HIPAA Privacy and Security Operational Guide

HIPAA Privacy and Security Operational Guide/August, 2016 CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING...

17 downloads 703 Views 425KB Size
Ensign Services, Inc. HIPAA Privacy and Security Operational Guide This guide has been created for Ensign-affiliated facilities and entities to serve as an overview of the daily operating policies and procedures with regard to maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA). This operational guide is intended to represent a simplified version of the company’s detailed policies and procedures and is to be used by workforce members and management as a quick reference to answer many of the daily questions that arise concerning HIPAA. The HIPAA Privacy Rule creates national standards to protect a patient’s or resident’s medical record and other personal health information. As healthcare providers we use and disclose sensitive individually identifiable information daily and it is our duty to protect that information. It is important we understand a few important concepts related to our handling of patient or resident information in order to protect their privacy rights afforded under the HIPAA privacy rule. An understanding of these concepts will also serve in implementation of policies and procedures. Protected Health Information (PHI) is defined as individually identifiable health information that is transmitted or maintained by a facility/entity in any form or medium. Individually Identifiable Information is defined as a subset of health information including demographic information collected from a patient or resident and is created or received by us and relates to the past, present, or future physical or mental health or condition of a patient or resident and can be used to identify the patient or resident. What Information Is Protected? - Information doctors, nurses, therapists, consultants, and other health care providers document in the medical record; both on paper and electronically - Conversations about patient or resident care with others - Billing and financial information - Contact information including email address - Photographs - Most other health information that includes individually identifiable information It is best to assume every piece of information is protected and to inquire as to whether or not it can be used or disclosed for your intended purpose. When in doubt, please ask.

HIPAA Privacy and Security Operational Guide/August, 2016

USING PATIENT/RESIDENT INFORMATION When we USE PHI we share, utilize, examine, and analyze information that remains WITHIN our facility/entity. Examples of use include; TREATMENT: discussing patient or resident care with physicians, during care conferences, with nurses/therapists PAYMENT: billing for services provided, collecting payment, verifying benefits HEALTHCARE OPERATIONS: collecting data for quality improvement activities, monitoring, and training activities. These are all permissible (allowed) uses of a patient’s or resident’s health information. Are we allowed to include patient/resident information in facility directories and post their name on the door of their room? Patients and residents receiving care in a SNF or ALF should be afforded the right to determine;  Whether or not their name is posted outside their room  If their information is shared with family and friends and identify those we may share information (also applies to hospice and home health)  Whether or not callers may be given information  Whether or not clergy may be given information At admission, ask the patient or resident to complete the Communication Method Request form as part of the Notice of Privacy Practices. Ensure staff are knowledgeable of the patient’s or resident’s preferred methods for communication. The following situations are NOT permitted when using PHI: - Discussing patient or resident care in open, public areas or with others that should not have the information - Sharing more information than necessary to provide treatment or bill for services - Accessing or copying records without a specific treatment, payment, or operational purpose What can you do to protect information while using it to care for our patients and residents?  Limit information to the minimum necessary to accomplish the intended purpose of the use  Discuss patient and resident care in private areas – when a private area is not available lower voice and be aware of those that may overhear  When discussing care with the patient or resident in a shared room ask the patient or resident if they object to the discussion - find a private location if an objection is expressed  Secure documents from public view  Access only those records/documents needed to accomplish the task of providing treatment, billing for services, or other operational functions

