Privacy Policy Prototype

Privacy Policy for _________________, MD
                         [Address, City, State]

Purpose:

This privacy policy is adopted to ensure that Dr. (Name)                      and his/her staff protect patient privacy in this practice. Dr. (Name)                                and the staff consider it their duty to prevent the unlawful disclosure of protected health information (PHI) and to educate patients and/or their personal representatives (when authorized) about their privacy rights under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and state confidentiality laws.

Effective date:   (Date)                   

Privacy Officer:

(Name)                      is the privacy officer. Duties of the privacy officer include: 

• Ensure that the Privacy Policy is in compliance with federal and state confidentiality laws;
• Ensure that the Privacy Policy is kept current;
• Train employees about the Privacy Policy; 
• Designate who will maintain the Non-routine PHI Disclosure Logs; 
• Together with the practice manager, maintain the Workforce Access to PHI list;
• Maintain Business Associate agreements; 
• Assist patients who wish to file a formal complaint if they believe their privacy rights have been violated;
• Sanction employees who violate the Privacy Policy.

Any questions about this practice’s Privacy Policy should be addressed to (Name)                   , privacy officer.

Staff training and awareness:

All physicians and members of the workforce will be trained on the policies and procedures governing Protected Health Information (PHI) and how this practice will comply with the Privacy Act. Staff and physician participation in the training will be documented (date and subject matter). New members of the staff will be trained as part of their orientation to the practice within a reasonable period of time (60-days from the date of hire). Should any policy or procedure materially change, the privacy officer will organize an inservice program to be attended by all physicians and staff.

Workforce Access: The "Minimum Necessary" rule:

Based upon the individual staff member’s duties and job descriptions, the practice manager and privacy officer will determine how much protected health information each employee will be authorized to access. The privacy officer and practice manager will maintain Workforce Access to PHI list. [See Attachment A: Workforce Access to PHI]

Sanctions for unintentional violations of the Privacy Policy:

If the privacy officer determines that an employee unintentionally released PHI, the privacy officer and employee will review the Policy and discuss the violation. The violation will be recorded in the individual’s personnel file. Dr. (Name) will establish the number of violations that would be grounds for dismissal.

Sanctions for intentional violations of the Privacy Policy:

An intentional violation of the Privacy Policy could be automatic grounds for dismissal. Dr.
(Name) will determine the severity of violations and decide whether the subsequent consequence will be an oral or written reprimand, dismissal, or an alternate remedy.

Reminder to physician-employers: Include sanctions for unintentional and intentional violations of the Privacy Policy in your office staff employment manuals(s).

Patients’ Protected Health Information (PHI): 
use and disclosure requirements

HIPAA and state confidentiality laws permit disclosure of protected health information (PHI) for purposes of treatment, payment and health care operations (TPO). PHI is the information gathered and created by the physician(s) and staff to provide medical care and treatment to patients; this information includes documentation of symptoms, examinations, test results, diagnoses, treatment, recommended future care and treatment (plan), and billing for services rendered. PHI must be stored, retrieved and destroyed in a confidential manner.

Verification of identity:

It is the policy of this practice that the identity of anyone who requests access to PHI will be verified before any disclosure of PHI is made.

Release of PHI: When patient authorization is NOT required:

A signed authorization form is not required for the use and disclosure of protected health information when requested for treatment, payment and operations (TPO) purposes. (Optional: Even though authorization is not required, it is Dr. (Name)                 ’s policy to ask patients to sign a general consent form to verify that they agree to treatment and agree that their PHI will be released for treatment, payment and operations. Treatment is not contingent upon the patients signing this form.)

“Treatment” refers to communications related to the provision, coordination, and management of health care and related services. This includes, but is not limited to:

• Coordination with co-treaters;
• Consultation between providers; and 
• Referrals to other providers. 

NOTE: There is no limitation to communication of PHI between co-treating entities for treatment purposes which necessitate full disclosure. 

