
HIPAA Compliance Policies and Procedures Privacy …


HIPAA Compliance Policies and Procedures
Privacy Standards:
Policy Name: Protected Health Information
Policy #: 1-01
Origination Date:
Review Date: March 15, 2003
Approval:
Reference: 45 CFR 164

Policy:
Performance Physical Therapy will not use or disclose protected health information without the consent or authorization of its patients for purposes other than treatment, billing or operations related to treatment and billing. All personnel will understand and be able to identify the elements of protected health information is any individually identifiable information contained in the patient's medical record or files. This includes the patient's name, address, diagnosis, chart notes, lab results, treatment plan, insurance or financial chart should contain a signed consent form from the patient that authorizes or prohibits the practice from using or disclosing protected health information. The consent form must have been signed within one year of the current may use and disclose protected health information for treatment, billing or operations related to treatment and billing without patient consent.

Any other use of protected health information must be authorized by the patient and documented in the is expected that personnel who release protected health information for any reason will release only the minimum amount of information necessary based on the purpose of the request. For example, if an insurance company requests chart notes for the purpose of reviewing a claim, only the notes specific to that date of service and procedure under review should be protected health information is used or disclosed for any other purpose than treatment, billing or operations related to treatment and billing, the information must be de-identified by removing any and all information that would distinguish the individual's record from a

Compliance Policies and Procedures
Privacy Standards:
Policy Name: Release of Information where Authorization Not Required
Policy #: 1-09
Origination Date:
Review Date: March 15, 2003
Approval:
Reference: 45 CFR :

From time to time, Performance Physical Therapy will release patients' health information without patient consent or authorization.

Performance Physical Therapy will release the minimum amount of information necessary to the extent that such release complies with the law and satisfies the patient's written authorization is not required for the following: judicial request; health oversight; law enforcement; public health activities; coroners and medical examiners and specialized government functions. Specialized government functions include veterans affairs, military activities, national security and intelligence activities; protective services for the President and others; determination of medical stability; correctional institutions; for disclosure about victims of abuse, neglect or domestic violence and to organ procurement information is requested by any of the above mentioned entities or for any of the reasons indicated above, the Compliance Officer/Practice Administrator will verify that the request is coming from an appropriately empowered entity and verify that the individual to whom the information is released is acting on behalf of that will be released within two days of the request or after the Compliance Officer or Practice Administrator has sufficient evidence to verify that information is being released order to verify the identity of individuals requesting information for the purposes mentioned above, the Practice Administrator or Compliance Officer will ask for at least two of the following:

- A written request on company letterhead indicating the purpose for which information will be used and the specific information requested
- Identification including badge or employee ID presented in person along with a driver's license or other valid form of picture ID
- Contact information for the immediate supervisor or human resources department for telephone verification of employment

HIPAA Compliance Policies and Procedures
Privacy Standards:
Policy Name: Patient Information Consent Form
Policy #: 1-03
Origination Date:
Review Date: March 15, 2003
Approval:
Reference: 45 CFR :

Performance Physical Therapy will require all patients to sign a consent form indicating that they have read and agree to the use and disclosure of protected health information for purposes outlined in the practice's Notice of Information copy of the Notice of Information Practices will be provided to all new will be asked to review a copy of the Notice of Information practices and sign the Patient Information Consent Form prior to beginning copy of the signed, dated consent form will be kept with the patient forms will be effective for one year from the date of signature.

If a consent form in the chart is over one year old, the patient should be asked to sign an updated who do not sign the consent form or who wish to have the use of their protected health information restricted in any way will be asked to notify the practice in for restrictions on the use of protected health information will be considered by the Practice Administrator or Compliance Officer on a case by case basis using the following criteria:
- Is the restriction request reasonable?
- Will the restriction negatively affect the practice's business cycle will it change the timeline for payment?
- Will the restriction interfere with the practice's ability to treat a patient?

Practice Administrator or Compliance Officer will notify the patient in writing of Performance Physical Therapy's decision to accept or not accept the patient's requested restriction within fifteen days of receipt of the

Compliance Policies and Procedures
Disciplinary Standards and Corrective Action Initiatives
Policy Name: Investigation of Issues, Complaints, and Problems
Policy #: 3-04
Origination Date:
Review Date: March 15, 2003
Approval:
Reference:

Policy:
The Compliance Officer will be responsible for implementation of investigations of reports or reasonable indications of suspected non-compliance within thirty days of notification.