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

DISCLOSING PATIENT/RESIDENT INORMATION We also DISCLOSE protected health information for treatment and payment purposes. Disclosure is the release, transfer, provision of access to, or divulging of PHI OUTSIDE the facility/entity in order for others to provide treatment or bill for services. These disclosures are permitted under the HIPAA rule and include; sending records with the patient or resident to the hospital or to an appointment, faxing PHI to a physician, and transmitting claims for payment. When disclosing PHI we must follow the Minimum Necessary standard. This standard is defined as making reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. Using or disclosing an entire medical record is not justified unless releasing it is reasonably necessary to accomplish the purpose of the use or disclosure. An example of reasonably necessary would be to release the entire record pursuant to a subpoena. How do we account for these disclosures? Use the Accounting of Disclosure log to document all disclosures of protected health information except those for; - For treatment, payment, and healthcare operations - To the patient/resident (or personal representative) - Pursuant to the patient’s/resident’s authorization - For the facility/entity directory - To persons involved in the patient’s/resident’s care - For national security or intelligence purposes - To correctional institutions or in law enforcement custodial situations When does Minimum Necessary NOT apply? You may disclose required PHI;  To healthcare providers for treatment purposes  To the patient or resident  Pursuant to a valid authorization  To the Secretary of the Department of Health and Human Services (DHHS)  As required by law There are times when, with good intention, we inadvertently disclose information to the wrong person. Examples of inadvertent disclosures to other HIPAA covered parties include;  Faxing PHI to the wrong physician  Sending one patient’s or resident’s PHI with another patient or resident to the hospital or to an appointment

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

What do we do when these inadvertent disclosures occur?  Notify Privacy Officer or contact the Compliance Hotline  Secure the PHI by contacting the person/entity to which the PHI was faxed or sent and inform them of the mistake  Notify the patient or resident, typically by writing and delivering a letter of apology assuring them the PHI was secured and procedures were implemented to prevent another mistake When is a disclosure NOT permitted? Ø Sharing information with family and/or friends Ø Posting any patient and resident information, including photographs, on social media sites Ø Sending PHI to others that do not have authorization to receive that information Ø Removing PHI from the facility/entity without it being secure and for a specific treatment or billing purpose ______________________________________________________________________________ When you become aware of any disclosure resulting in a compromise of patient or resident health or financial information report it immediately to the Privacy Officer or contact the Compliance Hotline. ______________________________________________________________________________ Breaches of PHI What is a breach? The everyday definition of breach is an infraction or violation of a law, obligation, or standard. HIPAA defines breach as the acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the PHI. Examples of possible breaches; - Lost or stolen mobile device, including computers - Sending/faxing/emailing PHI to someone other than a healthcare provider or authorized patient/resident representative - Stolen patient or resident documents from a home or car - Posting PHI, including pictures, on a social media site - Unsecured documents (not shredded, left open/unlocked) - Texting PHI - Discussing protected information with those that do not have a need to know

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

What must we do when we suspect a breach has occurred? When we use or disclose PHI in a manner not permitted under the HIPAA rule we must assume a breach has occurred (PHI has been compromised) and conduct a risk assessment to determine the extent to which the PHI has been compromised. In some cases the patient or resident must be notified through a sent letter and in others involving financial information, credit protection is offered to provide the patient or resident the ability to monitor suspicious activity. What is NOT a breach? A breach is not an acquisition, access, or use made in good faith and within the scope of the employee’s job function and does not result in further use or disclosure, such as; - Employee unintentionally accesses the wrong medical record – the employee was working within their job scope and did not use or disclose the information further - A fax containing PHI was accidentally faxed to the wrong physician’s office - the physician is a Covered Entity under HIPAA, therefore, must also abide by the HIPAA rule, and the office notified us of the misdirected fax and shredded the document(s) - Discussing care with family or friends involved in the patient’s or resident’s care and known to the facility/entity How do I protect our PHI from a possible breach?  Ensure all computers and mobile devices are encrypted by only accessing PHI from a device provided by the IT department  Do not save any PHI on an external drive  Lock PHI in a secure file bag in the trunk when transporting o Use the PHI in Transit Log to document PHI moving in/out of your facility/entity  Lock medication cart computers in cart when not in use  Use only Tiger Text or Secure Conversations in Point Click Care as a secure means of texting PHI and educate staff to use only Tiger Text or Secure Conversations in Point Click Care for texting PHI  When traveling with a computer lock in trunk when not in use  When sending emails containing PHI outside the network, encrypt by typing [ENCRYPT] in the subject like of the email  Lock the medical records room when unattended and overnight  Shred documents immediately  Remove documents from fax machines immediately after faxing  Verify fax numbers before sending a fax and call the recipient to ensure receipt  Check documents carefully prior to releasing them  Verify identity and authority of those requesting and accepting PHI  Use an approved fax cover sheet  Educate staff about using cell phones in patient and resident care areas within the facility/entity  Educate staff to refrain from taking photographs or videos of patients or residents  Obtain patient’s/resident’s written consent for all photographs and videos when used for approved facility/entity activities

