Privacy Policy

PRIVACY POLICY STATEMENT

Visalia Family Practice 
Breana Bergdorf, Practice Administrator (559) 625-9200

Purpose: The following privacy policy is adopted to ensure that Visalia Family Practice complies fully with all federal and state privacy protection laws and regulations. Protection of patient privacy is of paramount importance to this organization. Violations of any of these provisions will result in severe disciplinary action including termination of employment and possible referral for criminal prosecution.

Effective Date: This policy is in effect as of 01/01/2020

It is the policy of Visalia Family Practice that we will adopt, maintain and comply with our Notice of Privacy Practices, which shall be consistent with HIPAA and California law.

Uses and Disclosures of Protected Health Information

HIPAA Regulation: 45 CFR §164.502(a) and 164.506(c)(4)

It is the policy of Visalia Family Practice that protected health information may not be used or disclosed except when at least one of the following conditions is true:

  1. The individual who is the subject of the information has authorized the use or disclosure.

  2. The individual who is the subject of the information has received our Notice of Privacy Practices and acknowledged receipt of the Notice, thus allowing the use or disclosure and the use or disclosure is for treatment, payment or health care operations.

  3. The individual who is the subject of the information agrees or does not object to the disclosure and the disclosure is to persons involved in the health care of the individual.

  4. The disclosure is to the individual who is the subject of the information or to HHS for compliance-related purposes.

  5. The use or disclosure is for one of the HIPAA “public purposes” (i.e. required by law, etc.).

Notice of Privacy Practices

HIPAA Regulation: 45 CFR §164.520

The policy of Visalia Family Practice is that a notice of privacy practices must be published, which describes in sufficient detail this medical practice’s privacy practices. It is the policy of this organization that this notice be provided to all subject individuals at the first patient encounter if possible, and reasonable faith efforts made to obtain a written acknowledgment of receipt, and that all uses and disclosures of protected health information be done in accord with this organization’s notice of privacy practices. It is the policy of Visalia Family Practice to post the most current notice of privacy practices in our “waiting room” area and to have copies available for distribution at our reception desk. It is the policy to prominently post the notice of privacy practices on our website if one is in place.

It is the policy to revise the notice whenever there are material changes to our privacy practices including changes in law such as the Final HIPAA Omnibus Rule of 2013.

Assigning Privacy and Security Responsibilities

HIPAA Regulation: 45 CFR §164.308(a)(2) and 164.530(a)(1)(i)

It is the policy of Visalia Family Practice that a specific individual or individuals within our workforce are assigned the responsibility of implementing and maintaining the HIPAA Privacy and Security Rule’s requirements. Furthermore, it is the policy of Visalia Family Practice that these individuals will be provided sufficient resources and authority to fulfill their responsibilities. At a minimum it is the policy of this organization that there will be one individual or job description designated as the HIPAA Privacy Official.

Restriction Requests

HIPAA Regulation: 45 CFR § 164.522(a)(1)(i), 164.502(c), & 164.522(a)(2)

It is the policy of Visalia Family Practice that consideration must be given to all requests for restrictions on uses and disclosures of protected health information as published in this organization’s Notice of Privacy Practices or otherwise in place. It is furthermore the policy of this organization that if a particular restriction is agreed to, then this organization is bound by that restriction.

Additionally, it is the policy of Visalia Family Practice that any request by a patient or their personal representative for a restriction on disclosure of protected health information to a health plan (to whom the patient is a subscriber or plan member) will be honored if the patient pays in full for the services rendered, and where otherwise disclosure is not required by law. Such requests may be rescinded for failure to make or maintain payment for services.

Workforce Access to Protected Health Information

HIPAA Regulation: 45 CFR §164.514(d)(2)

Visalia Family Practice's policy is that access to protected health information must be granted to each employee or contractor based on the assigned job functions of the employee or contractor.  Visalia Family Practice's policy is that such access privileges should not exceed those necessary to accomplish the assigned job function.

Access to Protected Health Information by the Individual

HIPAA Regulation: 45 CFR § 164.524(a)(1), 164.524(b)(2)(i), 164.524(c)(1), 164.524(c)(2)(i), 164.524(c)(4), 164.524(d)(3), 164.524(e)(1)

It is the policy of Visalia Family Practice that access to protected health information must be granted to the person who is the subject of such information when such access is requested, or at the very least within the timeframes required by the HIPAA Privacy Rule or California law, which is more stringent. Access may be granted as physical or electronic copies or inspection based on the patient's preference. Visalia Family Practice's policy is to inform the person requesting access of the location of protected health information if we do not physically possess such PHI but have knowledge of its location.

The policy is to review all requests and determine that access does not create endangerment or run contrary to HIPAA or State law.

