Hipaa Policies Procedures PDF Details

HIPAA policies and procedures are a vital part of any healthcare organization. It is important to have HIPAA policies and procedures in place that protect both the patients and the staff. Having HIPAA policies and procedures helps ensure that everyone understands their role in protecting patient information. It also helps ensure that everyone is aware of the consequences for not following protocol. HIPAA policies and procedures should be reviewed and updated on a regular basis to make sure they are still effective in protecting patient information.

Knowing this will help you better understand the details of the HIPAA policies and procedures form before you start filling it out.

Question | Answer
Form Name | Hipaa Policies Procedures
Form Length | 49 pages
Fillable? | Yes
Fillable fields | 166
Avg. time to fill out | 22 min 43 sec
Other names | hipaa procedures sample, hipaa policies and procedures pdf, hipaa policies procedures template, hipaa policies manual

Form Preview Example

PEPPERDINE UNIVERSITY

HIPAA Policies Procedures and Forms Manual

May 16, 2012

Table of Contents

I. INTRODUCTION
    A. GENERAL POLICY
    B. SCOPE
II. DEFINITIONS
III. GENERAL POLICIES AND PROCEDURES
    A. AUTHORIZATION TO USE OR DISCLOSE PROTECTED HEALTH INFORMATION
        1. Policy
        2. Procedure
        3. Applicable Regulations
    B. BUSINESS ASSOCIATES
        1. Policy
        2. Procedure
        3. Applicable Regulations
    C. COMPLAINT
        1. Policy
        2. Procedure
        3. Applicable Regulations
    D. DE‐IDENTIFICATION OF PROTECTED HEALTH INFORMATION
        1. Policy
        2. Procedure
        3. Applicable Regulations
    E. LIMITED DATA SHEETS
        1. Policy
        2. Procedure
        3. Applicable Regulations
    F. MINIMUM NECESSARY USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
        1. Policy
        2. Procedure
        3. Applicable Regulations
    G. NOTICE OF PRIVACY PRACTICES
        1. Policy
        2. Procedure
        3. Applicable Regulation
    H. PRIVACY OFFICIAL, SECURITY OFFICER, AND PRIVACY COORDINATORS
        1. Privacy Official
        2. Security Official
        3. Privacy Coordinators
        4. Applicable Regulation
    I. RECORDS RETENTION
        1. Policy
        2. Procedure
        3. Applicable Regulation
    J. RESEARCH
        1. Policy
        2. Procedure
        3. Applicable Regulations
    K. RIGHT TO REQUEST ACCESS TO PROTECTED HEALTH INFORMATION
        1. Policy
        2. Procedure
        3. Applicable Regulation
    L. RIGHT TO REQUEST AN ACCOUNTING OF DISCLOSURES
        1. Policy
        2. Procedure
        3. Applicable Regulation
    M. RIGHT TO REQUEST AN AMENDMENT TO PROTECTED HEALTH INFORMATION
        1. Policy
        2. Procedure
        3. Applicable Regulation
    N. RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION
        1. Policy
        2. Procedure
        3. Applicable Regulation
    O. RIGHT TO REQUEST RESTRICTIONS ON THE USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
        1. Policy
        2. Procedure
        3. Applicable Regulation
    P. SAFEGUARDING PROTECTED HEALTH INFORMATION
        1. Policy
        2. Procedure
        3. Applicable Regulation
    Q. TRAINING
        1. Policy
        2. Procedure
        3. Applicable Regulation
HIPAA SAMPLE FORMS [SEE FOLLOWING PAGES]
    A. ACCOUNTING FOR DISCLOSURES OF PROTECTED HEALTH INFORMATION
    B. AUTHORIZATION TO USE/DISCLOSE PROTECTED HEALTH INFORMATION (HIPAA)
    C. BUSINESS ASSOCIATE AGREEMENT
    D. DENIAL OF REQUEST FOR AN AMENDMENT
    E. DENIAL OF REQUEST FOR ACCESS
    F. PRIVACY COMPLAINT
    G. REQUEST FOR ACCESS TO PROTECTED HEALTH INFORMATION
    H. REQUEST FOR ACCOUNTING OF DISCLOSURES
    I. REQUEST FOR AMENDMENT TO PROTECTED HEALTH INFORMATION

I. Introduction

A. General Policy

Pepperdine University is committed to protecting the privacy of individual health information in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations promulgated thereunder. These policies and procedures apply to protected health information created, acquired, or maintained by the designated covered components of the University after April 14, 2003. The statements in this Manual represent the University’s general operating policies and procedures. For further details regarding these policies and procedures, see 45 C.F.R. Parts 160 and 164.

