Training

GUIDELINES FOR MEMBER COMMUNICATION AND PATIENT HIPAA AUTHORIZATIONS AND REQUESTS

 

You bear a great responsibility. As a member of Spoke’s team of patient concierges and/or provider liaisons, you are the face and voice of all of us at Spoke. Your prime directive is to serve the needs of patients and collaborate with providers. Part of that responsibility is responding to patient requests regarding their personal information, including protected health information (“PHI”).

This manual provides practical guidance for responding positively to those requests while also complying with the rules imposed by various federal and state regulations, Spoke’s Security Policy and industry best practices.

You are also guided by Spoke’s Security Policy (https://policy.spokehealth.com) and Employee Handbook (https://employees.spokehealth.com).

Regardless of whatever else is happening, we are guided by our motto:

 

HOW ARE YOUR PATIENTS DOING TODAY

 

Notifying Patient of Their Rights

Spoke provides a copy of the Notice of Privacy Practices to patients on the patient portal. Employees must alert patients to that fact and offer to share a copy of the Notice via email or fax.

Further, employee emails shall include a notice stating that:

A copy of Spoke’s HIPAA Privacy Practices can be found at https://privacynotice.spokehealth.com

 

  1. Patients using Spoke’s online patient portal shall automatically digitally sign the Notice, indicating their receipt thereof. However, not all patients will use the patient portal. The employee must share the Notice with that patient in the most convenient manner as requested by the patient.
  2. At the time the Notice of Privacy Practices is provided, Spoke intake staff should make a good faith effort to obtain the signature of the person applying for services, the parent of a minor, legal guardian or personal representative on the Notice of Privacy Practices  – Acknowledgement of Receipt Form. The Notice of Privacy Practices – Acknowledgement of Receipt Form should be attached to the person’s official record.
  3. If the person applying for services, the parent of a minor, legal guardian or personal representative refuses or is otherwise unable to sign the Notice of Privacy Practices – Acknowledgement of Receipt Form, intake staff should ask them to verbally acknowledge that they have received a copy of the Notice of Privacy Practices and write “Verbal” on the appropriate signature line of the Acknowledgement of Receipt. Staff should then initial and date next to the word “Verbal”. This document is then attached to the person’s official record.
  4. Spoke staff should provide a copy of the written Notice of Privacy Practices to persons served and to other persons upon request.
  5. The Privacy Officer should post a copy of the Notice of Privacy Practices in a clear and prominent location, such as the entrance lobby, at Spoke’s various offices and facilities.
  6. A current version of the Notice of Privacy Practices should be maintained on Spoke’s website and intranet.
  7. Whenever the Notice of Privacy Practices is revised, Spoke’s Privacy Officer should make the revised Notice of Privacy Practices available upon request on or after the effective date of the revision; and
    1. The revised Notice of Privacy Practices should be posted in a clear and prominent location.
    2. A copy of each Notice of Privacy Practices issued by Spoke should be maintained for at least six years from the date it was last in effect.
  8. Any member of the workforce who has knowledge of a violation or potential violation of this Procedure should make a report directly to the Privacy Officer. (See the Procedure HIPAA-119 “Breach Notification Requirements”)

Authorizations required to release PHI

Employees can disclose PHI only as authorized by the patient or directed by Spoke’s Privacy Officer or Security Officer.