It is the policy to provide electronic copies of protected health information maintained electronically in one or more designated record sets in the form and format requested by the patient if these are readily reproducible and, if not, in a mutually agreeable form and format, or in paper form if a mutually agreeable form and format is not available.

It is the policy to provide electronic copies to third parties at the patient’s specific direction where such request is in writing.

It is the policy to provide by email, electronic copies to the patient or a third party at the patient’s specific direction using unencrypted email only after the patient has been advised of the risks of such use and has acknowledged in writing these risks. 

It is the policy of Visalia Family Practice that wherever possible we will encourage the patient to receive copies by the use of encrypted transmission [Insert the type of technology you may have such as “encrypted email”, “patient portal” and so forth]. It is the policy of Visalia Family Practice that all other electronic transmissions will only be done using secure transmission technology including but not limited to email, text messaging and so forth.

It is the policy to only charge a reasonable cost-based fee to the patient for paper or electronic copies; where applicable this cost-based fee may include the cost of skilled labor to assemble and create an electronic copy and/or the cost of media requested by the patient for the copy.

Amendment of Incomplete or Incorrect Protected Health Information 

HIPAA Regulation: 45 CFR §164.526(a)(1), 164.526(b)(2)(i), 164.526(b)(2)(i)(B), 164.526(c)(1), 164.526(c)(2), 164.526(c)(3), 164.526(d), 164.526(e), 164.526(f)

It is the policy of Visalia Family Practice that all requests for amendment of incorrect protected health information maintained by this organization will be considered in a timely fashion. If such requests demonstrate that the information is actually incorrect, this organization will allow amending language to be added to the appropriate document and this addition will be done in a timely fashion. It is also the policy of this organization that notice of such corrections will be given to any organization with which the incorrect information has been shared. It is the policy to deny amendment requests where the protected health information is accurate or has not been created by Visalia Family Practice. In cases of denial it is the policy to allow the patient the opportunity to provide a statement of denial that will be inserted in the medical record. [Note: Although it is not a specific HIPAA requirement, you may want to add text to the effect that no one is allowed to change, remove or strike through any original document that contains treatment or diagnosis related protected health information.]

Access by Personal Representatives

HIPAA Regulation: 45 CFR §(g)(1)-(4)

It is the policy of Visalia Family Practice that access to protected health information must be granted to personal representatives of individuals as though they were the individuals themselves, except in cases of abuse where granting said access might endanger the individual or someone else.  We will conform to the relevant custody status and the strictures of state, local, case, and other applicable law when disclosing information about minors to their parents.

Confidential Communications Channels 

HIPAA Regulation: 45 CFR § 164.522(b)(1)(i) and (ii)

It is the policy of Visalia Family Practice that confidential communications channels be used, as requested by the individuals, to the extent possible.

Disclosure Accounting 

HIPAA Regulation: 45 CFR § 164.528(a)(1) and 164.528(b)

It is the policy of Visalia Family Practice that an accounting of all disclosures subject to such accounting of protected health information be given to individuals whenever such an accounting is requested and within the timeframes required by law.

Verbal Permission and Decedent Friends and Family Access

HIPAA Regulation: 45 CFR § 164.510(b) and 164.510(b)(3)

It is the policy of Visalia Family Practice that a patient may grant limited access to friends or family who are not legal personal representatives based upon verbal permission by the patient. Such verbal permission shall be documented and periodically confirmed with the patient.

It is the policy to provide friends and family of a deceased patient limited access to protected health information under the same circumstances that disclosures of this information would have been made when the patient was alive when these individuals were involved in payment or providing care for the patient and Visalia Family Practice is unaware of any expressed preference to the contrary.

Immunizations

HIPAA Regulation: 45 CFR § 164.512(b)

It is the policy of Visalia Family Practice to provide immunization data to a patient’s school where such data is required for admission and where the patient or their personal representative has provided an informal request for such release such as a verbal request. It is the policy to document in the medical record the date and time of such informal requests. It is the policy that such immunization data will be disclosed in a secure method.

Deceased Individuals

HIPAA Regulation: 45 CFR § 164.502(f), 164.502(g)(4) and 164.512(g)

It is the policy of Visalia Family Practice that privacy protections extend to information concerning deceased individuals including protection of a decedent's protected health information for 50 years after the date of their death.

Minimum Necessary Use and Disclosure of Protected Health Information

HIPAA Regulation:  45 CFR § 164.502(b), 164.502(i), 164.506(c)(4), 164.512(j)(3), 164.514(d)(3)(i), 164.514(d)(3)(ii), 164.514(d)(5), 164.514(d)(4)(i), (ii), (iii)

It is the policy of Visalia Family Practice that for all routine and recurring uses and disclosures of PHI (except for uses or disclosures made 1) for treatment purposes, 2) to or as authorized by the patient or 3) as required by law for HIPAA compliance) such uses and disclosures of protected health information must be limited to the minimum amount of information needed to accomplish the purpose of the use or disclosure. It is also the policy that non-routine uses and disclosures will be handled pursuant to established criteria. It is also the policy of this organization that all requests for protected health information (except as specified above) must be limited to the minimum amount of information needed to accomplish the purpose of the request.