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

How do I encrypt an email containing PHI sent outside the company’s network? In the subject line of the email type [ENCRYPT] Do not include any PHI in the subject line Patient/Resident Privacy Rights Afforded Under HIPAA Patients and residents have the right to make informed choices when seeking care and reimbursement for care and on how their personal health information may be used. They have the right to:  Ask to see and get a copy of their health records; including electronic records  Have corrections added to their health information  Receive a notice that tells them how their health information may be used and shared (this is call the Notice of Privacy Practices)  Give permission before their health information can be used or shared for certain purposes, such as for marketing  Revoke their permission to share their PHI  Request that healthcare providers communicate with them about medical matters in a certain way or at a certain location  Decide which friends and family members may have information related to their care  Receive a report on when and why their health information was shared for certain purposes (this is call an Accounting of Disclosures)  File a complaint with their provider, health insurer, or the Office for Civil Rights Does a patient or resident automatically have access to every document in their record? No, there are circumstances in which we can deny a patient or resident access to their information; o Psychotherapy notes o Information compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding o In cases where the facility or entity is acting under the direction of a correctional institution, deny the request of an inmate if such access would endanger the health or safety of the individual or anyone else o The information was obtained from someone under a promise of confidentiality, and the access requested would be reasonably likely to reveal the source of the information o A licensed health care professional, in the exercise of professional judgment, finds that access would likely endanger the life or physical safety of the patient/resident, or cause substantial harm to the patient/resident or another person o The information references another person (other than a health care provider) and the access would likely cause substantial harm to that person o The access request is made by a personal representative and the personal representative would likely cause harm to the patient/resident or another person

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

Can the patient or resident appeal our decision to deny access? A patient or resident reserves the right to appeal our decision to deny them access to their PHI in the following circumstances; - A licensed health care professional, in the exercise of professional judgment, finds that access would likely endanger the life or physical safety of the patient/resident, or cause substantial harm to the patient/resident or another person - The information references another person (other than a health care provider) and the access would likely cause substantial harm to that person - The access request is made by a personal representative and the personal representative would likely cause harm to the patient/resident or another person A denial letter will be drafted by Compliance and must be provided to the patient or resident describing the reason for the denial. The patient or resident must be afforded the opportunity to appeal the denial by completing the Denial of Access to PHI and Appeal Form Please contact the Privacy Officer for guidance in these circumstances. How do I afford patients and residents their rights while in my care?  Designate a HIPAA Liaison within your facility/entity to serve as the contact for questions and requests  At admission, provide every patient and resident (or representative) a copy of our Notice of Privacy Practices  If you have a website, post the Notice of Privacy Practices there  Post the Notice of Privacy Practices for patients and residents in a visible location within your facility/entity (be sure this is at wheelchair height)  Provide copies of the Notice of Privacy Practices on request  At admission, complete the Communication Method Request form with the patient or resident to understand how and with whom they want their information shared o Ensure all staff are aware of the patient’s or resident’s wishes  Provide patients and residents access to their medical information, including electronic documents o Arrange a time and location with patient or resident  Provide patients and residents the right to request changes to their medical information when they believe it is incorrect (Request for Amendment of Records)  Allow patients and residents to exercise their right to receive confidential communications  Provide patients and residents the right to restrict the information we share  Provide patients and residents the right to know with whom we have shared their information (Accounting of Disclosures)  Be transparent with patients and residents on how to exercise their right to file a complaint when they believe their rights have been violated  Obtain a signed authorization from the patient or resident (or representative) prior to releasing records

