HIPAA PRIVACY POLICY
Introduction
Buettner Insurance Agency, Inc (the “Business Associate”) provides services to a number of covered entities, as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Members of the Business Associate’s workforce may have access to the individually identifiable health information of the covered entities’ participants (1) on behalf of the covered entities; or (2) on behalf of the employer who sponsors covered entities, for administrative functions of the covered entities.
HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act and its implementing regulations, restricts the Business Associate’s ability to use and disclose protected health information (PHI) and Substance Use Disorder (“SUD”) records for these covered entities.
Protected Health Information. Protected health information means information that is created or received by the covered entities and relates to the past, present, or future physical or mental health or condition of a participant of these covered entities; the provision of health care to a participant of a covered entity; or the past, present, or future payment for the provision of health care to a participant of a covered entity; and that identifies the participant of a covered entity or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected health information includes information of persons living or deceased.
Substance Use Disorder (SUD) Records (42 CFR Part 2). Records received from an SUD treatment program (“Part 2 Program”) are protected by federal law. We will not share your SUD treatment records unless we have your written consent or the disclosure is permitted by 42 CFR Part 2. If you consent to share your Part 2 records with us, we may further disclose those records to our business associates or to other providers for treatment, payment, and health care operations purposes as allowed under HIPAA. We will not use or disclose your Part 2 records (or testimony based on them) in legal proceedings against you unless you consent in writing or a specific court order requires it.
It is the Business Associate’s policy to comply fully with HIPAA’s requirements. To that end, all members of the Business Associate’s workforce who have access to PHI and SUD Records must comply with this Privacy Policy and Procedures. For purposes of this Policy, the Business Associate’s workforce includes individuals who would be considered part of the workforce under HIPAA such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of the Business Associate, whether or not they are paid by the Business Associate. The term “employee” includes all of these types of workers.
Additionally, any subcontractors that provide services to the Business Associate which involve the creation, receipt, maintenance, or transmission of protected health information on behalf of the Business Associate to fulfill its contractual duties must comply fully with HIPAA’s requirements.
No third-party rights (including but not limited to the rights of covered entities’ participants, beneficiaries, covered dependents, or other business associates) are intended to be created by this Policy. The Business Associate reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspirational and shall not be binding upon the Business Associate. This Policy does not address requirements under other federal laws or under state laws. To the extent that this Policy is in conflict with HIPAA, the HIPAA privacy rules shall govern.
Business Associate’s Responsibilities
I. Compliance Official and Contact Person
Brett Buettner, President, will be the Compliance Official for the Business Associate.
The Compliance Official will be responsible for the development and implementation of policies and procedures relating to privacy, including but not limited to this Privacy Policy and any other use and disclosure procedures. The Compliance Official will also appoint those employees who will serve as the contact persons for participants of the covered entities who have questions, concerns, or complaints about the privacy of their PHI and SUD records.
The Compliance Official is responsible for the development and implementation of the organization’s security responsibilities. The Compliance Official shall be assigned the responsibility to manage and supervise the execution and use of security measures to protect the Business Associate’s data and to manage and supervise personnel in relation to the protection of this data. The Compliance Official shall develop procedures as appropriate for these responsibilities. These responsibilities include:
- An oversight process for systems certification.
- A coordinated contingency plan.
- A process to oversee information access control standards.
- Monitoring of internal audit controls of system records activity, and response to variances.
- Maintenance of personnel authorization controls and clearance records.
- A process to oversee security configuration management.
- A process to oversee security incident procedures.
- A process to oversee the security management process, including risk analysis and risk management provisions.
- Coordination of termination and/or modification of access to information systems.
- Technical assistance for universal security awareness training.
- A process to oversee media controls.
The Business Associate will maintain strict physical access controls to its information systems at all times and under all conditions. This includes the physical security of electronic and paper data. The Compliance Official is responsible for maintaining procedures to address these controls. Physical access controls include the following:
- Disaster recovery.
- Emergency mode operation.
- Equipment and media control.
- A facility security plan and procedures for verifying access authorizations prior to granting physical access.
- Maintenance records.
- Sign-in procedure for visitors to sensitive areas, and escorts if appropriate.
- Periodic testing and revision of physical access controls.
