UM-St. LOUIS

CENTER FOR EYE CARE

7800 Natural Bridge Road

St. Louis , MO 63121

314-516-5131

HIPAA

POLICIES AND PROCEDURES

October 13, 2003

May 21, 2007

PRIVACY OFFICER JOB DESCRIPTION

Policy Number: 1 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, the Center for Eye Care will have a privacy officer.

1. Qualifications of the privacy officer:

• Knowledge of the HIPAA Privacy Rule.
• Available time to devote to compliance effort.
• Available time to attend educational seminars on privacy compliance, and to summarize seminar content for staff.
• Capable of sustained and detailed effort.
• Capable of effectuating change, when needed.
• Capable of creative or innovative solutions to privacy issues.
• Good communication skills.
• Good organizational skills.
• Motivates staff to achieve compliance.
• Prudent fiscal manager.
• Works well with governing body or management.
• Works well with outside resources, as applicable.

2. Duties of the privacy officer:

• Creates and implements policies and procedures to comply with HIPAA’s Privacy Rule.
• Monitors compliance efforts. Responds to specific HIPAA Privacy Rule compliance questions.
• Conducts educational sessions for our work force about HIPAA requirements and compliance.
• Receives and investigates allegations of non-compliance, and resolves any problems.

Ralph P. Garzia, O.D. is the Privacy Officer of the Center for Eye Care.

PUBLIC INFORMATION OFFICER JOB DESCRIPTION

Policy Number: 2 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, the Center for Eye Care will have a public information officer.

1. Qualifications of the Public Information Officer:

• Knowledge of the HIPAA Privacy Rule, and of our privacy policies and procedures.
• Knowledge of our organizational structure, and who are the “go to” people to accomplish any task.
• Good interpersonal skills.
• Good communication skills.
• Sympathetic to patient concerns.
• Good investigational skills.
• Capable of prompt and thorough resolution of identified problems, in conjunction with the privacy officer, as indicated in particular cases.

2. Duties of the public information officer:

• Receive, investigate, substantiate/not substantiate patient privacy complaints.
• Correct problems identified through investigation of privacy complaints.
• Provide information to patients and the public about our privacy practices and compliance.
• Report any concerns about privacy compliance to our privacy officer, and cooperate in the investigation and resolution of the problem.
• Accept and act upon patient requests for confidential methods of communication.
• Accept and act upon patient’s requests to restrict the way we handle protected health information for treatment, payment, or health care operations.
• Accept and act upon patient requests for access to their own protected health information.
• Accept and act upon patient requests to amend their own protected health information.
• Accept and act upon patient requests for an accounting of our disclosures of their protected health information.

Mindy Braniff, A. B.O.C., Center Manager is the Public Information Officer for the Center for Eye Care.

AUTHORIZATION FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION

Policy Number: 3 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, with certain exceptions, it is the policy of the Center for Eye Care to obtain a signed patient authorization before making a use or disclosure of protected health information. The Center for Eye Care requires a signed authorization prior to releasing Protected Health Information (PHI) other than for purposes of treatment, payment or operations, such as quality assurance or utilization review. The Center for Eye Care shall comply with applicable federal and state laws and regulations regarding the release of PHI for the prevention of serious harm to an individual.

1. Any request for the release of PHI must be accompanied by a written authorization signed by the patient before release of the PHI will be permitted, except under circumstances set forth in the Center for Eye Care’s policy regarding disclosure of PHI without an authorization.

2. Staff members of the Center for Eye Care are required to obtain a copy of an authorization to release PHI in writing, which must be maintained in the patient’s record.

3. Staff members may not rely on assurances from others that a proper authorization exists.

4. Facsimile or photostatic copies of the authorization are acceptable if reasonable attempts are made to certify the identity of the sender.

5. The Center for Eye Care is not required to disclose PHI precisely in accordance with an individual’s authorization. In various cases, it may be burdensome to undertake the effort to review the record and select the portions relevant to the request (or to redact portions not relevant). In such circumstances, the Center may provide the entire record to the individual who may then redact and release the PHI as desired to the requester. The entire record may not be sent to anyone other than the individual who is the subject of the PHI.

6. The Center must document and retain all signed authorizations for six years from the date of its creation or the date when it last was in effect, whichever is later.

7. A named insured may sign a valid authorization for an individual if the named insured is a personal representative for the individual under applicable law.

8. To be a valid authorization under this policy, the authorization must be written in plain language, and must contain at least the following elements:

• A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
• The name or other specific identification of the person(s), or class of person(s), authorized to make the requested use or disclosure;
• The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
• An expiration date or an expiration event that related to the individual or the purpose of the use or disclosure;
• A statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization;
• A statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer protected by law;
• The signature of the individual and the date; and
• If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual.
  

Protected Health Information (PHI)

Protected health information means information that identifies an individual patient (alone or in combination with other publicly available information) and that is:

• Generated or received by a health care provider who engages in the electronic transmissions of individually identifiable health information as part of one of the transactions identified in the HIPAA regulations, a health plan, or a health care clearinghouse.
• Relates to the past, present, or future physical or mental health or condition of the individual; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual.
• PHI includes demographic information collected from the individual.

PHI can take any form:

• Hard copy
• Electronic
• Oral
• Photographs, video, audio recordings.

Identifiers include:

• Names.
• All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geo codes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
• The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
• The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
• All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
• Telephone numbers.
• Fax numbers.
• Electronic mail addresses.
• Social security numbers.
• Medical record numbers.
• Health plan beneficiary numbers.
• Account numbers.
• Certificate/license numbers.
• Vehicle identifiers and serial numbers, including license plate numbers.
• Device identifiers and serial numbers.
• Web universal resource locators (URLs)
• Internet protocol (IP) address numbers.
• Biometric identifiers, including finger and voice prints.
• Full face photographic images and any comparable images.
• Any other unique identifying number, characteristic, or code.

ACTIVITIES THAT INVOLVE USE OF PROTECTED HEALTH INFORMATION

• Sending reminders of existing appointments.
• Reviewing patient database to find patients that need to make an appointment (recalls).

Intake when the patient comes to the appointment. [front desk staff]

• Sign in sheets.
• Waiting room procedures.
• Checking insurance coverage.
• Validating demographic information.
• Retrieving old clinical charts.

