Privacy Policy

PATIENT PRIVACY RIGHTS
Policy No. 6-004

PURPOSE

To encourage awareness of patient privacy rights and CARE MOUNTAIN’s legal duties with respect to these rights and the use and disclosure of protected health information (PHI).

POLICY

CARE MOUNTAIN will respect and safeguard all protected health information of the patients it serves.

Each patient will be provided with information about his/her privacy rights at the time of admission to CARE MOUNTAIN.

To assist with fully understanding patient privacy rights and responsibilities, all policies will be available to the organization’s personnel, patients, and their representatives as well as other organizations and the interested public.

Definition:

Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual in ANY form (verbal, written, electronic). This is interpreted rather broadly and includes any part of a patient’s medical record or payment history. Examples of identifiers are: names, all geographical identifiers smaller than a state (except for the initial three digits of a zip code), dates (other than year) directly related to an individual, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health insurance beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers including license plate numbers, device identifiers and serial numbers, web Uniform Resource Locators (URLs), Internet Protocol (IP) address numbers, biometric identifiers, including finger, retinal and voice prints, full face photographic images and any comparable images, and any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data.

PROCEDURE

  1. The patient will be provided with information about his/her privacy rights in the organization’s Notice of Privacy Practices, which will be given to the patient during the admission visit. The patient’s privacy rights include:
    1. A right to adequate notice of the uses and disclosures of protected health information that may be made by CARE MOUNTAIN. (See “Notice of Privacy Practices” Addendum 6-004.A.)
    2. A right to request privacy protection for protected health information. (See “Patient Requests for Privacy Restrictions” Policy No. 6-011 and “Patient Requests for Confidential Communication” Policy No. 6-012.)
    3. A right of access to inspect and retain a copy of his/her protected health information. (See “Patient Requests for Access to PHI” Policy No. 6-013.)
    4. A right to request that the organization amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set. (See “Patient Requests to Amend PHI” Policy No. 6-014.)
    5. A right to receive an accounting of disclosures of protected health information made by CARE MOUNTAIN in the six (6) years prior to the date on which the accounting is requested. (See “Patient Requests for Accounting of PHI Disclosures” Policy No. 6-015.)
  2. CARE MOUNTAIN will make a good faith effort to obtain the patient’s written acknowledgment of receipt of this notice. A separate signature/initials line for this acknowledgment may be located on the consent form. If an acknowledgment cannot be obtained, the admitting clinician will document his/her efforts to obtain the acknowledgment and the reason why it was not obtained in the clinical note.
    1. The notice will be promptly revised and distributed whenever there is a material change to the uses or disclosures, the individual’s rights, organization’s legal duties, or other privacy practices stated in the notice. A material change to any term of the notice will not be implemented prior to the effective date of the revised notice, unless required by law.
    2. CARE MOUNTAIN will prominently post the notice and make the notice available through its website.
    3. The patient’s legal representative may exercise the patient’s rights when a patient is incompetent or a minor.
    4. When a patient has questions about his/her privacy rights, requests additional information, or would like to exercise one (1) of these rights, he/she will be referred to the appropriate individual or office designated by CARE MOUNTAIN on the Notice of Privacy Practices.
  3. Interactive home telehealth patients will be assured of the following:
    1. Patient will not be viewed through video or heard through audio without his/her knowledge and prior written consent.
    2. When other staff members enter the telehealth viewing area, the patient will be immediately informed and his/her verbal consent obtained in order for the additional staff member to participate or view the interactive home telehealth encounter.
    3. In the event that an additional remote site is participating in the interactive telehealth encounter, the patient will be made aware of and approve the participation of the additional site.
    4. Patient photographs will not be utilized without the patient’s specific permission. Patient will sign a consent to photograph.

ADDENDUM 6-004.A
NOTICE OF PRIVACY PRACTICES

GUIDELINES FOR DEVELOPMENT OF A NOTICE OF PRIVACY PRACTICES

A Notice of Privacy Practices should be written in plain language and contain the following elements:

  1. The following statement placed as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

  2. Information regarding uses and disclosures:

    1. A description, including at least one (1) example, of the types of uses and disclosures that the organization is permitted to make for each of the following purposes: treatment, payment and health care operations *

    2. A description of each of the other purposes for which the organization is permitted or required to use or disclose protected health information without the patient’s consent or authorization *
      *Note: When use or disclosure for any purpose in 2A or 2B is prohibited or materially limited by any other applicable law, the notice will reflect the more stringent law.

