HIPAA Privacy Policy
POLICY:
Beacon Health Solutions (referred to herein as “Beacon” or the “Organization”) is committed to conducting business in accordance with all applicable laws and regulations related to the use and disclosure of Protected Health Information (“PHI”). It is the policy of the Organization to use or disclose PHI only as permitted or required by a business associate contract or as required by law, and to provide guidance to employees on the proper guidelines for uses and disclosures of PHI.
Security Rule
It is the policy of Beacon to fully comply with the HIPAA Security Rule, including to:
- Ensure the confidentiality, integrity and availability of all electronic PHI (“e-PHI”) that is created, received, maintained or transmitted by the Organization;
- Protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI;
- Protect against reasonably anticipated uses or disclosures of e-PHI that are not permitted or required under HIPAA; and
- Ensure compliance with the HIPAA Security Rule by all employees.
Privacy Rule
It is the policy of Beacon to fully comply with the HIPAA Privacy Rule. Beacon is responsible for:
- The development and implementation of privacy policies and procedures that are consistent with the Privacy Rule.
- Ensuring workforce members are trained on its privacy policies and procedures.
- Assisting Client/Organization with the investigation of privacy complaints.
- Assisting Client/Organization with the mitigation of any privacy violation.
- Providing breach notification(s) to the Client/Organization or federal agencies as required.
PROCEDURE:
Training
Beacon Health Solutions (“Beacon”) provides annual HIPAA training and education for all of its employees.
Use and Disclosure of PHI
All employees are authorized to access PHI to the extent performance of their job functions reasonably requires such access and where access is necessary in furtherance of legitimate, HIPAA-permitted purposes of payment, treatment and health care operations. Employees may not access PHI except in accordance with the HIPAA policies and procedures and proper business-related activities consistent with the Organization’s business associate agreement, or as required by law. Beacon may use and disclose PHI only as permitted or required by federal privacy law and relevant state laws, and in accordance with Beacon’s contracts with Clients/Organizations.
Beacon Health Solutions makes all reasonable efforts to limit the use and disclosure of PHI. Employees must abide by the HIPAA “Minimum Necessary” standard (i.e., the amount and type of PHI requested, accessed, used and/or disclosed shall be limited to the information needed to accomplish the intended, authorized purpose of the use, disclosure, or request). Uses and disclosures to other authorized associates will be made in accordance with the Minimum Necessary standard.
Minimum Necessary does not apply to:
- Disclosures to or requests by a health care provider for treatment;
- Uses or disclosures made to the individual, as permitted or as required by HIPAA;
- Uses or disclosures made pursuant to an authorization;
- Disclosures made to the Secretary in accordance with HIPAA;
- Uses or disclosures that are required by law; and
- Uses or disclosures that are required for compliance with the HIPAA Administrative Simplification Rules.
All staff limit their requests for PHI to the minimum necessary to accomplish the intended purpose of the request as specified in this and other related privacy policies. Each business unit/department develops and maintains role-based procedures to ensure that only workforce members with a need to know have access to protected health information. Such procedures include a list of the type or class of employee requiring access and the type of access needed to do the job.
Access to PHI
Covered entities are responsible for fulfilling the Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting. Beacon Health Solutions abides by the terms specified in the business associate contract and makes such protected health information available to the covered entity in order for the covered entity to provide an individual with access to the information. However, if the business associate contract specifies that Beacon Health Solutions will provide access to individuals, as may be appropriate given the PHI held by, and the functions of, the Organization, Beacon Health Solutions will follow the procedures set forth below.
HIPAA requires that individuals be afforded the opportunity to access certain PHI within a Designated Record Set, except for: psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and PHI maintained by a laboratory that is subject to CLIA, to the extent the provision of access to the individual would be prohibited by law, or that is exempt from CLIA. Depending on the type of PHI, individuals may submit requests for access to PHI by phone, fax, email or mail.
- Verification of the individual requesting PHI – Reasonable steps must be taken to verify the identity and authority of all persons requesting access to PHI before making any disclosure. If the identity and authority of the person making the request is at all in question, associates are directed to contact Management or compliance designee. At a minimum, associates are expected to verify the following elements:
- Individual’s Name
- Individual’s Address
- Individual’s Phone Number
- Individual’s Date of Birth
- Use and Disclosure to Parent or Legal Guardian of Minor Child – Associates may disclose PHI to the parent or legal guardian of a minor child, so long as appropriate steps are taken to verify the identity of the person making the request and to confirm the relationship between the person and the minor child.
- Use and Disclosure to Third Parties – Associates may not disclose PHI in response to a request from a third-party claiming to have authorization from the individual unless sufficient written authorization has been verified and the disclosure has been approved by Management or compliance designee.
