Revised 1/17

PROTECTION OF THE PRIVACY OF PROTECTED HEALTH INFORMATION POLICY

Policy: Emory Valley Center will adopt as policy those requirements and regulations of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). This organization intends to make a good faith effort to preserve the integrity and confidentiality of patient protected health information. The primary objective of the organization is to provide quality care while protecting the patient’s rights. The staff will adhere to the intent of the established policies.

1. The organization’s Privacy Officer will stay abreast of changing Privacy requirements and organizational compliance. Security Standards are managed and monitored by the Security Officer.

2. The organization shall conduct a periodic review of the current operations to identify areas needing attention in order to comply with the Privacy requirements as they are understood. The results of the Review will be used by the organization as a checklist for monitoring improvements in the organization’s compliance efforts. This responsibility may be outsourced.

3. The organization shall list potential Business Associates. A Business Associate is a person or company that uses and discloses PHI for the covered entity. This organization will establish and maintain an up-to-date Business Associate listing. The organization will establish a Business Associate Agreement that addresses the HIPAA requirements for Business Associates and that is consistent with the requirements of the Omnibus Final Rule.

4. The organization has revised its Notice of Privacy Practices (NPP) to comply with the new requirements and will offer its NPP to each patient and post it in an accessible area within the organization as specified in the Privacy Rule.

5. This organization will follow appropriate policies and procedures to guide the providers and staff in meeting the details of Privacy Rule requirements.

6. The organization will provide appropriate HIPAA training for all levels of the organization workforce. The organization will provide standard staff training on the organization’s Privacy policies and procedures. This will include annual refresher and update training, as well as new employee training on the Privacy requirements.

7. All members of our workforce will be required to sign a Confidentiality Agreement.

8. We will endeavor to verify fax numbers prior to faxing any PHI and will always use a HIPAA-compliant coversheet.

9. When electronic communications (e-mails) include PHI, we will use an appropriate confidentiality statement.

10. We respect the privacy of our employees and will make a good faith effort to protect their information, including health-related matters as well as financial information. Exceptions: OSHA and Workers’ Compensation issues. This includes adherence to the “Minimum Necessary” requirement of the Privacy Rule.

11. In order to protect health information, we will adhere to the following policies as much as feasible:
   a. Keep voices low when discussing PHI.
   b. Limit discussions within the organization to the minimum necessary.
   c. Close office doors before discussing PHI.
   d. Discuss financial issues in a private area.
   e. Limit traffic in the clinical areas.
   f. Escort individuals who are not part of our workforce while they are in clinical areas.
   g. Position terminals and written PHI so that unauthorized individuals may not readily access them.
   h. Place any papers in chart holders in such a manner as to protect any patient identifiers or health information from unauthorized individuals.
   i. Cover schedules or place them where unauthorized individuals cannot see them.