HIPAA Privacy Policies and Procedures
Changes to Policies and Procedures
DOEA, as a covered entity, will change its policies and procedures as necessary and appropriate to comply with changes in the Privacy Rule law including the standards, requirements and implementation specifications, and other management and operational needs. Policies and procedures must be reasonably designed and take into account the size and type of activities that relate to Protected Health Information (PHI) undertaken by DOEA.
Changes in Law:
When changes in the law necessitate changes to DOEA’s policies or procedures, DOEA will:
1) Promptly implement the revised policy and procedure.
2) Promptly document the revised policy and procedure.
3) If the change in the law materially affects the content of DOEA’s Notice of Privacy Practices, the Agency must promptly make the appropriate revisions to the Notice and redistribute it.
Notice of Privacy Practices:
DOEA must promptly revise and distribute the Notice of Privacy Practices whenever there is a material change to the:
1) Uses or disclosures
2) Individual’s rights
3) DOEA’s legal duties
4) Privacy Practices listed in the Notice.
DOEA must retain all documentation for six (6) years from the date policies and procedures were created, or were last in effect, whichever is later.
Documentation will be written and electronic.
DOEA must mitigate, to the extent practicable, any harmful effect that is known of a use or disclosure of PHI by the Agency or a Business Associate, in violation of DOEA policies and procedures or the requirements of the Privacy Rule. A mitigation plan for any such disclosure will be developed by the HIPAA Security Administrator and approved by the Privacy Officer, Office of the General Counsel.
DOEA policies and procedures include accommodations for all reasonable requests from clients to receive communications at an alternative location or by an alternative means, in cases where the disclosure of information could endanger the client.
DOEA must permit a client to request a restriction of disclosures.
1) DOEA does not have to agree with the restriction.
2) If the Agency agrees to the restriction, both DOEA and its Business Associates must honor the restriction:
a) Until the restriction is terminated by either DOEA or the client. If the client terminates the restriction, DOEA may use and disclose PHI as permitted under the Privacy Rule. If DOEA terminates the restriction without the client’s agreement, it may only terminate the restriction with respect to PHI it creates or receives after it informs the client of the termination.
b) In the case of an emergency treatment situation, DOEA is allowed to release PHI to the health care provider. DOEA must request the provider not further use or disclose the PHI.
All restrictions will be approved by the HIPAA Security Officer and documented in the client file.
1) DOEA’s policies and procedures implement the minimum necessary standard, which apply to all uses and to many disclosures and requests for disclosures from other covered entities. These policies and procedures must:
2) Restrict access and use based on specific roles of members of DOEA’s workforce.
3) Established criteria to limit routing disclosures to minimum necessary to achieve the purpose of the disclosure.
4) Limited requests to other covered entities to what is reasonably necessary for the particular use or disclosure.
DOEA’s policies and procedures dictate when staff can request or disclose the entire medical record. There must be specific justification of the need for the entire medical record approved by the CARES supervisor or CDC program administrator.
DOEA will treat personal representatives as the client for the purposes of the Privacy Rule, with the following exceptions:
1) If a parent, guardian, or other person acting in loco parentis has authority under applicable law to act on behalf of an un-emancipated minor in making health care decisions, DOEA must treat such a person as a personal representative with respect to the Privacy Rule requirements.
2) Notwithstanding State law or any requirement of the personal representatives paragraph, DOEA may choose not to treat a person as the personal representative of the client if DOEA has reasonable belief that the client has been or may be subjected to domestic violence, abuse or neglect by such a person, or treating such a person as the personal representative could endanger the client.
DOEA protects the PHI of deceased clients in the same manner and to the same extent as required for the PHI of living clients, except for uses and disclosures for research purposes.
DOEA treats an executor, administrator, or other person who has authority to act on behalf of a deceased client as a personal representative with regards to PHI.
DOEA treats the personal representative of the client as the client.
If the PHI about the deceased person is relevant to the treatment of a family member, the family member’s health care provider may obtain that information from DOEA.
DOEA may disclose PHI about a deceased client:
1) To coroners and medical examiners for identification of a deceased client or to determine the cause of death.
2) To funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to a decedent. These disclosures may occur prior to and in reasonable anticipation of the client’s death.
Use and disclosure of PHI of deceased persons for research purposes is permitted without obtaining authorization from a personal representative and absent approval by privacy board if DOEA obtains the following from the researcher:
1) Representation that the use or disclosure is sought solely for research on the PHI of decedents.
2) Documentation, at DOEA’s request, of the death of such individuals.
3) Representation that the PHI for which use or disclosure is sought is necessary for research purposes.
Verification of Identity of Those Requesting PHI.
DOEA’s procedures must be reasonably designed to verify the identity and authority of the requestor where DOEA does not know the person requesting the PHI.
Where documentation, statements or representations, whether oral or written, from the person requesting the PHI is a condition of disclosure, this documentation must involve obtaining such documentation or representation.
DOEA is required to document policies and procedures either on paper or in electronic form. Any change to a policy, procedure or a practice must also be documented. In addition to policies and procedures, any authorization pertaining to the accounting of disclosures by DOEA must be documented.
The key to compliance with the Privacy Rule lies in documentation. All documentation must be maintained for six (6) years.
DOEA must maintain the policies and procedures required throughout the Privacy Rule in writing.
Any other communication, action, activity, or designation that must be documented by the Privacy Rule must be documented in writing.
Notice of Privacy Practices:
DOEA is required to provide adequate notice to clients of the uses and disclosures of PHI that it may make. The Agency must document its compliance with the notice requirements by retaining copies of the notices it issues.
Right to request restriction of use and disclosure of PHI:
a. DOEA must permit a client to request that DOEA restrict uses and disclosures of PHI about the client to carry out treatment, payment and health care operations.
b. DOEA does not have to agree to the restrictions. If DOEA does agree, it must document the restrictions.
Access of individuals to PHI:
a. A client has the right of access to inspect and obtain a copy of PHI about him/her in a designated record set, for as long as DOEA maintains the PHI in the designated record set.
b. DOEA must document the designated record sets that are subject to access by clients.
c. DOEA must document the titles of the persons or offices responsible for receiving and processing requests for access by clients.
Amendment of PHI:
a. A client has the right to have DOEA amend PHI about him/her in the designated record set, for as long as DOEA maintains the PHI in the designated record set.
b. DOEA must document the titles of the persons or offices responsible for receiving and processing requests for access by clients.
Accounting of disclosures of PHI:
A client has the right to receive an accounting of disclosures of PHI made by DOEA in the 6 years prior to the date on which the accounting is requested. DOEA must document and retain:
a. Date of disclosure.
b. Name of covered entity or individual who received the information and their address, if known.
c. Brief description of the information disclosed.
d. Brief statement of the purpose of the disclosure that reasonably informs the client of the basis for the disclosure (or a copy of the client’s authorization or a copy of a written request for a disclosure for which authorization is not required.)
e. The written accounting provided to an individual requestor.
f. Titles of persons or offices responsible for receiving and processing requests for accountings of disclosures.
In addition to the documentation noted above, DOEA must maintain documentation for:
a. Any signed authorization.
b. All complaints received, and their disposition, if any.
c. All sanctions that are applied as a result of non-compliance.
d. Any use or disclosure of PHI for research without the individual’s authorization.
Violations must be reported to the DOEA Privacy Officer.
45 CFR 164.530(i)
Return to Top