B. Scope

Pepperdine University is a hybrid entity as defined in 45 C.F.R. §164.103 and includes both covered and non‐covered components. These policies and procedures apply only to the University’s designated covered components, which include:

Student Health Center;

Athletic Training Center;

Student Counseling;

Pepperdine Psychology and Education Clinic;

Pepperdine Community Counseling Center;

Pepperdine Jerry B.H. Union Rescue Clinic; and

Center for Human Resources, Benefits Department.

Certain administrative and/or support offices may also be designated as covered components.

The designated covered components may not share protected health information with the non‐covered components of the University, unless specifically permitted by the privacy regulations. It is the responsibility of each designated covered component to assure that their employees, students, volunteers, etc. comply with these policies and procedures. A designated covered component may develop and incorporate additional policies and procedures if doing so is necessary and appropriate to comply with more stringent state laws.[1] However, a designated covered component may not delete sections of these policies and procedures without first consulting the Privacy Official or the Security Official.

[1] HIPAA ensures a federal standard (a “floor”) of privacy protections. State privacy laws may be more stringent than the HIPAA privacy rule. In those cases, the more stringent state law will apply.

II. Definitions

Business Associate means a person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. Business Associates are also persons or entities performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where performing those services involves disclosure of individually identifiable health information by the covered entity or another business associate of the covered entity to that person or entity. A member of a covered entity’s workforce is not one of its business associates. A covered entity may be a business associate of another covered entity. 45 C.F.R. § 160.103.

Covered Entity means a health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted a standard. 45 C.F.R. § 160.103.

Covered Functions means those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse. 45 C.F.R. § 160.103.

Designated Covered Components (or Covered Components) means a component or combination of components designated by the University, which is a Hybrid Entity. The designated covered components of the University are listed in Section I.B. of this Manual.

Designated Record Set means a group of records maintained by or for a covered entity that includes medical and billing records about individuals, or a group of records that are used in whole or in part by or for the covered entity to make decisions about individuals. 45 C.F.R. § 164.501.

Direct Treatment Relationship means a treatment relationship between an individual and a healthcare provider that is not an indirect treatment relationship. 45 C.F.R. § 164.501.

Disclosure means the release, transfer, access to, or divulging of information in any other manner outside the entity holding the information. 45 C.F.R. § 160.103.

Electronic Media means electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media.

Transmission media includes, for example, the Internet (wide‐open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial‐up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile, and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission. 45 C.F.R. § 160.103.

HHS stands for the Department of Health and Human Services.

Health Care means care, services, or supplies related to the health of an individual, including (1) preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, services, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription. 45 C.F.R. § 160.103.

Health Care Clearinghouse means a public or private entity, including a billing service, re‐pricing company, community health management information system or community health information system, and “value‐added” networks and switches, that does either of the following functions: (1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; (2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity. 45 C.F.R. § 160.103.

Health Care Operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions: (1) conducting quality assessment and improvement activities, population‐based activities, and related functions that do not include treatment; (2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health care providers, training of professionals that are not health care providers, accreditation, certification, licensing, or credentialing activities; (3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; (4) conducting or arranging for medical review, legal services, and auditing functions; (5) business planning and development; and (6) business management and general administrative activities of the entity. 45 C.F.R. § 164.501.

Health Care Provider means a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. § 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. § 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. 45 C.F.R. § 160.103.

Health Information means any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 45 C.F.R. § 160.103.

Health Plan means, with certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. § 300gg‐91(a)(2)). 45 C.F.R. § 160.103.

Hybrid Entity means a single legal entity that is a covered entity, performs business activities that include both covered and non‐covered functions, and designates its health care components as provided in the Privacy Rule. 45 C.F.R. § 164.103.

Indirect Treatment Relationship means a relationship between an individual and a health care provider in which (1) the health care provider delivers health care to the individual based on the orders of another health care provider; and (2) the health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual. 45 C.F.R. § 164.501.

Individually Identifiable Health Information means information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care of an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 C.F.R. § 160.103.

Person means any natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private. 45 C.F.R. § 160.103.

Protected Health Information (or PHI) means individually identifiable information transmitted or maintained in electronic media (ePHI), or transmitted or maintained in any form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, records described at 20 U.S.C. § 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer. 45 C.F.R. §§ 164.501, 160.103.

Psychotherapy Notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical records. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. 45 C.F.R. § 164.501.

Research means a systematic investigation, including research development, testing, and evaluation designed to develop or contribute to generalizable knowledge. 45 C.F.R. § 164.501.

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another. 45 C.F.R. § 164.501.

Secretary means the Secretary of the U.S. Department of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated. 45 C.F.R. § 160.103.

Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the entity or health care component (for hybrid entities) that maintains such information. 45 C.F.R. § 160.103.

Violation or violate means, as the context may require, failure to comply with an administrative simplification provision.

Workforce means employees, volunteers, trainees, or other persons whose conduct in the performance of work for a covered entity is under the direct control of such entity, whether or not they are paid by the covered entity. 45 C.F.R. § 160.103.

III. General Policies and Procedures

A. Authorization to Use or Disclose Protected Health Information

1. Policy

Pepperdine University will obtain an individual’s authorization to use or disclose protected health information in accordance with HIPAA and its regulations. Generally, designated covered components do not need to obtain an individual’s authorization when using and disclosing protected health information for routine purposes (e.g. treatment, payment, or health care operations), or for other limited purposes, as described in Pepperdine University’s Notice of Privacy Practices. Otherwise, designated covered components must obtain an individual’s valid authorization for the use or disclosure of protected health information.

2. Procedure

Authorization Form

A Sample Authorization may be found on page 36 of this Manual.

The authorization shall be written in plain language and shall contain the following information:

- A description of the PHI to be used/disclosed that identifies the information in a specific and meaningful fashion;

- A description of each purpose of the requested use or disclosure, for example, the statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;

- The name of the person or organization authorized to disclose the PHI;

- The name of the person or organization authorized to receive the PHI;

- A statement that the individual has the right to revoke the authorization in writing;

- A statement listing the exceptions to an individual’s right to revoke;

- A statement that information used or disclosed pursuant to the authorization may be subject to re‐disclosure by the recipient and no longer protected;

- A statement that the individual may refuse to sign the authorization;

- A statement that the covered component will not condition treatment, payment, enrollment or eligibility for benefits in a health plan, based on the individual providing authorization for the requested use or disclosure;

- An expiration date (or expiration event); and

- The signature of the individual and date (or the signature of an individual’s personal representative).

The University must provide the individual with a signed copy of the authorization.

Psychotherapy Notes

The University will obtain an individual’s authorization to use or disclose psychotherapy notes, except in the circumstances listed below.

The University does not need to obtain an individual’s authorization to use or disclose psychotherapy notes:

- To carry out treatment, payment, or health care operations;

- For use by the originator of the psychotherapy notes for treatment;

- For use or disclosure by the designated covered component for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in counseling;

- For use or disclosure by the covered entity to defend itself in a legal action or proceeding brought by the individual; and

- For other limited uses and disclosures as described in 45 C.F.R. § 508(a)(2).

Revocation of Authorization

An individual may revoke an authorization at any time, provided that the revocation is in writing.

If the University has already taken action in reliance on the authorization, the University will stop providing the protected health information based on the revoked authorization within a reasonable period of time.

Documentation

The University must document and retain any signed authorization under this section.

3. Applicable Regulations

45 C.F.R. §§ 164.508, 164.512.

B. Business Associates

1. Policy

From time to time, covered components may share protected health information with external parties, known as business associates. Protected health information generally may only be shared with business associates pursuant to a valid Business Associate Agreement. A Business Associate Agreement can be in the form of a written amendment to an existing agreement.

How to Edit Hipaa Policies Procedures Online for Free

We built our PDF editor to be as simple to use as possible. Filling out the HIPAA policies manual is straightforward if you carry out the following steps:

Step 1: Seek out the button "Get Form Here" and hit it.

Step 2: Now you are on the file editing page. You can edit, add information, highlight particular words or phrases, put crosses or checks, and put images.

You will have to enter the next information in order to fill out the file:

The system will require you to complete the Accounting section.

It is important to include particular details within the field May.

The Information, HIP, A, A field will be your place to put the rights and responsibilities of both sides.

End by looking at the following areas and filling in the suitable information: May.

Step 3: Select "Done". You can now upload the PDF file.

Step 4: It is safer to maintain copies of the file. There is no doubt that we will not distribute or view your data.
