
HIPAA


 

Health Insurance Accountability and Portability Act (HIPAA) Privacy & Security

 

Statement

It is the policy of all NPT facilities to fully comply with all provisions of the 1996 Health Insurance Portability and Accountability Act (HIPAA).

 

Purpose

The purpose of this policy is to protect any and all personally identifiable information that NPT facilities receive about a member. HIPAA requirements mandate that NPT facilities protect confidential patient information and take reasonable precautions to minimize the chance of inadvertent disclosures to other parties.

 

Guidelines

Administrative and Documentation Requirements

1.     NPT facilities will maintain all records and changes to those records for a period of six years.

2.     NPT facilities will make every effort to obtain a written acknowledgement of the receipt of the Notice to Privacy Practice form from an individual before the facility uses or discloses their protected health information (PHI) for treatment or to obtain payment for said procedures.

3.     NPT facility members have the right to restrict the use and disclosure of their PHI for treatment, healthcare operations or payment.

4.     NPT facility members have the right to access their PHI. They may inspect and obtain a copy of their patient file at any time. They may access this information from the facility's designated privacy officer who will receive and process their request for access.

5.     NPT facility members have the right to amend their PHI for as long as the PHI is maintained in their patient record. They may also amend this information by submitting the request to the facility's designated privacy officer who will be responsible for receiving and processing the request for amendment.

6.     A NPT facility member has the right to receive a record of disclosures of PHI made by any organizations or groups during the six year retention of records.

7.     NPT facilities will maintain documentation of the following forms:

a.     All signed authorizations

b.     All complaints received and how they were handled

c.      Any sanctions that were applied as a result of non-compliance

d.     Any use or disclosure of PHI for research without the facility member's authorization

 

Mitigation

1.     NPT facilities will promptly notify any facility member of a breach of PHI within 24 hours of discovery.

 

Changes in Law

1.     NPT facilities will promptly revise documented policies and procedures within 90 days of notification of a change in law.

2.     NPT facilities will implement revised documented policies and procedures within 60 days after the facility has revised its documented policies and procedures per the changes in law.

3.     NPT facilities will notify facility members in writing, whenever there is a change in policy or procedure within 90 days and will obtain written verification that the changes are understood and will be complied with.

4.     NPT facilities will maintain individual verification of policy and procedure changes in facility patient, employee or vendor files.

 

Designation of Privacy Official and Contact Person

1.     NPT facilities will appoint a Privacy Officer.

2.     The Privacy Officer will be responsible for implementing HIPAA policies and procedures for the facility.

 

Disciplinary Actions for Individuals who Violate HIPAA Policies and/or NPT Facilities Office Privacy and Security Policies

1.     NPT facilities will follow a discipline policy for individuals who violate facility policies and procedures, any privacy rule or other applicable federal or state privacy laws.

2.     Individuals who violate facility policies and procedures, any privacy rule or other applicable federal or state privacy law will be subject to disciplinary action up to and including termination.

 

Training for Staff

1.     The NPT facility Privacy Officer will train facility staff in privacy policies and procedures that are applicable to their position so they can carry out their functions.

2.     All new staff members will be trained within 30 days after hire.

3.     Affected facility staff will be trained on any policy and procedure changes within 30 days of the revised policy or procedure.

4.     All facility staff will acknowledge in writing that they have received and read a copy of the facility's policies and procedures.

5.     Such acknowledgement will be placed in the facility employee file for a period of no less than six years.

 

Authorizations

1.     NPT facilities will act in accordance with all federal and state laws as are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

2.     When appropriate, the facility will obtain written authorization from a patient (or patient's representative) before the facility uses or discloses a member's PHI for any purpose, except for treatment, to obtain payment for that treatment or for the facility's operations.

3.     When NPT facilities use a written authorization form, the facility will always act in accordance with that authorization.

4.     A facility member may revoke an authorization at any time by written notice to the facility's Privacy Officer.

5.     NPT facilities will not use any authorization known to have been revoked.

6.     NPT facilities will use and disclose PHI when the facility receives a valid authorization form from another healthcare provider.

