HIPAA POLICIES AND PROCEDURES FOR ONSITE AUDIOLOGY, LLC

INTRODUCTION

​

The Health Insurance Portability and Accountability Act was enacted into law in 1996 with specific implications for health care providers. The law affects all healthcare organizations and providers, which includes public health authorities, insurers, clearinghouses, billing agencies, information system vendors, service organizations, universities, and physicians.

All employees of Onsite Audiology, LLC are required to participate in annual training to ensure compliance with HIPPA policies and procedures and are mandated to implement HIPPA compliance in daily operations. 

 

REFERENCES:

​

HIPAA: Title II, Subtitle F, Sections 261 through 264 of the Health Insurance Portability and Accountability Act of 1996.

Records, Computers, and the Rights of Citizens; Report of the Secretary’s Advisory Committee on Automated Personal Data Systems, H.E.W., July 1975.

Various State and Federal Laws and regulations, a list of which can be obtained from the Department of Human Resources Office of Evaluation and Research.

​

ONSITE AUDIOLOGY POLICY OF CONFIDENTIALITY

 

PURPOSE

​

The purpose of this policy is to protect and insure confidentiality and protection of client’s health information. Confidentiality is an ethical and legal issue. All employees of Onsite Audiology, LLC must be extremely vigilant about protecting the client’s records. Federal Law protects the client’s right to privacy.

It is the policy of the company to respect and acknowledge the privacy and confidentiality of its clients.  Furthermore, it is policy that client information and records are company information and records and as such, may be shared with authorized staff on a need-to-know basis.  Confidential client information may be released to persons or entities outside the company with proper authorizations that will be provided to patients, customers or partners as needed.

 

GENERAL POLICY

​

All client health information is confidential and will not be released or communicated by any employee to anyone other than the client, without valid written permission or as specified in the Privacy Notice, in a court order signed by a judge or in a life-threatening situation.   Release to appropriate “third parties” must have documented evidence of reasonable steps taken to verify the identity of the person receiving the PHI. No individually identifying information will be transmitted to any individual or outside agency that is not a business associate without an authorized release of information signed by the client or the client’s legal guardian.

Information (such as audiograms) shall be released to employees, law enforcement agencies or judicial systems with a written authorization signed by the client or legally responsible agent which  specifies the person or agency to whom the information to be sent and the purpose for sending such information. Verbal information about clients is often exchanged between service providers of different agencies to make referrals or to provide continuity of care.  This information must be treated with the same concern as written information.  It is not necessary, however, to obtain a written authorization, provided it is done to further the health and welfare of the client and there is no risk that the shared information will result in harm to the client.  Casual conversation outside of the company about clients must be always avoided.

 

Federal or State regulations, which are more restrictive than this company policy, shall take precedence.

 

ONSITE AUDIOLOGY POLICY ON THE UNAUTHORIZED RELEASE OF PROTECTED HEALTH INFORMATION

 

PURPOSE

​

The purpose of this policy is to protect and insure confidentiality and protection of client’s health information. Confidentiality is an ethical and legal issue. Employees of Onsite Audiology, LLC, especially those working with confidential health information must be extremely vigilant about protecting the client’s records. Federal Law protects the client’s right to privacy.

 

It is the policy of Onsite Audiology, LLC to respect and acknowledge the privacy and confidentiality of its clients.  Furthermore, it is the policy that the client information and records are company information and records and as such, may be shared with authorized staff on a need-to-know basis. A need-to-know basis is outlined in the Privacy Notice given to each client. Confidential client information may be released to persons or entities outside the company with proper authorizations or as specified in the Privacy Notice given to each client.

 

GENERAL POLICY

 

Our patient’s privacy is a high priority, and we take unauthorized release of our patients’ personal health information seriously.  If you observe or have knowledge of any unauthorized release of protected health information from Onsite Audiology, LLC, you must immediately report this release to the Founder.  Failure to do so may result in disciplinary action as an accomplice to the unauthorized release.

 

POLICY ON DISCLOSURE AUTHORIZATIONS/LIMITATIONS

 

PURPOSE

 

The purpose of this policy is to protect and insure confidentiality and protection of client’s health information. Confidentiality is an ethical and legal issue. Employees of Onsite Audiology, LLC, especially those working with confidential health information must be extremely vigilant about protecting the client’s records. Federal Law protects the client’s right to privacy.

 

It is the policy of Onsite Audiology, LLC to respect and acknowledge the privacy and confidentiality of its clients.  Furthermore, it is the policy that the client information and records are company information and records and as such, may be shared with authorized staff on a need-to-know basis. A need-to-know basis is outlined in the Privacy Notice given to each client. Confidential client information may be released to persons or entities outside the company with proper authorizations or as specified in the Privacy Notice given to each client.

 

GENERAL POLICY

​

The patient has the right to authorize a release of information pertaining to their treatment or payment to other providers or entities.  The patient also has the right to put limits on what information can or cannot be released and to whom that applies.

 

PROCEDURES

​

Authorized Release

​

Before releasing any protected health information, the patient must fill out a Release of Medical Information Request form and it must be signed.

 

If the entire medical record is to be disclosed, a written explanation why the entire medical record may be disclosed is required.

 

If an expiration of the authorization date is known, it must be indicated on the form or the authorization will be in effect until written revocation of the authorization is received by the Founder.

​

The Authorization will be noted as to the disclosure date, the person distributing the protected health information, and how it was distributed (fax, mail, etc.).

​

The Authorization will be added to the medical record and the date it is added will be recorded on the authorization form.

​

If/when a letter of revocation is received, it will be attached to the authorization form and the date and time the revocation is processed will be noted on the authorization form in the patient’s record.

​

POLICY ON PATIENTS WHO REFUSE AUTHORIZATION

 

There may be times when you ask a patient for his or her authorization and they refuse to grant such an authorization.  When this occurs, you should inquire why the patient does not want Onsite Audiology, LLC to use his or her protected health information in the manner set forth in the authorization.  Your response to the patient’s reason(s) will vary depending on the situation; however, you may never condition treatment or other activity at Onsite Audiology, LLC on the patient’s willingness to sign an authorization.

​

If the patient refuses to sign the authorization, ask if the patient understands the use(s) as listed on the authorization form.  Inform the patient that Onsite Audiology, LLC is limited to those uses; any use outside the explanation on the form is a violation of federal regulation.  You may also explain to the patient the benefit(s) to Onsite Audiology, LLC for using that information.  However, you should not harass the patient into signing the form.  Remember, if at any time you need assistance in explaining the authorization to the patient, find the Privacy Officer and ask him or her to help you.

​

Even after your explanations, the patient may still refuse to sign the authorization form.  If you believe further discussion would not change the patient’s mind, simply note your attempt to have the patient sign the authorization form on the form itself (including date, time, and your name) and pass the unsigned form to the Founder.

 

POLICY ON HANDLING PHI IN THE OFFICE/CLINIC

 

PURPOSE
 

To ensure the confidential and appropriate handling of protected health information (PHI) in public and non-public areas of the office/clinic where patients and other unauthorized persons are found.

 

GENERAL POLICY

​

The company shall utilize reasonable effort to protect privacy and limit disclosure of such information.  Generally, if the information identifies the individual and relates to his or her health status (or the payment for health services), the information is considered PHI.  Reasonable effort does not imply a mandate for major reconstruction or changes that are cost prohibitive to the clinic/facility. Reasonable effort may include restructuring and/or reorganizing clinic/information flow in areas where information is collected from and given to patients; improving personnel practices and habits in day to day activities to better prevent random disclosure of PHI; initiating stricter practices to safeguard patient records stored/utilized in public/non-public areas; and incorporating more opportunities to allow patient choice in how and where they give and receive protected health information. The following procedures address these areas and are to be followed in limiting disclosure of protected health information.

 

Mobile Media

​

Personal Digital Assistants (PDA’S) containing PHI must be password protected so that a password is required to boot the PDA.

 

Laptop computers containing PHI must be physically secured when not in use, or when left unattended.  This may be accomplished by placing the laptop in a locked cabinet/closet, leaving the laptop in a locked office, or use of a cable and lock type security system that allows the laptop to be secured to furniture.

​

As an additional means of protection, it is highly recommended that a file system encryption technology be used to encrypt files containing PHI.  This technology would require the use of a key, PIN, or both to gain access to the information in the file.

 

POLICY ON MAIL DISTRIBUTION

 

PURPOSE

 

To assure every effort is made for adherence to the Health Insurance Portability & Accountability Act of 1996 and the Open Records Act, OCGA § 50-18-70 et seq., and the Open Meetings Act, OCGA § 50-14-1 et seq. Amendments effective July 1,1999.

 

GENERAL POLICY

​

Adherence to the Onsite Audiology Policy of Confidentiality is expected when receiving and distributing mail containing protected health information. Properly completed and signed authorizations must be obtained to release protected health information.

 

POLICY ON FAXING PROTECTED HEALTH INFORMATION

 

PURPOSE

To provide guidelines for receipt, use and dissemination of protected health information by facsimile.

 

GENERAL POLICY

​

Adherence to Onsite Audiology’s Policy of Confidentiality is expected with the use of facsimile when transmitting patient health information. Properly completed and signed authorizations must be obtained to release patient information.  An authorization transmitted via fax machine is acceptable, with verification for signature. In medical emergencies, the information may be released without authorization when the provider or business associate requesting the information is required by law to treat the individual or when there are substantial communication barriers or threats to the health of the public.  When using faxed duplicates instead of the original medical record, destroy the copied material once the use is completed. Fax users must be instructed on the proper procedures for handling of confidential information. It is recommended that specific patient healthcare information be faxed only when the data are to be used for patient care. HIPAA provisions allow facsimile of data for treatment, payment, and healthcare operations without an authorization. Use of the fax for these reasons should only occur when the original document or mail-delivered photocopies will not serve the purpose. Fax machines must be in a secure area that is protected from public view and available only to those employees legitimately entitled to access protected health data.

​

POLICY ON E-MAIL REGARDING PROTECTED HEALTH INFORMATION

 

PURPOSE

​

To assure that client Protected Health Information (PHI) confidentiality and privacy is maintained in accordance with the Health Insurance Portability and Accountability Act of 1996.

 

GENERAL POLICY

​

Our clients’ PHI is considered private and confidential and as such should always remain secure.  Whereas every attempt is made to provide security for our e-mail system it is not considered to be a completely secure environment. Therefore, every attempt should be made to de-identify PHI, and adhere to the minimum necessary rule when sending PHI through email.

 

AFFINITY HEARING POLICY ON PATIENT ACCESS TO PROTECTED HEALTH INFORMATION

 

PURPOSE

 

To protect and insure confidentiality of our patients’ protected health information.

 

GENERAL POLICY

 

The HIPAA Privacy Rule requires a health care organization to give a patient access to (inspect and obtain a copy of) the protected health information it keeps on that patient in a “designated record set”, for as long as it is maintained in the “designated record set”.

Patients have a right to protected health information that is used to make decisions about such things as their healthcare and insurance claims. According to the Privacy Rule, the protected health information must be provided with 30 days of the request.

 

The Georgia Open Records Act, (OCGA § 50-18-70(b), provides that medical records are exempt if their disclosure would be an invasion of privacy.  Since a patient’s access to their own medical records would not be an invasion of privacy, all requests by patients to access their own protected health information shall be permitted, under the Georgia Open Records Act.  Furthermore, access to the protected health information will be permitted within 3 business days, as required by the Act.

​

ONSITE AUDIOLOGY’S POLICY FOR PATIENT REQUESTS FOR PHI BY OTHER THAN PATIENTS, THEIR TREATMENT PROVIDERS OR THEIR PERSONAL REPRESENTATIVE

 

PURPOSE

 

To protect and insure confidentiality of our patients’ protected health information.

 

GENERAL POLICY

 

It is the policy of Onsite Audiology that the identity and authorization of all persons requesting protected health information are confirmed prior to release of any information.