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

Are we permitted to charge the patient/resident (or there representative) to copy their record? Yes, you may charge a reasonable, cost-based fee for copying records. The fees may only be applied to the actual labor for copying, supplies, and postage when records are sent. You may not charge for the time it takes to locate the record. You may not default to state allowances. Fees must be calculated; - Per case (labor and supply costs dependent on size of record) - As an average and applied to all patients and residents, or - Defaulting to a charge of $6.50 for each case  You may not charge another healthcare entity when records are requested for continuity of care.  HIPAA does not override those State laws that provide patients and residents with greater rights of access to their health information than the HIPAA Privacy Rule does. If your state provides the patient or resident the right to receive their first copy free of charge, you must comply with the state’s allowance. What is an authorization? An authorization is a document obtained from the patient or resident granting us permission to release their PHI. The authorization must contain specific elements and be signed and dated by the patient or resident to be considered valid. A valid authorization form is available on the portal. When do I need authorization from the patient or resident?  To release psychotherapy notes (unless used for treatment or training purposes)  For marketing  To sell PHI  To release information to a third party at the patient’s or resident’s request When do I NOT need authorization from the patient or resident?  Treatment purposes: you may use or disclose PHI when providing treatment or discussing treatment with other healthcare providers  Payment purposes: you may use or disclose PHI when processing and submitting information to receive payment for services provided  Operational purposes: you may use PHI internally for activities such as; quality improvement, data analysis  Providing information to the Department of Health and Human Services (DHHS)  As required by law  Public health activities  Reporting abuse or neglect  Health oversight activities  Judicial and administrative proceedings  Disclosure for decedents  Disclosure for cadaveric organ, eye, or tissue donation purposes

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

 

Disclosure to avert serious threat to health or safety Disclosure for Worker’s compensation

Authorization is not requested of the patient or resident to gain access to or copy their PHI. This request is processed through the Request for Access to PHI form. How do I document compliance with the HIPAA Rule? When the patient or resident has designated a personal representative to act on their behalf, the personal representative must be granted the same rights as the patient or resident  At admission, ask the patient or resident (or representative) to acknowledge receipt of the Notice of Privacy Practices by signing the acknowledgement form  At admission, ask the patient or resident to complete the Communication Method Request form  Ask the patient or resident to complete and sign the Request to View and Copy PHI form with requests to access/inspect/copy records  Obtain a signed/dated authorization before disclosing PHI  When a patient or resident believes information in their record is incorrect and requests an amendment ask the patient or resident to complete and sign a Request For Amendment of Records form  When a patient or resident wishes to receive confidential communications in a specific method ask the patient or resident to complete and sign a Request for Confidential Communication form  Account for disclosures of PHI  Obtain written consent for all photographs and videos used for approved facility/entity purposes  Ask staff to complete the PHI in Transit log when transporting PHI  Ensure staff complete and attest to completing all HIPAA training  Complete the Breach log for all breaches and notify the Privacy Officer of all breaches  Document discipline provided in response to HIPAA violations  Provide patient or resident with copies of signed documents  File all documentation in the patient’s or resident’s medical record How do I store my closed medical records? HIPAA requires the physical security of medical records from fire or water damage, erroneous destruction and theft. Individual states also outline storage requirements to include; storage of records IN the facility, patient health record cannot be removed from the facility unless the record is being moved into an offsite storage facility, and medical records shall be stored safely to provide protection from loss, damage, unauthorized use and disclosure. Short-term storage: lock in a file cabinet in a locked office (double lock standard) Long-term storage: Catalog and send to a secure, off-site storage facility (example-Iron Mountain) Ø Storage sheds do not offer the protection needed to avoid damage or theft

