TARRY HOUSE, INC.

 

Subject:  HIPAA Policy

 

Procedure Number:  M.L. 06

Site:  Tarry House & Tarry House Respite

 

Issued By: Executive Director

Effective: 4/09/03

Approved By: The Board of Trustees

Revised: 5/31/06; 1/28/08

Reference Policy:  H.R. 03

Reviewed: 4/09/04; 5/18/05; 5/31/06; 1/28/08

 

Standards Reference:

CARF: Section

ODMH: 5122-30

 

 

 

The Health Insurance Portability and Accountability Act (HIPAA) is widely considered the most significant federal health care legislation since the creation of the Medicare and Medicaid programs and, therefore, we must be aware of the following compliance deadlines:

 

1.      Transactions and Code Sets Rule --- October 16, 2002

2.      Privacy Rule --- April 14, 2003

3.      Security Rule --- 24 months after the final rule is adopted

 

POLICY:

 

HIPAA requires covered entities to implement “industry best practices” to preserve and safeguard protected health information. The HIPAA Privacy regulations directly affect the use and disclosure of protected information.  For this reason, it is imperative to identify all such uses and disclosures of PHI (Protected Health Information) and to determine if the “minimum necessary” use and disclosure to accomplish the intended purpose is being provided.  Procedures and safeguards should be implemented to limit the use or disclosure of PHI to the minimum necessary for each job function or activity.

 

“Minimum Necessary,” as defined by this agency, is only the amount of information used or disclosed to accomplish the intended purpose.  Before releasing any health-related information, all staff/volunteers must get authorization from the agency Privacy Officer or his/her designee.  At no time is any information to be given that has not been specifically requested.

 

Below is a list of areas impacted by HIPAA and specific HIPAA requirements.

 

1.      All uses and disclosures of Protected Health Information must be closely scrutinized.  Confidential communications – HIPAA implicates all methods of communication, including email, fax, ordinary mail, etc.

 

2.      Uses and disclosures must be the “minimum necessary” use or disclosure to accomplish the intended purpose.  For example, if a use requires access to only the name and address of a person served, staff or volunteer, then only this information should be provided and all other health information should either not be disclosed or should be de-identified.

 

a.       Each job position has been examined to determine its need for access to protected health information.  Procedures and safeguards have been implemented to limit the use or disclosure of Protected Health Information to the minimum necessary for each job function or activity.

 

 

b.      Minimum disclosure does not apply to:

 

i.      Disclosures required by law,

ii.     Disclosure to the individual (with exceptions for health and safety reasons),

iii.    Disclosure to the Secretary of DHHS, and

iv.     Disclosures to health care providers for treatment purposes.

 

3.      A properly identified and authorized personal representative or guardian should be treated the same as the individual for purposes of the Privacy regulations.  Examples include personal representatives of adults, minors, or the deceased.

 

a.       However, a person should not be treated as a personal representative where there is a reasonable belief that the personal representative has abused the individual (i.e. domestic violence, abuse or neglect) or that the personal representative may endanger the individual.

 

Under HIPAA, a deceased person is treated the same as a living person.  Unless otherwise authorized by law, a covered entity must first have authorization from the personal representative of the deceased to release any Protected Health Information of the deceased.

 

PROCEDURE:

 

Upon receipt of a request for Protected Health Information, either in writing or verbally, the person receiving the request must:

 

1.      Document the name of the person and the organization making the request.

2.      Specifically document what information is being requested.

3.      Verify if an Information Restriction Request is on file.

4.      Verify if a Release of Information is on file, if appropriate. (Persons served)

5.      Get authorization from the agency Privacy Officer or his/her designee before information is released.

6.      Release only the “minimum necessary” information as per agency guidelines and the Information Restriction Request.

 

All trainees, staff associates, volunteers and persons served will receive a copy of the NOTICE OF PRIVACY PRACTICES.  All shall sign off on the acknowledgement page, which will be retained in their individual files for 6 years.

 

All trainees, staff and volunteers will sign a confidentiality statement to be maintained in their employment file.

 

 

 

 

_______________________________________                                          _____________________

 Michael S. Bullock,   Executive Director                                                          Date