HIPAA Privacy

Policy Number: J – 4

Policy:

This policy defines controls to safeguard the protected health Information of West Texas Centers’ consumers. Ensure the integrity and compliance of federal and state regulations as it pertains to protected health Information. It serves as a central policy document with which all employees and contractors must be familiar and defines actions and prohibitions that all users must follow. The policy provides West Texas Centers with policies and guidelines concerning the access, disclosure, use, breach notification, investigations and audits of protected health information.

Introduction

Purpose

This policy defines controls to safeguard the protected health information of West Texas Centers’ consumers. Ensure the integrity and compliance of federal and state regulations as it pertains to protected health information. It serves as a central policy document with which all employees and contractors must be familiar, and defines actions and prohibitions that all users must follow. The policy provides West Texas Centers with policies and guidelines concerning the access, disclosure, use, breach notification, investigations, and audits of protected health information.

ScopeCopy Link

This policy applies to all Center Staff responsible for creating, managing, storing and the disclosing of consumer protected health information.

Policy

It is the policy of West Texas Centers (WTC) that all operations involving the receipt, handling, maintenance and disclosure of any individually-identifiable information regarding the treatment, care, and billing of WTC consumers are performed in accordance with federal and state patient privacy laws including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA), Chapters 181 and 611 of the Texas Health and Safety Code, and 42 CFR Part 2 (where applicable).

Definitions

Affiliated Covered Entity

Legally separate affiliated Covered Entities may be designated as a single Covered Entity for purposes of HIPAA Privacy if the separate entities are under common ownership or control.

Business Associate

A Business Associate includes an entity that ”creates, receives, maintains, or transmits” protected health information on behalf of a Covered Entity. Entities that maintain or store protected health information on behalf of a Covered Entity are Business Associates, even if they do not actually view the protected health information.

Examples of Business Associates:

Patient Safety Organizations
Health Information Organizations
Vendors of Personal Health Records that require routine access to PHI
Persons who facilitate data transmission
Data storage company that has access to PHI (whether digital or hard copy), even if the entity does not view the information
Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate.

Examples of persons and organizations not considered Business Associates:

Oversight agencies (OIG, CMS)
A person or organization that acts merely as a conduit (a conduit transports information but does not access it, ex: United States Postal Service)
Financial institutions
Health care providers
Employees of a Covered Entity

“Certain” Health Care Operations

“Certain” Health Care Operations means any of the following activities performed or undertaken by another Covered Entity requesting a disclosure from WTC.

Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines
Population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination
Contacting patients regarding information about treatment alternatives
Reviewing the competence or qualifications of health care professionals
Evaluating provider performance
Evaluating health plan performance
Accreditation
Certification
Licensing
Credentialing
Health care fraud and abuse detection or compliance

Covered Entities

Health plans, health care clearinghouses, and health care providers.

Disclosure (Disclose)

Release, transfer, provide access to, or divulge in any other manner of information outside of WTC.

Electronic Media

Includes any electronic storage material as defined by NIST. Thus, “intranets” come within the definition. PHI stored, whether intentionally or not, in a photocopier, facsimile, or other device is subject to the Privacy and Security Rules. Exception: If the information exchanged by facsimile did not exist in electronic form immediately before transmission, that information is not electronic media.

Employee

For purposes of the Privacy policies, the definition of employee includes all WTC workforce members including interns and temporary personnel. See also “Workforce Member” below.

Group Health Plan

An employee welfare benefit plan defined in section 3(1) of ERISA, 29 U.S.C. 1002(1), including insured and self-insured plans to the extent the plan provides medical coverage to employees or their dependents directly or through insurance, reimbursement, or otherwise, and has 50 or more participants or is administered by an entity other than the employer that established and maintains the plan.

Health Care Operations

Health Care Operations means any of the following activities performed or undertaken by WTC:

Conducting quality assessment and improvement activities
Accreditation
Credentialing
Certification
Case management
Licensing
Evaluating health plan performance
Patient safety activities as defined in the PSQIA
Prohibition on using or disclosing genetic information for underwriting purposes

Insurance activities relating to the renewal of a contract for insurance:

Underwriting
Premium rating

Other activities relating to the creation, renewal or replacement of a contract for health insurance or health benefits, as well as ceding, securing or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss and excess loss insurance)

Note: A group health plan that wants to replace its insurance carrier may disclose certain PHI to insurance issuers in order to obtain bids on new coverage, and an insurance carrier interested in bidding on new business may use PHI obtained from the potential new client to develop the product and price.

Conducting or arranging for medical review
Auditing functions, including fraud, abuse detection, and compliance programs
Conducting or arranging for legal services
Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment, or coverage policies
Business management activities and general administrative functions, such as:
Management activities relating to implementation of and compliance with the requirements for health care operations
Customer service, including the provisions of data analyses for policyholders, plan sponsors, or other customers, provided PHI is not disclosed to such policyholder, plan sponsor, or customer
Resolution of internal grievances (includes quality of care and internal employee complaints)
Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a Covered Entity or, following completion of the sale or transfer, will become a Covered Entity
Activities that would not be considered health care operations:
Marketing of health and non-health items and services;
Disclosure of PHI for sale, rent, or barter;
Use of PHI by a non-health related division of an entity; or
Disclosure to an employer for employment determinations.

Health Information

Any information, whether oral or recorded in any form or medium, that:

Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university or health care clearinghouse.
Relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or past, present or future payment for the provision of health care to a patient.
“Health Information” includes genetic information.

Health Plan

An individual or group plan that provides or pays the cost of medical care, including church plans and government plans. (Any plan to which creditable coverage applies.)

Individually Identifiable Health Information

Information that is a subset of health information, including demographic information, collected from a patient and:

Is created or received by a Covered Entity.
Relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or past, present or future payment for the provision of health care to a patient:
Which identifies the patient; and
With respect to which there is a reasonable basis to believe the information can be used to identify the patient.

Organized Health Care ArrangementCopy Link

A clinically integrated care setting in which patients typically receive health care from more than one health care provider.
An organized system of health care in which more than one Covered Entity participates, and in which the participating Covered Entities hold themselves out to the public as participating in a joint arrangement and participate in joint activities that include at least one of the following:
Utilization review, in which health care decisions by participating Covered Entities are reviewed by other participating Covered Entities or by a third party on their behalf.
Quality assessment and improvement activities in which treatment provided by participating Covered Entities is assessed by other participating Covered Entities or by a third party on their
behalf.
Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating Covered Entities through the joint arrangement and if PHI created or received by a Covered Entity is reviewed by other participating Covered Entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to PHI created or received by such health insurance issuer or HMO that relates to patients who are or who have been participants or beneficiaries in such group health plan.
A group health plan and one or more other group health plans, each of which are maintained by the same plan sponsor.
The group health plans described in number 4 above and health insurance issuers or HMOs with respect to such group health plans, but only with respect to PHI created or received by such health insurance issuers or HMOs that relates to patients who are or have been participants or beneficiaries in any of such group health plans.

Payment

The activities undertaken to:

Obtain premiums or determine or fulfill our responsibilities for coverage and provision of benefits.
Obtain or provide reimbursement for the provision of health care.
The activities that relate to the patient receiving health care include, but are not limited to:
Determinations of eligibility or coverage (including coordination of benefits) and adjudication or subrogation of health benefit claims;
Adjusting premium amounts due based on enrollee health status and demographic characteristics (this is aggregate data used to rate an entire group);
Billing, claims management, collection activities, or obtaining payment under a contract for reinsurance (including stop-loss);
Medical necessity review; and
Utilization review activities (preauthorization).

WTC may disclose to consumer reporting agencies any of the following PHI relating to collection of premiums or reimbursement: a patient’s name, address, date of birth, Social Security number and payment history, account number, and name and address of the patient’s health care provider and/or health plan.

Plan Sponsor

Plan sponsor is defined in section 3(16) (B) of ERISA, 29 U.S.C. 1002(16) (B). The plan sponsor is the employer or employee organization (in the case of an employer benefit plan) established or maintained by an employer (includes church and government plans). The plan sponsor is responsible for setting up the plan and regulatory reports, and retains the right to amend the plan and sign official plan documents. The plan sponsor is limited to assigned responsibilities.

Protected Health Information (PHI)

All individually identifiable health information transmitted or maintained by a Covered Entity, regardless of form.

The HIPAA Privacy and Security Rules do not protect the individually identifiable health information of persons who have been deceased for more than 50 years.

Psychotherapy Notes

Notes recorded by a health care provider who is a mental health professional documenting conversation during a private counseling session or a group, joint, or family counseling session. The information must be separated from the rest of the patient’s medical record.

Subcontractor

A person who acts on behalf of a Business Associate, other than in the capacity of a workforce member of the Business Associate. The Covered Entity is not required to have a contract with the subcontractor. The Business Associate is required to obtain satisfactory assurances from the subcontractor in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard PHI.

TreatmentCopy Link

The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Underwriting Purposes

In this context, “underwriting” refers to a group health plan, health insurance coverage, or Medicare supplemental policy. Examples of “underwriting purposes” are:

Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy. This includes changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program.
The computation of premium or contribution amounts under the plan, coverage, or policy.
Includes discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program.
The application of any pre-existing condition exclusion under the plan, coverage, or policy.
Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

“Underwriting Purposes” does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.

Use

The employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that maintains the information.

Workforce Member

The term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or a Business Associate, is under the direct control of the Covered Entity or Business Associate.

Section 1—Privacy Procedures

This section includes policies and procedures as part of West Texas Centers’ consumer (patient) privacy compliance program.

Designation of Privacy Official

West Texas Centers will designate a privacy official as required under state and federal patient privacy laws and regulations.

Procedure

The Director of Health Information is responsible for the development and implementation of policies and procedures to safeguard the privacy of consumers’ health information consistent with federal and state laws and regulations.

The specific responsibilities of the Director of Health Information include:

Developing policies and procedures as provided in section 1.8
Developing and conducting training programs on privacy policies and procedures
Responding to questions from staff and consumers concerning privacy policies and procedures
Receiving complaints concerning the privacy practices described in the notice of privacy practices as described in section 1.17
Auditing compliance with privacy policies and procedures
Investigating and correcting violations of privacy policies and procedures

The Director of Health Information may assign any of these responsibilities to other Staff Member(s) or contractors but is responsible for making sure these responsibilities are carried out.

General Staff Responsibilities

West Texas Centers will create assurances that all staff and associates act in an appropriate and compliant manner to protect consumer information under the HIPAA privacy regulations.

ProcedureCopy Link

All Staff Member(s) are responsible for safeguarding the privacy of consumer health information.

An organizational chart of positions relevant to the compliance of this privacy policy is in Appendix A. A list of privacy related positions with names is located in Appendix A.

All Staff Member(s) must:

Use and disclose protected health information only as authorized in their job description or as authorized by a supervisor
Conduct oral discussions of personal health information with other staff or with consumers and family members in a manner that limits the possibility of inadvertent disclosures
Complete a privacy training (see section 1.3)
Report suspected violations of a business associate’s contractual obligations to safeguard protected health information (see section 1.7)
Report suspected violations of the policies and procedures established in this manual by Staff Member(s) as detailed in section 1.6

These requirements may be satisfied by referring to standard job classes the Director of Health Information may establish under section 1.12, “Use and Disclosure of Protected Health Information for Health Care Operations,” definitions of the positions authorized to routinely use or disclose standard categories of protected health information.

Training and Education

West Texas Centers will ensure that all staff and associates are trained regarding the HIPAA privacy regulations and our organization’s privacy practices and that any revisions in the policies will be communicated via trainings and or notices.

Procedure

The Director of Health Information or a Staff Member(s) designated by the Director of Health Information will develop a privacy policy orientation and training program.

This purpose of this program is to make sure that all WTC employees and contractors (herein, Staff Member(s) are familiar with the privacy policies and procedures adopted by West Texas Centers.

The training and orientation program will cover:

The definition and identification of protected health information
How to provide the notice of privacy practices to all consumers and obtain a written acknowledgment of receipt
Use and disclosure of protected health information for treatment, payment, and health care operations
How to obtain authorization, when required, for use and disclosure of protected information
Procedures for handling suspected violations of privacy policies and procedures
Penalties for violations of privacy policies and procedures
Documentation required by the policies and procedures manual

Staff Member(s) will:

Receive a summary of WTC’s privacy policies and procedures
Have an opportunity to review the policies and procedures manual
Have an opportunity to ask questions about the privacy policies and procedures of West Texas Centers

All Staff Member(s) must complete the privacy policy orientation and training program during their probationary period.

Completion of the privacy policy orientation and training program will be documented in the employee’s personnel file by the Director of Health Information or the Staff Member(s) who conducts the training.
Until Staff Member(s) complete the privacy policy orientation and training program, their supervisors will closely monitor their use and disclosure of protected health information.
Before the end of a Staff Member(s) probationary period, his or her supervisor should confirm that he or she has completed privacy training.
The probationary period of any new employee who has not completed the privacy policy orientation and training program will be extended. In some cases, an employee who does not complete the privacy orientation and training program before the end of his or her probationary period will be required to complete the program before resuming normal job duties.
If privacy policies are revised, or if there is a change in regulations requiring additional training, the Director of Health Information or a Staff Member(s) designated by the Director of Health Information will develop training materials on new or revised privacy policies and procedures.
Staff whose job responsibilities are affected by a change in privacy policies and procedures must complete training on the revised policies and procedures within one month of their effective date.
Completion of training on revised policies and procedures will be documented.

Reporting of Suspected Violations of Privacy Policies and Procedures

West Texas Centers employees and associates will be responsible for reporting any suspected violations of privacy policies or procedures.

Procedure

All Staff Member(s) should report possible violations of privacy policies and procedures to their supervisor. The supervisor will notify the Director of Health Information for further investigation.

Under the following circumstances, a Staff Member(s) should not report potential violations to his or her supervisor and/or the Director of Health Information:

Violations involving the Staff Member(s) supervisor should be reported directly to the Director of Health Information
Violations involving the Director of Health Information should be reported to the Chief Executive Officer.
Staff Member(s) always have the right to contact the Department of Health and Human Services Office for Civil Rights directly as well, at OCRcomplaint@HHS.gov.
Reportable offenses include use and disclosure of protected health information that may violate:
The practices described in the notice of privacy practices form
A consumer’s authorization

Discussion of protected health information in public areas should be reported only if the discussion involves the disclosure of a substantial amount of protected health information and it would have been practical to conduct the discussion in a private area.

