HIPAA Privacy Policy

This Policy applies to the following employee welfare benefit plans (collectively the "Plans") that are sponsored by Orthopedic Associates of Middletown, P.C.: Orthopedic Associates of Middletown, P.C. Health & Dental Plans.

Policy

    It is the policy of the Plans to maintain and protect the privacy of the protected health information ("PHI") of its plan participants and to give its plan participants specific rights with respect to their PHI.

Purpose

    This policy is intended to promote awareness of the confidential nature of the medical information that is collected, maintained and disseminated by the Plans. This policy and these procedures reflect the commitment of Orthopedic Associates of Middletown to protecting the confidentiality of its plan participants' private health information.

Structure

    This Privacy Policy shall be overseen by the Privacy Official, who shall report on privacy issues to the Operations Manager or Administrator. The Privacy Official shall be the Operations Manager, who shall have authority and responsibility for implementation and operation of the policy.

Collection and Receipt of Protected Health Information

Policy

    The Plans will collect only the minimum necessary PHI that is needed for the particular purpose for which it is collected and will safeguard this information.

Procedures

  1. When collecting or receiving PHI, employees will request only the minimum necessary information. Prior to making such a request and at the time this policy first becomes effective, employees who collect or receive PHI will evaluate the information that is requested or received to determine that they are receiving or requesting the minimum necessary. The Privacy Official will make the final determination (when necessary) as to what information can be requested and received.
  2. When collecting or discussing PHI, employees will comply with the following privacy guidelines, along with any additional procedures established from time to time:
    • PHI should not be discussed in any open area;
    • Documents containing PHI should be kept in locked files and should not be left in any open area or area where the general public has access;
    • Documents containing PHI should be de-identified wherever possible; and
    • Documents containing PHI should be shredded when they are no longer needed.
  3. PHI will be discussed and shared with an employee only to the extent that the individual has a need to know the PHI as part of the performance of his or her job duties.

Access to Protected Health Information by Plan Participants

Policy

    The Plans will provide their plan participants with the right to access their own PHI that has been collected and is maintained by the Plans. This information, called the Designated Record Set, includes the policy binder located in the small office off the conference room. This right of access does not apply to psychotherapy notes and information compiled in anticipation of a criminal or civil legal action.

Procedures

  1. A plan participant may request a copy of his or her PHI, as long as the request is in writing and is dated and signed by the plan participant on a form approved by the Plans. All such requests will be given to the Privacy Official for response.
  2. Within 30 days of receipt of the written request (or 60 days for information that is not maintained on-site), the Privacy Official will inform the plan participant of the acceptance of the request, will provide a written denial, or will direct the plan participant to the entity that maintains the requested information.
  3. The Privacy Official will provide the plan participant either with the ability to inspect the plan participant's file or will provide a copy of the file, as requested by the plan participant. The Plans may charge a reasonable fee for all copying requests. This fee will include supplies, labor and postage.
  4. The Privacy Official will provide the file in the format requested by the plan participant, unless it is not readily producible in that format.
  5. The Privacy Official may provide the plan participant with a summary of the PHI or an explanation of the PHI, if the plan participant requests such a summary or explanation.

Amendment of Protected Health Information

Policy

    The Plans will allow plan participants to request amendment of their PHI that is created and/or maintained by the Plans. PHI that was not created by the Plans or that is accurate and complete, as determined by the Privacy Official, is not subject to amendment.