II. Workforce Training
It is the Business Associate’s policy to train all members of its workforce on its privacy policies and procedures. The Compliance Official is charged with developing training schedules and programs so that all workforce members receive the training necessary and appropriate to permit them to carry out their functions on behalf of the covered entities.
All members of the Business Associate’s workforce, including temporary staff, students and volunteers, will receive training in the policies and procedures that apply to their jobs, including maintenance of the privacy and security of PHI. New members of the workforce will receive training as a part of orientation to their jobs within a reasonable time of joining the workforce. All members of the workforce will receive additional training as policies and procedures are changed, to the extent that the changes affect their jobs.
Attendance and testing at training sessions will be documented to demonstrate that each member of the workforce has received and understood training in accordance with this policy. The documentation must be retained for seven years.
Training sessions will include the following:
- Awareness training: threats to the privacy and security of PHI and SUD records, how failure to protect against these threats can harm individuals, and the importance of each member of the workforce in the privacy and security posture of the Business Associate.
- Details of applicable policies and procedures: how privacy and security policies affect the job of each member of the workforce, and how the Business Associate defines what is expected of each of these workers.
- Periodic reminders.
- Timely information about changes in policies and procedures.
- Information about sanctions: how members of the workforce may be sanctioned under the Business Associate’s policy, and under state and federal law, for breaches of privacy and security policies.
- Testing: to measure comprehension and retention of the material.
The Business Associate will also ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to comply with the same HIPAA restrictions, conditions, and requirements that apply to the Business Associate.
III. Administrative, Technical and Physical Safeguards and Firewall
The Business Associate will establish, on behalf of the covered entities, appropriate administrative, technical, and physical safeguards to prevent PHI and SUD records from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. Administrative safeguards include procedures for the use and disclosure of PHI and SUD records. Technical safeguards include limiting access to information through access controls and computer firewalls. Physical safeguards include locking doors or filing cabinets.
These access controls (referred to in this Policy as “firewalls”) will ensure that only authorized employees have access to PHI and SUD records, that they have access to only the minimum amount of PHI and SUD records necessary for plan administrative functions, and that they do not further use or disclose PHI and SUD records in violation of HIPAA’s privacy rules.
IV. Privacy Notice
The Compliance Official is responsible for developing and maintaining a notice of the Business Associate’s privacy practices that describes:
• the uses and disclosures of PHI and SUD records that may be made by the Business Associate;
• the individual’s rights under the HIPAA privacy rules;
• the Business Associate’s legal duties with respect to the PHI; and
• other information as required by the HIPAA privacy rules.
The privacy notice will inform employees that the Business Associate will have access to PHI in connection with its administrative functions with clients. The privacy notice will also provide a description of the Business Associate’s complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice.
The notice of privacy practices will be individually delivered to all employees of the Business Associate:
• at the time of an individual’s hire date; and
• within 60 days after a material change to the notice.
The Business Associate will also provide notice of availability of the privacy notice (or a copy of the privacy notice) at least once every three years in compliance with the HIPAA privacy regulations.
V. Complaints
Brett Buettner, President, (714) 840-4213, and Jennifer Williams, Chief Operations Officer, (714) 840-4093, will be the Business Associate’s contact persons for receiving complaints.
The Compliance Official is responsible for creating a process for individuals to lodge complaints about the Business Associate’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any participant upon request.
VI. Sanctions for Violations of Privacy Policy
Sanctions for using or disclosing PHI and SUD records in violation of this HIPAA Privacy Policy will be imposed in accordance with the Business Associate’s policy/procedures. Violations that jeopardize the privacy or security of PHI are particularly serious. This seriousness will be reflected in the nature of the disciplinary action, up to and including termination of employment.
- All members of the workforce will be treated fairly and equitably in the imposition of sanctions for privacy and security violations.
- Sanctions will be integrated into the Business Associate’s overall employee discipline policy/procedures.
- Disciplinary actions due to breaches of privacy or security of PHI and SUD records will be documented, and the documentation must be retained for seven years. Disclosure of PHI and SUD records in violation of policy is reportable under the Policies on Individual Rights, Accounting section of this policy.