- Personal (Authorized) Representative – If a PHI disclosure request is made by an individual’s personal representative, associates will use internal system(s) to verify the authorized representative. If the associate is unable to validate the representative, documentation will be requested to confirm the representative’s authority to act on behalf of the individual.
- Use and Disclosure to Spouse, Family Member(s), or Friend(s): Associates may use or disclose PHI directly relevant to the individual’s care or payment related to the individual’s care to a spouse, family member, friend, or any other person identified by the individual, if the individual is present and the associate obtains the individual’s consent; or provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection. Otherwise, associates are not permitted to disclose PHI to an individual’s spouse, family member, or friend, absent express written authorization from the individual. All requests for the disclosure of PHI received from a spouse, family member, friend (excluding requests from the parent or legal guardian of a minor child) must be referred to management or compliance designee in order to ensure that proper authorization has been obtained before making the disclosure.
- Deceased Persons – A copy of the certified death certificate must accompany the documentation indicating that the individual requesting the information acts as executor of the will or estate.
- Disclosures to HHS, Law Enforcement or Other Administrative or Judicial Authorities – Requests for PHI by HHS, law enforcement agents or other government or administrative authorities (including subpoenas, court orders, discovery requests, public health, criminal or civil investigations, etc.) are referred to Management or the compliance designee.
Valid Authorization for Uses and Disclosures
Except as otherwise permitted or required by the Privacy Rule, the Organization may not use or disclose PHI without a valid authorization. To be considered valid under the HIPAA Privacy Rule, the authorization must be written in “plain language” and must contain all of the following elements:
- A specific and meaningful description of the information to be disclosed.
- The name or other specific identification of the person (or organization or class of persons) authorized to make the requested disclosure.
- The name or other specific identification of the person (or organization or class of persons) to whom the information will be disclosed.
- The purpose of the requested disclosure. (If the individual initiates the authorization, the statement “at the request of the individual” is a sufficient description of the purpose).
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
- Signature of the individual and date. If the authorization is signed by a personal representative, a description of such representative’s authority to act on behalf of the individual must also be provided.
In addition to the core elements, above, the authorization must contain statements regarding the following:
- The individual understands they have the right to revoke the authorization in writing, except to the extent that action has already been taken in reliance on the authorization.
- The individual understands that signing the authorization is voluntary and that their treatment, payment, enrollment, or eligibility for benefits will not be conditioned on the individual’s authorization of the disclosure.
- The individual understands that information disclosed under the authorization may be subject to redisclosure by the recipient, and may no longer be protected by federal or state law.
- If the Organization seeks an authorization for use and disclosure of PHI, the Organization must provide a copy of the signed authorization to the individual.
Requests for access will be reviewed and acted upon no later than 30 days after receipt of the request. If the Organization is unable to take action within the time required, the Organization may extend the time for such action by no more than 30 days, provided that a written statement of the reasons for the delay and the date by which the Organization will complete its action on the request is provided to the individual within the initial 30-day period.
If the Organization does not maintain the PHI that is the subject of the individual’s request, and the Organization knows where the requested information is maintained, the Organization will inform the individual where to direct the request for access.
If access is granted, in whole or in part, the Organization will inform the individual of the acceptance of the request in writing. The Organization will arrange a convenient time and place for the individual to inspect or obtain a copy of the PHI, or mail the copy of the PHI at the individual’s request.
- If the individual’s request for access directs the Organization to transmit the copy of PHI directly to another person designated by the individual, the Organization will provide the copy to that designated person. The request must be made in writing, signed by the individual, and clearly identify the designated person and where to send the copy of PHI.
- The Organization will provide access to the PHI in the form or format requested, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the Organization and the individual.
- The Organization may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI or may provide an explanation of the PHI to which access has been provided, if:
- The individual agrees in advance to such a summary or explanation; and
- The individual agrees in advance to the fees imposed, if any, by the Organization for such summary or explanation.
If access is denied on a ground permitted by HIPAA, in whole or in part, the Organization will provide the individual with a written denial. The denial will be provided in plain language and contain:
- The basis for the denial;
- A statement of the individual’s review rights, including how the individual may exercise such review rights; and
- A description of how the individual may complain to the Organization.
- Beacon Health Solutions will deny a request for access without providing an individual an opportunity for review if the PHI is excluded from the right of access. This includes:
- Psychotherapy notes;
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;
- Protected health information maintained by a laboratory that is subject to CLIA, to the extent the provision of access to the individual would be prohibited by law, or that is exempt from CLIA; and
- If the PHI is eligible for unreviewable grounds for denial as set forth by HIPAA.
Beacon Health Solutions may deny a request for access to PHI:
- If a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
- If the PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or
- If the request for access is made by the individual’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
Review Rights
Individuals will be given an opportunity to have the denial reviewed by a licensed health care professional who is designated by the Client/Organization to act as a reviewing official and who did not participate in the original decision to deny the request for access to PHI. The designated reviewing official will determine, within a reasonable period of time, whether or not to deny the access requested.