7.     NPT facilities will depend on the authorization form from another provider to have requested only the minimum necessary PHI.

8.     NPT facilities will not use any authorization known to have expired.

9.     NPT facilities will maintain and document all signed authorizations and revocations in the member's file for a period of no less than six years.

 

Complaint Process

1.     NPT facilities act in accordance with all federal and state laws as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

2.     NPT facilities have designated an individual responsible for receiving, documenting and maintaining complaints regarding privacy practices.

3.     All complaints will be maintained in the member's file for a period of no less than six years.

4.     If NPT facilities deny an individual access to their PHI or refuse to amend their medical record, the individual can file a complaint in writing within 180 days of the occurrence. The complaint must contain the time the individual became aware of the violation, how long the facility violated the privacy practice and the privacy rule violated. The individual may file this complaint with the facility's Privacy Officer or directly with the Secretary of Health and Human Services.

 

Accounting of Disclosures to Individuals

1.     NPT facilities will track disclosures of PHI made outside the parameters of treatment, payment or health care operations in the event that this information is requested.

2.     NPT facilities will maintain this information for a period of no less than six years and will keep a record of disclosures in each member file.

3.     NPT facilities will also create a duplicate tracking of disclosures of PHI outside the above mentioned parameters on a master log.

4.     NPT facilities will provide an accounting of disclosures to members for no more than six years.

5.     NPT facilities will provide disclosures within 60 days of the request.

6.     NPT facilities have the right to temporarily suspend accounting of disclosure for regulatory agencies or law enforcement officials when providing this disclosure would impede an investigation that involves the individual in question. NPT facilities will allow either of these groups to submit a statement orally that includes a timeframe for the exclusion period. The suspension is limited to 30 days unless appropriate written documentation is submitted within 30 days. Although the NPT facilities' accounting of disclosures is not being released during this time, the facility will continue to track and log the information for release at a later date.

7.     A NPT facility member has the right to request, free of charge, once every 12 months, an accounting of disclosures. However, the facility retains the right to charge a reasonable fee for more frequent requests.

8.     The NPT facility Privacy Officer will be the person responsible for receiving, processing, documenting and maintaining all accounting requests.

Member's Rights to Inspect and Copy their PHI

1.     The NPT facility Privacy Officer will be the person responsible for receiving, processing, documenting and maintaining all requests from a member to inspect and copy their PHI.

2.     The NPT facility Privacy Officer retains the right to deny access to PHI information for the following reasons:

a.     For records subject to the Privacy Act, 5 U.S.C., Section 552a, if the access meets the requirements of that act; and if the PHI was obtained from someone other than a healthcare provider under a promise of confidentiality and the requested access would more than likely expose the source of the information, the facility will deny the request.

b.     Psychotherapy notes.

c.      Information gathered for a criminal, civil or administrative action or suit.

d.     PHI information b the facility is subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C., 263a, when granting access to the individual would be a prohibition by law; or exempt for Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493,(a)(2).

e.     PHI information created or gathered during research that consists of treatment can be suspended for as long as the research is in progress.

f.       If the information needs to be provided to a correctional institution and if it would jeopardize safety, health or security.

3.     NPT facilities retain the right to deny access in the following situations; however, facility patients have the right to have the denial reviewed by submitting, in writing, a complaint to the facility Privacy Officer or the Secretary of HHS. The facility will follow the complaint process as set above.

a.     When a facility provider feels that giving such information would endanger the life or safety of the individual or another person.

b.     When the PHI makes mention of another person and is likely to endanger the life or safety of that individual.

c.      When the request is made by a member's personal representative and when the facility provider feels that providing such information is likely to endanger the life or safety of that member or another person.

 

A Member's Right to Request Amendment

1.     The facility's Privacy Officer will be the person responsible for receiving, processing, documenting and maintaining all requests from a member to amend their PHI.

2.     NPT facilities will respond to a request for amendment no later than 60 days after receiving the request for amendment.