      The descriptions will include sufficient detail to put the patient on notice of the uses and disclosures that are permitted or required by applicable law.

    3. A statement that other uses and disclosures will be made only with the patient’s or legal representative’s written authorization and that the patient may revoke the authorization at any time. (See “Authorization for Use or Disclosure of PHI” Policy No. 6-008.)

  3. Separate statements of uses and disclosures related to the following activities:

    1. That the organization may contact the patient to raise funds for the organization

    2. That the organization may contact the patient to provide appointment reminders or information about treatment alternatives or other related benefits and services that may be of interest to the patient

  4. A statement of the patient’s rights with respect to protected health information and a brief description of how the patient may exercise those rights:

    1. The right to request restrictions on certain uses and disclosures of protected health information, including the statement that CARE MOUNTAIN is not required to agree to a requested restriction

    2. The right to receive confidential communications of protected health information

    3. The right to inspect and copy protected health information

    4. The right to amend protected health information

    5. The right to receive an accounting of disclosures of protected health information

    6. The right to opt out of receiving fundraising communications

    7. The right to restrict disclosures of protected health information to a health plan where the individual paid out of pocket in full

    8. The right to obtain a paper copy of the notice upon request (see “Patient Privacy Rights” Policy No. 6-004)

  5. A statement of the organization’s duties with respect to maintaining privacy of protected health information:

    1. That the organization will, as required by law, maintain the privacy of protected health information and provide patients with notice of its legal duties and privacy practices.

    2. That the organization will notify affected individuals following a breach of unsecured protected health information.

    3. That the organization will abide by the terms of the notice currently in effect.

    4. That the organization reserves the right to change the terms of its notice and make the new notice provisions effective for all protected health information that it maintains. The notice will describe how the new notice will be provided to individuals.

  6. A statement that the patient may complain to CARE MOUNTAIN and to the Secretary of the Department of Health and Human Services if he/she believes his/her privacy rights have been violated, instructions on how to file the complaint, and a statement that the patient will not be retaliated against for filing a complaint

  7. The name, or title, and telephone number of a person or office to contact to file a complaint or to obtain further information about matters covered in the notice

  8. The date on which the notice is first in effect, which will not be earlier than the date on which the notice is printed or otherwise published

MINIMUM NECESSARY USES OF PHI
Policy No. 6-005

PURPOSE

To assure that patients’ right to privacy is protected by limiting the protected health information (PHI) available to personnel for use.

POLICY

CARE MOUNTAIN personnel will only have access to the minimum necessary protected health information to accomplish the intended purpose of the use.

PROCEDURE

  1. CARE MOUNTAIN will identify those personnel or classes of personnel who need access to protected health information to carry out their duties.
  2. CARE MOUNTAIN will specify in writing the category or categories of protected health information to which access is needed for personnel or classes of personnel. CARE MOUNTAIN will also specify any conditions for access.
  3. CARE MOUNTAIN will not permit personnel or classes of personnel to access an entire clinical record, except when the entire clinical record is specifically justified as the amount that is reasonably necessary to carry out their duties.
  4. Personnel will receive training related to the protected health information they may access and any conditions to that access. Training will be provided during orientation, whenever job duties change requiring access to different categories of protected health information, and at other times, as needed.
  5. Reasonable efforts will be made to ensure that personnel access only the minimum necessary information needed to carry out their duties.

MINIMUM NECESSARY DISCLOSURES OF PHI
Policy No. 6-006

PURPOSE

To assure that patients’ right to privacy is protected by limiting the protected health information (PHI) disclosed.

POLICY

CARE MOUNTAIN will limit the amount of protected health information that is disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.

PROCEDURE

  1. For all disclosures, CARE MOUNTAIN will:

    1. Develop criteria to limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.

    2. Review requests on an individual basis in accordance with the criteria.

  2. CARE MOUNTAIN may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for a stated purpose when:

    1. Making permitted disclosures to public officials, if the public official represents that the information requested is the minimum necessary for the stated purpose(s).

    2. The information is requested by another covered entity.

    3. The information is requested for the purpose of providing professional services by a professional who is a member of the organization’s workforce or a business associate and the professional represents that the information requested is the minimum necessary for the stated purpose(s).