  1. Disclosure upon authorization
    1. If the request for disclosure is not accompanied by a written authorization, the Privacy Officer or his/her designated Records staff should notify the requestor that Spoke is unable to provide the PHI requested. The requestor should be supplied with an Authorization to Use or Disclose PHI form.
    2. The Privacy Officer or his/her designated Records staff should make reasonable attempts to verify the identity and the authority of a person/entity making a request for the disclosure of PHI, if the identity or authority of such person is not known. Further, the Privacy Officer or his/her designated Records staff should request from the person/entity seeking disclosure of PHI such documentation, statement or representation as may be required by the Privacy Rule, prior to a disclosure.
      1. Spoke may rely on required documentation, statements or representations that, on their face, meet the verification requirements, if the reliance is reasonable under the circumstances. If there are concerns as to the requirements, the Privacy Officer should contact Spoke legal counsel.
    3. If the request for disclosure is accompanied by a written authorization, the Privacy Officer, or his/her designated Records staff, should review the authorization to assure that it is valid. The authorization form should be fully completed, signed and dated by the person served, their parent (if a minor), legal guardian or personal representative before the PHI is used or disclosed.
      1. The authorization should be written in a language understood by the person signing the authorization. If a person served needs interpretation, they should notify Spoke staff for assistance.
      2. If the authorization is lacking a required element or does not otherwise satisfy the HIPAA requirements, the Privacy Officer should notify the requestor, in writing, of the deficiencies in the authorization. No PHI should be disclosed unless and until a valid authorization is received.
      3. If the authorization is valid, the Privacy Officer or his/her designated Records staff should disclose the requested PHI to the requester. Only the PHI specified in the authorization should be disclosed.
    4. Each authorization should be filed in the official record of the person applying for or receiving services.
    5. Other Spoke staff members may not release master records without the approval of the Privacy Officer, except in case of emergency (e.g., the person served or legal guardian is unable at that point in time to verify, and the person served faces risk of a negative outcome if information is not shared), or as a result of a specifically approved program area function.
      1. After hours and on weekends, release of information is allowed for instances that include, but are not limited to, emergency transfer, crisis intervention or similar urgent situations.
      2. Emergency release of information should be documented in the primary information systems, together with the justification.
    6. In specific program instances whereby a Multi-Agency Authorization to Release Protected Health Information is utilized, the completed form should not accompany the PHI, as it could identify other agency providers and violate confidentiality.
  2. Responding to specific types of disclosure
    1. Media
      • No PHI should be released to the news media or commercial organizations without the authorization of the person served or his/her personal representative.
    2. Telephone Requests
      • Staff receiving requests for PHI via the telephone should make reasonable efforts to identify and verify that the requesting party is entitled to receive such information (for example, calling the professional contact information of the person requesting information to verify their official capacity).
  3. Disclosures to individuals involved in the care of a person served
    1. Spoke may disclose PHI to a family member, other relative, close friend, or any other individual identified by the person served:
      1. That is directly relevant to that individual’s involvement in the care, or payment for care, of the person served; or,
      2. To notify such individual of the location, general condition or death of a person served.
    2. If the disclosure is sought by individuals involved in the care of a person served and it is relevant to the requesting party’s involvement in the care, Spoke may rely on reasonable professional judgment in verifying the identity and authority of the individual seeking disclosure.
      1. Spoke staff, interns and volunteers should take reasonable steps to confirm the identity of a family member or friend of the person served. Spoke is permitted to rely on the circumstances as confirmation of involvement in care. For example, the fact that a person served lives at home with family is sufficient confirmation of the family’s involvement in the care of the person served.
    3. Prior to a permitted disclosure, if the person served is present for, or otherwise available, then Spoke staff, interns and volunteers may use or disclose the PHI if they:
      1. Obtain the agreement of the person served;
      2. Provide the person served with an opportunity to object to the disclosure, and the person served does not express an objection (this opportunity to object and the response may be done orally); or
      3. Based on the exercise of professional judgment, reasonably infer from the circumstances that the person served does not object to the disclosure.
  4. Revocation of authorization
    1. The person served may revoke his/her authorization at any time. The authorization may be revoked verbally or in writing. If the person served, parent of a minor, legal guardian or personal representative informs Spoke staff that he/she wants to revoke the authorization, Spoke employees, subcontractors, interns or volunteers should obtain a copy of the official authorization (hardcopy or printed electronic) and complete the shaded area at the bottom of the form: “NOTE: This Authorization was revoked on (DATE) ___________ Signature of Staff: ____________________”
    2. Upon receipt of a written revocation, Spoke may no longer use or disclose the PHI of the person served, pursuant to the authorization.
    3. Each printed or electronic revocation formally completed by employees, subcontractors, interns or volunteers should be filed in the official record of the person served.
    4. The Privacy Officer will track and maintain a log of these requests.

 

Communications with non-patients

In this document, the definition of “patient” includes the parent of a minor, legal guardian or personal representative.

Employees cannot communicate with a person other than the patient until the employee has received written confirmation that the relationship between the person and the patient falls under the legal definition of parent of a minor, legal guardian or personal representative.

 

Use of PHI for marketing

Spoke obtains the written consent of a person served, their parent (if a minor), legal guardian or personal representative prior to using confidential information and/or a photograph of a person served in marketing or communication materials.