“Payment” refers to those transactions required to obtain reimbursement for health care services, including but not limited to: 

• Determining eligibility;
• Billing claims management; 
• Medical necessity review; and
• Utilization review. 

“Operations” includes a wide variety of business activities essential to the ongoing management of a medical office practice, such as (but not limited to):

• Quality improvement; 
• Performance evaluations;
• Training programs;
• Licensing;
• Credentialing;
• Medical review;
• Professional liability services;
• Legal services as they apply to business practices; and
• Auditing by appropriate entities.

NOTE: Dr. (Name)                     and staff are required by HIPAA to make reasonable efforts to use or disclose the “minimum amount of confidential information necessary” to accomplish release of information for Payment and Operations.

Release of PHI: When patient authorization IS required:

A signed, written authorization is required for non-routine, non-TPO-related disclosures of protected health information. Written patient authorization is mandatory for release of PHI to: patients*, family members or personal representatives of patients who are not directly involved in the patients’ care, attorneys, employers, schools, and life insurance companies (or any insurance company that does not pay claims). Note: This is a partial list. If you have any questions or concerns about disclosure of PHI, ask the privacy officer.

What constitutes a valid authorization form?

To be a valid authorization, the form MUST be in plain language and include:

• The name(s) of the persons who are authorized to release the PHI;
• The name(s) of the persons to whom the PHI will be disclosed;
• A description of how the PHI will be used;
• An explanation that the authorization may be revoked, unless the original authorization has already been relied upon;
• An expiration date for the authorization; and
• The patient’s or personal representative’s signature.

Medical records staff will put a copy of the signed forms in the patients’ charts and provide the patients with a copy of the same. [See Attachment B: Authorization Form]

Update the Non-routine PHI Disclosure Log:

Whenever a patient has signed an authorization for non-routine disclosure of PHI, staff members given the responsibility to maintain the patients’ Non-routine PHI Disclosure Logs should document the request. This will ensure that the log is kept current. HIPAA allows patients to request a copy of their Non-routine PHI Disclosure Log. [See Attachment C: Disclosure Log]

Psychotherapy notes*:

It is this practice’s policy to require written patient authorization for the release of any documentation related to psychiatric care and treatment (Optional policy). Documentation includes: progress notes; medication orders and management; counseling session start and stop times; modalities and frequencies of treatment; clinical test results; and summaries of diagnoses, functional status, treatment plan, symptoms, prognosis and patient progress.

Records of deceased patients

It is the policy of this medical practice that privacy protections extend to medical information of deceased patients. When records of a deceased patient are requested, staff must determine if the requesting party is authorized to obtain a copy of the PHI. Some questions to ask include:

• Was the requesting party involved in the care of the decedent and on previous occasions given access to the decedent’s PHI? 
• Is the requesting party the executor or executrix of the decedent’s estate?
• Is the requesting party the decedent’s legal personal representative?
• Is the requesting party the decedent’s next-of-kin? (e.g., wife, only child)
• Did the requesting party have durable power of attorney for health care for the decedent?

Under the HIPAA Privacy Act, “personal representatives” stand in the shoes of the deceased patient whose PHI is protected. Accordingly, authorized personal representatives have the same right to inspect and receive a copy of the PHI as the decedent did. Note that the personal representatives have the same authority to authorize the disclosure of PHI as the deceased patient did.

Once staff has determined that the requesting party is authorized to receive a copy of the decedent’s protected health information, have the individual sign an authorization form; keep a copy in the deceased patient’s chart and give the requesting party a copy of the endorsed form.

Records of unemancipated minors:

A parent, guardian, or other person legally representing an unemancipated minor’s parents, have authority to make health care decisions on behalf of an unemancipated minor patient and are entitled to protected health information.

PHI should not be released to a parent, guardian or other representative if the minor can lawfully consent to his/her own health care; or if the parent, guardian or other representative assents to an agreement of confidentiality between the health care provider and unemancipated minor.