Verification of Identity

HIPAA Regulation:  45 CFR § 164.514(h)(1)(i) and (ii)

It is the policy of Visalia Family Practice that the identity of all persons who request access to protected health information be verified before such access is granted.

Judicial and Administrative Proceedings

HIPAA Regulation:  45 CFR § 164.512(e)(1), 164.512(e)(1)(i) and (ii)

It is the policy of Visalia Family Practice that information be disclosed for the purposes of a judicial or administrative proceeding only when accompanied by a court or administrative order or grand jury subpoena, or when accompanied by a subpoena or discovery request that includes one of the following: the authorization of the individual to whom the information applies; documented assurances that good faith effort has been made to adequately notify the individual of the request for their information and there are no outstanding objections by the individual; or a qualified protective order issued by the court. If a subpoena or discovery request is submitted to us without one of those assurances, we will seek to notify the individual, obtain his or her authorization, or obtain a qualified protective order before we disclose any information. We will not disclose information other than that required by the court order, subpoena, or discovery request.

De-Identified Data and Limited Data Sets

HIPAA Regulation: 45 CFR § 164.514(b), 164.514(e)(2)-(4)

It is the policy of Visalia Family Practice to disclose de-identified data only if it has been properly de-identified by a qualified statistician or by removing all the relevant identifying data.  We will make use of limited data sets, but only after the relevant identifying data have been removed and then only to organizations with whom we have adequate data use agreements and only for research, public health, or health care operations purposes.

Marketing Activities

HIPAA Regulation: 45 CFR § 164.508(a)(3)(i)

It is the policy of Visalia Family Practice that any uses or disclosures of protected health information for marketing activities will be done only after a valid authorization is in effect. It is the policy of this organization to consider marketing any communication intended to induce the purchase or use of a product or service where an arrangement exists in exchange for direct or indirect remuneration, or where this organization encourages purchase or use of a product or service directly to patients. This organization does not consider the communication of alternate forms of treatment, or the use of products and services in treatment, or a face-to-face communication made by us to the patient, or a promotional gift of nominal value given to the patient to be marketing, unless direct or indirect remuneration is received from a third party and the communication is not to a health plan enrollee concerning: 1) a provider’s participation in the health plan’s network, 2) the extent of covered benefits, or 3) the availability of more cost-effective pharmaceuticals. This organization may make remunerated communications tailored to individual patients with chronic and seriously debilitating or life-threatening conditions for the purpose of educating or advising them about treatment options or maintaining adherence to a prescribed course of treatment, without a signed patient authorization. If we do so, we will disclose in at least 14-point type the fact that the communication is remunerated, the name of the party remunerating us, and the fact the patient may opt out of future remunerated communications by calling a toll-free number. This organization will stop any further remunerated communications within 30 days of receiving an opt-out request.

Authorizations

HIPAA Regulation:  45 CFR § 164.508(a)(1), 164.508(a)(3)(ii), 164.508(b)(2) & (3) & (5), 164.508(c), 164.508(c)(4)

It is the policy of Visalia Family Practice that a valid authorization will be obtained for all disclosures that are not for: treatment, payment, health care operations, to the individual or their personal representative, to persons involved with the individual’s care, to business associates in their legitimate duties, to facility directories or for public purposes. This authorization will include all the mandatory elements and any authorizations generated from outside this organization will be checked to see if they are valid. It is the policy that where applicable conditioned and unconditioned authorizations for clinical research may be combined provided patients may opt-out of unconditioned research activity and that authorizations may encompass future research. It is the policy that patients will not be enrolled in any clinical research trial this organization conducts unless additional informed consents and specific authorizations are obtained.

Mental Health Records

HIPAA Regulation:  45 CFR § 164.508(a)(2)

It is the policy to require authorization for any use or disclosure of psychotherapy notes, as defined in the HIPAA regulations, except for treatment, payment or healthcare operations as follows:

A. Use by originator for treatment;

B. Use for training physicians or other mental health professionals as authorized by the regulations;

C. Use or disclosure in defense of a legal action brought by the individual whose records are in issue;

D. Use or disclosures as required by law, or as authorized by law to enable health oversight agencies to oversee the originator of the psychotherapy notes.

Complaints 

HIPAA Regulation:  45 CFR § 164.530(a)(1)(ii)

It is the policy of Visalia Family Practice that all complaints relating to the protection of health information be investigated and resolved in a timely fashion. Furthermore, it is the policy that all complaints will be addressed to [name or job title of person authorized to handle complaints (i.e. Privacy Official)], who is duly authorized to investigate complaints and implement resolutions if the complaint stems from a valid area of non-compliance with the HIPAA Privacy and Security Rule.