The Staff Member(s) reporting a violation should describe the possible violation in writing or should arrange a meeting with the supervisor and/or Director of Health Information to discuss the possible violation.

Investigation of Potential Privacy Violations by Staff Member(s)

All potential privacy violations will be investigated by the Director of Health Information or a delegate assigned by the Director of Health Information

Procedure

Upon being notified of a potential violation of privacy policies and procedures by a Staff Member(s) or consumer (under section 1.26), the Director of Health Information will:

Review any documentation
Meet with the Staff Member(s) or consumer who reported the possible violation
Meet with the Staff Member(s) who may have violated the policies and procedures
Determine what, if any, protected health information was used or disclosed
Determine whether the use or disclosure violated policies and procedures
Determine whether the violation was accidental or intentional
Recommend to the Staff Member(s) supervisor the disciplinary action, if any, that should be taken
Document the findings of the investigation and action taken on the HIPAA violation incident form

Sanctions and Penalties

Following a full investigation, appropriate sanctions will be brought against employees and associates who have been found to have violated the privacy practices of West Texas Centers.

Procedure

There are two types of violations of privacy policies and procedures:

Technical violations that do not result in the use or disclosure of protected health information
Violations that do involve the use or disclosure of protected health information

There also are two types of violations that involve use and disclosure:

Unintentional or accidental uses or disclosures
Intentional and deliberate uses and disclosures

Incidental disclosures of information, such as disclosures that occur when a consumer asks a question in a public area, do not need to be reported, documented, or investigated. No sanction will be imposed for incidental disclosures of information. Staff Member(s) should, nevertheless, make reasonable efforts to minimize incidental disclosures.

The severity of penalties varies with the type of violation. The most severe penalties apply to the intentional disclosure of protected health information in violation of policies and procedures. The least severe penalties apply to unintentional technical violations of policies that do not result in the disclosure of protected health information.

Examples of violations include:

Technical violations—When obtaining an authorization, a Staff Member(s) fails to notice that the consumer signed but did not date the authorization form.
Accidental disclosure—Information on the wrong consumer is accidentally sent to a third-party payer.
Intentional disclosure—A Staff Member(s) provides a drug company representative a list of consumers with an identified medical condition without obtaining the consumer’s authorization for this disclosure.

The procedures and penalties that apply to each of these types of violation are defined in sections 1.6.1-1.6.3 below.

The Director of Health Information shall establish and maintain files that document all actions taken to impose sanctions under section 1.6.

This information shall include:

A description of, and documenting evidence for, the violation
A statement clarifying the nature of the violation, specifically indicating whether it was technical or involved the use or disclosure of protected health information, and whether the violation of policies was accidental or intentional
A description of the sanction that was imposed

An unproven or unsubstantiated allegation of a violation of privacy policies and practices does not have to be documented.

Sanctions and Penalties for Technical Violations Not Involving Use or Disclosure

A Staff Member(s) who commits a technical violation of privacy policies and procedures that does not result in any use or disclosure of protected health information will:

Meet with his or her supervisor to review the policies and procedures that were violated
Demonstrate to the satisfaction of the supervisor that he or she understands the policies and procedures that should be followed in similar circumstances

The violation will be documented in the Staff Member(s) personnel file. A pattern of repeated technical violations, even if none result in the inappropriate use or disclosure of protected health information, may result in transfer to another position, suspension, or termination of the Staff Member(s) per WTC employment policies.

Sanctions and Penalties for Unintentional Violations Involving Use and Disclosure

A Staff Member(s) who unintentionally uses or discloses protected health information in violation of the privacy policies and procedures will:

Meet with his or her supervisor to review the use or disclosure of protected health information that violated WTC’s policies and procedures or the Staff Member(s) authority to use or disclose information
Demonstrate to the satisfaction of the supervisor that he or she understands the uses and disclosures that he or she is authorized to make under the practice’s policies and procedures

The violation will be documented in the Staff Member(s) personnel file. A pattern of repeated unauthorized use or disclosure of protected health information will result in transfer to another position, suspension, or termination of the Staff Member(s) per WTC employment policies.

Sanctions and Penalties for Intentional Violations Involving Use and Disclosure

The intentional violation of privacy policies and procedures may result in immediate suspension in addition civil or criminal penalties may be imposed, pending further investigation and termination per WTC employment policies. Documentation of the investigation of the violation must show clear evidence that the disclosure of information was intentional and deliberate. That is, the Staff Member(s) must have disclosed the information knowing that the disclosure violated the policies and procedures of the practice.

If the Staff Member(s) has previously disclosed the same or similar type of information under the same or similar circumstances, it will be presumed that the disclosure was intentional and deliberate.

Business Associates

West Texas Centers protects the confidentiality and integrity of health information of its consumers. This procedure defines the guidelines that must be followed for business associates who come into contact with protected health information.

Definition: A business associate is any person or organization that performs or helps perform any function or activity that involves the use or disclosure of protected health information.

In short, any person (other than an employee or other member of the practice staff) or organization that receives transmits, or uses protected health information from West Texas Centers is a business associate. A business associate may receive protected health information from WTC, create protected health information for WTC, or transmit data on behalf of WTC.

Protected health information may be disclosed to business associates only if West Texas Centers receives satisfactory assurances that the business associate will safeguard the privacy of the protected health information that it creates or receives.

Business Associate Agreements

A sample business associate agreement can be found in appendix A at the end of this Policy.

Procedure

Written contracts or agreements must be negotiated between a WTC and any business associate that will handle protected health information it receives from or creates for the practice. This contract or agreement must include provisions that:

Agree to sign a business associate and/or the Texas Health and Human Services (HHS) Data Use Agreement (DUA). The DUA is to facilitate creation, receipt, maintenance, use, disclosure, or access to confidential information with contractor; contractor rights and obligations with respect to the confidential information; the purposes for which the contractor may create, receive, maintain, use, disclose or have access to confidential information; the remedies in the event of noncompliance with its obligations under the DUA.
Identify the uses and disclosures of protected health information permitted under the contract
Permit the business associate to use or disclose the information only as permitted under the privacy standards
Restrict use and disclosure of the protected health information the business associate creates or receives to those that are specified in the contract
Call on the business associate to fully comply with the provisions of the HIPAA privacy and security regulations, not limited by specific references in the contract with West Texas Centers
Provide for reporting to West Texas Centers any use or disclosure of protected health information not provided for under the business associate’s contract
Require the business associate to apply the same restrictions and conditions on use and disclosure of protected health information to the agents and subcontractors to whom it forwards the protected health information
Make protected health information available to consumers as provided under section 1.23
Amend any protected health information that it receives when asked to do so by West Texas Centers
Make available to West Texas Centers the information it needs to account for uses and disclosures of protected health information as provided under section 1.25
Make internal practices, books, and records related to the use and disclosure of protected health information available to HHS for the purposes of determining compliance with the privacy standards
Return, if feasible, all protected health information to West Texas Centers upon termination of the contract, and destroy any copies of such information. When return and/or destruction of protected health information is not feasible, the business associate will extend contractual protections to the use and disclosure of the information for the purposes that make its return or destruction not feasible.
Notify West Texas Centers in the event of an unauthorized disclosure of unsecured PHI
Provide for termination of the contract if the business associate violates these contractual provisions
Comply with the privacy rule to the extent the business associate is carrying out the organization’s obligations under the privacy rule
Business associates must enter into business associate agreements with their subcontractors that impose the same obligations that apply to the business associates themselves

Duty of Staff to Report Contractual Breaches by Business Associates

Procedure

If a Staff Member(s) becomes aware of activities or practices by the business associate that violate WTC’s contractual obligations, the activities or practices must be reported to the Director of Health Information

Investigation and Correction of Contractual Breaches

Procedure

When the Director of Health Information is notified that a business associate has violated a contractual provision related to the privacy of protected health information, he or she must implement the following procedure to correct the violation.

The Director of Health Information will contact the business associate and determine whether a contractual provision has been violated.
If a contract provision has been violated, the Director of Health Information will contact the
Director of Human Resources who will identify steps to be taken by the business associate that will enable it to comply with its contractual obligations.
The Director of Health Information and Director of Human Resources will review the corrective action steps with the business associate and determine whether those steps or other measures suggested by the business associate will correct the violation. If an agreement can be reached, the corrective measures will be summarized in writing and sent to the business associate.
The Director of Human Resources will monitor the implementation of the corrective action measures by periodically contacting the business associate. The Director of Human Resources may discontinue monitoring the contract after receiving adequate assurances that the corrective measures have been implemented and that the contract provisions will be complied with in the future.
f it is not possible to develop an acceptable corrective action plan, the Director of Human Resources should implement the procedures established in section 1.7.4 to terminate the contract.

Reporting of Contractual Breaches by Business Associates

Procedure

When the Director of Human Resources is not able to correct violations of contractual obligations by a business associate, he or she should implement the following procedure.

Identify an alternative source for the services provided by the business associate.
Refer the matter to the Chief Executive Officer and other responsible parties regarding termination of the contract with a request that formal action be taken to terminate the contract.
Have WTC’s legal counsel notify the business associate that action will be taken to terminate the contract if the violation of contract provisions is not immediately corrected.
Monitor the status of the contract and arrange for replacing the business associate when the contract is formally terminated.

If the contract cannot be terminated, the contract violation should be reported by the Corporate Compliance Officer to HHS as required by federal regulations.

Development and Maintenance of Privacy Policies and Procedures

West Texas Centers is responsible for developing and maintaining written privacy policies and procedures pursuant to the HIPAA privacy standards.

Procedure

The Director of Health Information will develop policies and procedures that are reasonably designed to ensure compliance with federal and state standards for the protection of the privacy of health information. The Director of Health Information may delegate this responsibility to a Staff Member(s), but such delegation must be reflected in that Staff Member(s) job description, and the Director of Health Information will supervise the development of all privacy policies and procedures.

The Director of Health Information must:

Monitor changes in federal and state law and regulations that may require changes in privacy policies and procedures
Notify the executive team of the issuance of new or revised federal or state requirements and describe the need to modify policies and procedures, including the date by which revised policies and procedures must be implemented
Take the initiative to develop new or revised policies and procedures as necessary to meet the requirements of new laws and regulations
Identify any revisions needed in the privacy orientation and training program to reflect revised policies and procedures

Before a revised policy or procedure is submitted for approval, the Director of Health Information will review the notice of privacy practices form (see section 1.17) and determine whether the notice must be revised to reflect the new privacy policies or procedures.

The effective date of a revised policy or procedure must not be earlier than the date on which the revised notice of privacy practices is posted and made available to consumers.

All policies and procedures must be approved by the executive team and the Director of Health Information before they can be implemented.

New or revised policies and procedures are to be communicated to staff through the following:

An all-staff memorandum from the Director of Health Information will announce the adoption of the new or revised policies and indicate affected staff functions. This memorandum should describe the new policy, indicate its effective date, and indicate the date on which the new policy will be available for staff review.
The Director of Health Information or a designated representative will announce the adoption of the new policies at appropriate staff meetings and provide appropriate training.
A memorandum from the Director of Health Information to those Staff Member(s) whose job responsibilities are directly affected by the new policies should indicate whether training or orientation meetings or programs will be held and whether background information on the new policies is available. A copy of the revised policy should be attached to the memorandum, or staff should be directed to consult the updated policy and procedure manual.
Copies of the revised policy will be distributed to Staff Member(s) for updating their copies of the policy manual.

Identifying Protected Health Information

WTC will treat as PHI any information that relates to a consumer’s health condition, identifies a consumer, or for which there is reasonable basis to believe the information can be used to identify the consumer, and limit the use and disclosure of such information.

Individually identifiable health information

Information that is a subset of health information, including demographic information collected from a consumer, and:

Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
Relates to the past, present, or future physical or mental health or condition of a consumer; the provision of health care to a consumer; or the past, present, or future payment for the provision of health care to a consumer; and
Identifies the consumer; or
With respect to which there is a reasonable basis to believe the information can be used to identify the consumer.

Protected Health Information (PHI)

A consumer’s personally identifiable health information that is:

Transmitted by electronic media;
Maintained in any medium described in the definition of electronic media; or
Transmitted or maintained in any other form or medium, including paper and fax documents and oral communications.

PROCEDURE

WTC will protect the use and disclosure of a consumer’s individually identifiable health information by treating certain identifiers as PHI. The identifiers pertain to the consumer as well as the consumer’s family members, employers or household members and include, but are not limited to:

Names;
Geographic designations smaller than a state, including street address, city, county, precinct, and zip code (except that the first three digits of the zip code may be used if the area has more than 20,000 residents);
All elements of dates (except for year) directly related to a consumer, including birth date, admission date, discharge date, date of death, and age (although the year of age may not be used if the consumer is over 89 unless aggregated into a single category of age 90 or older);
Telephone numbers;
Fax numbers;
Email addresses;
Social Security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers, serial numbers, and license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs) and Internet Protocol (IP) addresses;
Biometric identifiers, such as fingerprints;
Full-face photographs and any comparable images; and
Any other unique identifying number, characteristic, or code.

If individually identifiable health information is “de-identified,” it is no longer treated as PHI. WTC may de-identify information by removing all identifiers described above.

Minimum Necessary

Employees may not use, request, or disclose to others, any PHI that is more than the minimum necessary to accomplish the purpose of the use, request, or disclosure. This includes business information.

WTC shall limit disclosures to the extent practicable to the limited data set, as defined in 45 CFR section 164.514(e)(2), or if needed by the receiving entity, to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

Employees who use PHI not related to their jobs (orally, or from written records or computer terminals) or employees who disclose PHI to any party in violation of this policy or any other privacy policy, shall be subject to disciplinary procedures as per the WTC Sanction Policy including, but not limited to, dismissal. All employees are required to sign and abide by the Employee Confidentiality and Security Agreement.

WTC may rely on a request from another entity for PHI as representing the minimum necessary for the stated purpose, if such reliance is reasonable under the circumstances, and if:

The request is from a public official.
The disclosure to the public official must otherwise be permitted under WTC’s policies.
The public official must represent the information requested is the minimum necessary for the stated purpose(s).
The information is requested by another Covered Entity.
The information is requested by a professional who is an employee or a Business Associate.
The purpose of the request is to provide professional services to the Covered Entity.
The professional represents the information requested is the minimum necessary for the stated purpose(s).

Exceptions

WTC is not limited in the amount of PHI it may disclose to a provider of health care for the purpose of medical treatment.