  1. The Privacy Rule defines marketing as a communication and/or disclosure of PHI that encourages an individual to use or purchase a product or service, except under the following conditions:
    1. Communications made directly by Spoke to describe the services it provides;
    2. Communications made for care or treatment of the individual;
    3. Communications for case management or care coordination for the person served, the parent of a minor, legal guardian or personal representative;
    4. Communications to direct or recommend alternative treatments, therapies, and care providers or settings of care; and,
    5. Face to face communications made by Spoke representatives to an individual.
  2. Marketing staff should obtain a valid, completed Authorization to Use or Disclose Protected Health Information form, or other approved forms designed to confirm consent of use, prior to using or disclosing PHI for purposes that meet the HIPAA definition of marketing (item 1 above) and do not qualify for any of the exceptions listed in items 1-5 above.
    1. The authorization should conform to procedures outlined in Spoke’s “Uses and Disclosures.”
    2. If direct or indirect remuneration to Spoke from a third party is involved, the authorization should state the nature of such third party remuneration.
    3. Spoke should make reasonable efforts to verify that the decision of any individual who opts out of any use of their Protected Health Information is documented appropriately and honored by Spoke staff and its business associates.
  3. No authorization is required in the following situations:
    1. When communications are directed at an entire population (not to a targeted individual) that promote health or services in a general manner and do not endorse a specific product or service.
    2. When PHI is not disclosed in a marketing communication (such as a newspaper advertisement).
  4. In the event a planned marketing activity involves payment to Spoke (e.g., cash, referral, gifts, etc.), anti-kickback, inducement, self-referral and general fraud and abuse statutes and regulations may apply. These should be considered prior to implementation of the marketing activity.
  5. Business associates and other third parties:
    1. Spoke may engage a marketing firm to conduct permitted marketing activities on Spoke’s behalf. Should the marketing activities require the use or disclosure of PHI to the marketing firm, then a business associate relationship would exist and a BA Agreement would be required.
    2. Spoke may not sell or disclose PHI to a third party to help the third party market its own products or services without a signed authorization from the person served, the parent of a minor, legal guardian or personal representative.

 

Use of PHI for fundraising

  1. When fundraising for its own benefit, Spoke may use or disclose without authorization the following PHI to a Business Associate, a foundation or consultant to act on Spoke’s behalf:
    1. Demographic information relating to an individual, and
    2. Dates of service provided to an individual.
    3. Spoke’s Notice of Privacy Practices should inform the person served, the parent of a minor, legal guardian or personal representative that PHI may be released to raise funds for Spoke and that the person served, the parent of a minor, legal guardian or personal representative may opt out of receiving any fundraising communications.
  2. Any fundraising materials Spoke or its agent sends to an individual should describe how the individual may opt out of receiving any further fundraising communications.
  3. If the fundraising is not for Spoke’s benefit or includes more than demographic or dates of service information, an authorization from the individual is required.
  4. Spoke should make reasonable efforts to verify that individuals who decide to opt out of receiving future fundraising communications are not sent such communications.

 

Verbal communication of PHI

All employees, subcontractors, Business Associates, vendors, interns and volunteers are responsible for the privacy and security of PHI of persons receiving services. Spoke’s Privacy and Security Officers are responsible for periodically monitoring to ensure that uses and disclosures of PHI comply with applicable Federal, State and/or local law or regulation, and these policies.

Reasonable measures should be taken so that unauthorized persons do not overhear conversations involving PHI.

 

Written communication of PHI

  1. Storing Written PHI
    1. Active and inactive hardcopy records are filed in a systematic manner in a location that safeguards the privacy and security of the information.
    2. Only the minimum number of staff necessary to assure that records are secured yet accessible shall have keys. Employees with keys shall keep them in a secure place, as determined by Spoke’s Security Officer.
    3. Use of “shadow” or “working copy” records or files is not permitted.
    4. Hardcopy master records should be returned to the File Room at the end of each work day. Exceptions may be made if there is a valid need to keep the record for a longer period of time.
    5. In the event that the confidentiality or security of PHI stored in an active or inactive master record has been breached, the Privacy Officer should be notified immediately.
  2. Using printers, copiers or scanners
    1. Spoke locates printers, copiers and scanners in areas not easily accessible to unauthorized persons.
    2. Authorized employees, subcontractors, interns and volunteers may view documents generated on printers, copiers or scanners. Access to such documents by unauthorized persons is prohibited.
    3. Employees will promptly remove documents containing PHI from printers, copiers and scanners and place them in an appropriate and secure location.
  3. Destruction of written PHI
    1. Acceptable methods of destruction include shredding, incineration, pulverization and use of a bonded recycling company. Records containing PHI must not be thrown into an insecure trash receptacle.
    2. A destruction log should be maintained by the Privacy Officer or his/her designee to identify the destroyed records. At a minimum, the destruction log should capture the following information:
      • The date of destruction.
      • The name of the individual responsible for destroying the records.
      • The name of the person who witnessed the destruction.
      • The method used to destroy the records.
      • Information about the person served (full name, social security number, date of admission, date of discharge).
    3. Prior to destruction of boxed items, the Privacy Officer shall verify that the retention period has expired.
    4. If the records are destroyed off-site through a destruction company, a Certificate of Destruction should be obtained attesting to destruction of the records.

