business associates to create or receive PHI on its behalf. However, prior to doing so, employees first must obtain assurances from the business associate (in the form of written business associate agreements or addendums) that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a “business associate”, employees must contact the Privacy Official to verify that a business associate contract is in place.
A Business Associate is an entity or person who is not deemed a member of Company’s Workforce and who:
• performs or assists in performing a Company function or activity involving the use and disclosure of protected health information (including physical examinations, drug testing, other testing, claims processing or administration; data analysis, underwriting, etc.); or
• provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services to Company, where the performance of such services involves giving the service provider access to PHI.
Presently Company has identified Brentia Caldwell as a Business Associate and has entered into a Business Associate Agreement with that firm.
X. Disclosures of De-Identified Health Information and Limited Data Sets
Company may freely use and disclose de-identified health information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers under the Privacy Rule.
POLICIES ON INDIVIDUAL RIGHTS
I. Access to Protected Health Information and Requests for Amendment
HIPAA gives individuals the right to access and obtain copies of their PHI that Company (or its business associates) maintains in “designated record sets”. The Privacy Rule also provides that individuals may request to have their PHI amended. Company will provide access to PHI and will consider requests for amendment that are submitted in writing by individuals as set forth in the Notice of Privacy Practices.
A “Designated Record Set” is a group of records maintained by or for Company that includes:
(1) the enrollment, payment, and claims adjudication record of an individual maintained by or for Company or its patients; or
(2) other protected health information used, in whole or in part, by or for Company.
An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last 6 years (but after April 2003), other than disclosures:
• to carry out treatment, payment or health care operations;
• to individuals about their own PHI;
• incident to an otherwise permitted use or disclosure;
• pursuant to an authorization;
• for purposes of creation of a facility directory or to persons involved in the patient’s care or other notification purposes;
• as part of a limited data set; or
• for national security or law enforcement purposes.
Company shall respond to an accounting request within 60 days. If Company is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the individual notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.
The accounting must include the date of the disclosure of the PHI, the name of the receiving party, a brief description of the PHI disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).
The first accounting in any 12-month period shall be provided free of charge. The Privacy Official may impose reasonable production and mailing costs for subsequent accountings.
III. Requests for Confidential Communications
Individuals or another covered entity on their behalf may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, individuals may ask to be called only at work rather than at home. Such requests shall be honored if, in the sole discretion of Company, the requests are reasonable.
However, Company shall accommodate such a request if the individual clearly states that the disclosure of all or part of that information could endanger the individual. The Privacy Official has responsibility for addressing requests for confidential communications.
IV. Requests for Restrictions on Uses and Disclosures of PHI
An individual, or another covered entity on his/her behalf, may request restrictions on the use and disclosure of the individual’s PHI. It is Company’s policy to attempt to honor such requests if, in its sole discretion, the requests are reasonable. The Privacy Official is charged with responsibility for addressing requests for restrictions.
V. Requests for Amendments
An individual, or another covered entity on his/her behalf, may request amendment of his/her PHI in a designated record set. It is Company’s policy to attempt to honor such a request if, in Company’s sole discretion, the request is reasonable.
No third-party rights are intended to be created by this Policy. Company reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspirational and shall not be binding upon Company. This Policy does not address requirements under other federal laws or under state laws.
(1) Company reserves the right to amend or change this Policy (and the Use and Disclosure Procedures) at any time.
(2) No third-party rights (including, but not limited to, rights of Plan participants, beneficiaries, covered dependents, or Business Associates) are intended to be created by this Policy or the Use and Disclosure Procedures.
(3) To the extent this Policy or the Use and Disclosure Procedures establish requirements and obligations beyond those required by HIPAA, the Policy and the Use and Disclosure Procedures shall be aspirational and not binding upon Company.
(4) This Policy and the Use and Disclosure Procedures do not address requirements under other Federal laws, or under state laws.