Staff should direct any questions about the release of an unemancipated minor’s records to the privacy officer.

[Note: Physicians should check their state-specific laws about minors, consent and disclosure of PHI related to minors, emancipated or dependent. MIEC defense counsel warn physicians to carefully consider the rights of the minor and/or parents on a case-by-case basis to avoid unlawful disclosure of PHI.]

Records requiring special written authorization:

[Check your state-specific laws regarding disclosure of HIV test results, AIDS or ARC information, in-patient psychiatric records, and records that pertain to state or federally funded alcohol or drug rehabilitation programs.]

Patients' right to revoke authorization:

Patients have the right to revoke authorizations for non-routine disclosure of PHI. The revocation should be in writing. This can be accomplished with a letter to the office [or by completing a revocation form]. The revocation will not affect any actions already taken by Dr. (Name)             or his/her staff based upon the original authorization. The patient cannot revoke the authorization if it was for the purpose of obtaining insurance coverage.

Minimum necessary use and disclosure of PHI:

It is the policy of this medical practice that the minimum amount of information needed to accomplish the purpose of the request will be used or disclosed. Exceptions to the “minimum necessary” rule are:

• PHI requested for treatment purposes;
• PHI provided to the patient or authorized by the patient; and/or
• PHI requested as required by law for HIPAA compliance.

Exceptions to disclosure for TPO and the need for authorization:

The Privacy Act names some exceptions, circumstances in which a physician may disclose PHI, that do not fall into the categories of TPO and DO NOT require patient authorization for disclosure. These include:

• State reporting requirements, such as the duty to warn individuals of imminent danger from a patient; child or elder abuse; domestic violence, etc.;
• State requirements for the release of information related to Workers Compensation claims;
• Public health activities;
• Health oversight activities;
• Judicial and administrative proceedings;
• Criminal investigation by law enforcement officials;
• Decedent information needed by coroners, medical examiners, and funeral directors;
• Information necessary for cadaver, organ, eye, or tissue donation;
• Certain types of research; 
• Necessity to disclose to avert serious health or safety threat; and
• Specialized government functions.

Physical safeguards of PHI:

It is the policy of this medical practice that physical safeguards will be in place to reasonably ensure that PHI will not intentionally or unintentionally be disclosed in violation of the Privacy Act. Safeguards will include physical protection of premises and PHI, and electronic as well as administrative protection of PHI. The physician and staff will extend this protection to oral communication of PHI.

Examples of how the physician(s) and staff will ensure reasonable safeguards for individuals’ health information include:

• Speak quietly when discussing a patient’s condition with family members in a waiting room or other public area;
• Avoid using patients’ names in public hallways and elevators;
• Avoid leaving test results or other confidential information on a patient’s answering machine. Staff will leave voice messages for patients only with their permission. Staff should leave only their name, the physician’s name and the office number on answering machines or voice mail;
• Post signs to remind employees to protect patient confidentiality;
• Avoid leaving charts open where PHI can easily be read by unauthorized personnel or other patients in the office; and
• Use passwords and screen savers on computers to protect PHI when staff members are away from their desks or work areas.
• Staff members will not remove PHI from the premises.
• Medical records will be stored in non-patient access areas; the doors to these areas will be locked at night.
• All doors to the office will be locked at the close of business. Employees working in the office after business hours will ensure that any and all doors to the premises are locked before leaving.
• Keys to the office will be given to a limited number of individuals (e.g., practice manager, privacy officer, department supervisors). Should the employment status of these staff members change, the practice manager or privacy officer will ensure that the keys have been returned.

Retention of records:

It is the policy of this medical practice that records be retained for a minimum of seven to eight years for adult patients and to the age of majority, as determined by state law, for minor patients. All records will be maintained in a confidential, safe manner that ensures access within a reasonable amount of time.

The HIPAA Privacy Act requires that written policies and procedure, the accounting of disclosures, and other documentation related to PHI be retained for six years; however, the six year retention period does not govern medical records per se.

