HIPAA Patient Privacy and Confidentiality Policy


Policy: HIPAA Patient Privacy and Confidentiality 

Policy Number: 200
Policy Section: Compliance
Owner: Compliance Officer
Approved By: Compliance Officer
Effective Date: 3/1/22
Date of Last Review:


SUD Specialty Group -- CA; Mental Health Specialty Group, P.A.; Mental Health Specialty Group NJ, PC; and Mental Health Specialty Group KS, P.A. (collectively, the "Group") contracts with Path CCM, Inc. d/b/a Rula Health ("Rula") for management and administrative support services. This policy applies to the Group and Rula.


Policy Statement

This policy is to ensure compliance with the regulations set forth in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and 42 CFR, Part 2. It is the responsibility of the Group and Rula to maintain the confidentiality and security of protected health information in order to ensure the patient’s right to privacy.



This policy applies to all team members. For purposes of this policy, the Group’s and Rula’s team members include individuals who would be considered part of the workforce such as employees, independent contractors, business team members, and other persons whose work performance is under the direct purview of Rula or the Group’s business practices. 



Protected Health Information (PHI): a subset (record or transmission) of health information, including demographic information collected from an individual.

Electronic Protected Health Information (ePHI): PHI that is produced, saved, transferred, or received in electronic form. ePHI management is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

Use: the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for the Group or by a Business Associate of Rula.

Disclosure: the release, transfer, provision of access to, or divulging in any manner of PHI to persons not employed by or working within Rula with a business need to know PHI.

Unauthorized disclosure: any release, transfer, provision of access to, communication of, or divulging in any other manner of PHI, without an authorization, to persons not employed by or working within Rula with a business need to know PHI.

Minimum Necessary: the least amount of information, when using or disclosing confidential patient information, that is needed to accomplish the intended purpose of the use, disclosure, or request.

Treatment: the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.

Payment: the various activities of health care providers to obtain payment or be reimbursed for their services.

Health care operations: certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.

Covered Entity: a health plan, health care clearinghouse, or health care provider that transmits any information in an electronic form in connection with financial and administrative activities related to health care.


A. HIPAA and 42 CFR Part 2

  1. Both HIPAA and 42 CFR, Part 2 protect patient identifying information.
  2. HIPAA protects any health information that identifies an individual, while 42 CFR, Part 2 only protects information that identifies an individual as being a patient in a drug or alcohol abuse program or as having a drug or alcohol problem. Some information, i.e. information that does not include drug/alcohol information, may therefore be protected only by HIPAA and not by 42 CFR, Part 2.

B. Protected Health Information (PHI) 

  1. PHI is created or received by a health care provider, health plan, employer, or health care clearinghouse. It relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 
  2. Additionally, the information identifies the individual, or can be used to identify the individual. The following data elements are considered identifiers of an individual:
    1. Names;
    2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code;
    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death;
    4. Telephone numbers;
    5. Fax numbers;
    6. Electronic mail addresses;
    7. Social security numbers;
    8. Medical record numbers;
    9. Health plan beneficiary numbers;
    10. Account numbers;
    11. Certificate/license numbers;
    12. Vehicle identifiers and serial numbers, including license plate numbers;
    13. Device identifiers and serial numbers;
    14. Web Universal Resource Locators (URLs);
    15. Internet Protocol (IP) address numbers;
    16. Biometric identifiers, including finger and voice prints;
    17. Full face photographic images and any comparable images;
    18. Any other unique identifying number, characteristic, or code.

C. Uses and Disclosures of PHI and Minimum Necessary Rule

  1. In general, a patient’s PHI can be disclosed to any person, entity, or company only:
    1. After verification that the disclosure is authorized by the treatment, payment, or operations definitions of the Privacy Regulation, or the disclosure is authorized by 42 CFR Part 2;
    2. When a Business Associate Agreement is in place; or
    3. When a valid written authorization has been received.
  2. There are instances in which PHI is used or disclosed without prior written consent of the patient. Please reference the Authorization to Release Patient Information policy or the Notice of Privacy Practices (NPP) for more information. 
  3. All requests for disclosures of PHI will be managed through the Privacy Officer. Disclosures of PHI will be carried out in accordance with all applicable legal requirements, the Authorization to Release Patient Information policy, and the NPP.
  4. The minimum necessary requirement of the Privacy Rule will be followed when disclosing or requesting PHI. The minimum necessary provision exceptions include: 
    1. Disclosures to or requests by a health care provider for treatment purposes.  
    2. Disclosures to the individual who is the subject of the information.  
    3. Uses or disclosures made pursuant to an individual’s authorization.  
    4. Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.  
    5. Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.  
    6. Uses or disclosures that are required by other law.
  5. In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by: 
    1. A public official or agency who states that the information requested is the minimum necessary for a purpose permitted under 45 CFR 164.512 of the Rule, such as for public health purposes (45 CFR 164.512(b)).
    2. Another covered entity.
    3. A professional who is a workforce member or business associate of the covered entity holding the information and who states that the information requested is the minimum necessary for the stated purpose. 
    4. A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

D. Mitigation and Safeguards

  1. HIPAA training is completed prior to performing any work for the Group or Rula. Annual HIPAA training is also required. 
  2. Role-based access to PHI is identified based on the team member's position or status. Reference the Access Control policy for more information.  
  3. Reasonable and appropriate administrative, technical, and physical safeguards are maintained to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.
  4. A Business Associate Agreement is maintained with all non-covered entities where PHI is shared. 

E. Patient Complaints about Confidentiality and Privacy

  1. Patients or other interested parties have the right to file a grievance if they believe the Group or Rula has not adequately protected their privacy or confidentiality.
  2. The Notice of Privacy Practices has information for patients on how to file a grievance related to their privacy and confidentiality. The NPP is available on the website for patients to access.
  3. Reference the HIPAA Privacy and Confidentiality Complaints policy for more information. 

Attachments: None
