Hipaa Policies And Procedures Manual Template Word - Felicity Okolo

When those with professional functions that do not involve the use of Protected Health Information might have inadvertent contact with such information or act as a conduit for the information. (See UWM’s recommended Accounting of Disclosures Log.) 4. These templates are very thorough and complete. These should include appropriate administrative, technical, and physical safeguards to reasonably protect Protected Health Information from any intentional or unintentional use or disclosure in violation of this policy. At a minimum, Covered Departments should comply with the following: Oral Communications Covered Department staff must exercise due care to avoid unnecessary disclosures of Protected Health Information through oral communications. To Those Involved in the Patient’s Care. Telephone Messages Telephone messages and appointment reminders may be left on answering machines and voice mail systems, unless the patient has requested an alternative means of communication. The templates do hit all of the HIPAA guidelines, but remain flexible, allowing you to model your security plan after the templates we provide. View Components of HIPAA Security Policy Template Suite View sample HIPAA Security policy Developing or revising your organization’s security policies and procedures is a major task that takes time and attention to detail. Employees An employee who violates this policy may be subject to discipline. Covered Departments should contact UWM’s Office of Legal Affairs for a copy of UWM’s form Business Associate Agreement. HIPAA Security Compliance The HITECH Act required all Business Associates to be HIPAA compliant. All faxes of Protected Health Information should be accompanied by a cover sheet that includes a confidentiality notice. These directories also may include a patient’s religious affiliation so that providers may share it with clergy.
For example, office servicepersons such as plumbers, electricians and photocopy repair agents as well as transporters of Protected Health Information (e.g., the U.S. Post Office, UPS, or Ameritech) are not Business Associates. In addition, documentation of the sanction should be forwarded to the applicable Privacy Officer, who shall maintain it in a confidential file. Psychotherapy Notes Unless psychotherapy notes are used by their originator for treatment, used in the provider’s own training program, or disclosed pursuant to a court order, use or disclosure of psychotherapy notes requires a separate authorization. These sanctions may include a decreased grade, a written reprimand, suspension, or expulsion. Features of templates for HIPAA Security Policies The HIPAA law requires HIPAA Security policies and procedures manual should be created by healthcare organizations and their business associates. Authorization for Use or Disclosure of PHI (45 C.F.R. § 164.508) HIPAA requires that Covered Departments obtain patient authorization in writing for any use or disclosure of Protected Health Information, other than those described in Section G above, where authorization is not required. Students A student who violates this policy may be subject to appropriate sanctions under either the Academic Disciplinary Procedures (found at Wisconsin Administrative Code Ch. UWS 14) or Nonacademic Disciplinary Procedures (found at Wisconsin Administrative Code Ch. UWS 17). The Privacy Officer shall make a recommendation for a response and corrective action, if applicable, to the Dean or Division Head of the school, college, or division in which the Covered Department is located, with a copy to the Office of Legal Affairs. Complaints (45 C.F.R. § 164.530(d)) Any individual who believes the rights granted by these policies and procedures, the HIPAA privacy regulations, or by any other state or federal law concerning confidentiality or privacy have been violated may file a complaint regarding the alleged privacy violation. Methods of Transmission The Notice of Privacy Practices may be mailed to the patient prior to, or handed to the patient at the first appointment after, April 14, 2003. If de-identified information is re-identified, that information is PHI subject to all the protections of HIPAA. The unit transmits any PHI (see definition above) in Electronic Form in connection with a Transaction. For any further request in a 12-month period, the Privacy Officer may charge a reasonable, cost-based fee, but only if the Privacy Officer informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request in advance to avoid or reduce the fee. Denying the Amendment If the amendment is denied, in whole or in part, the Privacy Officer and/or Covered Department must: Inform the patient in writing of the denial or partial denial, with reasons; Permit the patient to submit a written statement disagreeing with the denial; and If the patient has submitted a written statement disagreeing with the denial, append to the applicable record the request, the denial, and the patient’s response to the denial; If the patient has not submitted a written statement disagreeing with the denial, append to the applicable record the request and the denial only if the patient so requests. If a Limited Data Set is not practicable, the Covered Departments may still rely on the general minimum necessary rule. Acknowledgement of Receipt Covered Departments must make a good faith effort to obtain a written acknowledgement that patients have received a copy of the Notice of Privacy Practices prior to receiving health care services.