 

Transmitting PHI through email

The transmission of PHI through email is discouraged but an employee may do so only by complying with the processes described in this section and in accordance with the policies contained in Spoke’s Security Policy.

The following procedures must be strictly followed:

  • before sending an email containing PHI, employees must first obtain either a signed “Authorization to Send Communications via Email” or a signed “Request for Alternative Communication Methods” that specifically identifies email;
  • employees must verify the recipient’s email address by sending a test email to the recipient and waiting for a reply phone call from the recipient verifying his/her receipt of the test message and verbally confirming his/her authorization to communicate PHI via email;
  • the amount of PHI disclosed via email is to be limited to the minimum necessary;
  • an email that contains PHI must be encrypted using software pre-installed by Spoke;
  • the same applies when an employee needs to forward an email containing PHI;
  • highly sensitive PHI such as information relating to AIDS/HIV, drug and alcohol abuse and psychotherapy notes should not be sent via email;
  • employees must purge email messages as directed by Spoke’s Security Officer but no later than the time at which an email is no longer required to serve the purpose for which it was sent;
  • copies of emails, and any attachments, may be printed and, if so, must be treated as Written PHI;
  • unencrypted email messages, regardless of content, are not secure or private; and
  • employees’ emails, regardless of content or intended recipient, must include the following:

DELETE THIS EMAIL AND CONTACT THE SENDER… if you are not the intended recipient or if you are not certain why you are receiving the included information.

This email may contain information protected by law, which subjects recipients to civil and/or criminal actions for unauthorized inspection.

Persons becoming aware of a violation of this policy must immediately report the incident to their supervisor and/or Spoke’s Security Officer.

 

Transmitting PHI through facsimile (fax)

Employees may communicate PHI via fax to persons served, their parent (if a minor), legal guardian, personal representatives or providers of service. Care should be taken that the PHI transmitted via fax is safeguarded from inappropriate use, disclosure or access.

Communications via fax are to be treated with the same care and caution as if it were being transmitted by email (see section titled, “Transmitting PHI via email”).

Transmissions via fax to providers are a standard practice and do not require the patient’s authorization.

Employees must, however, receive written authorization from a patient prior to sending a fax to the patient, regardless of its content. The relevant forms are titled “Authorization to Send Communications via Fax” and “Request for Alternative Communication Methods”; the latter must specifically identify fax.

Further, the employee shall send a test fax prior to sending a fax containing a patient’s information, regardless of its contents, and wait for a phone call from the patient verifying that the fax number is correct and verbally confirming his/her authorization to communicate PHI via fax.

Finally, best practices require employees to immediately contact the recipient to verify the fax was received.

Additional policies specific to transmission via fax are:

  • employees must immediately remove transmitted and received faxed pages from the fax machine and follow the procedures outlined in the section titled, “Written communication of PHI”;
  • PHI sent via fax will contain only the minimum necessary to meet the requestor’s needs and/or communicate information about the needs or situation of the patient;
  • highly sensitive health information should not be sent by fax (e.g., information relating to AIDS/HIV, drug and alcohol abuse and psychotherapy notes).
  • when transmitting information, a cover page should be attached to any facsimile document that includes PHI. The cover page should include:
    • destination of the fax, including name, fax number and phone number;
    • name, fax number and phone number of the sender;
    • date;
    • number of pages transmitted; and
    • The following statement conspicuously placed on the cover page:

IMMEDIATELY SHRED AND DISCARD THIS FAX AND CONTACT THE SENDER… if you are not the intended recipient or if you are not certain why you are receiving the included information.

This fax may contain information protected by law, which subjects recipients to civil and/or criminal actions for unauthorized inspection.

  • if a fax transmission fails to reach a recipient or if the sender becomes aware that a fax was misdirected, the employee must first fax a letter to the receiver asking that the material be returned or destroyed and then notify Spoke’s Privacy Officer of the misdirected fax.

Certain employees may be provided with digital faxing software on their workstation.

Persons becoming aware of a violation of this policy must immediately report the incident to their supervisor and/or Spoke’s Security Officer.

