Table of Contents

The Wisconsin Assisted Living Association... ix
    Mission... ix
    Vision... ix
    Values... ix
Acknowledgments... ix
Who Should Use This Manual... x
How to Use This Manual... x
Updates and Forms... xi

Chapter 1: Heading Into HIPAA... 1
    A Brief Overview of HIPAA... 3
    Whose Information Is Private?... 3
    Why HIPAA Matters to Your Assisted Living Community... 4
    What Is the Deadline for Compliance?... 5
    Should I Just Hire a Consultant to Do All This?... 5
        But my billing service takes care of all that!... 5
    What If HIPAA Doesn't Apply to Your Community?... 6
    Have a COW, Man!... 6
    A Note About Legal Counsel... 7
    Essential HIPAA Terminology... 7
    Federal vs. State Law: When in Doubt, Do It the Hard Way... 7
    The Privacy Rule and the Security Rule... 9
        The Privacy Rule... 9
        The Security Rule... 10
    A Note About HITECH... 10

HIPAA FOR MANAGERS... 11

Chapter 2: The Privacy Officer and the Security Officer... 13
    The Privacy Officer... 15
        Privacy Officer qualifications... 15
        Privacy Officer responsibilities... 15
    The Security Officer... 15
        Security Officer qualifications... 15
        Security Officer responsibilities... 16
    Duties of the Privacy Officer and Security Officer... 16
        Training... 16
        Monitoring and Audits... 17
        Complaints and Security Incidents... 17
        Investigation and Enforcement... 17
    HIPAA: Not Your Only Responsibility... 17
    Contingency Plans and Mitigation... 18
    Retaliatory Acts... 18
    Performing a Risk Assessment... 18
    Creating a Culture of Compliance... 19
    Helping Family Members Understand... 20
    Sample Privacy Officer Job Description... 21
    Sample Security Officer Job Description... 23
    HIPAA Reminder Poster... 25
    Sample Letter Informing Residents and Families of HIPAA Restrictions... 27

Chapter 3: Resident Records... 29
    What the Resident Record Contains... 31
    The Resident Privacy Flow Sheet... 33
    Making Entries in the Resident Record... 34
    Bumps in the Log... 34
    Correcting Errors in the Resident Record... 35
    Resident Privacy Flow Sheet... 37
    List of Approved Forms... 39

Chapter 4: Who Has Access to Protected Health Information?... 41
    Employee Access to PHI... 43
    Business Associates' Access to PHI... 43
    Exceptions to Minimum Necessary Standards... 43
    Minimum Necessary Standards... 45

Chapter 5: Disclosing PHI... 47
    TPO Disclosures... 49
        Special PHI... 49
        Approved resident restrictions... 49
    Required Disclosures... 50
    Permitted Disclosures... 51
    Authorized Disclosures... 52
        Expiration and revocation of authorizations... 52
        Resolving conflicts... 53
    Redisclosures... 53
        Special PHI... 54
        Recommendations on redisclosures... 54
    Request to Restrict PHI Uses or Disclosures Form... 55
    Form Letter to Attorney in Response to Subpoena... 57
    Authorization for Use or Disclosure of Information... 59

Chapter 6: Residents' Rights... 61
    Right to a Notice of Privacy Practices... 63
        Creating a Notice of Privacy Practices... 63
        Distribution of the NPP... 65
        Amending the NPP... 65
    Right to Request Certain Restrictions on the Use and Disclosure of PHI... 65
    Right to Request Access to PHI... 66
        Fees for Resident Copies of Their Records... 66
        Monitored access... 67
        Denying a request for access to PHI... 67
        Residents' review rights... 68
        PHI held at another facility... 68
    Right to Request an Amendment of PHI... 68
        Denying a request to amend PHI... 69
    Right to an Accounting of PHI Disclosures... 70
    Acknowledgment of Receipt of Notice of Privacy Practices... 71
    Documentation of Good Faith Efforts... 73
    Resident Request to Access PHI Form... 75
    Decision for Resident Request to Access PHI from Privacy Officer... 77
    Decision by Clinical Staff Designee on Denial of Access... 79
    Resident Request to Amend PHI Form... 81
    Decision Regarding Resident Request to Amend PHI... 83
    Resident Request for Accounting of PHI Disclosures Form... 85
    Accounting of PHI Disclosures Report Form... 87

