|
SCHOHARIE COUNTY CHAPTER, NYSARC
PRIVACY POLICY
SCOPE OF POLICY
This
policy applies to all agency staff members.
Agency staff members include all employees, trainees, volunteers,
consultants, contractors and subcontractors at the agency.
STATEMENT OF POLICY
The
agency is committed to protecting the privacy and confidentiality of health
information about its consumers. “Protected
health information” (as defined below) is strictly confidential and should be
used and disclosed only for those purposes authorized under the agency’s
policies or applicable law.
IMPLEMENTATION OF
POLICY
A.
Protected Health Information
For
purposes of this policy, the term “protected health information” means any
consumer information that
1.
relates to the past, present, or future physical or mental health or
condition of an individual, the provision of health care to an individual, or
the past, present, or future payment for the provision of health care to an
individual, and
2.
either identifies the individual or could reasonably be used to identify
the individual.
Some
examples of protected health information are:
§
information about the consumer’s
health condition (such as a condition the consumer may have);
§
information about health care
services the consumer has received or may receive in the future (such as PT or
OT);
§
information about the consumer’s
health care benefits under an insurance plan (such as whether a prescription is
covered); and
§
information about whether a
consumer is receiving health care services from our agency or any other health
care provider;
when
combined with:
§
demographic information (such as
the consumer’s name, address, race, gender, ethnicity or marital status);
§
geographic information (such as
where the consumer lives or works);
§
unique numbers that may identify
the consumer (such as a social security number, medical record number, telephone
number, or driver’s license number); or
§
other types of information that may
identify who the consumer is.
This
policy applies to protected health information in any form, including spoken,
written or electronic form.
It is the
responsibility of every agency staff member to preserve the privacy and
confidentiality of all protected health information and to ensure that protected
health information is used and disclosed only as permitted under the agency’s
policies and applicable law. This
includes, but is not limited to, compliance with the protective procedures
below.
B.
Uses and Disclosures for Treatment, Payment and Health Care
Operations (TPO)
Unless
the agency has received a specific written authorization from the consumer for,
or applicable law otherwise requires or permits, a particular use or disclosure
of protected health information, protected health information may only be used
or disclosed for purposes of (i) our agency’s treatment activities, payment
activities, and health care operations, and (ii) certain treatment activities,
payment activities, and health care operations of other health care providers
and of health plans.
Treatment
For
purposes of this policy, the term “treatment” means providing, coordinating
or managing the consumer’s health care and any related services.
Some examples of treatment activities involving the use or disclosure of
protected health information are:
·
using protected health information
about a consumer’s disease or condition to diagnose or provide care to the
consumer;
·
disclosures of protected health
information to other health care providers who are involved in taking care of
the consumer;
·
disclosures of protected health
information to another health care provider in order to obtain advice about how
best to diagnose or provide care to the consumer; and
·
disclosures of protected health
information to another health care provider to whom the consumer has been
referred to ensure that this health care provider has the necessary information
to diagnose or provide care to the consumer.
Payment
For
purposes of this policy, the term “payment” generally means the activities
undertaken by the agency to obtain or provide reimbursement for the provision of
health care. Some examples of payment activities involving the use or
disclosure of protected health information are:
·
disclosing the consumer’s
protected health information to a health insurance plan to determine whether it
will provide coverage for the consumer’s treatment;
·
disclosing the consumer’s
protected health information to obtain pre-approval before providing a treatment
or service, such as admitting the consumer to the agency for a particular type
of surgery; and
·
disclosing the consumer’s
protected health information to his or her health insurance plan to obtain
reimbursement after the agency has treated the consumer.
Uses
and disclosures of protected health information for the agency’ payment
purposes are subject to the HIPAA Privacy Regulations’ "minimum
necessary" standard
Health Care Operations
For
purposes of this policy, the term “health care operations” generally refers
to those general business and administrative functions of the agency that are
required in order to operate and perform its health care functions.
Some examples of uses and disclosures of protected health information for
health care operations are:
·
uses and disclosures of protected
health information for quality assurance and utilization review purposes;
·
uses and disclosures of protected
health information for education and training of students and other trainees;
·
uses and disclosures of protected
health information to recommend possible treatment options or alternatives, or
health-related benefits or services, that may be of interest to the consumer;
·
uses and disclosures of protected
health information for legal services, business planning, and other business
management and general administrative activities; and
·
uses and disclosures of protected
health information to raise funds for the benefit of the agency.