    4. Making disclosures for research purposes, as permitted by law.

  3. CARE MOUNTAIN will not disclose an entire clinical record, except when the entire clinical record is specifically justified as the amount that is reasonably necessary to achieve the purpose of the disclosure.

USES AND DISCLOSURES OF PHI
Policy No. 6-007

PURPOSE

To safeguard protected health information (PHI) against unauthorized use.

POLICY

Protected health information will be used and disclosed according to the guidelines set forth in the organization’s Notice of Privacy Practices. (See “Patient Privacy Rights” Policy No. 6-004 and “Notice of Privacy Practices” Addendum No. 6-004.A.)

PROCEDURE

  1. CARE MOUNTAIN may:
    1. Use or disclose protected health information to the patient.
    2. Use or disclose protected health information to carry out its own treatment, payment or health care operations.
      1. Patients will not be discussed by clinical or non-clinical personnel outside of the context of professional conversation regarding the patient’s condition and care.

      2. Comments and conversations relating to patients made by physicians, nurses or other organization personnel will be made in confidential settings. It will be standard, acceptable and necessary practice to share information with other members of the care team. The decision to share information can be aided by considering the intent of the discussion.

      3. Patient information and clinical record documents will not be left in open, public areas during business hours and will be secured after business hours. (See “Safeguarding/Retrieval of Clinical Record” Policy No. 6-020.)

    3. Disclose protected health information for treatment activities of a patient’s health care provider.
    4. Disclose protected health information to another covered entity or health care provider for its payment activities.
    5. Disclose protected health information to another covered entity for health care operations activities of the entity or for the purpose of health care fraud and abuse detection or compliance. Each entity must either have or have had a relationship with the patient who is the subject of the protected health information being requested, and the protected health information must pertain to such relationship.
    6. A patient may request a restriction of uses and disclosures of his/her protected health information. (See “Patient Requests for Privacy Restrictions” Policy No. 6-011.)
  2. CARE MOUNTAIN will obtain a valid authorization from the patient to use or disclose protected health information (see “Authorization for Use or Disclosure of PHI” Policy No. 6-008):

    1. In psychotherapy notes

    2. For marketing activities

    3. For other uses and disclosures as required by law

  3. Law enforcement inquiries

    1. Police or investigative agencies’ requests for information will not be complied with unless the patient or his/her legal representative has given specific authorization for release of information or a court order or subpoena is presented.

    2. Exception: If CARE MOUNTAIN is acting as an organization of the police department to assist them in gathering data or treating a patient they have referred.

  4. Request for original record by the court under subpoena

    1. The Clinical Records Supervisor will designate a staff member to carry the original record to the court-designated location. The staff member will stay with the record at all times. The court will copy the record and the staff member will return to the organization with the original record.

AUTHORIZATION FOR USE OR DISCLOSURE OF PHI
Policy No. 6-008

PURPOSE

To delineate the process for obtaining patient authorizations to use or disclose protected health information (PHI). To ensure that CARE MOUNTAIN’s use or disclosure of protected health information is consistent with the authorization obtained.

POLICY

PROCEDURE

  1. The designated organization personnel will prepare the Authorization For Use or Disclosure of Information Form.

  2. A valid authorization will contain the following elements and will be written in plain language:

    1. A description of information to be used or disclosed that identifies information in a specific and meaningful way
    2. Name or other specific identification of the person(s) or class of person(s), authorized to make the requested use or disclosure

    3. Name or other specific identification of the person(s) or class of person(s), to whom the organization may make the requested use or disclosure

    4. A description of each purpose of the requested use or disclosure

    5. An expiration date or expiration event that relates to the patient or the purpose of the use or disclosure

    6. Signature of the patient and date. If the authorization is signed by a personal representative of the patient, a description of the representative’s authority to act for the patient must also be provided

    7. A statement of the ability or inability of the organization to condition treatment, payment, admission or eligibility for benefits on the authorization

  3. The clinician will explain the authorization form to the patient and family/caregiver, or legal representative.

  4. The patient and family/caregiver, or his/her legal representative will be asked to sign and date the authorization.

  5. The authorization form will be filed in the patient’s clinical record and a copy will be given to the patient.

  6. The patient has the right to refuse to sign the authorization form. If the authorization form is not signed, the clinician will document his or her efforts to obtain the signature and the reason why it was not obtained in the clinical note.