Prohibited Activities-No Retaliation or Intimidation

HIPAA Regulation: 45 CFR § 164.508(b)(4), 164.522(b)(2)(iii), 164.530(g), 164.530(h)

It is the policy of Visalia Family Practice that no employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA regulations. It is also the policy of this organization that no employee or contractor may condition treatment, payment, enrollment or eligibility for benefits on the provision of an authorization to disclose protected health information except as expressly authorized under the regulations.

Responsibility

HIPAA Regulation: 45 CFR § 164.530(a)(1)(i)

It is the policy of Visalia Family Practice that the responsibility for designing and implementing procedures to implement this policy lies with the Privacy Official.

Mitigation

HIPAA Regulation: 45 CFR § 164.530(f)

It is the policy of Visalia Family Practice that the effects of any unauthorized use or disclosure of protected health information be mitigated to the extent possible.

Safeguards

HIPAA Regulation: 45 CFR § 164.530(c)(1) 

It is the policy of Visalia Family Practice that appropriate physical safeguards will be in place to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule. These safeguards will include physical protection of premises and PHI, technical protection of PHI maintained electronically and administrative protection. These safeguards will extend to the oral communication of PHI. These safeguards will extend to PHI that is removed from this organization.

Business Associates

HIPAA Regulation: 45 CFR § 164.308(b), 164.314(a)(2)(i), 164.502(e)(1)(i), 164.504(e)(1)(ii), 164.502(e)(1)(iii), 164.502(e)(2)

It is the policy of Visalia Family Practice that business associates must be contractually bound to protect health information to the same degree as set forth in this policy. It is also the policy of this organization that business associates who violate their agreement will be dealt with first by an attempt to correct the problem, and if that fails by termination of the agreement and discontinuation of services by the business associate. It is the policy to use business associate agreements that provide sufficient protection and communication in the event of a breach of unsecured protected health information, and that agreements contain sufficient language regarding the business associate’s agents and subcontractors’ similar protections.

Training and Awareness

HIPAA Regulation: 45 CFR § 164.530(b)(1) & 164.308(a)(5)(i)

It is the policy of Visalia Family Practice that all members of our workforce have been trained by the compliance date on the policies and procedures governing protected health information and how this organization complies with the HIPAA Privacy and Security Rules. It is also the policy of this organization that new members of our workforce receive training on these matters within a reasonable [you may elect to enter the exact time frame] time after they have joined the workforce. It is the policy of this organization to provide training should any policy or procedure related to the HIPAA Privacy and Security Rule materially change. This training will be provided within a reasonable time [you may elect to enter the exact time frame] after the policy or procedure materially changes. Furthermore, it is the policy of this organization that training will be documented indicating participants, date and subject matter.

Material Change

HIPAA Regulation: 45 CFR § 164.530(i)(2)

It is the policy of Visalia Family Practice that the term “material change” for the purposes of these policies is any change in our HIPAA compliance activities.

Sanctions

HIPAA Regulation: 45 CFR § 164.530(e)(1)

It is the policy of Visalia Family Practice that sanctions will be in effect for any member of the workforce who intentionally or unintentionally violates any of these policies or any procedures related to the fulfillment of these policies. Such sanctions will be recorded in the individual’s personnel file.

Retention of Records

HIPAA Regulation: 45 CFR § 164.530(j)(2)

It is the policy of Visalia Family Practice that the HIPAA Privacy Rule records retention requirement of six years will be strictly adhered to. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at this organization’s discretion to meet with other governmental regulations or those requirements imposed by our professional liability carrier.

Regulatory Currency

HIPAA Regulation: 45 CFR § 164.530(i)(2) thru 164.530(i)(3)(4)(5) and 164.530(j)(1)(iii)

It is the policy of Visalia Family Practice to remain current in our compliance program with HIPAA regulations.

Cooperation with Privacy Oversight Authorities

HIPAA Regulation: 45 CFR § 160.310(b) and 160.310(c)(1)

It is the policy of Visalia Family Practice that oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services be given full support and cooperation in their efforts to ensure the protection of health information within this organization. It is also the policy of this organization that all personnel must cooperate fully with all privacy compliance reviews and investigations.

Investigation and Enforcement 

HIPAA Regulation: 45 CFR § 160.310(b), 164.502(a)(2)(ii) and 164.512(j)(2)

It is the policy of Visalia Family Practice that in addition to cooperation with Federal or State authorities, Visalia Family Practice will follow procedures to ensure that investigations are supported internally and that members of our workforce will not be retaliated against for cooperation with any authority. It is our policy to attempt to resolve all investigations and avoid any penalty phase if at all possible.