Notice of Privacy for Protected Health Information:
what all staff must know

The Notice of Privacy for Protected Health Information (hereafter referred to as the “Notice”) will be published and posted in the reception area with copies available at the reception desk. [See Attachment D: Notice of Privacy Practices for Protected Health Information] Each new patient will receive a copy of the Notice, if possible, at the first patient visit. Established patients will receive a copy at their next office visit. Dr. (Name)                   or his/her assistant will ask the patient to sign the Acknowledgment of Receipt of Notice of Privacy Practices [See Attachment E: Acknowledgment form]. The medical assistant will place a copy of the signed Acknowledgment in the patient’s chart. 

Should a new patient or established patient refuse or be unable to sign the Acknowledgment, the physician or his/her assistant will complete the Documentation of Good Faith Efforts [See Attachment F: Good Faith Efforts form] and place a copy of the completed Good Faith Efforts form in the patient’s chart.

Patients' Rights as outlined in the Notice of Privacy for PHI:

The physician(s) and staff must be familiar with patients’ privacy rights and abide by all provisions outlined in the Notice. Any questions about the Notice should be directed to the privacy officer. Patients have a right to:

1. Receive a paper copy of the current Notice;
   
   
2. Request restrictions on disclosure of their PHI;
   
   Staff member’s responsibility: Inform patients that Dr. (Name)                     is not required to agree to their restriction request, but that if the doctor agrees, s/he must make the restriction within 60 days. Ask patients to submit their request for disclosure restrictions in writing to medical records personnel, who will ask Dr. (Name)                         to respond.
   
   
3. Receive confidential PHI communications via alternative means or locations (Example: They may ask that the practice send their bills to a post office box, rather than to their home mailing address; they may request faxed or e-mailed communication.);
   
   Staff member’s responsibility: Note patients’ request in their charts or in their billing information and accommodate patients’ requests. 
   
   
4. Inspect and obtain a paper copy of their PHI;
   
   Staff member’s responsibility: Patients should be told that their requests will be processed within 30 days (or less, if compelled to do so by state law), and that they will be charged a reasonable, cost-based fee for the copies. [Check state law re: “reasonable fee.”]
   
   Note: If a patient is unable to pay the copying fee, the practice cannot withhold the information. More importantly, Dr. (Name)                  cannot withhold care and treatment because a patient has not paid his/her bill for medical services provided. Staff should discuss unpaid bills and requests for copies with the physician or office manager.
   
   
5. Request an amendment of their PHI;
   
   Staff member’s responsibility: Inform patients that Dr. (Name)                is not required to agree to such a request, particularly if the PHI was generated by someone else, or if the PHI is accurate and complete. Ask patients to submit their requests to amend their PHI in writing and include the reason for the request. If a patient requests an amendment, and the physician denies his/her request, the patient may write an objection to the denial, and require that all related communication be documented and attached to future disclosures of the PHI [See Attachment G: Request to Amend Health Information and Attachment H: denial letter].
   
   
6. Receive a list of the disclosures of their PHI for non-routine, non-TPO uses, with the exception of those made in the interest of national security or a facility’s directory (usually a hospital’s list of admitted patients);
   
   Staff member’s responsibility: Inform the patient that the list will be compiled within 60 days of the request and will include the disclosure date, recipient’s name, a description of the disclosed PHI, the purpose of the release or a copy of the authorization.
   
   
7. Revoke previous authorizations for disclosure, except to the extent the information has already been disclosed as originally permitted;
   
   Staff member’s responsibility: Once the authorization for disclosure has been properly revoked, DO NOT release any additional information to the requesting party.
   
   
8. File a formal complaint if their privacy rights were violated. The Notice tells patients how to file a complaint and reassures them that no retaliatory action will be taken against them for doing so; 
   
   Staff member’s responsibility: If a patient files a complaint for an alleged violation of the Privacy Act, no one in the practice, in anyway, will retaliate against that patient.
   