  7. The clinician will notify the Clinical Supervisor whenever the patient refuses to sign the authorization form.

  8. The designated organization personnel will carefully review the signed authorization form prior to each use or disclosure of protected health information to ensure that planned use or disclosure is consistent with the authorization.

  9. The patient may revoke in writing an authorization at any time. The revocation will be effective for uses or disclosures on or after the date of the revocation.

MINIMUM NECESSARY REQUESTS FOR PHI
Policy No. 6-009

PURPOSE

POLICY

CARE MOUNTAIN will limit the amount of protected health information that is requested to the amount reasonably necessary to achieve the purpose for which the request is made.

PROCEDURE

  1. For all requests, CARE MOUNTAIN will:
    1. Develop criteria to limit the protected health information that is requested to the amount reasonably necessary to achieve the purpose for which the request is made.
    2. Review requests on an individual basis in accordance with the criteria.
  2. CARE MOUNTAIN will not provide an entire clinical record, except when the entire clinical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the request.

PRIVACY OF HEALTH INFORMATION OF DECEASED INDIVIDUALS
Policy No. 6-010

PURPOSE

To assure that the deceased patient’s right to privacy of protected health information is safeguarded.

POLICY

PROCEDURE

  1. CARE MOUNTAIN will treat an executor, administrator, or other person who has the authority to act on behalf of a deceased patient or his/her estate, under applicable law, as a personal representative with respect to protected health information.
  2. The organization is permitted to disclose a decedent’s PHI to a family member or other individual who was involved in the care or payment for care of the decedent prior to death, so long as the disclosure is not inconsistent with any prior expressed preference of the decedent of which the covered entity is aware.
  3. The deceased patient’s personal representative will have the same privacy rights as all other patients.
  4. CARE MOUNTAIN will limit the amount of protected health information that is used or disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
  5. Health information regarding a person who has been deceased for more than 50 years is excluded from the definition of PHI.
  6. CARE MOUNTAIN may disclose protected health information to:

    1. Funeral directors, as necessary and consistent with applicable law, for them to carry out their duties with respect to the decedent. The protected health information may be disclosed prior to and in reasonable anticipation of the patient’s death when this is necessary for funeral directors to carry out their duties.

    2. A coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.

    3. A law enforcement official if CARE MOUNTAIN has a suspicion that the death may have resulted from criminal conduct.

  7. When a deceased patient’s personal representative has questions about his/her privacy rights, requests additional information, or would like to exercise one (1) of these rights, he/she will be referred to the appropriate individual designated by CARE MOUNTAIN.

PATIENT REQUESTS FOR PRIVACY RESTRICTIONS
Policy No. 6-011

PURPOSE

To delineate the process for patients to request a restriction of uses and disclosures of protected health information. To ensure that CARE MOUNTAIN’s use or disclosure of protected health information is consistent with the restrictions to which it has agreed.

POLICY

CARE MOUNTAIN will permit a patient to request restrictions on the uses and disclosures of protected health information to carry out treatment, payment or healthcare operations. The patient may also request restrictions on information shared with family members, other relatives, other persons responsible for the patient’s care and any other person identified by the patient.

CARE MOUNTAIN will ensure that it adheres to the restrictions to which it has agreed, except in any case where the restricted information is needed to provide emergency treatment. CARE MOUNTAIN will document all restrictions to which it has agreed.

PROCEDURE

  1. All requests for restrictions to uses and disclosures of protected health information will be made in writing to the position or office designated by CARE MOUNTAIN.
  2. The request will be reviewed to assess what impact it will have on the organization’s ability to carry out treatment, payment and health care operations. CARE MOUNTAIN is not required to agree to a restriction. Exception: If a patient pays for treatments out of pocket and requests the organization not to share protected health information with their health plan, the organization will comply with that request.
  3. All agreements to restrictions will be documented in the patient’s clinical record.
  4. The organization personnel responsible for authorizing the restriction will communicate the agreement to the Clinical Supervisor responsible for the patient’s care.
  5. CARE MOUNTAIN may terminate its agreement to a restriction under the following circumstances:
    1. The patient agrees to or requests the termination in writing.
    2. The patient verbally agrees to the termination and the agreement is documented in the clinical record by a designated employee or contractor of CARE MOUNTAIN.