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

What is a Business Associate? A business associate is a person who creates, receives, maintains, or transmits PHI on our behalf. They are a separate entity providing a contracted service for us. Includes those vendors that process claims, bill for services, analyze data, provide coding of documentation, transmit data, manage benefits, provide quality improvement analysis When do I need a Business Associate Agreement (BAA)? When anyone, other than a healthcare provider rendering treatment, that creates, receives, maintains, or transmits PHI on your behalf a BAA is required. How do I get a BAA? Email contracts at [email protected] Who is not a Business Associate? - A healthcare provider - A government agency for determining eligibility for or enrollment in a government health plan - A workforce member defined as employees, volunteers, students, medical residents, and trainees under direct control of the facility/entity, whether or not they are paid by the facility or entity If someone is a non-employee how are they granted access to my PHI? Non-employee workforce members must complete the HIPAA training in Ensign U and sign a User Agreement outlining their responsibilities related to accessing, using, and disclosing PHI as part of their function for the facility or entity. Once HIPAA training is complete and the user agreement signed IT will grant access to electronic systems consistent with the non-employee workforce member’s role. What can I do to help? Remind others to; o Never post patient or resident information to social media sites o Discuss patient or resident care in private areas or to lower voices in common areas o Use only encrypted computers and mobile devices o Avoid using personal devices in patient and resident care areas o Verify fax numbers prior to sending PHI via fax o Double check documents prior to releasing them to another person or facility o Verify we have permission from the patient or resident to release documents o Secure PHI at all times o Secure computers and mobile devices at all times o Never discuss patient or resident care outside of work o Report concerns with patient or resident privacy

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

Are there fines associated with HIPAA violations? Fines may be imposed in the following manner; Violation Category Per Patient – per violation penalty Did not know $100 to $50,000 Reasonable Cause $1,000 to $50,000 Willful neglect $10,000 to $50,000 corrected Willful neglect - not $50,000 corrected

Annual cap for all violations of identical provision $1.5 million $1.5 million $1.5 million $1.5 million

What are my next steps? □ Print and make this operational guide available to your staff □ Ensure staff are familiar with all HIPAA policies, procedures, and forms available on the portal o You may print and make a HIPAA binder if you wish □ Designate a HIPAA Liaison for your facility/entity o Compliance can conduct training with this individual as requested □ Print your personalized Notice of Privacy Practice (NPP) from the portal and post in a public area within your facility/entity o Also post on website as applicable □ Remove all old versions of the NPP from admission documents and replace with the newest version □ Determine if texts containing PHI are being sent and ensure encryption through secure application □ Ensure staff understand encryption of email containing PHI sent outside the secure network □ Determine if staff are using phones in patient and resident care areas and educate to not using phones to take pictures or record videos of patients or residents □ Ensure all staff complete HIPAA training as assigned □ Ensure all active and closed medical records are secure □ Make secure shred bins readily available to all staff □ Determine your methodology for charging reasonable fees for copying records and educate staff to the process □ Ensure there is a process for maintaining all HIPAA-relevant documentation □ Make a list of all workforce members (employees, volunteers, students, medical residents, and trainees under direct control of the facility/entity, whether or not they are paid by the facility or entity) o If these workforce members have access to PHI, either on paper or electronically, ensure there is a signed user agreement in place o For employees, ensure HIPAA training is complete

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

□ Make a list of all business associates (anyone, other than healthcare providers rendering treatment, that creates, receives, maintains, or transmits PHI on your behalf) o Obtain a business associate agreement if one is not in place Where do I go with questions or for more information?  Become familiar with all HIPAA policies, procedures, and forms o These are found on the portal  Complete annual HIPAA training  Participate in other available training related to HIPAA  Contact IT at 949-540-1200  Contact the Privacy Officer, Shelley Johnson at 314-852-4143  Contact the Lead Compliance Partner, Casey Bastemeyer at 949-201-3395  Contact the Security Officer, Tyler Douglas at 949-285-2511  Contact the Chief Compliance Officer at 949-540-1212 How do I report a concern? Contact the Compliance Hotline – 866-256-0955 HIPAA today is so much more than just refraining from discussing patient/resident information in public areas and protecting passwords. Taking your knowledge of HIPAA to the next level is critical for ensuring we are following the numerous regulations. Please use this guide and other available resources to better understand your role and responsibility in protecting our patient’s and resident’s health information.

