NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
CONFIDENTIALITY OF CLIENT INFORMATION SECURITY HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The Agency will maintain the security and confidentiality of all client information. The Agency will have in place a Notice of Privacy Practices and will adhere to all federal, state and other regulations pertaining to HIPAA. The Agency will provide all clients with a copy of a Notice of Privacy Practices at the first delivery of services and will make every effort to obtain a receipt from the client stating that they have been provided the Notice. Private Health Information or PHI is defined in the Privacy Rule as any health information, no matter what its form (electronic, paper, or oral), and is protected by HIPAA. All Business Associates will be required to enter into an agreement with the HHA and to provide satisfactory assurance that they will maintain the confidentiality of PHI and will only use and disclose it for the purposes for which it was provided. The Agency will designate a Privacy Official. Information may not be released without the consent of the client or duly authorized representative for any reason other than what it is intended for, which is the appropriate delivery of client care. The Agency will limit access to all confidential client information, including OASIS data. In the event a vendor is used to transmit OASIS data, a written agreement that addresses the confidentiality by an entity contracted by the Agency will be in place. The Agency will have the ultimate responsibility for compliance with the confidentiality requirements and is responsible to see that the contractor meets the requirements.
For privacy and security reasons, communication of OASIS information will be done in accordance with CMS policies on the communication of client-identifiable information. Access to and transfer and delivery of OASIS information will be limited to only authorized personnel. Only those authorized will maintain secure passwords for data encoding and transmission. In the event that a data entry staff member responsible for encoding and transmission leaves employment with the Agency, new secure passwords will be assigned. All client information will be protected to reduce the risk of intentional or accidental misuse or loss of confidential information. The Agency will make every effort to protect confidential client information from unauthorized changes, destruction or disclosure, whether accidental or intentional. This includes, but is not limited to, all computers and telecommunication hardware, software, storage media, computer sign-on codes, and any information transmitted, stored, printed and/or processed by a computer.
- Agency staff who use Agency information resources in the performance of their job functions are responsible for effecting security on their workstation and complying with expected Agency confidentiality standards.
- Agency supervisory staff are responsible for ensuring that employees are knowledgeable with regard to security and confidentiality of client records and data, and will monitor practices and develop an action plan to address breaches of confidentiality or security of client information.
- Appointed individuals with an understanding and working knowledge of a system or application, or who are responsible for authorizing access privileges, will maintain the security and confidentiality of client information.
- Employees are expected to exercise care in maintaining their passwords used for accessing computer resources and should change passwords at least every 90 days, choose passwords that are difficult to guess, and not share passwords.
- Contractors and part-time personnel will be educated with regard to security and confidentiality of client information.
- All users who sign onto a computer system must sign off, lock or physically secure their terminal when leaving it unattended.
- Only authorized staff will make entries into the client’s medical record. Those individuals include all who provide direct care and applicable clerical and financial support staff as designated by the Administrator.
- All entries will authenticate with the signature and the first initial, last name, and discipline or computer key. Initials may be used on designated forms to indicate review, revisions or correction of an entry.
- Printed reports containing confidential information must be stored in a secure area which is inaccessible to unauthorized persons. Confidential reports will be rendered unreadable before being discarded. This includes information that is maintained on diskettes or other electronic media.
- If a computer key is authorized, the employee will sign a document indicating that no other individual is allowed to use the key.
- Electronic signatures are used to authenticate or sign entries in the medical record. It is necessary that each provider who chooses to maintain records electronically develop, implement, and maintain policies and procedures that comply with state and federal regulation pertaining to electronic medical records, including safeguards for confidentiality and protection of information integrity and responsibility for enforcement of the policies.
- Agencies must have policies to include a process for documentation during computer downtimes and reconstruction of records in the event of a system failure.
- Client’s clinical records will be maintained in the agency with pertinent information maintained in the client’s residence as indicated and appropriate and will be available to administrative, service delivery and clerical staff who require the use of the records in the performance of Agency services or their job requirements. Such staff may use the records and make entries pertinent to the performance of their job.
- Billing records will be maintained in the Agency and will be available to administrative, financial and clerical staff who require the use of the records in the performance of Agency services or their job requirements. Such staff may use the records and make entries pertinent to the performance of their job.
- The following staff may have access to and make entries in the clinical/clerical/billing record: 561, PT, LPTA, OT, COTA, MSW, SW Assistant, Home Health Aide, Clerical, Billing, Data entry staff.
- Records will be made available to properly authorized state and federal representatives and accreditation agency representatives and third party payer for the purpose of audits, certification and licensure and/or accreditation surveys.
- Records and information pertaining to persons with sensitive diagnoses will be handled in accordance with applicable state requirements and Agency policy.
- Non-confidential information or ‘non-privileged’ information can be released under appropriate circumstances without requiring the client’s written authorization. The reason for the ‘need to know’ will always be considered. Certain identification data obtained on admission is considered ‘non-privileged’, which means that this data may be given without violating the client’s right to privacy or the client/physician privilege. This data includes but is not limited to:
- Name of client
- Address of residence given on admission
- Sex, age and occupation of the client
- Date of admission and discharge
- Verification of hospitalization
- Name of attending physician
- Names of relatives/friends given on admission