   
9. View the Notice on any website this practice develops.
   

Patients' rights to file a complaint:

If patients have questions about the practice’s privacy policy, would like additional information, or want to report a privacy-related problem, direct them to the privacy officer. It is the policy of this medical practice to investigate and resolve in a timely manner all complaints relating to the protection of health information.

If patients believe their privacy rights have been violated, anyone on staff can advise them to draft a written complaint and give it to the privacy officer, or send it by USPS, or e-mail it to the Office of Civil Rights (OCR)/Health and Human Services (HHS). Complaints must be filed within 180 days of when the patients knew or should have known that the alleged violation occurred. The Secretary of HHS may waive this 180-day time limit if good cause is shown. OCR provides further information on the OCR website about how to file a complaint.

The physician(s) and staff cannot make patients waive the right to file a complaint with OCR as a condition of receiving treatment. The physician and staff cannot retaliate against or otherwise intimidate any patient for filing a complaint for violation of patient privacy rights.

Marketing Activities:

It is the policy of this practice that any uses or disclosures of PHI for marketing activities will be done only after a patient has signed a valid authorization. The Privacy Act defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” 

This practice may not sell protected health information to a Business Associate or any other third party for that party’s own purposes. Moreover, this practice may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list. For example, it is “marketing” when: A drug manufacturer receives a list of patients from a covered health care provider, who provides remuneration to the provider, then uses that list to send discount coupons for a new anti-depressant medication directly to the patients.

Research:

[If the physician participates in any research studies, review the OCR’s guidance on “research” under the “What’s new?” section. Physicians must also be aware of state-specific laws or regulations as they apply to the use confidential health information for the purpose of research. Policies for practices that conduct research must be developed and written accordingly.]

De-identirying information for medical research:

Dr. (Name)                   occasionally contributes information to medical researchers. HIPAA allows physicians to disclose medical data only if the information has been “de-identified” (i.e., all identifiable information is removed before it is disclosed to researchers).

It is the policy of this practice that the privacy officer must review all information to be disclosed as part of a research study(ies). To de-identify PHI, the following information must be removed:

• Names;
• Street addresses;  
• Telephone and fax numbers;
• E-mail addresses; 
• Social security numbers;
• Vehicle identifiers and serial numbers; 
• Web addresses; 
• Biometric identifiers (e.g., finger-and voice-prints);
• Full face photographs and other comparable images;
• Medical record numbers, health plan beneficiary numbers, and other account numbers; and
• Device identifiers and serial numbers.

Business Associates:

Dr. (Name)                    comes into contact with and/or works with a number of persons or entities with whom he shares PHI to conduct health care operations; HIPAA considers these people or entities “Business Associates” (BA). Examples of some of this practice’s Business Associates are: the accountant, our billing company, our transcriptionist(s), our copying service, our professional liability carrier (MIEC) and our general liability insurance carrier.

It is the policy of this practice that Dr. (Name)                     and each Business Associate will enter into a Business Associate Agreement to ensure that the BAs are contractually bound to keep PHI confidential to the same degree the physician and his/her staff keep the information private. If a BA violates the signed agreement, Dr. (Name)                    will attempt to correct the problem; however, if his/her efforts fail, the agreement will be terminated and the practice will discontinue its professional relationship with the BA.

The privacy officer will maintain a list of this practice’s Business Associates. Any staff member who becomes aware of a BA’s breach of the Business Associate Agreement should notify the privacy officer immediately.

Appendix

Workforce Access to PHI  
Authorization form 
Non-routine PHI Disclosure Log  
Notice of Privacy Practices for Protected Health Information  
Acknowledgment form  
Good Faith Effort form  
Request to Amend Health Information  
Denial letter  
HIPAA Policies, Procedures and Documents: A Checklist for Providers  
Identify Your Business Associates: Guidance to Covered Entities  
Business Associate Agreement: A Checklist for Providers