Upon determination, the Organization will promptly provide a written notice to the individual of the determination of the designated reviewing official and take other action as required to carry out the designated reviewing official’s determination.
Amendments to PHI
Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting. With limited exceptions, HIPAA requires that individuals be afforded the opportunity to request amendment of their protected health information. This includes information held by a business associate. Beacon Health Solutions abides by the terms specified in the business associate contract and makes such protected health information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. However, if the business associate contract specifies that Beacon Health Solutions will receive and address requests for amendment on behalf of the covered entity, Beacon Health Solutions will follow the procedures set forth below.
Beacon Health Solutions may require individuals to submit requests for amendments or corrections to PHI in writing. Although individuals are not required to complete an Authorization Form, one will be made available to individuals upon request.
- The request for amendment or correction must provide a reason to support the requested amendment.
- These requests are reviewed and acted upon within 60 days after receipt. If the Organization is unable to act on the amendment within the time required, it may extend the time for such action by no more than 30 days, provided that:
- The Organization, within the initial time limit, provides the individual with a written statement of the reasons for the delay and the date by which the Organization will complete its action on the request; and
- The Organization has only one such extension of time for action on a request for an amendment.
If the requested amendment is granted, in whole or in part, the Organization will take actions within the timeframe specified above.
- The Organization will make the appropriate amendment to the PHI or record that is the subject of the request for amendment by, at minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
- The Organization will inform the individual that the amendment is accepted and obtain the individual’s agreement to have the Organization notify the relevant person with which the amendment needs to be shared.
- The Organization will make reasonable efforts to inform, in writing and within a reasonable time, the persons identified by the individual as having received PHI about the individual and needing the amendment, as well as persons, including business associates, that the Organization knows have the PHI that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.
Beacon Health Solutions may deny an individual’s request for amendment, if it determines that the PHI or record that is the subject of the request:
- Was not created by the Organization, unless the individual provides reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment;
- Is not part of the designated record set;
- Would not be available for inspection under the right of access (i.e., is excepted from access, as described above); or
- Is accurate and complete.
If the requested amendment is denied on a ground permitted by HIPAA, in whole or in part, the Organization will provide the individual with a written denial. The denial is provided in plain language and contains:
- The basis for the denial;
- The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement;
- A statement that, if the individual does not submit a statement of disagreement, the individual may request that the Organization provide the individual’s request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment; and
- A description of how the individual may complain to the Organization or to the Client/Organization.
The Organization will identify the record or PHI in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual’s request for an amendment, the Organization’s denial of the request, the individual’s statement of disagreement, if any, and the Organization’s rebuttal, if any, to the record set.
Written Statement of Disagreement
Individuals will be given an opportunity to submit a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The Organization may prepare a written rebuttal to the individual’s statement of disagreement. Whenever a rebuttal is prepared, the Organization will provide the individual who submitted the statement of disagreement with a copy of the rebuttal.
Future Disclosures
If a statement of disagreement has been submitted by the individual, the Organization will include the material appended, or an accurate summary of any such information, with subsequent disclosures of the PHI to which the disagreement relates.
If the individual has not submitted a written statement of disagreement, the Organization will include the individual’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the PHI only if the individual has requested such action.
When a subsequent disclosure is made using a standard transaction that does not permit the additional material to be included with the disclosure, the Organization will separately transmit the material to the recipient of the standard transaction.
If the Organization is informed by a covered entity of an amendment to an individual’s PHI, the Organization will amend the PHI in designated record sets as required by HIPAA.
Accounting of Disclosures
Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting. With limited exceptions, a covered entity is required to provide an individual with an accounting of disclosures of his or her protected health information. This includes disclosures made by a business associate. Beacon Health Solutions abides by the terms specified in the business associate contract and makes such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. However, if the business associate contract specifies that Beacon Health Solutions will provide the accounting to individuals, as may be appropriate given the PHI held by, and the functions of, the Organization, Beacon Health Solutions will follow the procedures set forth below.
An individual has a right to receive an accounting of disclosures of PHI made by the Organization in the six (6) years prior to the date on which the accounting is requested, except for:
- Disclosures the individual has authorized.
- Disclosures made earlier than six years before the date of the request.
- Disclosures made for treatment, payment, or health care operations purposes.
- Certain other disclosures that are excluded by law.
The accounting will include:
- The date of each disclosure;
- The name of the entity or person who received the PHI and, if known, the address of such entity or person;
- A brief description of the PHI disclosed; and
- A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.
Requests for an accounting of disclosures are reviewed and acted upon within 60 days after receipt of such a request. If the Organization is unable to provide the accounting within the time required, it may extend the time for such action by no more than 30 days, provided that:
- The Organization, within the initial time limit, provides the individual with a written statement of the reasons for the delay and the date by which the Organization will provide the accounting; and
- The Organization has only one such extension of time for action on a request for an accounting.