Chapter 7: Business Associates... 89
    Who Is a Business Associate?... 91
    Exceptions to the Business Associate Agreement... 92
    Roster of Business Associates... 92
    Business Associates' Obligations... 93
        Business Associate Agreement... 93
        Accounting of Disclosures... 93
        Breaches... 93
    Business Associate Roster... 95
    Letter Notifying Business Associates of Their Obligations... 97
    Sample Business Associate Agreement Provisions... 99
    Data Breach Notice from Business Associate... 105

MAKING HIPAA HAPPEN... 107

Chapter 8: Safeguarding Protected Health Information (PHI)... 109
    Access and Storage Controls... 111
        Malicious software... 112
        Security incidents and emergencies... 112
        Tips for Creating Strong Passwords... 112
        Storage controls... 113
        Removal and destruction of PHI... 113
    Employee Safeguards... 113
        Employee obligations... 113
        Termination... 114
    Communication Safeguards: Written Materials and Telephone Calls... 114
        Resident directories... 114
        Telephone calls... 114
    Communication Safeguards: Fax... 115
    Communication Safeguards: Email... 116
    Communication Safeguards: Social Media... 117
    Communication Safeguards: Texting... 118
    Safeguards on Computers and Other Electronic Media... 118
        Checkout/check-in procedures... 119
        Disposal... 119
    Business Associate Safeguards... 119
    Action Form... 121
    Termination/PHI Access Keys/Passwords Checklist... 123
    Fax Cover Sheet... 125
    Personal Electronic Media Statement... 127

Chapter 9: Training... 129
    HIPAA Training... 131
    Other Resources... 132
    A Note About HIPAA Training or Materials from Hired Contractors... 132
        Be aware of misleading marketing claims... 132
    HIPAA Training Quiz... 133
    HIPAA Training Quiz Answers... 135
    Acknowledgment of Completion of HIPAA Training... 137

HIPAA HICCUPS... 139

Chapter 10: Breaches... 141
    What Does the Government Do to Ensure HIPAA Compliance?... 143
    What Triggers a HIPAA Audit?... 143
    What Does This Mean for My Assisted Living Community?... 143
    What Is a Breach?... 144
        What are some common ways breaches occur?... 144
        What are the different types of HIPAA breach violations?... 144
    Penalties for Breach Violations... 145
    Your Responsibility to Report Breaches... 146
        What is your responsibility in investigating an alleged breach?... 146
    When to Notify Residents of Breach Violations... 147
    How to Notify Residents of Breach Violations... 149
        Timing... 149
        Format... 149
        Content... 149
    Corrective Action Your Community Should Take After a HIPAA Breach... 149
    Preparing for an OCR Investigation... 150
    Sample Notification of Breach Violation Letter to Resident... 153
        Other optional considerations... 153

Chapter 11: Complaints... 155
    How the OCR Responds to HIPAA Complaints... 157
    How Are Complaints Filed?... 158
    Contact information for OCR Region V (Illinois, Indiana, Michigan, Minnesota, Ohio, Wisconsin)... 158
    How Should You Respond to a Complaint?... 159

Chapter 12: Audits... 161
    Who Gets Audited?... 163
    What to Expect in the Event of an Audit... 165
        Timeline... 165
        Process... 165
    How to Prepare for an Audit... 168
    General Recommendations to Best Prepare to Respond to Breaches, Complaints, and Audits... 168

ADDITIONAL MATERIALS... 169
    HIPAA for Assisted Living: Quick Reference Guide... 171
    Glossary of HIPAA-Related Terms... 177
    Notes on Mental Health Records/Psychotherapy Notes... 183
        Uses and disclosures of protected mental health information... 183
        Individual rights granted by the privacy standard... 183
        Enforcement and destruction of mental health records... 184
        Note about psychotherapy notes... 185
    Communicable Disease Records Under State Law... 187
    Drug and Alcohol Treatment Records... 189
    Sample Disaster Recovery Plan... 195
    Checklist for Determining Your HIPAA Compliance... 199