When federal or state law requires a disclosure of PHI, the minimum necessary information is that which is required to comply with such law. Requests for PHI made by the federal government in the course of a complaint investigation or compliance review and undertaken under Federal Privacy Rule are deemed to meet the minimum necessary rule.

The minimum necessary rule does not apply when disclosing a consumer’s PHI to the consumer or the consumer’s personal representative.

All information requested within an authorization may be disclosed in accordance with that authorization. This policy does not limit such disclosures.

Designation of Record Sets

The Access of PHI Policy and Amending PHI Policy permits patients to request access to their Protected Health Information (PHI), receive copies of it, and request certain information be amended. This applies only to information stored in a Designated Record Set.

Designated Record Sets are sets of records containing PHI and used to make decisions about individual patients.

Procedure

The following are WTC’s designated record sets:

A group of records maintained by or for a Covered Entity that is:
The medical and billing records about individuals maintained by or for a covered health care provider;
The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
Used, in whole or in part, by or for the Covered Entity to make decisions about individuals.
For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a Covered Entity.”
The record consists of paper files housed at several locations operated by West Texas Centers, paper records stored off site and electronic files stored in the electronic health records.

Documentation and Record Keeping

West Texas Centers will establish and maintain appropriate systems for maintenance of documentation under the HIPAA privacy regulations. This documentation will be retained for the appropriate timeframes based on the regulations and West Texas Centers procedures.

Procedure

The Director of Health Information will establish and oversee record-keeping systems to maintain the documentation required by the HIPAA privacy regulations, 42 CFR Part 2 and any other applicable federal or state regulation or law as discussed in various policies throughout this manual.

The information to be maintained in written documentation includes, but is not limited to:

The policies and procedures contained in this procedure manual
The notice of privacy practices
The signed acknowledgment of receipt of the notice of privacy practices
Signed authorization forms
Records of recommended disciplinary actions and actions taken against Staff Member(s) for violations of privacy policies and procedures
Records of actions taken to enforce compliance with contract provisions by business associates
Complaint forms received from consumers or other individuals and associated written correspondence
All requests for an accounting of disclosure of protected health information and records related to such requests
All requests for amendment of protected health information and records related to the disposition of such requests

Retention of Records

Procedure

All documentation of actions called for by other policies and procedures contained in this manual will be retained for a minimum of the program regulation from the date the information was created as follows:

Programs under Health and Human Services (HHS)
State Agency	Minimum Retention Period
Texas Health and Human Services (HHS)/Early Childhood Intervention(ECI) Program	Seven years after the child has been dismissed from services unless a longer period is required by state or federal law. (26 TAC 350)
Texas Health and Human Services (HHS)	Original medical records for a minor until a minor’s twenty-fourth birthday or five years from the date of service, whichever is later. (40 TAC 15)
Texas Health and Humans Services (HHS) Adults & Children	Seven years past the last date on which services was given or until the consumer’s 21^st birthday, whichever occurs later. (22 TAC 165)

In the case of policies and procedures, the retention period will be measured from the date of the most recent revision of the procedure. In other words, when new policies are issued, a copy of the policies that are superseded should be retained for reference purposes for six years following the last day the policy was in effect.

Record Destruction – All hardcopy medical records that require destruction are shredded using National Institute of Standards and Technology (NIST) 800-88 guidelines.

Routine and Recurring Disclosures of Protected Health Information

WTC limits routine and recurring disclosures of PHI to the minimum necessary amount of information that is reasonably necessary to accomplish the purpose of the request or disclosure, in compliance with applicable federal and state laws and regulations.

Some examples of routine and recurring disclosures are:

To health care providers for claims payment and billing purposes;
To entities under an Organized Health Care Arrangement for the purposes of Treatment, Payment, Health are Operations and certain quality improvement activities;
To a Business Associate under contract to provide specified services; and
To a plan sponsor and specified consumers for Payment and Health Care Operations of a selffunded plan under an ASO Agreement that permits such disclosure.

Routine and recurring types of PHI disclosure may only occur per the Uses and Disclosures of PHI Policy. Information disclosed in aggregate form that cannot identify an individual consumer is not considered PHI and is not subject to the HIPAA Privacy policies and procedures.

Reports containing PHI

The Privacy Officer must review all new and revised non-routine and recurring reports that contain PHI being disclosed to an external party prior to the disclosure.

Use and Disclosure of Mental Health Information

Procedure

WTC and its personnel may use and disclose Protected Health Information related to mental health care. Describe the appropriate use and disclosure of mental health information.

Psychotherapy notes

“Notes that are recorded (in any medium) by a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the consumer’s medical record. These are records that are kept as private records of a mental health professional. Psychotherapy notes do not include medical records concerning psychiatric or psychological consultations at WTC, or records made by WTC personnel concerning the mental health, well-being, or complaints by consumers. Psychotherapy notes do not include medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies or treatment furnished, results of clinical tests, and any summary of diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.”

Use and Disclosure of Psychotherapy Notes

WTC personnel will obtain consumer authorization to use or disclose psychotherapy notes, except in the following circumstances:

The originator of the psychotherapy notes may use those notes for treatment of the consumer.
WTC personnel, under supervision, may use psychotherapy notes to carry out training programs in mental health. The psychotherapy notes will not be included in the consumer’s medical records. The students or trainees in the training programs may examine psychotherapy notes under supervision but will not obtain copies of the psychotherapy notes.
WTC personnel may use or disclose psychotherapy notes to defend a legal action or other proceeding brought by the consumer.
WTC personnel will use or disclose psychotherapy notes when they are required by another law to do so.
WTC personnel will disclose psychotherapy notes to the Secretary of DHHS during DHHS investigations of WTC’s compliance with the HIPAA Privacy Standards if DHHS specifically requests to see psychotherapy or mental health professional’s personal notes.
WTC personnel will disclose psychotherapy notes to health oversight agencies if a health oversight agency specifically requests to see psychotherapy notes or the mental health professional’s personal notes.
WTC personnel may disclose psychotherapy notes to coroners and medical examiners regarding deceased consumers if they represent to WTC personnel that those notes are necessary for them to perform their functions.
WTC personnel may use or disclose psychotherapy notes where necessary to avert a serious and imminent threat to safety. In this circumstance, WTC personnel will first consult with the Compliance Office.

Use and Disclosure of Information Obtained During Court-ordered or Voluntary Evaluation, Examination and Treatment of a Person with a Serious Mental Illness

All records and other information obtained in the course of evaluation, examination, or treatment of a person subject to the mental health evaluation and treatment provisions are confidential. WTC personnel will disclose these records only as listed in the paragraphs below. If this information includes “psychotherapy notes,” WTC personnel will follow the provisions of paragraph 2 below with regard to the psychotherapy notes only, but will follow the provisions of this paragraph regarding all other information.

WTC personnel may disclose this information to mental health professionals and other providers of health, mental health, or social and welfare services involved in caring for, treating, or rehabilitating the consumer.
WTC personnel may disclose this information to persons to whom the consumer has given written authorization to receive the information. WTC personnel will use the WTC Release of Information form, or a form that meets the authorization requirements set forth in WTC’s policy on authorization.
WTC personnel may disclose this information to the consumer’s legal representative, such as a court-
appointed guardian, or the consumer’s agent appointed under the consumer’s health care directive.
WTC personnel will have a signed authorization to disclose this information to the consumer’s
attorney.
WTC personnel will disclose this information to a person when ordered by a court to do so.
WTC personnel may disclose this information to a jail/correctional institution if the consumer is an inmate with a county, state or federal jail/correctional institution and an appropriate official represents in writing to WTC personnel the information is necessary for:
- The provision of health care to the consumer;
- The health and safety of the consumer or other inmates;
- The health and safety of officers or employees;
- The health and safety of people transporting inmates;
- Law enforcement on the premises; or
- The administration and maintenance of the “safety, security, and good order of the correctional institution.”
If the corrections official cannot make this representation in writing because of the immediate need for such information, WTC personnel will seek such representation verbally and document the representation in the consumer’s medical record.
WTC personnel may disclose limited information to governmental or law enforcement agencies when necessary to secure the return of a consumer who is on an unauthorized leave of absence from any agency where the consumer was undergoing evaluation and treatment. WTC personnel will limit the information provided to name, address, date and place of birth, Social Security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death (if applicable), and a description of distinguishing physical characteristics (such as height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos). If governmental or law enforcement officials need additional health information, WTC personnel will consult with the Compliance Office before disclosing any additional information.
WTC personnel may disclose this information to family members actively participating in the consumer’s care, treatment, or supervision, but only if a mental health professional or other professional interviews the consumer and determines the release of information is in the best interest of the consumer. If the mental health professional or professional documents in the record that release is in the best interest of the consumer, WTC personnel will release only information relating to the person’s diagnosis, prognosis, need for hospitalization, anticipated length of stay, discharge plan, medication, medication side effects, and short- and long-term treatment goals.
WTC personnel may release information to a state agency that licenses health professionals and requires records in the course of investigating complaints or negligence or incompetence, such as the Texas Medical Board, except that pursuant to 45 C.F.R. 164.512(d) (2), WTC will not release information where the consumer for whom records are requested is the subject of the investigation.
WTC personnel may release information to local or state education official for a consumer between the age of three (3) and twenty-two (22) years, where the agency represents the information is necessary to provide educational services to persons with disabilities. The information provided will be limited to evaluation and treatment information affecting the educational programming and placement decisions for the consumer, and will be made only with the authorization of the consumer or consumer’s representative.
WTC personnel will release this information to a governmental agency or a competent professional as necessary to comply with state statutes concerning sexually violent persons.
WTC personnel will release this information to human rights committees, only with the authorization of the consumer or consumer’s representative.
WTC personnel will not make any use or disclosure other than that listed in this policy without first consulting with the Compliance Office.

Verification of Identity and Authority

WTC personnel will verify the identity and authority of the recipient of the PHI.

Disclosing the Minimum Necessary Amount of PHI

WTC personnel will disclose only the minimum amount of PHI necessary for the purpose.

Use and Disclosure of Protected Health Information for Treatment Purposes

West Texas Centers uses protected consumer information pursuant to its notice of privacy practices and under the guidance of the HIPAA privacy regulations for purposes of consumer treatment. The use and disclosure of information for the purpose of treatment does not require specific authorization (see section 1.18).

Procedure

The use of information for treatment purposes is described in the notice of privacy practices. Before nonemergency treatment is initiated, an effort must be made to obtain the consumer’s written acknowledgment of having received the notice of privacy practices. Obtaining the written acknowledgment is the responsibility of the assigned West Texas Centers associate. If the consumer’s acknowledgment cannot be obtained, the attempt to obtain an acknowledgment should be documented in writing.

Procedures for obtaining the acknowledgment are described in section 1.17.

Sharing of PHI for Treatment Purposes

A provider who is not a member of the practice may contact the Director of Health Information and request information for the purpose of treating a consumer previously treated at West Texas Centers, the Director of Health Information or appointed staff may provide information without appropriate authorization in cases of emergency. It is not necessary for the consumer to authorize the disclosure of protected health information that will be used for the purpose of treatment when it is an emergency.

When disclosing information to another provider for purposes of payment, Staff Member(s) should use the following procedure.

A consumer may have requested and been granted restrictions on the use or disclosure of protected health information. Director of Health Information or appointed staff should review the consumer’s records to determine if any restrictions have been placed on the use or disclosure of protected health information.
Before disclosing information for treatment purposes, Director of Health Information or appointed staff must verify the identity of the person making the request. In other words, the Director of Health Information or appointed staff must determine that the person making the request is, in fact, a health care professional who is requesting the information for the purpose of treatment. If the professional is known to the practice, is a member of a group that is known to Director of Health Information or appointed staff, or is affiliated with a facility that is known to the practice, Director of Health Information or appointed staff may presume that the provider is who he or she claims to be. Otherwise, Director of Health Information or appointed staff should obtain additional assurances sufficient to satisfy his or her professional judgment that the person requesting the information is a health care provider who will use the information for purposes of treatment.
If the request is made in person, verification of identity may be accomplished by asking for photo identification (such as a driver’s license or agency identification badge).
If the request is made over the telephone, verification may be accomplished by requesting identifying information such as birth date, address, and/or medical record number and confirming that this information matches what is in the consumer’s record. (The last four digits of the consumer’s social security number (SSN) may be used as a last resort.) Or, verification will occur through a call-back process using phone numbers documented in the consumer record to validate the caller’s identity or the main number of a business posted on their website or other public media source (Staff should not take a call back number from the person making the request over the telephone and notify the person that the staff will provide the information by calling the main number).
If the request is made in writing, verification may be accomplished by requesting a photocopy of photo identification. If a photocopy of the ID is not available, the signature on the written request must be compared with the signature in the Medical Record. In addition, staff may need to verify the validity of the written request by contacting the consumer by telephone.
Protected health information should be sent only to the verified business address or phone number of the provider requesting it.

When a Staff Member(s) requires information on a consumer’s health condition from another provider, he or she may request the needed information. The consumer will need to authorize this request.

The information requested must, however, be used for the purpose of evaluating the consumer’s medical condition or determining a course of treatment. A consumer may have requested and been granted a restriction on the information that is to be used or disclosed to other providers. In this situation, the restriction must be honored.

Use and Disclosure of Protected Health Information for Payment Purposes

West Texas Centers uses protected consumer information pursuant to its notice of privacy practices and under the guidance of the HIPAA privacy regulations for payment purposes. The use and disclosure of information for payment purposes does not require specific authorization, but only the minimum necessary amount of information must be made available.

Procedure

Use and disclosure of protected health information is permitted under this procedure to conduct the following activities:

Providing information to the consumer’s health plan to determine the consumer’s eligibility for benefits and coverage
Submitting a claim for services to the consumer’s health plan
Processing credit card transactions or transactions to obtain authorization for personal checks
Providing information needed by the consumer’s health plan to determine coverage, including information needed by the health plan to conduct medical review

Before seeking payment for nonemergency treatment, a consumer must be given the notice of privacy practices, and a written acknowledgment of receipt must be obtained. Obtaining the acknowledgment is the responsibility of the assigned WTC associate.

Procedures for obtaining an acknowledgment are described in section 1.17.

Use and disclosure of protected health information for payment purposes is limited to the information that can be transmitted using the standards for electronic transactions. These restrictions apply whether the transaction is conducted electronically or using paper forms.

Use and Disclosure of Protected Health Information for Health Care Operations

West Texas Centers uses protected consumer information pursuant to its notice of privacy practices and under the guidance of the HIPAA privacy regulations for purposes of health care operations. The use and disclosure of information for health care operations-related activity does not require specific authorization, but only the minimum necessary amount of information must be made available.