Student work up of patient before attending examination. [students]

Attending examination. [attending faculty]

Writing or phoning medication prescriptions, including responding to validation calls from the pharmacy. [attending faculty]

Writing prescriptions for glasses or contact lenses. [attending faculty]

Assisting patients with selection of eyewear. [dispensary staff]

Writing and filling orders for glasses or contact lenses. [dispensary staff]

Communicating with outside optical laboratories. Communicating with eyewear manufacturers. [dispensary staff]

Responding to validation calls from outside vendors of contact lenses. [attending faculty]

Referring patients and on-going communication with other professionals involved in the patient’s care. [attending faculty, students, staff]

Performing LASIK and other surgical pre-ops and post-ops [attending faculty, students]

Preparing and submitting bills to third party payers, or to the patient, and collections. [billing staff]

Marketing or advertising products and services. [department ass’t promotions]

Reporting suspected adult or child abuse. [attending faculty]

Providing relevant information to patient caregivers. [attending faculty, students, staff]

Returning patient phone calls. [attending faculty, students, staff]

Performing quality assessment and improvement. [attending faculty, QA faculty]

Hiring decisions about Center attending faculty and staff. [Center Manager]

Training attending faculty, residents, professional students, graduate students and staff. [Privacy Officer]

Reporting adverse events or contagious diseases to the FDA or other public health authorities. [attending faculty]

Sending clinical files or portions of them to providers or others that the patient directs. [Center Manager, front desk staff]

Sending clinical files to attorneys involved in litigation. [Center Manager, Ass’t Dean]

Communicating with school nurses regarding children eye exams. [attending faculty, students, staff]

Participating in managed care organization credentialing. [QA faculty]

Conducting clinical research. [attending faculty]

Writing articles for professional journals. [attending faculty]

Business planning and administrative management. [Center Manager, Ass’t Dean, BFO]

DISCLOSURE OF PROTECTED HEALTH INFORMAITON

WITHOUT AN AUTHORIZATION

Policy Number: 4 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to obtain a signed patient authorization before making a use or disclosure of protected health information, except in those circumstances in which HIPAA does not require such an authorization. As stated in HIPAA, we will not obtain a signed patient authorization in the following circumstances:

1. Uses and disclosures for treatment, payment, or health care operations. This includes, among other activities:

• Providing care to patients in our office
• Writing/sending, and filling prescriptions for drugs and eyewear or contact lenses
• Preparing and submitting claims and bills
• Receiving/posting payments, and collection efforts
• Managed care credentialing
• Professional licensure and specialty board credentialing
• Quality assurance
• Financial audits/management
• Training of professional and non-professional staff, including students
• Office management
• Fraud and abuse prevention activities

[Notwithstanding the lack of need for a signed patient authorization, we will obtain such an authorization from our patients before we disclose protected health information for the following activities:

• Seeking assistance from consultants;
• Making referrals of patients for follow-up care;
• Reports to referral sources

2. Disclosures to business associates that have signed a business associate agreement.

3. Disclosures that are required by our state law, provided that we disclose only the precise protected health information required, and only to the recipient required.

4. Disclosures to applicable state, local or federal governmental public health authorities to prevent or control disease, injury, or disability.

5. Disclosures to applicable local, state, or federal governmental agencies to report suspected child abuse, elder abuse or neglect.

6. Disclosures to individuals or organizations under the jurisdiction of the federal Food and Drug Administration (“FDA”), such as drug or medical device manufacturers, regarding the quality or safety of drugs or medical devices.

7. Disclosures to applicable local, state, or federal governmental agencies in order to report suspected abuse, neglect, or domestic violence regarding adults, provided that we:

• Get an informal agreement from the patient unless:
• We are required by law to report our suspicions.
• We are permitted, but not required by law to disclose the protected health information, and we believe that a report is necessary to prevent harm to our patient or other potential victims.
• We tell the patient that we are making this disclosure, unless:
• Telling the patient would put the patient at risk for serious harm, or
• Someone else is acting on behalf of the patient and we think that this person is the abuser and that telling him or her would not be in the best interest of the patient.

8. Disclosures for health oversight audits, investigations, or disciplinary activities, provided that we only disclose to afederal, state or local governmental agency (or a private person or organization acting under contract with or grant of authority from the governmental agency) that is authorized by law to conduct oversight activities.

9. Disclosures in response to a court order, provided that we disclose only the precise protected health information ordered, and only to the person ordered.

10. Disclosures to police or other law enforcement officers regarding a crime that we think happened at our office, provided that we reasonably believe that the protected health information is evidence of a crime.

11. Disclosures to organizations involved in the procurement, banking, or transplantation of eyes in order to facilitate eye donation and transplantation.

12. Uses of protected health information to market or advertise our own health care products or services, or for any other marketing exception (see related policy on Marketing).

13. Disclosures to a researcher with a waiver of authorization from an IRB or privacy board; to a researcher using the protected health information only for purposes preparatory to research or to a researcher only using the protected health information of deceased patients, provided that the researcher gives us the assurances required by HIPAA (see related policy on Research).

14. If at any time a proposed use or disclosure does not fit exactly into one of the exceptions to the need for an authorization described in paragraphs 1 through 13, we will obtain a signed patient authorization before making the use or disclosure.

FACILITY DIRECTORY

Policy Number: 5 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to give patients an opportunity to object to including their protected health information in our facility directory.

1. Our facility directory will consist of only the following information:

• patient name
• location within the facility
• general status information (testing not started, testing in progress, testing completed).

2. If we receive a call from someone knowing the patient’s name, we will disclose the directory information about the named patient to the caller, unless the patient has previously objected to such disclosure. We will not disclose more information than that specified in paragraph 1 to any caller.

3. The Public Information Officer is responsible for managing our facility directory and for providing patients the chance to object to being included or to having certain information disclosed.

4. At the time that a patient checks in to our facility, the front desk staff will advise the patient in writing of our directory, the information that is ordinarily contained in it, and our disclosure policy. The Public Information Officer will ask if the patient has any objection to being included in the directory. The patient is free to object to:

• being included at all
• having particular elements of information included
• disclosing some or all of the information to certain callers.

5. If a patient objects, the Public Information Officer will note the objection and make an entry in the patients electronic demographic record. The Public Information Officer will provide the note to all front desk staff who might receive a call requesting directory information. All front desk staff will abide by patient’s objections regarding directory information.