3.     If the facility decides to grant the request for amendment, the facility will:

a.     Identify all the information or files that will have to be amended and will make the amendment.

b.     If the facility denies the request for amendment, the facility will follow the complaint policy process outlined in the section above.

c.      NPT facilities will make amendments to a patient's PHI when a Business Associate informs the facility of an amendment and informs the member that such an amendment has been made.

 

A Member's Right to Request Confidential Communications

1.     The NPT facility's Privacy Officer will be the person responsible for receiving, processing, documenting and maintaining all requests from an individual to invoke their right for alternative communication.

2.     NPT facilities will comply with all requests for alternative communications as long as the administrative burden is not unreasonable and the request does not endanger the safety or life of the individual or another person.

3.     NPT facilities will inform our Business Associates of our decision to accommodate such a request and provide them with the minimum necessary information to comply with the request for alternative communication.

 

A Member's Right to Request Restriction of Disclosures

1.     The NPT facility's Privacy Officer will be the person responsible for receiving, processing, documenting and maintaining all requests from an individual to request restriction of disclosure.

2.     NPT facility members have the right to request restriction of the use and disclosure of their PHI, including treatment, payment or healthcare operations.

3.     NPT facilities will comply with requests that are reasonable and will inform all Business Associates of such a restriction.

4.     NPT facilities will temporarily suspend restriction in an emergency situation when the information provided will be used for emergency treatment.

5.     NPT facilities and NPT facility members retain the right to terminate the restriction. If the NPT facility decides to terminate the restriction, they will do so in writing and inform all relevant individuals or groups. NPT facilities will also maintain a record of such termination in the member's file.

 

Minimum Necessary

1.     NPT facilities will make all reasonable efforts to only release minimum necessary patient PHI information to accomplish the intended purpose of the use, disclosure or request.

2.     NPT facilities will follow our routine for recurring requests for disclosure procedures.

3.     For all non-routine requests or disclosures of PHI, the facility will not release any information until the Privacy Officer has reviewed the request on a patient-by-patient basis to assure that only the minimum necessary information is being released for the purpose of the request or disclosure.

4.     NPT facilities will not release an entire record except as permitted by the facility's policies and procedures.

5.     Each facility's staff member will only use the minimum necessary information to perform routine duties.

 

Business Associates

1.     NPT facilities will obtain verification that their Business Associates will safeguard and limit the use and disclosure of PHI information supplied by the facility.

2.     The facility's Business Associates Agreement contains the terms that federal law requires in each Business Associates contract. Business Associates Agreement requirements are exempt when the facility discloses information to a healthcare provider for treatment purposes.

3.     If NPT facilities become aware that the Business Associate has violated their agreement to safeguard and limit the use and disclosure of PHI information, the facility will take prompt, reasonable steps to see that the violation is eliminated and not repeated.

4.     If the Business Associate does not promptly eliminate the violation and it occurs again, the facility will immediately terminate its contract with that Business Associate.

5.     If, for whatever reason, the contract with the Business Associate cannot be terminated, the facility will immediately report that Business Associate to the US Department of Health and Human Services.

 

Personal Representatives

1.     NPT facilities will treat personal representatives as the member and give them the same access to PHI that the facility would give to the individual themselves.

2.     NPT facilities will treat a deceased person's executor, administrator or other person with authority as the deceased person's personal representative.

3.     NPT facilities will treat a person who has the legal authority to act on the behalf of an emancipated minor or adult as a personal representative.

4.     NPT facilities will treat the legal parent, guardian or other person acting in loco parentis, on behalf of an unemancipated minor as a personal representative.

5.     NPT facilities will not disclose PHI to a personal representative that the facility feels may be abusive to a patient if that information will lead to further abuse and harm.

6.     NPT facilities retain the right to disclose, at its discretion, relevant PHI to family members, relatives, close friends, and others who are assisting the medical care of the patient.

 

Requirements for Individual Consent

1.     NPT facilities will obtain consent from the member before the facility uses PHI or discloses it to another party outside the facility's office when carrying out treatment, payment or healthcare operations.