Procedure

Use and disclosure of protected health information is permitted under this procedure to conduct the following activities:

Quality assessment and improvement
Professional credentialing
Medical and utilization review
Legal services
Auditing
Business planning and market research
Grievance procedures
Due diligence analysis related to sales and acquisitions
Creation of de-identified information and limited data sets
Customer service
Compilation of consumer directories
Compliance monitoring
Health information exchange sharing

Before using or disclosing protected health information for any of the functions included in health care operations, WTC must give the consumer its notice of privacy practices.

Obtaining an acknowledgment of receipt of the notice is the responsibility of the assigned WTC associate at each program. Procedures for obtaining an acknowledgment are established in section 1.17.

Use and Disclosure of Protected Health Information for Health Oversight Activities

WTC may disclose Protected Health Information (PHI) in response to certain legal requests without obtaining authorization from the consumer.

WTC shall ensure all disclosures of PHI requested for health oversight purposes comply with established procedures designed to protect and limit the amount of information disclosed.

Procedure

WTC may disclose PHI to a health oversight agency for oversight activities authorized by law, including audits, civil, criminal, or administrative investigations, inspections, licensure or disciplinary actions, or other activities necessary for appropriate oversight of:

The health care system;
Government programs for which health information is necessary to determine eligibility for benefits;
Entities subject to government regulatory programs for which health information is necessary to determine compliance with program standards; or
Entities subject to civil rights laws for which health information is necessary to determine compliance with those laws.

In cases where a consumer is the subject of the investigation or other activity, WTC will not disclose PHI without authorization of the consumer unless the investigation, or other activity, arises out of and is directly related to:

The receipt of health care;
A claim for public benefits related to health; or
Qualification for, or receipt of, public benefits or services when the consumer’s health is integral to the claim for public benefits or services.

WTC may disclose PHI for public health purposes without authorization to a person or entity subject to FDA jurisdiction. The request must be related to the quality, safety, or effectiveness of an FDA- regulated product or activity for which that person has responsibility. Examples include:

Collecting or reporting adverse events (or similar reports with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;

Tracking FDA-regulated products;
Enabling product recalls, repairs, or replacement (including locating and notifying individuals who have received products that have been recalled, withdrawn, or have other problems); or
Conducting post-marketing surveillance.

WTC must limit its disclosure of PHI to the minimum necessary to meet the requirements of the law pursuant to which the request is made.

If a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits unrelated to health, WTC will consider the joint activity or investigation to be a health oversight activity.

WTC personnel who receive a request for PHI for health oversight purposes should forward the request to the Director of Health Information.

Director of Health Information will: (1) verify the identity of the requestor; (2) ensure the request for records complies with applicable regulations; and (3) notify the originator of the request if the subpoena or request for records does not comply with applicable regulations.

For an FDA-related investigation, WTC personnel may identify the entity or entities responsible from the product label, written material that accompanies the product, or from sources of labeling, such as the Physicians’ Desk Reference.

Documentation: WTC personnel must appropriately document the request and delivery of the PHI, including the name/identity of the requestor, the consumer whose PHI was disclosed, the WTC personnel who made the disclosure, the nature of the information disclosed and the date of the disclosure. This documentation should be made in the consumer’s medical record.

Disclosures of Protected Health Information Relating to Judicial and Administrative Proceedings

WTC may disclose PHI in response to certain legal requests without obtaining authorization from the consumer.

WTC shall ensure all disclosures of PHI requested in litigation or administrative proceedings comply with established procedures designed to protect and limit the amount of information disclosed.

Qualified Protective Order

Qualified Protective Order means either: an order of a court or administrative tribunal or a stipulation of the parties to the underlying proceeding, which:

Prohibits the parties to the underlying proceeding from using or disclosing PHI for any purpose other than the litigation or proceeding for which such information was requested; and
Requires that, at the conclusion of the litigation, the PHI is either destroyed or returned to WTC.
Reasonable efforts to secure a Qualified Protective Order means WTC receives a written statement and accompanying documentation (such as a copy of the order or stipulation) demonstrating that:
The parties to the underlying dispute have agreed to a Qualified Protective Order and have presented it to the court or administrative tribunal; or
The requesting party has requested a Qualified Protective Order from the court or administrative tribunal.

Reasonable efforts to notify the consumers whose PHI is being sought means WTC receives a written statement and accompanying documentation (such as a copy of the notice used) demonstrating that:

The requesting party has made a good faith effort to provide a written notice of the request to the persons whose PHI is being requested, including sufficient information regarding the underlying litigation or proceeding to permit the persons to raise objections before the court or administrative tribunal; and
The time for the persons whose information is being requested to raise objections has elapsed and no objections were filed, or the objections have been resolved such that the disclosure is permitted.

If the requesting party provides satisfactory assurance through the notification process, it is not the responsibility of WTC to respond to any objections from consumers who receive the notice or to explain the procedures by which to object, unless otherwise required by law.

Procedure

WTC may disclose PHI in response to a court or tribunal order. If WTC makes a disclosure for this purpose, it may only disclose that PHI which is expressly authorized by the order.

In the absence of a court order, WTC may disclose PHI in response to a subpoena, discovery request, or other lawful process. If WTC makes a disclosure for this purpose, it must receive “satisfactory assurance” that the requesting party has made reasonable efforts either to:

Secure a qualified protective order; or
Notify the consumer(s) whose PHI is being sought.

If WTC does not receive the required satisfactory assurance, it may not disclose the PHI, except that if WTC chooses, it may make its own efforts to respond and provide notice to the individual, or seek a Qualified Protective Order.

In responding to the request, WTC must disclose only the minimum amount of information necessary to comply with its terms.

WTC personnel who receive a request for PHI through a court order, grand jury subpoena, or for law enforcement purposes should contact the Director of Health Information

Once the determination is made for a use or disclosure is lawful and appropriate under this Policy and Procedure, WTC Director of Health Information or appointed staff should verify the identity and authority of the individuals requesting the PHI.

Once the identity and authority of the requestor has been verified, Director of Health Information or appointed staff may complete the request.

Documentation: WTC personnel must appropriately document the request and delivery of the PHI, including the name/identity of the requestor, the consumer whose PHI was disclosed, the WTC personnel who made the disclosure, the nature of the information disclosed, and the date of the disclosure. This documentation should be made in the consumer’s medical record.

Use and Disclosure for Specialized Government and Law Enforcement Officials

West Texas Centers may use and disclose protected health information without written consumer authorization for certain legal requests or specialized government functions as described below. These specialized government functions are:

Certain military and veterans activities, as required by the federal government
National security and intelligence activities
Protective service for the President of the United States and others as authorized by law
Certain medical suitability determinations
A correctional institution or other law enforcement custodial situation
Government programs providing and/or administering public health benefits

Use and Disclosure for Military, Government, Law Enforcement, and Judicial Purposes

Procedure

West Texas Centers may use and disclose information as appropriate to support military missions if appropriately directed by federal government agencies.

West Texas Centers may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counterintelligence, and other national security activities authorized by law.

WTC shall ensure all disclosures of PHI requested for law enforcement purposes comply with established procedures designed to protect and limit the amount of information disclosed.

West Texas Centers staff may disclose protected health information requested by law enforcement agencies without obtaining the consumer’s authorization.

WTC may disclose PHI (requested for a law enforcement purpose) to a law enforcement official as described in a court order or court-ordered warrant. All subpoenas, administrative requests, summons, and civil authorized investigative demand shall follow the WTC Policy relating to Disclosures of PHI Relating to Judicial and Administrative Proceedings Policy or contact the Director of Health Information

WTC may disclose PHI in response to a law enforcement official’s request for such information for identifying or locating a suspect, fugitive, material witness, or missing person.

WTC Staff Member(s) may report certain wounds and physical injuries to the Department of Family Protective Services [Adult Protective Services (APS) and/or Child Protective Services (CPS)] as required by state law.

WTC Staff Member(s) may report the name and address, date and place of birth, Social Security number, ABO blood type and Rh factor, type of injury, date and time of treatment or death, and a description of physical characteristics (height, weight, gender, race, hair and eye color, presence or absence of facial hair, beard or moustache, scars, and tattoos; and photograph of consumer if available) when requested by a law enforcement official.

Staff may not report other information such as information related to DNA or DNA analysis, dental records, tissue typing, samples, or the analysis of body fluids or tissues without a court order, subpoena, or summons.

WTC Director of Health Information or appointed staff may report protected health information concerning the victim of a crime, but only with the agreement of the victim if victim is capable or when a law enforcement office indicates that the information is needed to investigate suspected criminal activity.

If WTC Director of Health Information or appointed staff is unable to obtain the consumer’s agreement because of incapacity or other emergency circumstance, WTC may disclose PHI if WTC-Director of Health Information or appointed staff obtains representations from the requesting law enforcement official that:

Such information is needed to determine whether a violation of law by a person other than the victim occurred, and such information is not intended to be used against the victim; and
Immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the consumer is able to agree to the disclosure; and
WTC Director of Health Information or appointed staff makes a determination, in the exercise of professional judgment, which the disclosure is in the best interests of the consumer.

Requests for disclosures made for the purposes of this section must be submitted by an authorized law enforcement official.

WTC Director of Health Information or appointed staff may disclose PHI about a consumer who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the consumer if WTC-Director of Health Information or appointed staff has a suspicion that the death may have resulted from criminal conduct.

WTC Director of Health Information or appointed staff may disclose PHI to a law enforcement official if WTC Director of Health Information or appointed staff believes, in good faith, the information constitutes evidence of criminal conduct that occurred on the premises of WTC-Director of Health Information or appointed staff.

WTC Director of Health Information or appointed staff may disclose PHI to a law enforcement official to report a crime in an emergency situation.

WTC Director of Health Information or appointed staff may make a disclosure for this purpose if the disclosure appears necessary to alert law enforcement to:

The commission and nature of a crime;
The location of a crime or the victim(s) of the crime; or
The identity, description, and location of the perpetrator of the crime.
WTC Director of Health Information or appointed staff may report protected health information that is evidence of criminal conduct on the premises of the practice.

WTC Staff Member(s) should refer requests for protected health information received from law enforcement agencies to the Director of Health Information. The Director of Health Information will review requests for protected health information and obtain a legal opinion if he or she believes one is necessary before approving the disclosure of the requested information.

In regard to a judicial or legal action, WTC Director of Health Information or appointed staff may disclose protected health information only when such information does not contain references to alcohol or substance abuse in the following circumstances:

The information has been requested by means of a subpoena accompanied by a valid consent for release or satisfactory assurance as stated below.
The party seeking the protected health information has made a good-faith effort to provide a written notice to the subject of the request, has provided sufficient information to the subject of the request to permit the individual to object to the disclosure, and has resolved any objections that may have been raised or;
The party seeking the protected health information provides written documentation that it has entered into or otherwise obtained a qualified protective order that a) prevents the parties to the legal action from using or disclosing protected health information for any purpose not related to the litigation or legal proceeding for which the information was requested, and b) requires the return or destruction of the protected health information at the conclusion of that proceeding.
The information has been requested in a court order or an order of an administrative tribunal.
The information has been requested by means of a subpoena, discovery request, or other legal process accompanied by a court order.
The information has been requested by means of a grand jury subpoena.

If protected health information contains references to alcohol or substance abuse treatment such information must be redacted unless a valid consent for release of this information is on file or otherwise a valid court order pursuant to 42 CFR Part 2 has been presented. Any release of this information shall be accompanied by the requisite language specified under 42 CFR Part 2 included in Appendix A.

Before responding to the request, efforts should be made to ensure that disclosure is limited to the minimum 28 protected health information specifically requested.

Use and Disclosure for Public Health

Procedure

The following information may be reported to Department of State Health Services, Department of Aging and Disability Services, Department of Assistive and Rehabilitative Services, Health and Human Services as required by law whether or not the consumer authorizes the disclosure:

Information required to compile vital statistics (births and deaths)
Information on reportable injuries

Staff may disclose protected health information to government agencies such as the Department of State Health Services, Department of Aging and Disability Services, Department of Assistive and Rehabilitative Services, which are responsible for administering public health programs such as Medicare and Medicaid, and for licensing providers, conducting audits, and for other purposes related to the oversight of the health system.

WTC Staff Member(s) should refer requests for protected health information received from oversight agencies to Custodian of Medical Records, Director of Health Information or appointed staff.
The Custodian of Medical Records, Director of Health Information or appointed staff will review requests for protected health information and obtain a legal opinion if he or she believes one is necessary before approving the disclosure of the requested information.

Disclosures of Protected Health Information Relating to Communicable Diseases

Procedure

Special Confidentiality Treatment

WTC personnel will maintain the confidentiality of communicable disease-related information (including AIDS and HIV-related information) and will disclose that information only in compliance with this policy.
WTC policies on the use and disclosure of PHI do not apply to communicable disease-related information unless otherwise noted.

Disclosure of Communicable Disease-Related Information (Including HIV-Related Information) without Consumer Authorization

If a person or entity is not listed below, WTC personnel will obtain consumer authorization under the Disclosures to Persons Exposed to Communicable Diseases paragraph before disclosing the information.