PROVIDING INFORMATION TO FAMILY AND FRIENDS OF PATIENTS INVOLVED IN CARE

Policy Number: 6 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to give patients a chance to agree or object to providing protected health information to close family or friends who are helping with the patient’s care.

1. If we feel that it is necessary or appropriate to inform a close family member or friend who is involved in a patient’s care about certain protected health information relevant to their involvement, we will give the patient a chance to agree or object to such disclosure before we make it. If the patient is present or available when this need arises, we will do any of the following:

• Get an oral agreement from the patient that the disclosure is acceptable.
• Give the patient a chance to object to the disclosure.
• Infer from the circumstances that the patient does not object. For example, we can reasonably infer that the patient does not object if the family member or friend is in the examining room with the patient.
• If the patient is not present or available when the need arises, we will use our best judgment about whether it is in the patient’s best interest to disclose the information. An example might be when a family member or friend comes to our office to pick up eyewear that the patient previously ordered, as a convenience to the patient.

2. If we make a disclosure to a close family member or friend under the circumstances described in paragraph 1, we will only disclose information that is relevant to the family member or friend’s involvement with the patient’s care. Examples:

• If the patient’s spouse will pick up ordered eyewear, we will provide the eyewear but not disclose any diagnoses or special features of the eyewear.
• If a son or daughter will assist a patient with eye drops, we will provide information about when and how the drops should be administered, but will not disclose the patient’s diagnosis.

3. If someone claiming to be a family member or friend of the patient initiates contact with us seeking information, we will:

• Verify the identity of the caller and their relationship to the patient.
• Determine if they are involved in the patient’s care.
• Determine if the patient is available (by phone, email, or other communications method) to either agree or object to the disclosure. If so, we will give the patient the chance to agree or object. If the patient objects, we will not disclose any information to the caller. If the patient is not available by any reasonable means, we will use our best judgment to determine whether disclosure of information is in the patient’s best interest.

MARKETING AND ADVERTISING

Policy Number: 7 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to require a signed patient authorization to use or disclose protected health information for marketing or advertising purposes, subject to the conditions and exceptions described in this policy.

1. Marketing means to make a communication that encourages the person receiving the communication to purchase a product or service.

2. We use protected health information in connection with a marketing communication if we review patient data bases or records to target the communication to specific recipients. We disclose protected health information in connection with a marketing communication if the content of the communication includes protected health information (photographs, testimonials, and the like).

3. If a marketing communication discloses protected health information, we will always get a signed patient authorization.

4. If we use protected health information in connection with a marketing communication, we will get a signed patient authorization, except for:

• Marketing communications about our own health care products or services.
• Communications made in the course of treatment, case management, or care coordination for an individual patient.
• Communications made during a face-to-face encounter with a patient.
• Communications consisting of distribution of promotional gifts of nominal value. We consider a gift to be of nominal value if the individual gift is worth less than $10 per item, and if we distribute less than $50 in gifts to any one patient per year.
• Communications falling into these specified categories do not require a signed patient authorization.

5. Any marketing communication that does not require a signed patient authorization must be included in our accounting of disclosures available to a patient upon request.

6. When we need an authorization, we will include information about any money or other valuable thing that we get from someone else in connection with the communication.

7. Many marketing communications do not use or disclose protected health information. These communications are not affected by HIPAA’s Privacy Rule. Examples of these communications are:

• general TV ads
• brochures mailed to “occupant” using a zip code data base

8. The Privacy Officer is responsible for obtaining signed patient authorizations for marketing, when they are required, and for making sure that the authorization discloses any money or thing of value that we get from someone else in connection with the marketing communication.

DISCLOSURES FOR RESEARCH

Policy Number: 8 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to obtain a signed patient authorization before using or disclosing protected health information for research purposes, unless the research satisfies one of HIPAA’s exceptions to the need for authorization. In accordance with HIPAA’s exceptions:

1. We will not obtain a signed patient authorization if a researcher has obtained, and presents to us, a proper waiver of authorization from an Institutional Review Board (“IRB”) or Privacy Board.

2. The University of Missouri- St. Louis IRB is convened to oversee the protection of human subjects in research, pursuant to regulations of the federal Food and Drug Administration.

3. In order to be a proper waiver, the following criteria must be satisfied:

• We must have documentation that the IRB has determined that a waiver is appropriate because:
• The use or disclosure of protected health information during the research poses no more than minimal risk to the privacy of the research participants;
• The protected health information is necessary for the research;
• As a practical matter, the research could not proceed without a waiver.
• We must have documentation from the IRB specifying what protected health information can be used or disclosed as part of the waiver.
• We must have documentation that the IRB made all its determinations according to proper procedures.
• The documentation must be signed by the chair of the IRB. The documentation must include the name of the IRB and the date of its approval of a waiver.

4. The Privacy Officer is responsible for obtaining proper IRB waivers of authorization for research that we want to conduct without a signed patient authorization. The Privacy Officer will consult with the IRB to determine what information the IRB or Privacy Board wants in order to make its determinations. If an outside researcher wants to use protected health information about our patients, the Privacy Officer is responsible for reviewing all documents that the researcher presents in support of a waiver of authorization, to verify their sufficiency.

5. The Privacy Officer is responsible for any ongoing communication with an IRB that has granted a waiver of authorization, if any is needed.

6. We will rely upon the IRB’s statement of the protected health information that is subject to the waiver as being the minimum amount of protected health information that is necessary for the research.

7. We will not obtain a signed patient authorization if a researcher gives us specific assurances that:

• The researcher wants to review or disclose protected health information solely to prepare a research protocol or take other steps in preparation for research. These might include checking a database to see if any patients are good candidates for the research.
• The researcher will not take any protected health information off-site from where it is held.
• The researcher needs the protected health information for research purposes.

8. The Privacy Officer is responsible for reviewing all assurances that an outside researcher may give us in support of a disclosure of protected health information. The Privacy Officer is also responsible for providing specific assurances whenever we want to obtain protected health information from someone else for activities preparatory to research.