 

Patient’s requests for alternate communication methods

Persons served, their parent (if a minor), legal guardian or personal representative have the right to request communication about their PHI in a variety of ways, such as through phone calls, emails, or in writing. A person served, their parent (if a minor), legal guardian or personal representative also have the right to inspect and obtain a copy of PHI in his or her designated record set, except for information compiled in reasonable anticipation of, or for, use in a civil, criminal or administrative action or proceeding.

When a person served notifies Spoke staff of their preferred method of communication, or requests that Spoke communicate with him/her or his/her personal representative by some alternate means, Spoke should provide the person served with a copy of a Request for Communications by Alternative Means form. A request should not be evaluated until this request form is completed and signed by the person served or personal representative. Reasonable requests should be honored by Spoke staff.

If the person served would like to communicate by email, it is recommended that an “Email Communication Consent Form” be utilized.

The Privacy Officer, or his/her designee, should review the completed Request for Communications by Alternative Means form to determine if it is a reasonable request. The Privacy Officer or his /her designee should not require an explanation for the request. The Privacy Officer or his /her designee should generally accommodate a request determined to be reasonable.

The Privacy Officer or his/her designee should complete the response section of the Request for Communications by Alternative Means form to inform the person served of Spoke’s decision.

The Privacy Officer should maintain requests and responses in the appropriate location in the official record of the person served.

 

Patient’s request to limit disclosure of PHI

The person served, their parent (if a minor), legal guardian or personal representative are notified of their right to request restrictions on the use and disclosure of PHI in Spoke’s Notice of Privacy Practices. Specifically, the person served may request restrictions on:

  • The use and disclosure of PHI for treatment, payment or healthcare operations; or
  • The disclosures to family, friends or others for involvement in care and notification purposes.

Persons served, their parent (if a minor), legal guardian or personal representative should make their request in writing. The Privacy Officer or his/her designee should provide a Request to Restrict Use and Disclosure of Protected Health Information form to the individual asking to make a restriction.

The Privacy Officer manages requests for restrictions. A request for restriction should not be reviewed until the Request to Restrict form is completed and signed by the person served. The Privacy Officer may assist the person served in completing the form, if necessary.

A current version of the form should be maintained on the Spoke website and intranet.

The Privacy Officer or his/her designee should review the request in consultation with Spoke staff providing care or case management to the person served in order to determine the feasibility of the request. Spoke should give primary consideration to the need for access to the PHI for service and payment purposes in making its determination.

If Spoke agrees to the requested restriction, the Privacy Officer or his/her designee should document the restriction on the Request to Restrict Use and Disclosure of Protected Health Information form, provide the individual making a request with a copy and send the original to the master record of the person served. The Privacy Officer or his/her designee should also notify appropriate Spoke employees, subcontractors, interns or volunteers of the restriction.

Spoke employees and subcontractors should abide by the accepted restriction with the following exceptions:

  • Spoke may use the restricted PHI, or may disclose such information to an authorized provider if the person served is in need of emergency services or treatment. In this case, Spoke staff should release the information, but ask the emergency provider not to further use or disclose the PHI of the person served.
  • Spoke may disclose the information to the individual who requested the restriction.
  • Spoke may use and disclose the restricted PHI when statutorily required to use and disclose the information under the Privacy Rule.

If Spoke declines the request for restriction, the Privacy Officer should complete the “Facility Response” section of the Request to Restrict Use and Disclosure of Protected Health Information form and provide a copy to the individual making the request. The Request and documentation associated with the request should be placed in the master record of the person served, and retained for a period of no less than six years from receipt.