VII. Mitigation of Inadvertent Disclosures of PHI and SUD records
The Business Associate shall mitigate, to the extent possible, any harmful effects that become known to it of a use or disclosure of an individual’s PHI and SUD records in violation of the policies and procedures set forth in this Policy. Accordingly, an employee who becomes aware of a use or disclosure of PHI or SUD records, whether by an employee of the Business Associate or by an outside consultant/contractor, that is not in compliance with this Policy must immediately contact Brett Buettner and Jennifer Williams so that the appropriate steps to mitigate the harm to the participant can be taken.
VIII. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.
No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.
IX. Documents or Agreements
All documents or agreements shall include provisions to describe the permitted and required uses and disclosures of PHI and SUD records by the Business Associate for administrative purposes. Specifically, any documents or agreements shall require the Business Associate to:
- Not use or further disclose PHI or SUD records other than as permitted by the documents or as required by law;
- Ensure that any agents or subcontractors to whom it provides PHI and SUD records received from the Business Associate agree to the same restrictions and conditions that apply to the Business Associate;
- Not use or disclose PHI and SUD records for employment-related actions or in connection with any other employee benefit plan;
- Report to the designated contact persons of the covered entities any use or disclosure of the information that is inconsistent with the permitted use or disclosure and, if necessary, report such use or disclosure to the Department of Health and Human Services (“HHS”), as required by HITECH and subsequent regulations;
- Make PHI and SUD records available to covered entities, consider their amendments and, upon request, provide them with an accounting of PHI and SUD records disclosures;
- Make the Business Associate’s internal practices and records relating to the use and disclosure of PHI and SUD records received from the covered entities available to HHS upon request;
- If feasible, return or destroy all PHI and SUD records received from the covered entities that the Business Associate still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
- Provide access to electronic PHI and SUD records to an individual, his/her designee or a covered entity.
All documents or agreements must also require the Business Associate to (1) certify to the Compliance Official that the documents or agreements have been amended to include the above restrictions and that the Business Associate agrees to those restrictions; and (2) provide adequate firewalls.
X. Documentation
The covered entities’ and the Business Associate’s privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must promptly be documented.
If a change in law impacts the privacy notice, the privacy policy must promptly be revised and made available. Such change is effective only with respect to PHI and SUD records created or received after the effective date of the notice.
The covered entities and the Business Associate shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual’s privacy rights.
The documentation of any policies and procedures, actions, activities and designations may be maintained in either written or electronic form. Covered entities must maintain such documentation for at least six years.
Policies on Use and Disclosure of PHI and SUD Records
I. Use and Disclosure Defined
The Business Associate and the covered entities will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:
- Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Business Associate, or by the Business Associate (on behalf of the covered entities).
- Disclosure. For PHI and SUD records, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within the Business Associate.
II. Workforce Must Comply With Business Associate’s Policy and Procedures
All members of the Business Associate’s workforce (described at the beginning of this Policy and referred to herein as “employees”) must comply with this Policy and with any relevant procedures.
III. Access to PHI and SUD Records Is Limited to Certain Employees
The following employees (“employees with access”) have access to PHI and SUD records:
- Any employee who performs functions directly on behalf of the covered entities; and
- Officers, Managing Partners, Account Managers, and Account Coordinators who have access to PHI and SUD records on behalf of the Business Associate for its use in “plan administrative functions” of the covered entities.
The same employees may be named or described in both of these two categories. These employees with access may use and disclose PHI and SUD records for plan administrative functions, and they may disclose PHI and SUD records to other employees with access for plan administrative functions (but the PHI disclosed must be limited to the minimum amount necessary to perform the plan administrative function). Employees with access may not disclose PHI and SUD records to employees (other than employees with access) unless an authorization is in place or the disclosure otherwise is in compliance with this Policy and any associated procedures. For purposes of this Policy, “plan administrative functions” include the payment and health care operation activities described in this section of this Policy.
IV. Permitted Uses and Disclosures of PHI and SUD Records: Payment and Health Care Operations
PHI and SUD records may be disclosed for the covered entities’ own payment purposes, and may be disclosed to another business associate for the payment or administrative purposes of the covered entity.
Payment. Payment includes activities undertaken to obtain covered entities’ contributions or to determine or fulfill the covered entities’ responsibility for provision of benefits under the Plan, or to obtain or provide reimbursement for health care. Payment also includes:
- eligibility and coverage determinations including coordination of benefits and adjudication or subrogation of health benefit claims;
- risk adjusting based on enrollee status and demographic characteristics;
- billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess loss insurance) and related health care data processing; and
- any other payment activity permitted by the HIPAA regulations.