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

Definitions and Acronyms This guide should be considered as a supplementary reference for understanding definitions and acronyms when using and understanding company policies and procedures associated with HIPAA. Office for Civil Rights (OCR) shall be defined as the branch of the DHHS that is responsible for federal oversight of the privacy regulations. Health Insurance Portability and Accountability Act (HIPAA) shall be defined as policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information as well as outlining numerous offenses relating to health care and sets civil and criminal penalties for violations. Protected Health Information (PHI) shall be defined as individually identifiable health information that is transmitted or maintained by a Covered Entity in any form or medium. Electronic Protected Health Information (e-PHI) shall be defined as individually identifiable health information maintained in electronic form. Unsecured Protected Health Information shall be defined as protected health information (PHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or other methodology. Individually Identifiable Health Information (IIHI) shall be defined as a subset of health information including demographic information collected from an individual and is created or received by a health care provider and relates to the past, present, or future physical or mental health or condition of an individual. Disclosure shall be defined as the release, transfer, provision of access to, or divulging information outside the entity holding the information. Incidental Disclosure shall be defined as a secondary disclosure that occurs when disclosing other PHI. Use shall be defined as sharing, utilization, examination, or analysis of protected information within a covered entity that maintains such information. Access shall be defined as the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

Confidentiality shall be defined as data or information is not made available or disclosed to unauthorized persons or processes. Encryption shall be defined as the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Administrative Safeguards shall be defined as administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information. Physical safeguards shall be defined as physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. De-identification shall be defined as the removal of any individually identifiable data that may allow someone to connect the data in question with a specific person. Business Associate (BA) shall be defined as a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information or a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. Business Associate Agreement (BAA) shall be defined as a contract that serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. Limited Data Set shall be defines as a set of data in which most individual identifiers have been removed. Minimum necessary shall be defined as making reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. Good faith shall be defined as the effort made, information given, or transaction done, honestly and without a deliberate intention to wrong another party

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

Breach shall be defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI and is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment. Covered Entity shall be defined as a healthcare provider who transmits any health information in electronic form. Workforce shall be defined as employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such entity, whether or not they are paid by the covered entity or business associate. Reasonable accommodation shall be defined as an adjustment made to accommodate an individual based on a proven need. Authorization shall be defined as permission given by the individual to use and/or disclose protected health information about the individual. The requirements of a valid authorization are defined in the HIPAA regulations. Designated record set (DRS) shall be defined as a group of records maintained by or for the facility/entity that consists of the medical and billing records created during care for a patient/resident and is used, in whole or in part, by or for the facility/entity to make decisions about the patient/resident. Record shall be defined as any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the facility/entity. Healthcare Operations shall be defined as activities of the company related to covered functions including, but not limited to; quality assessment/process improvement, development/evaluation of clinical guidelines, patient safety, protocol development, case management, care coordination, review of professional qualifications, evaluation of performance, training, accreditation/certification, medical reviews, legal services, compliance programming, business planning, business management, and audit functions. Payment shall be defined as activities undertaken by the company related to covered functions including, but not limited to; obtaining reimbursement for provision of healthcare services, billing, claims management, collections, and utilization review. Treatment shall be defined as activities of the company related to covered functions including, but not limited to; provision, coordination, and management of healthcare and related services, consultation, and referrals of a patient for healthcare.

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

HIPAA Privacy and Security Operational Guide/August, 2016

Personal representative shall be defined as someone with the legal authority to act on behalf of an incompetent adult patient/resident, a minor patient or a deceased patient/resident or the patient’s/resident’s estate in making health care decisions or in exercising the patient’s/resident’s rights related to protected health information. Health Care Agent shall be defined as someone who is appointed via a document signed by a patient giving the Agent the authority to communicate certain medical decisions in the event that the patient becomes incapable of making those decisions. A Health Care Agent’s authority is limited to communicating decisions about life support and comfort care measures. Therefore, the Health Care Agent’s access to the patient’s medical information is limited to the information needed to address these decisions. Health Care Representative shall be defined as someone appointed via a document signed by the patient and witnessed by two adults giving the Representative authority to decide any and all health care decisions including decisions about the withdrawal of life support and/or nutrition and hydration, and decisions to accept or refuse any treatment, service or procedure used to diagnose or treat the person’s physical or mental condition in the event that that patient becomes incapable of making such decisions. Legally Authorized Representative shall be defined as a person authorized either by state law or by court appointment to make decisions, including decisions related to health care, on behalf of another person.

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP