Privacy Policies
All staff and others who regularly have access to PHI maintained at Clinica Medica Primaria de Rising Sun must read, understand and adhere to the following:
Definitions:
- PHI – protected health information. This is health information that can be linked to a specific individual. This includes the paper chart, billing records, computerized records, and oral communications specific to the health of that individual. It does not include discussions with that individual that are not health related, solely their name, or health information that is not specific to that individual.
- TPO – treatment, payment, and health care operations. These are the purposes for which PHI can be transmitted without prior authorization from the patient.
- Covered entities – those individuals or institutions that are under the jurisdiction of the HIPAA regulations. These include physicians, physicians’ offices, hospitals, pharmacies, chiropractors, billing services, utilization review departments, health insurance companies, health departments, and others who are given patients’ health information. Those not covered include pharmaceutical representatives, marketing agencies, lawyers, schools, and others who are not directly given health information from a patient.
Maintaining security of PHI during oral communications.
- Clinic staff will be vigilant about having the “minimal number of ears” hear any conversation in which protected health information (PHI) may be discussed.
- When possible, only the first or last name, or no name at all, will be used during oral communication. This is in order to avoid personally identifying any health care related conversations.
- Encourage those who have no need to hear a phone conversation or discussion to maintain a safe distance from the conversation, out of earshot.
- We will keep the doors closed on exam rooms when a patient is inside to not only prevent a breach of security in discussions that occur in the exam room, but also to prevent conversations in the hallway and nurse’s station from being overheard by the patients in those rooms.
- Messages containing PHI will generally not be left on answering machines, voice mail, or with family members. We would prefer to leave all PHI with the individual. Only in the event that a timely or urgent intervention is necessary will a message not be conveyed directly. At those times, only that information that is minimally necessary will be conveyed, and only in the judgment of the clinical staff or provider.
- Each patient will review the patient detail sheet at the first visit and initial it to indicate the accuracy of the demographic and insurance information presented.
Maintaining security of PHI during electronic or digital transmission.
- We will not fax PHI to a non-covered entity. We will fax to those entities covered by the HIPAA regulations only minimally necessary PHI. We will fax to personal faxes only when specifically indicated by the individual patient and assured that confidentiality will be maintained. All faxed information will have a statement on the cover sheet detailing the security of confidential PHI expected from the recipient.
- As we utilize a shared fax server and system, only the staff of Clinica Medica Primaria de Rising Sun, Stone Run Family Medicine and Neil Lattin, MD, L.L.C will access incoming faxed PHI. They will determine which office staff it will go to.
- We will make every effort to ensure that transmitted PHI will be HIPAA compliant. This includes software vendors and insurance companies to which we transmit information electronically.
Maintaining security of PHI during physical transmission of PHI.
- We will allow pick up, by persons other than the patient, of prescriptions, lab slips, paper referrals, and other PHI to ensure appropriate treatment of the patients and smooth health care operations.
- Patients will be discouraged from viewing or listening to others’ PHI, both directly and indirectly, by the habits maintained by the office staff and the protocols established by this practice.
- We will print “Confidential” on each envelope sent that contains PHI.
Maintaining the security of written PHI.
- Certain areas of the office will be designated as PHI secure and PHI non-secure.
- Those areas indicated as non-secure include the hallways, patient exam rooms, bathrooms, referral desk area, check-in and checkout areas, waiting room, patient education room, office manager’s office and any area in which written PHI may be viewed from one of these areas. These are areas of the office that patients frequent.
- In these non-secure areas, any PHI will be concealed. Superbills, lab test forms, other clinical slips or forms in non-secure areas, may be concealed by turning to a blank back page or by removal of the PHI. PHI will not be stored in these non-secure areas.
- Patients’ names without any revealing PHI will not necessarily be concealed.
- Areas where there is no patient access are considered secure areas. Only those who have signed a confidentiality agreement, understand minimal necessary disclosure, and have knowledge and training of HIPAA regulations and these policies will have access to these secure areas. Persons who will have this access include office staff, physicians and other providers, and office staff of shared tenants. Janitorial and maintenance personnel who have access to PHI but do not routinely handle PHI will not sign a confidentiality agreement, as their exposure to PHI is incidental, if ever.
- Chart storage will be in the chart area or mobile chart rack, not accessible to patients, behind locked doors after the last staff or cleaning person leaves. Locks will only be opened by those who have access to secure areas.
- Staff having access to any computerized system, or to any other computer system that has PHI, will use appropriate passwords. Screen savers will be utilized within 1 minute of departure from a computer. Programs containing PHI will be minimized at the departure of a staff member from a computer terminal. Routine backup of computerized data containing PHI will be maintained in secure areas.
- We shred any paper containing PHI that is otherwise about to be appropriately discarded.
- Medical authorization by signature of the patient or its facsimile will be necessary in order to release PHI to other entities who request PHI, with the exception of those who need it for treatment, payment, or health care operations purposes.
- The infrequent presence of others in the PHI secure areas of the practice will only be made with the direct observation of one who has access and only with the explicit understanding that no disclosure of PHI should occur.
Maintaining policies regarding the disclosure of minimally necessary amounts of information.
- Providers and clinical assistants will be the only staff to have access to the entire chart. Clinic staff will be instructed to view clinical material only in order to establish a diagnosis for payment or health care operations. All clinic staff will have access to patient demographics in order to ensure efficient health care operations. Cleaning personnel and others entering the secure areas will not have and should not attempt to have direct access to PHI. Any PHI disclosed to any staff member, cleaning person, or others appropriately utilizing PHI, either directly or incidentally, should not be shared with others who do not have access to PHI. In other words, all PHI is to be kept confidential.
- Any deviance from this policy should be promptly reported to Joseph K Weidner, Jr. MD. As implementing this will be an educational process, reports of deviance from this policy will be handled without retribution to the individual reporting or deviating from the policy, with the exception of intentional or grossly negligent deviation.