
HIPAA Privacy Policies and Procedures
Administrative Requirements Standards

PERSONNEL DESIGNATIONS

POLICY

DOEA has designated a HIPAA Administrator who is responsible for the development and implementation of DOEA’s policies and procedures.

DOEA has designated a Security Officer, the General Services Manager.

DOEA designates a contact person or office responsible for receiving complaints and who is able to provide further information regarding the Notice (45 CFR 164.520). The contacts are the case manager for the CARES Program and the Program Administrator for the Consumer Directed Care (CDC) Program.

PROCEDURE

DOEA has designated contact persons or offices to be responsible for:

  1. Receiving complaints about the substance of the privacy policies and procedures adopted by DOEA - the Privacy Officer.
  2. Receiving complaints concerning DOEA’s compliance with its privacy policies and procedures or with the Privacy Rule - the case manager, the CDC Program Administrator or the HIPAA Administrator.
  3. Providing further information about matters covered by the Notice of Privacy Practices - the case manager, the Program Administrator or the HIPAA Administrator.
  4. For denied requests to access or amend PHI, the denial must contain the name, or title, and telephone number of the contact person or office. Only the Privacy Officer, Office of the General Counsel, can deny access or amendments.

The Privacy Rule does not prohibit combining these functions.

Violation of this or any other DOEA Privacy Policy is to be communicated to the Privacy Officer, Office of the General Counsel.

Reference:

45 CFR 164.530(a)

TRAINING

DOEA trains all members of its current workforce on the policies and procedures with respect to Protected Health Information (PHI) no later than the compliance date, April 14, 2003. Each new member of the workforce will receive training within a reasonable time after the person joins DOEA’s workforce.

This policy applies to all DOEA employees, volunteers, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).

POLICY

It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by establishing a Training Program for HIPAA Privacy Awareness, to include an initial training module, refresher modules, and accountability.

Violation of this or any other DOEA Privacy Policy is to be communicated to the Privacy Officer, General Counsel.

PROCEDURE

DOEA trains all members of its workforce on its Privacy Policies and Procedures as necessary and appropriate for them to carry out their function within the Agency.

Training has been provided to each member of DOEA’s workforce, including volunteers, no later than April 14, 2003.

New DOEA employees are provided training within three (3) months of orientation.

Training is provided to each member of DOEA’s workforce whose functions are changed (i.e., reassignment, transfer, demotion, promotion) within 30 days of the material change becoming effective.

Volunteers are given training as part of their orientation.

DOEA documents that the training has been provided, in written or electronic form.

Training documentation will be retained for six (6) years.

DOEA ensures that all Business Associates uphold consistent privacy practices and training programs for employees. DOEA may include a training requirement in Business Associate contracts as a means of protecting the PHI provided to them.

SAFEGUARDS

POLICY

DOEA has developed physical safeguard standards and access controls for PHI the Agency collects and maintains.

PROCEDURE

The following are minimum standards necessary for all employees to safeguard Protected Health Information (PHI):

- Clear desk or locked office door policy for staff reviewing client medical records.

- Locked file cabinets for cabinets located in unsecured areas where casual access is possible.

- Activate a password-protected screen saver or turn the monitor off when working with PHI and someone who is not authorized to view PHI enters the office.

- Activate a password-protected screen saver or turn the monitor off when leaving the office.

- Cover or secure PHI on the desk any time you leave the office.

- Maintain fax machines and network printers out of common traffic areas, if Protected Health Information (PHI) is transmitted.

- Take reasonable precautions to safeguard PHI when out of the office on field or client visits.

Violations must be reported to the DOEA Privacy Officer, General Counsel.

SANCTIONS

POLICY

This policy applies to all DOEA employees, volunteers, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).

It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by establishing sanctions for breaches of confidentiality.

Violation of this policy or any other DOEA Privacy Policy is to be communicated to the designated Privacy Officer.

The HIPAA Privacy Rule establishes a standard for sanctions against members of DOEA’s workforce who fail to comply with its privacy policies and procedures.

PROCEDURE

The procedure describes specific sanctions for breaches of confidentiality, violations of the Privacy Rule and/or violations of DOEA’s privacy practices.

DOEA imposes sanctions against members of its workforce who fail to comply, who willfully and unlawfully disclose Protected Health Information (PHI) as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or who intentionally disregard DOEA’s policy for the disclosure of individually identifiable health information. The sanctions will be immediate and the violator will be subject to disciplinary action consistent with the department’s disciplinary policy. The sanction may also include termination and reporting of such violation to the Office for Civil Rights (OCR).

Volunteers are subject to the same sanctions and are to be considered as members of DOEA’s workforce.

Business Associates engaged in performing services for DOEA, in addition to being subject to the same requirements of compliance with the HIPAA Privacy Rule, are subject to monitoring, corrective action and, if necessary, cancellation of services for failure to comply.

Sanctions do not apply to whistleblowers, provided that:

  1. The workforce member or business associate believes in good faith that DOEA has engaged in conduct that is unlawful or otherwise violates professional or clinical standards.
  2. The care, services, or conditions provided by DOEA potentially endangers one or more clients, workers, or the public.
  3. Disclosure must be to:
    1. An appropriate oversight agency or public health authority,
    2. An appropriate healthcare accreditation organization, or
    3. An attorney for the purposes of determining the legal options with regard to the conduct of the workforce member or business associate.

Sanctions do not apply to workforce members or volunteers who are victims of a criminal act and who disclose PHI to a law enforcement official. The PHI must be about a suspected perpetrator of the criminal act and is limited to the following information:

  1. Name and address
  2. Date and place of birth
  3. Social Security Number
  4. ABO blood type and Rh factor
  5. Type of injury
  6. Date and time of treatment
  7. Date and time of death, if applicable
  8. Description of distinguishing physical characteristics

Violations must be reported to the DOEA Privacy Officer, General Counsel.

Reference:

45 CFR 164.530(e)
