This practice is committed to complying with the HIPAA rules. This HIPAA Privacy Policy includes a “good faith” effort to reduce health care administrative costs, implement standard claims formats and code sets, limit access to patient electronic health information, and protect patient protected health information (PHI) from inappropriate use and disclosure, and to ensure access to health records as described in the Rule. It will be updated or revised as needed.
This manual is designed to serve as a source of information concerning our HIPAA implementation approach, to document our policies and procedures, and to provide documentation tools. Not all the information contained in this manual will be applicable to each employee or every situation that the practice might encounter.
· We require all employees, contractors, Business Associates, and their subcontractors to adhere to or be consistent with all applicable elements of our HIPAA Policies and Procedures.
This practice intends to preserve the integrity, confidentiality and appropriate access of patient protected health information. The primary objective of the practice is to provide quality health care while protecting the patient’s rights. The provider(s) and staff will adhere to the intent of the established policies.
1. The practice’s Privacy Officer will stay abreast of changing Privacy requirements and practice compliance.
2. The practice shall conduct a periodic “Gap Review” of the current operations to identify areas needing attention in order to comply with the Privacy requirements as they are understood and as they evolve. The results of this Review will be used by the practice as a checklist for monitoring improvements in the practice’s compliance efforts. This responsibility may be outsourced.
3. This practice will establish and maintain a current Business Associate listing. The practice will establish a Business Associate Agreement that addresses the HIPAA requirements for Business Associates and their subcontractors and that is consistent with the requirements of the Privacy Rule. All Privacy Rule commitments that affect the Business Associates will be included in the Agreement. This Agreement will be updated as the regulations and guidance change.
4. This practice’s Notice of Privacy Practices (NPP) will comply with the current requirements, will be offered to each patient, and will be posted in an accessible area within the practice as specified in the Privacy Rule. Each revised NPP will also be posted on the practice’s website (if applicable). The NPP will include how the practice may use the patient’s protected health information (PHI) and the patient’s rights concerning their PHI. The patient’s rights are covered in detail in Chapter 4.
5. This practice will follow appropriate policies and procedures to guide the practice providers and staff in meeting the details of Privacy Rule requirements.
6. The practice will provide appropriate Privacy Rule training for all levels of the practice workforce. The practice will provide standard staff training on the practice’s Privacy policies and procedures. This will include periodic refresher and update training, as well as new employee training on the Privacy requirements. Training will be modified when appropriate, and specialized training will be utilized as needed. Training may involve formal classroom sessions, read-and-sign training, computer-based training, distance learning (webcasts, teleconference) or a combination of these methods.
7. All members of our workforce will be required to sign our practice’s HIPAA-mandated Nondisclosure/Confidentiality Agreement.
8. We will endeavor to verify fax numbers prior to faxing any PHI and will always use a HIPAA-compliant coversheet such as the example included in the HIPAA Documentation Kit manual. We will fax to employers and schools at the request of the patient or the patient’s personal representative only if we have an authorization signed by the patient or the patient’s personal representative. Immunization records required by law may be released with verbal authorization.
9. When electronic communications (emails) include PHI, we will use an appropriate confidentiality statement, similar to those used on fax cover sheets. We will inform the patient requesting electronic communications if the communications may not be secure.
10. We respect the privacy of our employees and will make a good faith effort to protect their information, including health-related matters as well as financial information. This includes adherence to the “Minimum Necessary” requirement of the Privacy Rule. Exceptions: OSHA and Workers’ Compensation issues.
11. In order to protect health information, we will adhere to the following policies as much as feasible:
a. Keep voices low when discussing PHI.
b. Limit discussions within the practice to the minimum necessary.
c. Close windows at the front desk as much as possible and keep conversations to a minimum.
d. Close doors to exam or treatment rooms before discussing PHI.
e. Discuss financial issues in an area that offers privacy.
f. Limit traffic in the clinical areas.
g. Escort individuals who are not part of our workforce while they are in clinical areas.
h. Position terminals and written PHI so that unauthorized individuals may not readily access them.
i. Place any papers in chart holders in such a manner as to protect any patient identifiers or health information from unauthorized individuals. This may mean placing the papers in the holders backwards, using only opaque holders, or placing opaque paper in front of the health information.
j. Cover schedules or place them where unauthorized individuals cannot see them.