The Organization will document and maintain the following:
- The information required to be included in an accounting for disclosures of PHI that are subject to an accounting; and
- The written accounting that is provided to the individual.
The Organization may suspend an individual’s right to receive an accounting of disclosures to a health oversight agency or law enforcement official, for the time specified by such agency or official, if such agency provides the Organization with a written statement that such an accounting to the individual would be reasonably likely to impede the agency’s activities and specifying the time for which such suspension is required.
If the agency or official statement is made orally, the Organization will:
- Document the statement, including the identity of the agency or official making the statement;
- Temporarily suspend the individual’s right to the accounting of disclosures subject to the statement; and
- Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement is submitted during that time.
Fees
The organization may impose a reasonable, cost-based fee. Individuals will be informed in advance of the fee and will be provided an opportunity to withdraw or modify the request in order to avoid or reduce the fee. The organization’s cost-based fees include the cost of:
- Labor for copying the PHI requested by the individual, whether in paper or electronic form;
- Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media;
- Postage when the individual has requested the copy, or the summary or explanation to be mailed; and
- Preparing an explanation or summary of the PHI, if agreed to by the individual.
While the Organization provides the first accounting to an individual in any 12 month period without charge, the Organization may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period.
Complaints
Individuals may file a complaint with the Organization if they believe their privacy rights have been violated. To file a complaint, the individual may submit his/her concerns to Management or the compliance designee. The Organization does not tolerate retaliation or retribution against any individual or employee who files a complaint or makes a good-faith report of a potential or suspected violation. All information received is considered confidential. Individuals may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at www.hhs.gov/ocr/hipaa/.
Potential Breach
All associates are expected to be vigilant with respect to guarding PHI, and will access, use, and disclose PHI only as permitted under HIPAA. In the event that a potential breach of PHI occurs, the following procedures must be followed:
- Discovery – A breach of PHI is deemed “discovered” as of the first day the Organization knows of the breach or, by exercising reasonable diligence, would have known about the breach. Because the notification deadlines run from the date of discovery, a potential breach is time sensitive and must be reported immediately.
Breach Excludes:
- Any unintentional acquisition, access, or use of protected health information by an associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted.
- Any inadvertent disclosure by a person who is authorized to access protected health information at the Organization to another person authorized to access protected health information at the Organization, at a business associate, or within an organized health care arrangement in which the Organization participates, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted.
- A disclosure of protected health information where the Organization has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
An acquisition, access, use or disclosure of PHI in a manner not permitted by law is presumed to be a breach unless the Organization or business associate demonstrates there is a low probability that the PHI has been compromised based on a risk assessment of the following factors:
- The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
- Reporting
- The organization has implemented procedures and a system for promptly responding to a potential breach. Employees and/or business associates are educated on the mechanisms available for reporting a potential breach.
- The organization does not tolerate retaliation or retribution against any employee, who makes good-faith reports of potential or suspected violations. The individual(s) may remain anonymous, if they choose. All information received is considered confidential and protected from retaliation.
- Employees who believe a potential breach of PHI has occurred must immediately notify Management or the compliance designee. Reporting mechanisms have been established and are available 24 hours a day, 7 days a week. These mechanisms are covered in training and posted at all employee workstations.
- The employee is encouraged to provide all of the information available regarding the potential breach, including names, dates, the nature of the PHI potentially breached, the manner of the disclosure (fax, email, mail, verbal), names of employees involved, the recipient, all other persons with knowledge, and any associated written or electronic documentation that may exist.
- Notification and associated documentation may itself contain PHI and should only be given to Management or compliance designee.
- Employees are instructed not to discuss the potential breach with anyone else, and must not attempt to conduct an investigation.
- Investigation – Upon receipt of notification of a potential breach Management or compliance designee promptly conducts an investigation.
- Research efforts include, but are not limited to, the collection of facts, review of regulatory guidance, and contact with members and/or providers, request(s) for information from the organization’s departments, and interviews with appropriate employees.
- All research, inquiries, and other investigative activities are kept within the smallest number of individuals in order to ensure confidentiality whenever feasible.
- Information obtained during an investigation is documented and included in the case file. Information obtained may include supporting documentation, such as: recorded interviews, written responses, copy of letters/claims, etc.
- Actions taken, and factual information assembled, are documented in the case notes.
- Risk Assessment and Recommendation – Upon completing the investigation, Management or the compliance designee performs and appropriately documents a Risk Assessment. The purpose of the Risk Assessment is to determine whether a use or disclosure of PHI constitutes a breach.
A “reasoned judgment” standard is applied to the Risk Assessment, which is fact specific, and considers the following factors:
- Did the disclosure involve Unsecured PHI in the first place?