    3. CARE MOUNTAIN informs the patient that it is terminating its agreement to a restriction. The termination of an agreement will only be effective with respect to protected health information created or received after it has informed the patient.
  6. In the event that a patient requires emergency treatment, CARE MOUNTAIN will disclose only the restricted protected health information needed by the treating health care provider. CARE MOUNTAIN will request that the health care provider not further use or disclose the restricted protected health information.

  7. A disclosure of restricted protected health information for emergency treatment will be included in any accounting of disclosures of protected health information provided to the patient. (See “Patient Requests for Accounting of PHI Disclosures” Policy No. 6-015.)

  8. Upon request, the organization will agree to restrict disclosure of protected health information about the individual to their health plan if the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law, and the protected health information pertains solely to a healthcare item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid in full.

  9. The patient’s legal representative may exercise the patient’s rights when a patient is incompetent or a minor.

PATIENT REQUESTS FOR CONFIDENTIAL COMMUNICATIONS
Policy No. 6-012

PURPOSE

To delineate the process for patients to request to receive communications of protected health information by alternative means or at alternative locations.

POLICY

CARE MOUNTAIN will permit a patient to request to receive confidential communications of protected health information by alternative means or at alternative locations. CARE MOUNTAIN will accommodate reasonable requests if the patient clearly states that the disclosure of all or part of that information could endanger him/her.

PROCEDURE

  1. All requests to receive confidential communications of protected health information by alternative means or at alternative locations will be made in writing to the position or office designated by CARE MOUNTAIN. Requests will specify the alternative address or alternative method of communication.
  2. The request will be reviewed to determine whether a reasonable accommodation can be made.
  3. A description of the authorized accommodation will be documented in the patient’s clinical record.
  4. The organization personnel responsible for authorizing the restriction will communicate the agreement to the Clinical Supervisor responsible for the patient’s care. The Clinical Supervisor will communicate the restriction to personnel involved in the patient’s care.
  5. The patient’s legal representative may exercise the patient’s rights when a patient is incompetent or a minor.

PATIENT REQUESTS FOR ACCESS TO PHI
Policy No. 6-013

PURPOSE

To delineate the process for patients to request to inspect and obtain a copy of their protected health information (PHI). To delineate CARE MOUNTAIN’s legal responsibilities.

POLICY

CARE MOUNTAIN will permit a patient to request to inspect and obtain a copy of his/her protected health information in a designated record set, for as long as the information is maintained in the designated record set.

CARE MOUNTAIN will provide timely access to the protected health information in the form or format requested by the patient whenever possible. CARE MOUNTAIN reserves the right to deny the patient access to all or part of his/her protected health information, as required or permitted by law.

PROCEDURE

  1. All requests by a patient to inspect and obtain a copy of protected health information will be made in writing to the position or office designated by CARE MOUNTAIN. The titles of the persons or offices responsible for receiving and processing requests for access by patients will be documented.
  2. The request will be reviewed by designated organization personnel to determine whether it will be approved or denied, in accordance with all applicable laws.
  3. CARE MOUNTAIN reserves the right to deny access to protected health information, without providing the patient an opportunity for review in the following circumstances:
    1. The information is contained in psychotherapy notes.
    2. The information is compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

    3. The information was received from someone other than a health care provider under a promise of confidentiality and access would be reasonably likely to reveal the source of information.

    4. Other circumstances permitted by law.

  4. CARE MOUNTAIN reserves the right to deny a patient access to protected health information, with the right to a review of the denial, in the following circumstances:

    1. A licensed health care professional determines that the access requested is reasonably likely to endanger the life or physical safety of the patient or another person.
    2. The protected health information makes reference to another person, other than a health care provider, and the access requested is reasonably likely to cause substantial harm to such other person.
    3. The request for access is made by the patient’s personal representative and a licensed health care professional has determined that access is reasonably likely to cause substantial harm to the patient or another person.
    4. Other circumstances permitted by law.
  5. CARE MOUNTAIN will act on the patient’s request for access no later than 30 days after receipt of the request.

    1. When the organization grants the request for access, in whole or in part, it will:

      1. Inform the patient of the acceptance of the request.

      2. Provide the patient with access to the protected health information. If the protected health information is maintained electronically and the individual requests an electronic copy, the organization must provide the individual with access to the protected health information in the electronic form and format requested, if it is readily reproducible in that form or format, or, if not, in a readable hard copy form or other form or format mutually agreed upon by CARE MOUNTAIN and the patient.