Our template suite can help you with any aspect of the HIPAA Security Compliance and HIPAA Security Rule while remaining flexible enough to be customized to your business needs. Any individual who believes that a form of retaliation or intimidation is occurring or has occurred should report the incident to the Privacy Officer. (See UWM’s recommended Authorization Form and Authorization Form for Research.) If the Covered Department receives payment in exchange for such marketing, the authorization form must disclose that fact. Faxes Prior to sending a fax containing Protected Health Information, the sender should contact the recipient to verify the fax number and notify the recipient of the transmission, and the sender should confirm immediately after that the transmission was received. Uses or disclosures requiring written authorization often fall into one of five categories: uses or disclosures related to marketing, uses or disclosures in connection with the sale of Protected Health Information, uses or disclosures related to research, the use or disclosure of psychotherapy notes, and miscellaneous disclosures requested by the patient. Maintaining the Request for Amendment in the Patient’s Records Documentation of the amendment process as described above must be maintained in the patient’s medical record for a minimum of six (6) years. Changes to the Policy (45 C.F.R. §154.530(j)) UWM will change the Policies and Procedures for the Protection of Patient Health Information and its recommended forms, including the model Notice of Privacy Practices, as necessary and appropriate to comply with changes in the law or to accommodate changes in UWM’s structure or operation. The HIPAA rule has very specific requirements with regard to creating, implementing, or changing policies and procedures.
The report should include all of the following information, to the extent immediately available: A brief description of what happened, including the date of the breach and discovery of the breach; Who impermissibly used the information and/or to whom the information was impermissibly disclosed; A description of the types of and amount of unsecured PHI involved in the breach; Whether the PHI was secured by encryption, destruction, or other means; Whether any intermediate steps were taken to mitigate an impermissible use or disclosure; Whether the impermissibly disclosed PHI was returned prior to being accessed for an improper purpose; and If the PHI was provided to UWM under a Business Associate Agreement, a copy of the Business Associate Agreement. Inspecting and Copying Records (45 C.F.R. § 164.524, 42 U.S.C. § 17935) Patients of Covered Departments have the right to inspect and obtain a copy of their Protected Health Information. Verification of Identity The Privacy Officer must obtain verification of the requestor’s identity before granting access to the record. Among other things, Business Associates: Must notify the Covered Department or covered entity of any breach; Are required to terminate Business Associate Agreements for material violations of the contract by the Covered Department or covered entity; May be required to account directly for disclosures it makes on behalf of the Covered Department or covered entity. Making the Request Patients should make a request for an amendment of their Protected Health Information in writing and direct it to the Privacy Officer for the Covered Department. Protocols Related to the Minimum Necessary Rule Covered Departments shall develop their own individual protocols with regard to implementation of the minimum necessary standard. Access by Students The access granted to students must be determined on a case-by-case basis depending on the nature of the educational activity.
Generally, the Covered Department must ensure that any Business Associate enters into a Business Associate Agreement. UWM’s Information Security Office will follow UWM’s Information Incident Response Procedure. Definition of “Breach” The HITECH Act of 2009 established new requirements for notifying patients when their PHI has been “breached.” For the purposes of HITECH, a “breach” occurs when there has been an acquisition, access, use or disclosure of PHI that compromises the security or privacy of the information. Each security policy must set the foundation for the individual departmental procedures needed to support and implement the policy. (See UWM’s recommended Permission to Use E-mail.) Promotional information about the Covered Department’s own practices is not considered marketing under HIPAA. Telephone messages should never be left that include particularly sensitive health information, such as medical test results. Reference to Another Person The information refers to another person and access is reasonably likely to cause substantial harm to the other person. Health care providers may share with a patient’s friends, family or others involved in the patient’s care information related to that patient’s location or general condition. Not only have they been established on the best industry practices, but they were created by HIPAA compliance officers with practical knowledge of HIPAA compliance and by security experts with healthcare experience. Other Safeguards Covered Departments are responsible for developing and establishing safeguards to protect the confidentiality of Protected Health Information. These policies are intended to be a summary of the HIPAA privacy and security regulations.
The following Covered Departments are considered part of UWM’s Health Care Component for the purposes of HIPAA: Provider Units: UWM Audiology Clinic (College of Health Sciences) Administrative Units UITS Selected Support Staff (Division of Finance & Administrative Affairs) Other (Non-UITS) IT personnel serving Covered Departments Accounts Payable Accounts Receivable Office of Legal Affairs (Division of Finance & Administrative Affairs) Risk Management (Division of Finance & Administrative Affairs) C. d. A consultant hired to review the accuracy of a Covered Department’s billing and coding practices. A revised Notice of Privacy Practices must be posted on the Covered Department’s web site and a paper copy must be provided to patients upon request. Maintaining the Request for Confidential Communications Requests for confidential communications should be maintained with the responses to such requests in the patient’s medical record for a minimum of six (6) years. 7. Verification of Identity The Privacy Officer must obtain verification of the requestor’s identity before considering an amendment to the record. HIPAA Security Policies templates Rated 4.8/5 based on 1274 reviews These policies and procedures were created to help UWM comply with the privacy and security regulations established pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) of 2009. The primary purpose of HIPAA’s privacy and security regulations is to protect the confidentiality of Protected Health Information which is generated or maintained by entities covered by HIPAA in the course of providing health care services. The patient may also direct the Privacy Officer to transmit a copy of the information in electronic format to any other entity or person, provided that the request is clear and specific.
Research Patient authorization must be obtained if a Covered Department wishes to use or allow use of a patient’s Protected Health Information in research studies, unless the Department has received explicit permission to forego an authorization by UWM’s Institutional Review Board (IRB) or by a special board authorized by UWM to handle privacy matters. The disclosures listed above are explained in greater detail in the Notice of Privacy Practices. If a further investigation is required, the presumption is that the Privacy Officer will play a significant role in conducting or assisting with the investigation under the direction of UWM officials detailed in the above mentioned procedure. The level of a particular student’s access shall be determined by and monitored by his or her advisor or relevant instructor. Covered Departments are encouraged to adopt policies and procedures that are stricter than the parameters set forth above, in order to maximize the protection of Protected Health Information in light of the Covered Department’s unique circumstances and practices. When business associates use our templates to build better business practices, they encourage their clients to have confidence in the way the company is run. De-identification of PHI (45 C.F.R. 164.502(d), 164.514(a)-(c)) Use of De-identified PHI Covered Departments may use PHI to create de-identified information without patient authorization. Retention of Documentation All documentation regarding complaints and the response, including any sanctions applied or corrective action, must be retained for at least 6 years. Requesting an Accounting of Disclosures (45 C.F.R. § 164.528, 42 U.S.C. § 17935) Patients may request an accounting of disclosures, maintained pursuant to Section K above.
Accounting of Disclosures Log: PDF, Word Acknowledgement of Receipt of Notice of Privacy Practices: PDF, Word Application for IRB Waiver of Authorization or Altered Authorization under the HIPAA Privacy Rule: PDF, Word Authorization Form for the Use and Disclosure of PHI: PDF, Word Authorization Form for the Use and Disclosure of Psychotherapy Notes: PDF, Word Attachment to the Authorization Form for the Use and Disclosure of Psychotherapy Notes: PDF, Word Certification for Research on the PHI of Decedents: PDF, Word Complaint Report Form: PDF, Word Data Use Agreement for Disclosures of Limited Data Sets: PDF, Word List of Privacy Officers: Webpage, PDF, Word Notice of Privacy Practices: PDF, Word Permission to Use E-mail: PDF, Word Use of PHI in Activities Preparatory to Research Certification: PDF, Word Authorization Form for the Use and Disclosure of PHI for Research Purposes: PDF, Word Retention of Accountings Submitted to Patients The Privacy Officer must retain copies of any accountings submitted to an individual patient pursuant to an accounting request. Accounting Methodology for Research Studies Encompassing More than 50 Patients If the patient information was disclosed pursuant to a study using health information of more than 50 patients, the accounting requirement can be met by providing individuals with the following information: The name of the research study; A plain-language description of the research; A brief description of the type of PHI used; The time period during which the disclosures occurred for the research study; The name, address and telephone number of the entity sponsoring the research, if applicable; and The name, address and telephone number of the researcher. Receiving Confidential Communications (45 C.F.R. § 164.522(b)) Patients of Covered Departments may request receipt of communications of Protected Health Information by alternate means or at alternate locations.