- Who impermissibly used or disclosed the Unsecured PHI?
- To whom was the information impermissibly disclosed?
- Was it returned before it could have been accessed for an improper purpose?
- What type of Unsecured PHI is involved and in what quantity?
- Was the disclosure made for any improper purpose?
- Is there the potential for significant risk of financial, reputational, or other harm to the individual whose PHI was disclosed?
- Was immediate action taken to mitigate any potential harm?
- Do any of the specific breach exceptions apply?
- In the case of a breach that is substantiated by the evidence gathered during the investigation, a corrective action is issued by Management or the compliance designee.
- The corrective action is designed to correct the underlying problem that resulted in program violations and to prevent future breach.
- The corrective action may provide timeframes for specific achievements towards addressing the deficiency. Follow-up on all corrective actions is performed by Management or the compliance designee to ensure that the risk has been properly addressed.
- If corrective actions are not properly implemented, disciplinary measures are taken, up to and including termination of the employee.
- Notification To Individuals – Following the discovery of a breach of unsecured protected health information, Beacon will notify each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of such breach. The Organization provides notification without reasonable delay and in no case later than 60 calendar days after the discovery of the breach.
- The notification shall be written in plain language and must include, to the extent possible:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, diagnosis, or other types of information were involved);
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, an e-mail address, Web site, or postal address.
- The notification will be provided in the following form:
- Written notice: Written notification will be sent by first-class mail to the individual at the last known address of the individual, or if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. If the individual is deceased, the notification will be sent by first-class mail to the next of kin or personal representative of the individual, if known.
- In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual, a substitute form of notice reasonably calculated to reach the individual will be provided. If the individual is deceased, substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual.
- In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, such substitute notice may be provided by an alternative form of written notice, telephone, or other means.
- In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice must:
- Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in a major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
- Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual’s unsecured protected health information may be included in the breach.
- In any case deemed by the organization to require urgency because of possible imminent misuse of unsecured PHI, information may be provided to individuals by telephone or other means as appropriate.
- Notification to the Media – For a breach of unsecured protected health information involving more than 500 individuals, the organization is required, following the discovery of the breach, to notify the affected individuals and prominent media outlets serving the State or jurisdiction. The organization provides notification without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.
- Notification to the HHS Secretary – Following the discovery of a breach of unsecured protected health information, the Organization notifies the Secretary.
- For breaches of unsecured protected health information involving 500 or more individuals, the organization shall provide the notification contemporaneously with the notification to the individual and in the manner specified on the HHS Web site.
- For breaches of unsecured protected health information involving fewer than 500 individuals, the organization maintains a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provides the notification required for breaches discovered during the preceding calendar year, in the manner specified on the HHS Web site.
- Notification by a Business Associate – A business associate is required, following the discovery of a breach of unsecured protected health information, to notify the organization of such breach.
- A business associate must provide the required notification without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
- The notification must include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.
- A business associate is expected to provide the organization with any other available information that is required to include in the notification to the individual, at the time of the notification or promptly thereafter as information becomes available.
- Law Enforcement Delay – A delay in notification is permissible if a law enforcement official states that a breach notification would impede a criminal investigation or cause damage to national security.
- In that event, the law enforcement statement must be in writing and must specify the length of the delay required.
- If the request for a delay in notification is oral, the organization must document the statement, including the identity of the official, and request written confirmation within 30 days. If no written request for a delay is received within that time, the organization must send notification of the breach.
Member Rights
The organization educates employees and business associates on the importance of members’ rights, including:
- Notice of Privacy Practices – An individual’s right to adequate notice of the uses and disclosures of protected health information that may be made by the organization or business associates and of the individual’s rights and the organization’s legal duties with respect to protected health information.
This notice is provided to members at the time of enrollment, to individuals currently covered by the organization annually and within 60 days of a material revision to the notice. The organization provides the revised notice and/or information on how to obtain a copy of the notice. Additionally, the notice is made available on the organization’s website and/or upon request. No less frequently than once every three years the organization notifies individuals covered by the organization of the availability of the notice and instructions on how to obtain the notice.
The Notice must be written in plain language and contain the following elements as set forth by HIPAA:
- Header: The notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
- Use and disclosures- The notice contains:
- A description, including at least one example, of the types of uses and disclosures that the Organization is permitted to make for each of the following purposes: treatment, payment, and health care operations.
- A description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the member’s written authorization.
- If a use or disclosure for any purpose described above is prohibited or materially limited by other applicable law, the description of such use or disclosure will reflect the more stringent law.
- For each of the above, the description includes sufficient detail to place the member on notice of the uses and disclosures that are permitted or required.
- A statement that other uses and disclosures will be made only with the member’s written authorization and that the member may revoke such authorization.
