HIPAA Privacy Rules
PURPOSE: To ensure that Chugiak Senior Center is in compliance with the Privacy Rule standards of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
POLICY:Chugiak Senior Center is committed to protecting the privacy and security of health information for our clients. Although we acquire health information for only some of our clients, most of our employees will have contact with those clients at some time. Therefore, all employees must be aware of and practice procedures that protect individual health information.
- A Privacy and Security Officer will be assigned the responsibility of ensuring compliance with HIPAA requirements through training and oversight and to deal with clients and others on issues related to personal health information. Responsibilities will include maintaining the P&Ps, providing staff training, assisting staff when individuals have questions or want access to, accounting of, or amending of personal health information.
- A Privacy Notice will be provided to all clients for whom we acquire or maintain health information and who are required to receive such notice. A Privacy Notice will be posted on the Center website, in Assisted Living and Adult Day Service Public Areas and in Outreach Nurse’s office. Whenever the Privacy Notice is amended, all clients will be offered a copy of the amended notice.
- Disclosure and use of personal health information (PHI) will be limited to the minimum necessary to provide health care to clients or other purposes as permitted or required by law.
- A confidentiality agreement will be signed by each employee to ensure that employees understand and agree to protect confidential information. New employees will have orientation to HIPAA and other confidentiality requirements as part of the hiring process.
- All staff will be trained about privacy concerns and procedures when hired or when procedures are changed. This training will be documented in each staff’s employee file.
- Officer. Procedures will include keeping documentation in locked cabinets or rooms at each program location, secure handling of records in use, shredding and required storage of records for inactive clients and protection of electronic records. See the HIPAA Security P&P for details of handling electronic records.
- Individuals may request access to their records. This request should be in writing and given to the program director. The program director will verify identity, if not personally known, narrow the request, if possible, and advise the individual of the location of other records, if any. The program director will notify the Privacy and Security Officer of the request who will coordinate access to the other records, if any. The request will be kept in the client file.
- Authorizations for release of PHI are not always required. When they are required, use the Authorization for Release of Information form. Disclose only the minimum necessary information. Authorizations are not required for an individual or individual’s representative, for treatment and payment operations, within Chugiak Senior Citizens, for court orders or to report abuse or neglect, to report for health oversight, emergency, law enforcement, and by request of some federal and state agencies. Authorizations are required for any others who are not part of the individual’s treatment team. Keep a copy of the authorization in the individual’s file. Authorizations that are made for other than treatment, payment or operations should be noted on the Authorization log.
- Individuals may request changes to their PHI. The request must be in writing and clearly identify the change desired. The program director and privacy officer will review the request within 60 days of receipt. If the request is granted, the change will be made to our files and other users notified. If the request is denied, written notice with the reason will be given to the individual. The individual can provide written disagreement to be put into their file.
- Individuals may request restrictions on the uses and disclosures of PHI and may request confidential communications. The request must be in writing and will be reviewed by the program director and privacy officer. If the restriction is agreed to, appropriate staff will be informed and the request will be filed in the individual’s file. If not agreed to, the reason for the denial will be noted on the request and the request will be filed in the individual’s file.
- The identity of those requesting PHI should be confirmed. If the individual is personally known to you, note this on the disclosure. If not, request identification and verify that the individual is authorized for this information. For public officials, this may mean an employee badge or card, a phone call to their office, or legal documents.
- Private Health Information (PHI) is all individually identifiable health information about an individual in any form, whether paper, electronic, or oral. There are no restrictions on the use of de-identified PHI. PHI may be de-identified by removing all information that may identify the individual.
- Business Associate Agreements that protect PHI will be included in contracts with those who may have access to PHI. A Business Associate is a person or organization who performs certain activities involving PHI on our behalf.
- All written and electronic documents required by the HIPAA Privacy Rule must be retained for 6 years from date of creation or last use. This includes privacy policies and procedures, privacy notices, disposition of complaints and other actions as required. See the Records Retention Policy.
For more information please contact us at 907-688-2677
Chugiak-Eagle River Senior Center
22424 N Birchwood Loop
Chugiak, AK 99567
Phone: 907 688-2677
Or E-Mail us if you have questions about our HIPPA Policy