      3. Provide the patient with a summary of the protected health information requested in lieu of providing access or provide an explanation of the protected health information to which access has been provided. The patient must agree to the summary and/or explanation and agree in advance to any fees charged by CARE MOUNTAIN to prepare the summary or explanation.

      4. Arrange with the patient to inspect or obtain a copy of the protected health information during normal business hours or to mail a copy of the information at the patient’s request. CARE MOUNTAIN will impose a reasonable, cost-based fee for copying and postage, as allowed by law.

    2. When the organization denies the request for access, in whole or in part, it will:

      1. Provide the patient with a timely denial written in plain language that contains:

        1. The basis for the denial.
        2. A statement of the individual’s review rights, if applicable, and how the patient can exercise his/her review rights.

        3. A description of how the patient may complain to CARE MOUNTAIN, including the name or title and telephone number of the person or office designated in CARE MOUNTAIN’s Notice of Privacy Practices. (See “Notice of Privacy Practices” Addendum 6-004.A.)

      2. Provide the patient, to the extent possible, with access to any other protected health information requested, after excluding the information to which CARE MOUNTAIN has grounds to deny access.
      3. If CARE MOUNTAIN does not maintain the protected health information that is the subject of the patient’s request for access, and CARE MOUNTAIN knows where the requested information is maintained, it will inform the patient where to direct the request for access.
  6. If the requested protected health information is not maintained or accessible to CARE MOUNTAIN on-site, the organization will take action by no later than 60 days from the receipt of the request.

  7. If CARE MOUNTAIN is unable to act on the patient’s request for access to protected health information within the timelines specified above, it will provide the patient with a written statement that includes the reasons for the delay and the date by which CARE MOUNTAIN will complete its action on the request. CARE MOUNTAIN may extend the time for such actions by no more than 30 days.

  8. If the patient requests a review of a denial for access to protected health information, CARE MOUNTAIN will designate a licensed health care professional, who was not directly involved in the denial, to review the decision to deny access.

    1. CARE MOUNTAIN will promptly refer the request for review.

    2. The designated reviewer will determine, within a reasonable period of time, whether or not to deny access based on applicable laws.

    3. CARE MOUNTAIN will promptly provide a written notice to the patient of the designated reviewer’s determination and take other action, as required by the determination.

  9. The patient’s legal representative may exercise the patient’s rights when a patient is incompetent or a minor.

  10. If the patient requests access to only their clinical record, the clinical record will be made available to the patient, free of charge, upon request at the next home visit, or within 4 business days (whichever comes first).

PATIENT REQUESTS TO AMEND PHI
Policy No. 6-014

PURPOSE

To delineate the process for patients to request amendments to their protected health information (PHI) maintained in their designated record sets. To delineate the legal responsibilities of CARE MOUNTAIN.

POLICY

CARE MOUNTAIN will permit a patient to request amendments to his/her protected health information maintained in his/her designated record set. CARE MOUNTAIN will provide prompt action to a patient’s request for amendment of protected health information.

CARE MOUNTAIN reserves the right to deny the patient’s request for amendment, in whole or in part, as required or permitted by law.

PROCEDURE

  1. All requests for amendments to protected health information will be made in writing to the position or office designated by CARE MOUNTAIN. The patient will provide a reason to support the requested amendment.
  2. The request will be reviewed by designated organization personnel to determine whether it will be approved or denied, in accordance with all applicable laws.
  3. CARE MOUNTAIN reserves the right to deny a request for an amendment to protected health information, if the protected health information:
    1. Was not created by CARE MOUNTAIN
    2. Is not part of the designated record set

    3. Cannot be accessed by the patient (See “Patient Requests for Access to PHI” Policy No. 6-013.)

    4. Is accurate and complete

  4. CARE MOUNTAIN will act on the patient’s request for access no later than 60 days after receipt of the request. If CARE MOUNTAIN is unable to act on the patient’s request for access to protected health information within the timelines specified above, it will provide the patient with a written statement that includes the reasons for the delay and the date by which CARE MOUNTAIN will complete its action on the request. CARE MOUNTAIN will extend the time for such actions by no more than 30 days.