Procedures

  1. A request for amendment of PHI must be made on a form approved by the Plans. The request must be made by the plan participant or the plan participant's personal representative, including a parent (for a minor) or guardian (collectively referred to as "plan participant"). The request must reference the information for which amendment is requested and the reason for the requested amendment.
  2. When a plan participant first contacts the Plans to request an amendment, the employee who receives the request will notify the plan participant of the requirements for requesting the change.
  3. All written requests for amendment will be forwarded to the Privacy Official for response.
  4. Within 60 days after receipt of the request for amendment, the Privacy Official will either accept or deny the amendment request. This determination will be made by the Privacy Official. If the amendment request is accepted, the Privacy Official will notify the plan participant and request the agreement of the plan participant to notify business associates or other persons who have received the incorrect PHI about the plan participant from the Plans. If the amendment request is denied, the Privacy Official will notify the plan participant of the basis for the denial, the right of the plan participant to submit a written statement of disagreement or to request that the amendment and the denial be included in any future disclosures, and a description of how the plan participant may file a complaint.
  5. If the plan participant files a statement of disagreement, the Privacy Official may prepare a written rebuttal, which must be given to the plan participant. All future disclosures of PHI for this plan participant must include both the statement of disagreement and the rebuttal, if any, and a link between these documents and the PHI that is subject to dispute.

Uses and Disclosures of Protected Health Information

Policy

  1. The Plans will use and disclose the PHI they create, collect and/or maintain for the following: quality assessment; disease management or wellness program development or implementation; rating provider and plan performance, including accreditation, certification, licensing or credentialing activities; to review claim appeals or to resolve internal grievances; to evaluate renewal proposals or new health plan or reinsurance vendors; to conduct cost-management and planning-related analyses such as formulary development and administration, development or improvement of payment methods or coverage policies; to conduct due diligence in connection with the sale or transfer of assets to a potential successor.
  2. All PHI collected by the Plans will be disclosed only to the following "valid recipients" or in the following situations: (1) to the plan participant; (2) if the plan participant is a minor, to the plan participant's parent or legal guardian; (3) to an insurance company, reinsurance company, TPA or a business associate of the Plans; (4) to the plan participant's representative, agent, or any other person with a signed authorization from the plan participant; (5) in response to legal process; (6) to investigate possible insurance fraud; (7) to help settle a claim dispute for benefits under a medical benefit plan or insurance policy; or (8) to the Plan Sponsor, in accordance with the provisions of HIPAA.

Procedures

  1. To the extent reasonably possible, PHI that is requested or disclosed by the Plans will be received or distributed after it has been de-identified. The Privacy Official will oversee the de-identification process.
  2. Where it is not possible or practicable to de-identify PHI that is disclosed, employees will disclose only the minimum necessary information. The Privacy Official will help, upon request, to determine that the minimum necessary information is disclosed. Minimum necessary standards will be created and followed for all routine disclosures of PHI.
  3. In any situation where PHI is requested from the Plans, an employee will verify the identity of the person requesting the information and the authority of the person to have access to PHI (unless the identity and authority are already known).
  4. PHI will be disclosed to a Valid Recipient as described above through the telephone, only after the identity and authority of the person who is on the other end of the call is verified.
  5. PHI will be sent to a Valid Recipient by facsimile only if the employee who is sending the information can determine that the intended recipient will be the receiver of the facsimile, or that he or she is expecting the confidential facsimile at that time.
  6. All fax cover sheets utilized by employees will contain a standard confidentiality statement.
  7. All disclosures of PHI, other than those conducted in the course of payment or healthcare operations of the Plans, will be reported to the Privacy Official. When requested by a plan participant in writing, the Privacy Official will prepare an accounting of all disclosures that were not part of the health care operations of the Plans. The accounting will include all disclosures made by the Plans that occurred in the past six years (or shorter period as requested by the plan participant), but excluding any disclosures made prior to April 14, 2003, and will comply with all applicable laws and regulations. The accounting will be provided within 60 days of the request. No charge will be imposed for the first accounting requested during any 12-month period.

Notice of Privacy Practices

Policy

    It is the policy of the Plans to provide all plan participants with a Notice of Privacy Practices that describes the Plans' required and permitted uses and disclosures of their PHI.