Uses
and disclosures of protected health information for the agency’s health care
operations are subject to the HIPAA Privacy Regulations’ "minimum
necessary" standard.
Disclosure for Other
Persons’ TPO
Our
agency also may disclose protected health information to others for their
treatment, payment and health care operations as follows:
·
Our agency may disclose protected
health information to another health care provider for its treatment activities.
·
Our agency may disclose protected
health information to a health plan or another health care provider for its
payment activities.
·
Our agency may disclose protected
health information to a health plan or another health care provider for its
health care operations, but only if
o
(i) both our agency and the other
party have, or had, a relationship with the consumer whose information is being
disclosed;
o
(ii) the protected health
information being disclosed pertains to that current (or previous) relationship;
and
o
(iii) the disclosure is for certain
limited health care operations activities, including conducting quality
assurance and/or quality improvement activities, education or training of
students and other staff, reviewing the competence or qualifications, or the
performance, of health care professionals, accreditation, licensing,
credentialing, and fraud and abuse detection or compliance activities.
Disclosures
of protected health information for others’ payment activities or health care
operations are subject to the HIPAA Privacy Regulations’ minimum necessary
standard.
C.
De-identified Information Not Subject to TPO Restriction
Protected
health information is considered “de-identified” when all elements that have
the potential to identify the consumer have been removed.
Protected health information will be deemed de-identified when (i) a
person with appropriate knowledge and experience in scientific and statistical
principles for de-identifying information has determined that there is a very
small risk that that the information can be used to identify the consumer and
has documented the analysis that justifies that decision, or (ii) certain
specific identifying elements regarding the consumer and his or her relatives,
employers and household members have been removed and the remaining information
cannot be used to identify the consumer.
The
elements that must be removed include the following:
- names;
- all
geographic subdivisions smaller than a state, including street address,
city, county, precinct, zip code and their equivalent geocodes;
- all
elements of dates (except year) for dates directly related to the
individual, including birth date, admission date, discharge date, date of
death; and all ages over 89 and all elements (including year) indicative of
such age, except that ages and elements may be aggregated into a single
category of 90 or older;
- telephone
numbers;
- fax
numbers;
- electronic
mail (e-mail) addresses;
- Social
Security numbers;
- medical
record numbers;
- health
plan beneficiary numbers;
- account
numbers;
- certificate/license
numbers;
- vehicle
identifiers and serial numbers, including license plate numbers;
- device
identifiers and serial numbers;
- World
Wide Web Universal Resource Locators (URLs);
- internet
protocol (IP) address numbers;
- biometric
identifiers, including finger and voice prints;
- full
face photographic images and comparable images; and
·
any other unique identifying
number, characteristic or code.
Because
de-identified information is no longer considered protected health information,
such de-identified information is not subject to the TPO restriction and
generally may be used and disclosed without limitation.
However, agency staff must obtain approval from Peggy Himes, Privacy Officer that protected health information has
been appropriately de-identified prior to treating such information as
de-identified information.
D.
Uses of Protected Health Information for Reasons Other Than TPO
Agency
staff are instructed to consult their department supervisors if they are unsure
whether a particular use or disclosure satisfies the definition of TPO, or if
they believe they need to use or disclose protected health information for
reasons other TPO and they are unsure whether an exception applies or if the
agency has obtained an authorization for that particular use or disclosure.
The department supervisors will be responsible for providing guidance or
directing the individual to the agency staff member or the department better
able to provide the necessary guidance.
VIOLATIONS
The
agency’s Privacy Officer has general responsibility for implementation of this
policy. Members of our agency staff
who violate this policy will be subject to disciplinary action up to and
including termination of employment or contract with Schoharie
County Chapter, NYSARC. Anyone
who knows or has reason to believe that another person has violated this policy
should report the matter promptly to his or her supervisor or the agency’s
Privacy Officer. All reported
matters will be investigated, and, where appropriate, steps will be taken to
remedy the situation. Where
possible Schoharie County Chapter, NYSARC will make every effort to handle the
reported matter confidentially. Any
attempt to retaliate against a person for reporting a violation of this policy
will itself be considered a violation of this policy that may result in
disciplinary action up to and including termination of employment or contract
with Schoharie County Chapter, NYSARC
QUESTIONS
If you
have questions about this policy, please contact the agency’s Privacy Officer
immediately. It is important that
all questions be resolved as soon as possible to ensure protected health
information is used and disclosed appropriately.
Effective
Date: April 15, 2003
|