Requirements for De-identification PHI may be considered de-identified if all of the following identifiers are removed for the patient, relatives, employers, or household members of the patient: Names; Geographic subdivisions smaller than a state (i.e. county, town or city, street address, and zip code) (except that the initial 3 digits of a zip code may be disclosed where the area covered by those 3 digits contains more than 20,000 people); All elements of dates except year for dates that are directly related to an individual (including birth date, admission date, discharge date, date of death, all ages over 89 and dates indicative of age over 89) (note that ages may be aggregated into a single category of age 90 or older); Phone numbers; Fax numbers; Email addresses; Social security number; Medical record number; Health plan beneficiary number; Account number; Certificate/license number; Vehicle identifiers and serial numbers; Device identifiers and serial numbers; URLs; Internet protocol addresses; Biometric identifiers (e.g. fingerprints, DNA); Full face photographic and any comparable images; Any other unique identifying number, characteristic, or code; and Any other information about which the Covered Department has actual knowledge that it could be used alone or in combination with other information to identify the individual. Electronic PHI includes PHI that is stored on hard drives or portable memory media (disks and CDs) as well as PHI that is transmitted by e-mail or the internet. UWM will determine whether notification is required and, if so, the specifics of the required notification, pursuant to this procedure. If it is not readily producible, the Covered Department must offer to produce it in at least one readable electronic format as agreed to by the Covered Department and the individual. When the disclosure is to a researcher for research purposes, as long as the rules governing the use of Protected Health Information in research are met.
If the Covered Department has made multiple disclosures to the same person or entity for a single purpose, the accounting may, with respect to those disclosures, provide: The information required above; The frequency or number of disclosures made during the accounting period; and The date of the last such disclosure during the accounting period. (See UWM’s recommended Permission to Use E-mail.) Sign In Sheets Sign in sheets should not contain information about the patient’s condition. UWM Departments Covered by these Policies and Procedures (UWM’s Health Care Component) (45 C.F.R. § 164.103, 105) UWM is a “Hybrid Entity” under HIPAA. Disclosure of a code is the same as disclosure of PHI. View Components of HIPAA Security Policy Template Suite View HIPAA Security Policy Template’s License Cost: 495 (Opens in New Window) If you have any questions, please feel free to contact us at Bob@training-hipaa.net or call (515) 865-4591 Testimonials for HIPAA Security Policies This product made the daunting task of documenting our policies much more manageable. Emergency Situations In the event of an emergency, the Notice of Privacy Practices must be given to the patient as soon as reasonably practicable, and an Acknowledgement of Receipt is not required. This means that UWM’s business activities include both covered and non-covered functions, and that UWM has designated those departments or units that properly form its “Health Care Component” for the purpose of HIPAA coverage. “Health Care” means care, services, or supplies related to the health of an individual, and includes: preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body, and the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
Fees The Privacy Officer must provide the first accounting to a particular individual within any 12-month period without charge. Retention of Documentation (45 C.F.R. § 154.530(j), 42 U.S.C. § 17932) The Privacy Officer for each Covered Department shall retain, for at least 6 years, the following documents: Copies of any standard forms used by the Department, including notices of privacy practices, authorizations, consents, etc.; All patient requests for access or amendment to medical records or accounting of disclosures; Forms, correspondence and all other documentation related to complaints; Processes for, and content of, workforce training with respect to HIPAA; and Complete reports regarding suspected breaches of PHI and the outcome of any related investigations, including any completed notifications. Original records should not be removed from the Covered Department’s premises unless necessary to provide care or treatment or as required by law. General Safeguards to Protect PHI Minimum Necessary Rule (45 C.F.R. §§ 164.502(b), 164.514(d); 42 U.S.C. § 17935(b)) General Rule Covered Departments must make reasonable efforts to limit the use and disclosure of Protected Health Information to the minimum extent necessary to accomplish the use or disclosure’s intended purpose. Until additional guidance is issued by the Secretary of Health and Human Services, Covered Departments should use a Limited Data Set (as defined in Section J), if practicable to accomplish the intended purpose of the use or disclosure. Who should use our HIPAA Security Policy Template Suite? “Protected Health Information” (or “PHI”) is defined under HIPAA as information relating to (1) the past, present, or future physical or mental health condition of an individual, (2) the provision of health care to an individual, or (3) the past, present, or future payment for the provision of health care to an individual.
However, even if a communication falls within one of these exceptions, if a Covered Department is paid (directly or indirectly) by an outside entity to send a communication to a patient, the Covered Department is deemed to be marketing unless the communication concerns a currently prescribed drug and the payment received is “reasonable in amount” (as determined with reference to HIPAA regulations). 5. Making the Request Patients should make a request for alternate communications in writing and direct it to the Privacy Officer for the Covered Department. 4. The Dean shall make a decision on any corrective action with respect to the Covered Department’s procedures and practices. Responding to the Request/Timeliness The Privacy Officer must act on an individual’s request for an accounting no later than 60 days after the receipt of such a request in one of two ways: The Privacy Officer may provide the individual with the accounting requested; OR The Privacy Officer may exercise a one-time 30-day extension of the 60-day deadline, provided that within the initial 60 days the individual is provided with a written statement of the reasons for the delay and the date by which the accounting will be provided. Similarly, if applicable, providers may release PHI to disaster relief organizations. Procedure Privacy-related complaints must be forwarded to the Covered Department’s Privacy Officer. The above responsibilities will be accomplished, in part, by the provision of “Security Guidelines” for use by Covered Departments.