    1. When the organization grants the request for an amendment, in whole or in part, it will:

      1. Make the appropriate amendment to the protected health information or record.

      2. Inform the patient of the acceptance of the request and obtain the patient’s identification of and agreement to have CARE MOUNTAIN notify relevant persons with which the amendment needs to be shared.

      3. Make reasonable efforts to inform and provide the amendment within a reasonable time to:

        1. Persons identified by the patient as having received protected health information about the individual and needing the amendment.

        2. Persons, including business associates, that CARE MOUNTAIN knows have the protected health information that is the subject of the amendment and that may have relied, or could potentially rely, on the information to the detriment of the patient.

    2. When the organization denies the request for access, in whole or in part, it will:

      1. Provide the patient with a timely, written denial in plain language which contains:

        1. The basis for the denial.
        2. The patient’s right to submit a written statement disagreeing with the denial and where to file the statement.

        3. A statement that, if the patient does not submit a statement of disagreement, the patient may request that CARE MOUNTAIN provide the individual’s request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment.

        4. A description of how the patient may complain to CARE MOUNTAIN, including the name or title and telephone number of the person or office designated in CARE MOUNTAIN Notice of Privacy Practices. (See “Patient Privacy Rights” Policy No. 6-004 and “Notice of Privacy Practices” Addendum 6-004.A.)

  5. CARE MOUNTAIN will permit the patient to submit a written statement, of reasonable length, disagreeing with the denial of all or part of the requested amendment and the basis for such disagreement.

  6. CARE MOUNTAIN may prepare a written rebuttal to the patient’s statement of disagreement. When a rebuttal is prepared, a copy will be provided to the patient.

  7. CARE MOUNTAIN will, as appropriate, identify the protected health information in the designated record set that is the subject of the disputed amendment and will append or otherwise link the patient’s request for an amendment, CARE MOUNTAIN denial of the request, the patient’s statement of disagreement, if any, and the CARE MOUNTAIN rebuttal, if any.

  8. When CARE MOUNTAIN provides subsequent disclosures of the protected health information to which the disagreement relates, it will:

    1. Include the material appended or an accurate summary of the information if the patient submitted a statement of disagreement.

    2. Include the patient’s request for an amendment and CARE MOUNTAIN’s denial if the patient has not submitted a statement of disagreement.

  9. CARE MOUNTAIN will amend a patient’s protected health information in its designated record set when it is informed by another covered entity of an amendment.

  10. The patient’s legal representative may exercise the patient’s rights when a patient is incompetent or a minor.

PATIENT REQUESTS FOR ACCOUNTING OF PHI DISCLOSURES
Policy No. 6-015

PURPOSE

To delineate the process for patients to request and receive an accounting of disclosures of protected health information (PHI) made by CARE MOUNTAIN and to delineate CARE MOUNTAIN legal responsibilities.

POLICY

CARE MOUNTAIN will provide patients with a timely, written accounting of disclosures of their protected health information made by CARE MOUNTAIN in the six (6) years prior to the date on which the accounting is requested. CARE MOUNTAIN retains the right to exclude disclosures from an accounting, as required or permitted by law.

PROCEDURE

  1. All requests by a patient for an accounting of disclosures of protected health information made by CARE MOUNTAIN will be made in writing to the position or office designated by CARE MOUNTAIN. The titles of the persons or offices responsible for receiving and processing requests for an accounting of disclosures will be documented.
  2. A patient may request an accounting of disclosures for a period of three (3) years or less. CARE MOUNTAIN is not required to provide an accounting of disclosures that occurred prior to April 14, 2003.
  3. The request will be reviewed by designated organization personnel and acted upon, in accordance with all applicable laws.

    1. CARE MOUNTAIN will provide the patient with the accounting requested no later than 60 days after receipt of the request.

    2. If CARE MOUNTAIN is unable to act on the patient’s request for an accounting of protected health information within the timelines specified above, it will provide the patient with a written statement that includes the reasons for the delay and the date by which CARE MOUNTAIN will complete its action on the request. CARE MOUNTAIN will extend the time for such action by no more than 30 days.

  4. The written accounting of disclosures will include:

    1. The date of the disclosure

    2. The name of the entity or person who received the protected health information and, if known, the address of the entity or person

    3. A brief description of the protected health information disclosed

    4. A brief statement of the purpose of the disclosure
    5. Any other information required by law
  5. CARE MOUNTAIN will provide the first accounting to the patient in any 12-month period without charge. CARE MOUNTAIN may impose a reasonable cost-based fee for each subsequent request in the same 12-month period.
  6. CARE MOUNTAIN will maintain a copy of the written accounting provided to the patient for a period of three (3) years.
  7. The patient’s legal representative may exercise the patient’s rights when a patient is incompetent or a minor.

PRIVACY TRAINING
Policy No. 6-018

PURPOSE

To assure that organization personnel understand the organization’s policies and procedures with respect to protected health information.

POLICY

CARE MOUNTAIN will train all of its personnel on its policies and procedures related to protected health information.

All personnel will be required to sign a Confidentiality Agreement that will include reference to the confidentiality, privacy and security of patient and organizational information.

PROCEDURE

  1. All personnel will receive training during orientation, as necessary and appropriate to carry out their assigned duties.
  2. All personnel whose duties are affected by a material change in the organization’s privacy and security policies and procedures will receive additional training within a reasonable period of time.
  3. All personnel who have a material change in their duties will receive additional training appropriate to carry out their new duties.
  4. All training provided to organization personnel will be documented and documentation will be maintained for a period of six (6) years.

For Security Training Requirements, see “Security Awareness and Training” Policy No. 6-030.

SANCTIONS FOR PRIVACY AND SECURITY VIOLATIONS
Policy No. 6-019

PURPOSE

To assure that appropriate sanctions are applied for failure to comply with privacy and security policies and procedures.

POLICY

CARE MOUNTAIN will apply appropriate sanctions against organization personnel who fail to comply with its privacy and security policies and procedures.

PROCEDURE

  1. Any occurrence of failure to comply with the organization’s privacy and security policies and procedures will be documented and forwarded to the individual or office designated by CARE MOUNTAIN.
  2. The designated individual will review the complaint, undertake further investigation, as needed, and recommend appropriate sanctions, including possible termination. There are three levels of violations:
    1. Level 1: Carelessness
      1. This level of violation occurs when an employee or contractor unintentionally or carelessly accesses, modifies, destroys or discloses to another person an individual’s PHI and there is not a legitimate reason for such access or disclosure. Examples include but are not limited to:
        1. Discussing an individual’s PHI in a public place
        2. Leaving a copy of an individual’s PHI in a public area
        3. Leaving a computer unattended in an accessible area with an individual’s PHI unsecured
        4. Disregarding the guidelines for remote or wireless access
      2. Carelessness does not include accessing PHI by mistake.
      3. Employee or contractor will be subject to sanctions based on the severity and past incidence of HIPAA policy violations. Sanctions may range in severity from a written warning for a first or second offense to termination for repeated offenses.
    2. Level 2: Intentional and unauthorized accessing of PHI
      1. This level of violation occurs when an employee or contractor intentionally accesses PHI for purposes other than conducting work on behalf of the organization or other authorized purpose. Examples include but are not limited to:
        1. Accessing and reviewing a public personality’s record
        2. Accessing the medical record of a friend, relative or co-worker without proper authorization
        3. Using another employee or contractor’s user ID and password
        4. Writing a user ID or password in an exposed area
      2. Employee or contractor will be subject to sanctions based on the severity and past incidence of HIPAA policy violations. Sanctions may range in severity from a final written warning for a first offense, to an unpaid suspension or termination of employment for second or repeated offenses.
    3. Level 3: Intentional and unauthorized disclosure or destruction of patient information
      1. This level of violation occurs when an employee or contractor accesses and discloses PHI without required authorization or maliciously destroys PHI. Examples include but are not limited to:
        1. Introducing viruses within the organization’s information systems with malicious intent
        2. Destroying or altering PHI without authorization
        3. Accessing an individual’s PHI for personal gain, regardless of whether any PHI was disclosed, for example, compiling a mailing list for personal use or to be sold
      2. Employee or contractor will be subject to appropriate sanctions based on the severity of the violation (e.g., the significance of the disclosure, whether PHI was disclosed to an outside entity, etc.) and whether there is a past incidence of HIPAA policy violations. Violations of HIPAA policies at this level may result in immediate termination of employment.
      3. The Executive Director/Administrator will be responsible for applying appropriate sanctions.
      4. All sanctions that are applied will be documented and documentation will be maintained for a period of six (6) years.
      5. Depending on the nature of the violation, the employee or contractor may be subject to civil and/or criminal penalties.