9. We will not obtain a signed patient authorization if a researcher wants the protected health information in order to conduct research solely on deceased patients and provides specific assurances that:

• The researcher is asking for protected health information strictly to conduct research.
• The person identified in the protected health information is dead. The researcher should supply a death certificate.
• The researcher needs the PHI in order to perform research.

10. If an authorization is needed, the researcher is responsible for obtaining it to conduct the research. The Privacy Officer is responsible for reviewing all authorizations presented to us by outside researchers.

PERSONAL REPRESENTATIVES FOR PATIENTS

Policy Number: 9 Effective Date ___ 2/1/03___________

In order to comply with HIPAA's Privacy Rule, it is the policy of the Center for Eye Care to allow properly authorized personal representatives to stand in the shoes of a patient in order to exercise all the rights that the patient could exercise regarding the use and disclosure of protected health information and to give any required consent for a use or disclosure of protected health information.

1. Adult patients:

• Adult patients are those 18 years of age and older.
• Generally, adult patients handle all matters about their protected health information.
• An adult patient’s legal representative may provide consent or authorization on behalf of that adult; a legal representative may include a legal guardian or the attorney-in-fact named in a durable power of attorney for health care when the adult patient is incapacitated.

2. Minor patients

A minor patient is a person under the age of 18 years.

Generally minors are not able to provide consent or authorizations concerning their own protected health information because the law presumes that they are incapacitated by their age. The following may provide consent/authorization for minors:

• a parent for his/her child in his/her legal custody
• a court appointed guardian
• individuals who are considered to be “in loco parentis” in case of emergency

The following minors may consent to their own treatment or authorize use or disclosure of their health information:

• Any minor who has been lawfully married
• Any minor parent or legal custodian for him/herself, his/her child and any child in his/her custody
• Any minor for him/herself in the case of pregnancy but excluding abortions, venereal disease or drug abuse or substance abuse.

3. Deceased adult patients

The personal representative of the estate of the deceased adult patient may provide consent/authorization regarding use or disclosure of the decedent’s protected health information.

4. In a few instances, we will not work with the personal representatives listed above. This can happen in the following cases:

We believe that a person claiming to be a personal representative has or may have committed domestic violence, abuse, or neglect against the patient, and it is not in the patient’s best interest to treat that person as the personal representative.

5. Before we work with someone claiming to be a personal representative, we will check out their legal authority to so act. This might include:

• checking a photo identification
• examining court orders, powers of attorney or other legal documents
• consulting the University of Missouri General Counsel’s Office

If we are unsure of a person’s authority to sign consents/authorizations permissions or exercise rights regarding protected health information of a patient, we will not use or disclose that protected health information until any such ambiguity is resolved.

NOTICE OF PRIVACY PRACTICES

Policy Number: 10 Effective Date 2/1/03

In order to comply with HIPAA's Privacy Rule, it is the policy of the Center for Eye Care to:

1. Distribute a Notice of Privacy Practices to every patient at their first appointment.

• The Notice of Privacy Practices to use is attached to this Policy. Only Ralph P. Garzia, Assistant Dean has authority to change this Notice of Privacy Practices.
• The Center Manager is responsible to distribute the Notice of Privacy Practices.
• The Center Manager through the staff must give the patient a copy of the Notice of Privacy Practices at check-in.
• The Center Manager must ask the patient to sign an acknowledgement of receipt of the Notice of Privacy Practices. The acknowledgement of receipt is attached to this Policy. The signed acknowledgement of receipt is placed in the patient’s medical record.
• If the patient chooses not to sign the acknowledgement of receipt, the Center Manager must make a note of the fact that the patient was asked and that the patient refused. This note will be placed in the patient’s medical record.
• It is not necessary to give a Notice of Privacy Practices to a patient every time they come in after April 14, 2003 unless we change the Notice of Privacy Practices.
• At every patient encounter, the Center Manager must look in the patient’s medical record to determine if the patient has previously signed an acknowledgement of receipt.
• If yes, it is not necessary to give that patient another Notice of Privacy Practices unless we have changed our Notice of Privacy Practices since the date of the acknowledgement of receipt . Our most current Notice of Privacy Practices will always have an effective date on the front.
• If no, then it is necessary to distribute a Notice of Privacy Practices and ask for signature on an acknowledgement of receipt .
• If our first encounter with a patient after April 14, 2003 is electronic, our electronic system will automatically send a Notice of Privacy Practices and ask for a signed acknowledgement of receipt.

2. A copy of our Notice of Privacy Practices will be placed in the waiting room of all Center for Eye Care locations.

3. Copies of the Notice of Privacy Practices will be placed in the waiting rooms of all Center for Eye Care so that patients and visitors can take one, if they wish.

4. Our Notice of Privacy Practices will be redistributed as above whenever we change it.

5. We will use and disclose protected health information in a manner that is consistent with HIPAA and with our Notice of Privacy Practices. If we change our Notice of Privacy Practices, the revised Notice of Privacy Practices will apply to all protected health information that we have, not just protected health information that we generate or obtain after we have changed the Notice of Privacy Practices.

DESIGNATED RECORD SET

Policy Number: 11 Effective Date 2/1/03

In order to comply with HIPAA's Privacy Rule, the Center for Eye Care designates the following records to be our "designated record set" for purposes of patients' right to access and amend their protected health information:

1. The patient's medical record, hard copy or electronic:

• reports of screening and diagnostic tests
• examination results
• notes on examinations
• consultant reports
• referral reports
• eyewear prescriptions
• history and medication reports
• all other clinical information

2. The patient's billing records, hard copy or electronic:

• insurance claims
• remittance advice from insurance companies
• electronic fund deposit receipts
• bills to patients
• evidence of payment by patients
• collection records
• referrals to collection agencies or attorneys
• reports to consumer credit agencies for unpaid balances
• all other billing, claim, payment and collection records

3. Eyewear order and receipt forms specific to a particular patient, hard copy or electronic:

• orders for glasses
• orders for contact lenses
• acceptance of delivery of ordered eyewear
• patient pick up records
• repair requests and documentation of completion
• fitting information
• distribution of eyewear accessories
• any other records relating to eyewear

4. This does not include any documents created in connection with litigation.

PATIENT’S ACCESS TO THEIR PROTECTED HEALTH INFORMATION

 Policy Number: 12 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to allow patients to inspect and/or copy their own protected health information under the conditions stated in this policy. If the patient has a personal representative, the personal representative can inspect or copy the patients protected health information on behalf of the patient.

