It is the policy of Amherst Medical Associates that all physicians and staff preserve the integrity and the confidentiality of Protected Health Information (PHI) pertaining to our patients. The purpose of this policy is to ensure that our practice and its physicians and staff have the necessary medical information and PHI to provide the highest quality medical care possible while protecting the confidentiality of the PHI of our patients to the highest degree possible. Patients should not be afraid to provide information to our practice and its physicians and staff for purposes of treatment, payment and healthcare operations (TPO), but we must protect every patient’s PHI from improper or unauthorized disclosure. Recognizing that patients have a right to privacy, our practice will respect the patient’s individual dignity at all times, and will respect each patient’s privacy to the extent consistent with providing the highest quality medical care possible and with the efficient administration of the facility.
Adhere to the standards set forth in the Notice of Privacy Practices.
The latest revision of the Notice of Privacy Practices will be posted in our waiting rooms and on our web site, with copies available to all newly registering patients and to anyone who asks.
A genuine attempt will be made to provide the Notice of Privacy Practices to each patient when first registering in our office after a new version is released, and to obtain a written acknowledgment of receipt. If unable to obtain acknowledgment, the reason will be documented.
Collect, use and disclose PHI only in conformance with state and federal laws and current patient covenants and/or authorizations, as appropriate.
All direct employees will have access to PHI, but only on an “as needed” basis to perform job duties or meet patient needs.
PHI must be accurate, timely, complete, and available when needed, and our practice will implement reasonable measures to protect the integrity of all PHI maintained about patients.
Whenever PHI disclosure is needed, only the “minimum necessary” information will be disclosed.
Our practice and its physicians and staff will not use or disclose PHI for uses outside of the practice’s TPO, such as marketing, employment, life insurance applications, etc. without an authorization from the patient. No PHI data will be disclosed unless the patient (or his or her authorized representative) has properly authorized the release, or the release is otherwise authorized by law.
The Patient Authorization form will be used to obtain instructions and authorization for disclosure of PHI for non-TPO purposes, and copies will be placed in the patient chart and given to the patient.
Treatment will not be conditioned on the patient signing an authorization.
Reasonable alternate means for communicating PHI, if requested and approved, will be allowed.
Use and disclose PHI to remind patients of their appointments unless they instruct us not to.
Treat all PHI data as confidential, in accordance with professional ethics, accreditation standards, and legal requirements. All physicians and staff of our practice will adhere to any restrictions concerning the use or disclosure of PHI that patients have requested and that have been approved by our practice.
A log of all non-TPO disclosures will be kept in the patient’s chart (see the Log to Track Disclosures of PHI form) and will be made available to the patient upon written request.
Whenever possible and practical, PHI will be given directly to the patient rather than sent to a third party.
The practice “owns” the medical record, but the patient has the following rights: to inspect and obtain a copy of his/her PHI and to request an amendment to his/her medical record if he/she believes his/her information is inaccurate or incomplete. All such activities will be supervised by the Privacy Officer.
Permit patients access to their medical records in a private area after their written request is approved by our practice. If we deny their request, then we must inform the patients that they may request a review of our denial. In such cases, we will have an on-site healthcare professional review the patients’ appeals.
Provide copies of requested information when appropriate and allowed fees are paid.
Provide patients an opportunity to request the correction of inaccurate or incomplete PHI in their medical records in accordance with the law and professional standards.
All requests regarding PHI must be dealt with in a timely fashion, in 30 days or less, with full documentation of the request and action taken, using the forms provided. When a denial is issued, the Denial Letter format should be used, in which the patient is informed of the appeal process. Reasons for a denial include:
Requests for psychotherapy notes. (See glossary for definition.)
Requests for PHI that is being used in a civil, criminal or administrative action or proceeding.
Requests for PHI that is subject to or exempted from the Clinical Laboratory Improvement Amendments (CLIA) of 1988. CLIA states that clinical laboratories may provide clinical laboratory test records and reports only to “authorized persons” as defined primarily by state law. In some cases, the patient is not included in the group of authorized persons. HIPAA does not preempt CLIA and therefore, covered entities that are subject to CLIA are not required to provide a patient access to their PHI if CLIA prohibits them from doing so. If your medical practice is not subject to CLIA, then this denial reason does not apply and should be disregarded.
Requests for PHI that was obtained from someone other than a healthcare provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
Requests for PHI that was/is being created or obtained in the course of ongoing research where the patient agreed to the denial of access when he/she consented to participate in the research.
Requests for PHI that is contained in records subject to the federal Privacy Act. This Act protects personal information about individuals held by the federal government. Covered entities that are federal agencies or federal contractors that maintain records that are covered by the Privacy Act not only must comply with the Privacy Rule’s requirements but also must comply with the Privacy Act.
Requests for PHI where the healthcare professional has determined, in his/her professional judgment, that access to the PHI is reasonably likely to endanger the patient’s life or physical safety or the life or physical safety of another person.
Requests for PHI that makes reference to another person and that a licensed healthcare professional has determined is reasonably likely to cause substantial harm to such person(s).
Requests for PHI where the request is made by the personal representative of the patient (who is the subject of the information) and a licensed healthcare professional decides, according to his/her professional judgment, that the PHI should not be provided.
A Business Associates Agreement will be executed and obtained from all Business Associates of the practice.
Complaints regarding the handling of PHI by the practice will be processed on the Patient Complaint Form, and responded to in a timely fashion.
All authorizations, logs, and requests for PHI disclosures, inspection, and limitations will be kept for a minimum of 6 years.
The Privacy Officer will oversee the implementation, training and on-going administration of these privacy practices.
All physicians and staff of our practice must adhere to this policy. Our practice will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions in accordance with our practice’s personnel rules and regulations.