Consumer or Consumer’s Legal Representative: WTC personnel may disclose communicable disease- related PHI to the consumer or the consumer’s representative.
Other Health Care Providers: WTC personnel may disclose communicable disease-related PHI to another health care facility or provider if the disclosure is necessary to provide appropriate care to the consumer or the consumer’s child. Before sending the PHI, WTC personnel will confirm with the receiving facility or provider that their employees or agents receiving the PHI have authorized access to medical records for purposes such as provision of health care, records maintenance, or billing.
Organ Procurement for Medical Education, Therapy or Transplantation: WTC personnel may disclose communicable disease-related PHI to a health care provider or facility for procurement, processing, distributing, or using a human body or body parts for use in medical education, therapy, or transplantation.
Quality Review and Oversight
- WTC personnel may use or disclose confidential communicable disease-related PHI to organizations, committees or individuals engaged by WTC to review professional practices at WTC (such as peer review, utilization review, medical necessity committees, The Joint Commission, other oversight, or accreditation agencies).
- The disclosure must be limited to that information necessary for the authorized review, and may not include information “directly” identifying the consumer, such as name, Social Security number, phone number or address.
Government Officials
- WTC personnel will disclose communicable disease-related information to local, county, state, and federal health officers when required by federal or state law to do so.
- WTC personnel will follow WTC policies and procedures concerning communicable disease reporting obligations.
- WTC personnel may disclose communicable disease-related information to federal or state officials who oversee WTC, such as the state Department of Health Services and the Federal Centers for Medicare and Medicaid Services. Communicable disease-related PHI released for this purpose may not include the consumer’s name.
Court or Administrative Order or Search Warrant
- WTC personnel may release confidential communicable disease-related PHI to a person designated in a valid court or administrative order or search warrant.
- The court or agency may issue the order or search warrant only if:
  - There is a compelling need for the information in a court or administrative proceeding;
  - A person is in clear and imminent danger of exposure;
  - There is a clear and imminent danger to public health;
  - The person requesting the information is lawfully entitled to the information; or
  - There exists either a clear and imminent danger to a person or to public health or there is a compelling need to disclose the information.
- If there is any doubt or question regarding the sufficiency of the legal order seeking disclosure, WTC personnel should obtain advice from WTC legal counsel or the Compliance Office before making the disclosure.
- Workers’ Compensation Claims: If communicable disease-related PHI is pertinent to a workers’ compensation claim, WTC personnel may disclose requested PHI to the Industrial Commission or parties to an Industrial Commission claim.
- Cause of Death: WTC personnel may list communicable disease-related illnesses on a death certificate or autopsy report to document the cause of death.

Disclosure of Communicable Disease-Related Information (Including HIV-Related Information) with Consumer Authorization

If a disclosure is not permitted under the Disclosure of Communicable Disease-Related Information (Including HIV-Related Information) without Consumer Authorization paragraph above, WTC personnel will obtain consumer authorization before disclosing communicable disease-related PHI.
- The authorization will meet the requirements of the WTC authorization policy.
- If WTC personnel seek to disclose HIV/AIDS-related information, the authorization form must specifically indicate its purpose to authorize disclosure of HIV-related information.
When WTC personnel make any disclosure of communicable disease-related PHI with consumer authorization, they will prepare a written statement that will accompany the production of the PHI warning the information is confidential and protected by state law that prohibits further disclosure without specific written authorization by the consumer.

Disclosures to Persons Exposed to Communicable Diseases

Except as provided below, WTC personnel will not communicate directly with a person who has been exposed to a communicable disease by a consumer. Rather, WTC personnel will report the exposure to the appropriate state department of health, following the WTC policies and procedures on communicable disease reporting obligations.
If a WTC mental health professional knows or has reason to believe that a significant exposure has occurred between a consumer and WTC personnel (or other health care or public safety) employee, the mental health professional may consult with the consumer and ask the consumer to release the information voluntarily.
If the consumer refuses to release the information concerning the significant exposure, the mental health professional may report directly to the exposed employee of the possibility of the communicable disease or HIV-related exposure in a manner that does not identify the consumer.

Record and Accounting of Disclosures

WTC personnel making a disclosure of communicable disease-related PHI will keep a written record of all disclosures.
On request, WTC will give the consumer or his or her personal representative access to the record of disclosures

HIV-related testing

WTC personnel ordering an HIV-related test must obtain the consumer’s explicit permission to do so using the WTC written, informed consent for HIV testing.
Oral consent is required if the test is done anonymously.

Verification of Identity and Authority of PHI Recipient

WTC personnel will verify the identity and authority of the recipient of the PHI.

Disclosing the Minimum Necessary Amount of PHI

WTC personnel will disclose only the minimum amount of PHI necessary for the purpose.

Use or Disclosure of Sale of Protected Health Information

In order to use or disclose a consumer’s PHI in exchange for direct or indirect remuneration from or on behalf of the recipient of the information, WTC must obtain an authorization for any disclosure. The authorization must state the disclosure will result in remuneration to the Covered Entity. Sale of PHI is prohibited without a consumer’s authorization.

If WTC is the recipient of the PHI, WTC cannot re-disclose the PHI in exchange for remuneration unless a valid authorization is obtained.

Guidelines:

The sale of PHI does not include payments WTC may receive in the form of grants, contracts, or other arrangements to perform programs or activities, such as a research study. WTC may receive only a reasonable, cost-based fee to cover the cost to prepare and transmit the information for research purposes.
Remuneration, as applied to the sale provisions, is not limited to financial payment in the same way it is limited in the marketing provisions.
The provisions prohibit the receipt of remuneration not only from the third party that receives the PHI, but also from another party on behalf of the recipient of the PHI.
The sale provisions apply to disclosures in exchange for remuneration including those that are the result of access, license, or lease agreements.
Exceptions:
- WTC may receive remuneration for use or disclosure of PHI for public health activities and/or for treatment and payment purposes.
- WTC may disclose PHI related to the sale, transfer, merger, or consolidation of all or part of it.
- WTC may disclose PHI to an individual for providing a right to access PHI or providing a right to receive an accounting of disclosures.

WTC may disclose PHI as required by law.

If WTC is a Business Associate, the following guidelines apply:
- WTC may disclosure PHI for activities undertaken on behalf of a Covered Entity, as long as the only remuneration provided is by the Covered Entity to the Business Associate for the performance of such activities; and
- As long as WTC is performing the activities pursuant to a Business Associate contract.
The exceptions in Paragraph above does not apply if WTC receives remuneration above the actual cost incurred to prepare, produce, and transmit the PHI for the permitted purpose, unless such fee is expressly permitted by other law.

Procedure

WTC must obtain an authorization for any use or disclosure for the sale of a consumer’s PHI.

WTC must obtain consumer authorization on the WTC HIPAA Request by WTC or HIPAA Release to 3^rd Party that contains the following items:

A specific and meaningful description of the PHI to be used or disclosed;
The name of the person, class of persons, or organization that will be making the disclosure of PHI, e.g., WTC;
The name or other identification of the person, class of persons, or organization to whom WTC is making the disclosure;
Specifically state the PHI is to be sold and WTC will receive remuneration;
An expiration date or an expiration event of the authorization that relates to the purpose of the use or disclosure;
A statement that the consumer has a right to revoke the authorization, and a reference to WTC’s Notice of Privacy Practices for details on that right;
A statement that WTC cannot condition treatment on whether the consumer signs the authorization;
The consumer’s (or personal representative’s) printed name, signature, and date of signature;
If the authorization is executed by a personal representative, a description of that person’s authority to act for the consumer; and
A statement that WTC will receive either direct or indirect payment.

Use and Disclosure for Marketing and Fundraising

West Texas Centers may not inappropriately use protected consumer information for marketing or fundraising and will provide all consumers an ability to opt out of all marketing and fundraising communications.

Use and Disclosure for Marketing

Procedure

The following types of marketing communications do not require authorization:

Communications to members of health plans that describe WTC, its members, and the services that are available from the practice, unless financial remuneration is provided to the practice for the communication
Communications to a consumer as part of the consumer’s treatment that are specific to the medical condition of the consumer, unless financial remuneration is provided to the practice for the communication
Communications from the consumer’s health plan during treatment for the purpose of alerting the consumer to the availability of alternative treatments, therapies, health care providers, or treatment settings, unless financial remuneration is provided to the practice for the communication
Face-to-face communications between WTC Staff Member(s) and consumers during a consumer visit
Promotional gifts of nominal value such as pens, note pads, or coffee mugs

Consumers must specifically authorize the use of protected health information collected or maintained by WTC for a communication that is sent to the individual describing a product or service offered by an organization other than WTC. Examples include mailings by pharmaceutical companies, retail pharmacies, health clubs, and suppliers of unrelated medical services such as durable medical equipment. Also, any communications that involve direct or indirect remuneration to the provider require authorization from the consumer, even if they are describing a health-related product or service provided by the organization itself.

Use and Disclosure for Fundraising

Procedure

The following information may be used by WTC, and/or disclosed to a business associate, to support fundraising efforts by the covered entities without the consumer’s authorization:

Demographic information describing the individual (i.e., name, date of birth, sex, address, and other nonclinical information that describes the consumer)
The dates on which the consumer received health care services from WTC
Department in which the service was provided
The treating mental health professional- a qualified individual with training or state issued license to deliver psychological assessments, therapy, diagnosis, medication, skills training and/or rehabilitation services.
Information about consumer outcome
Health insurance status

Other protected health information may not be used in fundraising activities without the consumer’s authorization. That is, the consumer’s authorization is required for the use of any protected health information except those items found in the list above.

Fundraising appeals sent to individuals must include the following paragraph describing how the individual may opt out of further fundraising communications:

To be removed from future fundraising appeals, please call (432) 264-4242 and ask to be removed from our fundraising mailing list, or check off the box asking to be removed from our fundraising mailing list on the reply card and return it to the office by dropping it in a mailbox.

A fundraising mailing list will be maintained by the Office of Strategy & Innovation. When a consumer asks to be removed from the mailing list, no additional fundraising communications may be sent to this consumer.

Protected health information may not be used to support fundraising on behalf of other organizations (that is, for raising funds that do not benefit the practice directly) without the consumer’s authorization.

Other Uses and Disclosures of Protected Health Information

West Texas Centers will make protected health information available as appropriate under the HIPAA privacy regulations.

Disclosure of Information for the Purpose of Cadaveric Organ Donation

Procedure

Following the death of a consumer, WTC Custodian of Medical Records may disclose protected health information to an organ procurement organization such as an eye bank or tissue bank without the consumer’s prior authorization and without obtaining the authorization of the consumer’s representative.

WTC Custodian of Medical Records may not disclose this information if a consumer or the consumer’s representative has indicated that he or she does not want to donate organs or tissue, or if the consumer has imposed a restriction on the disclosure of protected health information for this purpose.

Disclosure of Information to Coroners and Medical Examiners

Procedure

WTC Custodian of Medical Records may disclose protected health information without the consumer’s authorization to a coroner or medical examiner who requests the information for the following purposes:

Identification of a deceased person
Determination of the cause of death
Other purposes specified in state or federal law

The credentials of the coroner or medical examiner making the request should be verified. If the request is made in person, staff should ask to be shown an official identification. If the request is made by telephone, staff should ask that the request be submitted in writing and should obtain the official address to which information should be sent.

WTC Custodian of Medical Records or assigned representative should confirm that the information is being requested by the coroner or medical examiner to establish the identity of a deceased person or determine the cause of death.

The requested information should be sent only to the official address of the coroner or medical examiner.

Disclosure to Avert a Threat to Health or Safety

Procedure

WTC Custodian of Medical Records may disclose protected health information without the consumer’s authorization if, in his or her professional judgment, such disclosure is necessary to reduce a serious and imminent threat to the health and safety of a person or the public.

Information may be disclosed only to a person who is able, in the Custodian of Medical Records judgment, to prevent or lessen the threat.
If the consumer has threatened to harm or injure another person or persons, that threat may be disclosed to the person(s) identified by the consumer as the target(s).
If the consumer has admitted that he or she has participated in a violent crime, that admission may be disclosed to law enforcement agencies.
If the WTC Custodian of Medical Records has reason to believe, based on all circumstances, which the consumer has escaped from a correctional facility or other form of custody, the Custodian of Medical Records may disclose that belief to law enforcement agencies.

WTC Custodian of Medical Records may not disclose information related to participation in a violent crime if that information is learned in the course of treatment, counseling, or therapy for a propensity to engage in the criminal conduct, or if the consumer has disclosed criminal activity while requesting referral for treatment, counseling, or therapy of such a propensity.

Disclosure to Disaster Relief Agencies

Procedure

Information on a consumer’s location, medical condition, or death may be disclosed to disaster relief organizations such as the Red Cross and other public or private organizations.

Disclosure for Purposes of Research

Procedure

Use and disclosure of information for purposes of research is allowable under the rule with authorization from the consumer. In some instances, it is also allowable without specific signed authorization.

WTC may only use or disclose de-identified information for the purposes of research, public health, or health care operations or to a Business Associate who has submitted the appropriate documentation as required in WTC’s Business Associate Agreement.

All requests for de-identified information should be submitted to the Director of Health Information for review.

WTC Custodian of Medical Records may provide a researcher with protected health information in the following instances:

With a signed authorization from the consumer (sometimes found within the informed consent form for the research study)
With a HIPAA waiver from the applicable institutional review board or privacy board
When a data use agreement is in place with the researcher and there is a limited data set provided to the researcher, as described in the data use agreement
If the information has been de-identified

Disclosures to Schools Regarding Immunizations

Procedure

WTC Custodian of Medical Records may disclose information regarding immunizations about a consumer who is a student or a prospective student at an educational institution, if those immunizations are required by the state or other law for admission. Certain requirements must be met in order to provide this information to the educational institution.

A request must come from the educational institution or from the parent/guardian/consumer.
The protected health information to be provided to the school is limited to the proof of the immunizations required.
The school must be required by state or other law to have proof of these immunizations on file before admission of this student.
The parent, guardian, or the individual himself (if he or she is of age or an emancipated minor) must agree to the disclosure, and this must be documented by the practice.

Disclosure of Protected Health Information after Death

Procedure

The protected health information of a deceased individual is handled according to the policies and procedures applied to the protected health information of living consumers. The death of a consumer does not reduce the privacy protections that his or her protected health information will receive until 50 years after his or her death. At that point, health information is no longer considered protected health information unless specially protected by a law other than HIPAA.

Communications and Media Relations

West Texas Centers will ensure that all employees and associates who engage in communications and media relations activities on behalf of the organization do so in a manner compliant with the HIPAA privacy regulations and have approval from the Director of Community Relations under the direction of the Office of Strategy and Innovation.

Procedure

Internal Uses of PHI

Interviews with and/or articles about individuals circulated within West Texas Centers— When writing articles or stories that are printed in publications circulated within West Texas Centers, may contact the individual, or a health care provider to access the individual, to obtain signed consent from the individual allowing West Texas Centers to interview him or her and to obtain information for the article or story.

Consumer satisfaction surveys—Quality assessment and improvement activities are considered health care operations under the privacy regulations. To conduct consumer satisfaction surveys, which are quality assessment and improvement activities, West Texas Centers must state in its notice that it may use PHI for health care operations. If West Texas Centers uses a vendor to conduct consumer satisfaction surveys on behalf of West Texas Centers, there must be a business associate agreement in place.

External Disclosures of PHI

Media inquiries regarding an individual—West Texas Centers facility directories may contain the following information about an individual: (a) name, (b) location in the facility, (c) the condition of that individual in terms that do not communicate specific medical information (for example, critical, satisfactory, good). West Texas Centers must give individuals the opportunity to restrict or prohibit the use or disclosure of PHI for facility directories and inform the individual that West Texas Centers may disclose this information to the media.