- Individual rights: The notice contains a statement of the individual’s rights with respect to protected health information and a brief description of how the member may exercise these rights, as follows:
- The right to request restrictions on certain uses and disclosures of protected health information, including a statement that the covered entity is not required to agree to a requested restriction;
- The right to receive confidential communications of protected health information
- The right to inspect and copy protected health information
- The right to amend protected health information
- The right to receive an accounting of disclosures of protected health information
- The right to receive a paper copy of the notice upon request, even when the member has agreed to receive the notice electronically.
- Organization’s Duties – The notice includes:
- A statement that the organization is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured PHI;
- A statement that the organization is required to abide by the terms of the notice currently in effect; and
- A statement that the organization reserves the right to change the terms of its notice and to make new notice provisions effective for all protected health information that it maintains. The statement will also describe how it will provide members with a revised notice.
- Complaints – The notice contains a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint, and a statement that the member will not be retaliated against for filing a complaint.
- Contact – The notice contains the name, title, and telephone number of a person or office to contact for further information.
- Effective date – The notice contains the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
- Confidential Communication – An individual has a right to receive confidential communications of PHI.
- Requests for confidential communication must be submitted in writing. Although members are not required to complete an Authorization Form, one will be made available to individuals via the organization’s website and/or upon request.
- The organization will accommodate reasonable requests by individuals to receive communications of protected health information by alternative means or at alternative locations, if the member clearly states that the disclosure of all or part of that information could endanger the member.
- The organization does not require an explanation from the member as to the basis for the request as a condition of providing communications on a confidential basis.
- Access to PHI – Except for psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, HIPAA requires that members be afforded the opportunity to access certain PHI within a Designated Record Set. The Designated Record Set includes enrollment, payment, and claims adjudication records, and other PHI used by or for the Organization to make coverage decisions about an individual.
- Depending on the type of PHI, members may submit a request for access to PHI by phone, fax, email, or mail.
- Requests will be reviewed and acted upon no later than 30 days after receipt of the request. If the Organization is unable to take an action within the time required, the Organization may extend the time for such actions by no more than 30 days, provided that the Organization provides the individual with a written statement of the reasons for the delay and the date by which the Organization will complete its action on the request.
- If the Organization does not maintain the PHI that is the subject of the individual’s request for access, and the Organization knows where the requested information is maintained, the Organization will inform the individual where to direct the request for access.
- The Organization will deny a request for access without providing the member an opportunity for review if the PHI is excluded from the right of access:
- Psychotherapy notes;
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
- The Organization may deny a member access to PHI:
- If a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
- If the PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that access requested is reasonably likely to cause substantial harm to such other person; or
- If the request for access is made by the individual’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
- If access is denied on a ground permitted by HIPAA, in whole or in part, the Organization will provide the member with a written denial.
- The denial will be provided in plain language and contain:
- The basis for the denial;
- A statement of the individual’s review rights, including how the individual may exercise such review rights;
- The member will be given an opportunity to have the denial reviewed by a licensed health care professional who is designated by the Organization to act as a reviewing official and who did not participate in the original decision to deny.
- If the individual requests a review of a denial, the designated reviewing official will determine, within a reasonable period of time, whether or not to deny the access requested.
- Upon determination, the Organization will promptly provide a written notice to the individual of the determination of the designated reviewing official and take other action as required to carry out the designated reviewing official’s determination.
- A description of how the individual may complain to the Organization or to the Secretary. The description includes the Privacy Officer’s name and telephone number.
- The Organization will, to the extent possible, give the individual access to any other PHI requested, after excluding the PHI as to which the Organization has a ground to deny access.
- If access is granted, in whole or in part, the Organization will inform the individual of the acceptance of the request in writing. The Organization will arrange a convenient time and place for the individual to inspect or obtain a copy of the PHI, or mail the copy of the PHI at the individual’s request.
- If the individual’s request for access directs the Organization to transmit the copy of PHI directly to another person designated by the individual, the Organization will provide the copy to that designated person. The request must be in writing, signed by the individual, and must clearly identify the designated person and where to send the copy of PHI.
- The Organization will provide access to the PHI in the form or format requested, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the Organization and the individual.
- The Organization may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI or may provide an explanation of the PHI to which access has been provided, if:
- The individual agrees in advance to such a summary or explanation; and
- The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.
- Amendments or corrections to PHI – HIPAA requires members to be afforded the opportunity to have the Organization amend PHI or a record about the member that is maintained in the designated record set. The Designated Record Set includes enrollment, payment, and claims adjudication records, and other PHI used by or for the Organization to make coverage decisions about an individual.
- The Organization may require individuals to submit requests for amendments or corrections to PHI in writing. Although members are not required to complete an Authorization Form, one will be made available to individuals via the Organization’s website and/or upon request.
- The request for amendment or correction must provide a reason to support the requested amendment.
- These requests are reviewed and acted upon within 60 days after receipt of such a request.