Terminating Restrictions on Uses/ Disclosures Of PHI

  • If the person served, the parent of a minor, legal guardian, or personal representative wishes to terminate the accepted restriction they may do so in writing or verbally. If the person served, the parent of a minor, legal guardian, or personal representative verbally terminates the restriction, Spoke staff should document the verbal agreement in the record of the person served.
  • The Privacy Officer or his/her designee should notify the appropriate program and/or case management staff of the termination of the restriction.
  • The Privacy Officer or his/her designee should document the termination of the restriction on the Request to Restrict Use and Disclosure of Protected Health Information form, provide the person served with a copy and maintain the documentation in the record of the person served.
  • A termination agreed to by the person served, the parent of a minor, legal guardian or personal representative is effective for all PHI created or received by Spoke.
  • There may be situations that occur in which Spoke wishes to terminate the restriction without the agreement of the person served, parent of a minor, legal guardian or personal representative.
    • The Privacy Officer or his/her designee should inform the person served, the parent of a minor, legal guardian, or personal representative that the restriction is being terminated.
    • If by mail
      • If the person served, the parent of a minor, legal guardian, or personal representative is informed by mail that Spoke is terminating the restriction, the notification should be sent via certified mail, return receipt requested. Spoke should maintain a copy of the notification and of the return receipt with the Request to Restrict Use and Disclosure of Protected Health Information form. Spoke should not terminate the restriction until it receives confirmation that the person(s) listed above have received the notification.
    • If by telephone
      • If the person served, the parent of a minor, legal guardian, or personal representative is informed by telephone, this action should be documented on the Request to Restrict Use and Disclosure of Protected Health Information form. In addition, an email, or alternately a letter should be sent to the appropriate individual listed above. Letters should be sent via certified mail, return receipt requested. The termination should be effective as of the date the appropriate individual listed above is informed by telephone.
    • If by email
      • If the person served, the parent of a minor, legal guardian, or personal representative is informed by email, this action should be documented on the Request to Restrict Use and Disclosure of Protected Health Information form. The notification email should be encrypted and sent to a verified email account of the appropriate person listed above. The termination should be effective as of the date of the email.
    • Such termination is only effective with respect to PHI created or received after Spoke has informed the person served, the parent of a minor, legal guardian, or personal representative that it is terminating the restriction. Spoke should continue to abide by the restriction with respect to any PHI created or received before it informed the person(s) listed above about the termination of the restriction.

 

Patient access to PHI

Only Spoke’s Security Officer or Privacy Officer can respond to a patient’s request to access his/her PHI. Under certain circumstances patients have the right to inspect their PHI in Spoke’s possession. The process for managing a request involves a number of legal requirements; employees must immediately alert the Security Officer or the Privacy Officer of the patient’s request and shall assist the Officer as requested.

The employee shall respond to a patient request by explaining:

  • Spoke takes the greatest precautions to protect each patient’s information to the greatest extent possible, and direct access to that information demands the strictest controls;
  • Spoke follows a precise process that is managed by Spoke’s Security Officer and Privacy Officer; and
  • one of those officers will contact the patient within 24 hours to support the patient’s request.

The employee may provide the patient with the authorization form titled “Access to Protected Health Information,” which is required by law. The employee can send that form via fax or encrypted email, but must not send any PHI along with it.

 

Requests to amend PHI

Persons served, their parent (if a minor), legal guardian or personal representative should be notified of the right to amend his or her electronic as well as hard copy PHI in the Notice of Privacy Practices.