Associates should not disclose if a consumer is receiving services through West Texas Centers. Associates will first state that, “they will need to verify the identity of the requestor before any information is disclosed and the associate will need to verify if the individual that is being inquired about is a client of West Texas Centers. “

The Associate will next search the electronic health record for the individual that is being inquired about and if found, review for Authorization to Disclose Information has been authorized. If consent has been authorized only then can the associate disclose information to the media upon approval from their supervisor.

If the individual is incapacitated or deceased, or there is an emergency treatment situation, West Texas Centers may use or disclose some or all of the PHI in the facility directory if such use or disclosure is consistent with a prior expressed preference or if such use or disclosure is considered in the best interest of the individual. West Texas Centers must inform the individual of the use or disclosure when it is practical to do so.

When the media do not know an individual’s name but give other identifying information such as location or address of an accident, West Texas Centers may disclose nonconsumer-specific information, such as age and gender, in addition to the condition of the individual. If the media inquire about an individual by name, subject to that individual’s objection, West Texas Centers may give the media the information contained in the facility directory.

Media requests for interviews with and/or articles about an individual—health care professionals, other health care providers and/or media relations personnel who provide PHI about individuals to be included in an article or story must obtain the individual’s written authorization before making such a disclosure.

Photographs, videotapes or other images of individuals—West Texas Centers must obtain an individual’s written authorization before photographing or videotaping that individual for medical education, staff education, or publicity purposes. If the individual’s written authorization specifically allows the reuse of the information described above, the information may be reused in accordance with the authorization. If the authorization does not specifically allow the reuse of information, the information may not be reused.

Offshoring Information Outside Of the United States

West Texas Centers will ensure that offshoring, the use, disclosure, creation, maintenance or transmission of confidential information outside of the United States is done under written permission per the HHS Data User Agreement.

Procedure

Requests to release information to entities outside of the United States will not be processed until a complete review of the request has been completed and has been approved by the Custodian of Medical Records, Chief Executive Officer, and Health and Human Services (HHS). Requests will be reviewed on a case by case basis to include any law violations regarding the offshoring of Medicaid programs, HHS contractual requirements and data use agreements regarding the securities of protected health information, (e.g. subcontracting with an entity outside of the United States to provide appointment reminder calls to clients).

Publishing Confidential Information

West Texas Centers will ensure that publishing confidential information, offshoring, the use, disclosure, creation, maintenance or transmission of confidential information outside of the United States is done under written permission per the HHS Data User Agreement.

Procedure

Requests from entities to publicly release or publish protected health information will not be processed until a complete review of the request has been completed and has been approved by the Custodian of Medical Records, Chief Executive Officer, and Health and Human Services (HHS). Requests will be reviewed on a case by case basis to include violations of HIPAA laws, 42 CFR Part 2, contractual agreements and data use agreement with Health and Human Services, (posting the names of clients on the company website or social media; using television, newspaper, or radio to communicate the story of a client without appropriate permission).

Notice of Privacy Practices

West Texas Centers is required to provide a notice of privacy practices to all consumers or any persons requesting a copy. All individuals have a right to receive adequate notice of the uses and disclosures of protected health information that may be made by an organization, and of the individual’s rights and West Texas Centers’ responsibilities with respect to protected health information.

Sample notices of privacy practices as well as a sample acknowledgment form are found in Appendix A in the back of this manual.

Procedure

The Director of Health Information is responsible for developing the notice of privacy practices.

The notice of privacy practices must be written in language that most consumers of average intelligence and education will be able to understand. The notice must contain the following elements.

The following language must appear exactly as it is shown here and must be prominently displayed at the top of the notice:

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Uses and Disclosures

This section of the notice must describe and give examples of the uses and disclosures for purposes of treatment, payment, and health care operations covered by the notice.

It must identify the legally mandated disclosures that may be made without the consumer’s authorization.

It must indicate that any other use or disclosure of protected health information requires written authorization by the consumer, and that an authorization may be revoked by the consumer.

Additional Uses of Information

The uses and disclosures listed in this section must be specified if WTC intends to use protected health information for any of the listed activities. This section can be merged with the previous section.

This section identifies any use of protected health information in the preparation of appointment reminders, in offering information about treatment and other health-related benefits or services, or to conduct fundraising for the practice.

Individual Rights

This section of the notice of privacy practices must identify the rights of the consumer under the federal privacy rule. These must include:

The right to request restrictions
The right to receive confidential communication
The right to inspect and copy protected health information
The right to amend protected health information
The right to receive an accounting of disclosures
The right to receive a printed copy of the notice of privacy practices itself

West Texas Centers’ Duties

This section describes the duties of the organization, specifically with respect to maintaining the privacy of protected health information, giving the notice of privacy practices to consumers, and abiding by the terms of that notice.

Right to Revise Privacy Practices

The notice must clearly state that the organization reserves the right to modify its privacy practices and that should it do so, the revised notice will be made available to consumers upon their request.

Complaints

This section must outline the procedure for submitting complaints concerning the organization’s privacy practices or to report suspected violations of privacy rights.

It also must indicate that the organization will not retaliate against the consumer for submitting a complaint or reporting a suspected violation.

Contact Person

Director of Health Information/Privacy Officer

*Address and phone*

Giving the Notice of Privacy Practices to Consumers

Procedure

The notice of privacy practices must be given to all consumers at the time of their first visit to the organization. The notice must also be given to any consumer who requests one at any time.

All consumers will be given a copy of the notice during their first contact, whether in person in the office, via a telephone consultation or through other electronic means such as email.
Any consumer who requests a copy of the notice will be given a copy.
A copy of the notice will be posted in waiting areas. If WTC maintains a website, the notice will be posted on that site. An individual who receives a copy of the notice electronically (by email) also may request a printed copy of the notice.

Acknowledgment of the Notice

Procedure

All consumers must be asked to sign an acknowledgment that they have received a copy of the notice of privacy practices. If the consumer cannot sign the acknowledgment, his or her personal representative may sign the acknowledgment. If the consumer cannot sign the acknowledgment and a personal representative is not available or if the consumer refuses to sign the acknowledgment, the Staff Member(s) who requests the acknowledgment must document the attempt to obtain an acknowledgment and briefly summarize the reason it was not obtained.

When a consumer requires emergency treatment, providing the notice and obtaining an acknowledgment should be delayed until the consumer’s condition has been stabilized.

Copies of all signed acknowledgments should be included in the consumer’s medical record.

Notice of Substance Abuse Confidentiality

Procedure

At the time of admission staff shall communicate to any consumer receiving substance abuse or alcohol treatment that federal law and regulations protect the confidentiality of records for person’s receiving substance abuse services. The persons shall be given a written summary of the federal law and regulations. The staff person communication this information to the person shall sign and date the notice, as well as the person. A copy of the notice should be given to the person with the original filed in the person’s record.

Verification of the Identity and Authority of a Consumer Requesting Disclosure of Protected Health Information

Custodian of Medical Records or designated representative(s) who authorize the disclosure of PHI will take reasonable steps to:

Verify the identity of the person to whom the PHI is disclosed.
Verify the person’s authority to receive the PHI.

Depending on the circumstance, verification prior to disclosure of PHI should include the following:

If the employee knows the identity and authority of the recipient of the PHI first hand, no further verification is necessary.
PHI may be disclosed in accordance with WTC policies regarding disclosures to law enforcement officials, prison officials, or disaster relief agencies when the identity and authority of the recipient of the information may reasonably be inferred from the circumstances.
PHI may be disclosed as required by a subpoena or other legal document if the document meets the provisions of existing policy in this area.
Any legal documentation required by WTC policy, must be obtained before the PHI is disclosed.

WTC Custodian of Medical Records or designated representative(s) may rely on any of the following to verify the identity of a public official who requests PHI be disclosed without the consumer’s authorization:

An identification badge;
Official credentials;
Other proof of government status;
Written request on the appropriate agency letterhead along with official identification; or
Written evidence is required when a consumer is acting under government authority (such as a contract or purchase order that verifies a private citizen is acting as an agent of a government agency in requesting the PHI) along with identification.

WTC Custodian of Medical Records or designated representative(s) may rely on any of the following to establish the authority of a public official to receive PHI requested without the consumer’s authorization:

A written statement of legal authority to request the information;
An oral statement of legal authority (if a written statement is impractical under the circumstances); or
A legal process issued by a grand jury or a judicial or administrative tribunal.
Verification of identification will be documented within the consumer record.

Authorization to Use and Disclosure

West Texas Centers will use and disclose protected health information in certain situations only pursuant to a written, signed consumer authorization, as designated by the HIPAA privacy standards or other pertinent state laws.

A sample Authorization of Use and Disclosure form is found in Appendix A at the end of this policy: Authorization to Disclose Information.

Procedure

When the WTC Staff Member(s) knows in advance of collecting or creating protected health information that the information will be used or disclosed for a purpose not covered by the notice, the Staff Member(s) should seek the consumer’s authorization at the time the information is collected.

It is not necessary, however, to obtain the consumer’s authorization before the information is created. Authorization can be obtained at any time after it is created but before the information is used or disclosed for a purpose not covered by the notice.

WTC Staff Member(s) requesting the authorization should obtain an authorization form and complete the sections describing the information to be used or disclosed, the purposes of the use or disclosure, the persons who will use or disclose the information, and the persons to whom the information will be disclosed.
WTC Staff Member(s) should review the authorization request with the consumer.
The consumer may request restrictions on the use and disclosure of protected health information. Restrictions should be clearly noted on the authorization form.
The consumer should sign and date the authorization form.
The signed and dated authorization form should be kept in the consumer’s electronic health record.

Consumer’s Refusal to Sign an Authorization to Disclose Form

Procedure

A consumer who refuses to authorize a specific use or disclosure may not be refused treatment except under the following circumstances:

The treatment is available only to participants in a research study. A consumer who does not authorize use of information for research may be refused treatment that is available only to participants in the research study.
The services to be provided have no purpose other than responding to a request for information from another entity (for example, from a parent requesting a physical for a child who wants to participate in sports programs).

When a consumer refuses to sign an authorization, it should be determined whether the request involves information included in either of the two categories listed above.

If the authorization is for use and disclosure of information for purposes of research-related treatment, the consumer should be told that the treatment is available only to participants in a study and that participants must authorize use and disclosure of their information in the study.

If the authorization involves a request for information from another organization, the consumer should be told that the services will not be provided unless disclosure is authorized.

If the consumer continues to refuse to sign the authorization, the persons requiring the authorization should be notified of the consumer’s refusal.

Revoking of an Authorization to Use or Disclosure

Procedure

Staff member(s) shall give full effect to any revocation by a consumer. A consumer may revoke an authorization in writing or verbally. The revocation should be noted in the electronic health record. WTC Staff Member(s) should explain to the consumer that revoking the authorization will not affect any use or disclosure of information that has already occurred.

The consumer should sign and date the revocation form. The revocation form should be appended to the authorization and included in the consumer’s electronic health records.

Authorized Employee

Receives request from a consumer or personal representative to revoke an authorization.
If the request is from someone other than the consumer, verify the individual has the authority to make the request.
If the individual has the authority to make a request (consumer or personal representative), the revocation form should be completed and signed by consumer.
If the individual does not have the authority to make the request:
Notify the individual of the request denial; and
Document the call.

Consumer Requests for Restrictions on Uses and Disclosures of Confidential Communications

West Texas Centers recognizes the consumer’s right to request restrictions on specific uses and disclosures of protected health information, as well as to request confidential communications in certain instances.

Consumers have a right to ask WTC to communicate with them about Protected Health Information (PHI) at alternative addresses or by alternative means (“confidential communications”). WTC will accommodate reasonable consumer requests. This policy provides a mechanism for handling consumer requests for these confidential communications.

Consumer Requests for Restrictions on Use and Disclosure

Procedure

A consumer may request restrictions on the use and disclosure of protected health information for treatment, payment, and health care operations as described in the notice of privacy practices. A consumer also may request restrictions on the use and disclosure of protected health information covered by an authorization form.

WTC should consider these consumer requests but is not required to accept them. The practice generally accepts a request for a restriction on the uses and disclosures that are described in the notice of privacy practices or outlined in an authorization only if the following criteria are met:

The request will not impede treatment, payment, or day-to-day functioning of the practice.
The restrictions will not interfere with the purpose for which an authorization is being sought.
The consumer has valid reasons for requesting the restrictions, in the judgment of the consumer’s mental
health professional.

One instance in which the practice will be required to accept the requested restriction is when a consumer has requested a restriction on a release of information to a third-party payer for a service he or she has already paid for in full out of pocket. In that instance, the provider must accept the individual’s request for restriction, unless it is otherwise prohibited by law.

Once WTC accepts requested restrictions, they must be honored unless doing so would interfere with emergency treatment.

Receipt of Request for Confidential Communications

Written request – A consumer’s request for communications of PHI at an alternative address or by alternative means must be in writing.

Log in request:
- Upon receipt of a written request, log in the request in the WTC’s electronic health record.
- Log in a reminder to respond within ninety (90) days after receipt of the request.
Identification – Upon receipt of a written request, obtain identification of the requestor.

Requestors Who Identify Themselves as Consumer Representatives

Procedure

When the requestor is not the consumer but identifies him or herself as representing the consumer, consider the request in the following circumstances:

The requestor is an adult consumer’s guardian – Obtain a copy of the court order appointing the requestor as guardian, or a written and notarized statement that a court appointed the requestor as the consumer’s guardian and the appointment still is valid.
If a guardian has not been appointed and the requestor is the consumer’s agent under a health care power of attorney or mental health care power of attorney – Obtain the signed, valid medical power of attorney naming the requestor as the consumer’s agent and confirm with the consumer’s mental health professional that the consumer is unable to make his or her own health care decisions.
If a guardian has not been appointed and the consumer does not have a health care or mental health power of attorney, the requestor is directly involved in the consumer’s care or payment for health care. The consumer is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, West Texas Centers may discuss this information with the family and these other persons if the consumer agrees or, when given the opportunity, does not object. West Texas Centers may also share relevant information with the family and these other persons if it can infer, based on professional judgement that the consumer does not object. Confirm the requestor is a person on the following list and a person at a higher level of priority is not immediately available:
- The spouse, unless the consumer and spouse are legally separated.
- An adult child.
- A parent.
- If the consumer is unmarried, but has a domestic partner—if no other person has assumed any financial responsibility for the consumer.
- An adult brother or sister.
- A close friend of the consumer. This must be an adult who has exhibited special care and concern for the consumer. One who is familiar with the consumer’s health care news/desires and who is willing and able to become involved in the consumer’s health care and to act in the consumer’s best interests.
Confirm with the consumer’s mental health professional that the consumer is unable to make his or her own decisions.
The requestor is a minor consumer’s parent or guardian.
- Review the records to determine whether the consumer has been considered emancipated or is otherwise competent to give informed consent. If so, require written consent from the consumer before providing parent or guardian access to records.
- Before copying or otherwise providing access to records to the requestor, review the records to determine whether the consumer received reproductive health services. If so, contact the Director of Health Information before granting access to or copying records.
- Obtain identification verifying the requestor is the parent or guardian.