- If the Organization is unable to act on the amendment within the time required, it may extend the time for such actions by no more than 30 days, provided that:
- The Organization, within the time limit set, provides the individual with a written statement of the reasons for the delay and the date by which the Organization will complete its action on the request; and
- The Organization may have only one such extension of time for action on a request for an amendment.
- If the requested amendment is granted, in whole or in part, the Organization will take the actions within the timeframe specified above.
- The Organization will make the appropriate amendment to the PHI or record that is the subject of the request for amendment by, at minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
- The Organization will inform the individual that the amendment is accepted and obtain the individual’s identification of, and agreement to have the Organization notify, the relevant persons with whom the amendment needs to be shared.
- The Organization will, within a reasonable time, make reasonable efforts to inform in writing the persons identified by the individual as having received PHI about the individual and needing the amendment, and persons, including business associates, that the Organization knows have the PHI that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.
- The Organization may deny an individual’s request for amendment, if it determines that the PHI or record that is the subject of the request:
- Was not created by the Organization, unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
- Is not part of the designated record set;
- Would not be available for inspection under the access provisions above (i.e., is excepted from the right of access); or
- Is accurate and complete.
- If the requested amendment is denied on a ground permitted by HIPAA, in whole or in part, the Organization will provide the member with a written denial.
- The denial is provided in plain language and contains:
- The basis for the denial;
- The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement;
- The member will be given an opportunity to submit a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement.
- The Organization may prepare a written rebuttal to the individual’s statement of disagreement. Whenever a rebuttal is prepared, the Organization will provide the individual who submitted the statement of disagreement with a copy of the rebuttal.
- A statement that, if the individual does not submit a statement of disagreement, the individual may request that the Organization provide the individual’s request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment; and
- A description of how the individual may complain to the Organization or to the Secretary. The description includes the Privacy Officer’s name, title, and telephone number.
- The Organization will identify the record or PHI in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual’s request for an amendment, the Organization’s denial of the request, the individual’s statement of disagreement, if any, and the Organization’s rebuttal, if any, to the record set.
- If a statement of disagreement has been submitted by the individual, the Organization will include the material appended, or at the election of the Organization an accurate summary of any such information, with any subsequent disclosure of the PHI to which the disagreement relates.
- If the individual has not submitted a written statement of disagreement, the Organization will include the individual’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the PHI only if the individual has requested such action.
- When a subsequent disclosure is made using a standard transaction that does not permit the additional material to be included with the disclosure, the Organization will separately transmit the material to the recipient of the standard transaction.
- If the Organization is informed by another covered entity of an amendment to an individual’s PHI, the Organization will amend the PHI in designated record sets as required by HIPAA.
- Accounting of Disclosures – An individual has a right to receive an accounting of disclosures of PHI made by the Organization or business associate in the six (6) years prior to the date on which the accounting is requested, except for:
- Disclosures the individual has authorized.
- Disclosures made earlier than six years before the date of the request.
- Disclosures made for treatment, payment, and health care operations purposes except when required by law.
- Certain other disclosures that are excluded by law.
- The accounting will include:
- the date of each disclosure;
- the name of the entity or person who received the PHI and, if known, the address of such entity or person;
- a brief description of the PHI disclosed; and
- a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or a copy of the written request for disclosure.
- Requests for accounting of disclosures are reviewed and acted upon within 60 days after receipt of such a request.
- If the Organization is unable to provide the accounting within the time required, it may extend the time for such actions by no more than 30 days, provided that:
- The Organization, within the time limit set, provides the individual with a written statement of the reasons for the delay and the date by which the Organization will provide the accounting; and
- The Organization may have only one such extension of time for action on a request for an accounting.
- The Organization will document and maintain the following:
- The information required to be included in an accounting for disclosures of PHI that are subject to an accounting;
- The written accounting that is provided to the individual.
- The Organization may temporarily suspend an individual’s right to receive an accounting of disclosures to a health oversight agency or law enforcement official, for the time specified by such agency or official, if such agency provides the Organization with a written statement that such an accounting to the individual would be reasonably likely to impede the agency’s activities and specifying the time for which such suspension is required.
- If the agency or official statement is made orally, the Organization will:
- Document the statement, including the identity of the agency or official making the statement;
- Temporarily suspend the individual’s right to the accounting of disclosures subject to the statement; and
- Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement is submitted during that time.
- The member has the right to file a complaint with the Organization or the US government (www.hhs.gov/ocr/hipaa/) if they believe their rights are being denied or their health information is not being protected.
- Request Restrictions – An individual has a right to request restrictions on certain uses and disclosures of PHI.
- Requests for restrictions to PHI must be submitted in writing. Although members are not required to complete an Authorization Form, one will be made available to individuals via the Organization’s website and/or upon request.