Procedures

  1. The first Notice of Privacy Practices will be delivered by Orthopedic Associates of Middletown's third party administrator [the insurance company(ies) that underwrite(s) the Plans] to each employee no later than April 14, 2004. If an employee has requested that benefit, enrollment or other employment information be delivered by e-mail, the notice may be given by e-mail. Otherwise, the Notice will either be hand delivered or sent by U.S. mail.
  2. Every three years from the date of the initial delivery of the Notice, Orthopedic Associates of Middletown, P.C. and the insurance companies for the Plans will be responsible for notifying employees that the Notice is available and that they can receive a copy of it on request.
  3. A revised Privacy Policy will be delivered to each employee within 60 days after a material change is made, based on a change in the law or regulations or a change in internal procedures.

Training

Policy

    The Privacy Official will train (or will oversee the training of) all new employees and current staff on the requirements of this Privacy Policy.

Procedures

  1. The Privacy Official will conduct training for all employees who have or may have access to or may be recipients of PHI, no later than the date that this Policy becomes effective. New staff will be required to receive training on the Privacy Policy within 3 months of the start of their employment, or within 3 months of the assignment to a position in which they deal with PHI as part of their job requirements.
  2. The Privacy Official will conduct training on any material changes made to the Privacy Policy within 1 month after the changes become effective.
  3. Additional training sessions may be conducted by the Privacy Official as needed.
  4. Each employee will be required to sign a Confidentiality Agreement on or before the effective date of this Policy or at the beginning of his or her employment, whichever is later. All signed Confidentiality Agreements will be kept by the Privacy Official.
  5. All training will be documented by the Privacy Official, or other employee as requested by the Privacy Official.

Complaints

Policy

    The Plans will accept and respond to complaints relating to the Privacy Policy, procedures, and compliance efforts relating to the privacy of PHI.

Procedures

  1. Complaints regarding this Privacy Policy will be forwarded to the Privacy Official for review and response.
  2. The Privacy Official will review all complaints, will discuss them with the management, and/or other employees, as needed, will review relevant documents and will respond to the plan participant who has filed the complaint.
  3. All complaints will be logged by the Privacy Official. The log will include the complaint and a brief description of the resolution of the complaint.

Recordkeeping

Policy

    The Plans will retain all documentation related to this Privacy Policy for a minimum of six (6) years from the date the documentation was created or the date that it was last in effect, whichever is later.

Procedures

  1. The following documents will be maintained in the files of the Privacy Official or other secured location:
    • This Privacy Policy
    • Notice of Privacy Practices (all versions)
    • All signed authorizations
    • PHI Disclosure Log
    • Access, amendment and restriction request log
    • Requests to access, amend or restrict disclosures of PHI
    • Complaint log, along with copies of any written complaints
    • Records of any sanctions imposed on employees
    • Employee training manuals and procedures
    • Business associate contracts
    • Plan document amendments
    • Plan sponsor certification
  2. Every year on or about January 1, the Privacy Official will determine which records, if any, have been held for the minimum period required and should be destroyed.

Sanctions

Policy

    The Plan Sponsor, on behalf of the Plans, will appropriately discipline any staff member who fails to comply with this Privacy Policy.

Procedures

  1. For the first material failure to comply with this Privacy Policy, an employee will receive a verbal warning.
  2. For any subsequent failure to comply with this Privacy Policy, the employee will be subject to sanctions up to and including removal of the employee's access to PHI and termination of employment.

Mitigation of Wrongful Disclosures

Policy

    The Plan will attempt to mitigate any disclosures of PHI that are in violation of this Privacy Policy by, for example, requesting return of any written PHI that was improperly disclosed, or by admonishing the recipients of any wrongly-disclosed PHI of their obligation not to further disclose the PHI.

Refraining from Intimidating or Retaliatory Acts

Policy

    It is the policy of the Plans to prohibit any intimidation, threats, coercion, discrimination or other retaliatory acts against any person for the exercise of his or her rights under this Privacy Policy, for filing a complaint with the DHHS, or for assisting in an investigation of any act made unlawful by the Health Insurance Portability and Accountability Act.

This Privacy Policy is effective as of April 14, 2004.
Name: Daniel E. Neal
Title: Administrator
Date Released: October 14, 2004