The requestor is a person entitled to see the records of a deceased consumer if the requestor was involved in the consumer’s health care or payment for care prior to the consumer’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to West Texas Centers. The information disclosed is limited to that which is relevant to the person’s involvement in the consumer’s care or payment for care.

Time Frames for Responding to Requests for Confidential Communications

Procedure

WTC will notify the requestor of its decision on a request for confidential communications as soon as practicable and, as a guideline only, should attempt to do so within thirty (30) days of the request.

Custodian of Medical Records or designated representative(s) processing a request for confidential communications will log these dates in the WTC’s electronic health record.

Determining Whether to Agree to or Deny Request for Confidential Communications

Procedure

WTC will grant a request for confidential communications so long as the request is reasonable. Personnel will take into account the following factors:

The ability of WTC to comply with the request.
The resources and time needed to be devoted to compliance with the request.
Whether the consumer has provided an alternative address or other acceptable alternative means of communication.
Whether the consumer has made acceptable arrangements for billing.

All denials for requests for confidential communications will be signed by the Custodian of Medical Records or Director of Health Information

A restriction on the disclosure of information that a consumer requests and that the practice agrees to does not prevent the practice from disclosing information that is mandated by law, which does not ever require the consumer’s authorization.

A consumer may request a restriction on the use or disclosure of information at the time he or she signs an acknowledgment of receiving the notice of privacy practices or an authorization form.
The request should be reviewed by the Director of Health Information to determine whether the requested restriction would impede the use of information for treatment, payment, or health care operations.
The Director of Health Information or designated representative(s) should ask the consumer to explain why he or she is seeking the restriction.
The restriction should be agreed to if, in the judgment of the Director of Health Information, it will meet the requirements set out in this procedure.
If the request is agreed to, it should be documented on the authorization form to which it applies.

Termination of Restrictions on Use and Disclosure

The practice may terminate a restriction on the use and disclosure of protected health information to which it has agreed, with the exception of any restrictions it is required by law to accept.

Consumers must be notified of any termination of a restriction and must be given an opportunity to agree or disagree with the termination.

If the consumer agrees to the termination, information collected before the date of the termination may be used or disclosed as though the restriction had never been accepted.
If the consumer does not agree to the termination, only information collected after the date of the termination may be used or disclosed without considering the restriction. The restriction will continue to apply to information collected before the date of the termination.

The termination of a restriction must be attached to the authorization form in which the restriction appears.

The termination request should be approved if the continuation of the restriction would substantially impede treatment, payment, or the day-to-day operation of the practice.
The Staff Member(s) should contact the consumer to discuss the need for the termination and to seek the consumer’s agreement.
If the consumer agrees to end the restriction, he or she should sign a statement to that effect. If the consumer is not available to sign a written statement, his or her oral agreement should be noted, signed, and dated by the Staff Member(s) who discussed the termination with the consumer.
The termination of the restriction should be attached to the authorization form in which the restriction appears.

Consumer Requests for Confidential Communication WTC Staff Member(s) must accommodate a consumer’s request for confidential communication if the following criteria are met:

If a consumer desires to have communication from WTC transmitted to a different location other than what is documented in the client file the WTC Staff Member(s) shall complete a confidential communications form. Requests for confidential communication must be made in writing. The Staff Member(s) may provide the consumer with a confidential communication request form.
The request can be accommodated only without limiting the ability of WTC to submit claims to the consumer’s health plan. If the request for confidential communication will prevent the practice from submitting claims to the consumer’s health plan, the request will be accommodated only if the consumer identifies another method of paying for services provided by WTC.

Facsimile Transmission of Protected Health Information

It is the policy of WTC to protect the privacy and confidentiality of PHI transmitted via any format. Preferable method is by encrypted email delivery; however when not available and specifically requested, PHI can be transmitted by facsimile (fax). WTC hold employees responsible for following the proper procedure when PHI is sent via facsimile. Facsimile transmissions should include the WTC approved fax cover sheet containing a confidentiality statement. The employee must include on the fax cover sheet the name and fax number to whom the fax is going and the name and phone number of the person sending the fax at a minimum.

PHI may be transmitted by facsimile pursuant to WTC privacy policies. Information transmitted must be limited to the minimum necessary to meet the requestor’s needs.

Outgoing Faxes

Procedure

The fax cover sheet containing a confidentiality statement must contain directions for the recipient if he/she receives a misdirected fax.

Frequently dialed fax numbers should be programmed into the fax server and checked frequently to assure accuracy.

If the number dialed is not pre-programmed into the fax server, it should be double- checked for accuracy prior to sending the fax.

Incoming Faxes

Procedure

Any fax received in error should be reported to the sender and disposed of as directed by the sender.

Misdirected Faxes

Procedure

If a fax transmission containing PHI is not received by the intended recipient because of a misdial, check the internal logging system of the fax log to obtain the misdialed number.

If possible, a phone call should be made to the recipient of the misdirected fax requesting the entire content of the misdirected fax be destroyed. If the recipient cannot be reached by phone, a fax should be sent to the recipient requesting the entire fax transmission be destroyed.

Any instance of transmitting PHI to the wrong destination number must be tracked by the HIM department

Personal Representatives

West Texas Centers will recognize personal representatives pursuant to applicable privacy regulations. A personal representative may act on behalf of the consumer for the purposes of authorizing use and disclosure of protected health information, or receiving information that otherwise would be sent to the consumer.

Designation of a Personal Representative

Procedure

A personal representative may be the spouse, adult child, or other member of the consumer’s family. A personal representative also may be a close personal friend, or any individual legally authorized to make medical decisions on behalf of the consumer if he or she is incapacitated or otherwise unable to make decisions.

A consumer may designate a personal representative in writing. However, a person who is identified in the consumer record as having legal authority to act on behalf of the consumer will be recognized as a personal representative.

A parent or legal guardian of an unemancipated minor (generally a child under the age of 18) will be recognized as a personal representative of the child.

The West Texas Centers’ associates should ask the consumer to identify an individual or individuals who may act as the consumer’s personal representative on the acknowledgment form.
If a consumer becomes incapacitated, a person accompanying the consumer will be recognized as the consumer’s personal representative if he or she can present evidence of having legal power of attorney or other legally recognized authority to make medical decisions on behalf of the consumer.
The parent or legal guardian of an unemancipated minor will be recognized as the personal representative of a child, subject to the restrictions contained in section 1.21.

Authority of Personal Representative

Procedure

If a consumer is incapacitated, a personal representative may sign any form (such as authorization, revocation of authorization, and request for access to information), the uses of which are described in this privacy manual.

A personal representative may receive protected health information concerning the consumer necessary to carry out the representative’s legal duties to the consumer (for example, providing an informed consent to treatment, or for enforcing an advance directive concerning life support).

Refusal to Recognize Personal Representative

Procedure

A WTC Staff Member(s) may refuse to disclose information to a person identified as a consumer’s personal representative if the Staff Member(s) believes that disclosing such information may endanger the consumer.

A WTC Staff Member(s) who believes that disclosing information to a personal representative may endanger the consumer should notify their immediate supervisor.
Requests from the personal representative for information concerning the consumer should be referred to their immediate supervisor.

Parental Access to Protected Health Information Concerning Children

Procedure

A parent, guardian, or other person recognized by state law as acting in loco parentis on behalf of a consumer who is an unemancipated minor will be recognized as the consumer’s personal representative unless the minor has consented to treatment.

Note—In this procedure the term “parent” refers to a parent, guardian, or other person acting in loco parentis.

A parent may act as a personal representative unless state or other law permits the minor to request that information not be shared with a parent, guardian, or other person acting in loco parentis. Refer to Family Code Chapter 32 in Appendix A.

Generally, WTC requires a parent or legal guardian’s signature on any authorization forms for a minor consumer unless the consumer requests that his or her parents not be notified and there is no prohibition under state law in withholding information from the consumer’s parent.

The Director of Health Information should review any minor’s request for confidentiality pertaining to the use or disclosure of protected health information that relates to a parent or guardian to determine whether the request complies with state and federal laws.

Disclosure of Information to Family Members

Procedure

Protected health information concerning a consumer may be disclosed to a family member, other relative, or close personal friend of the individual who requires the information to assist in the consumer’s care and treatment.

If the consumer is able to, he or she must agree to the sharing of this information before it occurs. Consumers should generally be asked whether information may be shared with family members. However, permission can be assumed if the consumer has an opportunity to object to disclosure of information to family members and does not do so.
If the consumer is incapacitated, a WTC’s Staff Member(s) may exercise their professional judgment in determining when it is in the consumer’s best interests to disclose protected health information to the family member.

The information that may be disclosed to a family member, relative, or close personal friend is limited to information directly relevant to the family member’s involvement in the consumer’s care.

If possible, disclosure of information to others should occur when the consumer is present or after the consumer has agreed to the disclosure.
If the consumer is present or available for consultation concerning the disclosure, he or she should be given an opportunity to object to the disclosure. If the consumer objects, the information should not be disclosed.
If the consumer is not present or available for consultation, or is incapable of agreeing or objecting to the disclosure, the mental health professional should exercise his or her best professional judgment to determine whether disclosure is in the best interest of the consumer.
If the consumer agrees to the disclosure or the disclosure is determined to be in the best interest of the consumer, only that information that is directly relevant to the family member’s involvement in the consumer’s care should be disclosed.

Consumer Access to Protected Health Information

Consumers have the right to receive access to their protected health information under the HIPAA privacy regulations. It is the procedure of West Texas Centers to ensure that these rights are met.

Consumer Requests for Access to Protected Health Information

Procedure

A consumer or a consumer’s representative may, subject to approval under section 1.23.3, inspect and obtain a copy of consumer information maintained in medical records of West Texas Centers.

A consumer must submit a request to inspect or copy protected health information as provided for in section 1.23.2.
The request will be reviewed under section 1.23.3.
If the request is denied, the consumer will be informed as provided for in section 1.23.4.
If the request is approved, the consumer will be given access to the requested information as provided under sections 1.23.5-1.23.8.

Requests for Access to Protected Health Information

Procedure

A consumer must request in writing an opportunity to inspect or copy his or her protected health information.

This procedure does not address or prevent a mental health professional from sharing the results of laboratory or other diagnostic tests with a consumer or a consumer’s personal representative, or from discussing the results of medical procedures. These communications related to treatment may be made orally or in writing at the discretion of the consumer’s mental health professional.

This procedure does not address or prevent other Staff Member(s) from discussing or disclosing to the consumer, orally or in writing, information related to the current status of claims that have been submitted to the consumer’s health plan.

When a consumer or the consumer’s representative requests access to information, he or she should be told that all requests to inspect or copy protected health information must be submitted in writing. The consumer should be referred to the Custodian of Medical Records.
The Custodian of Medical Records or designated staff will complete the HIPAA request by Client form in the electronic health record.
Upon receipt of a request form, the Custodian of Medical Records will review the request as explained in section 1.23.3.

Review of Consumer Requests for Access to Protected Health Information

Procedure

The request for access to personal health information will be completed in the electronic health record and forwarded to the Custodian of Medical Records.

The Custodian of Medical Records will consider the restrictions on access listed below when determining whether to approve or deny the request to inspect or copy protected health information.

A decision to grant the consumer or the consumer’s personal representative permission to inspect or copy the requested information will be made within thirty (30) days of the date the request is submitted.

If the protected health information is maintained in electronic form and the consumer would like to view the information or receive a copy of it in electronic form, he or she must make that request specifically on the request form.

Restrictions on Access

Information compiled in anticipation of, or for use in, legal proceedings will not be made available to the consumer or the consumer’s legal representative unless required by law or court order.
Information that, by law, may not be disclosed to the consumer will not be made available to the consumer or the consumer’s representative.
Information will not be made available if the consumer’s mental health professional believes that it is likely to endanger the life or physical safety of the consumer.
Information will not be made available if the consumer’s mental health professional believes that access to the information is reasonably likely to cause substantial harm to a person other than the consumer who is referenced in the consumer’s records.
Information will not be made available to a personal representative of the consumer if the consumer’s mental health professional believes that access to the information by the personal representative is reasonably likely to cause harm to the consumer or to another person.

The Custodian of Medical Records will review the request to inspect or copy protected health information and will contact the consumer’s mental health professional to determine if there are any reasons to restrict the consumer’s or consumer representative’s access to the information.

If the request is disapproved, wholly or in part, the consumer will be notified using the procedures outlined in section 1.23.4.

If the request is approved, the consumer will be notified and arrangements made for the consumer to inspect or copy the requested information using the procedures described in sections 1.23.5- 1.23.8

Communication of Denial of Requests for Access to Personal Health Information and Review of Decision to Deny Access

Procedure

A written explanation of the denial of a consumer’s request to inspect or copy protected health information will be prepared using the appropriate form. If an alternative, such as a summary of the requested information, could satisfy the consumer’s request at least in part, the communication should describe that alternative.

A consumer or the consumer’s representative whose request to inspect or copy protected health information is denied may request a review of that decision by a licensed health professional who was not involved in the decision to deny the request.

The review should normally be completed within thirty (30) days. The Custodian of Medical Records will follow up with the reviewing mental health professional if the review is not completed within thirty (30) days.
The Custodian of Medical Records should communicate the result of the review to the consumer using the reviewer form.

Inspection of Records

Procedure

Upon request by consumer or their authorized personal representative records shall be made available to the consumer within thirty (30) business days from the date the request is made for records available through the consumer’s electronic health record or within sixty (60) calendar days if the record is in hard copy format. This time frame may be extended pursuant to state or federal regulations.

Communication of Decision to Permit Inspection or Copying of Protected Health Information

Procedure

Approval of a consumer’s request to inspect or copy protected health information should be communicated to the consumer or the consumer’s representative using the request approval form.