PHI and SUD records may be disclosed for purposes of the covered entities’ own health care operations. PHI and SUD records may be disclosed to another business associate for purposes of the other business associate’s quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other business associate has (or had) a relationship with the participant and the PHI and SUD records requested pertain to that relationship.
Health Care Operations. Health care operations means any of the following activities to the extent that they are related to the covered entity’s administration:
- Conducting quality assessments and improvement activities;
- Reviewing health plan performance;
- Underwriting and premium rating;
- Conducting or arranging for medical review, legal services and auditing functions;
- Business planning and development;
- Business management and general administrative activities;
- De-identifying the information in accordance with the HIPAA Privacy Rule as necessary to perform the services required; and
- Any other health care operations activity permitted by the HIPAA privacy regulations.
As permitted by 42 CFR Part 2, a participant may provide a single written consent covering all future uses and disclosures of SUD records for treatment, payment, and health care operations (TPO) purposes. The participant retains the right to revoke that consent in writing, and the consent form will describe that right.
V. No Disclosure of PHI and SUD Records for Non-Health Plan Purposes
PHI and SUD records may not be used or disclosed for the payment or operations of an employer’s “non-health” benefits (e.g., disability, workers’ compensation, life insurance, etc.), unless the participant has provided an authorization for such use or disclosure (as discussed in “Disclosures Pursuant to an Authorization”) or such use or disclosure is required by applicable state law and particular requirements under HIPAA are met.
VI. Mandatory Disclosures of PHI and SUD Records: to Individual and HHS
A participant’s PHI and SUD records must be disclosed as required by HIPAA in three situations:
- The disclosure is to the individual who is the subject of the information;
- The disclosure is required by law; or
- The disclosure is made to HHS for purposes of enforcing HIPAA.
VII. Permissive Disclosures of PHI and SUD Records: for Legal and Public Policy Purposes
PHI and SUD records may be disclosed in the following situations without a participant’s authorization, when specific requirements are satisfied. The requirements include prior approval of the Business Associate’s Compliance Official. Permitted are disclosures:
- About victims of abuse, neglect or domestic violence;
- For judicial and administrative proceedings;
- For law enforcement purposes;
- For public health activities;
- For health oversight activities;
- About decedents;
- For cadaveric organ, eye or tissue donation purposes;
- For certain limited research purposes;
- To avert a serious threat to health or safety;
- For specialized government functions; and
- That relate to workers’ compensation programs.
VIII. Disclosures of PHI and SUD Records Pursuant to an Authorization
PHI and SUD records may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.
IX. Complying With the “Minimum-Necessary” Standard
HIPAA requires that when PHI and SUD records are used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure.
The “minimum-necessary” standard does not apply to any of the following:
- Uses or disclosures made to the individual;
- Uses or disclosures made pursuant to a valid authorization;
- Disclosures made to HHS;
- Uses or disclosures required by law; and
- Uses or disclosures required to comply with HIPAA.
Minimum Necessary When Disclosing PHI and SUD Records. For disclosures of PHI and SUD records that are routine and recurring, policies and procedures will be in place that limit the amount disclosed to the minimum amount necessary.
All other disclosures must be reviewed on an individual basis with the Compliance Official to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.
Minimum Necessary When Requesting PHI and SUD Records. For requests for disclosure of PHI and SUD records from any disclosing business associate that are routine and recurring, policies and procedures shall be designed to limit the amount requested to the amount reasonably necessary to accomplish the purpose for which the disclosure is requested.
All other requests must be reviewed on an individual basis with the Compliance Official to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the request.
X. Disclosures of PHI and SUD Records to Other Business Associates or Vendors
Employees of the Business Associate may disclose PHI and SUD records to the covered entities’ other business associates and allow the covered entities’ other business associates to create or receive PHI and SUD records on their behalf. However, prior to doing so, the covered entities must first obtain assurances from the other business associates that they will appropriately safeguard the information. Before sharing PHI and SUD records with outside consultants or contractors who meet the definition of a “business associate,” employees of the Business Associate must contact the Compliance Official and verify that a business associate contract is in place.