1. We require that patients send a written request to inspect or copy their protected health information. If a patient calls on the telephone asking to inspect or copy their protected health information, we will inform the patient of the requirement to send the request in writing.

2. Our Public Information Officer is responsible for handling patient requests to inspect or copy their protected health information.

3. We will respond to a patient’s request to inspect or copy their protected health information within 30 days of receiving the written request, or 60 days if the protected health information is stored off-site. If we need more time, we can have one 30 day extension, but we must notify the patient in writing of the extension before the original time period expires. Use the form letter, attached.

4. We can deny the patient’s request only for one or more of the following reasons:

• A patient cannot inspect or copy information if it was prepared in connection with a lawsuit.
• A patient cannot inspect or copy information if it is generated as part of the patient’s participation in a clinical trial and the request is made during the clinical trial. We must have informed the patient about this restriction when the patient signed up for the clinical trial. The patient must be allowed to inspect or copy this information when the clinical trial is over.
• A patient cannot inspect or copy information if we got the information from someone else who is not a health care provider, and we promised that person that his/her identity would remain confidential.
• A patient cannot inspect or copy information if we, or another health care professional, determine that this would likely endanger the life or physical safety of the patient or someone else.
• A patient cannot inspect or copy information if it references someone else, and we, or another health care professional, determine that access would likely cause substantial harm to such other person.
• A patient’s personal representative (for example, legal guardian, or parent of a minor) cannot inspect or copy information about the patient if we, or another health care professional, determines that this would likely cause substantial harm to the patient or another person.
• A patient cannot inspect or copy information that is not in a designated record set.

5. If we deny a patient access to their protected health information, we will notify the patient of our decision.

6. If the denial is based upon reasons 4 d, e, or f, the patient has a right to a review of our decision.

• The Chief of Primary Care at the Center for Eye Care will handle the review.
• The chief of Primary Care will look at the information that the patient wants to inspect or copy, and decide if we were correct in determining that the patient’s circumstances meet the specifications of paragraph 4d, e, or f.
  1. If not, the patient may inspect or copy the information.
  2. If so, the patient may not inspect or copy the information.

The patient may not further question our decision. Our notice to the patient will include instructions about how the patient may take advantage of this review right. We will use the denial notice letter accompanying this policy.

7. When we permit a patient to inspect or copy the requested information, we will:

• Provide the information in the form or format that the patient requests, if we can reasonably produce it that way. If we cannot, we will either agree with the patient about another format or give it to the patient in hard copy.
• Allow the patient to inspect or copy the information at our office during normal business hours. Within these limits, the patient can select the date and time to inspect or copy the records.
• Charge the patient $.20 per page for copying the requested information for the patient. If the patient wants the information mailed to him or her, we will charge the patient the cost of mailing or any special delivery method that the patient wants us to use. We will collect all charges before we make any copies.
• If the patient agrees in advance, we may summarize the requested information and give this to the patient instead of having the patient inspect all the information or copy all of it. If we do this, we will charge the patient $25.00 for the cost of preparing the summary. We will collect all charges before preparing the summary.

8. We will notify the patient that their request to access information is granted. We will use the access notice letter attached to this policy.

Sample letter

Dear [name of patient]:

Thank you for your request to inspect or copy information that we have about you. Ordinarily, we would be able to respond to your request within 30 days, but due to unusual circumstances we need an additional 30 days in order to respond to you. Accordingly, please expect to hear from us by [insert farthest date].

We look forward to working with you in the future.

Sample letter

Thank you for your request to inspect or copy information that we have about you. We are pleased to be able to grant this request.

If you want to inspect your information or make copies of it yourself, you may do so at our office during our normal business hours. Please let us know what date and time you would like to come. We will do our best to accommodate your requested date and time.

If you would like us to make a copy of your information for you, we are happy to do so. However, we will charge you $.20 per page]. We require payment of these charges in advance, before we start making copies. If you want us to mail the copies to you, we are happy to do so.

If you prefer, we can summarize our information and give that to you instead of having you inspect or copy all of the information. If you want to do this, we will charge $25.00, and we require payment of this amount before we start making the summary.

You requested the information in [_____ format]. We [can/cannot] accommodate that form or format. [Because we cannot accommodate that form or format, we will provide the information to you in hard copy, unless we can agree upon some other format that we can accommodate.]

Thank you again for your request. We look forward to working with you in the future.

Sample letter

Thank you for your request to inspect or copy information that we have about you. Unfortunately, we are unable to permit you to inspect or copy this information.

The reason for this denial is:

[specify]

[You are entitled to one review of our decision. If you want to request a review, send a written request to Edna Major, Administrative Assistant at the address shown in our letterhead. Dr. Timothy Wingert will look at the information that you want to inspect or copy, and decide if our decision is correct. If it is, you will not be able to inspect or copy the information. If Dr. Wingert concludes that we were wrong in denying you access to the information, you will be able to inspect or copy it, and we will be back in contact with you.

You always have the option to complain to us or to the U.S. Department of Health and Human Services – Office for Civil Rights if you think that we have not properly respected your privacy. If you want to complain to us, write or call Mindy Braniff, Public Information Officer at the address or phone number in our letterhead.

Thank you again for your request. We look forward to working with you in the future.

AMENDMENT OF PROTECTED HEALTH INFORMATION

Policy Number: 13 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to permit patients to request us to amend their protected health information under the conditions stated in this policy. If the patient has a personal representative, the personal representative may exercise this right on behalf of the patient.

1. We require that all requests to amend protected health information be in writing. If a patient calls on the telephone to request an amendment, we will inform the patient of the requirement to submit this request in writing.

2. Our Public Information Officer is responsible for handling patient requests to amend their protected health information.

3. We will respond to requests for amendment within 60 days after we receive the written request. We can have one 30 day extension if we notify the patient that we need this additional time before the original time period expires. We will use the form letter attached to this policy.

4. We can deny a requested amendment only for one or more of the following reasons:

• The information is accurate and complete as it is.
• We did not create the information.
• The information is not in a designated record set.

5. If we deny a request, we will notify the patient. We will inform the patient of the right to either submit a statement of disagreement or to have the original amendment request accompany the information. We will use the form denial letter attached to this policy.