Response to the Complainant The Privacy Officer shall provide a written response to the complainant within 30 days from the date of his or her receipt of the complaint, describing briefly the factual findings, and if applicable, the extent of corrective action. The Privacy Officer shall not disclose any recommendations regarding disciplinary action to the complainant. If the complainant is not the patient who is the subject of the Protected Health Information at issue, the Privacy Officer will not disclose any Protected Health Information to the complainant. HIPAA establishes two such categories of uses and disclosures: uses and disclosures that do not require health care providers to inform the patient of the use or disclosure, and uses and disclosures that require health care providers to inform the patient of the use or disclosure and give the patient an opportunity to refuse to allow such use or disclosure. Making the Request Patients should make a request to inspect and/or obtain a copy of their Protected Health Information in writing and direct it to the Privacy Officer for the Covered Department. What to Do in the Event of Potential Breach Any individual working in or for a Covered Department or a Business Associate who suspects that there has been an impermissible acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA shall immediately and simultaneously report the circumstances of the suspected breach to the individual’s supervisor and the Privacy Officer for the Covered Department. The Privacy Officer should immediately gather any available facts about the incident and report the incident to UWM’s Information Security Office. Can you meet the challenge of creating an enterprise-wide HIPAA Security compliance policy? All e-mails of Protected Health Information should contain a prominent confidentiality notice. The nature of such discipline will be determined by the employee’s classification and the applicable disciplinary policies and procedures. Each policy must specifically reflect the Security regulations’ complex requirements, yet be worded simply enough to be understood and applied across the entire organization. Destruction Standards Protected Health Information must be discarded in a manner that protects the confidentiality of that information. To grow your client base, you’ll need to prove that you want to surpass the HIPAA requirements, not just scrape by. The Covered Department’s fax machines must be located in secure areas not readily accessible to visitors and patients. Computer/Work Stations Computer monitors must be positioned away from common areas to prevent unauthorized access or observation.
Covered Departments may also disclose PHI to a Business Associate for the purpose of creating de-identified information without patient authorization. Volunteers A volunteer who violates this policy may be subject to appropriate sanctions, including dismissal as a volunteer. Retaliation and Intimidation Are Prohibited (45 C.F.R. § 164.530(g)) It is a violation of this policy for a Covered Department or UWM to intimidate, threaten, coerce, discriminate against, or take any retaliatory action against: 1. The efforts should be documented in the space provided at the bottom of the Acknowledgement of Receipt. below) an “accounting of disclosures,” which is a listing of certain disclosures of a patient’s health information made by the Covered Department or its Business Associates to anyone outside of that Department since April 14, 2003, or during the preceding 6 years, whichever period is shorter. The screens on unattended computers must be returned to the main menu or use a password protected screen saver. Sanctions for Failure to Comply (45 C.F.R. § 160.530(e)) Individuals who violate the provisions in this policy may be subject to sanctions, as described below. Both the Provider Units and the Administrative Units are collectively referred to as “Covered Departments” under these policies and must comply with all of the policies and procedures outlined in this manual. If the Notice is delivered by e-mail, no Acknowledgment of Receipt is required so long as the patient has completed the Permission to Use E-mail.
The duties and responsibilities of each Privacy Officer (with respect to the Covered Department(s) assigned to that Privacy Officer) include: Monitoring the Covered Department(s) to ensure that it meets the criteria provided above and is appropriately designated as part of UWM’s Health Care Component under these policies (see Section B above); Ensuring that each existing and new employee within Covered Departments completes online HIPAA training at the time of hire and then no less than once every 2 years (Privacy Officers may establish a requirement for more frequent training depending on the need of the Covered Department); Ensuring that Covered Departments are working with the Security Officer and his or her designees to comply with security regulations (see Section D below); Monitoring Covered Departments to ensure that they have adopted safeguards to protect patient information (see Section E below); Monitoring Covered Departments to ensure that they are properly using the Notice of Privacy Practices and Authorization to disclose patient information, including for any research purposes (see Sections F and H below); Monitoring Covered Departments to ensure that they are properly disclosing information when an Authorization is not required (see Section G below); Monitoring Covered Departments to ensure that they are properly maintaining an Accounting of Disclosures (see Section K below); Responding to patient requests