Another business associate is an entity that:
- Performs or assists in performing a business associate function or activity involving the use and disclosure of PHI and SUD records (including claims processing or administration, data analysis, underwriting, etc.);
- Provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI and SUD records;
- Is a health information organization;
- Is an e-prescribing gateway;
- Provides data transmission services with respect to PHI to a covered entity and requires routine access to PHI and SUD records;
- Offers a personal health record to one or more individuals on behalf of a covered entity; or
- Maintains PHI and SUD records, whether or not the entity actually reviews the PHI.
XI. Disclosures of De-Identified Information
The Business Associate may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a business associate can determine that information is de-identified: by a documented determination from a qualified statistical expert that the risk of re-identification is very small (the “expert determination” method), or by removing the specific identifiers listed in the Privacy Rule for the individual and the individual’s relatives, employers, and household members (the “safe harbor” method). SUD records may be de-identified only as 42 CFR Part 2 permits.
XII. Prohibited Use and Disclosure of PHI and SUD Records
1. Prohibition on Sale of PHI and SUD Records. The Business Associate will not sell PHI or SUD records except as permitted by the Privacy Rule, and then only with a valid authorization from the individual.
2. Prohibition Related to PHI and SUD Records That Constitute Genetic Information. The Business Associate will not use or disclose genetic information for underwriting purposes.
XIII. Physical Access Controls/Guidelines to Guard PHI and SUD Records
The Business Associate will maintain strict physical access controls to its information systems at all times and under all conditions. This includes the physical security of electronic and paper data.
The Business Associate will terminate access to information systems and other sources of PHI and SUD records, including access to rooms or buildings where PHI and SUD records are located, when an employee, agent or contractor ends his/her employment or engagement. The Business Associate will terminate access to specific types of PHI and SUD records when the status of any member of the workforce no longer requires access to those types of information.
Cleaning personnel:
Cleaning personnel do not need PHI to accomplish their work. Whenever reasonably possible, PHI and SUD records will be placed in locked containers, cabinets or rooms before cleaning personnel enter an area. When it is not reasonably possible to lock up PHI, it must be removed from sight before cleaning personnel enter an area and a supervisor must be present.
Computer Screens:
Computer screens at each workstation must be positioned so that only authorized users at that workstation can read the display. When screens cannot be relocated, filters, hoods, or other devices may be employed. Computer displays will be configured to go blank, or to display a screen saver, when left unattended for more than a brief period of time. The period of time will be determined by the Compliance Official. Wherever practicable, reverting from the screen saver to the display of data will require a password. Computer screens left unattended for longer periods of time will log off the user. The period of time will be determined by the Compliance Official.
Conversations:
Conversations concerning individual care or other PHI and SUD records must be conducted in a way that reduces the likelihood of being overheard by others. Wherever reasonably possible, barriers will be used to reduce the opportunity for conversations to be overheard.
Copying medical records and other PHI:
When PHI is copied, only the information that is necessary to accomplish the purpose for which the copy is being made, may be copied. This may require that part of a page be masked.
Desks and countertops:
Provider reports and other documents which may display identifiers and other “keys” to information should be placed face down on counters, desks, and other places where individuals or visitors could otherwise see them. Wherever it is reasonably possible to do so, medical reports and other documents containing PHI will not be left on desks and countertops after business hours. Supervisors will take reasonable steps to provide all work areas where PHI and SUD records are used in paper form with lockable storage bins, lockable desk drawers or other means to secure PHI during periods when the area is left unattended. In areas where locked storage after hours cannot reasonably be accomplished, PHI and SUD records must be kept out of sight. A supervisor must be present whenever someone who is not authorized to have access to that data is in the area.
Disposal of paper with PHI and SUD Records:
Paper documents containing PHI and SUD records must be shredded when no longer needed. If they are held for a commercial shredding service, they must be kept in a locked bin until collected.
Home office:
Any member of the workforce who is authorized to work from a home office must ensure that the home office complies with all applicable policies and procedures regarding the security and privacy of PHI and SUD records, including these guidelines.
Key policy:
The Compliance Official will develop a list of which personnel, by job title, may have access to which keys. This includes keys to storage cabinets, storage rooms and buildings. All keys must be signed out. Keys must be surrendered upon termination of employment. The Compliance Official will ensure that locks are changed whenever there is evidence that a key is no longer under the control of an authorized member of the workforce, and its loss presents a security threat that justifies the expense.
Phones and Laptops:
The privacy and security policies apply to any PHI and SUD records that are stored on a phone or laptop. Users of phones and laptops are responsible for ensuring that the PHI or SUD records on their devices are kept secure and private. Any loss or theft of a phone or laptop thought to contain PHI or SUD records must be reported to the Compliance Official immediately. Users who store PHI on their phones will receive special training in the risks of this practice and the measures that they can take to reduce the risks (such as device passcodes and encryption).
Printers and Fax Machines:
Printers and fax machines must be located in secure areas, where only authorized members of the workforce can have access to documents being printed.
Records carried from one building to another:
When PHI and SUD records are carried from one building to another, they must be signed out and signed in. When a member of the workforce transports PHI and SUD records from one building to another, they may not be left unattended unless they are in a locked vehicle, in an opaque, locked container. Locking the vehicle alone is not sufficient.
Record Storage:
Areas where records and other documents that contain PHI and SUD records are stored must be secure. Wherever reasonably possible, PHI and SUD records will be stored in locking cabinets. Where locking cabinets are not available, the storage area must be locked when no member of the workforce is present to observe who enters and leaves, and no unauthorized personnel may be left alone in such areas without supervision.
Workforce Vigilance:
All members of the workforce are responsible for watching for unauthorized use or disclosure of PHI and SUD records, for acting to prevent it, and for reporting suspected breaches of privacy and security policies to their supervisor or to the Compliance Official (example of a breach: an individual or visitor looking through PHI and SUD records left on a counter).
Visitors:
Visitors to areas where PHI and SUD records are being used must be accompanied by a member of the Business Associate’s workforce.
XIV. Breach Notification Requirements
The Business Associate will comply with the requirements of the HITECH Act and its implementing regulations to provide notification to affected covered entities and the media (when required) if it discovers a breach of unsecured PHI and SUD records.
Policies on Individual Rights
I. Access to Protected Health Information and Requests for Amendment
HIPAA gives participants of covered entities the right to access and obtain copies of their PHI and SUD records (or electronic copies of PHI and SUD records) that the covered entities (or the Business Associate) maintain in designated record sets. HIPAA also provides that participants may request to have their PHI and SUD records amended. The Business Associate will provide access to PHI and SUD records, and it will consider requests for amendment that are submitted in writing by participants from the covered entities.
A Designated Record Set is a group of records maintained by or for the covered entities, the sponsoring employers, or the Business Associate that includes:
- The enrollment, payment, and claims adjudication record of an individual maintained by or for the covered entities; or
- Other PHI used, in whole or in part, by or for the covered entities to make coverage decisions about an individual.
II. Accounting
An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last six years, other than disclosures:
- To carry out treatment, payment or health care operations;
- To individuals about their own PHI and SUD records;
- Incident to an otherwise permitted use or disclosure;
- Pursuant to an authorization;
- For purposes of creation of a facility directory or to persons involved in the patient’s care or other notification purposes;
- As part of a limited data set;
- For other national security or law enforcement purposes; or
- Disclosures that occurred prior to the compliance date.
The covered entities shall respond to an accounting request within 60 days with the cooperation of the Business Associate. If the covered entities are unable to provide the accounting within 60 days, they may extend the period by 30 days, provided that they give the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.
The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).
The first accounting in any 12-month period shall be provided free of charge. The Compliance Official of the Business Associate may impose reasonable production and mailing costs for subsequent accountings from the covered entities.
III. Requests for Alternative Communication Means or Locations
Participants of a covered entity may request to receive communications regarding their PHI and SUD records by alternative means or at alternative locations from the covered entities. For example, participants may ask to be called only at work rather than at home. Such requests may be honored if, in the sole discretion of the covered entities, the requests are reasonable.
However, a covered entity shall accommodate such a request if the participant clearly states that the disclosure of all or part of that information could endanger the participant. The Compliance Official of the Business Associate has responsibility for administering requests for confidential communications from the covered entities.
IV. Requests for Restrictions on Uses and Disclosures of PHI and SUD Records
A participant of a covered entity may request restrictions on the use and disclosure of the participant’s PHI and SUD records. It is the covered entities’ policy to attempt to honor such requests if, in the sole discretion of the covered entity, the requests are reasonable. The covered entities are charged with responsibility for administering requests for restrictions and shall communicate any restrictions to the Compliance Official of the Business Associate.