  1. Evaluating a request for amendment of PHI
    1. The Privacy Officer should process all requests for amendment of PHI.
    2. Upon receiving an inquiry from a patient regarding the right to amend his/her PHI, the Privacy Officer should provide the patient with a copy of an Amendment of Protected Health Information form. A request for amendment should not be evaluated until the request form is completed and signed by the patient.
    3. The Privacy Officer should date stamp or write the date received and initial the Amendment of PHI form.
    4. The Privacy Officer should consult with the Chief Financial Officer (CFO) and appropriate staff concerning the validity of the requested Amendment.
    5. The Privacy Officer should act on the request for amendment no later than 60 days after receipt of the request.
      1. If the amendment is accepted, the Privacy Officer or his/her designee should make the amendment and inform the patient within 60 days of the written request.
      2. If the amendment is denied, Spoke should notify the patient in writing of the denial within 60 days of the written request.
    6. If Spoke is unable to act on the request for amendment within 60 days of receipt of the request, it may have one extension of no more than 30 days. The Privacy Officer should notify the patient in writing of the extension, the reason for the extension and the date by which action should be taken.
  2. Accepting a request for amendment of PHI
    1. If the Privacy Officer, in consultation with the CFO, appropriate department director and/or staff, determines that the request for amendment should be accepted, in whole or in part, the Privacy Officer should:
      1. Place a copy of the amendment in the records of the person served, or provide a reference to the location of the amendment within the body of the master record.
      2. The person served or the parent of a minor, legal guardian or personal representative may indicate providers or entities with whom the amendment should be shared (as identified on the original Amendment of PHI form).
      3. This notification should occur within a reasonable period of time.
    2. The Privacy Officer should also identify other persons, including business associates, that he/she knows have the PHI and that may have relied on, or could foreseeably rely on, such information to the detriment of the person served. The Privacy Officer should determine whether the patient wishes for Spoke to notify such other persons or organizations of the amendment.
      1. If the patient wishes for Spoke to notify these individuals, the Privacy Officer should obtain a signed Authorization to Release PHI form.
      2. This notification should occur within a reasonable period of time.
  3. Denying a request for amendment of PHI
    1. Spoke may deny the request for amendment in whole or in part if:
      1. The PHI was not created by Spoke (e.g., a physical examination, dental record, agency assessment). An exception may be granted if the patient provides a reasonable basis to believe that the creator of the PHI is no longer available to act on the requested amendment and it is apparent that the amendment is warranted. (Note: This should rarely be the case.)
        • Every other avenue should be explored before an amendment is made to information that was not created by Spoke.
      2. The PHI is not part of the designated record set (i.e., information gathered on worksheets or contact notes that do not become a part of the master record).
      3. The PHI would not be available for inspection under the HIPAA Privacy Rule.
      4. The PHI that is subject to the request for amendment is accurate and complete.
    2. If the Privacy Officer, in consultation with the CFO, appropriate department director and/or staff, determines that the request for amendment should be denied in whole or in part, the Privacy Officer should provide the patient with a timely amendment denial letter. The denial should be written in plain language and should contain:
      • The basis for the denial;
      • A statement that the patient has a right to submit a written statement disagreeing with the denial and an explanation of how to file such a statement;
      • A statement that, if the patient does not submit a statement of disagreement, they may request that Spoke includes the request for amendment and the denial with any future disclosures of the PHI; and
      • A description of how the patient may file a complaint with Spoke or to the Secretary of the U.S. Department of Health and Human Services. The description should include the name or title and telephone number of the contact person for complaints.
    3. If the patient submits a written statement of disagreement, Spoke may prepare a written rebuttal to the statement. Spoke should provide a copy of the written rebuttal to the patient who submitted the statement.
    4. The following documentation should be appended (or otherwise linked) to the PHI that is the subject of the disputed amendment:
      • The patient’s Amendment of PHI form;
      • Spoke’s amendment denial letter;
      • The patient’s statement of disagreement, if any; and
      • Spoke’s written rebuttal, if any.
    5. If the patient submitted a statement of disagreement, Spoke should disclose the documentation listed in item 4 above, or an accurate summary of that information, with future disclosures of the PHI to which the disagreement relates.
      1. If the patient did not submit a statement of disagreement, and if the patient has requested that Spoke provide the Amendment of PHI form and the amendment denial letter with any future disclosures, Spoke should include these documents (or an accurate summary of that information) with future disclosures of the PHI to which the request relates.

 

Responding to patient HIPAA complaint

Any concerned individual has the right to file a formal complaint concerning privacy issues without fear of reprisal. Such issues could include, but are not limited to, allegations that:

  • PHI was used or disclosed improperly;
  • Access or amendment rights were wrongfully denied; or
  • Spoke’s Notice of Privacy Practices does not accurately reflect current practices.

Spoke uses the Notice of Privacy Practices form to notify persons receiving services, parent(s) of a minor, legal guardians or their personal representatives of their right to complain to Spoke, or the Department of Health and Human Services about privacy issues.

All concerns/complaints should be directed to the Privacy Officer, by telephone, fax, mail, email, or in person. The person making the complaint should put the complaint in writing, in a letter or an email. The Privacy Officer should document the complaint in the log of complaints regarding privacy issues.

Once the complaint form and log are completed correctly, the Privacy Officer should submit the complaint to the Chief Financial Officer (CFO), who determines whether an investigation is warranted. The CFO should assemble an Investigative Team, as needed, composed of appropriate individuals based upon the circumstances of the complaint.

Following completion of the investigative team’s review, the Privacy Officer should be notified of the substance of their findings and decision. The Privacy Officer should:

  • Document the outcome of the complaint.
  • Complete the log of complaints by entering the resolution and any required follow-up actions.

The Privacy Officer should maintain documentation of complaints received and their disposition for a period of at least six years (from the date of creation) in accordance with Federal regulations.

Employees, subcontractors, interns and volunteers may not intimidate, threaten, coerce, discriminate against or take any other retaliatory action against the patient or any other person filing a complaint.

 

Unfair, Deceptive, or Abusive Acts and Practices

The purpose of this Policy is to establish compliance with the highest standards of consumer interactions and to ensure that Spoke’s business is conducted in a socially responsible manner.

Spoke and its employees (“we”) must be diligent in moderating our communications and activities when working with health plan members and consumers generally. We are in a unique position to impact individuals during a time when they are facing difficult health care and financial decisions, imbuing us with a level of authority in the eyes of consumers.