Investigations revealing criminal or civil violations will be discussed with legal counsel and reported to the applicable authorities within 10 days of Investigation Compliance Officer may receive reports or indications of non-compliance through the following channels:
- Compliance Committee activities such as audits and report reviews;
- Direct reports from employees;
- Anonymous

Compliance Officer will initiate a Compliance Investigation Report within 30 days of report Compliance Officer will investigate the allegations through any of the following methods:
- Review of reports;
- Review of claims;
- Review of medical records and documentation;
- Review of contracts or arrangements;
- Interview with employees;
- Onsite

completion of the investigation, if possible criminal or civil violations have been identified, the outcomes will be discussed with legal counsel. Any matter that could indicate violation of Federal or State law should be referred to counsel and reported to the applicable authority within 10 days of Investigation completion.

The Compliance Officer and Compliance Committee should review all Compliance Officer and Compliance Committee will work to formulate any disciplinary actions, corrective action plans, return of overpayments or process modification as indicated by the investigation outcomes.

HIPAA Compliance Policies and Procedures
Staff Training and Termination
Policy Name: Training Requirements
Policy #: 4-01
Origination Date:
Review Date: March 15, 2003
Approval:
Reference: 45 CFR 142, 164

Policy:
Performance Physical Therapy will require all new and current employees and partners to attend initial security and privacy current employees and providers will be required to attend compliance training offered by April 11, 2003 by Compliance Officer. To signify completion of training, all participants must complete a post-test and sign the attestation of attendance and compliance new employees and providers will be required to complete the compliance training module within thirty (30) days of employment.

To signify completion of training, all participants must complete the post-test and sign the attestation of completion and compliance for new or current employees and physicians to complete the required any training may be grounds for training will be ongoing and continued participation is required. Training may occur in staff meetings, via newsletters, faxes or bulletin

Compliance Policies and Procedures
Policy Name: Monitoring and Auditing
Policy #: 3-01
Origination Date:
Review Date: March 15, 2003
Approval:
Reference:

Policy:
Performance Physical Therapy will establish methodologies for monitoring activities related to the privacy and security of protected health information. The practice will audit activities related to the privacy and security of protected health information at regular intervals throughout the practice will monitor the following:
- Use, disclosure and release of protected health information
- Complaints
- Access to system and medical records
- System maintenance activities
- Document storage and disposal activities
- Hardware and

is the responsibility of the Compliance Officer or designee to determine how the practice will monitor the above mentioned activities.

It is expected that the monitoring will constitute at least the following:
- Maintenance of an information release/disclosure log with patient file
- Maintenance of a complaint register
- Records of each time information is accessed
- Records of system maintenance activities
- Records of document storage
- Hardware and software

is the responsibility of the Compliance Officer or designee to audit records for potential problems or violations of practice privacy and security policies. Audits will be scheduled at least every six months and more frequent auditing could occur if a problem is problems are discovered, the Compliance Officer and the Privacy/Security committee members will determine the best course of action. This can include further training directed at solving the problem or disciplinary actions for non-compliant staff or

Compliance Policies and Procedures
Privacy Standards:
Policy Name: Notice of Information Practices
Policy #: 1-02
Origination Date:
Review Date: March 15, 2003
Approval:
Reference: 45 CFR :

Performance Physical Therapy will notify all patients of how it intends to use or disclose their protected health care information through a Notice of Information Practices.

Performance Physical Therapy will not use health information in any way beyond that which is stated in its Notice of Information Physical Therapy will develop and post a Notice of Information practices in a visible spot in its waiting area or lobby and in its exam rooms or treatment copy of the Notice of Information Practices will be provided to all new patients before they sign the practice consent copy of the Notice of Information Practices will be provided to any patient who requests it at the Notice of Information Practices is updated, new copies will be posted and all patients who have received treatment within the past five years will be informed of the staff will be familiar with how the practice uses and discloses protected health information and be able to answer patients' questions about the Notice of Information Practices

HIPAA Compliance Policies and Procedures
Security Standards:
Policy Name: Data Authentication
Policy #: 2-08
Origination Date:
Review Date: March 15, 2003
Approval:
Reference: 45 CFR 142

Policy:
Performance Physical Therapy will take steps to ensure the security of data that is transmitted over a communications network to the extent that those steps are Physical Therapy will instigate integrity controls and message authentication.

