|
Privacy Statement
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
General Provisions of the Privacy Regulation
There are six general provisions in the Privacy Regulation that specify allowable uses or disclosures of protected health information. These six general provisions are described below.
1. Individual
In most cases, Access Community Health Centers (ACHC) is allowed to disclose protected health information to the individual who is subject of the information. For ACHC, and individual is mostly a patient.
For the purposes of the Privacy Regulation, personal representatives as defined in the state law are treated as the "individual". The only protected health information an individual does generally not have a right to access is information compiled in anticipation or use for a civil, criminal or administrative action.
2. Treatment, Payment or Operations
Use of Protected Health Information
In general the Privacy Regulation allows ACHC to use protected health information for our own treatment, payment or health care operations activities. This allows ACHC to see patients, generate bills, collect payments, and conduct all operational activities as listed below:
- Quality assessment and improvement
- Outcomes evaluation and clinical guidelines
- Protocol development
- Case Management
- Evaluation of Providers
- Accreditation, certification, licensing, credentialing
- Training Programs
- Medical review, legal, auditing
- Business planning and development
There are no "minimum necessary" restrictions on uses for treatment activities, however minimum necessary restrictions apply for all payment and operations activities.
Disclosures of Protected Health Information
The Privacy Regulation allows ACHC to disclose protected health information for the treatment, payment and health care operations of other covered entities with a few restrictions. Conversely, other covered entities are allowed to disclose protected health information to ACHC for these same purposes with the same restrictions.
Treatment - information is allowed to flow between covered entities for treatment purposes. This means there are no restrictions for a "minimum necessary" disclosure for treatment purposes, including consultations or referrals, or any other activities related to treating the individual (patient).
Payment - information is allowed to flow between covered entities, including providers (e.g. physicians' offices and hospitals) and health plans (e.g. HMOs) for payment purposes. The primary restriction on the flow of information is that only a "minimum necessary" amount of information may be share to accomplish the intended purpose.
Operations - information is allowed to flow between covered entities, including providers and health plans, for certain specified heath care operations. A first restriction on the flow of information is that only a "minimum necessary" amount of information can be shared to accomplish the intended purpose. A second restriction is that both covered entities must have some relationship with the individual (patient). A third restriction is that information can be shared for only specific operational activities as follows:
- Home health agency that provides care to you
- To other physicians who may be treating you
- A physician to whom you have been referred to, to ensure that the physician has necessary information to diagnose or treat you. Quality assessment and improvement.
3. Incidental uses or disclosures
An incidental use or disclosure of protected health information may occur as a result of performing our day-to-day activities. These uses or disclosures are generally considered "acceptable" if the following criteria are met:
- It is limited in nature
- It cannot be reasonably prevented
- It occurs as a by product of an allowable use or disclosure
In addition, for any incidental use or disclosure to be considered allowable, ACHC must make sure that only a "minimum necessary" amount of protected health information is used for our activities as required, and that we employ "reasonable security" for the storage and transmission of protected health information.
4. Authorization
In most other day-to-day situations at ACHC that involve the use or disclosure of protected health information that was not described above, an authorization from the patient is required. An authorization is a document that contains specific information, and is signed and dated by the individual (patient). The authorization must contain the following information:
- A description of the information to be used or disclosed
- Name of Requestor
- Name and date of birth of the individual (patient)
- Specific type of information to be released, including treatment and exam dates
- Expiration date or event
- Several other required statements
- Signature of the individual (patient) and/or legal guardian and date
5. Agreement or objection from individual
The HIPAA Privacy Regulation allows for the disclosure of information if the individual (patient) has an opportunity to either agree to, or object to the disclosure. This includes disclosures to family members, relatives and friends. In general there are two scenarios where this applies - either the individual is present, or not.
- If the individual is present he/she must be given the opportunity to agree or object to the disclosure, or the disclosure can be made if it can be inferred that the individual does not object. This includes allowing patient visitors in rooms, discussions with family members, and similar situations.
- If the individual is not present, the regulation requires that practitioners and other health care staff use professional judgment and common accepted practices.
The overriding factor in these situations is to consider what is in the best interest of the patient.
6. Other specific uses or disclosures
The Privacy Regulation lists other uses or disclosures that are allowed in specific circumstances:
- Required by Law
- Public Health
- Communicable Diseases
- Health Oversight
- Abuse or neglect
- Food and Drug Administration
- Legal proceedings
- Law Enforcement
- Coroners, Funeral Directors and Organ Donations
- Military Activity & National Security
- Inmates
- Required uses and disclosures
The application of these circumstances in day-to-day activities will vary depending on the employee's job duties. For more information contact one of the individuals listed at the bottom of this page.
Notice of Privacy Practices
Access Community Health Centers is required to provide a Notice of Privacy Practices to all patients and other individuals with whom we use or disclose protected health information.
The Notice must be provided to individuals no later than the first date of service that takes place on or after April 14, 2003. In addition, ACHC is required to make a good faith effort to obtain a written acknowledgement of the receipt of the notice. For clinical patient care, this will typically take place at the time of registration.
Minimum Necessary
ACHC must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of use or disclosure. This "minimum necessary" requirement may be met by policies and procedures for routine uses or disclosures, or by review on a case-by-case basis:
Minimum necessary does not apply for disclosures to the individual who is the subject of the information, for treatment purposes, or for disclosure made as a result of authorization.
An overriding factor to consider in many day-to-day situations for all payment and operations (and although the regulation does not require it, for treatment activities as well) is to ask "Is this health information necessary for the employee to do their job". If the answer is "yes", you probably are fulfilling the minimum necessary requirements and complying with this part of the Privacy Regulation.
Business Associates
A Business Associate is defined as any individual or organization that performs, or assists in the performance on behalf of ACHC a function or activity involving the use or disclosure of individually identifiable health information. Business Associates also are individuals or organizations that provide certain specific services involving the disclosure of individually identifiable health information from ACHC to the business associate. Examples of services that may make an individual or organization a Business Associate include consulting, data aggregation and transcription services.
It is important to note that a person or organization that provides services for ACHC, but is not paid for these services, may still be considered a Business Associate. It is the function of the individual or organization that determines whether there is a Business Associate relationship.
ACHC is required to have signed contracts with specific terms for all Business Associates.
Fund Raising Activities
Without an authorization from the patient, ACHC cannot use a patient's demographic information, condition, diagnosis, clinic name where services were received, or specialty of treating physician, to identify or assemble mailing lists for fundraising or promotional purposes.
The contents of the patient authorization are specific and unique to the Privacy Regulation.
State Law Preemption
The State of Wisconsin has always had stringent patient privacy laws. HIPAA law however preempts (replaces or overrides) State law, unless the State Law is "more stringent". For puposes of the Privacy Regulation, more stringent means:
- With respect to a use or disclosure, that the law which provides the greatest restrictions or prohibitions.
- With respect to patient rights, that law which provides greater access or amendment.
- With respect to information released to the patient, that law which provides the greater amount of information.
HIPAA sets a national privacy protection "floor". The comparison of State law to the federal HIPAA Privacy law is complicated and dependent on specific circumstances. Because Wisconsin has traditionally had relatively stringent privacy protection regulations, the impact of the federal HIPAA Privacy Regulation in Wisconsin will not be as great as in other states.
If you need additional information
Should you have questions on the information contained on this page, you may contact the Chief Operations Officer at 608-443-5500.
|
|
