HARK AT ENDEAVOR FOUNDATION
HIPAA PRIVACY POLICIES
Hark at Endeavor Foundation
General Background and Confidentiality
I. Business Associate Designation.
Hark at Endeavor Foundation (“Hark”) serves in the capacity of a business associate to various covered entities for purposes of compliance with the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and the regulations promulgated thereunder, including the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E (the “HIPAA Privacy Rule”); the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C (the “HIPAA Security Rule”); and the standard relating to Notification in the Case of Breach of Unsecured Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and D (the “Breach Notification Rule”).
II. Policy of Compliance.
A. Hark intends to comply with HIPAA and its regulations.
B. This set of HIPAA policies addresses Hark’s compliance with the HIPAA Privacy Rule, as required by its Business Associate Agreements with covered entities (as such term is defined in the Policy and Procedure titled, “BUSINESS ASSOCIATES”). Another set of HIPAA policies addresses Hark’s compliance with the HIPAA Security Rule and the Breach Notification Rule. Nonetheless, certain policies in each set could relate to topics primarily addressed in the other set; therefore, each set should be read and followed in conjunction with the other.
III. Staff Commitment to Patient Privacy.
A. The information concerning the health and identity of the patients of Hark’s Covered Entities is highly sensitive and requires thoughtful and attentive management by those who have access to it. Hark’s workforce shall be committed to protecting patients’ right to privacy and safeguarding this information.
B. Hark will protect patients’ right to privacy by adhering to these policies. The policies pertain to all information (oral, paper-based, and electronic) related to the services Hark provides to its Covered Entities.
C. These policies apply to Hark’s workforce. Hark’s workforce includes management staff and other persons whose conduct, in the performance of work for Hark, is under the direct control of Hark, whether or not they are paid by Hark (collectively, the “Hark Workforce”). In performing work for Hark, the Hark Workforce will acquire medical, familial, financial, and other types of private information about patients of covered entities. The Hark Workforce will divulge such information only to authorized persons and for authorized purposes as required. Each Hark Workforce member is individually responsible for seeking answers to questions and/or issues he or she does not understand in these policies, including bringing ambiguous, incomplete, or erroneous policies and practices to the attention of Hark management. Hark management will create and promote a climate for maintaining the confidentiality of patient information.
IV. Policy of Safeguarding Patient Information.
A. All members of the Hark Workforce have a responsibility to safeguard all protected health information (“Protected Health Information” or “PHI”) about patients. The Hark Workforce may use or disclose Protected Health Information only as necessary in the provision of services on behalf of its covered entities or as allowed by business associate agreements entered by Hark and for other authorized purposes specified in these Privacy Policies.
B. The Hark Workforce may not gain access to Protected Health Information concerning patients, except for legitimate clinical and business purposes and in accordance with Hark’s Privacy Policies or Security Policies. Any uncertainty about what constitutes a legitimate clinical or business purpose should be discussed with the Hark Privacy Officer.
C. Unauthorized access, use, or release of Protected Health Information to unauthorized individuals is strictly prohibited. Violation of the Privacy or Security Policies will be grounds for disciplinary action, up to and including termination.
V. Clarification of General Policy.
This general policy is subject to clarification by more specific policies and/or procedures.
DESIGNATION OF PRIVACY/CONTACT OFFICER
It is the policy of Hark to comply with the HIPAA Privacy Rule by designating appropriate personnel to fill the position of Privacy Officer.
Designation. The following individual is designated as the Privacy Officer (the “Privacy Officer”) for Hark:
[ Sara Allbright ]
[ 800 Founders Park Drive]
[ Springdale, AR 72704 ]
[ firstname.lastname@example.org ]
I. Duties. The duties of the Privacy Officer shall include, but not be limited to:
A. Developing and implementing programs designed to train the Hark Workforce and any other individuals with access to Protected Health Information concerning the privacy policies;
B. Receiving reports from the Hark Workforce and any other individuals with access to Protected Health Information concerning violations of privacy policies;
C. Investigating and remedying ongoing violations of Hark’s privacy policies, including administering sanctions to the Hark Workforce and any other individuals with access to Protected Health Information, when appropriate, for violations of privacy policies;
D. Suggesting amendments to privacy policies and all other forms, provisions within forms, contracts, or other documents that affect the privacy of Protected Health Information;
E. Receiving reports from all sources regarding Hark’s Business Associates’ compliance with applicable privacy policies and terminating contracts with Subcontractors when necessary to ensure continued compliance with laws and regulations governing the use and disclosure of Protected Health Information;
F. Cooperating with, and coordinating to the extent possible, any audits of the Secretary of the Department of Health and Human Services (“HHS”) or any other governmental or accrediting organization concerning compliance with state or federal privacy laws or regulations;
G. Following the terms of business associate agreements with respect to situations in which a patient’s health information has been used or disclosed in violation of privacy practices;
H. Following the terms of business associate agreements with respect to situations in which the Unsecured Protected Health Information of a patient has been breached in accordance with the Breach Notification Rule and applicable provisions of these policies;
I. Responding to suggestions and complaints regarding privacy practices;
J. Providing clarifications regarding privacy practices;
K. Responding to requests for access to Protected Health Information;
L. Responding to requests for amendment of Protected Health Information;
M. Responding to requests for accountings of disclosures;
N. Performing any other assigned functions; and
O. Documenting, in writing, the actions taken in compliance with A. through N. above.
II. Board Approval. The policies and procedures developed and the methods of implementation chosen by the Privacy Officer are subject to final approval of Hark’s Board of Directors (the “Board”), or an appropriate committee thereof, and the Board or such committee will have such other responsibilities as specified herein.
III. Term of Service of Privacy Officer. The Privacy Officer shall serve until removed by the Board, or until he or she resigns from the position.
PREEMPTION OF STATE LAWS
Hark will follow all state laws relating to the use and/or disclosure of Protected Health Information unless they are preempted by HIPAA.
I. State Laws Not Preempted. The following state laws are not preempted by the HIPAA Privacy Rule:
A. State laws that are more stringent than the HIPAA Privacy Rule;
B. State laws that require or prohibit the disclosure of minors’ records to parents;
C. State laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention;
D. State laws that require health plans to report, or provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals; and
E. State laws for which the Secretary of HHS has granted an exemption based upon a finding by HHS that the law is necessary to prevent health care fraud and abuse, to ensure appropriate state regulation of insurance, for state reporting on health care delivery costs, or for the purpose of serving a compelling need related to public health, safety or welfare. The Secretary may also exempt statutes whose principal purpose is the regulation of controlled substances. Those statutes receiving an exemption from the Secretary will not be preempted by the HIPAA Privacy Regulations. Accordingly, they must be followed even if they conflict with the Privacy Regulations.
II. Guidance to Staff. If any member of the Hark Workforce has a question or concern regarding whether a state law is applicable or preempted, he or she should contact the Privacy Officer.
LIMITED DATA SET/MINIMUM NECESSARY USES AND DISCLOSURES
Except as otherwise provided in this Policy and Procedure, Hark shall limit its uses and disclosures of, and requests for, PHI, to the extent practicable, to the limited data set (as such term is defined in the Policy and Procedure titled, “DE-IDENTIFICATION OF PHI AND LIMITED DATA SETS”) or, if needed by such entity, to the minimum necessary to accomplish the purpose of the use, disclosure, or request. Hark shall follow any future guidance issued by the Secretary of HHS with respect to what constitutes the “minimum necessary” uses and disclosures of PHI.
I. Exceptions to the Minimum Necessary Requirement. The limited data set/minimum necessary requirement does not apply to the following types of uses and disclosures:
A. Uses and/or disclosures for treatment purposes;
B. Uses and/or disclosures of PHI requested by the patient to whom the PHI belongs;
C. Uses and/or disclosures required for compliance with standardized HIPAA transactions;
D. Required disclosures to HHS for enforcement purposes;
E. Uses and/or disclosures made pursuant to a patient’s written authorization; or
F. Uses and/or disclosures that are required by law.
II. Hark Workforce Access.
A. Certain members of the Hark Workforce have been identified as those who need access to Protected Health Information in the performance of their duties. Only those members of the Hark Workforce who have need for such information shall have access, and access shall be limited to that information that is necessary in order for the particular member of the Hark Workforce to carry out his or her duties.
B. The matrix below identifies members of the Hark Workforce and others who require access to PHI, the categories of PHI they require access to, and the justification for access.
Workforce Category: Management (including Hark’s Privacy or Security Officers)
PHI Accessed: All records, to the extent relevant to an issue being addressed by an individual manager
Justification: Enabling effective management, including addressing complaints, and avoiding or addressing legal issues
Workforce Category: [Any other staff categories that will require access to PHI]
III. Routine Disclosures of Protected Health Information on Behalf of Covered Entities. Other than as required by law, Hark shall disclose Protected Health Information only to the extent such disclosures are permitted or required by Hark’s Business Associate Agreements with covered entities.
Subpoenas and Court Orders. Disclosures made in response to subpoenas and court orders shall be handled in accordance with state law and the Policy and Procedure titled “COURT ORDERS, SUBPOENAS OR OTHER LEGAL PROCESS”.
IV. Non-Routine Disclosures of Protected Health Information by Hark. All non-routine disclosures will be reviewed on an individual basis to determine that they comply with the minimum necessary standard. The following criteria will be utilized in determining the minimum amount of PHI to be disclosed:
A. Can the purpose for the use or disclosure be accomplished through disclosure of a limited data set?
B. How much PHI will be used or disclosed?
C. To what extent would the use or disclosure increase the number of persons with access to the PHI?
D. What is the likelihood of further uses or disclosures?
E. How important is the use or disclosure?
F. Can substantially the same purpose be achieved using de-identified information?
G. Is there technology available to limit the amount of PHI used or disclosed?
H. What is the cost, financial or otherwise, of limiting the use or disclosure?
V. Good Faith, Reasonable Belief that Minimum Necessary Standard Met. In the following circumstances, personnel may rely on the reasonable belief that the PHI requested from Hark is the minimum amount necessary to accomplish the purpose of the request:
A. The disclosure is to an entity or agency for health related purposes and does not require consent, authorization, or opportunity to agree or object, and the requesting official represents that the information is the minimum necessary (for instance, disclosures to the coroner or the Centers for Disease Control). When in doubt, contact the Privacy Officer.
B. The disclosure is to a covered entity.
C. The disclosure is to a member of the Hark Workforce or a business associate and is for the purpose of providing professional services, if the person making the request has represented that he or she has requested the minimum amount necessary.
D. The disclosure is to a researcher who has provided appropriate documentation from an Institutional Review Board (“IRB”) or Privacy Board. When in doubt, contact the Privacy Officer.
TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
In compliance with the HIPAA Privacy Rule and if permitted by the Business Associate Agreements, the Hark Workforce may use and disclose Protected Health Information on behalf of covered entities for Treatment, Payment and Health Care Operations (“TPO”) without obtaining patient consent, authorization or other permission.
A. Treatment includes the following activities by one or more health care providers:
1. Provision of health care related services;
2. Coordination or management of health care related services by health care providers;
3. Coordination or management of health care by a health care provider with a third party;
4. Consultation between health care providers relating to a patient;
5. Referral of a patient for health care from one health care provider to another.
B. Uses and disclosures for treatment are not subject to the Policy and Procedure titled “LIMITED DATA SET/MINIMUM NECESSARY USES AND DISCLOSURES.”
II. Payment includes any activities undertaken either by a health plan or by a health care provider to obtain premiums, determine or fulfill its responsibility for coverage and the provision of benefits, or obtain or provide reimbursement for the provision of health care. These activities include but are not limited to:
A. Determining eligibility, and adjudication or subrogation of health benefit claims;
B. Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care processing;
C. Review of healthcare services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
D. Utilization review activities, including pre-certification and preauthorization services, concurrent and retrospective review of services; and
E. Disclosure to consumer reporting agencies of certain PHI relating to collection of premiums or reimbursement.
III. Health care operations are any one of the following activities to the extent the activities are related to providing health care:
A. Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting patients with information about treatment alternatives, and related functions that do not involve treatment;
B. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
C. Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for health care;
D. Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
E. Business planning and development, such as conducting cost management and planning related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or covered policies; and
F. Business management and general administrative activities, including management activities related to HIPAA compliance, customer service, resolution of internal grievances, due diligence, activities designed to de-identify health information and fundraising activities for the benefit of the institution.
Communications concerning products or services that encourage recipients to purchase or use the product or service are considered health care operations only if:
A. The communication (i) describes products or services, (ii) concerns the treatment of the individual, or (iii) relates to case management services or care coordination; and
B. Hark does not receive direct or indirect remuneration, except where (i) the communication describes only a drug or biologic currently being prescribed for the recipient of the communication and any payment received by Hark on behalf of covered entities is reasonable in amount; (ii) the communication is made by Hark and Hark obtains from the recipient of the communication an authorization that complies with the Policy and Procedure titled “PATIENT AUTHORIZATION”; or (iii) the communication is made by a business associate of Hark, and the communication is consistent with Hark’s written contract with the business associate.
All other communications concerning products or services encouraging the recipient to purchase or use the products or services are marketing communications, which shall be conducted only in accordance with the Policy and Procedure titled “MARKETING”.
IV. Psychotherapy Notes Are Not To Be Disclosed for TPO. Psychotherapy notes are not to be included as PHI that may be disclosed for treatment, payment, or health care operations pursuant to this Policy and Procedure. For information regarding proper uses and disclosures for Psychotherapy notes, see the Policy and Procedure titled “PSYCHOTHERAPY NOTES”.
PSYCHOTHERAPY NOTES
If permitted by the Business Associate Agreements, Hark may use or disclose psychotherapy notes on behalf of covered entities only with appropriate authorization in accordance with this Policy and Procedure.
I. Psychotherapy Notes Defined.
A. Psychotherapy notes are:
1. Notes recorded in any form,
2. By a health care provider who is a mental health professional,
3. Documenting or analyzing the contents of a conversation that occurred during a private, joint, group, or family counseling session, and
4. Maintained separately from the rest of the patient’s medical record.
B. Psychotherapy notes do not include:
1. Medication and prescription monitoring;
2. Counseling session start and stop times;
3. Modalities or frequencies of treatment furnished;
4. Results of clinical tests; or
5. Summaries of diagnoses, functional status, treatment plans, symptoms, prognoses, and progress to date.
II. Written Authorization Required for Use or Disclosure of Psychotherapy Notes.
A. A patient’s written authorization shall be obtained prior to using or disclosing any psychotherapy notes related to such patient’s care or treatment.
B. The form of the authorization must satisfy all requirements of the Policy and Procedure titled “PATIENT AUTHORIZATION.”
III. Authorization Not Required. A patient’s authorization is not required for use or disclosure of psychotherapy notes in the following circumstances:
A. The psychotherapy notes will be used:
1. By the originator of the notes, for treatment purposes;
2. By the covered entity, in its own training programs in which students, trainees, or mental health practitioners learn under supervision to practice or improve their counseling skills; or
3. By the covered entity, to defend a legal action or other proceeding brought by an individual patient; or
B. The use or disclosure is:
1. Required by the Secretary of HHS to determine Hark’s compliance with the HIPAA Privacy Rule;
2. Required by law, and the disclosure is compliant with and limited to the relevant requirements of such law;
3. To a health oversight agency, for oversight activities authorized by law related to the originator of the psychotherapy notes;
4. To a coroner or medical examiner, to assist with their official duties; or
5. Necessary to prevent or lessen a serious, imminent threat to the health or safety of a person or the public, and the use or disclosure is to a person reasonably able to prevent or lessen such threat.
To the extent the Business Associate Agreements permit or require Hark to communicate with patients of covered entities, Hark shall treat a person as the personal representative of a patient if the person is, under applicable state or other law, authorized to act on behalf of the patient in making decisions related to health care.
I. “Patient” or “Individual” Includes Authorized Personal Representative.
A. Except as otherwise provided in these Policies and Procedures, personal representatives shall be treated as the patient.
B. When reading these Policies and Procedures, the word “patient” or “individual” (when used to refer to a patient) shall be understood to include both the patient and his or her personal representative, if any, to the extent of such personal representative’s authority to act on the patient’s behalf.
II. Personal Representative Defined.
A. A personal representative is any adult who has decision-making capacity and who is willing to act on behalf of a patient. A personal representative would include an individual who has authority, by law or by agreement from the individual receiving treatment, to act in the place of the individual.
B. Personal representatives may include parents, legal guardians or properly appointed agents, like those identified in documents like a Durable Power of Attorney for Healthcare, or individuals designated by state law.
III. Requirement to Recognize Personal Representative. Hark must recognize a personal representative as the individual responsible for providing authorization for any use or disclosure of PHI.
IV. Personal Representatives of Adults and Emancipated Minors.
A. Adult and Emancipated Minor Defined.
1. An adult is a legally competent person over eighteen (18) years of age.
2. An emancipated minor is a person under eighteen (18) years of age who has been legally emancipated. A minor has been legally emancipated when he/she:
(a) Has been emancipated by court order; or
(b) Is otherwise emancipated under applicable state law.
B. Personal Representatives. Hark shall treat a person as a personal representative of an adult or a legally emancipated minor if the person is authorized under other applicable law to act on behalf of the individual in making decisions related to health care and the use and disclosure of PHI.
V. Personal Representatives of Unemancipated Minors.
A. Unemancipated Minor Defined. An unemancipated minor is an individual under the age of eighteen (18) who has not been legally emancipated.
B. Personal Representatives. If a parent, guardian, or other person has authority by law to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, Hark will recognize such person as a personal representative.
C. Non-Custodial Parents’ Rights. In the case of an unemancipated minor, either parent (regardless of which parent has physical custody of the child) may obtain access to their minor child’s medical records unless the parent has been denied custody rights or visitation rights by the court or the parent’s right to such access has been limited by a court order. Hark may request a copy of a court order establishing custody in order to ensure compliance with this requirement.
D. Minors Who Are Legally Able To Consent To Own Treatment.
1. If a minor does not require the consent of an adult and may consent to treatment on his or her own, the minor will be treated as an individual and may provide a HIPAA authorization for release of PHI.
2. If a minor does not require the consent of an adult and may consent to treatment on his or her own, the minor will be treated as emancipated for purposes of such treatment and the PHI related to such treatment. In this case, the parent has no right to the minor’s PHI and no right to act for the minor with regard to his or her PHI.
VI. Personal Representative With Limited Authority. The personal representative’s authority is limited by the HIPAA Privacy Rule and Arkansas law where a minor consents to his or her own treatment. In such cases, Hark may not disclose information to the personal representative if such information exceeds the boundaries of the personal representative’s authority.
DISCLOSURE OF PHI TO FRIENDS AND FAMILY
Hark’s Business Associate Agreements with its covered entities do not permit or require Hark to disclose PHI to a patient’s friends or family or to other individuals involved in the patient’s care.
PUBLIC HEALTH DISCLOSURES
To the extent permitted by the Business Associate Agreements, it is the policy of Hark to disclose Protected Health Information for the public health activities and purposes described below.
I. Public Health Authority Defined. Public health authority is an agency or authority of the United States, any State, or a political subdivision of any State, or a person or entity acting under a grant of authority from or contract with such a public agency.
II. Disclosures to Prevent or Control Disease, Injury or Disability.
A. The Hark Workforce will disclose PHI for the purpose of preventing or controlling disease, injury, or disability to a Public Health Authority authorized by law to collect or receive information for this purpose or, at the direction of an authorized Public Health Authority, to an official of a foreign government agency that is acting in collaboration with the Public Health Authority.
B. These disclosures may include disclosures for the following purposes:
1. Reporting diseases or injuries;
2. Reporting births or deaths; or
3. Making reports to assist with public health surveillance, public health investigations, and public health interventions.
III. Child Abuse or Neglect Reporting. To the extent permitted by the Business Associate Agreements, the Hark Workforce will disclose PHI to a Public Health Authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.
IV. Disclosures to FDA-Regulated Persons or Entities. To the extent permitted by the Business Associate Agreements, the Hark Workforce may disclose PHI to a person or entity subject to regulation by the FDA if:
A. The disclosure is related to an FDA-regulated product or activity for which that person or entity has responsibility; and
B. The disclosure is made for the purpose of activities related to the quality, safety or effectiveness of the FDA-regulated product or activity. These purposes include:
1. Collecting or reporting adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;
2. Tracking FDA-regulated products;
3. Enabling product recalls, repairs, or replacement, or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or
4. Conducting post-marketing surveillance.
C. Hark may identify the party or parties responsible for an FDA-regulated product from the product label, from written material that accompanies the product, or from sources of labeling, such as the Physician’s Desk Reference.
V. Disclosures Regarding Communicable Diseases. To the extent permitted by the Business Associate Agreements, the Hark Workforce may, on behalf of a covered entity, disclose PHI to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.
PHI OF DECEASED PATIENTS
It is the policy of Hark to protect PHI generated during the life of an individual from disclosure for a period of fifty (50) years after the death of the individual, unless disclosure is on behalf of a covered entity for treatment, payment, or health care operations. To the extent permitted by the Business Associate Agreements, Hark may disclose such PHI as provided in this Policy and Procedure.
I. No Disclosure of PHI Except According to Request of Personal Representative. Hark generally will not release PHI regarding a deceased individual unless a valid personal representative has been established, and the individual has requested the PHI through the proper authorization process.
A. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, Hark shall recognize such person as a personal representative under this Policy and Procedure.
B. Absent an executor, administrator or other court-appointed representative for the deceased individual’s estate, Hark shall follow state law to determine who has authority to authorize the release of PHI. The Hark Workforce should consult with the Privacy Officer, who will consult with Hark’s legal advisors as necessary, in making this determination.
II. Exceptions to the General Rule of Non-Disclosure. There are three exceptions to the general rule of non-disclosure set forth in paragraph I. They are:
A. Coroners and Medical Examiners. Hark may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.
B. Funeral Directors. Hark may disclose PHI to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, Hark may disclose the PHI prior to, and in reasonable anticipation of, the individual’s death.
C. Organ Procurement. Hark may use or disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaver organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.
III. Disclosures after 50 Years. Hark may use or disclose information regarding an individual once the individual has been deceased for a time period of fifty (50) years.
USES AND DISCLOSURES REQUIRED BY LAW
Hark may use or disclose PHI to the extent such use or disclosure is required by law, if the use or disclosure complies with and is limited to the relevant requirements of such law.
I. Applicability of this Policy and Procedure. This Policy and Procedure is inapplicable to uses or disclosures covered by the following policies:
A. The Policy and Procedure titled “DISCLOSURES FOR LAW ENFORCEMENT WITHOUT SUBPOENA OR ORDER” shall apply to all “law enforcement” related disclosures. A disclosure is for “law enforcement” purposes when the information disclosed is intended to be, or likely will be, used against the individual patient who is the subject of the PHI.
B. The Policy and Procedure titled “COURT ORDERS, SUBPOENAS, OR OTHER LEGAL PROCESS” shall apply to all disclosures pursuant to a subpoena, court order, administrative request, or other legal process.
II. Specific Legal Provisions. Hark may be legally required to disclose PHI to certain state agencies, as well as to the HHS Office for Civil Rights. Any disclosure of PHI “required by law” is subject to the approval of the Privacy Officer.
III. Documentation of Disclosures. All disclosures “required by law” will be documented in the Disclosure Log as specified in the Policy and Procedure “TRACKING OF DISCLOSURES OF PHI”.
COURT ORDERS, SUBPOENAS OR OTHER LEGAL PROCESS
Hark shall release PHI in compliance with court orders, subpoenas and other legal process only as set forth in this Policy and Procedure, provided that Hark will follow any provision of the Business Associate Agreements entered into by Hark.
I. Notification of Privacy Officer. Any Hark Workforce member who receives a court order, subpoena, discovery request, or other legal document requesting Protected Health Information maintained by Hark shall immediately contact the Privacy Officer. Hark shall respond to such requests as set forth in this Policy and Procedure.
II. Court Orders And Similar Directives.
A. PHI requested in the below types of documents, regardless of whether they were issued for law enforcement or some other purpose, shall be released, subject to the approval of the Privacy Officer:
1. Court orders
2. Search warrants
3. Grand jury subpoenas
4. Subpoenas or summons issued by a judge or magistrate
5. Administrative orders issued during the course of an administrative proceeding
B. The information provided in response to these documents shall be limited to that required to comply with the order or directive in question.
III. Administrative Requests or Demands for Law Enforcement Purposes.
A. This paragraph III applies to administrative requests or demands such as administrative subpoenas/summons, civil investigative demands or similar process authorized by law that are not:
1. Administrative orders described in paragraph II.A.5. above; or
2. Requests for information by “health oversight agencies,” which shall be handled in accordance with the Policy and Procedure titled “DISCLOSURES FOR LAW ENFORCEMENT WITHOUT SUBPOENA OR ORDER”.
B. The PHI requested by the above documents may be disclosed only if Hark determines, based on the information contained in the administrative request or accompanying documentation, that:
1. The information sought is relevant and material to a legitimate law enforcement inquiry;
2. The request is reasonably specific and limited in scope in light of the purpose for which the Protected Health Information is sought; and
3. De-identified information could not reasonably be used.
C. The Limited Data Set/Minimum Necessary standard applies to disclosures made pursuant to this paragraph III. Only the minimum amount of information necessary to achieve the purpose of the request shall be disclosed.
IV. Subpoenas and Requests Not Accompanied by a Court or Administrative Order.
A. This paragraph IV applies to subpoenas, discovery requests, and other lawful process:
1. Issued in the course of a judicial or an administrative proceeding; and
2. Not accompanied by an order of a court or administrative tribunal.
B. The PHI requested by the above documents may be disclosed only if Hark satisfies one of the following conditions:
1. Hark receives satisfactory assurances from the party seeking a patient’s Protected Health Information that the patient has received notice of the request. “Satisfactory assurances” are a written statement from the party seeking the information stating that it has written to the patient and described the reason for seeking his or her Protected Health Information, and the patient either has not objected or his or her objections have been resolved.
2. Hark receives satisfactory assurances from the party requesting a patient’s Protected Health Information that the requesting party has sought a qualified protective order to prevent the information from being disclosed outside of the lawsuit or proceeding in question.
(a) “Satisfactory assurances” are a written statement from the party seeking the information and appropriate documentation that a request for a protective order has been presented to the court or administrative tribunal with jurisdiction over the dispute, or has been agreed to by the parties.
(b) The qualified protective order must: (i) prohibit the parties from using or disclosing the Protected Health Information for any purpose other than the litigation or proceeding for which the records have been requested, and (ii) require the return to Hark or the destruction of the Protected Health Information (including all copies) at the end of the litigation or proceeding.
3. Hark provides notice to the patient that his or her Protected Health Information has been requested and the patient does not object to the disclosure of such information or any objections are resolved.
4. Hark obtains a qualified protective order satisfying the requirements of paragraph IV.B.2.(b) above from the court or administrative tribunal with jurisdiction over the dispute.
DISCLOSURES FOR LAW ENFORCEMENT WITHOUT SUBPOENA OR ORDER
To the extent permitted by the Business Associate Agreements, Hark may disclose Protected Health Information for law enforcement purposes without patient authorization in the absence of a court order, subpoena or other legal process in the circumstances set forth below.
I. Applicability and Definitions.
A. Applicability. This Policy and Procedure applies only to disclosures for law enforcement purposes.
1. A law enforcement official is an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to:
(a) Investigate or conduct an official inquiry into a potential violation of law; or
(b) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
2. A “request by a law enforcement official” may be written or oral, and includes requests made on behalf of law enforcement officials. Media appeals for assistance, “wanted” posters, and other public announcements qualify as oral requests.
II. Child Abuse and Neglect Situations. As stated in the Policy and Procedure titled “PUBLIC HEALTH DISCLOSURES”, the Hark Workforce will disclose PHI to a Public Health Authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.
III. Adult Abuse and Neglect Situations.
A. Disclosure. Hark shall disclose Protected Health Information about an adult individual whom Hark believes is a victim of abuse, neglect or domestic violence to a government agency authorized by law to receive such disclosures, provided that one of the following conditions is satisfied:
1. The disclosure is required by law (in such cases, the disclosure shall be limited to the extent necessary to comply with the law in question);
2. The individual agrees to the disclosure;
3. The disclosure is permitted by law, and Hark believes the disclosure is necessary to prevent harm to someone; or
4. In situations in which the individual is unable to agree to the disclosure because of incapacity, the disclosure is permitted by law and a public official states that the disclosure is necessary for an immediate enforcement activity against someone other than the individual in question.
B. Victim Notification. Disclosures of Protected Health Information about adult victims of abuse, neglect or domestic violence must be reported promptly to the victim, unless Hark believes that such notification would pose a risk of harm to the victim.
IV. Health Oversight Activities. Hark may disclose Protected Health Information to “health oversight agencies.”
A. Health Oversight Agencies Defined.
1. Health oversight agencies are government agencies overseeing or investigating alleged violations involving the following:
(a) The health care system;
(b) Government benefit programs for which health information is necessary to determine eligibility;
(c) Government regulatory programs for which health information is necessary to determine compliance; or
(d) Civil rights laws for which health information is necessary to determine compliance.
2. The following agencies, to the extent they are performing the functions above, may be health oversight agencies:
(a) Federal Bureau of Investigation (“FBI”)
(b) HHS, Office of Inspector General (“OIG”)
(c) State licensure boards
3. An agency is not acting as a health oversight agency if it is investigating an individual and the investigation is not directly related to the receipt of health care or a claim for public benefits related to health. In such cases, any request for Protected Health Information must satisfy the criteria set forth in the Policy and Procedure titled “COURT ORDERS, SUBPOENAS OR OTHER LEGAL PROCESS”.
V. Identification of Suspects, Witnesses, and Missing Persons. Hark may disclose Protected Health Information in response to a law enforcement official’s request for such information to assist in identifying or locating a suspect, fugitive, material witness, or missing person.
A. Disclosures under this paragraph V may not be initiated by the Hark Workforce. Such disclosures are authorized by this Policy and Procedure only in response to a request by a law enforcement official.
B. Only Certain Information Disclosed. In making such disclosures, Hark may disclose only the following information:
1. Name and address;
2. Date and place of birth;
3. Social security number;
4. ABO blood type and Rh factor;
5. Type of injury;
6. Date and time of treatment and/or death; and/or
7. Distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos.
C. No DNA Information Disclosed. Hark shall not disclose Protected Health Information related to an individual’s DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.
VI. Victims of a Crime.
A. Hark may disclose Protected Health Information in response to a law enforcement official’s request for information about an individual who may be the victim of a crime:
1. If the individual agrees to the disclosure; or
2. If the individual is unable to agree to the disclosure because of incapacity, a law enforcement official states that disclosure is necessary for an immediate law enforcement action, the information will not be used against the individual, and Hark determines that disclosure is in the best interests of the individual.
B. Disclosures under this paragraph VI may not be initiated by the Hark Workforce. Such disclosures are authorized by this Policy and Procedure only in response to a request by a law enforcement official.
C. Agreement Defined.
1. An individual’s agreement to release Protected Health Information may be oral, and does not need to satisfy the requirements of an authorization.
2. If an individual is both a victim and a suspect (for example, an individual who was injured in a drug-related shooting), Hark shall treat the individual as a suspect, and release only the Protected Health Information set forth in paragraph V above.
D. This provision does not apply to victims of child abuse or adult victims of abuse, neglect, or domestic violence. These circumstances are subject to paragraphs II and III above.
VII. Suspicious Deaths. Hark may disclose Protected Health Information about an individual who has died to a law enforcement official for the purpose of alerting the law enforcement official about the death if Hark suspects that the death may have resulted from criminal conduct.
VIII. Crime on Premises. Hark may disclose Protected Health Information to a law enforcement official if Hark believes that it constitutes evidence of criminal conduct that occurred on its premises.
IX. Averting Serious Threats to Health or Safety. Hark may use or disclose Protected Health Information if it believes that such use or disclosure:
A. Is necessary to prevent a serious threat to a person or the public. In such cases, the use or disclosure shall be directed to a person able to prevent the threat, including the target of the threat; or
B. Is necessary for law enforcement authorities to apprehend an individual who either admitted participating in a violent crime or has escaped from a correctional institution or other lawful custody.
1. A statement made by an individual admitting participation in a violent crime cannot be the basis of a disclosure to law enforcement authorities if the statement was made while the individual was in a course of therapy or counseling, or was in the process of requesting such therapy or counseling.
2. A disclosure made based on a statement by an individual admitting participation in a violent crime shall be limited to the statement itself and the information set forth in this Policy and Procedure.
X. Disclosures Concerning Inmates. Hark may disclose Protected Health Information about an inmate to a correctional institution or to a law enforcement official having lawful custody of the inmate if the disclosure of such information is necessary for the health of the inmate, other inmates, correctional employees, and the security and good order of the correctional institution.
SPECIALIZED GOVERNMENT FUNCTIONS
If permitted by its Business Associate Agreements, Hark may use or disclose PHI without authorization for specialized government functions as set forth below.
I. Armed Services Personnel.
A. Hark may use and disclose the PHI of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published in the Federal Register notice of the following information:
1. Appropriate military command authorities; and
2. The purposes for which the PHI may be used or disclosed.
B. Hark may use and disclose the PHI of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the same guidelines that apply to U.S. Armed Forces.
II. Intelligence, Counter-Intelligence and National Security.
A. Hark may disclose PHI to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by law.
B. These disclosures are exempt from the accounting requirement.
III. Protection of the President or Other Officials.
A. Hark may disclose PHI to authorized federal officials for the protection of the President or other people entitled to protection under 18 U.S.C. § 3056 or foreign heads of state or other people entitled to protection under 22 U.S.C. § 2709(a)(3). These people include the Vice President, President-elect, Vice President-elect, former Presidents, distinguished foreign visitors to the United States, official representatives of the United States performing special missions abroad, major Presidential and Vice Presidential candidates, official representatives of a foreign government, and certain family members of the foregoing.
B. Hark may disclose PHI to authorized federal officials in conjunction with the investigation of threats against the President, President-elect, Vice President or certain other dignitaries.
IV. Safety of Inmates or Correctional Officers or Institutions. Hark may disclose PHI to a correctional institution or a law enforcement official with lawful custody of an inmate if necessary for the health and safety of such individual, other inmates, officers or other employees at the correctional institution, or persons responsible for such inmate’s transportation or otherwise for the administration and maintenance of the safety, security, and good order of the correctional institution.
Any marketing activities conducted by Hark on behalf of covered entities must comply with this Policy and Procedure, must be in accordance with the provisions of the business associate agreements entered by Hark and must be approved in advance by the Privacy Officer.
I. Marketing Defined.
A. Marketing is a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
B. Marketing includes an arrangement under which Hark discloses PHI to another entity so that the other entity can use the PHI to try to sell the other entity’s own product or service.
II. Communications Not Considered Marketing. The following activities are not included in the definition of marketing:
A. A communication made to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed to the individual, but only if any financial remuneration received by Hark in exchange for making the communication is reasonably related to Hark’s cost of making the communication.
B. A communication is not marketing if it describes a health-related product or service (or the terms of payment for such product or service) that is either provided by Hark or included in a plan of benefits of Hark, unless Hark receives financial remuneration in exchange for making the communication. This includes communications about (i) the entities participating in a health care provider network or health plan network, (ii) replacement of, or enhancements to, a health plan, and (iii) health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
Example: It is not marketing to advise an individual whether a certain provider is part of a network or whether payment will be provided for services rendered by that provider.
C. A communication is not marketing if it is made for purposes of treatment of an individual, unless Hark receives financial remuneration in exchange for making the communication. This includes communications about case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
Example: It is not marketing to use PHI as part of a discussion with an individual about the products and services of a health care provider, to further the treatment of the individual.
D. A communication is not marketing if it is for case management or care coordination, contacting of individuals with information about treatment alternatives and related functions to the extent these activities fall within the definition of treatment, unless Hark receives financial remuneration in exchange for making the communication.
III. Written Authorization Required for Use or Disclosure of PHI for Marketing.
A. Except as set forth in paragraph IV below, a patient’s written authorization shall be obtained prior to using or disclosing a patient’s PHI for marketing purposes.
B. The form of the authorization must satisfy all requirements of the Policy and Procedure titled “PATIENT AUTHORIZATION”, and in addition, if Hark is to be paid (directly or indirectly) for PHI to be used for marketing by a third party, the authorization from the patient must state that such payment is involved.
IV. Authorization Not Required. A patient’s authorization is not required if the marketing is in the form of:
A. Face-to-face communication between Hark, on behalf of a covered entity, and the patient; or
B. A promotional gift of nominal value provided by Hark.
Hark’s use and disclosure of PHI in research, if permitted by the Business Associate Agreements, must have the appropriate authorizations and safeguards in place. No member of the Hark Workforce may access electronic, paper, or any other form or medium of PHI for research purposes except in accordance with this Policy and Procedure and in accordance with applicable Business Associate Agreements.
I. Research Defined. Research is defined as a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
A. Generalizable knowledge is knowledge that can be applied to populations outside of the population served by the covered entity even if a research study uses only the PHI held within a covered entity.
B. The development of research repositories and databases for future research and the recruitment of patients for research studies are considered research for the purposes of the HIPAA Privacy Rule and this Policy and Procedure.
II. General Rule: Authorization Required. Unless the use or disclosure falls within an exception listed under paragraph III below, Hark shall obtain and/or be provided with an authorization for uses and disclosures of PHI for all research purposes.
III. Exceptions to the Authorization Requirement. Patient authorization is not needed to use or disclose PHI in the following instances:
A. The PHI requested is that of deceased patients and is for use in research, as long as certain written assurances are provided;
B. The PHI is requested preparatory to research, as long as certain written assurances are provided;
C. The researcher has been granted a full or partial waiver of the patient authorization requirement by an appropriate IRB or Privacy Board as stated below;
D. The PHI is de-identified (see the Policy and Procedure titled “DE-IDENTIFICATION AND LIMITED DATA SET”); or
E. The PHI requested is de-identified except for town, city, state, zip code, age and sex, and the researcher enters into an appropriate limited data set agreement.
IV. Prior Permission Required. All members of the Hark Workforce are required to obtain prior permission from the Privacy Officer for any and all research-related access to or use or disclosure of PHI.
A. Any member of the Hark Workforce wishing to use or disclose PHI for research purposes must contact the Privacy Officer, who, in consultation with the physician undertaking the research (the “Researcher”), shall determine which of the following procedures should be followed:
1. Use and Disclosure with Patient Written Authorization: The Researcher must obtain and provide to the Privacy Officer a signed patient authorization for release of PHI for research purposes that complies with the Policy and Procedure titled “PATIENT AUTHORIZATION” and the following criteria:
(a) The authorization must include a specific description of the extent to which PHI will be used or disclosed in the study.
(b) The expiration date or expiration event for use or disclosure of the PHI may be “none,” “end of research study,” or similar language for a research-related authorization.
(c) In cases where the use or disclosure is for research that includes treatment of individuals, the authorization must contain a description of the PHI that will not be used, unless the use or disclosure of this information is required by law.
(d) The provision of research-related treatment may be conditioned on receipt of a signed authorization for the use or disclosure of PHI for the research. (Note that this is not true for other authorizations. See Policy and Procedure titled “PATIENT AUTHORIZATION”.)
(e) The authorization may be combined with any other type of written permission for the same research study, such as the informed consent for participation in the research.
2. Use and Disclosure Process Options When Patient Authorization Is Not Obtained:
(a) For use and/or disclosure preparatory to research, the Researcher must provide written representation to the Privacy Officer prior to obtaining access to the PHI that: (i) the review is solely to prepare a research protocol or for similar purposes preparatory to research; (ii) no PHI is to be removed from Hark by the Researcher in the course of the review; and (iii) all requested PHI for which use or access is sought is necessary for the research preparation purposes.
(b) For use and disclosure of PHI of deceased patients for research, the Researcher must provide a written representation that: (i) the use or disclosure sought is solely for research purposes on the PHI of the deceased patients; and (ii) all requested PHI is necessary for the purpose of research. In addition, the Researcher must provide the Privacy Officer with documentation of the death of the individual(s) whose PHI is being sought.
3. Waiver of Authorization By IRB or Privacy Board: The Researcher must provide to the Privacy Officer documentation from an IRB, which has been established in accordance with applicable federal law, or a Privacy Board meeting the requirements set forth below, of an alteration to or waiver of the individual patient authorization normally required for such use or disclosure.
(a) The documentation must be signed by the chair or other member, as designated by the chair, of the IRB or the Privacy Board, as applicable and must include:
(i) the date on which the alteration or waiver of authorization was approved and a statement that the alteration or waiver satisfies waiver criteria as defined under federal law (including 45 C.F.R. § 164.512);
(ii) a statement that the use or disclosure involves no more than a minimal risk to the privacy of individuals, based upon the existence of an adequate plan to protect any identifiers from improper use or disclosure, an adequate plan to destroy any identifiers at the earliest opportunity consistent with the conduct of the research unless there is a health or research justification for retaining the identifiers or such retention is required by law, and adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law or for authorized oversight of the research study;
(iii) a brief description of the PHI for which use, access or disclosure has been determined to be necessary and a statement that the research could not practicably be conducted without the waiver or alteration, or without access to and use of the PHI; and
(iv) a statement that the alteration or waiver has been properly reviewed and approved under either normal or expedited procedures by the IRB, following the requirements of the Common Rule as specified in 45 C.F.R. § 164.512(i)(2)(iv)(A); or the Privacy Board, following the requirements of the HIPAA Privacy Rule at 45 C.F.R. § 164.512(i)(2)(iv)(B) and (C).
(b) A “Privacy Board” must have members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests; must include at least one member who is not affiliated with Hark, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with Hark or any entity conducting or sponsoring the research; and must not include any member who has a conflict of interest.
PATIENT AUTHORIZATION
Except in the circumstances listed by the HIPAA Privacy Rule and/or described in these Policies and Procedures, Hark will not use or disclose a patient’s Protected Health Information without first obtaining the patient’s written authorization.
I. Applicability. This Policy and Procedure applies to uses and/or disclosures of PHI not authorized by Hark’s other HIPAA Policies and Procedures.
II. Authorization Forms. When an authorization to release PHI is needed, members of the Hark Workforce shall use the authorization forms that have been developed by Hark. These authorization forms shall not be altered in any way.
A. Core elements. Authorizations shall be written in plain language and contain all of the following core elements:
1. Specific description of the information to be used or disclosed;
2. Person(s) or class of persons authorized to use or disclose the PHI;
3. Person(s) or class of persons authorized to receive the PHI;
4. Specific description of each purpose of the requested use or disclosure, unless the patient is initiating the authorization, in which case the patient may decline to offer a purpose and the purpose may be described as “at the request of the individual”;
5. Specific expiration date, or alternatively, a specific expiration event that relates to the patient or the purpose of the use or disclosure;
6. Signature of the patient or personal representative; and
7. If signed by a personal representative of the patient, a description of the representative’s authority to act for the patient.
B. Required notifications. In addition to the core elements, authorizations must contain all of the following notifications:
1. Statement of the patient’s right to revoke the authorization in writing;
2. A description of the exceptions to the right to revoke, plus a description of how to revoke;
3. Either a statement that Hark may not condition treatment, payment, enrollment or eligibility for benefits on the signing of the authorization; or a statement of the consequences of a refusal to sign the authorization when Hark can condition treatment or eligibility for benefits on the signing of the authorization;
4. A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by the HIPAA Privacy Rule;
5. If Hark is obtaining an authorization to use or disclose protected health information for marketing and the marketing involves financial remuneration, a statement that such remuneration is involved; and
6. If Hark is obtaining an authorization in relation to the sale of an individual’s protected health information, a statement that the disclosure will result in remuneration to Hark.
C. Non-required elements. Valid authorizations may also contain non-required elements, so long as those additional elements are not inconsistent with the required elements.
D. Defective authorizations. An authorization is not valid if it has any of the following defects:
1. The expiration date has passed or the expiration event is known by Hark to have occurred.
2. The required elements of the authorization have not been filled out completely.
3. The authorization is known by Hark to have been revoked.
4. The authorization lacks a required element.
5. The authorization violates the rule on compound authorizations, as set forth in paragraph III below.
6. Any material information in the authorization is known by Hark to be false.
III. Compound Authorizations. With regard to compound authorizations (i.e., forms that authorize more than one use or disclosure of PHI), authorization forms that authorize the use or disclosure of psychotherapy notes may be combined only with authorizations for other uses and disclosures of psychotherapy notes.
IV. Revocation of Authorization.
A. A patient or personal representative may revoke an authorization at any time, but the revocation must be in writing.
B. Revocations become effective when received; however, if Hark has already taken action in reliance on an authorization, the revocation is not effective with respect to those actions.
A. If any party seeks the disclosure of a patient’s Protected Health Information for any purpose for which an authorization is required, a member of the Hark Workforce shall provide the requesting party with a Hark Authorization Form to be completed by the patient or personal representative.
B. Upon receipt of the completed form, an authorized member of the Hark Workforce shall review the form and make the disclosure, if appropriate. A copy of the completed form will be provided to the patient. If the form is not complete, the clerk shall contact the patient to notify him or her that additional information is needed. The clerk shall file the authorization form in the patient’s medical record.
Hark shall take reasonable measures to prevent incidental disclosures of PHI; however, incidental disclosures described below do not violate these HIPAA Policies and Procedures.
I. Incidental Disclosures Defined. Incidental disclosures are disclosures of Protected Health Information that occur as a by-product of a permissible use or disclosure, are limited in nature, and cannot be prevented through the use of reasonable measures.
II. Permitted Incidental Disclosures. Incidental disclosures do not violate these HIPAA Policies and Procedures as long as:
A. Reasonable measures were taken to prevent the incidental disclosure; and
B. The disclosure resulted from a use or disclosure that is otherwise permissible under these HIPAA Policies and Procedures.
III. Prevention of Incidental Disclosures. The following measures (as well as the safeguards listed in the Policy and Procedure titled “CONFIDENTIALITY SAFEGUARDS”) shall be followed in order to prevent incidental disclosures:
A. Compliance with the Policies and Procedures for transmitting PHI via facsimile, telephone and e-mail.
B. When discussing Protected Health Information in any non-private area (e.g., a waiting room, reception area, hall, etc.), all conversations should be kept as low as reasonably possible. Private areas should be used for such discussions whenever reasonably possible. If Protected Health Information will be communicated via sign language, reasonable efforts should be made to move the discussion out of plain view of passersby.
C. Password protected screen savers should be set to appear on the monitors of the Hark Workforce if the monitor is unused for fifteen (15) minutes.
D. Any patient list and/or record that includes Protected Health Information, which is designed for display, whether on paper or on a white-board, shall include only the minimum necessary patient identifying information and shall not contain diagnosis or treatment-related information.
BUSINESS ASSOCIATES
Hark will enter into approved business associate agreements with each covered entity (the “Business Associate Agreements”), as provided below. Likewise, in the event Hark enters into an arrangement with any person or entity to which Hark delegates any function, activity, or service, other than in the capacity of a member of Hark’s Workforce (a “subcontractor”), Hark will share PHI with such subcontractor pursuant to an approved business associate agreement as provided below.
I. Business Associate Defined.
A. There are two types of business associates.
1. A business associate is a person or entity that performs or assists in the performance of functions or activities involving the use or disclosure of PHI on behalf of a covered entity. If the answer to both of the following questions is “yes,” then the person is a business associate under this provision:
(a) Does the person perform, or assist in the performance of, an activity that involves the use or disclosure of individually identifiable health information?
(b) Does the person perform the functions or activities as covered entity’s representative, for covered entity’s benefit, and/or in covered entity’s interest and at its request?
2. A business associate is a person or entity that provides certain specified services to a covered entity where the provision of services involves the disclosure of PHI. If the answer to both of the following questions is “yes,” then the person is a business associate under this provision:
(a) Does the person perform one of the following services for the covered entity: (i) legal; (ii) actuarial; (iii) accounting; (iv) consulting; (v) data aggregation; (vi) management; (vii) administrative; (viii) accreditation; or (ix) financial?
(b) Does Hark, or one of its other business associates, disclose individually identifiable health information to that person?
B. A Health Information Exchange Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to Hark and that requires access on a routine basis is a business associate.
C. A subcontractor that creates, receives, maintains or transmits PHI on behalf of a business associate of Hark or on behalf of Hark is considered a business associate.
D. A person that offers a personal health record to one or more individuals on behalf of Hark is a business associate.
E. The following persons are not considered business associates:
1. Members of the Hark Workforce;
2. Health care providers to whom Hark discloses PHI for the purpose of providing treatment to the patient.
II. Procedures. All members of the Hark Workforce must strictly observe the following standards relating to business associates:
A. No PHI shall be disclosed to a business associate until a business associate agreement is entered.
B. The business associate agreement shall be in the format provided by the Privacy Officer.
C. The business associate agreement shall establish the permitted and required uses and disclosures of PHI by the business associate. The business associate agreement may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of the HIPAA Privacy Rule, if done by Hark or the covered entity, except that the covered entity (or Hark if Hark has permission under the business associate agreement with the covered entity) may permit the business associate to use and disclose PHI for the proper management and administration of the business associate under certain conditions.
D. The business associate agreement shall allow termination in the event that the business associate breaches a material term, and it shall state that the business associate will:
1. Not use or further disclose the information other than as permitted or required by the contract or as required by law;
2. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
3. Where applicable, comply with the Security Rule with respect to electronic PHI to prevent use or disclosure of the information other than as provided for by its contract;
4. Report to Hark (or the Covered Entity if Hark is the business associate) (i) any use or disclosure of the information not provided for by its contract of which it becomes aware; (ii) any Security Incident (as defined in the HIPAA Security Rule) of which it becomes aware, in accordance with Part II of these HIPAA Policies and Procedures; and (iii) any breach of Unsecured PHI of which it becomes aware, in accordance with the Policy and Procedure titled “BREACH POLICY”;
5. Ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of Hark, agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
6. Make PHI available to patients;
7. Make available PHI for amendment and incorporate any amendments to PHI;
8. Make available the information required to provide an accounting of disclosures in accordance with the Policy and Procedure titled “ACCOUNTING OF DISCLOSURES OF PHI”;
9. Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created by or on behalf of Hark, available to HHS for purposes of determining Hark’s compliance;
10. Ensure that Hark complies with the requirements of the HIPAA Privacy Rule in the performance of an obligation of covered entity under the HIPAA Privacy Rule, and to the extent the business associate is to carry out an obligation of Hark under the HIPAA Privacy Rule, ensure that the business associate complies with the requirements of the HIPAA Privacy Rule in the performance of such obligation; and
11. At termination of the contract, if feasible, return or destroy all PHI received from, or created by or on behalf of, Hark that the business associate still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
E. Business associate agreements, where required, shall be promptly amended to comply with any additional or modified legal requirements.
III. Remedying Business Associate Violations. Hark is not liable for privacy violations of its business associates and is not required to actively monitor or oversee the means by which its business associates carry out safeguards, or the extent to which the business associates abide by the requirements of the contract. However, Hark will act if it becomes aware of a practice or pattern that constitutes a material breach of this Policy and Procedure.
A. In the event Hark becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate’s obligations under its contract, Hark shall take reasonable steps to cure the breach or to end the violation, as applicable.
B. In the event that the business associate cannot or will not remedy the practice or pattern, Hark must terminate the contract if feasible. Where termination is not feasible, members of the Hark Workforce shall contact the Privacy Officer.
DE-IDENTIFICATION OF PHI AND LIMITED DATA SETS
To the extent permitted or required by the Business Associate Agreements, Hark may use or disclose de-identified health information or a limited data set that satisfies the requirements of this Policy and Procedure.
I. De-identified Information.
A. De-identified Information Defined. Health information is considered de-identified (i.e., not individually identifiable) under the HIPAA Privacy Rule if it does not identify a patient and Hark has no reasonable basis to believe it can be used to identify a patient.
B. HIPAA Privacy Rule Inapplicable. De-identified information is not PHI and therefore the requirements of the HIPAA Privacy Rule do not apply to such information.
C. De-identifying information. Hark may de-identify information in two ways:
1. If a person with appropriate knowledge and experience applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable makes a determination, and documents the analysis, that the risk is very small that the information could be used, either by itself or in combination with other available information, by anticipated recipients to identify a subject of the information; or
2. If Hark removes a list of specified identifying information about the individual or his or her relatives, employers, or household members, and Hark has no actual knowledge that the information could be used alone or in combination to identify a subject of the information. The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed to de-identify the patient:
(b) All geographic subdivisions smaller than a State, including street address, city, county, precinct, and zip code;
(c) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and/or date of death;
(d) Telephone and/or facsimile numbers and electronic mail addresses;
(e) Social Security Numbers, medical record numbers, health plan beneficiary numbers, account numbers and certificate/license numbers;
(f) Vehicle identifiers and serial numbers, including license plate numbers;
(g) Device identifiers and serial numbers;
(h) Web Universal Resource Locators (URLs) and Internet Protocol (IP) address numbers;
(i) Biometric identifiers, including finger and voice prints;
(j) Full face photographic images and any comparable images; and
(k) Any other unique identifying number, characteristic, or code, except that a code may be assigned to allow the information to be re-identified as long as the code does not come from individual specific information and the code is not disclosed.
D. Use of PHI to create de-identified information. Hark may use PHI to create de-identified information, or may disclose PHI to a business associate for such purpose, whether or not the de-identified information will be used by Hark.
E. Re-identification Subjects the Information to HIPAA Privacy Rule. If de-identified information is re-identified at some point by Hark, it becomes subject to the HIPAA Privacy Rule again and may only be used or disclosed in compliance with the HIPAA Privacy Rule and Hark’s HIPAA Policies and Procedures.
II. Limited Data Sets.
A. Limited Data Set Defined. A limited data set is a subset of PHI that excludes the direct identifiers listed below for the individual patient and his or her relatives, employers, or household members:
2. Postal address information, other than town or city, state, and zip code;
3. Telephone and facsimile numbers and electronic mail addresses;
4. Social Security Numbers, medical record numbers, health plan beneficiary numbers, account numbers and certificate/license numbers;
5. Vehicle identifiers and serial numbers, including license plate numbers;
6. Device identifiers and serial numbers;
7. Web Universal Resource Locators (URLs) and Internet Protocol (IP) address numbers;
8. Biometric identifiers, including finger and voice prints; and
9. Full face photographic images and any comparable images.
B. Use of PHI to Create Limited Data Set: Hark may use PHI to create a limited data set or disclose PHI to a business associate in order to create a limited data set.
C. Permitted Purposes for Disclosure of Limited Data Set: Hark may use or disclose a limited data set only for the purposes of research, public health, or health care operations.
D. Data Use Agreement: Hark may use or disclose a limited data set only if there is a data use agreement that:
1. Establishes the permitted uses and disclosures of the limited data set, consistent with the listed Permitted Purposes above;
2. Identifies those who are permitted to use or receive the limited data set;
3. Prohibits the recipient from using or further disclosing the information other than as permitted by the data use agreement or required by law;
4. Requires the use of appropriate safeguards to prevent unauthorized or improper use or disclosure of the information;
5. Requires the recipient to report any unauthorized or improper use or disclosure of the information;
6. Requires that any agents or subcontractors to whom it provides the limited data set agree to the same restrictions and conditions with respect to such information; and
7. Prohibits re-identification of the information and contact with the individuals.
E. Violations by Limited Data Set Recipients: If Hark knows of a pattern of activity or practice of the limited data set recipient that constitutes a material breach or violation of the data use agreement, Hark shall take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, discontinue disclosure of Protected Health Information to the recipient and report the problem to the Secretary of HHS.
III. Exemption from Accounting Requirements. Disclosures of de-identified PHI and limited data sets are exempt from the Policy and Procedure titled “ACCOUNTING OF DISCLOSURES”.
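The Safe Harbor removal list in paragraph I.C.2 and the limited data set definition in paragraph II.A describe two different cuts of the same record. The following Python is an added example, not part of the Hark policy text: it applies both cuts to a constructed sample record, issues the re-identification code allowed by item (k) from a random source rather than from any patient value, and adds a release gate that refuses output in which an excluded identifier has crept back in. Field names such as `ssn`, `mrn` and `zip` are assumed for illustration, and names are treated as an identifier even though the page’s copy of the list starts at (b).

```python
"""Safe Harbor de-identification and limited data set (LDS) derivation.

Added example; not part of the Hark policy text. Record field names below
(e.g. "ssn", "mrn", "zip") are assumed for illustration.
"""
import secrets
from datetime import date
from typing import Optional

# Identifiers that policy items (b)-(k) say must be removed outright.
SAFE_HARBOR_DROP = frozenset({
    "name",                                              # assumed: names head the Safe Harbor list
    "street", "city", "county", "precinct", "zip",       # (b) geography smaller than a State
    "phone", "fax", "email",                             # (d)
    "ssn", "mrn", "health_plan_id", "account_no", "license_no",  # (e)
    "vehicle_id", "license_plate",                       # (f)
    "device_id",                                         # (g)
    "url", "ip",                                         # (h)
    "fingerprint", "voiceprint",                         # (i)
    "photo",                                             # (j)
})
# (c): of a date directly related to the individual, only the year may remain.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "death_date"})
# Fields that may pass through unchanged. Anything not listed here or in
# DATE_FIELDS is dropped: an unanticipated field is more likely to be an
# identifier than clinical data, so the default is deny.
CLINICAL_FIELDS = frozenset({"state", "sex", "diagnosis", "procedure", "lab_result"})

# Limited data set (policy II.A items 2-9): direct identifiers go, but town or
# city, state and zip code stay and dates stay whole. County and precinct are
# treated conservatively as postal address information and removed.
LDS_DROP = SAFE_HARBOR_DROP - {"city", "zip"}
LDS_KEEP = CLINICAL_FIELDS | DATE_FIELDS | {"city", "zip"}


def new_reid_code() -> str:
    """Re-identification code permitted by item (k): random, so it is not
    derived from any individual-specific value (never a hash of the MRN or
    SSN), and kept in a mapping that is never disclosed with the data."""
    return secrets.token_hex(8)


def deidentify(record: dict, reid_map: Optional[dict] = None) -> dict:
    """Return a Safe Harbor de-identified copy of ``record``.

    If ``reid_map`` is supplied, a fresh random code is recorded there
    (code -> original MRN) and placed in the output; the mapping itself must
    stay with Hark and never travel with the de-identified data.
    """
    out = {}
    for key, value in record.items():
        if key in SAFE_HARBOR_DROP:
            continue
        if key in DATE_FIELDS:
            if value is not None:          # keep the year only, per item (c)
                out[key + "_year"] = value.year
            continue
        if key in CLINICAL_FIELDS:
            out[key] = value
    if reid_map is not None:
        code = new_reid_code()
        reid_map[code] = record.get("mrn")
        out["reid_code"] = code
    return out


def limited_data_set(record: dict) -> dict:
    """Return a limited data set copy of ``record`` (usable only under a data
    use agreement meeting policy II.D): direct identifiers removed, city,
    state, zip and full dates retained."""
    return {k: v for k, v in record.items() if k in LDS_KEEP and k not in LDS_DROP}


def check_release(data: dict, kind: str) -> bool:
    """Gate to run immediately before disclosure. Returns True only if no
    excluded identifier is present and, for de-identified data, no full date
    survived (e.g. after a later merge re-attached one)."""
    banned = SAFE_HARBOR_DROP if kind == "deidentified" else LDS_DROP
    if banned & data.keys():
        return False
    if kind == "deidentified" and DATE_FIELDS & data.keys():
        return False
    return True


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "street": "1 Main St", "city": "Springfield",
    "county": "Greene", "state": "OH", "zip": "45501",
    "phone": "555-0100", "email": "jane@example.org",
    "ssn": "000-00-0000", "mrn": "MRN-12345",
    "dob": date(1980, 3, 14), "admit_date": date(2023, 6, 2),
    "discharge_date": date(2023, 6, 5), "death_date": None,
    "ip": "192.0.2.10", "photo": b"<jpeg bytes>", "sex": "F", "diagnosis": "J18.9",
}

if __name__ == "__main__":
    key_map = {}                       # stays with Hark, never released
    print(deidentify(SAMPLE, key_map))
    print(limited_data_set(SAMPLE))
```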
VERIFICATION OF IDENTITY
With the exception of disclosures made pursuant to valid authorizations, prior to disclosing PHI, members of the Hark Workforce must obtain appropriate identification and, if the person is not the patient, evidence of authority.
I. Appropriate Identification.
A. Examples of appropriate identification include, without limitation, a photographic identification card, a government identification card or badge, or an appropriate document on government letterhead.
B. The Hark Workforce may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of PHI is to a public official or a person acting on behalf of the public official:
1. If the request is made in person, pursuant to presentation of an agency identification badge, other official credentials, or other proof of government status.
2. If the request is in writing, the request is on the appropriate government letterhead.
3. If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government’s authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.
II. Appropriate Proof of Authority.
A. Examples of appropriate proof of authority include, without limitation and as reasonable for the situation: identification as parent, guardian, or executor; a power of attorney or other evidence of an appropriate relationship with the individual; a warrant, subpoena, order or other legal process issued by a grand jury, a court or an administrative tribunal; or a written statement of legal authority.
B. The Hark Workforce may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of Protected Health Information is to a public official or a person acting on behalf of the public official:
1. A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority.
2. If a request is made pursuant to legal process, a warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal.
III. Prior Knowledge of Identity. Verification of identity may take the form of prior knowledge of: (i) a known place of business; (ii) a known address; (iii) a known phone or fax number; or (iv) a known human being.
IV. Disclosures to HHS. When Protected Health Information is requested by the Secretary of HHS for compliance purposes, the covered entity must verify the same information that is required for any other law enforcement or oversight request for disclosure.
V. Documentation of Verification. The Hark Workforce should document the information relied upon, including any oral representation, and maintain the documentation in the patient record and on the Disclosure Log, if applicable. If there is a doubt or question about whether sufficient verification has been obtained, the Hark Workforce should consult the Privacy Officer before making any disclosure.
VI. When Verification Is Not Required. If there is an imminent threat to safety, it is lawful to disclose Protected Health Information to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, provided the disclosure is made to a person reasonably able to prevent or lessen the threat. If these conditions are met, no further verification is needed. In such emergencies, the covered entity is not required to demand written proof that the person requesting the Protected Health Information is legally authorized. Reasonable reliance on verbal representations is appropriate.
TRACKING DISCLOSURES OF PHI
Hark shall track disclosures of PHI in order to provide a patient with an accounting of disclosures for the six (6) years prior to the date of their request. In addition, as of the date required by the HITECH Act, in the event Hark makes disclosures of PHI, on behalf of a covered entity, through an electronic health record for TPO purposes, Hark shall track such disclosures in order to provide a patient with an accounting of such disclosures for the three (3) years prior to the date of his or her request. To accommodate this requirement, the following tracking mechanism and reporting process will be followed.
I. Disclosure Log.
A. Except as provided in paragraph II below, all disclosures of PHI will be noted in the Disclosure Log contained in each patient’s medical record.
B. Any Hark Workforce member who makes a disclosure (other than a disclosure listed under “Exceptions” below) of the Protected Health Information maintained about a patient in a medical or billing record shall record the following information regarding that disclosure in the Disclosure Log in the medical record:
1. The date of the disclosure;
2. The name of the entity or person who received the disclosure, and, if known, that entity or person’s address;
3. A brief description of the information disclosed (e.g., Discharge Summary);
4. A brief statement of the purpose of the disclosure that would reasonably inform a reader of the basis for the disclosure; and
5. Any other information required as a result of regulations adopted under the HITECH Act.
II. Exceptions. The following disclosures of PHI are excluded from the tracking requirement:
A. Disclosures made for TPO purposes, unless the disclosure was made through an electronic health record on or after the date Hark is required to begin tracking such a disclosure made through an electronic health record;
B. Disclosures made to the individual;
C. Disclosures made to persons involved in the individual’s care;
D. Disclosures made for national security or intelligence purposes;
E. Disclosures to correctional institutions or law enforcement officials.
III. Oral Disclosures Included. Disclosures are not limited to hard-copy information; they include any manner of divulging information, including verbal release.
CONFIDENTIALITY SAFEGUARDS
In compliance with the HIPAA Privacy Rule, the Hark Workforce shall implement reasonable safeguards to ensure the confidentiality of PHI and to safeguard PHI and Hark systems and data.
I. Protection of Information on Computers.
A. Hark shall comply with the HIPAA Security Rule and Hark’s Security Policies to ensure that Hark’s electronic PHI is stored securely.
B. All Hark Workforce members shall comply with the HIPAA Policies and Procedures relating to security, including without limitation the Security Policy and Procedure titled “SYSTEM ACCESS POLICY” in order to protect PHI on computers.
II. Protection of Paper Records.
A. Confidential trash bins shall be used when disposing of any documents containing PHI and such documents shall be shredded prior to disposal.
B. Electronic documents containing protected health information shall not be printed.
C. Documents containing patient information shall be kept face down or covered and shall not be left where passersby can see their contents.
D. Physical access to fax machines and printers shall be limited to authorized Hark Workforce members.
E. Confidential information shall not be left on an unattended printer, photocopier or fax machine, unless these devices are in a secure area.
III. Protection from Oral Disclosure.
A. To the extent possible, phone conversations shall be held in areas where confidential information cannot be overheard. When speaking on the telephone, the Hark Workforce shall avoid excessive use of the patient’s name.
B. The Hark Workforce shall not make calls to patients, engage in face-to-face discussions with patients or discuss patient matters in areas where such conversations can be overheard by other Workforce members or visitors to the office.
C. The Hark Workforce will not discuss patient information with anyone in a social conversation.
D. The Hark Workforce will not reveal to a third party (including a spouse, employer, friend or stranger) that a patient is, has been, or will be treated by a covered entity or client of Hark unless such disclosure is authorized by another Policy and Procedure.
E. The volume on answering machines shall be turned down so that messages being left cannot be overheard by other staff or visitors.
IV. Overall Safeguards.
A. Confidential information shall remain in the medical record. Medical records may be removed from Hark only by the covered entity that owns the medical record. Other confidential information should not be copied or removed in any form from the medical records storage areas without appropriate approval.
B. Visitors must be appropriately escorted at all times to ensure they do not access staff areas, and must never be permitted in areas that may contain confidential information.
C. Release of confidential information shall be done by staff specifically authorized to do so.
D. When a Hark Workforce member with access to protected health information is terminated, all future access of such member to PHI shall be denied, the terminated member shall immediately return all keys, access cards and documents containing protected health information, and passwords shall be changed immediately to prevent unauthorized access via Hark’s computer systems.
TRANSMISSION OF PHI VIA ELECTRONIC MAIL
The Hark Workforce shall follow appropriate standards for secure and effective use of Hark’s electronic mail system.
I. Applicability. This Policy and Procedure applies to all usage of email systems where electronic Protected Health Information of patients is or may be transmitted. It applies to all users including, but not limited to, the Hark Workforce and subcontractors of Hark.
II. User Responsibilities.
A. Generally, email users should restrict their use of email to proper business and should transmit PHI using email only when necessary.
B. Email users have an obligation to use email appropriately and must be aware that electronic communications may be forwarded, intercepted, printed and stored by others.
C. Email communications sent outside of Hark’s network must be encrypted as set forth in Hark’s HIPAA Security Policies and Procedures, specifically the Policies and Procedures titled “SYSTEM ACCESS POLICY,” “DATA INTEGRITY POLICY” and “MEDIA DISPOSAL POLICY”. Email sent within Hark’s network may be unencrypted, provided users utilize discretion and confidentiality protections equal to or exceeding that which is applied to written documents.
D. When using email, the Hark Workforce must limit the information transmitted to the minimum necessary to meet the requester’s needs and use de-identified PHI whenever applicable.
E. All external disclosures of PHI through email must be in compliance with all other Policies and Procedures, including, without limitation, those titled “PATIENT AUTHORIZATION” and “ACCOUNTING OF DISCLOSURES OF PHI”.
F. Use of electronic mail is to be in compliance with all applicable state and federal statutes and Hark policies and procedures.
G. Prohibited usage of electronic mail system includes, but is not limited to:
1. Transmission of information to individuals inside or outside Hark who do not have a legitimate business need for the information.
2. Transmission of highly confidential or sensitive information, such as HIV status, mental illness or chemical dependency.
3. Auto forwarding of email.
This list is not considered all-inclusive. Further questions regarding appropriate use of electronic mail should be directed to the Privacy Officer.
III. Safeguards. Hark workforce must utilize discretion and confidentiality protections equal to or exceeding that which is applied to written documents. When email is used for communication of confidential or sensitive information, specific measures must be taken to safeguard the confidentiality of the information. These safeguards are as follows:
A. The Hark Workforce must comply with applicable provisions of Hark’s HIPAA Security Policies and Procedures, specifically the Policies and Procedures titled “SYSTEM ACCESS POLICY,” “DATA INTEGRITY POLICY” and “MEDIA DISPOSAL POLICY”.
B. A notation referring to the confidential or sensitive nature of the information should be made in the subject line.
C. Confidential or sensitive information is to be distributed only to those with a legitimate need to know.
D. Use of unsecured wireless email communication is prohibited when sending ePHI.
E. Email senders of PHI should routinely check and re-check email addresses of recipients before transmission.
F. If the sender becomes aware that an email was misdirected, the sender shall contact the recipient and ask that the material be returned or destroyed.
G. Each outgoing e-mail message should contain a confidentiality statement substantially similar to the following:
“IMPORTANT WARNING: This message is intended for the use of the person or entity to which it is addressed and may contain information that is confidential or privileged, the disclosure of which is governed by applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this information is strictly prohibited. If you have received this message by error, please notify us immediately by replying to this email and delete and destroy the related message.”
TRANSMISSION OF PHI VIA FACSIMILE
The Hark Workforce shall follow appropriate standards for secure and effective facsimile transmission of PHI.
I. Use Facsimile to Transmit PHI Only When Other Means of Communication Infeasible. PHI shall be transmitted by facsimile only when other means of transmission are not feasible. Minor inconvenience shall not constitute infeasibility. As the need arises, the Privacy Officer shall offer guidance on this issue.
II. Sensitive Protected Health Information Not to be Communicated via Facsimile. Sensitive Protected Health Information shall not be faxed except in circumstances constituting a medical emergency. Sensitive Protected Health Information includes, but is not necessarily limited to, information concerning mental health, gender identity, drug or alcohol dependence, sexually transmitted diseases, plagues, and HIV. In situations where Sensitive Protected Health Information is going to be transmitted via fax, the prior approval of the Privacy Officer shall be obtained, if possible. In any event, the Privacy Officer shall be provided written notice that sensitive Protected Health Information has been received or transmitted via fax within twenty-four (24) hours of any such transmission. It shall be the responsibility of the individual who sends any such fax to ensure that appropriate notice is provided to the Privacy Officer. That individual shall also be responsible for documenting receipt of fax verification in the patient record and placing a follow-up telephone call to the fax recipient to ensure that the fax was properly routed.
III. Location and Monitoring of Fax Machines and Messages.
A. Fax machines used for transmission and receipt of PHI shall be located in low traffic areas that are less accessible to persons who are not permitted to access Protected Health Information.
B. Fax machines used for sending or receiving PHI shall be checked by a designated Hark Workforce member at least once every hour or more frequently if fax volume is high.
1. The Hark Workforce member shall sort the fax messages so that individual Hark Workforce members do not need to search through the entire contents of the in-box to find their own messages.
2. Facsimile messages containing PHI will be kept secure in a locked area to prevent unauthorized access.
3. When a fax machine used for transmission and receipt of PHI will be unsupervised during an extended period of time (e.g., at night), it shall be turned off (or the print mode should be turned off) so that papers containing Protected Health Information do not accumulate in the fax tray.
IV. Fax Coversheets. A standard fax cover sheet will be developed by the Privacy Officer and shall be maintained on hand near the designated fax machines. It shall be used for every transmission that includes Protected Health Information and shall be filled in completely prior to a transmission.
V. Faxing Procedures. Except in emergency situations, the following faxing procedures shall be followed:
A. The sender of a fax containing Protected Health Information shall confirm the recipient’s proper fax number.
B. If Protected Health Information is frequently faxed to a person or organization, that recipient’s fax number shall be programmed into the designated fax machine to prevent typographical errors.
C. The confirmation fax shall be stapled or otherwise attached to the document that was faxed and included in the medical record.
D. The disclosure via fax shall be documented as a disclosure, in the same manner as all other Protected Health Information, for the purposes of accounting of disclosures to the patient. The fax transmission shall be documented in the patient’s medical record.
E. Upon learning that a fax containing Protected Health Information has been misrouted, the sender of the fax shall contact the unintended recipient and request either the return or destruction of the document. Steps shall be taken to remedy the problem that caused the misdirection. The sender shall provide written notice to the Privacy Officer that a misrouting has occurred. Each of these steps shall be documented in writing by the sender of the fax.
F. Faxes that contain Protected Health Information and are received by Hark Workforce members or other individuals allowed to access Protected Health Information shall be shredded once the recipient is finished using them for their intended purpose. This requirement does not apply when the transmitted information is to be maintained in the patient’s medical record or another appropriate, secure area.
TRANSMISSION OF PHI VIA TELEPHONE
The Hark Workforce shall follow appropriate standards for secure and effective transmission of PHI by telephone.
I. Release of PHI by Telephone. Protected Health Information may be released over the telephone in the same manner that it may be released in person, in accordance with these HIPAA Policies and Procedures.
II. Placement of Telephones. Telephones that will be used to receive, transmit, and discuss Protected Health Information shall be located away from main thoroughfares and gathering areas, when possible. As the functioning of Hark’s operations permits, telephones shall be located in areas where Protected Health Information can be discussed without being overheard by persons not designated to receive that information.
III. Voicemail Services. Hark’s voicemail system will be password protected to prevent unauthorized access to voicemail messages containing Protected Health Information. Any breach of this security feature shall be immediately reported to the Privacy Officer.
IV. Access to Telephones. Unauthorized individuals shall not be granted access to telephones that are utilized for the purpose of receiving patient calls.
V. Telephone Directories.
A. Patient or personal representative contact telephone numbers shall not be programmed into phones.
B. Written and electronic directories of patient-contact information will be restricted to authorized individuals only. Hark Workforce members or any other individual authorized to access patient-contact directories shall not share the information in the directory, in whole or part, with any unauthorized individual.
C. Electronic directories of patient information shall not remain displayed on a computer screen while not in use.
D. Written directories shall not be left open, in plain sight of unauthorized individuals, while not in use.
VI. Conducting Calls.
A. Maintain Privacy. Calls shall be conducted in a manner that preserves patient privacy to the greatest extent possible. Doors, windows, and other partitions should be shut when possible.
B. Verify Identity.
1. The individual handling a call that concerns Protected Health Information shall make efforts to ensure the identity of the caller prior to transmitting Protected Health Information.
2. To help ensure the confidentiality of Protected Health Information, each incoming caller purporting to be the patient or the patient’s representative shall be asked to state the patient’s birth date, social security number, dates of service, etc., prior to releasing Protected Health Information to the caller.
The Hark Workforce shall follow appropriate standards for secure and effective remote access to Hark’s computer systems containing PHI.
I. Prior Approval Required. Hark Workforce members, contractors and business associates that require electronic access to Hark’s records and other information from remote locations must obtain prior approval from the Privacy Officer and the Security Officer.
II. Staff Access.
A. Remote access is granted to authorized Hark Workforce members.
B. All remote access requests must be reviewed and approved by the Security Officer, in accordance with the HIPAA Security Policies, specifically the “EMPLOYEES POLICY”.
C. Remote access to ePHI will be limited to read-only or inquiry-only access. Exceptions to this policy must be approved in writing by the Security Officer and the Privacy Officer.
D. The Security Officer will maintain a list of all remote access users.
III. Requirements. As further set forth in the “SYSTEM ACCESS POLICY” and the “EMPLOYEES POLICY”, remote access connections must meet the following requirements:
A. Remote access systems which utilize dial-up modems must be expressly configured to provide secure network access. Access to Hark’s internal network from outside shall be controlled by access controls, including a unique User ID and password.
B. Remote access is only allowed from Hark-approved computer systems. These systems must meet the same guidelines as Hark systems, including antivirus protection, secure storage, and physical security.
C. Remote systems must utilize a firewall or other packet filtering technology on their Internet connections.
D. Unless approved in writing by the Security Officer and Privacy Officer, data will not be transferred to the remote system.
E. Remote access connections will be logged, monitored, and audited at least annually to verify compliance.
IV. Vendor Access.
A. Vendors may be provided access to systems in order to troubleshoot issues or apply updates. Vendor access will be closely monitored at all times. All access must be approved in advance by the Security Officer.
B. In addition to the requirements set forth in the HIPAA Security Policies, generally, vendor connections are required to meet the following requirements:
1. Access will be limited to only necessary systems.
2. Access is configured to remain disabled when not in use.
3. Access is logged and a complete description of work performed will be provided by the vendor.
4. Prior to granting access, a member of the Hark Workforce must first call the vendor under a pre-established, published number to verify the identity of the individual requesting access.
5. All access will be logged and monitored.
V. Audits. Logs of all outside access into Hark’s internal network shall be maintained in accordance with Hark’s HIPAA Security Policies and the “AUDITING POLICY”. IT personnel shall regularly review these logs, or use automated intrusion detection systems to inform them of suspicious activity.
AUDITS OF DISCLOSURES
Subject to the terms of the business associate agreements, Hark shall provide patients and/or their appropriately authorized personal representatives an accounting of the disclosures of the PHI maintained on behalf of covered entities, as set forth in this Policy and Procedure. Prior to making any accounting of disclosures in accordance with this policy, the Hark Workforce or the Privacy Officer shall review any business associate agreements with covered entities and shall make any such accountings in accordance with the terms of the business associate agreement. Hark shall cooperate with the covered entities in requests for an accounting of disclosures.
I. Accounting of Disclosures for Past Six Years. Except as specifically limited by this Policy and Procedure, a patient shall be given, upon request, an accounting of all disclosures of the Protected Health Information maintained in his or her medical or billing records made during the six (6) years preceding the patient’s request. This shall include disclosures of that information by Hark, or on behalf of Hark, by a subcontractor or business associate.
II. Disclosures Not Subject to Accounting. An accounting will not be provided to the patient for disclosures:
A. For TPO purposes, except as noted under paragraph III below;
B. To the patient requesting the accounting;
C. To persons involved in the patient’s care, or for the purpose of notifying the patient’s family or friends about the patient’s whereabouts, provided such disclosures are in compliance with the DISCLOSURE OF PHI TO FRIENDS AND FAMILY Policy and Procedure;
D. For national security or intelligence purposes;
E. Upon the request of and to a correctional institution or law enforcement official who had the patient in lawful custody at the time of disclosure;
F. Prior to the launch date of the applicable Hark Product;
G. Pursuant to an authorization signed by the patient;
H. Pursuant to a data use agreement for purposes of research, public health or health care operations; or
I. Under the INCIDENTAL DISCLOSURES OF PHI Policy and Procedure.
IV. Suspension of Accounting Rights. Hark shall comply with a request by a health oversight agency or law enforcement official to temporarily suspend a patient’s ability to receive an accounting of the disclosures made to the agency and/or official only if:
A. The agency or official provides a written statement that an accounting of the disclosures that have been or are being made to the agency or official would be reasonably likely to impede the agency or official’s activities, and states a time period for which the suspension will be effective; or
B. The agency or official provides an oral statement that an accounting of the disclosures that have been or are being made to the agency or official would be reasonably likely to impede the agency or official’s activities, so long as the oral statement (including the identity of the agency or official making the statement) is documented by the Hark employee or agent who takes the statement. Oral suspensions of accountings are effective only for thirty (30) days and may not be renewed with another oral request.
V. Patient Charges for Accounting. Hark will provide the first accounting requested by a patient in any twelve (12)-month period free of charge. Otherwise, the patient will be charged a reasonable, cost-based fee for each additional accounting in any one twelve (12)-month period. Patients will be informed of and billed for this charge prior to, or at the time of, the second request for an accounting. At that time, the patient may withdraw or modify his or her request in order to avoid the charge.
VI. Procedure for Responding to Requests.
A. Inquiries Handled by Privacy Officer. All patients who inquire about obtaining an accounting of disclosures shall be directed to contact the Privacy Officer. The Privacy Officer, or his or her designee, shall inform the patient that requests for accountings must be made in writing and shall provide the patient with a Patient Request for Accounting of Disclosures form.
B. Action on Requests. Upon receiving a written request for an accounting, the Privacy Officer or his or her designee shall:
1. Contact all business associates who have received the Protected Health Information of the patient in question and request a copy of the business associate’s accounting log and research disclosures log regarding the patient, unless the accounting is for disclosures for TPO made through an electronic health record and the Privacy Officer elects to provide a list of business associates who have made such disclosures rather than an accounting of disclosures made by such business associates;
2. Within sixty (60) days of the patient’s request, review all relevant accounting logs and the patient’s request in accordance with this Policy and Procedure and shall either provide the accounting requested or notify the patient that an extension of time is needed, explain the reason for the delay and state the date on which the accounting will be available. This extension shall not be longer than thirty (30) days and shall be utilized only once for any given request.
C. Contents of the Accounting.
1. For each disclosure included in the accounting, the information set forth in the Policy and Procedure titled “TRACKING DISCLOSURES OF PHI” shall be included.
2. For disclosures of PHI not made through an electronic health record, the Privacy Officer, or his or her designee, may accomplish this by providing the patient with a copy of the accounting log and/or research disclosures log for the time period that the accounting is requested (up to six (6) years preceding the request).
3. A summary accounting may be provided if multiple disclosures are made to HHS during a single investigation or audit for determining compliance with the HIPAA Privacy Rule or multiple disclosures are made to the same person or entity over a period of time for a single purpose, if the disclosures fit within one of the categories below:
(a) Required by law.
(b) For public health activities.
(c) About victims of abuse, neglect or domestic violence.
(d) For health oversight activities.
(e) For judicial and administrative proceedings.
(f) For law enforcement purposes.
(g) About decedents requested by coroners and medical examiners as well as funeral directors.
(h) For cadaveric organ, eye or tissue donation purposes.
(i) To avert a serious threat to health or safety.
(j) For specialized government functions, such as military activities and national security/intelligence activities.
(k) For worker’s compensation.
4. If a summary accounting is authorized, a full accounting as described in paragraph 1 above shall be made for the first disclosure made during the accounting period, even if that was not the first of the multiple or periodic disclosures. In addition, the accounting shall indicate the frequency or number of disclosures made during the accounting period as well as the last date that a multiple or periodic disclosure was made to the person or entity.
D. Disclosures for Research Purposes.
1. Whenever a disclosure of PHI from fifty (50) or more patient records is made for the purposes of a research project or activity for which the authorization requirement has been waived, the information shall be logged in a chronologically-organized research disclosures log. Hark will not account for disclosures for such research projects or activities. Instead, the following information about each research project to which the patient’s health information may have been disclosed shall be provided:
(a) The name of the protocol or other research activity;
(b) A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;
(c) A brief description of the type of PHI that was disclosed;
(d) The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;
(e) The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and
(f) A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity.
2. If it is reasonably likely that the protected health information of the individual was disclosed for such research protocol or activity, Hark shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.
VII. Recordkeeping. All correspondence regarding requests for accountings, suspensions of accountings by health oversight agencies and law enforcement officials, as well as accountings themselves, shall be maintained in the patient’s record for a minimum of six (6) years.
PATIENT REQUESTS FOR RESTRICTIONS ON USE AND DISCLOSURE OF PHI
Hark will abide by any restrictions on the use and disclosure of PHI to which its covered entities have agreed.
PROHIBITION AGAINST SALE OF PHI
Except in the circumstances described below, Hark shall not directly or indirectly receive remuneration in exchange for any PHI of a patient, unless Hark has received the authorization of the patient in accordance with the Policy and Procedure titled “PATIENT AUTHORIZATION”.
The following disclosures of PHI do not constitute the sale of PHI:
PRIVACY PRACTICES TRAINING
The Hark Workforce will receive detailed training about the policies, procedures and methods of safeguarding the security and confidentiality of patient records.
I. All Staff Shall Receive Training. Each member of the Hark Workforce shall be instructed regarding privacy policies and practices in a manner that is tailored to address the specific functions that the individual receiving that education performs.
II. Initial Training. Each individual who joins the Hark Workforce shall be trained as soon as practicable after joining the Hark Workforce in accordance with a timeframe determined by the Privacy Officer.
III. Continuing Education.
A. A continuing education program shall be administered for all Hark Workforce members, including annual reviews, and periodic reminders, alerts, and distribution of other written materials.
B. A thorough review of the policies, procedures and methods of safeguarding the security and confidentiality of paper-based and electronic health records will occur at least one time per year as part of Hark’s continuing compliance program.
IV. Manual. All Hark Workforce members will receive a manual containing these HIPAA Policies and Procedures, and additional copies of the manual will be stored at Hark’s offices and on any intranet system maintained by Hark. The manual will be updated as necessary with no fewer than one complete review every three (3) years.
V. Training On Updated Policies and Procedures. Whenever a material change is made to privacy practices, including these HIPAA Policies and Procedures, each member of the Hark Workforce affected by the change shall be trained regarding the change within a reasonable period of time, as determined by the Privacy Officer.
VI. Documentation of Training. The completion of training required by this Policy and Procedure shall be documented by either the individual who offered the training or the Privacy Officer acting upon a credible report from the individual who offered the training. This documentation shall be retained for at least six (6) years from the date of its creation.
VII. Oversight and Enforcement.
A. The Privacy Officer shall implement and oversee all training required by this Policy and Procedure. To accomplish this task, the Privacy Officer shall have the authority to consult with and delegate authority, as well as appoint committees to develop and perform training activities.
B. If the Privacy Officer believes that a Hark Workforce member’s failure to attend or participate in the designated training required by this Policy and Procedure is purposeful and not reasonably justified, he or she shall report the information supporting that belief, in writing, to the Board, or an appropriate committee thereof, who shall take further action as may be warranted.
Any individual who believes the rights granted by the HIPAA Privacy Rule or any other state or federal laws dealing with privacy and confidentiality have been violated may file a complaint regarding the alleged privacy violation.
I. All Complaints Considered.
A. All complaints regarding privacy policies and practices and compliance with those policies and practices will be accepted and considered.
B. Hark shall not require any patient to waive their rights to file a complaint as a condition of providing treatment, payment, enrollment in a health plan, or eligibility for benefits, to the extent applicable.
II. Required Reporting. Hark Workforce members who have a reasonable basis to believe that a breach of confidentiality or a violation of the HIPAA Privacy Rule has occurred must report the incident as soon as possible to the Privacy Officer. Any such member who fails to make this required report is subject to corrective action.
III. Submission of Complaints.
A. Complaints must be in writing and may be submitted directly to the Privacy Officer or through a secure and confidential incident reporting method established for reporting such incidents (e.g., drop box, hotline, email address designated for incident reporting).
B. Any privacy-related complaint made by a patient, Hark Workforce member, or volunteer at any time must be forwarded to the Privacy Officer.
C. Hark’s Policy and Procedure titled “NON-RETALIATION AND NON-INTIMIDATION” shall be followed at all times.
IV. Investigation of Complaints.
A. The Privacy Officer will investigate the alleged privacy violations, whether by patients regarding alleged breaches of their privacy or by Hark Workforce members who believe fellow members have violated patient privacy standards. The Privacy Officer, or his or her designee, shall review all complaints within a reasonable period not to exceed fifteen (15) days.
B. If the complaint seeks a response, and provides contact information, the Privacy Officer (or designee) shall prepare and deliver a written response to the individual who lodged the complaint within thirty (30) days. If the complaint does not seek a response, or does not provide contact information, the Privacy Officer (or designee) shall prepare a written statement of any action taken with regard to the complaint within thirty (30) days. That statement shall be attached to, and filed with, the complaint.
C. If during the course of investigation an individual is found to be in violation of a Policy and/or Procedure, he/she will be subject to appropriate sanctions.
NON-RETALIATION AND NON-INTIMIDATION
Hark shall not retaliate against any person or entity as a result of the submission of a privacy- or security-related complaint by such person or entity. Hark shall not take actions that may intimidate any person or entity and prevent such person or entity from filing a privacy- or security-related complaint.
I. Workforce Compliance Communications.
A. All Hark Workforce members shall be allowed to freely discuss and raise questions to Hark management, the Privacy Officer, the Security Officer or other appropriate personnel about situations they feel are in violation of federal and state law, a policy or procedure of Hark, and/or regulatory requirements.
B. In addition, all Hark Workforce members have a personal obligation to report any activity that appears to violate applicable laws, regulations, rules, policies or procedures through the processes set forth in these policies and procedures.
II. No Retaliation or Intimidation.
A. Hark Workforce members will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals and others for asserting their rights under the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule.
B. Any intimidation of or retaliation against patients, families, friends, or other participants in the complaint process is prohibited. Hark Workforce members who violate this Policy and Procedure are subject to disciplinary action, up to and including termination.
III. Investigation and Enforcement. The Privacy Officer or his/her designee will review any allegation of retaliation and will ensure that a proper investigation is conducted as appropriate. All supervisors and managers are responsible for enforcing this Policy and Procedure. Individuals who violate this Policy and Procedure will be subject to the appropriate and applicable disciplinary process, up to and including termination or dismissal.
SANCTIONS FOR HIPAA VIOLATIONS
Hark Workforce members shall be subject to sanctions for violations of the HIPAA Privacy Rule, the HIPAA Security Rule, the Breach Notification Rule, and these HIPAA Policies and Procedures.
I. Compliance Expected. All Hark Workforce members are required to comply with all HIPAA Policies and Procedures. In addition, Hark Workforce members are expected to report known or suspected violations of HIPAA Policies and Procedures by others.
II. Supervision. Managers and supervisors may be sanctioned for failure to adequately instruct their subordinates, or for failing to detect non-compliance with applicable HIPAA Policies and Procedures, where reasonable diligence on the part of the manager or supervisor would have led to the discovery of any problems or violations and provided an opportunity to correct them earlier.
III. Investigations. Investigations of reported violations shall be handled according to either the Policy and Procedure titled “PRIVACY RELATED COMPLAINTS” or the Policy and Procedure titled “INCIDENT RESPONSE POLICY”, as appropriate.
IV. Sanctions. Sanctions for Hark Workforce members who violate these HIPAA Policies and Procedures may include, but are not limited to:
B. Verbal warnings;
C. Written warnings;
D. Paid and unpaid suspensions;
E. Exclusion from the premises;
F. Loss of practice privileges, if applicable;
G. Loss of employee privileges and/or benefits;
H. Demotion; and/or
V. Exceptions to the Sanctions Policy.
A. Whistleblowers. No sanctions or retaliatory actions shall apply to members of Hark Workforce who believe in good faith that Hark has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by Hark potentially endanger patients, workers, or the public and who disclose Protected Health Information to the following individuals or entities:
1. a health oversight agency or public health authority authorized by law to investigate or oversee the conduct or conditions of Hark so long as the purpose of the disclosure was to report the allegation regarding Hark’s failure to meet the relevant legal or professional standards;
2. a health care accreditation organization, so long as the purpose of the disclosure was to report the allegation regarding Hark’s failure to meet the relevant legal or professional standards; or
3. an attorney retained by or on behalf of the Hark Workforce member for the purpose of determining the legal options that the member has with regard to the illegal or unprofessional conduct.
B. Individuals who oppose actions that violate HIPAA Policies and Procedures. No sanctions or retaliatory actions shall apply to any individual for the following:
1. Filing a truthful complaint with the Secretary of HHS, or other governmental agency, regarding a privacy violation;
2. Testifying, assisting, or participating in any official investigation, compliance review, proceeding, or hearing under the Administrative Simplification provisions of the Social Security Act (including the HIPAA Privacy Rule, the HIPAA Security Rule, the Breach Notification Rule, and Transaction Code Standards); or
3. Opposing any act or practice that violates the HIPAA Privacy Rule, the HIPAA Security Rule, or the Breach Notification Rule Regulations, as long as the individual doing so believes in good faith that the act or practice is unlawful, and the manner of the opposition is reasonable and does not involve making a disclosure of Protected Health Information that violates these HIPAA Policies and Procedures.
To the extent practicable, Hark will mitigate any harmful effect that becomes known to Hark as a result of the use or disclosure of PHI in violation of Hark’s HIPAA Policies and Procedures or applicable law.
I. Mitigation Efforts. The need for mitigation will be assessed on a case-by-case basis by the Privacy Officer or Security Officer, as applicable, in consultation with Hark management, as necessary. Mitigation actions may include, but shall not be limited to, the following:
A. Taking operational and procedural corrective measures to remedy violations;
B. Taking employment actions to re-train, reprimand, or discipline Hark Workforce members as necessary, up to and including termination;
C. Addressing problems with subcontractors once Hark is aware of a breach of the HIPAA Privacy Rule, the HIPAA Security Rule, and/or the Breach Notification Rule;
D. Terminating agreements with business associates or subcontractors who violate the assurances set forth in such agreements;
E. Retrieving wrongly disclosed information;
F. Disclosing of a violation to the patient;
G. Preventing any future breach;
H. Correcting system errors that caused the breach; and
I. Educating Staff on wrongful disclosure.
II. Accounting. Because any unlawful use or disclosure falls outside of use, payment or routine operations, a record of an unlawful use or disclosure should be recorded and maintained.
PRINTING AND COPYING PHI
In compliance with the HIPAA Privacy Rule, the Hark Workforce shall implement reasonable safeguards to ensure the confidentiality of PHI.
I. Safeguards. All Hark Workforce members must strictly observe the following standards relating to the printing and copying of PHI:
A. PHI in hardcopy format must be disposed of in accordance with Records Retention schedules, and the Policy and Procedure titled “MEDIA DISPOSAL POLICY”.
B. Printed versions of PHI should not be copied indiscriminately or left unattended and open to compromise.
C. Printers and copiers used for printing of PHI should be in a secure, non-public location. If the equipment is in a public location, the information being printed or copied is required to be strictly monitored.
D. PHI printed to a shared printer should be promptly removed.
E. Media and hardcopy containing PHI must have access controls during transportation and disposal.
II. Monitoring. Hark management shall be responsible for monitoring Hark Workforce members to ensure compliance with this Policy and Procedure.
STORAGE OF PHI
Hark Workforce members shall store PHI to guard against accidental release to an outside party.
I. Storage Standards. All Hark Workforce members must strictly observe the following standards relating to the storage of PHI:
A. Outside of regular working hours, Hark Workforce members must clean desks and working areas such that all PHI is properly secured, unless the immediate area can be secured from unauthorized access.
B. When not in use, PHI must always be protected from unauthorized access. When left in an unattended room, such information must be appropriately secured.
C. If PHI is to be stored on the hard disk drive or other internal components of a personal computer or PDA (Personal Digital Assistant), it must be protected as specified in the Policy and Procedure titled “SYSTEM ACCESS POLICY”, “MEDIA DISPOSAL POLICY” and “DATA INTEGRITY POLICY”. When not in use, this media must be secured from unauthorized access.
D. Storage on diskettes, CD-ROM or other removable data storage media shall be governed by the Policy and Procedure titled “MEDIA DISPOSAL POLICY”.
II. Monitoring. Hark management shall be responsible for monitoring Hark Workforce members to ensure compliance with this Policy and Procedure.
DISPOSAL OF PHI
Hark Workforce members shall dispose of PHI by means that guard against an accidental release to an outside party.
I. Disposal Standards. All Hark Workforce members must strictly observe the following standards relating to disposal of hardcopy and electronic copies of PHI:
A. PHI must not be discarded in trash bins, unsecured recycle bags or other publicly-accessible locations. Instead, Hark will provide special waste disposal containers that are clearly marked to dispose of paper containing PHI.
B. Printed material and electronic data containing PHI shall be disposed of in a manner that ensures confidentiality.
C. It is the individual’s responsibility to ensure that the document has been secured or destroyed, and it is the responsibility of Hark’s managers and supervisors to ensure that their employees are adhering to this Policy and Procedure.
II. Destruction of Paper Containing PHI. Hark shall provide users with access to shredders or secured waste disposal containers for proper disposal of papers containing PHI. Reports, documents, and printed material that include PHI shall be deposited in the appropriate disposal container for shredding.
III. Bulk Destruction. Secure methods will be used to dispose of hard copy and electronic data and output. PHI printed material shall be shredded and recycled by a firm specializing in the disposal of confidential records or be shredded by an employee of Hark authorized to handle and personally shred the PHI. Microfilm or microfiche must be cut into pieces or chemically destroyed. An appropriately qualified and certified contractor shall conduct the destruction of electronic data and output in accordance with applicable laws and regulations. After documents have reached their retention period, all PHI must be securely destroyed under Hark’s record retention process governing destruction of records. If hard copy PHI (paper, microfilm, microfiche, etc.) cannot be shredded, it must be incinerated.
IV. Disposal of Resources. Retired storage media (tapes, disks, CDs) shall be directed to the Security Officer for destruction. The Security Officer shall ensure that the hard drives or other storage media of retired computer equipment and all removable storage media such as floppy disks and compact discs are appropriately wiped clean of data before the equipment leaves Hark’s premises.
V. Documentation of Destruction. To ensure that it is in fact performed, either a member of the Hark Workforce or a bonded destruction service must carry out the destruction of PHI. If a Hark Workforce member undertakes the destruction of the records, he or she must document such destruction. If a bonded shredding company undertakes the destruction, the bonded shredding company must provide Hark with the document of destruction that contains the following information: (i) date of destruction; (ii) method of destruction; (iii) description of the disposed records; (iv) inclusive dates covered; (v) a statement that the records have been destroyed in the normal course of business; (vi) the signatures of the individuals supervising and witnessing the destruction. The Privacy Officer will maintain destruction documents permanently.
Hark Terms and Conditions of Access and Use
Hark Portal Services
The following services are offered through the Hark Portal:
ANY AND ALL SERVICES YOU REQUEST FROM A HEALTHCARE PROVIDER THROUGH THE HARK PORTAL MAY BE SUBJECT TO CERTAIN RESTRICTIONS OR LIMITATIONS OF YOUR INSURANCE PROVIDER AND, UNLESS EXPRESSLY IDENTIFIED AS PRO BONO SERVICES, YOU WILL BE RESPONSIBLE FOR ALL CHARGES BY ANY COMMUNITY PROFESSIONAL FOR SERVICES RENDERED THAT ARE NOT COVERED BY YOUR INSURANCE PROVIDER.
Your Account Profile, User ID and Password
Use Rights and Restrictions
User Submission of Information
By clicking the box below, and to the extent you submit information and content (“User Information”) through the Hark Portal while accessing and using the Hark Portal, You represent that You have the full legal right to provide the User Information and that use of the User Information by the Center and all other persons and entities will not (a) infringe any intellectual property rights of any person or entity or any rights of publicity, personality, or privacy of any person or entity, including, but not limited to, as a result of Your failure to obtain consent to post personally identifying or otherwise private information about a person; (b) violate any law, statute, ordinance, or regulation; (c) be defamatory, libelous or trade libelous, unlawfully threatening, or unlawfully harassing; (d) be obscene, child pornographic, indecent, or embarrassing, or harm minors in any way, or disclose to any third person any private or personal matters concerning any person, all of which User Information shall be determined by the Center in its sole discretion; (e) violate any community or Internet standard; (f) contain any viruses, Trojan horses, worms, time bombs, cancelbots, or other computer programming routines that damage, detrimentally interfere with, surreptitiously intercept, or expropriate any system, data or personal information; (g) result in product liability, tort, breach of contract, personal injury, death, or property damage; (h) constitute misappropriation of any trade secret or know-how; (i) post, transmit, or distribute advertisements, promotions, or solicitations without the prior written approval of the Center; or (j) constitute disclosure of any confidential information owned by any third party.
The Center may remove, in the Center’s sole discretion, any User Information from the Hark Portal for any reason or no reason, including (without limitation) User Information that is libelous, incorrect, spiteful, or otherwise inappropriate. The Center shall not be responsible for changes, modifications, or removal of any User Information that You submit to the Hark Portal. If You believe that any content or postings on the Hark Portal violate Your intellectual property or other rights, please submit a complaint to email@example.com.
To the extent permitted by applicable law, You grant to C3 a non-exclusive, perpetual, enterprise-wide, royalty-free license, in all forms and all media (including derivative works), to use the User Information submitted by You in such manner that is consistent with this Agreement and the Hark Portal services, and to permit C3 to comply with applicable law.
All works of authorship, information, content, functional components, and material appearing on or contained in the Hark Portal (“Portal Materials”) are protected by law, including, but not limited to, United States copyright law. Except as explicitly stated on the Hark Portal, the entirety of the Portal Materials (including, but not limited to, data, illustrations, graphics, audio, video, photographs, pictures, recordings, images, text, forms, and look and feel attributes) are the Center’s copyrighted works, all rights reserved, or the copyrighted works of the Center’s affiliates, licensors, or suppliers. Removing or altering any copyright notice or any other proprietary notice on any Portal Materials is strictly prohibited. Any commercial use of any Portal Materials, in whole or in part, without the prior written consent of the Center, is prohibited. Any reproduction, distribution, performance, display, preparation of derivative works based upon, framing, capturing, harvesting, or collection of, or creation of hypertext or other links or connections to, any Portal Materials or any other proprietary information of the Center, without the Center’s advance written consent, is prohibited. All names, trademarks, service marks, symbols, slogans, and logos appearing on the Hark Portal are proprietary to the Center or its affiliates, licensors, or suppliers. Use or misuse of these trademarks is expressly prohibited and may violate federal and state trademark law.
To the extent permitted by applicable law, You grant to C3 a non-exclusive, perpetual, enterprise-wide, royalty-free license, in all forms and all media (including derivative works), to use the User Information submitted by You in such manner that is consistent with this Agreement, to provide You services through the Hark Portal, and to allow C3 to comply with applicable law.
ANY INFORMATION CONTAINED IN THE HARK PORTAL OR PROVIDED THROUGH THE HARK PORTAL IS PROVIDED ON AN "AS IS" AND “AS AVAILABLE” BASIS. THE CENTER WILL REGARD ALL ACCESS TO AND USE OF THE HARK PORTAL AS VOLUNTARY AND AT YOUR SOLE RISK. EXCEPT AS OTHERWISE PROVIDED HEREIN, WE DO NOT MAKE ANY EXPRESS OR IMPLIED WARRANTIES OF ANY KIND WHATSOEVER (INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE OR NONINFRINGEMENT, OR ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE) WITH REGARD TO THE SERVICES, OR WITH RESPECT TO ANY INFORMATION, PRODUCT, SERVICE, MERCHANDISE, APPLICATION OR OTHER MATERIAL PROVIDED ON OR THROUGH THE HARK PORTAL PROVIDED BY A COMMUNITY PROFESSIONAL. WE DO NOT WARRANT OR GUARANTEE THE ACCURACY, AVAILABILITY, COMPLETENESS, CORRECTNESS, TIMELINESS OR USEFULNESS OF ANY INFORMATION, PRODUCTS, SERVICES, MERCHANDISE, APPLICATION OR OTHER MATERIAL PROVIDED BY USING THE HARK PORTAL GENERALLY. EXCEPT AS OTHERWISE EXPRESSLY STATED HEREIN, WE DISCLAIM AND MAKE NO WARRANTY OR GUARANTEE THAT THE HARK PORTAL WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE.
YOU UNDERSTAND THAT COMMUNITY PROFESSIONALS LISTED IN THE HARK PORTAL ARE GEOGRAPHICALLY LIMITED TO THE BENTON, WASHINGTON, MADISON AND CARROLL COUNTIES OF ARKANSAS. WE DO NOT WARRANT OR GUARANTEE THE COMMUNITY PROFESSIONALS WILL BE AVAILABLE OUTSIDE OF THE FOREGOING 4 COUNTIES OR WILL PROVIDE SERVICES ELECTRONICALLY THROUGH TELEMEDICINE/TELEHEALTH OR OTHER MEANS.
Limitations of Liability
THE CENTER HAS NO RESPONSIBILITY FOR ANY ACTION TAKEN BY YOU, INCLUDING, BUT NOT LIMITED TO, ANY HEALTH CARE RECEIVED BY YOU IN RELIANCE ON ANY COMMUNICATION FACILITATED BY USE OF THE HARK PORTAL AND THE APPLICATIONS MADE AVAILABLE THEREIN; UNAUTHORIZED ACCESS TO OR USE OF THE HARK PORTAL FROM YOUR ELECTRONIC DEVICES; THE UNAUTHORIZED DISCLOSURE OF PATIENT INFORMATION BY ANYONE ACCESSING OR USING YOUR DEVICE OR COMPUTER(S); OR OBTAINING PROPER CONSENTS, RELEASES AND/OR AUTHORIZATIONS FOR YOU TO USE THE HARK PORTAL AND TO FACILITATE ELECTRONIC COMMUNICATION OF PERSONALLY IDENTIFIABLE PATIENT INFORMATION BETWEEN YOU AND A COMMUNITY PROFESSIONAL.
By clicking the box below, and while accessing and using the Hark Portal, You authorize communication of patient or other identifiable or non-identifiable information through use of the Hark Portal from and with any and all individuals and entities, including Community Professionals, that You connect, communicate or interact with while using the Hark Portal. The Center does not guarantee that any request for assistance or to connect with Community Professionals will be accepted or acted upon by a Community Professional. You acknowledge that the Hark Portal is intended for communication and interaction between You and Community Professionals; that any unintended or unauthorized use by You to communicate confidential patient information may compromise the security of the patient information; and that You will be responsible and liable for any such unauthorized disclosure.
YOU SHOULD NOT USE THE HARK PORTAL TO COMMUNICATE WITH A COMMUNITY PROFESSIONAL IN URGENT SITUATIONS. FOR ALL URGENT MEDICAL MATTERS, CONTACT YOUR PHYSICIAN'S OFFICE DIRECTLY, OR GO DIRECTLY TO AN EMERGENCY ROOM OR CALL 911.
In the event SMS messaging services are offered through the Hark Portal, You can opt in to receive SMS messages (e.g., text messages) on Your mobile device regarding certain activities, including the scheduling of appointments, in connection with Your account. There are no premium charges for receiving SMS messages; however, standard message and data rates may apply.
To opt out of receiving messages from the Hark Portal, You must log into Your Hark Portal account and follow the instructions therein. If You have sent a command in the Hark Portal to opt out and have questions about whether it has been processed, please send an e-mail to firstname.lastname@example.org.
The Center welcomes Your feedback and suggestions about how to improve the Center’s services and the Hark Portal, including, without limitation, the feedback and suggestions and all other information, data, material, or other content (collectively, “Submissions”). Such Submissions can be sent to info@Harknwa.com. C3 alone (and its licensors, where applicable) will retain all intellectual property rights relating to Submissions, which are hereby assigned to C3. Further, the Center is free to use any ideas, concepts, methods, know-how, techniques, and processes contained in any Submission for any purpose whatsoever, including, but not limited to, creating and marketing products, information, or services using such information.
Use of the Hark Portal may (i) require compatible devices (e.g., personal computer, mobile phone, tablets and other consumer electronic devices), Internet access or Wi-Fi, certain software and wireless plans with necessary wireless data features; (ii) require periodic updates; and (iii) be affected by the performance of the factors set forth herein. Your use of mobile device features may result in increased charges from Your wireless carrier.
Modifications and Updates
Rights, Remedy, and Termination
Parties other than the Center, including Community Professionals, may provide information, products or services on the Hark Portal. Use of the Hark Portal and the Portal Materials and any other material or content on and made available through the Hark Portal is entirely at Your own risk. The Center expressly disclaims any and all responsibility for or related to the information, products or services provided by or advertised by these third parties or the transactions You conduct or enter into with these third parties. Additionally, the Hark Portal may, from time to time, contain links to other Internet Web sites for the convenience of users in locating information, products, or services that may be of interest. The Center expressly disclaims any and all responsibility for the content, the accuracy of the information, or quality of products or services provided by or advertised on these third party sites. The Center reserves the right, in its sole discretion at any time, to deny any request, or rescind any permission granted, to link to the Hark Portal and to require termination of any such link to the Hark Portal. The availability of links from the Hark Portal to third party sites is not, and should not be construed as, an endorsement of these third party sites.
Complaints, Comments and Questions
Complaints, comments or questions regarding the Hark Portal should be sent to:
This HARKNWA Emergent Events Policies and Procedures for Individuals was adopted 10/19/2017.
Emergent events include, but are not limited to: suicidal plans or ideation, homicidal plans or ideation, domestic violence incidents, feeling threatened or not safe, and incidents of rape and sexual assault. If you become aware of an emergent event, please follow the process below.
In the case of an emergent situation:
This HARKNWA Emergent Events Policies and Procedures for Providers was adopted 10/19/2017.
Emergent events include, but are not limited to: suicidal plans or ideation, homicidal plans or ideation, domestic violence incidents, feeling threatened or not safe, and incidents of rape and sexual assault. If you become aware of an emergent event, please follow the process below.
In the case of an emergent situation: