Practice Policies for Protecting Patient Privacy

I. Introduction

What is HIPAA and why was the law enacted?

HIPAA stands for Health Insurance Portability and Accountability Act of 1996.  One of the primary purposes of the law is to provide comprehensive protection for the privacy and security of patients’ health information.  Generally, the HIPAA Privacy Rule:

·      limits the use and disclosure of Protected Health Information (PHI), which generally includes health and demographic information concerning an individual;

·      strives to protect against deliberate or inadvertent misuse or disclosure of PHI;

·      provides individuals the right to view, copy and amend their health records;

·      provides individuals the right to information about who has seen information in their records, in the form of an accounting of disclosures;

·      provides individuals the right to receive notice of a breach of unsecured PHI; and

·      provides a complaint mechanism for the public and permits the Federal government to impose penalties against violators of the HIPAA Privacy Rule.

The HIPAA privacy requirements became effective April 14, 2003 and were further modified by the 2009 enactment of the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) and the Privacy and Security Regulations (collectively referred to herein as “HIPAA”).


Definitions

Protected Health Information (PHI): information (including demographic information) that:

·      Is created or received by a health care provider and transmitted or maintained in any form or medium, including electronic media;

·      Relates to the health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual; and

·      Identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Covered Entity: a health care provider who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard (for example, electronic claims).  Health plans and health care clearinghouses are also covered entities.  Stratum Dermatology, PLLC (the “Practice”) is a covered entity and therefore is subject to the privacy requirements.

Authorization: a detailed document that gives a covered entity permission to use PHI for a specified purpose(s) (which is generally other than treatment, payment, or health care operations), or to disclose PHI to a third party specified by the individual.  An Authorization must comply with HIPAA requirements to be valid.

Consent: a document that gives health care providers permission to disclose a patient’s medical information for specified purposes, including treatment, payment, and health care operations.  Under Massachusetts law, a Consent is required prior to most disclosures of medical information.  A Consent for the disclosure of medical information is different from a patient’s consent to treatment.

Minimum Necessary: when using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.  This rule does not apply to disclosures to or requests by other health care providers for treatment, uses or disclosures made to the patient, or uses or disclosures made pursuant to an Authorization.

Treatment, Payment, or Health Care Operations (TPO): HIPAA permits a covered entity to use or disclose PHI for the purposes of TPO without first obtaining a patient’s Authorization.  However, under Massachusetts law, the covered entity must first obtain a patient’s Consent prior to disclosing health information, even for TPO.

·      Treatment.  Without the patient’s Authorization or Consent, the Practice may use PHI to provide treatment and other services to the patient, for example, to treat the patient’s skin condition.  However, prior to disclosing a patient’s PHI, the Practice must obtain the patient’s Consent.  For example, a Consent is required prior to disclosing a patient’s PHI to the patient’s primary care physician to ask for their opinion on the patient’s conditions that may affect the treatment of the patient’s skin.     

·      Payment.  Without the patient’s Authorization or Consent, the Practice may use PHI to obtain payment for services provided to patients, for example, to identify claims for payment from a patient’s health insurer.  However, prior to disclosing PHI to obtain payment for services, the Practice must obtain the patient’s Consent.  For example, a Consent is required prior to disclosing a patient’s PHI to file claims and obtain payment or to verify that a health insurer will pay for health care.

·      Health Care Operations.  Without the patient’s Authorization or Consent, the Practice may use PHI for health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care and customer service that the Practice delivers.  For example, the Practice may use PHI to evaluate the quality of the medical services the Practice provides.  However, prior to disclosing PHI for the health care operations of the Practice, the Practice must obtain the patient’s Consent.  For example, a Consent is required prior to disclosing a patient’s PHI to a third party engaged by the Practice to help resolve patient complaints.  

Personal Representative: For a patient who is a minor (i.e., someone who is younger than 18 years old and not an emancipated minor), a Personal Representative is a parent with legal custody over the minor, a court-appointed guardian, or other person acting in loco parentis who has authority under Massachusetts law to act on behalf of the patient in making decisions related to health care (e.g., a foster parent, a representative of the Department of Social Services (to the extent that the Department of Social Services has custody over the minor), or a representative of the Department of Mental Health (to the extent the Department of Mental Health has custody over the patient)) (with some limited exceptions).  For a patient who is an adult (i.e., at least 18 years old) or an emancipated minor, a Personal Representative is a person who has authority under Massachusetts law to act on behalf of the patient in making decisions related to health care (e.g., an individual who is a court-appointed guardian, a designated health care agent (pursuant to a valid health care proxy) of that individual, or a representative of the Department of Mental Health (to the extent the Department of Mental Health has custody over the patient)).  As a general rule, an individual’s Personal Representative is given the same rights as the individual for purposes of HIPAA (though there are some exceptions).  A Personal Representative may only exercise rights on behalf of an individual if that individual is incompetent (due to physical incapacity, mental incapacity or because the individual is a minor and not an emancipated minor).  In the case of a decedent, an appropriate Personal Representative includes the decedent’s personal representative, formerly known as an “executor”.


II. Privacy Officer

Seth Stratton is the Practice’s Privacy Officer and can be reached as follows:

Email: sstratton@stratumderm.com

Office: 413-750-9044

Fax: 413-333-2400

Stratum Dermatology, PLLC

III. Notice of Privacy Practices

The Notice of Privacy Practices is posted in the Practice’s waiting room.  In addition, the Notice of Privacy Practices is prominently posted and made available electronically on the Practice’s web site.  The Practice will have copies of the Notice of Privacy Practices that can be handed to patients who present at the Practice’s office location(s) and request a copy.  Each patient treated by the Practice must be handed a Notice of Privacy Practices at his/her first service encounter, unless the Practice sent an electronic copy of the Notice of Privacy Practices to the patient prior to the patient’s first service encounter.

In accordance with HIPAA, the Practice makes a good faith effort to obtain each patient’s written acknowledgment of receipt of the Notice of Privacy Practices.  The Acknowledgment is part of the Consent form, which must be obtained one time from each patient treated by the Practice. 

IV. Consent Form

The Consent form (titled, Acknowledgment and General Consent Form) must be provided to and signed by each patient treated by the Practice.  The Consent form includes an acknowledgment of the patient’s receipt of the Notice of Privacy Practices and includes a general consent that permits the Practice to disclose medical information so that the Practice can treat the patient, seek payment from third parties for such treatment, and generally carry on the health care operations of the Practice.  The Consent form also includes a general consent that permits the Practice to disclose medical information to insurers and other providers when necessary for purposes of treatment, payment for that treatment, and their own health care operations. 

V. Authorization Form

A patient’s PHI can be used for purposes of treatment, payment or health care operations without an Authorization form.

A patient’s PHI can be disclosed for purposes of treatment, payment or health care operations without an Authorization form, if the patient has signed a Consent form (see Section IV above). 

For all other purposes (e.g., research, marketing, fundraising, etc.), the patient must sign an Authorization form prior to the use or disclosure of the patient’s PHI.  There are some exceptions to this rule, as noted in the Practice’s Notice of Privacy Practices (e.g., State reporting requirements). 

All questions about whether an Authorization is required prior to using or disclosing PHI should be directed to the Privacy Officer.


VI. Highly Confidential Information

The following types of information are considered to be highly confidential:

  • information about HIV/AIDS status*

  • information about a substance use disorder (alcohol or drug) from a program that is covered by 42 CFR Part 2*

  • information related to mental health community program records*

  • information about genetic testing

  • information about venereal disease(s)

  • abortion consent form(s)

  • mammography records

  • information about family planning services

  • information related to confidential communications with a psychotherapist, psychologist, social worker, sexual assault counselor, domestic violence counselor or other allied mental health professional or human services professional

  • if the patient is an emancipated minor, certain information about his/her treatment and diagnosis

  • information about research involving controlled substances

Those types of information marked with an * can be disclosed only if the patient has signed an Authorization or Consent form in connection with the specific disclosure.  The remaining types of information can be disclosed in accordance with the patient’s signed Acknowledgment and General Consent form (i.e., for purposes of treatment, payment, and/or health care operations), unless the patient withheld consent for the disclosure of a particular type of information, as indicated on that form (by striking a line through the particular type of Highly Confidential Information).  In such case(s), the Practice must redact that information from the document(s) to be disclosed.  The Practice may note that the patient has not authorized the Practice to disclose the redacted information.

VII.   Safeguards

A.   Minimum Necessary

The HIPAA Privacy Rule requires that all uses and/or disclosures of, and/or requests for, PHI be limited to the minimum amount necessary to accomplish the stated purpose.  To the extent practicable, the PHI used/disclosed should exclude the following direct identifiers of the patient or of relatives, employers, or household members of the patient: (i) names; (ii) postal address information, other than town or city, State and zip code; (iii) telephone numbers; (iv) fax numbers; (v) electronic mail addresses; (vi) social security numbers; (vii) medical record numbers; (viii) health plan beneficiary numbers; (ix) account numbers; (x) certificate/license numbers; (xi) vehicle identifiers and serial numbers, including license plate numbers; (xii) device identifiers and serial numbers; (xiii) web universal resource locators (URLs); (xiv) internet protocol (IP) address numbers; (xv) biometric identifiers, including finger and voice prints; and (xvi) full face photographic images and any comparable images.  Excluding these identifiers does not de-identify the information: what remains is still PHI (HIPAA calls it a limited data set) and remains subject to these Policies.

Disclosures to, and requests by, a health care provider for treatment; uses and disclosures made to the patient; and uses and disclosures made pursuant to an Authorization are exempt from the minimum necessary requirement.  Uses and disclosures for payment or health care operations are not exempt: staff must still limit the PHI to what the payer or the operational activity actually needs.

B.    Disclosures to Family, Friends and Others

The Practice understands that patients often wish for family members, other relatives, close personal friends, and/or other persons involved in the patient’s health care and/or involved in payment related to the patient’s health care (in addition to the patient’s Personal Representative) (“Recipient”) to be able to learn information about the patient.  As a result, the Practice will disclose a patient’s PHI to a Recipient where the patient agrees in advance to the disclosure.  More specifically, where a patient is present and capable of consenting to a disclosure, Practice staff may disclose PHI to a Recipient in any of the following situations: 

1.              The patient agrees to the disclosure, which agreement is documented on the Acknowledgment and General Consent form signed by the patient, or is given verbally and shall be documented in the patient’s medical record; or

2.              The patient does not express an objection when given the opportunity, which shall be documented in the patient’s medical record; or

3.              If staff can reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object.  Example of reasonable inference:  if a patient’s adult child is in the same room as the patient during a procedure, staff can infer that disclosures to that adult child are appropriate.  Such reasonable inference shall be documented in the patient’s medical record.

Any disclosure made to a Recipient pursuant to this Section VII.B must be limited to PHI directly relevant to the Recipient’s involvement in the patient’s health care or payment related to the patient’s health care.

C.   Operational Matters

Members of the Practice staff are required to take certain actions and refrain from taking certain actions for the purpose of safeguarding PHI.  For more detailed information, please see the Practice’s HIPAA Security Policies and Procedures, as well as the Confidentiality Agreement that each member of the Practice staff is required to sign upon hiring and annually thereafter.

D.   Business Associates

Generally, in the event that the Practice needs to disclose PHI to a person or entity (other than a member of the Practice’s own staff) that will perform a function or activity involving PHI for or on behalf of the Practice, the Practice must enter into a Business Associate Agreement with that person or entity before any PHI is shared.  A billing service is an example of a Business Associate that requires a Business Associate Agreement; so are an electronic health record or cloud hosting vendor and the records-disposal vendor described in Section IX.  The Practice shall ensure that Business Associate Agreements are in place when needed.  The Business Associate Agreement sets forth the limitations on how the Business Associate may use and disclose PHI. 

VIII. Breach Notification

A.   What is a breach of PHI?

Generally, a breach of PHI is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.  PHI is “unsecured” if it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method specified in HHS guidance (for example, encryption); the loss of a properly encrypted laptop whose key was not also compromised is therefore not a breach of unsecured PHI.  Under HIPAA, an impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless the Practice can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.  In the event of a privacy incident, the Practice will investigate and assess the incident and determine whether the incident constitutes a breach of unsecured PHI in accordance with the Practice’s Breach Notification Policy.  In the event of a breach of unsecured PHI, the Practice will comply with applicable notification requirements (e.g., patient notification, government notification, and, in some cases, media notification) in accordance with the Practice’s Breach Notification Policy.

B.    Incident Reporting

Members of the Practice’s staff are not responsible for determining whether an incident is a breach of PHI.  Members of the Practice’s staff are responsible, however, for notifying the Privacy Officer of all incidents involving PHI (e.g., accidental disclosure of PHI to the wrong patient, lost medical records, inappropriate use or disclosure of PHI by a Business Associate, etc.).  In the event that a member of the Practice’s staff becomes aware of a potential incident, he or she is responsible for notifying the Privacy Officer immediately.  Failure to do so could result in the Practice taking disciplinary action, up to and including termination of employment or other engagement.

C.   Determining Whether An Incident is a Breach of PHI

In the event of an incident involving PHI, the Practice (together with legal counsel, as needed) shall determine whether the incident is a breach that triggers notification requirements.  The Privacy Officer will conduct (or coordinate) an investigation and risk assessment of the incident to determine whether there has been a breach of PHI.  Every member of the Practice’s staff is responsible for cooperating with any such investigation.  In the event that the Practice determines that there has been a breach of PHI, the Practice will fulfill its notification obligations, as required by law and any applicable policies the Practice has in place at that time. 

IX. Disposal of PHI

PHI (including old records and any other information that connects a patient’s name with a prescription or other PHI) must be disposed of as follows:

  • paper documents must be redacted, burned, pulverized or shredded so that the information cannot practicably be read or reconstructed

  • electronic media and other non-paper media must be destroyed or erased so that the information cannot practicably be read or reconstructed (e.g., clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding)).  Degaussing works only on magnetic media such as hard disk drives and tape; solid-state drives, USB flash drives, phones and the internal storage of copiers and printers must instead be purged with the device’s built-in sanitize or cryptographic-erase function, or physically destroyed.  Deleting files or reformatting a drive does not meet this standard.

PHI in paper records, labeled prescription bottles, identification bracelets, PHI on electronic media, or other forms of PHI will not be placed in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons, unless first treated in the manner described above.  PHI can, however, be maintained for disposal in a secure area if the Practice has made arrangements with a disposal vendor (who is a business associate of the Practice), to pick up and shred or otherwise appropriately destroy the PHI.

X. Patient Rights

A.   Access and Copies

A patient may request access to his/her medical record file and billing records maintained by the Practice in order to inspect and request copies of the records.  All requests for access must be made in writing using the Practice’s form.  Under limited circumstances, the Practice may deny the patient access to his/her records.  The Practice may charge patients for copies (as limited by the HIPAA Privacy Rule and Massachusetts law) and also for postage costs if the patient requests that the copies be mailed.  In the event that a patient seeks the medical records of his/her minor child, the Practice (together with legal counsel if necessary) will determine whether state law permits the parent to be the Personal Representative of the minor child, permitting access to the minor’s designated record set.  Generally, the Practice must respond to a patient’s access request within 30 days of receiving the request.

B.    Amendments

A patient has the right to request that the Practice amend PHI maintained in his/her medical record file or billing records.  Requests to amend PHI must be submitted in writing to the Practice using the Practice’s form.  The Practice will comply with the patient’s request unless the Privacy Officer believes that the information that would be amended is accurate and complete or other special circumstances apply (e.g., the information was not created by the Practice and the originator of the information is still available).  Generally, the Practice must act on a patient’s request for amendment no later than 60 days after receiving the request.  All questions concerning whether an amendment should be made as requested, how an amendment should be made, and/or about procedures for denying an amendment request should be directed to the Privacy Officer.

C.   Accounting of Disclosures

Upon written request, a patient may obtain an accounting of certain disclosures of PHI made by the Practice to a recipient external to the Practice during any period of time prior to the date of the patient’s request, provided such period does not exceed six (6) years.  Except as provided below, the Practice is not required to account for disclosures made for purposes of treatment, payment, or health care operations, or certain other disclosures (e.g., disclosures made to the patient or pursuant to the patient’s Authorization).  If a patient requests an accounting more than once during a twelve (12) month period, the Practice may charge the patient for the accounting statement (as limited by the HIPAA Privacy Rule).  A request for an accounting must be in writing. 

To the extent that the Practice uses or maintains medical information in an electronic designated record set, a patient also has a right to receive an accounting of disclosures made for purposes of treatment, payment, and/or health care operations during a period of time up to three (3) years prior to the date of the patient’s request.  All requests for such information must be in writing.

The accounting provided by the Practice must include the following information (for disclosures from paper and/or electronic records):

1.              the date of the disclosure;

2.              the name of the entity or person who received the PHI and, if known, the address of such entity or person;

3.              a brief description of the PHI disclosed; and

4.              one of the following, as applicable:

(a)   a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or

(b)  a copy of a written request (if any) obtained in accordance with the HIPAA Privacy Rule concerning uses and disclosures of PHI for purposes of public policy; or

(c)   a copy of a written request (if any) from the Secretary of Health and Human Services to investigate or determine the Practice’s compliance with HIPAA.

Generally, the Practice must respond to a patient’s request for an accounting within 60 days of receiving the request.
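Four of the rules above have to be applied together on every outgoing disclosure: Section V (a signed Consent covers treatment, payment and operations; anything else needs an Authorization unless the Notice lists it as required by law), Section VI (starred categories need an Authorization naming the disclosure, struck-through categories are redacted and the redaction noted), Section VII.A (minimum necessary, with its three exemptions) and Section X.C (every disclosure is logged so an accounting can be produced later).  The Python below is an added worked example of those rules as executable checks.  It is not code from the Practice or from any EHR product; the record layout, the field and category names, the treatment of the six-year and three-year windows as plain day counts, and the sample patient are assumptions made for illustration.

```python
"""Disclosure gate applying Sections V, VI, VII.A and X.C of these Policies.
Added worked example, not code from the Practice or any EHR product; the
record layout, field and category names and the sample patient are assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Section VII.A: direct identifiers dropped when minimum necessary applies.
# Postal address is split so that street is dropped but city, state and zip stay.
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "plan_beneficiary_no", "account_no", "license_no", "vehicle_id",
    "device_id", "url", "ip", "biometric", "face_photo",
}
# Section VI: the * categories need an Authorization naming this disclosure;
# other categories ride on the general consent unless struck through on the form.
HCI_SPECIFIC_ONLY = {"hiv", "part2_sud", "mental_health_program"}
TPO = {"treatment", "payment", "operations"}
# Section V: purposes the Notice lists as needing no Authorization (e.g. State reporting).
REQUIRED_BY_LAW = {"public_health", "required_by_law"}
SAMPLE_DATE = date(2024, 1, 15)   # constructed; used by the sample run below


@dataclass
class Patient:
    record: dict                                      # field -> value; "hci" -> {category: text}
    general_consent: bool = False                     # Acknowledgment and General Consent signed
    struck_hci: set = field(default_factory=set)      # non-* categories struck on that form
    authorizations: set = field(default_factory=set)  # {(purpose or hci category, recipient)}
    disclosures: list = field(default_factory=list)   # Section X.C log


@dataclass
class Disclosure:
    when: date
    recipient: str
    description: str
    purpose: str
    basis: str   # "consent" | "authorization" | "law"


def prepare_disclosure(p, purpose, recipient, recipient_is_provider=False, today=None):
    """Return the PHI that may leave the Practice, or raise if the Policies forbid it."""
    today = today or date.today()
    if purpose in TPO:
        if not p.general_consent:
            raise PermissionError("no signed Consent form on file")
        basis = "consent"
    elif purpose in REQUIRED_BY_LAW:
        basis = "law"
    elif (purpose, recipient) in p.authorizations:
        basis = "authorization"
    else:
        raise PermissionError(f"Authorization required for purpose {purpose!r}")

    out = {k: v for k, v in p.record.items() if k != "hci"}
    # Minimum necessary is waived only for treatment disclosures to a provider,
    # disclosures to the patient, and disclosures under an Authorization.
    exempt = ((purpose == "treatment" and recipient_is_provider)
              or recipient == "patient" or basis == "authorization")
    if not exempt:
        out = {k: v for k, v in out.items() if k not in DIRECT_IDENTIFIERS}

    redacted = []
    for cat, text in p.record.get("hci", {}).items():
        if cat in HCI_SPECIFIC_ONLY and (cat, recipient) not in p.authorizations:
            redacted.append(cat)
        elif cat in p.struck_hci:
            redacted.append(cat)
        else:
            out[cat] = text
    if redacted:   # Section VI: note the redaction rather than silently omitting it
        out["note"] = "Patient has not authorized disclosure of: " + ", ".join(sorted(redacted))

    fields = ", ".join(sorted(k for k in out if k != "note"))
    p.disclosures.append(Disclosure(today, recipient, "fields: " + fields, purpose, basis))
    return out


def accounting(p, request_date, electronic_record_set=True):
    """Section X.C: the disclosures a patient may ask to see, as of request_date."""
    six_years = request_date - timedelta(days=6 * 365)     # assumed day-count windows
    three_years = request_date - timedelta(days=3 * 365)
    out = []
    for d in p.disclosures:
        if d.when > request_date:
            continue
        if d.basis == "law" and d.when >= six_years:
            out.append(d)                               # always accounted for
        elif d.purpose in TPO and electronic_record_set and d.when >= three_years:
            out.append(d)                               # electronic-record TPO, 3 years
        # disclosures made under an Authorization are not accounted for
    return out


# Sample patient: constructed for this example; no real person.
SAMPLE = Patient(
    record={"name": "A. Example", "street": "1 Main St", "city": "Springfield",
            "state": "MA", "zip": "01101", "ssn": "000-00-0000", "mrn": "MRN-1",
            "diagnosis": "psoriasis",
            "hci": {"hiv": "negative", "genetic": "BRCA2 result"}},
    general_consent=True, struck_hci={"genetic"}, authorizations={("hiv", "Dr. PCP")},
)

if __name__ == "__main__":
    print(prepare_disclosure(SAMPLE, "payment", "Insurer X", today=SAMPLE_DATE))
    print(prepare_disclosure(SAMPLE, "treatment", "Dr. PCP", recipient_is_provider=True,
                             today=SAMPLE_DATE))
    print(accounting(SAMPLE, SAMPLE_DATE.replace(month=6)))
```

Run against the sample patient, a payment disclosure to the insurer leaves the city, State and zip code but drops the name, street, SSN and medical record number, withholds both the HIV result (no Authorization names the insurer) and the genetic result (struck on the form), and records the redaction in a note; the same record sent to the primary care physician for treatment keeps the identifiers and the authorized HIV result but still redacts the genetic result.  A marketing request with no Authorization is refused before anything is logged.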

D.   Restrictions

A patient has the right to request restrictions on certain uses and disclosures of PHI.  The Practice will consider each request but the Practice is not required to agree to the restriction (with one limited exception relating to disclosures to a health plan where the patient has paid out of pocket in full for the health care item or service).  Requests for restrictions must be submitted in writing to the Practice.

E.    Confidential Communications

A patient has the right to receive confidential communications of PHI from the Practice by alternative means or at alternative locations. The Practice is required to accommodate any reasonable request a patient makes.  Requests must be submitted in writing to the Practice.

F.     Notice of a Breach

A patient has a right to receive a breach notification that complies with applicable Federal and State laws and regulations in the event of a breach of unsecured PHI.  The Practice shall provide such notice in accordance with the Practice’s Breach Notification Policy and all applicable laws.

G.   Complaints

If a patient wishes to make a complaint concerning the Practice’s privacy policies, procedures, or violations thereof, the patient will be asked to submit the complaint in writing to the Practice for investigation and resolution.  Patients also can file complaints with the Office for Civil Rights of the U.S. Department of Health and Human Services. 

H.   Retaliation and Waiver

Neither the Practice nor any member of its staff may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual who exercises his/her privacy right.  In addition, neither the Practice nor any member of its staff may require an individual to waive his/her privacy rights in order to receive treatment, or otherwise in connection with his/her payment, enrollment in a health plan or eligibility for benefits.

XI. Training and Enforcement

Pursuant to HIPAA, the Practice is required to train its staff on privacy requirements, policies and procedures.  To this end, each current member of the Practice’s staff, and each new hire of the Practice (within a reasonable period of time after the person joins the Practice) must read these Policies as well as any additional policies and procedures the Practice has with respect to protecting patient information (e.g., HIPAA Security Policies and Procedures), and complete and sign the Practice’s Confidentiality Agreement attached at the end on an annual basis.  The Confidentiality Agreement will be maintained by the Practice to help demonstrate its HIPAA compliance.  In the event that the functions of a staff member are affected by a material change in the policies and procedures required by the HIPAA Privacy Rule, the Practice will train such individual(s) within a reasonable period of time after the material change becomes effective.  The Practice shall document all training provided to the members of its staff (e.g., training materials, attendance sheets, etc.).

In the event that a member of the Practice’s staff violates any Federal or State privacy requirement or any policy or procedure of the Practice, the Practice will take appropriate action, which may include disciplinary action against the individual, up to and including termination of employment or other engagement. 

XII. Minors

With respect to a patient who is a minor under Massachusetts law, all rights and responsibilities set forth in these Policies and under HIPAA shall be exercised and fulfilled by the patient’s Personal Representative, rather than by the patient him/herself.