  1. Scope
    • This Policy applies to all Spoke employees and Business Associates.
  2. Policy Statements
    • At no time shall a Spoke employee make any communication or engage in any practice that does not accurately reflect (a) the benefits or value of Spoke’s services or (b) the process, cost or burden of engaging Spoke or following an employee’s suggestion.
    • At no time shall a Spoke employee make any communication or engage in any practice that suggests (a) Spoke possesses expertise beyond those expressed in Spoke’s marketing materials or (b) the employee personally has expertise or insights beyond those expressly authorized by Spoke.
    • At no time shall a Spoke employee make any communication or engage in any practice that could be interpreted as applying undue pressure on a consumer to engage Spoke’s services or follow an employee’s suggestion. A general guidepost is not making statements that suggest exaggerated negative consequences for not engaging Spoke or not following a suggestion, for example:
      • If you do not engage Spoke’s services, you will be overbilled; or
      • If you do not engage Spoke’s services, you will receive poor quality of care.

 

Sanctions for violating these policies

Employees, subcontractors, interns or volunteers should report coworkers who violate HIPAA Privacy and Security Rules. Employees, subcontractors, interns or volunteers who violate HIPAA Privacy and Security Rules may be subject to disciplinary actions up to, and including, termination of employment or of the relationship with Spoke.

  • The sanctions imposed depend on a variety of factors, including, but not limited to, the severity of the violation, whether it was intentional or unintentional, and whether the violation indicates a pattern of improper use, disclosure or release of PHI and/or misuse of computing resources.
  • The degree of discipline may range from a verbal warning up to and including termination of employment or of the relationship with Spoke, and/or restitution in accordance with Spoke policies. The following three (3) levels of violations should be used in recommending the disciplinary action and/or corrective action to apply:

Level 1

An individual inadvertently or mistakenly accesses PHI that he/she had no need to know in order to carry out his/her responsibilities for Spoke, or carelessly accesses or discloses information to which he/she has authorized access. Examples of level 1 HIPAA violations include, but are not limited to, the following:

  • Leaving PHI in a public area;
  • Mistakenly sending emails or faxes containing PHI to the wrong recipient;
  • Discussing PHI in public areas where it can be overheard, such as elevators, cafeterias, restaurants, hallways, etc.;
  • Leaving a computer accessible and unattended with unsecured PHI;
  • Loss of an unencrypted electronic device containing unsecured PHI;
  • Improperly disposing of PHI in violation of Spoke policy; or
  • Failing to report that his/her password has been potentially compromised (e.g., having responded to a phishing or spam email and given out the password).

Level 2

An individual intentionally accesses, uses and/or discloses PHI without appropriate authorization. Examples of level 2 HIPAA violations include, but are not limited to, the following:

  • Intentional, unauthorized access to his/her own PHI or to the PHI of friends, relatives, coworkers, public personalities or any other individual (including searching for an address or phone number);
  • Intentionally assisting another individual to gain unauthorized access to PHI. This includes, but is not limited to, giving another individual a user name and password to access electronic PHI;
  • Disclosing patient condition, status or other PHI obtained as an employee, subcontractor, intern or volunteer to a co-worker who does not have a legitimate need to know;
  • Obtaining PHI under false pretenses;
  • Failing to properly verify the identity of an individual requesting PHI, resulting in inappropriate disclosure, access or use of PHI;
  • Failing to promptly report any violation of Spoke’s privacy or security policies or procedures to the Privacy or Security Officer;
  • Logging into Spoke network resources (including electronic medical records) and allowing another individual to access PHI under that session;
  • Connecting devices to the network and/or uploading software without having received authorization from IT; or
  • Second occurrence of any level 1 violation (it does not have to be the same offense).

Level 3

An individual intentionally uses, accesses and/or discloses PHI without any authorization for personal or financial gain; causes physical or emotional harm to another person; or causes reputational or financial harm to the institution. Examples of level 3 HIPAA violations include, but are not limited to, the following:

  • Unauthorized intentional disclosure and/or delivery of PHI to anyone;
  • Intentionally assisting another individual to gain unauthorized access to PHI in order to cause harm. This includes, but is not limited to, giving another individual your unique user name and password to access electronic PHI;
  • Accessing or using PHI for personal gain (e.g., in a lawsuit, marital dispute or custody dispute);
  • Disclosing PHI for financial or other personal gain;
  • Using, accessing or disclosing PHI in a way that results in personal, financial or reputational harm or embarrassment to the person served; or
  • Second occurrence of any level 2 violation (it does not have to be the same offense) or multiple occurrences of any level 1 violation.

The Director of Human Resources should document the sanctions that are applied, if any. This documentation should be kept in written or electronic form for six (6) years after the date of its creation or the date when it was last in effect, whichever is later.
