Laidlaw Inc. HIPAA Privacy Standards Assessment ... ... Assessment Questionnaire A. Uses and Disclosures


Laidlaw Inc.

HIPAA Privacy Standards Assessment Questionnaire

Submitted by: Anthony O. Boswell, Ethics, Privacy & Compliance Officer, Corporate Counsel

HIPAA Privacy Standards Assessment Questionnaire

A. Uses and Disclosures of Protected Health Information: General Rules, 45 C.F.R. §164.502

Table columns: HIPAA Standards | Implementation Features | HIPAA Synopsis | Assessment Focus and Questions | Responses | Observation / Gap

Standard: General Rule, 45 C.F.R. §164.502

A Covered Entity may not use or disclose PHI, except as permitted or required by the privacy regulations.

Permitted Disclosures:

• To the individual.
• With a Consent, to carry out treatment, payment, or health care operations.
• Without consent, in certain circumstances.
• With an Authorization.
• Pursuant to an agreement under the provisions permitting Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object.
• As permitted and in compliance with the provisions permitting disclosures without consents, authorizations or opportunity to Agree or Object.

Required Disclosures:

• To an individual, when requested as permitted and in compliance with the provisions permitting: Access of individuals to PHI and Accounting of disclosures of PHI.
• When required by the Secretary to investigate or determine the Covered Entity's compliance.

Assessment Focus and Questions:

Has your entity identified the flow of protected health information both internally and externally?

Does your entity have agreements in place regarding the disclosure or use of PHI?

How does an individual have access to his or her PHI? Does your entity have a policy or procedure about providing such access to an individual?

B. Uses and Disclosures: Organization Requirements, 45 C.F.R. §164.504

Standard: Business Associate Contracts, 45 C.F.R. §164.504(e)(1)

Identify potential Business Associates by reviewing the definition of “business associate” and determining whether an arrangement falls within the definition.

Assessment Focus and Questions:

1. Does your organization have a policy and procedure in place for identifying and contracting with business associates?

2. If not, how and when will business associate identification and contracting be implemented?

3. Are any of your contracts oral or memorialized in writing by way of a purchase order or invoice?

4. Do you have an accurate listing of all your organization’s contracts (oral, written or otherwise)?

• If so, do you have a description of the type of service each contract addresses?

5. What is your organization’s record retention requirement for contracts?

6. Who in your organization is responsible for contract drafting, contract negotiation and contract administration?

Implementation Specifications: Business Associate Contracts, 45 C.F.R. §164.504(e)(2)

A contract between the Covered Entity and a business associate must contain certain requirements. Those requirements include provisions pertaining to:

• Specific permitted and required use and disclosures of PHI;
• Prohibition on other use or disclosures of PHI unless as required by law;
• Required safeguards to prevent non-permitted use or disclosure of PHI;
• Required notification of non-permitted use or disclosure of PHI;
• Mirror obligation requirements on agents and sub-contractors;
• Access requirements;
• Amendment requirements;
• Accounting of disclosure requirements;
• Required availability of internal practices, books and records to DHHS;
• Right to terminate contract for material breach; and
• Required post-termination obligations.

Assessment Focus and Questions:

1. Do your existing contracts contain written provisions protecting the privacy of health information?

2. Does your organization require its business associates to provide privacy training to their employees?

3. Does your organization conduct any due diligence on vendors it does business with?

• If so, does it regularly check the names of its vendors against the Excluded Party list?

5. Does your organization operate under a Corporate Integrity Agreement or similar agreement with the Office of the Inspector General?

6. Does your organization contract with federal agencies?

7. Does your organization have contract administration policies and procedures that govern the process to be followed when contracts are terminated?

• If so, do they require the return and destruction of all files? Does the third party retain copies?

9. If the third party vendor retains copies, are the contract terms amended to provide for ensuring the security and privacy of PHI?

10. If your organization does not have contract termination policies and procedures, how and when will they be implemented?

C. Consent for Uses or Disclosures to Carry Out Treatment, Payment, or Health Care Operations, 45 C.F.R. §164.506

Standard: Disclosures With Consents, 45 C.F.R. §164.502

A covered health care provider must obtain the individual’s consent prior to using or disclosing PHI to carry out payment, treatment or health care operations.

1. Do you use consent forms for disclosures for treatment, payment or operations?

2. How many consent forms are being used within your entity? Please provide a copy of each one.

3. Do you specifically limit your consents to treatment, payment or operations?

Implementation Specifications: Obtaining Consents in Direct Treatment Relationship, 45 C.F.R. §164.506(a)

Consent should be obtained during the patient's first contact with the Covered Entity in a direct treatment relationship.

1. Are guidelines on obtaining consents included in your policies and procedures?

Implementation Specifications: Consent Content Requirements, 45 C.F.R. §164.506(c)

A consent must be in plain language and contain specific terms provided in the regulations.

A consent may not be combined in a single document with the Notice of Privacy Practices.

A consent for use or disclosure may be combined with other types of written legal permission from the individual (e.g., an informed consent for treatment, a consent to assignment of benefits and a research authorization), if the consent under this section:

• Is visually and organizationally separate from such other written legal permission; and
• Is separately signed by the individual and dated.

1. Is the current consent form in plain language containing the elements set forth below?

2. Is the consent combined with any other legal documents? If so, is it:

• Visually and organizationally separate from such other written legal permission?
• Separately signed by the individual and dated?

Standard: Consent Not Required in Indirect Treatment Relationships, 45 C.F.R. §164.506(a)(2)(i)

A covered health care provider may, without consent, use or disclose PHI to carry out treatment, payment, or health care operations if the covered health care provider has an indirect treatment relationship with the individual.

1. Do you address indirect treatment consent practices in your policies and procedures?

Implementation Specifications: Treatment, Payment and Operations without Consent, 45 C.F.R. §164.506(a)(3)

A covered health care provider may, without prior consent, use or disclose PHI created or received under to carry out treatment, payment, or health care operations:

• In emergency treatment situations, if the covered health care provider attempts to obtain such consent as soon as reasonably practicable after the delivery of such treatment;
• If required by law to treat the individual, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent; or
• Unsuccessful Attempts: If a covered health care provider attempts to

1. Do your policies and procedures include guidelines for providing treatment, payment and operations without consent?

• If so, under what circumstances will you proceed without consent?

2. Is consent obtained in emergency treatment situations? If so, how? If not, when is the patient approached