- Requests to restrict uses and disclosures are reviewed and acted upon following receipt of the request.
- If the Organization agrees to a restriction, it will not use or disclose PHI in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment, the Organization may use the restricted PHI, or may disclose such information to a health care provider, to provide such treatment to the individual.
- If restricted PHI is disclosed to a health care provider for emergency treatment, the Organization will request that the health care provider not further use or disclose the information.
- A restriction agreed to by the Organization is not effective to prevent uses or disclosures permitted or required by HIPAA.
- If the requested restriction is denied on a ground permitted by HIPAA, in whole or in part, the Organization will provide the member with a written denial.
- The Organization may terminate its agreement to a restriction, if:
- The individual agrees to or requests the termination in writing;
- The individual orally agrees to the termination and the oral agreement is documented; or
- The Organization informs the individual that it is terminating its agreement to a restriction, except that such termination is only effective with respect to PHI created or received after it has so informed the individual.
Fees
The Organization may impose a reasonable, cost-based fee; notification of the Organization’s policy regarding fees will be documented on the Privacy Notice.
- Fees assessed for Access to PHI
- Labor for copying the PHI requested by the individual, whether in paper or electronic form;
- Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media;
- Postage when the individual has requested the copy, or the summary or explanation be mailed; and
- Preparing an explanation or summary of the PHI.
- Fees assessed for Accounting of Disclosures
- The Organization provides the first accounting to an individual in any 12 month period without charge.
- The Organization may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period provided the Organization has informed the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.
Sanctions
The Privacy Officer or designee investigates suspected violations. Each action is considered on a case-by-case basis, and disciplinary actions are imposed on a fair and equitable basis and consistently applied. Appropriate sanctions are instituted against employees and/or business associates who fail to comply with the Organization’s HIPAA Privacy and Breach Notification Policies and Procedures contained herein.
The Organization maintains a separate policy and procedure for Disciplinary Actions.
Civil Penalties for HIPAA Privacy Rule Violations: The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing the Privacy Rule and may conduct complaint investigations and compliance reviews. The Organization may be subject to civil monetary penalties of $100 to $50,000 or more per violation, up to an annual cap of $1,500,000. A civil monetary penalty will not be imposed for violations in certain circumstances, such as if:
- the failure to comply was not due to willful neglect, and was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred (unless the period is extended at the discretion of OCR); or
- the Department of Justice has imposed a criminal penalty for the failure to comply.
Criminal Penalties for HIPAA Privacy Rule Violations: A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.
Record Retention and Documentation
The Organization will maintain copies of policies and procedures, established for compliance with HIPAA for the period of ten (10) years from inception or the date when it was last in effect, whichever is later. These include:
- Compliance with notice requirements, by retaining copies of the notices issued by the Organization, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment.
- Requests for access to PHI, request for confidential communication, requests for amendments or corrections to PHI, requests for accounting of disclosures, as well as requests for restrictions to use and disclosures of PHI and their disposition.
- All complaints received, the details of each phase of the investigation process, and their disposition, if any.
- All phases of the breach investigation process on a case-specific basis, in a manner sufficient to demonstrate that all appropriate steps were completed, including all supporting documentation associated with the potential breach.
DEFINITIONS:
Administrative Safeguards – Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
Breach – the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI in that the disclosure of the information poses a significant risk of financial, reputational, or other harm to the individual.
Business Associate – A person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review and billing. The term Business Associate includes first-tier, downstream and related entities (FDRs).
Covered entities – Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.
- Health Care Provider – Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
- Organizations – Any individual or group organization that provides or pays the cost of health care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
- Health Care Clearinghouses – A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice-versa.
Disclosure – any release, transfer, provision of access to, or divulging in any other manner of PHI to persons outside of the Organization.
Electronic PHI (“ePHI”) – a subset of PHI that is created, received, maintained or transmitted in electronic format. All ePHI is Protected Health Information and is subject to the HIPAA privacy, security and breach notification requirements.
Physical Safeguards – Physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Protected Health Information (“PHI”) – means information, in any format, that is created or received by the Organization and relates to the past, present, or future physical or mental health or condition of a member; the provision of health care to a member; or the past, present, or future payment for the provision of health care to a member; and that identifies the member or for which there is a reasonable basis to believe the information can be used to identify the member.
Secured PHI – PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals by either encryption or destruction by a method approved by the National Institute of Standards and Technology.
Technical Safeguards – The technology, and the policies and procedures for its use, that protect electronic protected health information and control access to it.
Unsecured PHI – any PHI that is not secured using one of the HHS-approved technologies or methods (encryption or destruction).
Use – the sharing, employment, application, utilization, examination, or analysis of PHI, in oral, written, electronic or other format.
Workforce member – includes employees, volunteers, trainees and other persons whose conduct, in the performance of work for a Business Associate, is under the direct control of the Business Associate.