6. If we grant the requested amendment, we will notify the patient. We will use the form amendment letter attached to this policy. We will:

• Append or link the corrected information to the information that we are holding.
• Send the corrected information to anyone who we know has previously received the incorrect information.
• Send the correct information to anyone that the patient requests.

Sample letter

Thank you for your request dated [insert date] to amend information that we have about you. Unfortunately, we are unable to amend our information because:

[specify permitted reason]

If you are dissatisfied with our decision, you have two options:

1. You can write a statement disagreeing with our decision and explaining your point of view. We will keep this with your information, and include it in any authorized disclosure of your information from now on. We may decide to write a rebuttal to your statement of disagreement. If we do, it will be included with your information and sent along with any authorized disclosures of it from now on. If you want to do this, send your statement of disagreement to Edna Major, Administrative Assistant at the address above.

2. At your option, you could alternatively ask us to simply include your original amendment request with your information. If you do this, we will disclose your original request with any authorized disclosure of your information from now on. If you want to do this, call Edna Major, Administrative Assistant at the number above.

It is your right to complain to us or to the U.S. Department of Health and Human Services -- Office for Civil Rights if you feel that your privacy rights have been violated. If you want to complain to us, send a written complaint (either hard copy or electronic) to: Mindy Braniff, Public Information Officer at the address above.

Thank you, and we look forward to working with you in the future.

Sample letter

Thank you for your request dated [insert date] to amend information that we have about you. We have made the change that you requested. The corrected information will be sent whenever we are authorized to send your information to anyone from now on.

Please let us know if there is any one who should get a copy of the corrected information right now. If there is, we will send the corrected information to them as quickly as possible.

Thank you, and we look forward to working with you in the future.

Sample letter

Thank you for your request to amend information that we have about you. Ordinarily, we would be able to respond to your request within 60 days, but due to unusual circumstances we need an additional 30 days in order to respond to you. Accordingly, please expect to hear from us by [insert farthest date].

We look forward to working with you in the future.

ACCOUNTING FOR DISCLOSURES OF PROTECTED HEALTH INFORMATION

 Policy Number: 14 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to provide our patients, upon request, with an accounting of the disclosures that we have made of their protected health information during the six years preceding their request, subject to the terms and conditions stated in this policy.

1. We will provide an accounting of all of our disclosures of a patient’s protected health information, except for the following:

• Disclosures for treatment, payment, or health care operations.
• Disclosures made with a signed patient authorization.
• Disclosures that are incident to other permitted disclosures.
• Disclosures to the patient personally
• Disclosures for a facility directory and disclosures to family or friends involved in a patient’s care.
• Disclosures of a limited data set.
• Disclosures made before April 14, 2003.

2. In order to be able to provide an accounting when a patient requests one, we will keep track of all disclosures that we make of our patient’s protected health information, except for those disclosures listed in paragraph 1. Only the Public Information Officer is authorized to make a disclosure of protected health information that is not listed in paragraph 1. The Public Information Officer will document all these disclosures in a separate file. We will keep this documentation for six years. This documentation will include:

• The date of the disclosure
• The name and address (if known) of he person or organization that got the protected health information
• A description of the protected health information that was disclosed
• A statement of the purpose or basis for the disclosure, or a copy of any request for the protected health information that prompted the disclosure.

3. We require that all requests for an accounting be in writing. If a request is made by telephone, we will advise the caller to submit it in writing to the Public Information Officer.

4. We will respond to a request for an accounting within 60 days from our receipt of the written request. If we are unable to provide the accounting within this 60 day period, we may have an additional 30 days, provided that we notify the patient of this delay before the original 60 day period expires. This notice must include the reason for the delay and the date that we will have the accounting ready. We will use the letter accompanying this policy to inform patients of a needed delay. The Public Information Officer is responsible for advising patients of delays.

5. Our accounting will list all of the information described in paragraph 2 of this policy. We will use the template accompanying this policy to make our accounting. If we make repeated disclosures of protected health information about a patient to the same person or organization for the same purpose, our accounting will provide all of this information for the first such disclosure, and then indicate the frequency or periodicity of the other disclosures, and the date of the last such disclosure. The Public Information Officer is responsible for generating requested accountings and furnishing them to the patient.

6. We will provide patients with one free accounting, upon request, within any 12 month period. For additional accountings within any 12 month period, we will charge $50.00 for the actual cost of preparing and mailing the accounting. We will require payment of this amount in advance, before we prepare and furnish the accounting.

Sample letter

Thank you for your request dated [specify date] for an accounting of disclosures that we have made of your protected health information. Ordinarily, we would provide this accounting to you within 60 days of receipt of your written request. Unfortunately, we are unable to provide your accounting within this time because [specify reason]. We will have your accounting ready by [specify date].

Thank you for your patience, and we look forward to working with you in the future.

[signature block]

RESTRICTIONS ON USE OF PROTECTED HEALTH INFORMATION

Policy Number: 15 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to permit patients to request that we restrict the way that we use some protected health information for purposes of treatment, payment, or health care operations.

1. Our Public Information Officer will handle requests from patients for restrictions on the way we use protected health information for treatment, payment, or health care operations.

2. Generally, we will not agree to restrictions requested by patients. In unusual circumstances that the Public Information Officer thinks are meritorious, we may agree to a requested restriction.

3. If we agree to a requested restriction, the Public Information Officer will document its terms and put this documentation as part of the patient’s electronic demographic information. The Public Information Officer will communicate the terms of the restriction to all of our staff that need to know about it. If one or more of our business associates need to know about it as well, the Public Information Officer will inform them.

4. We will honor any restriction that we have agreed to. However, no restriction can prevent us from using any protected health information in an emergency treatment situation.

5. If we have agreed to a restriction but can no longer practically honor it, our Public Information Officer will do either of the following things:

• Contact the patient to work out a mutually agreeable termination of the restriction. Our Public Information Officer will document this agreement, and keep it in as part of the patient’s electronic demographic information.
• Contact the patient and advise that we are no longer able to honor the restriction that we previously agreed to. This notice will only apply to protected health information that we obtain or generate after the notice is given.

CONFIDENTIAL COMMUNICATION METHODS WITH PATIENTS

Policy Number: 16 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to accommodate requests from patients to send protected health information to them in a confidential way, subject to the conditions in this policy.

1. If a patient requests that we use a particular method to communicate with them in order to preserve the confidentiality of their information, we will accommodate that if we reasonably can. We can accommodate the following kinds of confidential communication methods:

• mail
• telephone
• fax

2. We require that such requests be in writing. If a request comes in by telephone, we will advise the patient how to send the request in writing.

3. We will not ask or require a patient to explain why they want the particular communication method.

4. We will charge the patient the reasonable cost of complying with their request, if any.

5. Our Public Information Officer is responsible for receiving and acting upon patient requests for confidential communication methods.

MINIMUM NECESSARY USES AND DISCLOSURES OF PHI

 Policy Number: 17 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to only use or disclose the minimum amount of protected health information necessary to accomplish the purpose for the use or disclosure, under the conditions and exceptions described in this policy.

1. People in the following job categories will only have access to the kind or amount of protected health information indicated:

• Attending faculty and students – any and all protected health information, including the entire medical record for treatment purposes of patients to whom that are providing treatment.
• Billers – basic demographic information found on office management software demographic screen, financial information and patient medical record only to process unpaid claims. Billers will only review that portion of the record that is necessary to process the unpaid claim.
• Front desk staff –– basic demographic information found on office management software demographic screen, entire medical record for chart preparation, patient ledger. Front desk staff will only review that portion of the record that is necessary to process the most current patient office visit.
• Dispensary staff – basic demographic information found on office management software demographic screen, patient medical record for information about diagnosis and spectacle prescription. Dispensary staff will only review that portion of the record that is necessary to process spectacle ordering.
• Center Manager – entire contents of patient medical record, including financial data.
• Business and Fiscal Operations Specialist – entire contents of patient medical record, including financial data
• Administrative Assistant -- basic demographic information found on office management software demographic screen, patient schedule
• Department Specialist -- basic demographic information found on office management software demographic screen, financial information and patient medical record only to process unpaid claims. Department Specialist will only review that portion of the record that is necessary to process the unpaid claim.
• Department Assistant for Finances -- basic demographic information found on office management software demographic screen, medical diagnosis and prescription. Department Assistant will only review that portion of the record that is necessary to process this information.

2. We will keep all medical records and billing records secure when they are not in use. Only authorized staff will have access to this secure storage location. We require that all computers be turned off when the user is away from the workstation. All staff are prohibited from browsing at someone else’s workstation or using their computer password. Attending faculty, students and staff are prohibited from about talking patients in public areas.

3. All attending faculty, students and staff will sign a “Notice of Confidentiality” indicating their commitment to access only the minimum amount of protected health information necessary for them to do their job, and to abide by the restrictions listed above. Violation of this agreement is grounds for employment discipline in accordance with University policies.

4. Whenever we get a request from a third party for protected health information about one of our patients, or whenever we intend to make a unilateral disclosure of protected health information about one of our patients, we will disclose only the minimum necessary amount of protected health information necessary to satisfy the purpose of that disclosure. This does not apply in the following cases:

• The patient has authorized the disclosure.
• The disclosure is for treatment purposes (for example, disclosures to a consultant or follow-up health care provider).

5. We will disclose only the indicated protected health information in response to the following routine kinds of disclosures that we make:

• billing
• further treatment, diagnosis and evaluation

6. We will rely upon the representations of the following third parties that they have requested only the minimum amount of protected health information necessary for their purposes:

• Another health care provider or health plan.
• A public official, like a law enforcement officer.
• Professionals providing services to us (such as attorneys or accountants).
• Researchers supplying documentation of IRB waivers.

7. The Privacy Officer is responsible for determining what is the minimum amount of protected health information necessary for us to disclose in situations that are not routine. The Privacy Officer will consider the reason for the disclosure, whether it falls into any of the circumstances described in paragraph 4 of this policy, and the protected health information that we have, in making this determination.

8. Whenever we request protected health information about one of our patients from someone else, we will ask for only the minimum necessary amount of protected health information necessary for us to accomplish the purpose that prompted us to ask for the information.

VERIFICATION BEFORE DISCLOSING PROTECTED HEALTH INFORMATION

 Policy Number: 18 Effective Date ____ 2/1/03_________

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to verify the authority and identity of people or organizations that request us to disclose protected health information about our patients, subject to the conditions of this policy statement.

1. If a patient has a personal representative who seeks to sign an authorization to disclose the patient’s protected health information to a third party, or to exercise any of the rights that patients have regarding their protected health information, we will take the following steps before we accept their signature or allow them to exercise those rights:

• Ask for copies of any documents that are relevant to their status as personal representative. For example, we will ask for a copy of the court papers appointing a legal guardian, or a power of attorney designating someone to make health related decisions for an incapacitated adult.
• We will ask for a picture identification of the person serving as personal representative.

2. We will review all documents that we receive and make sure that they in fact authorize the personal representative to control the patient’s protected health information, and that there are no limits or expiration dates that affect this authority. The Public Information Officer is responsible for reviewing documents. If there are questions about the documents, the Public Information Officer will work with our Privacy Officer to resolve them. We will not disclose any protected health information until all questions are answered and we have proper evidence of the authority of the person acting as personal representative.

3. If we receive a request from a third party to see or have a copy of protected health information that we have about our patients without a signed patient authorization, we will take the following steps before we allow such access:

• Ask the requestor for evidence that they are affiliated with an organization or government agency that is authorized to have access to protected health information without an authorization. Evidence can include an official badge or identification card, an assignment on official letterhead, or similar items.
• Ask the requestor for a picture identification.
• Ask the requestor to specify the legal authority that the requestor believes allows access to protected health information.

For example, if we are asked by a representative of a drug or medical device manufacturer to supply protected health information relating to our use of a particular drug or device, we will make sure that the representative is truly affiliated with the drug or device manufacturer; that the drug or medical devise manufacturer is under the jurisdiction of the U.S. Food and Drug Administration; and that the drug or device manufacturer is seeking the information because of a quality or safety concern about a product that they manufacture as provided in 45 CFR 164.512.

4. We will review all evidence supplied by the requestor to make sure that the requestor has proper authority to access protected health information, and that there are no limits or expiration dates that affect this authority. The Public Information Officer is responsible for this review. If there are questions, the Public Information Officer will work with our Privacy Officer to resolve them. We will not disclose any protected health information about our patients until all questions have been resolved and we are sure that the requestor has proper authority to access the protected health information.

MITIGATION OF KNOWN HARM FROM AN IMPROPER

DISCLOSURE OF PROTECTED HEALTH INFORMATION

Policy Number: 19 Effective Date 2/1/03

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to mitigate known harm from an improper disclosure of protected health information, when it is practicable to do so.

1. Whenever we learn of harm caused by an improper disclosure of our protected health information, we will take reasonable steps to mitigate the harm. We will take these steps whether the improper disclosure was made by us or by one of our business associates.

2. Our Privacy Officer and Public Information Officer will determine what specific steps are appropriate to mitigate particular harm. It is our policy to tailor mitigation efforts to individual harm. Examples of some mitigation steps include:

• Getting back protected health information that was improperly disclosed.
• Preventing further disclosure through agreements with the recipient.

3. We do not consider money reparations to be appropriate mitigation.

4. If a business associate has made the improper disclosure, we will require the business associate to cure the problem to our satisfaction, or terminate the relationship with the business associate.

HANDLING PATIENT COMPLAINTS ABOUT PRIVACY VIOLATIONS

Policy Number: 20 Effective Date _____ 2/1/03________

In order to comply with HIPAA’s Privacy Rule, it is the policy of the Center for Eye Care to accept complaints from patients who believe that we have not properly respected their privacy, and to thoroughly investigate and resolve them.

1. Our Public Information Officer is responsible for accepting all patient complaints about alleged privacy violations. We require all complaints to be in writing. If a complaint comes over the telephone, the Public Information Officer will inform the patient to send it in writing. This can be hard copy or electronic, as the patient wishes. If a patient wishes to remain anonymous, we will accommodate that to the extent practical.

2. The Public Information Officer will keep all patient complaints for at least six years. These will be stored, along with information about the investigation and resolution of the complaint, in a log kept in the Public Information Officer’s Center for Eye Care office.

3. Upon receiving a patient complaint about privacy, the Public Information Officer will investigate it. The Public Information Officer has discretion to conduct the investigation in the manner considered reasonable and logical in light of the nature of the complaint. Generally, the Public Information Officer will do at least the following in order to investigate a complaint:

• Talk to the person in the office whom the patient thinks violated the patient’s privacy.
• Review the patient’s clinical chart.
• Talk to other office staff about the patient’s concern.
• Talk to the patient.
• Review any information or evidence that the patient presents in support of the claim of a violation of privacy.

4. Based upon the results of the investigation, the Public Information Officer will determine if the patient’s complaint is substantiated or not. If the complaint is not substantiated, the Public Information Officer will notify the patient in writing. If it is substantiated, the Public Information Officer will determine what steps are necessary to resolve the issue so that it does not recur.

5. In determining what steps are necessary to resolve a substantiated complaint of a violation of privacy, the Public Information Officer will consider at least the following points:

• What caused the privacy violation?
• If the violation was caused by a failure to comply with existing policy, the Public Information Officer will report the issue to Privacy Officer for action as a human resources disciplinary matter.
• If the problem was caused by a lack of an appropriate policy, or an inadequate policy, the Public Information Officer will consult with our Privacy Officer to determine how the policy should be changed, or if a policy needs to be developed. If policy revisions or new policies are needed, the Public Information Officer will work with the Privacy Officer to accomplish that.
• If a business associate was involved in the violation, what must the business associate do to prevent the violation from recurring? If the business associate cannot cure the breach, the business associate contract must be terminated. The Public Information Officer will consult with the Privacy Officer, who will obtain approval from management before any business associate contracts are terminated.
• If the privacy violation caused harm, what steps are necessary to mitigate that harm? The Public Information Officer will consult with the Privacy Officer to accomplish the steps.

6. Once a resolution of a complaint is determined, the Public Information Officer and the Privacy Officer will work cooperatively to take the steps identified as necessary for the resolution.

7. If new policies or procedures are put into place as part of the resolution, the Privacy Officer will conduct mandatory training for our workforce regarding them.

8. The Public Information Officer will develop a way to monitor whether the resolution is working to improve our privacy protections. The Public Information Officer will report to the Privacy Officer on the results of the monitoring. If the Public Information Officer discovers continued problems through monitoring, the Public Information Officer and the Privacy Officer will work cooperatively to fix the problems.

DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION

Policy Number: 21 Effective Date 2/1/03

It is the policy of the Center for Eye Care to use de-identified information instead of protected health information whenever this is feasible. None of HIPAA’s Privacy Rule’s restrictions on the use and disclosure of protected health information apply to de-identified information, which can be used or disclosed freely.

1. Privacy Officer is responsible for determining the feasibility of de-identifying any protected health information that we have about our patients, and for performing such de-identification if it is feasible.

2. If we de-identify protected health information, we will use HIPAA’s “safe harbor” method of eliminating all specified identifiers. We will remove all the identifiers with respect to our patient, the patient’s relatives, the patient’s household members, and the patient’s employer. The identifiers that we will remove are the following:

• Names
• All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
  1. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
  2. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code.

3. Even after we have removed all the identifiers listed in paragraph 2, we will not consider information to be de-identified unless we have no actual knowledge that the remaining information can be used, either alone or in combination with other reasonably available information, to identify a patient.

4. If we disclose de-identified information, we will not disclose any key that we have to re-identify the information.

LIMITED DATA SETS

Policy Number: 22 Effective Date 2/1/03

It is the policy of the Center for Eye Care to use a limited data set for certain disclosures of protected health information, whenever this is appropriate and feasible.

1. We will only use a limited data set for disclosures that are for research, public health purposes, or health care operations.

2. A limited data set is protected health information from which all of the following identifiers have been removed:

• Names
• Postal address information, other than town or city, State, and zip code
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images.

In order to consider protected health information to be a limited data set, we will remove all of these identifiers about our patient, the patient’s relatives, members of the patient’s household, and the patient’s employer.

3. The Privacy Officer is responsible for determining whether it is feasible and practical for us to disclose a limited data set, and if so, to create it.

4. Whenever we disclose a limited data set, we will require the recipient to enter into a data use agreement with us. The data use agreement restricts the ways in which the recipient can use the limited data set. We will use the master data use agreement accompanying this policy.