Privacy Policies and Procedures Manual
- Restrictions & Requests for Changes to a Patient Record
- Internal Security for Patient Information
- Health Care Information Limits
- Patients’ Right to Access Their Health Records
- Disclosure of Patient Health Records
- Requests to Send Information to Another Address
- Deceased Patients
- Patient Complaints
- Changes to Our Notice
- HIPAA Disciplinary Guidelines
We are committed to maintaining the complete confidentiality of our patients’ health care information. As part of our commitment to patient confidentiality:
We will not discuss the names of our patients with anyone who is not part of our practice.
All information about our patients and their health conditions will be used within our practice in a professional manner.
Patient information will never be used for marketing unless we have the appropriate authorization signed by the patient.
Should we ever inadvertently make a mistake regarding the confidentiality of a patient’s health information, we will immediately do everything possible to correct the error.
There are many rules regarding the confidentiality of patient information. While our policies and procedures try to anticipate how to comply with these rules, please remember that our first and most important responsibility is to the health needs of the patient.
Prior to seeing the doctor on the patient’s initial visit, the patient will complete all of our patient intake forms. When the patient has completed the forms, the Patient facilitator will explain and have the patient sign the following forms:
- Informed Consent Form
- HIPAA Notice
- Appointment Reminder Authorization Form
The patient will be given a copy of the Notice of Privacy Practices. In the event the patient refuses to sign our privacy notice, a record will be made of the reason the patient refused to sign and we will treat the patient as we would anyone else. In the case of an emergency where the patient is seen by the doctor and does not have the opportunity to complete his or her administrative paperwork before receiving services, we will attempt to have the consent and authorization forms signed and dated before that patient leaves the office.
3. Restrictions & Requests for Changes to a Patient Record
A patient may occasionally ask us not to send his or her health care information to certain health care providers or third party payers. A patient might also ask us to make changes in his or her health care records. If the patient requests that we restrict distribution of his or her records or place a limitation on other uses of his or her health care information, we will:
- Ask that the patient write down his or her request. It is necessary to make sure that we know exactly what the patient wants so that the doctor can decide whether or not to honor the request.
- The doctor must review the request before he or she can agree to it. The law has special requirements when a patient asks for such a restriction. We will let the patient know as soon as possible whether or not we can honor his or her restriction request.
If we must deny the patient’s request for restrictions or to amend his or her file, we must give the patient a written explanation, by the doctor, for the denial.
Documentation of any request from a patient is absolutely critical. All of the written information we receive from the patient should be immediately placed in the patient’s file. If we receive verbal requests from a patient, the date, time, and content of the patient’s instructions should be written down and placed in the patient’s file. Any information in the patient’s file that concerns privacy must be retained for six years from the date it was created.
We must have our patients sign authorizations for all of the following activities:
- Calling patients to remind them of appointment times.
- Using the patient’s name in any type of testimonial.
- Using a picture of a patient or child.
- Sending marketing materials to a patient.
- Patient treatment that is part of a research project.
We cannot include the patient in any activity listed above unless we have a signed and dated authorization.
5. Internal Security for Patient Information
All patient information will be properly stored when it is not being used for clinical or administrative purposes. The “front desk” will always have a staff member in attendance. This includes those occasions when a staff person is away from his or her desk for lunch, or steps away from a work area to perform another task. The last person to leave at night will verify that all data is stored properly and that the building is properly locked.
While we are all part of a team, the law does not allow each member of our team to have complete access to all of the information about a patient. Internal communications about patients and their health conditions should be limited to those individuals whose job descriptions entitle them to have this information. We do everything possible to respect the privacy of our patients when discussing health information on the phone, with patients, or with other members of the staff when others are present. Patient health care and billing information will be discussed with the patient in a private area.
All of our computer data is backed up as part of our closing procedures each day. Backup data will be stored in a secure, fireproof container onsite, offsite, and in a HIPAA-compliant encrypted cloud storage facility.
6. Health Care Information Limits
We must always limit the amount of a patient’s health care information that is disclosed to the “minimum necessary” to accomplish the intended purpose. When another provider requests the patient’s health care records, the “minimum necessary” rule does not apply and the entire clinical record may be sent. When an insurance company requests records, it is likely that they will specify the dates for which they require records. If the insurer is specific as to the dates of information they would like, we do not have to verify that this is the “minimum necessary” information. If the insurance company does not specify the dates they need to review, then only the clinical records that are related to the patient’s current problem should be sent.
Before any records are released to an attorney, we must have a signed release from the patient. Because the HIPAA privacy laws require us to send the “minimum necessary” health information, the authorization from the patient must specifically state the dates for which records should be sent.
The “minimum necessary” rules apply to us internally as well. If a staff person is only entitled to have access to certain parts of the patient’s health information, we must honor that restriction. Our staff members are given access to a patient’s health information based on their job responsibilities. If you have questions about what health information may be given to another staff person, please ask the doctor or the office manager.
7. Patients’ Right to Access Their Health Records
Patients have the right to copies of their health records at any time – even if they have unpaid balances on their account. Patients may not, however, take the originals of their records or x-rays because the law requires that we retain them for seven years after the last visit in the office.
We will do everything possible to comply with a patient’s request for a copy of his or her records within state law guidelines. If we cannot give him or her a copy within a reasonable timeframe, we will explain the reason for the delay and let the patient know when his or her records can be picked up or when they will be mailed by us.
We reserve the right to charge a patient for any record copy requests per state guidelines.
8. Disclosure of Patient Health Records
Patients have the right to ask us for information regarding the disclosures that have been made of their health information for the previous six years (after the compliance date) from the date of their request. The most important thing to remember is that this does not include disclosures related to their treatment or disclosures made to insurance companies or other third party payers. This would primarily concern disclosures made to attorneys, for marketing purposes, or if we engaged in fundraising.
9. Requests to Send Information to Another Address
We will do everything possible to accommodate patient requests to send information to someplace other than home, or to fax statements rather than mail them.
10. Deceased Patients
All of the privacy rules apply to deceased patients. We must have authorization from the deceased patient’s personal representative before we can release any of his or her information.
11. Patient Complaints
- The complaint must name the doctor or staff person and describe what the patient believes the person did improperly.
- By law, all complaints must be in writing.
- The complaint must be filed within 180 days of when the patient knew the problem occurred.
- Any and all complaints should be given to a doctor immediately.
If a patient should file a complaint, we will do everything possible to resolve the problem.
12. Changes to Our Notice
Whenever we change our notice we will immediately replace the notice that is on public display and make the notice available to patients on request. We will retain a copy of each of our notices for the six years required by the law.
13. HIPAA Disciplinary Guidelines
It is unfortunate, but it may be necessary to discipline an employee who violates a patient’s right to privacy or does not follow these policies and procedures.
Our disciplinary actions can include:
- Warnings (oral)
- Reprimands (written)
- Temporary suspension
- Discharge of employment
- Restitution of damages
- Referral for criminal prosecution
Any disciplinary action will be documented in the employment file of the staff person. The file will contain specific information including:
- The date of incident
- The name of the reporting party
- The name of the person responsible for taking action
- The follow-up action taken
Should you have any questions or concerns regarding our privacy notice or its content, please do not hesitate to contact us.