In accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), our office must ensure the confidentiality, integrity and availability of all the protected health information (“PHI”) it creates, receives, maintains or transmits. Our office must also protect against any reasonably anticipated hazards to the security and integrity of PHI. The following information and guidelines should provide all employees the information needed to properly handle and maintain PHI.

What Is Protected Health Information?

PHI is generally identifiable information that is transmitted or maintained by electronic, oral, or paper-based, that relates to an individual’s physical or mental health, treatment, payment for services or healthcare operations. To be PHI, the information must identify the individual or provide a reasonable basis for identifying the individual.

Example:

• Full name, address, social security numbers, or birthdate.
• Health records including past, present, or future physical or mental health conditions.
• Payment records related to individual’s healthcare.

Who Is Authorized to Access Confidential PHI?

Any information our office collects or creates that relates to patient health or patient care can only be used in limited ways without patient authorization. Patient authorization is not required when doctors, nurses and others use information about patients to determine what services they should receive or to review quality of their care. PHI may also be used without patient authorization to bill patient (or their insurance companies) for the services they received or to fulfill other necessary administrative/support functions.

Disclosure is also permitted without authorization in a number of other situations. A few examples are below.

Example:

• Healthcare providers can share health information to contribute to the public good, such as public health and research. Certain situations such as: preventing disease, reporting adverse reactions to medications, reporting suspected abuse, neglect , or domestic violence, etc.
• Courts have the right to order healthcare providers to release patient information with appropriate court orders.
• Under limited circumstances, healthcare providers may disclose PHI to police (such as reporting certain wounds or injuries, or to comply with a court-ordered warrant or grand jury subpoena).
• Healthcare providers report information to coroners and funeral directors in cases where the patients pass away.

For many other uses and disclosures of PHI, our office must get a signed authorization from the patient.

Principles of the “Minimum Necessary” Rule

Access to PHI within our facility is governed by the “minimum necessary” rule, ensuring that only essential information is accessed for specific purposes. This minimizes unnecessary exposure of patient data. Personnel are permitted to interact with PHI strictly for job-related activities and are encouraged to employ discretion when handling sensitive information.

Substance Use Disorder Records

We may maintain records related to the diagnosis, treatment, or referral for treatment of a substance use disorder. These records are protected by federal law (42 CFR Part 2) in addition to HIPAA.

Substance use disorder records may be used and disclosed for treatment, payment, and health care operations as permitted by law. These records may not be used or disclosed for law enforcement purposes or in civil, criminal, administrative, or legislative proceedings against you without proper legal authority.

Substance Use Disorder Records Continued

Federal law also prohibits the use or disclosure of substance use disorder records for employment, housing, education, or access to social services without your consent or as otherwise permitted by law. Recipients of substance use disorder records are prohibited from redisclosing this information unless permitted by federal law.

You have the right to:

• Request restrictions on certain uses and disclosures of your substance use disorder records
• Request an accounting of disclosures, as required by law
• File a complaint if you believe your rights under 42 CFR Part 2 have been violated

You will not be retaliated against for filing a complaint.

What Rights Under HIPAA Do You Have?

• Right to Receive a Copy of the “Notice of Privacy Practices.”: This notice informs patients of their HIPAA rights and how to exercise them.
• Right of Access: Patients may request to inspect their medical records and request copies, including electronic records.
• Right to Request an Amendment: Patients may file a request to make an amendment to their medical records they may feel are incorrect or incomplete.
• Right to an Accounting of Disclosures: Patients have the right to receive a list (accounting) of the times a facility has shared their health information for up to six years prior to the date asked.
• Right to Request Restrictions: Patients have the right to request restrictions on how we will communicate with the patient or release information.
• Right to Receive Notice of a Security Breach: Patients have the right to be notified if their health information has been breached.

Potential HIPAA Violations

Recognizing and responding to HIPAA violations is a critical responsibility of all staff members. If a potential breach or non-compliance act is witnessed, it is crucial to report to a supervisor or our designated HIPAA Privacy Officer without delay.

If you ever feel we have violated your rights. Please contact us or file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by the methods below:

• Sending a letter to: 200 Independence Avenue, S.W., Washington, D.C. 20201
• Calling 1-877-696-6775
• Visiting www.hhs.gov/ocr/privacy/hipaa/complaints/

Please note we will not act against you for filing a complaint.

Our Responsibilities

• Our facility is required by law to maintain the privacy and security of your protected health information.
• We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
• We must follow the duties and privacy practices described on this sheet and give you a copy.
• We will not use or share your information other than as described unless you tell us in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.

DOWNLOAD: HIPPA Notice of Privacy Practives

FOR MORE INFORMATION SEE: WWW.HHS.GOV/OCR/PRIVACY/HIPAA/UNDERSTANDING/CONSUMERS/NOTICEAPP.HTML