2.     If consent cannot be obtained, the facility will document that we have tried to obtain consent and why we could not. The documentation of such an event will be kept in the patient's file and reviewed by the facility's Privacy Officer.

 

 

 

Resolving Conflicting Consents and Authorizations

1.     If NPT facilities find that there are two or more consents about the member's disclosure of PHI, the facility will follow the consent with the most restrictions.

2.     NPT facilities will work in resolving the conflict between the consents with the member or their personal representative.

3.     NPT facilities will document the member's preference, file it in their patient file and adhere it to the new consent.

 

Use and Disclosure for Deceased Individuals

1.     NPT facilities will protect a deceased member's PHI, as they would a living patient's, for as long as the facility maintains patient information.

2.     NPT facilities will treat a personal representative of an individual as the individual per the section above.

3.     NPT facilities reserve the right to disclose a deceased member's PHI to a facility's participating provider treating a family member when the family member's healthcare provider requires the information for treatment.

 

Use and Disclosure Provisions to Those Assisting in the Healthcare of a Member

1.     NPT facilities will not require that the identity of the member is verified because the member's act of including the other person in his or her care suffices as verification of their identity.

2.     NPT facilities will disclose PHI to notify or assist in notifying the family members, personal representatives or other persons responsible for the member in regards to the member's location, condition or death.

3.     NPT facilities will only disclose the minimum information necessary when the facility obtains verbal authorization from the member.

4.     NPT facilities will not assume that a member's agreement at one time to disclose PHI to a relative or other person(s) assisting in the member's care suggests an agreement to disclose PHI indefinitely. The facility will consistently seek verbal authorization from members to whom PHI should be disclosed.

 

Use and Disclosure When an Individual is Present

1.     NPT facilities will disclose PHI to a third party involved in the member's care, such as a family member, spouse, friend or other person, when the member agrees to such disclosure.

2.     NPT facilities will give the member the opportunity to object about disclosure to a third party. However, if the member does not express an objection, the facility will disclose relevant PHI.

3.     NPT facilities will disclose PHI when circumstances imply that the patient does not object to an individual receiving PHI about their care.

 

Use and Disclosure When an Individual is Not Present

1.     NPT facilities will disclose information that is "functional" such as mobility limitations.

2.     PHI will not be disclosed to an individual that is a suspected abuser.

3.     NPT facilities will not disclose PHI if it can cause the member embarrassment.

4.     NPT facilities will disclose PHI to authorized lawful agencies and/or during disaster relief activities.

5.     NPT facilities will use its best professional judgment and experience with common practices and when it is in the best interest of the patient, the facility will make a reasonable decision to release PHI to an individual that is involved in the healthcare of a member.

 

Use and Disclosure Verification of Identity of Those Requesting PHI

1.     NPT facilities will establish and use the following written policies and procedures that are designed to verify the identity and authority of the members whom the facility does not know.

2.     NPT facilities will verify a public official's identity. If the request is made in person, the facility will ask to see the official credentials, ID badge or proof of government status. If the request is made in writing, the appropriate government letterhead must be used. If the disclosure is to someone acting on behalf of a public official, a written statement on appropriate government letterhead or other evidence must be supplied (i.e., contract for services, memorandum of understanding or a purchase order), something that specifically establishes that this person is acting on behalf of a public official.

3.     The following may also be considered verification:

a.     A written statement of authority

b.     A warrant, subpoena, order, or other legal process issued by a grand jury, court of law or other legal tribunal.

4.     Verification is not required when there is an imminent threat to the safety of the public or a member if disclosure is made to a person reasonably able to lessen or prevent the threat.

5.     NPT facilities will require verification in the following forms:

a.     Driver's license

b.     Photo ID

c.      Power of attorney for personal representatives

 

Whistleblowers Reporting Violations of Protected Health Information

1.     NPT facilities will educate its staff members regarding violations of HIPAA regulations. The education will include periodic video-taped presentations on HIPAA policies and procedures.

2.     Staff members acting "in good faith" will not be punished for reporting violations of HIPAA.

3.     Any disclosures of suspected violations must be made to the proper authorities.