The form should specify the date and time that the records will be available for copying or viewing.

The Custodian of Medical Records will determine the earliest date at which the requested information can be made available.
The Custodian of Medical Records or a designated staff person will prepare the approval form and send it to the consumer.

Arrangements for Inspection of Protected Health Information by Consumers

Procedure

Arrangements should be made to provide access to protected health information at a place and time convenient for the consumer.
The consumer must inspect the records on the premises of WTC. If this is not satisfactory to the consumer, he or she should be given the option of having copies made and sent to an address that he or she specifies. However, the consumer may be charged the cost of preparing and mailing the copies or for the supplies and labor to put together the electronic version for mailing.

Fees for Copying Personal Health Information

Procedure

If it is deemed that the person is indigent and does not have this fee, it can be waived. West Texas Centers will not charge for the first set of copies made

If the consumer requests their records be put onto a disk or USB drive, he or she will be charged a flat fee of $18.00.

When applicable, a flat fee of $18.00 be invoice to Social Security Administration upon request of records for determination of benefits.

Amendment of Health Information

Consumers have the right to request that amendments be made to their protected health information under the HIPAA privacy regulations. It is the procedure of West Texas Centers to ensure that these rights are met.

Procedure

A consumer may request amendment of the information maintained by West Texas Centers in the designated record sets listed below. The consumer must follow the procedures outlined in section 1.24.1 when requesting amendment of information maintained by West Texas Centers.

Designated Record Sets

Consumers may request amendments to information contained only in the following record sets:

The consumer’s medical records
The consumer’s billing records
Other records that contain protected health information used to direct treatment

Procedures for Requesting Amendment of Information

Procedure

Requests to amend protected health information must be submitted in writing. Consumers should use the consumer information amendment form.

Consumers who indicate their belief that the information in their records is incorrect should be given a consumer information amendment form.
Consumers should be referred to the Custodian of Medical Records to resolve questions about the form.

Action on Requests for Amendment of Information

Procedure

The Custodian of Medical Records may deny a consumer’s request to amend records if the following criteria are met:

The information to be amended was not created by West Texas Centers but was received from another entity.
The information to be amended is accurate and complete- i.e. there is no need for the information to be amended.
The information to be amended does not exist in the specified records.
The information to be amended is not available for inspection by the consumer or the consumer’s representative (see section 1.23.1).

Action must be completed on any request for amendment within sixty (60) days of receiving the request. If action cannot be completed within sixty (60) days, WTC must notify the consumer of the delay, including the reasons for the delay, and complete the review within ninety (90) days of the date the request was originally received.

Consumer information amendment forms should be forwarded to the Custodian of Medical Records.
The Custodian of Medical Records should contact the consumer’s mental health professional or a Staff Member(s) (clinic supervisors) he or she designates and request a review of the requested amendments.
The mental health professional or designated Staff Member(s) should indicate which of the requested amendments should not be made because the information in the consumer’s record is accurate and complete or meets the other requirements for denying a request that are listed above
The mental health professional or designated Staff Member(s) should then return the form to the Custodian of Medical Records.
The Custodian of Medical Records should review the form after it is returned by the consumer’s mental health professional and identify any information that should be amended.
The Custodian of Medical Records should initiate the procedures for amending protected health information specified by sections 1.24.4 – 1.24.5.
The Custodian of Medical Records should prepare a response to the consumer as required by policies in sections 1.24.6-1.24.8.

Communication of Decision on Requests for Amendment of Information

Procedure

After completing the review of a consumer’s request for amendment of protected health information, the Custodian of Medical Records will complete the consumer information amendment form by indicating the disposition of each requested amendment.

A copy of the completed consumer information amendment form will be sent to the consumer along with any explanatory comments that the Custodian of Medical Records believes to be necessary.

The consumer will be asked to submit the names and addresses of any organizations or individuals that he or she has reason to believe have received the uncorrected information for the purpose of notifying them of the amendment.

Procedures for Amendment of Internal Records

Procedure

When a consumer’s request for amendment of protected health information is approved, either of the following procedures should be followed:

The records containing the affected information are updated.
The amended information is linked to the original information.

The Custodian of Medical Records will refer the request for amendment to WTC Staff Member(s) responsible for maintaining the affected records and will identify the records that need to be amended. Those records should either be amended or be linked to the amended information (that is, contained in a new or corrected record where it will be available when the affected information is used or disclosed in the future).

Notifying Other Parties That Information Has Been Amended

Procedure

When a consumer’s protected health information is amended in response to a consumer’s request, it is the consumer’s responsibility to notify other organizations to which the information being amended has been disclosed.

WTC is not required to confirm that the organizations or other entities notified of the amendment have updated their records.

Denial of Request for Amendment

Procedure

When a request to amend protected health information is denied, the consumer will be informed of the decision in writing. The notice sent to the consumer must advise the consumer of the following:

The consumer may submit a statement of disagreement that will become part of his or her records and will, in the future, be disclosed to any person or organization that receives the identified information.
If the consumer does not submit a statement of disagreement, he or she may ask WTC to include the request for amendment and the denial in any future disclosure of the identified information to any person or organization that receives the identified information.
The consumer may file a complaint with the provider concerning the request for amendment (a description of how the consumer can file this complaint must be included in the notice).

The letter must identify the name, mailing address, and telephone number of the Director of Health Information

Statement of Disagreement

Procedure

If the consumer disagrees in writing when notified that a request for amendment of protected information has been denied, the Custodian of Medical Records will review the objection and append or link it to the consumer’s record. This will ensure that the objection will accompany the original information when it is used or disclosed in the future.
The Custodian of Medical Records may prepare an accurate summary of the consumer’s statement of disagreement if he or she believes that a summary will adequately provide a clear understanding of the disputed information.

Rebuttal of Disagreement

Procedure

If a consumer disagrees in writing when notified that a request for amendment of protected health information has been denied, the Director of Health Information will review the statement and determine whether a formal rebuttal or response, as provided for in federal regulations, is necessary. If it is determined that a rebuttal is necessary, the privacy official will prepare and append it to the consumer’s records.

The Director of Health Information will consult as necessary with the consumer’s mental health professional or other WTC Staff Member(s) to make this determination.
Both the consumer’s statement of disagreement and the rebuttal statement will be noted in the consumer’s records.
The statement of disagreement and the rebuttal will be either included in the consumer’s records or linked to those records to permit them to be included with the original information when it is used or disclosed in the future.
A copy of the rebuttal statement will be sent to the consumer.

Receipt of Notification of Amendment

Procedure

When notified by another medical practice, health plan, or other covered entity that protected health information received earlier has been amended, WTC will follow the procedures in place for handling its own amended information.

Accounting to Consumers for Disclosures of Information

Consumers have the right to request an accounting of specific types of uses and disclosures of their protected health information made under the HIPAA privacy regulations.

Procedure to Request an Accounting of Disclosures

Procedure

To receive an accounting of disclosures of protected health information, a consumer must submit a written request to the Custodian of Medical Records.

A consumer who indicates to any WTC Staff Member(s) that he or she would like to receive an accounting of disclosures should be told to contact the Custodian of Medical Records.
The Custodian of Medical Records will provide the consumer with a disclosure accounting form and review the types of disclosures that will be reported in the accounting.
The Custodian of Medical Records will determine whether the ability of the consumer to obtain an accounting of disclosures has been suspended in response to a request from a law enforcement or health oversight agency.
If the consumer’s right to an accounting has not been suspended, the Custodian of Medical Records will start preparing an accounting.

Charges for Accountings of Disclosures

Procedure

If a consumer requests more than one accounting during any 12-month period:

The consumer will not be charged for the first accounting.
If the consumer received an accounting for which he or she was not charged during the preceding 12 months, he or she will be informed that WTC will charge $ 18.00 for the second accounting. If the consumer agrees to pay this fee, the accounting will be provided.

Suspension of a Consumer’s Right to Receive an Accounting of Disclosures

Procedure

A law enforcement or health oversight agency may request the provider to suspend the right of an individual to request an accounting of disclosures. Requests from law enforcement agencies should be submitted in writing. The written statement should indicate that providing an accounting is likely to impede the agency’s activities and should specify a time period during which the consumer’s right will be suspended.

Suspensions that last more than 30 days must be supported in writing, and requests must be made in writing. If a written request is not submitted, the individual’s right to an accounting may be suspended for no more than 30 days.

A communication from a law enforcement or health oversight agency requesting the suspension of a consumer’s right to an accounting of disclosures should be directed to the Director of Health Information
The Director of Health Information will verify the credentials of the government official that makes a verbal request and document the identity of the official or agency.
The Director of Health Information will place the consumer’s name on a list of persons whose right to an accounting has been suspended pursuant to an official request.

Information to Be Provided in an Accounting of Disclosures

Procedure

The information that will be provided in an accounting of disclosures includes:

The date of the disclosure
The name of the entity or person who received the protected health information
A brief description of the purpose of the disclosure or a copy of the authorization for the disclosure

Note: Disclosures to business associates for purposes of treatment, payment, and health care operations should not be included in the accounting.

Documentation of Accountings Provided to Consumers

Procedure

Copies should be made of all accountings of disclosed information prepared for consumers. The copies should be kept for six years.

Documentation of Disclosures Requiring an Accounting

Procedure

When a Staff Member(s) discloses protected health information, the Staff Member(s) will document the disclosure. This documentation would be necessary if the consumer were later to request an accounting of disclosures.

Any disclosure, other than a disclosure for purposes of treatment, payment, or health care operations, will be documented by completing a disclosure accounting form.
The disclosure accounting form will be forwarded to the Medical Records Clerk, who will update the files and databases that are used to prepare accountings of disclosures.

Submission of Complaints

A process has been adopted by West Texas Centers by which complaints regarding potential privacy violations can be submitted for investigation to the Director of Health Information.

Procedure

Staff Member(s) shall report complaints via an incident report to Director of Health Information. A consumer or other individual who wants to file a complaint concerning WTC’s privacy policies and procedures, or a suspected disclosure of protected health information that violates federal or state law should:

Be directed to the Client Rights Officer for answers to questions about filing complaints
Receive a copy of the complaint form from the Client Rights Officer to be returned by mail to the address printed on the form.

Complaint Resolution Procedures

West Texas Centers will work to resolve every complaint raised by an individual. All potential violations of privacy will be investigated.

Complaints Concerning Privacy Policies and Procedures

Procedure

The procedures for resolving complaints submitted by consumers or other individuals concerning the privacy practices of West Texas Centers or the policies and practices established in this manual are outlined below.

Upon receiving a complaint the Client Rights Officer or a designated Staff Member(s) will review the complaint and confer with the Director of Health Information, evaluate the specific details of the complaint, and determine whether the complaint warrants a change in the privacy policies or procedures of WTC.
If a change appears to be warranted, the Staff Member(s) conducting the evaluation will develop a recommendation and submit it to the Director of Health Information, who will determine whether an immediate change in policies and procedures is needed to prevent a violation of federal or state privacy standards, laws, or regulations.
If it is determined that a change in policies and procedures is necessary; a revised procedure will be prepared following the procedures outlined in section 1.8. The Client Rights Officer should prepare a response and send it to the individual submitting the complaint. The response should thank the individual for his or her interest. It should indicate that the suggestion has been evaluated, and that WTC believes that its current procedures comply with federal and state requirements
If a change does not appear to be warranted, the Client Rights Officer will prepare a response and send it to the individual submitting the complaint. The response should thank the individual for his or her interest and indicate that the suggestion has been evaluated but that WTC believes that its current privacy procedures comply with federal and state requirements and are sufficient to protect consumer privacy.
Receipt of the complaint and its final disposition should be documented using the procedures outlined in section 1.27.

Complaints Arising from Possible Violations of Privacy Policies

Procedure

The procedures for resolving complaints submitted by consumers or other individuals concerning the disclosure of protected health information are outlined below.

A Staff Member(s) who receives a complaint from a consumer or other individual that concerns a possible use or disclosure of protected health information that violates WTC’s privacy policies and procedures, or that violates federal and state law, should immediately refer the complaint to the Director of Health Information.
The Director of Health Information will review the complaint and determine whether a violation occurred and, if so, whether the violation involves only the privacy policies and procedures established in this manual or also involves a violation of federal and state privacy laws and standards.
If the Director of Health Information determines the complaint may involve a violation of federal or state standards and legal requirements, he or she will immediately forward the complaint to WTC’s legal counsel for evaluation. The request for evaluation should specify a date by which the evaluation should be completed.
The Director of Health Information should follow up and track the status of the referral. If the evaluation indicates that federal or state standards may have been violated, the mitigation procedures established in section 1.28 should be followed.
If the Director of Health Information determines that the complaint does not involve a violation of federal or state standards and legal requirements, he or she will determine whether WTC’s privacy policies and procedures were violated. If policies and procedures have been violated, the disciplinary procedures established by section 1.6 should be initiated.
Upon completion of step 4, the Director of Health Information should contact the person submitting the complaint and notify him or her of the actions that will be taken to address the complaint.
Evaluations of complaints should generally be completed within 30 days of receipt.
The receipt of the complaint and the final disposition should be documented using the procedures established in section 1.27.

Documentation of Complaints

Procedure

The Director of Health Information will establish and maintain files containing documentation of all complaints received. This documentation will include the actions taken to address or resolve the complaint, including any written correspondence with the person submitting the complaint.

Mitigation

West Texas Centers will mitigate to the extent possible any harmful effects resulting from the use or disclosure of protected health information that violates West Texas Centers policies and procedures, or the requirements of state and federal law.

Procedure

When Director of Health Information determines that a use or disclosure of protected health information has violated the policies and procedures established by this manual, the case will be referred to WTC’s legal counsel to:

Determine any action needed to mitigate any harm that may result to the consumer whose information was used or disclosed
Evaluate WTC’s legal exposure and recommend a course of action
Follow up with the consumer

All communications with the consumer concerning use or disclosure of protected health information that legal counsel determines may violate federal or state standards and legal requirements should be handled by WTC’s legal counsel.

Non-retaliation and Protection for Whistleblowers

West Texas Centers will ensure that no retaliatory action will be taken against consumers, staff, or any others that bring to the organization’s attention a potential privacy violation.

Procedure

As an organization, WTC does not partake in any type of intimidation, threats, coercion, discrimination, or other retaliatory action against any persons that bring to the attention of the organization or the HHS OCR potential issues in privacy practices. Any issues brought directly to the Director of Health Information will be investigated, and appropriate sanctions will be applied in the event that an issue is found.