The Nevada Healthcare Provider’s Guide

to

The HIPAA “Standards for Privacy of Individually Identifiable Health Information”

45 CFR Parts 160 and 164

(including correlation with relevant Nevada law)


Kelly Testolin

Attorney At Law

Hale Lane Peek Dennison and Howard

Offices In

Las Vegas, Reno, Carson City

Direct Dial: (775) 327-3060

Rev: 1/2003

TABLE OF CONTENTS

PART ONE: INTRODUCTION

I. Introduction

PART TWO: DEFINITIONS

II. HIPAA Definitions

A. Protected Health Information

B. Health Care Provider

C. Designated Record Sets

D. Psychotherapy Notes

E. Complex Entities

F. Business Associates

III. Other Privacy Law Definitions

A. General Medical Information

B. Blood, breath or urine test results

C. Genetic information

D. Communicable disease information

E. Mental health information

F. Drug and alcohol abuse information

PART THREE: PATIENT RIGHTS

IV. Patient’s Rights/Access

V. Patient’s Rights/Confidential Communications

VI. Patient’s Rights/Privacy Practices Notice

VII. Patient’s Rights/Disclosure Accounting

VIII. Patient Rights/Amendment and Correction of PHI

PART FOUR: PERSONAL REPRESENTATIVES

IX. Personal Representatives

A. Adults/Emancipated Minors

B. Unemancipated Minors

C. Unemancipated Minor Consent in Nevada

D. Abuse/Endangerment Situations

PART FIVE: USES AND DISCLOSURE OF PHI

X. Uses and Disclosures of PHI

A. General Rule: Authorization Required

B. Exceptions

C. Business Associates

XI. The Minimum Necessary Rule

XII. Healthcare Treatment, Payment and Operations (“TPO”) Purposes

A. Treatment

B. Payment

C. Operations

D. Special Law Considerations in Nevada

XIII. Marketing

XIV. Fundraising

XV. Other Permitted Uses and Disclosures of PHI without Patient Authorization

A. Public and Governmental Purposes

B. Coroners and Law Enforcement

C. Uses and Disclosures to Avert a Serious Threat to Health or Public Safety

D. Correctional Institutions and Custody

XVI. Permitted Disclosures of PHI with Notice and Opportunity to Object

A. Facility Directories

B. To Others Involved in the Patient’s Care or for Notification Purposes

C. Notification Purposes

D. Where Patient Is Present

E. Limited Uses Where the Patient is Not Present

XVII. Special Rule for Incidental Uses and Disclosures

XVIII. All Other Uses and Disclosures

PART SIX: REQUIRED FORMS, POLICIES AND PROCEDURES

XIX. Required Policies and Procedures

A. Mandated Policies

B. Implied Policies

C. Policy Implications of the TPO Exception and “Minimum Necessary Rule”

XX. Required Security Measures

XXI. Authorizations

XXII. Privacy Practice Notices

Exhibit Page Numbers: A(31), B(39), C(43), D(44), E(46), F(49)


PART ONE

INTRODUCTION

I. Introduction.

A. The Privacy Standards. The HIPAA “Standards for Privacy of Individually Identifiable Health Information” (“the Privacy Standards”), found at 45 CFR Parts 160 and 164, are effective April 14, 2003. The Privacy Standards establish a comprehensive system of federal law governing medical information confidentiality. This marks a significant departure from historical practice. Except for a limited set of regulations governing the use and disclosure of information regarding alcohol and drug abuse patients, the federal government has not previously regulated medical information confidentiality, leaving the area almost entirely to state governments. This Guide is intended to serve as a resource to Nevada healthcare providers in their efforts to comply with the Privacy Standards.

B. Covered Entities, Guide for Providers. The Privacy Standards govern the use and disclosure of “protected health information” by “covered entities”, including health care providers (“providers”). This Guide applies only to providers.

C. The Privacy Standards Are Different. The Privacy Standards go far beyond the scope of any previous confidentiality laws, either state or federal. Some of the more striking differences are mentioned below.

1. The Standards Regulate “Internal Disclosure”. Most providers are accustomed to being careful about disclosing a patient’s medical information to persons outside of the provider’s operations. For example, a hospital is careful when answering a request for patient medical information from an attorney, and a physician’s office requires an authorization before sending a patient’s information to another physician’s office. All providers are accustomed to being careful about such “external disclosure”; that is, when medical information leaves the provider’s operation or the control of the provider’s workforce.

However, the Privacy Standards also regulate “internal disclosure”: the sharing of a patient’s medical information between and among the provider’s employees. For example, if a doctor discusses a patient’s condition and proposed treatment with a nurse, this is an “internal disclosure” of a patient’s medical information under the Privacy Standards, and it is regulated by the Privacy Standards. That discussion cannot take place except in circumstances permitted under the Privacy Standards, and it may only be conducted in a manner permitted by the Privacy Standards. Similarly, when the nurse in a physician’s office takes a patient over to the scheduler and says “Schedule Mrs. Jones for a follow up appointment in three weeks”, that communication is an “internal disclosure” of a patient’s medical information under the Privacy Standards. It is regulated by the Privacy Standards. That discussion cannot take place except in circumstances permitted under the Privacy Standards, and it may only be conducted in a manner permitted by the Privacy Standards. When certain parts of Mrs. Jones’ medical record go to the biller, that involves an “internal disclosure” of a patient’s medical information under the Privacy Standards, and it is regulated by the Privacy Standards. That disclosure cannot take place except in circumstances permitted under the Privacy Standards, and it may only be conducted in a manner permitted by the Privacy Standards. When a hospital administrator talks to a member of the medical staff about resolving a patient’s grievance, when a surgeon and an internist consult on a patient’s case, when medical records personnel follow up with a physician’s office about documentation in the patient medical record: all of these communications are regulated by the Privacy Standards.

2. The Standards Regulate “Use”. In addition to internal and external disclosure, the Privacy Standards regulate the “use” of a patient’s medical information by providers. When the biller accesses chart information to prepare a bill, when the nurse calls out a patient’s name in the waiting room, when the surgeon’s office writes the patient’s name in the appointment book, when the hospital peer review committee accesses patient data to evaluate the competence of a colleague, any time a provider’s staff accesses and utilizes patient information for any reason: these “uses” of medical information are regulated by the Privacy Standards. A provider may not use a patient’s medical information except in circumstances and in a manner permitted by the Privacy Standards.

3. The Standards Broadly Define “Protected Health Information”. Providers are accustomed to being careful about disclosing information relating to a patient’s condition or treatment. “Protected Health Information” under the Privacy Standards also includes any information relating to payment for the patient’s care, past, present or future, and any demographic information. A patient’s name, standing alone, is protected health information under the Privacy Standards, and its use and disclosure are regulated by the Privacy Standards.

4. Violations of the Standards May Be Severely Punished. Violations of the Privacy Standards may be punished by the federal government both civilly and criminally. The Office of Civil Rights (“OCR”) of the federal Department of Health and Human Services has responsibility for enforcement of the Privacy Standards. Civil fines of no more than $100 “per violation”, up to a maximum of $25,000 per calendar year, may be assessed by the OCR for violations of an identical requirement or prohibition. For knowing misuse, which occurs when a person knowingly obtains or discloses protected health information in violation of the Privacy Standards, a criminal prosecution may be brought. The penalties vary according to classification of the violation. For “simple violations”, with no aggravating factors, violators face a fine of no more than $50,000 or one (1) year imprisonment per violation. Where the violation is committed under false pretenses, the penalty is no more than $100,000 or five (5) years imprisonment per violation. Where the offense is committed for commercial advantage, personal gain or malicious harm, the applicable penalty is a fine no greater than $250,000 or ten (10) years imprisonment per violation.

Investigation of violations will be complaint-driven. The OCR has been instructed to try to resolve complaints informally, without resort to civil or criminal proceedings.

Patients will be able to sue providers for violations of the Privacy Standards under applicable state law theories. These include misrepresentation and medical malpractice.

D. Preemption of State Law, Other Federal Law. The Privacy Standards do not uniformly preempt state laws governing the confidentiality of medical information. Preemption is selective. State laws that are “contrary” to the Privacy Standards are preempted. State laws that are “more stringent” than the Privacy Standards continue in effect, and apply in conjunction with the Privacy Standards.

Most Nevada state confidentiality laws appear to be more stringent than the Privacy Standards with respect to the use of medical information for marketing and research purposes. Further, Nevada state law appears more stringent with respect to certain specific types of medical information; specifically, (i) blood, breath and urine test results, (ii) genetic information, (iii) communicable disease information, and (iv) mental health information. In addition, existing federal regulations covering alcohol and drug abuse treatment information have more stringent restrictions than do the Privacy Standards. (This subject is more fully discussed in the article “The Nevada Healthcare Provider’s Guide to The Application of Nevada’s Medical Information Confidentiality Laws under the HIPAA Privacy Standards”, which can be found on the website of the Clark County Medical Society at www.clarkcountymedical.org, under “Newsletter”.)

This Guide addresses how to reconcile the requirements of the Privacy Standards, the federal drug and alcohol abuse regulations and Nevada law where relevant.

E. Areas Not Covered. This Guide does not cover the full scope of the Privacy Standards. It is intended as a resource to areas of concern that will be commonly encountered in the operations of Nevada providers, as opposed to an exhaustive treatise. Providers should have and should read a complete copy of the Privacy Standards.

F. Significant Legal Uncertainty. The Privacy Standards have not been subject to interpretation by the courts, nor any sustained interpretation by the OCR. The regulations present many unanswered questions. For this reason, significant legal uncertainty exists concerning the subject matter of this Guide.

G. Guide is Not Legal Advice. The author of this Guide is not rendering legal advice to the reader. This Guide is for information purposes only, and is not a substitute for professional legal advice. Due to the complexity of the subject matter and the legal uncertainties discussed above, providers are advised to seek knowledgeable legal counsel for the resolution of use and disclosure questions in any particular circumstance or situation.

PART TWO

DEFINITIONS

II. HIPAA Definitions. The Privacy Standards govern the use and disclosure of “protected health information” by “covered entities”. “Healthcare providers” are covered entities.

A. Protected Health Information. Protected health information (“PHI”) is any information that is “created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse,” and which is or has been transmitted or maintained by a covered entity, which relates to:

1. the past, present or future physical or mental health or condition of the patient,

2. the provision of health care to the patient,

3. the past, present or future payment for the provision of health care provided to the patient, and

4. any demographic information,

5. where such information identifies the patient, or where there is a reasonable basis to believe that the information can be used (e.g., in conjunction with other information already in the possession of the recipient) to identify the patient.

6. Exception: Employment Records. Information in a provider’s employment records is not PHI, even if those records contain information that would otherwise be PHI. This exception can lead to confusion. For example, where a physician performs a pre-employment physical on a prospective employee, the physician is acting as a provider, and the information that results from the physical is PHI. Therefore, an authorization is needed from the prospective employee-patient to send the results to the provider’s employee file. However, once the PHI goes into the employee’s employment record, it is no longer PHI and the Privacy Standards no longer apply to it.

7. Deceased Patients. The PHI of a deceased patient remains subject to the Privacy Standards.

B. Health Care Provider. This term is very broadly defined. It includes any institutional provider, any practitioner, and anyone who bills and is paid for (i) healthcare services or (ii) drugs, devices, equipment or other supply items in accordance with a prescription; but only if the provider also transmits any health information in electronic form in connection with a HIPAA-standard electronic transaction. The qualifying transmission may be done by an agent (e.g., a billing company) rather than the provider; the provider is still a covered entity.

C. Designated Record Sets. Providers are required to establish “Designated Record Sets” (a “DRS”) applicable to the patient. A DRS is “a group of records under the control of the [provider] from which information is retrieved by name, number [or some other mark or code] which is used by the [provider] to make decisions about the patient...”. A DRS must include all PHI held by the provider and its business associates. For a provider, a DRS always includes the medical record and billing records, but it will usually include other records as well. Most notably, since the DRS will include PHI that is held by the provider’s business associates (where that information is not merely duplicative of information held by the provider), a patient’s DRS may include information not physically in the custody of the provider.

D. Psychotherapy Notes. The Privacy Standards treat “psychotherapy notes” with particular sensitivity. The following definition is provided.

Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and that are separated from the rest of the patient’s medical record.

Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

One aspect of this definition is of key importance to institutional providers (e.g., hospitals); that being the requirement that psychotherapy notes “are separated from the rest of the patient’s medical record.” This does not mean that providers can change the characterization of psychotherapy notes by a decision to include them in a patient’s medical record. But it does seem to indicate that psychotherapy notes are not something that should be found in a patient’s hospital medical record (other than medical records maintained by the psychotherapist himself or, perhaps, those maintained by a mental health institution). The status of a consulting psychotherapist’s report to an attending physician is not clear under the Privacy Standards. However, commentary to the Privacy Standard regulations refers to psychotherapy notes as “process notes” which are, in essence, notes that the therapist writes to himself. Experts explain that such notes would typically include details the therapist considers inappropriate to include in the patient’s medical record, and conclude that psychotherapy notes are not generally part of the documentation that a health care organization needs to carry out treatment, payment or health care operations.

E. Complex Entities. The Privacy Standards also recognize certain types of complex entities. Complex entities have special rules. For example, “organized health care arrangements” are of two types. A “clinically integrated setting” occurs where the patient typically receives healthcare from more than one health care provider. (Example: Hospital and medical staff.) A “joint arrangement” occurs where participating covered entities hold themselves out to the public as participating in a joint arrangement, including at least one of the following: UR, QA, and payment activities (but only where there is shared financial risk and PHI is reviewed by other participating entities to administer the shared financial risk). (Example: an IPA.) Other types of complex entities include “hybrid entities”, where a non-covered entity may have a covered-entity type function (e.g., a manufacturer with an employee health clinic), and “affiliated entities” (e.g., a chain of separately incorporated hospitals or clinics).

The Privacy Standards require providers to adopt certain policies and procedures. For providers who are or are part of a complex entity, designing those policies and procedures to encompass the entire entity may greatly simplify their operations under the Privacy Standards. Providers who are or are part of a complex entity should review the Privacy Standards and obtain counsel in this regard.

F. Business Associates. A “business associate” is any person or entity to whom a provider discloses protected health information so that the business associate can carry out, assist with the performance of, or perform on behalf of the provider, a function. A provider’s business associates would include billing companies, and the provider’s lawyers, auditors, and consultants if they access PHI to do their jobs.

III. Other Privacy Law Definitions. This Guide also addresses the “more stringent” requirements of Nevada’s medical information privacy laws and federal regulations governing drug and alcohol abuse treatment information. Certain defined terms used in those laws and this Guide are set out below.

A. General Medical Information. All information other than (i) “psychotherapy notes” as defined in the Privacy Standards or (ii) any of the specific types of information in B through F below.

B. Blood, breath or urine test results. Results of tests on blood, breath or urine to show intoxication or the presence of controlled substances.

C. Genetic information. Information resulting from an examination of a person’s DNA or otherwise relating to abnormalities in a person’s genetic structure.

D. Communicable disease information. Information relating to the presence or treatment of the 66 communicable diseases listed in Nevada Revised Statutes (“NRS”) 441A.220, including AIDS, HIV and STDs.

E. Mental health information. NRS 433A.360 governs the release of clinical records for “clients”. The term “clients” is defined to include persons who seek mental health treatment or training in a private institution offering mental health services. Private institutions that provide mental health services to “clients” must keep “clinical records”. “Clinical records” are records including “information pertaining to the client’s admission, legal status, treatment and individualized plan for habilitation.” The term “mental health information” when used in this Guide will refer to information kept in the “clinical records” of “clients”.

F. Drug and alcohol abuse information. Where a provider operates a drug or alcohol abuse “program” within the meaning of 42 Code of Federal Regulations (“CFR”), Part 2, then those regulations govern the use and disclosure of program patient medical information. The term “drug and alcohol abuse information” as used in this Guide will refer to information kept by such a provider about “program” patients where such information would identify the patient as an alcohol or drug abuser.

PART THREE

PATIENT’S RIGHTS

IV.              Patient’s Rights/Access.  Providers are required to disclose information to the patient.   Required disclosures to patients are discussed below.

A.                 Timeliness.  A patient’s DRS must be made available to the patient upon request in any format requested which is “readily producible” by the provider. Access must be provided within 30 days of the patient’s request, unless the information is off-site, in which case 60 days is allowed.  The provider may have one 30-day extension, but must give the patient a written statement of the reasons for the delay and a date for access. The patient can be charged the cost of copying and postage.

B.                 Other Parties Named in PHI.  A patient’s DRS may contain information about another person, who may also seek access.  The Privacy Standards specifically provide that a “named second party” does not have rights to access a DRS; - only the patient.

C.                 Unreviewable Denials.  A patient does not have the right to access certain types of PHI.  Most commonly, the patient does not have the right to see psychotherapy notes, information compiled by the provider for use in a legal proceeding and any PHI which is not available for access under the Clinical Laboratory Improvement Act.  Further, a provider does not have to allow access to PHI that was obtained from someone (other than another provider) under a promise of confidentiality where access would likely reveal the source of the information.  A patient has no right to seek review of a denial of access to any of the foregoing information.

D.                 Discretionary, Reviewable Denials.  A provider may also deny a patient access to certain PHI where a licensed healthcare professional has determined, in the exercise of professional judgment, that the access requested is likely to (i) endanger the life or physical safety of the patient or another person, or (ii) cause substantial harm to the patient or another person.  If a provider denies access for these reasons, the patient has the right to have the decision reviewed by an independent licensed healthcare professional (at the cost of the provider) who is designated by the provider to act as a reviewing official and who did not participate in the original review.  That third party’s decision then decides the matter.

E.                  Limited Denial.  If access to some of the DRS is denied for a reason in C or D above, the patient must still be provided access to all other PHI in the DRS.

V.                 Patient’s Rights/Confidential Communications. Providers must accommodate a patient’s reasonable requests for communications by alternative means or at alternative locations.  For example, the patient may request that he only be contacted at work, and that nothing be mailed to his home. The provider may (1) require that the request be in writing, and (2) condition the accommodation on information as to how payment will be handled and on the specification of an alternative address or other method of contact.  The provider may not require that the patient explain the need for confidential communication.

VI.              Patient’s Rights/Privacy Practices Notice.  Providers are required to provide patients with a notice of their health care information use and disclosure practices (a “Privacy Practices Notice” or “Notice”). The required contents of the Notice are set out in detail in the Privacy Standards and must be completely satisfied. (See Section XXII for details.)  A model Privacy Practices Notice is set out at Exhibit A.

A.                 Written Acknowledgment.  Providers with direct treatment relationships (i.e., they provide face-to-face service delivery) must make a good faith effort to obtain written acknowledgment of the patient’s receipt of the Notice upon the first face-to-face service delivery. If the patient refuses, the provider must document the effort and the reason for failure.

B.                 Publication. Providers are required to post the Notice in a place where it is reasonable to expect patients seeking service to read it.  Providers must also provide a copy at the first face-to-face service delivery.  Where there is no face-to-face service delivery, (e.g. reference labs) the provider must provide the Notice “in an appropriate manner within a reasonable period of time after the first service delivery.”  If the provider maintains a web site, the Notice must be on the web site.

VII.            Patient’s Rights/Disclosure Accounting.  Upon a patient’s request, the patient must be provided with a “disclosure accounting.”  The accounting must be made in writing and must list the disclosures of the patient’s PHI made by the provider and its business associates during the six years preceding the request (but in no case disclosures made prior to April 14, 2003).  Note that the accounting covers disclosures only; internal uses of PHI need not be accounted for.

A.                 Exceptions.   There are important exceptions to this requirement. A disclosure accounting does not have to include disclosures:

1.                  Made for treatment, payment or operations in accordance with the Privacy Standards.

2.                  Made pursuant to written authorization.

3.                  To the patient.

4.                  “Incidental disclosures” (see Section XVII).

5.                  Made as part of a “limited data set” for research, public health or health care operations purposes (refer to the Privacy Standards).

6.                  Research disclosures listed individually, where the same research disclosure involved the PHI of 50 or more individuals. (For such disclosures the accounting may instead give the name of the study or protocol, a description of the purpose of the study, the type of PHI disclosed, the timeframe of the disclosures and the researcher’s contact information.  The provider must also assist the patient in contacting the researcher(s) upon request.)

7.                  For the provider’s facility directory, for directory purposes, to persons involved in the patient’s care or for other notification purposes as permitted by the Privacy Standards.

8.                  For national security or intelligence purposes.

9.                  To correctional institutions or law enforcement in accordance with the Privacy Standards.

10.              That occurred prior to April 14, 2003.

B.                 Content. A Disclosure Accounting must include any disclosures made by the provider’s business associates and must include:

1.                  The date of each disclosure.

2.                  The name and address of the person or organization who received the PHI.

3.                  A brief description of the information disclosed.

4.                  If the disclosure was not at the request of the patient, a brief statement of the purpose of the disclosure.

5.                  In place of the statement of purpose, a copy of the written request for the disclosure, if any.

C.                 Disclosure Suspension. Under certain circumstances, a provider may temporarily suspend an accounting of disclosures made to law enforcement or oversight agencies. Refer to the Privacy Standards.

D.                 Timeliness. A disclosure accounting must be provided in 60 days.  One 30-day extension is available but a written statement of reasons for the delay must be given to the patient.

E.                  Frequency. One disclosure accounting may be requested free-of-charge in any 12-month period.  For additional requests, the provider may impose a reasonable cost-based fee.

F.                  Retain Documentation. Providers must document and retain the documentation on all information which is required to be in a disclosure accounting, the written accountings provided, and the titles of persons responsible for receiving and processing disclosure accounting requests.

VIII.         Patient Rights/Amendment and Correction of PHI.

A.                 Timely Amendment.  Patients have the right to ask that PHI maintained by a provider be amended or corrected. Patients who make a proper request must be advised within 30 days whether their request has been approved or denied. Where an action is indicated with respect to such request, it must be taken within 60 days.

B.                 Reasons for Denial.  A provider may refuse to amend PHI in its DRS for the following reasons:

1.                  The PHI in question was not created by the provider, (unless the patient provides information giving a reasonable basis to believe that the entity that originated the PHI is no longer available to act on the requested amendment.)

2.                  The PHI in question is not part of the patient’s Designated Record Set.

3.                  The provider could deny the patient access to the PHI in question under the Privacy Standards.  (See Section IV.C-E.)

4.                  The PHI in question is accurate and complete.

C.                 Complaint and Rebuttal. If a request to correct or amend is denied, in whole or in part, the provider must notify the patient of his right to complain to the provider and/or DHHS and give the patient a written statement in plain language describing (1) the basis for the denial and (2) the means by which the patient may file a written statement of disagreement with the denial. The provider must also permit the patient to file a written statement of disagreement and include that written statement of disagreement with any future disclosures of the challenged information.  (The provider may establish reasonable limits on the length of such a statement or summarize it, if necessary.) The provider may also include its own rebuttal statement with future disclosures.

D.                 Amend Record.  Where a request to amend or correct health information is approved, the provider must so advise the patient, make the amendments or corrections timely, and (on the involved record) identify each amended or corrected entry as such. The provider must have procedures in place to ensure that business associates make the same corrections or amendments. A provider who is informed of an amendment made by another covered entity must make the same amendment.

E.                  Notify Others.  The provider must also make reasonable efforts to notify (i) anyone the patient requests be notified of the amendments and (ii) any other person or entity who may have received the incorrect or incomplete information and might rely on it to the detriment of the patient.  


PART FOUR

PERSONAL REPRESENTATIVES

IX.              Personal Representatives. A provider must treat a patient’s personal representative (“PR”) as having the access and other rights regarding PHI that would normally be accorded the patient. 

A.                 Adults/Emancipated Minors. If the PR has the authority to act for a patient in making decisions related to health care (e.g., the PR holds a durable power of attorney for health care decisions), the provider must treat the PR as if he were the patient (e.g., as having the same rights of consent, authorization, access and amendment concerning the patient’s PHI), but only with respect to PHI relevant to the scope of the representation.  (Example given: a PR with authority to make decisions relating only to treatment of cancer is entitled only to the “cancer” information.)

B.                 Unemancipated Minors. Where a parent, guardian, or other person acting “in loco parentis” has the authority to act or give consent for a minor under other applicable law, that person does not necessarily have authority with regard to the minor’s PHI.  Under the Privacy Standards, if (i) the minor has the authority under state law to consent to the health care provided, (ii) the minor does consent to the care, and (iii) no other consent is required by law, then the minor alone controls his PHI. The parent or guardian may not access it or authorize its disclosure. This is true even if the parent or guardian may also legally consent to the treatment and does in fact give consent. Alternatively, if the minor does not consent to the treatment despite having the authority to do so, and the parent or guardian does consent, then the parent or guardian has authority regarding the minor’s PHI. 

C.                 Unemancipated Minor Consent in Nevada.  In Nevada, it is clear that unemancipated minors, acting alone and without the consent of their parents or guardians, can give consent to treatment for the following:

1.                  Contraception advice, devices or supplies from a federally-funded program.

2.                  Treatment of a communicable disease, including HIV, AIDS and STDs. 

3.                  Treatment for the abuse of a controlled substance, where the minor is, or is suspected to be under the influence of a controlled substance.

Further, certain categories of minors can give consent to their health care treatment of any type, except for sterilization (and if under 18, for a breast implant).  To give consent, the minor must “understand the nature and purpose of the proposed examination or treatment and its probable outcome and voluntarily request it.” Those categories are:

a.                   Minors living apart from parents or a legal guardian, with or without their consent, for at least 4 months.

b.                  Minors who are married or have been married.

c.                   A minor who is a mother, or has borne a child. This includes a woman in first-time pregnancy before birth. Women in this category may also consent to care for their children, and may consent to pregnancy testing.

d.                  A minor, who in the physician’s judgment, is in danger of suffering a serious health hazard if health care services are not provided.

With respect to these categories, a provider must make “prudent and reasonable efforts” to obtain the minor’s consent to communicate with his or her parents before treatment and should document those efforts, but parental consent is not required if the minor refuses.

D.                 Abuse/Endangerment Situations.  A provider may elect not to treat a person as a PR if (i) the provider has a reasonable belief that the patient has been or may be subjected to domestic violence, abuse or neglect by that person, or that treating that person as the PR could endanger the patient; and (ii) the provider, in the exercise of professional judgment, decides it is not in the best interest of the patient to treat that person as the patient’s PR.


PART FIVE

USES AND DISCLOSURES OF PHI

X.                 Uses and Disclosures of PHI.  The Privacy Standards break down a provider’s use and disclosure of PHI into four categories, arranged by the need for patient authorization and the type of authorization needed. 

A.                 General Rule: Authorization Required. The general rule is that a patient’s PHI may not be used or disclosed unless a written authorization is obtained.  The Privacy Standards place very specific requirements on the form and content of an authorization, which must all be met.  This is discussed further in Section XXI below.  General authorizations or so-called “blanket authorizations” that a patient signs on intake or admission and which authorize broad categories of use are not permitted.   Rather, authorizations are required to be detailed and situation-specific.  Therefore, obtaining a patient authorization will entail significant effort by a provider.

B.                 Exceptions.  There are three categories of exceptions to the general rule under which a written authorization is not required.  The first category consists of certain “required” uses and disclosures; these are covered under Patient’s Rights in Part Three of this Guide.  The second category covers purposes and circumstances in which the Privacy Standards allow use and disclosure of a patient’s PHI without an authorization or any other permission.  A very important segment of this category is the so-called “TPO” (“treatment, payment and operations”) exception, which is intended to allow a provider to carry on its normal operations without obtaining patient consent to use or disclose the PHI involved; because of its importance, TPO is discussed in its own section (Section XII).  The last category covers situations in which a formal written authorization is not required and an oral or inferred authorization suffices; this is called the “notice and opportunity to object” category.  Each category is discussed separately below.

C.                 Business Associates.  Providers are allowed to share PHI with their business associates and to let them access PHI to perform their functions, so long as a written “business associate contract” which complies with the Privacy Standards is in place.

1.                  Business Associate Contract.  The Privacy Standards place very specific requirements upon the terms and contents of business associate contracts.  A model business associate contract is provided as Exhibit B.

2.                  Persons Who Are Not Business Associates. Members of the provider’s “workforce” (employees, volunteers, trainees and other persons under the provider’s direct control) are not business associates.  Further, a disclosure between providers “for consultation or referral purposes” does not make the providers involved business associates of each other. 

3.                  Breach of Required Business Associate Contract Provision. If a business associate violates the Privacy Standards, the provider can be punished for the violation only if the provider knows of the violation and fails to take reasonable steps to cure the violation or terminate the contract.  Upon knowledge of a breach of the business associate contract or a violation by a business associate, a provider must take reasonable steps to cure the breach or end the violation.  If that cannot be done, the provider must terminate the contract and the relationship with the business associate or, if that is not feasible, report the violation to the Secretary of DHHS.

XI.              The Minimum Necessary Rule.  One of the most important and most difficult rules in the Privacy Standards is the “minimum necessary rule”.  That rule provides that where the Privacy Standards permit the use or disclosure of PHI, a provider does not have carte blanche to make disclosures of any or all PHI.  Rather, the provider is required to “make all reasonable efforts not to use or disclose more than the minimum amount of [PHI] necessary to accomplish the intended purpose of the [permitted] use or disclosure.”

A.                 Exceptions.  The “minimum necessary” rule does not apply in certain circumstances, including (i) disclosures to, or requests by, a health care provider for treatment purposes, (ii) disclosures made to the patient, (iii) uses or disclosures required by law, (iv) disclosures to the Secretary of DHHS for compliance purposes, and (v) uses or disclosures made pursuant to a written authorization (the authorization itself defines what may be disclosed).

XII.            Healthcare Treatment, Payment and Operations (“TPO”) Purposes. A provider may use and disclose a patient’s PHI without authorization for the purposes of treating the patient, seeking payment and operating the provider’s practice or facility. 

A.                 Treatment.  Treatment purposes are broadly defined.  They include the provision of healthcare, the coordination of healthcare among providers, the referral of a patient from one provider to another, and the coordination of health care services among providers and third parties authorized by the health plan or the patient.

1.                  Treatment Purposes of Another Provider.  In addition to using and internally disclosing PHI within its workforce for its own treatment purposes, a provider may disclose a patient’s PHI to another health care provider to facilitate that provider’s treatment of the patient.

2.                  No Minimum Necessary Rule.   Disclosures to, or requests by, a health care provider for treatment purposes are the only TPO area in which the Minimum Necessary Rule does not apply.  (Internal uses of PHI for treatment remain subject to the rule.)

B.                 Payment.  Payment purposes are broadly defined.  They include activities undertaken by or on behalf of a provider (or its business associate) to obtain reimbursement, including (i) determinations of coverage, including eligibility and coordination of benefits (“COB”), (ii) risk adjusting, (iii) billing, claims management and data processing, (iv) review of services for medical necessity or justification of charges, and (v) utilization review (“U.R.”), including certification and pre-authorization.

1.                  Payment Purposes of Another Entity. In addition to using and internally disclosing PHI within its workforce for its own payment purposes, a provider may disclose a patient’s PHI to another health care provider or other covered entity to facilitate that entity’s efforts to obtain payment.  The minimum necessary rule applies to payment-purposes uses and disclosures, but a provider may rely on another covered entity’s representation that its request is for the minimum amount of PHI necessary to accomplish its purpose.

C.                 Operations.  Operations purposes are broadly defined.  They include a long list of management functions necessary to support treatment or payment functions, including (i) quality assessment and improvement, including outcomes evaluation and the development of clinical guidelines, (ii) review of the competence or qualifications of health care professionals, (iii) insurance rating activities in connection with contracting or with respect to enrollees of a health plan, (iv) medical review and auditing (including fraud and abuse detection), (v) conducting or arranging for legal services, (vi) business planning and development, (vii) business management and general administrative functions, (viii) due diligence for a potential successor in interest, (ix) resolution of internal grievances and (x) customer service. Also, a special rule allows reporting of certain limited information to consumer reporting (credit) agencies.

1.                  Operations Purposes of Another Entity. In addition to using and internally disclosing PHI within its workforce for its own operations purposes, a provider may disclose a patient’s PHI to another health care provider or other covered entity to facilitate that entity’s operations, but only for that entity’s operations purposes under (i) and (ii) above (quality assessment and improvement, and review of professional competence or qualifications), and only where each entity has, or had, a treatment relationship with the patient.  The minimum necessary rule applies to operations uses and disclosures, but a provider may rely on another covered entity’s representation that its request is for the minimum amount of PHI necessary to accomplish its purpose.

D.                 Special Law Considerations in Nevada.   Nevada law and federal regulations governing alcohol and drug abuse information also apply with respect to TPO uses and disclosures, and the Privacy Standard’s TPO rules must be modified for use in Nevada as indicated below.

1.                  General medical information.  A provider should follow the Privacy Standards’ TPO rules for its own TPO purposes, but require a signed patient authorization for disclosures to another provider or plan for their TPO purposes.

2.                  Blood, breath and urine test results. A provider should follow the Privacy Standards’ TPO rules for its own TPO purposes, but require a signed patient authorization for disclosures to another provider or plan for their TPO purposes.

3.                  Genetic information. A provider should follow the Privacy Standards’ TPO rules for its own TPO purposes.  Do not make disclosures to another provider or plan for their TPO purposes unless the patient provides an informed consent on the state-approved form.

4.                  Communicable disease information. A provider should follow the Privacy Standards’ TPO rules for its own TPO purposes, but require a specific, signed patient authorization for disclosures to another provider or plan for their TPO purposes. The authorization should state clearly that information about communicable diseases, including HIV, AIDS and/or STDs, may be disclosed.

5.                  Mental health information. A provider should follow the Privacy Standards’ TPO rules for its own TPO purposes, but require a specific, signed patient authorization for disclosures to another provider or plan for their TPO purposes. The authorization should state clearly that mental health information may be disclosed.

6.                  Alcohol and drug abuse information.   A provider who operates a “program” may make only the following TPO uses and disclosures without a signed, specific patient authorization.

a.                   To medical personnel to the extent necessary to meet a bona fide medical emergency.

b.                  To qualified personnel for the purposes of conducting management audits, financial audits or program evaluation, but such personnel may not identify, directly or indirectly, any individual patient in any report of such audit or evaluation or otherwise disclose patient identities in any manner.

c.                   To a qualified service organization where information is needed by that organization to provide services to the program.

d.                  Among personnel in the program or working for an entity having direct administrative control over the program, in connection with their duties that arise out of the provision of diagnosis, treatment or referral for treatment, so long as the communications are within the program or between the program and the controlling entity.

E.                  Summary.   A tabular summary of the HIPAA TPO rules is presented on Exhibit C.   A tabular summary of the Nevada TPO rules is presented on Exhibit D.

XIII.         Marketing.   Providers may wish to use patient PHI for a marketing communication.

A.                 General Rule: Authorization Required. The general rule is that any marketing communication that involves the use or disclosure of PHI will require a patient authorization.  However, the definition of “marketing” used in the Privacy Standards is very porous.  As a result, many communications are allowed without authorization.

B.                 Marketing Defined.  A marketing communication under the Privacy Standards is “a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service.”  This definition gauges the effect of the communication on the patient, not the provider’s intent in making the communication. 

However, a marketing communication does not include (1) any face-to-face communication by a provider to a patient or (2) a promotional gift of nominal value.

Further, marketing communications do not include treatment-related communications.  These are communications made orally or in writing by a provider for the purpose of (i) describing the entities in a network, the products or services offered by a provider, or the benefits covered by a health plan; (ii) treatment of that patient; (iii) case management or care coordination for that patient; or (iv) directing or recommending alternative treatments, therapies, providers or settings.  This is true even where the provider is remunerated by someone else (e.g., a drug company) to make the communication. However, the provider itself must make the communication; it cannot allow the remunerating party to make it, although the remunerating party may pay for the provider to have someone else (e.g., a mailing service) do the mailing on the provider’s behalf.

C.                 Special Law Considerations in Nevada.   Nevada law and federal regulations governing alcohol and drug abuse information also apply with respect to marketing uses and disclosures, and the Privacy Standard’s marketing rules must be modified for use in Nevada as indicated below.

1.                  General medical information.  Under the Nevada statutes, an authorization by the patient that allows the use and disclosure of the patient’s information for marketing purposes should be adequate to permit the disclosure of general medical information, even a “blanket authorization” (i.e., a broad general authorization given at the time of admission to a facility or acceptance into a medical practice). Therefore, a provider wishing to make uses or disclosures of patient information for marketing purposes should modify its admission/intake consent forms to incorporate such permission.  (While a blanket authorization does not satisfy the HIPAA Privacy Standards, it is sufficient to authorize disclosure under state law; the HIPAA-compliant authorization described in Section XXI is still required.)

2.                  Blood, breath and urine test results.  This information should not be used or disclosed for marketing purposes without a specific, signed patient consent.

3.                  Genetic information.  This information should not be used or disclosed for marketing purposes without a signed patient informed consent on the state-approved form.

4.                  Communicable disease information. These should not be used or disclosed for marketing purposes without a specific, signed patient consent.

5.                  Mental health information.  This information should not be used or disclosed for marketing purposes without a specific, signed patient consent.

6.                  Alcohol and drug abuse information.   This information should not be used or disclosed for marketing purposes without a specific, signed patient consent.

XIV.         Fundraising.  A provider may use or disclose certain PHI without a patient authorization to a business associate or institutionally related foundation for the purposes of raising funds for its own benefit. The provider may disclose demographic information and the dates of health care provided to a patient.  However, the provider must also indicate in any fund-raising communications how the patient may opt out of receiving them in the future.

A.                 Special Law Considerations in Nevada.   Nevada law and federal regulations governing alcohol and drug abuse information also apply with respect to fund raising uses and disclosures, and the Privacy Standard’s rules must be modified for use in Nevada as indicated below.

1.                  General medical information.  An authorization by the patient, even a “blanket authorization”, that allowed the use and disclosure of the patient’s information for fund-raising purposes, should be adequate to permit the disclosure of general medical information. Therefore, a provider wishing to make disclosures of patient-identifiable information to fund raisers should modify its admission/intake consent forms to incorporate such permission.

2.                  Blood, breath and urine test results.  This information should not be used or disclosed for fund-raising purposes without a specific, signed patient consent.

3.                  Genetic information. This information should not be used or disclosed for fund-raising purposes without a signed patient informed consent on the state-approved form.

4.                  Communicable disease information. This information should not be used or disclosed for fund-raising purposes without a specific, signed patient consent.

5.                  Mental health information. This information should not be used or disclosed for fund-raising purposes without a specific, signed patient consent.

6.                  Alcohol and drug abuse information.   This information should not be used or disclosed for fund-raising purposes without a specific, signed patient consent.

XV.           Other Permitted Uses and Disclosures of PHI without Patient Authorization.

A.                 Public and Governmental Purposes.  Providers may make certain disclosures in this area without patient authorization.

1.                  Public Health Activities. The Privacy Standards provide a broad exception from the patient authorization requirements for activities such as communicable disease reporting, child abuse reporting, FDA evaluation and monitoring.

a.                   Victims of Abuse, Neglect Or Domestic Violence.  A provider may disclose PHI to a government authority authorized to receive reports of abuse, neglect or domestic violence if (1) the victim/patient agrees or (2) if disclosure is required by law (such as elder abuse, in Nevada) or (3) if the disclosure is permitted (but not required) by law and the provider believes, in the exercise of professional judgment, that disclosure is necessary to prevent serious harm to the patient or other potential victims. 

Except in the case of child abuse or neglect reporting, if a provider makes a disclosure required by law (e.g., elder abuse), it must promptly inform the patient/victim that the report has been made unless the provider believes, in the exercise of professional judgment, that (i) informing the patient would place the patient in risk of serious harm or (ii) the patient has a personal representative who would receive the information, and the provider has reason to believe the PR is responsible for the abuse, neglect or violence.

2.                  Health Oversight.  Disclosures may be made to a public agency (or person acting under a grant of authority from one) for (i) audit, investigation or inspection, (ii) licensure or discipline, (iii) civil, criminal or investigative proceedings, and (iv) other appropriate oversight activities.

3.                  Legal Proceedings. PHI may be released in response to a duly authorized process of law in the context of a judicial or administrative proceeding where the subject is a party and his medical condition or history is at issue.  Otherwise, either: (i) a court order must specify the PHI to be disclosed or (ii) the requesting agency or legal counsel for the requesting litigant must provide satisfactory assurances to the provider that reasonable efforts have been made to secure a qualified protective order or the patient has been given notice of the subpoena and has failed to object.  See the Privacy Standards for details. 

B.                 Coroners and Law Enforcement.  The Privacy Standards contain very detailed, situation-specific rules about disclosures in these areas.  The following are allowed:

1.                  Law enforcement.

a.                   Purpose.  Information may be disclosed without legal process to law enforcement for specific purposes.

(i)                  for identification or location of a suspect, fugitive, missing person or material witness.

For identification and location disclosures, the Privacy Standards limit the PHI that may be disclosed.  The information that may be provided to law enforcement for this purpose is the patient’s (1) name and address, (2) date and place of birth, (3) Social Security number, (4) ABO blood type, (5) type of injury, (6) date and time of treatment, (7) date and time of death and (8) distinguishing physical characteristics.  The provider may not disclose PHI relating to DNA, dental records, or typing, samples or analysis of body fluids or tissue.

(ii)                about a patient who is suspected to be a victim of a crime, but only if (1) the patient agrees or (2) the patient cannot agree due to incapacity or emergency and law enforcement represents (a) that such information is needed to determine whether another person committed a crime and the information will not be used against the patient and (b) that the law enforcement activity would be materially and adversely affected by waiting until the patient is able to agree.

(iii)               about a deceased patient if the provider suspects the death may have occurred from criminal activity.

(iv)              to report a crime on the provider’s premises.

(v)                to report a crime not on the provider’s premises if the disclosure appears necessary to alert law enforcement to (a) the commission and nature of a crime, and (b) the identity, description and location of the perpetrator.

b.                  To coroners and medical examiners, PHI may be disclosed to identify a deceased person, determine cause of death or other purpose authorized by law.

c.                   To funeral directors, PHI may be disclosed as necessary to carry out their duties consistent with applicable laws.

d.                  For cadaveric organ, eye and tissue donation purposes PHI may be disclosed to the involved entities as necessary to carry out their duties consistent with applicable laws.

2.                  All Others. All other disclosures to the above-listed persons require legal process, and disclosures in response to an administrative process must be carefully limited as provided in the Privacy Standards.

3.                  Law Enforcement/ Special Law Considerations in Nevada.   Nevada law and federal regulations governing alcohol and drug abuse information also apply with respect to law enforcement uses and disclosures, and the Privacy Standard’s rules must be modified for use in Nevada as indicated below.

a.                   General medical information. A provider should follow the Privacy Standard’s rules.

b.                  Blood, breath and urine test results.  A provider should follow the Privacy Standard’s rules.

c.                   Genetic information. This information may be disclosed only (i) where the information is needed to conduct a criminal investigation or investigate the death of a person in a criminal proceeding, (ii) in an action to determine parentage or identity of a person or corpse under NRS 56.020, (iii) in actions to determine parentage under NRS 126.121 or 425.384, (iv) to a federal, state, county or city law enforcement agency to establish the identity of a person or corpse, or (v) pursuant to court order. Before disclosure, the identity and authority of the requestor should be verified and documented.  It is strongly recommended that legal counsel be involved.

d.                  Communicable disease information.  This information may be disclosed only (i) in a prosecution for a violation of the Communicable Disease Act, or an action for an injunction thereunder; or (ii) in reporting actual or suspected child or elder abuse.  Before disclosure, the identity and authority of the requestor should be verified and documented.  It is strongly recommended that legal counsel be involved.

e.                   Mental health information. This information may be disclosed only under a court order.

f.                    Alcohol and drug abuse information.   This information may be disclosed to law enforcement officers where the disclosure and use is (i) directly related to a patient’s commission of a crime on the program’s premises or a threat to commit such a crime, and (ii) limited to the circumstances of the incident, including the patient status of the perpetrator, his name and address and last known whereabouts.

C.                 Uses and Disclosures to Avert a Serious Threat to Health or Public Safety. A provider may use or disclose PHI if it in good faith believes the use or disclosure: (1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and is to a person reasonably able to prevent or lessen the threat, including the target of the threat, or (2) is necessary for law enforcement authorities to identify or apprehend an individual who is the provider’s patient, where the patient has admitted participation in a violent crime that may have caused serious physical harm to the victim or where it appears that the patient has escaped from a correctional institution or custody.  However, a use or disclosure under this exception may not be made if the provider learned the PHI in the course of the patient’s treatment (or recommendation for treatment) for the propensity to commit the crime, e.g., drug use.

D.                 Correctional Institutions and Custody.  A provider may use or disclose PHI concerning a patient who is an inmate or in custody to law enforcement if law enforcement represents that it is necessary to (1) provide health care to inmates, (2) protect the health and safety of inmates or others, (3) protect the health and safety of law enforcement or other personnel who work at the correctional facilities or transport inmates, or (4) maintain safety, security and good order on correctional institution premises.  (Refer to B.3 above for additional restrictions on furnishing certain types of information under other applicable law.)

E.                  Miscellaneous. Other exceptions allow disclosures for military purposes, for routine banking or payment transactions with a financial institution, and for research purposes. Refer to the Privacy Standards for details.

XVI.         Permitted Disclosures of PHI with Notice and Opportunity to Object. “Notice and opportunity to object” rules apply in certain situations. Under these rules the patient may be informed orally of an intended use or disclosure, and be afforded the opportunity to object or orally agree.  If there is no objection, the use or disclosure may occur.  (While the Privacy Standards permit an oral rather than a written agreement to these disclosures, in many cases a conscientious provider should document the fact that the oral consent was given.)

A.                 Facility Directories. A provider that maintains a facility may use the following PHI for the directory and directory services, unless the patient objects: name, location, condition (described in general terms that do not communicate specific medical information) and religious affiliation.  All of the preceding information may be disclosed to visiting clergy; all of it except for religious affiliation may be disclosed to anyone else who asks for the patient by name.  The patient must be informed of the information to be disclosed, and to whom, and be given an opportunity to object to the disclosure or to limit the disclosed information. In an emergency, or where the patient is incapable of consenting, these disclosures can be made so long as (i) the provider knows of no patient preference to the contrary and (ii) in its professional judgment, determines the disclosure is in the patient’s best interests.

B.                 To Others Involved in the Patient’s Care or for Notification Purposes.  A provider may disclose to a family member or other relative, a close personal friend or any other person identified by the patient, any PHI relevant to that person’s involvement in the patient’s care or payment.  For example, if a friend is to drive a patient home from surgery, and the patient is orally notified and does not object, the provider may inform the friend of the patient’s departure time and possible reactions to travel and may provide aftercare instructions if the friend will participate in aftercare.  

C.                 Notification Purposes. A provider may use and disclose a patient’s PHI to notify, or attempt to notify a family member, personal representative or other person responsible for a patient’s care of the patient’s location, general condition or death. 

1.                  Disaster Relief.  A provider may make disclosures to a public or private entity “authorized by law or its charter to assist in disaster relief efforts” for the purposes of notifying others involved in the patient’s care, without a notice and opportunity to object (that is, without any type of permission) if the provider determines, in the exercise of professional judgment, that those requirements interfere with the entity’s ability to respond to the emergency.

D.                 Where Patient Is Present. Where the patient is present (for example, when the patient and his wife are both present in the examination room) for the use or disclosure of PHI, and the patient has the capacity to make health care decisions, the provider may use and disclose PHI to other persons present if the provider either:

1.                  Obtains the patient’s agreement.

2.                  Provides the patient an opportunity to object and no objection is made.

3.                  Reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object.

For example, where a patient brings his spouse into the exam room, a physician can probably reasonably infer from this that the patient does not object to the disclosure of PHI to his spouse.  If, however, the spouse enters uninvited, the physician should provide the patient the opportunity to object.

E.                  Limited Uses Where the Patient is Not Present.  If the patient is not present, or cannot agree due to incapacity or emergency, a provider may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the patient and, if so, disclose only the PHI that is directly relevant to the person’s involvement in the patient’s health care.

1.                  Examples. The OCR has given, as examples of the use of this exception, allowing another person to pick up a patient’s filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.

XVII.      Special Rule for Incidental Uses and Disclosures.  The Privacy Standards provide a special rule for “incidental uses and disclosures.”  For example, where a physician and a nurse discuss a patient’s condition in hushed voices at the nursing station, but they are overheard by a passing patient, an incidental disclosure has occurred.  In the same vein, an incidental disclosure occurs where a passing visitor looks into the viewing room while passing a nursing station and sees a patient’s x-rays.  The Privacy Standards permit a secondary use or disclosure of PHI that (1) cannot be reasonably prevented, (2) is limited in nature and (3) that occurs as a byproduct of an otherwise permitted use or disclosure so long as (4) the provider has applied reasonable safeguards and (5) implemented the minimum necessary standard.  For example, using a waiting room sign-in sheet that lists patient names should be permissible, but a waiting list that asks for “complaint or condition that brings you to the office today” would not be permissible.

XVIII.    All Other Uses and Disclosures.      All uses and disclosures not mentioned above will require a written authorization from the patient.

PART SIX

REQUIRED FORMS, POLICIES AND PROCEDURES

XIX.         Required Policies and Procedures.   The Privacy Standards do not mandate a long list of specific policies and procedures that must be implemented by providers.  However, many policies and procedures are implied by the Privacy Standards.

A.                 Mandated Policies.  A few specific policies and procedures seem to be mandated.

1.                  A provider must designate a “Privacy Official” who will be responsible for developing and implementing its privacy policies and procedures, and document that designation.

2.                  A provider must ensure that all personnel who, by virtue of their positions, are likely to obtain access to PHI are promptly trained in its privacy policies and procedures.  This training must be documented.

3.                  A provider must document all complaints received about its handling of PHI, and the disposition of those complaints, if any.

4.                  A provider must have and apply appropriate sanctions against members of its workforce who fail to comply with its privacy policies and practices, and document sanctions applied.

5.                  Document Retention.  The Standards require that various things be documented.  PHI and any required documentation must be retained for six years from its creation.

B.                 Implied Policies.  Beyond those specific requirements, only the following general command about policies and procedures is given in the regulations.

Standard: policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart. The policies and procedures must be reasonably designed, taking into account the size and type of activities that relate to protected health information undertaken by the covered entity. 

Given this command, a number of other policies and procedures can be implied from the Privacy Standards.  Opinions as to what other policies and procedures a provider must develop vary widely, as opinions tend to do.  Exhibit E lists and outlines one opinion as to the types and content of policies and procedures that are implied by the regulation set out above.

C.                 Policy Implications of the TPO Exception and “Minimum Necessary Rule”. There has been considerable controversy about whether compliance with the “minimum necessary rule” requires providers to review each and every job position within the organization, make a reasoned determination about whether the position requires access to PHI to perform the job function (and, if so, how much under the “minimum necessary rule”), document that determination in each individual job description, and establish a procedure to ensure the employee can access only that “minimum necessary” amount of PHI.  Many institutions have implemented compliance efforts of this scope.

A compliance effort at this level is not specifically commanded.  The OCR’s comments in the preamble to the August 14, 2002 Final Rule seem to indicate that a somewhat more generic, and less specific level of effort is expected.  Consider the following comments from the preamble to the August 14, 2002 Final Rule.

“For example, a hospital that permits an employee to have unimpeded access to patient’s medical records, where such access is not necessary for the employee to do her job, is not applying the minimum necessary standard” and therefore violates the Privacy Rule.

“For uses of [PHI], the policies and procedures must identify the persons or classes of persons within the Covered Entity who need access to [PHI] to carry out their job duties, the categories or types of [PHI] needed, and the conditions appropriate to such access.  For routine or recurring requests or disclosures, the policies and procedures may be standard protocols.  Non-routine requests for, and disclosures of [PHI] must be reviewed individually.”

This seems to imply a minimum of at least a policy and procedure that (1) identifies the persons or classes of persons in the provider’s operations who need access to PHI, (2) identifies the PHI that each must access, (3) describes conditions appropriate to accessing PHI for each class, and (4) establishes a review procedure for non-routine PHI access. 

Further OCR comments illustrate the level of specificity expected in a provider’s policy addressing requests that the provider might make for PHI from another covered entity: 

“Specifically, for requests not made on a routine and recurring basis….a Covered Entity must implement the minimum necessary standard by developing and implementing criteria designed to limit its requests for [PHI] to the minimum necessary to accomplish the intended purpose.”

These comments are reflected in the list of policies and procedures set out in Exhibit E.
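The four elements drawn from the OCR preamble above (classes of persons, the PHI each class needs, the conditions on that access, and individual review of non-routine requests) map directly onto an access-control policy in a provider’s information system. The following Python is an added illustration written for this guide’s readers; it is not code from the guide, from OCR, or from any regulation. The roles, PHI categories, care-team roster, user names and patient identifiers are all constructed for the example. It also shows a policy check that flags the “unimpeded access” pattern the preamble cites as a violation.

```python
"""Minimum necessary access policy: a constructed example, not from the guide.

Encodes the four elements the OCR preamble calls for:
  (1) classes of persons who need access,
  (2) the categories of PHI each class needs,
  (3) the conditions appropriate to that access, and
  (4) individual review of non-routine requests.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

# PHI categories (constructed labels; a real system would use its own taxonomy).
DEMOGRAPHICS = "demographics"
DIAGNOSES = "diagnoses"
MEDICATIONS = "medications"
LABS = "lab_results"
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"
BILLING = "billing"
ALL_CATEGORIES = frozenset(
    {DEMOGRAPHICS, DIAGNOSES, MEDICATIONS, LABS, PSYCHOTHERAPY_NOTES, BILLING})


@dataclass
class AccessRequest:
    user: str
    role: str
    patient_id: str
    categories: FrozenSet[str]   # PHI the user is asking for
    purpose: str                 # "treatment", "payment" or "operations"
    routine: bool = True         # non-routine requests are held for review


@dataclass
class RoleRule:
    categories: FrozenSet[str]                   # element (2)
    condition: Callable[[AccessRequest], bool]   # element (3)


@dataclass
class Decision:
    permitted: FrozenSet[str]
    denied: FrozenSet[str]
    needs_review: bool
    reason: str


# Constructed roster: which users currently have a treating relationship with which patients.
CARE_TEAM: Dict[str, Set[str]] = {
    "p-1001": {"dr.lee", "rn.ortiz"},
    "p-1002": {"dr.lee"},
}


def treating(req: AccessRequest) -> bool:
    """Condition: the requester is on the patient's care team."""
    return req.user in CARE_TEAM.get(req.patient_id, set())


def payment_purpose(req: AccessRequest) -> bool:
    """Condition: the stated purpose is payment."""
    return req.purpose == "payment"


def always(req: AccessRequest) -> bool:
    """No condition at all; only appropriate together with a narrow category set."""
    return True


# Element (1): classes of persons and what each may see. Psychotherapy notes are
# granted to no role here because the guide treats them under separate rules.
POLICY: Dict[str, RoleRule] = {
    "physician": RoleRule(frozenset({DEMOGRAPHICS, DIAGNOSES, MEDICATIONS, LABS}), treating),
    "nurse": RoleRule(frozenset({DEMOGRAPHICS, MEDICATIONS, LABS}), treating),
    "billing_clerk": RoleRule(frozenset({DEMOGRAPHICS, BILLING}), payment_purpose),
}

# The weak configuration the OCR preamble describes: a role with every category and no condition.
WEAK_POLICY: Dict[str, RoleRule] = {"records_clerk": RoleRule(ALL_CATEGORIES, always)}

AUDIT_LOG: List[str] = []


def evaluate(req: AccessRequest, policy: Dict[str, RoleRule] = POLICY) -> Decision:
    """Deny by default; filter a permitted request down to the role's categories."""
    rule = policy.get(req.role)
    if rule is None:
        d = Decision(frozenset(), req.categories, False, "unknown role: denied by default")
    elif not req.routine:
        # Element (4): non-routine requests are never auto-granted.
        d = Decision(frozenset(), req.categories, True, "non-routine: held for individual review")
    elif not rule.condition(req):
        d = Decision(frozenset(), req.categories, False, "access condition not met")
    else:
        permitted = req.categories & rule.categories
        d = Decision(permitted, req.categories - permitted, False, "minimum necessary filter applied")
    AUDIT_LOG.append(f"{req.user} role={req.role} patient={req.patient_id} "
                     f"permitted={sorted(d.permitted)} denied={sorted(d.denied)} {d.reason}")
    return d


def unrestricted_roles(policy: Dict[str, RoleRule]) -> List[str]:
    """Flag roles granted every category with no condition (the 'unimpeded access' pattern)."""
    return [name for name, rule in policy.items()
            if rule.categories == ALL_CATEGORIES and rule.condition is always]
```

A nurse on patient p-1001's care team asking for demographics, diagnoses and labs gets demographics and labs, with diagnoses recorded as denied; the same nurse asking about p-1002 is refused because the treating condition fails; any request marked non-routine is held for review rather than granted; and `unrestricted_roles(WEAK_POLICY)` names the over-broad role while `POLICY` produces none. The audit log gives the Privacy Official the record of denials and reviews that the documentation requirements above call for.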

XX.           Required Security Measures.   Specific security measures are not set out in the Privacy Standards.  The Privacy Standards only supply the following general commands:

Standard: safeguards. A covered entity must have in place appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.

Implementation specifications: safeguards.

(i)            A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementations specifications or other requirements of this subpart.

(ii)           A covered entity must reasonably safeguard protected health information to limit incidental uses and disclosures made pursuant to an otherwise permitted or required use or disclosure.

Opinions expressed in the industry about the implications of this Standard vary widely, almost fantastically.  Conversations with OCR officials seem to indicate the agency will take a common sense, “reasonable man” approach to this area.  Significant architectural renovations do not seem to be envisioned.

XXI.         Authorizations.

A.                 Not Consolidated, Plain Language. The Privacy Standards provide that authorizations to disclose PHI (i) cannot be included in the same document as authorizations for treatment or payment, and (ii) must be in “plain language”.

B.                 Contents.  Authorizations must include the following:

1.                  A “specific and meaningful” identification and description of the information to be used or disclosed.

2.                  The name of the Covered Entity or “the class of entities or persons” authorized to make the use or disclosure.

3.                  The name or other specific identification of the persons or entities to which the disclosure will be made.

4.                  A description of each purpose of the use or disclosure. (“At request of the patient” is sufficient.)

5.                  An expiration date or event.

6.                  A dated signature by the patient (or, if signed by another person, a statement describing that person’s authority to act for the patient).

7.                  A statement in which the patient acknowledges that he has the right to revoke the authorization at any time.

8.                  If the authorization is signed by a Personal Representative, a description of the PR’s authority to act for the patient.

9.                  A statement of the patient’s right to revoke the authorization in writing and instructions on how to do so.

10.              A statement that treatment or payment is not conditioned on the authorization. (Exceptions are made to this requirement for (a) research-related treatment, (b) treatment the purpose of which is creating PHI for a third party, such as pre-employment physicals, and (c) health plans that condition enrollment on an authorization requested prior to enrollment, or that condition payment on an authorization to use PHI to determine payment.  The health plan exception in (c) does not apply to psychotherapy notes.)

11.              A statement that the information disclosed may be subject to redisclosure by the recipient and no longer protected by the privacy regulations.

12.              On an authorization for marketing uses or disclosures, a statement as to whether the entity will be remunerated by a third party.

The patient must be given a copy of the authorization.

C.                 Complete Forms Required. Where an authorization lacks any of the required items, it will be defective and any resultant disclosure or use of PHI will be a violation of the Privacy Standards.  A model form is provided at Exhibit F.  An authorization will also be considered defective if “any material information in the authorization is known by the covered entity to be false.”

D.                 Compound Authorizations.  Compound authorizations (i.e., more than one use or disclosure authorized) are generally not allowed.

E.                  Authorizations for Psychotherapy Notes.  An authorization is required for any use or disclosure of psychotherapy notes, except to carry out certain, limited TPO purposes of the provider, which are:

1.                  Use by the originator of the notes for treatment purposes.

2.                  Use or disclosure by the provider in its own mental health professional training programs.

3.                  Use or disclosure by the provider in a legal proceeding with the patient.

Authorizations for the use or disclosure of psychotherapy notes can only be combined with another authorization for the use or disclosure of psychotherapy notes.  Authorizations for the disclosure of psychotherapy notes should not be combined on the same form with authorizations for the disclosure of other PHI.

F.                  Revocation. The Standards do not set out any procedure for revocation of consents or authorizations.  For their own protection, providers should formulate a procedure for revocation and print it on the authorization form or their Privacy Practices Notice. Carefully consider this procedure (e.g., to be effective, a revocation must be received by the Privacy Officer in writing, with the name of the subject, phone number, etc.). Some specific features of revocations under the Privacy Standards are:

1.                  Revocations must be in writing.

2.                  Revocations are not effective (1) to the extent the provider has acted in reliance on the authorization, or (2) if the authorization was obtained as a condition of obtaining insurance coverage and the insurer wishes to use the PHI to lawfully contest a claim.

XXII.      Privacy Practice Notices.  Providers are required to provide patients with a written notice of their health care information use/disclosure practices.

A.                 Contents.  The Notice must include at minimum:

1.                  A description of the uses or disclosures which will be made without authorization, including at least one example of each type, distinguishing between those required by law and those only permitted.  The description must be in sufficient detail to provide the patient with notice of the uses and disclosures that are required or permitted by the Privacy Standards.

2.                  A description of each of the purposes for which the provider may use or disclose PHI without authorization.

3.                  If another applicable law places more stringent limitations on use or disclosure, a statement that the more stringent law will be observed.

4.                  A statement that no other uses will be made without authorization, and that authorization may be revoked.

5.                  Separate statements if the provider will contact the patient to make appointment reminders, to provide information about treatment alternatives or other benefits that may be of interest to the patient, or to raise funds.

6.                  A statement of the patient’s rights with respect to PHI (e.g., disclosure accounting, inspecting and copying, amending) and a brief description of how they may be exercised.

7.                  A statement that patients may request other uses or limitations, but that the provider need not accept those additional uses or limitations.

8.                  A statement that the provider (i) is required by law to protect the privacy of protected health information; (ii) is required by law to provide a notice of its policies and procedures and to abide thereby; and (iii) may change its policies and procedures at any time.

9.                  The Notice must inform the patient how they will be informed of material changes to the provider’s privacy practices.

10.              A statement that patients may complain to the entity and/or DHHS if they feel their privacy rights have been violated.

11.              The name and phone number of the provider’s Privacy Officer (or his designee.)

12.              The effective date of the notice.

13.              The following header is required: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

B.                 Model Privacy Practices Notice.  As can be seen from the above, a sufficient Notice is a long document.  A model Notice for Nevada providers is provided at Exhibit A.

C.                 Written Acknowledgment Required.  Providers who have a “direct treatment relationship” (e.g., face-to-face service delivery to the patient) must make a good faith effort to obtain written acknowledgment of the patient’s receipt of the Notice. If the patient refuses, the provider must document the effort and the reason for failure.

1.                  Consultants providing services in facilities.  One of the more burdensome aspects of this requirement falls upon consultants operating in facilities.  For example, when an anesthesiologist first meets the patient on the morning of surgery, he must present his practice’s Privacy Practices Notice and make a good faith effort to obtain the patient’s signature.  The neurologist who is called to consult on an inpatient must do the same. This is true even though the hospital has included members of its medical staff on its Privacy Practices Notices as members of an “organized health care arrangement” with the hospital.  Many providers have found this requirement unbelievable.  However, it has been enunciated by OCR officials and was addressed in the following FAQ published by the OCR in December of 2002.

Q:           “We participate in an organized health care arrangement (OHCA).  How are we to comply with the HIPAA Privacy Rule’s requirements for providing notices and obtaining patients’ acknowledgements of the notice?

A:            Health care providers and other covered entities that participate in an OHCA may use a single, joint notice that covers all of the participating covered entities…  Where a joint notice is provided to a patient by any one of the covered entities to which the joint notice applies, the Privacy Rule’s requirements for providing the notice are satisfied. … In addition, each direct treatment provider within the OHCA must make a good faith effort to obtain the patient’s acknowledgement of the notice he or she provides.”

2.                  Web Site.  A provider that maintains a web site must post the notice on its web site and make the notice available through its site.

3.                  Emergency.  In an emergency situation, a provider may provide the Notice as soon as is reasonably practical after the emergency.  The requirement to obtain patient acknowledgement does not apply in this circumstance. 

4.                  Posting.  If the provider has a facility, it must post the Notice in a clear and prominent location where it is reasonable to expect patients to be able to read the Notice.  It must also have copies available for patients.

5.                  Other Providers.  Providers who do not have direct treatment relationships must make the Notice available to patients on demand.  It is recommended that it be mailed after the first service delivery.


EXHIBIT A: MODEL PRIVACY PRACTICES NOTICE

The Effective Date of This Notice is __________

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

*****************************

[provider name]

Privacy Practices Notice

This page describes the type of information we gather about you, with whom that information may be shared and the safeguards we have in place to protect it. You have the right to the confidentiality of your medical information and the right to approve or refuse the release of specific information except when the release is required by law, or permitted by law without your authorization.

If the practices described in this notice meet your expectations, there is nothing you need to do. If you prefer additional limitations on the use of your medical information, you may request them following the procedure below.

If you have any questions about this notice, please contact our Privacy Officer at the address below.

Who is {Complex Entity}?

[Delete this Section if not a complex entity.]

The provision of this notice to you is required by the federal “Standards for Privacy of Individually Identifiable Health Information,” 45 CFR Parts 160 and 164 (“the regulations”).  {Complex Entity} (“the Provider”) is an organized health care arrangement and a group of affiliated covered entities under the regulations.  The entities involved in [here list all other entities to whom this notice will apply and with whom OHCA sharing of PHI for operations purposes is desired.  Be sure to include medical staff.]

The regulations also require that we make a good faith effort to obtain your written acknowledgement that you have received this Notice.  This is why you will be asked to sign this form at the end.

Who Will Follow This Notice

This notice describes practices of all of the persons and entities in the Provider regarding the use of your medical information and that of:

Our Pledge Regarding Medical Information

We understand that medical information about you and your health is personal. Protecting medical information about you is important. We create a record of the care and services you receive. We need this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the records of your care generated by the Provider, whether made by health care professionals or other personnel.

This notice will tell you about the ways in which we may use and disclose medical information about you. We also describe your rights and certain obligations we have regarding the use and disclosure of medical information.

We are required by law to:

Nevada Law

In addition to federal law, Nevada law places more stringent restrictions on the disclosure and use of mental health information, genetic information, communicable disease information and blood and urine tests.  Other federal regulations place more stringent requirements on drug and alcohol abuse information.  We shall comply with those more stringent restrictions.

How We May Use and Disclose Medical Information About You

The following categories describe different ways that we may use and disclose medical information. For each category of uses or disclosures we will try to give some examples. Not every use or disclosure in a category will be listed.

For Treatment. We may use medical information about you to provide you with medical treatment or services. We may disclose medical information about you to doctors, nurses, technicians, training doctors, or other health care professionals who are involved in taking care of you. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if you have diabetes so that we can arrange for appropriate meals. Different health care professionals also may share medical information about you in order to coordinate the different things you need, such as prescriptions, lab work and x-rays. We also may disclose medical information about you to people outside the hospital who may be involved in your medical care after you leave the hospital or that provide services that are part of your care.

For Payment. We may use and disclose medical information about you so that the treatment and services you receive may be billed to and payment may be collected from you, an insurance company or a third party. For example, your insurance may need to know about surgery you received so they will pay us or reimburse you for the surgery. We may also use and disclose medical information about you to obtain prior approval or to determine whether your insurance will cover the treatment, or to undertake other tasks related to seeking payment for services provided.  We may also disclose medical information to another health care provider who is or has been involved in your treatment, so that that provider may seek payment for services rendered.

For Health Care Operations Purposes. We may use and disclose medical information about you for health care operations purposes. This is necessary to make sure that all of our patients receive quality care. For example, we may use medical information to review our treatment and services and to evaluate the performance of our staff in caring for you, or to otherwise manage and operate the Provider effectively. We may also disclose information to doctors, nurses, technicians, training doctors, medical students, and other hospital personnel for review and learning purposes. We may remove information that identifies you from this set of medical information so others may use it to study health care and health care delivery without learning who the specific patients are.

Appointment Reminders. We may use and disclose medical information to contact you as a reminder that you have an appointment for treatment or medical care.

Treatment Alternatives. We may use and disclose medical information to tell you about or recommend possible treatment options or alternatives that may be of interest to you.

Health-Related Benefits and Services. We may use and disclose medical information to tell you about health-related benefits or services that may be of interest to you.

 

Hospital Directory. We may include certain limited information about you in the hospital directory while you are a patient at the hospital. This information may include your name, location in the hospital, your general condition (e.g., fair, stable, etc.) and your religious affiliation. The directory information, except for your religious affiliation, may also be released to people who ask for you by name. Your religious affiliation may be given to a member of the clergy, such as a priest or rabbi, even if they don’t ask for you by name. This is so your family, friends and clergy can visit you in the hospital and generally know how you are doing.  If you object to our doing this, please let us know, and we will honor your objection.

 

Individuals Involved in Your Care or Payment for Your Care. We may release medical information about you to a friend or family member who is involved in your medical care. We may also give information to someone who helps pay for your care. We may also tell your family or friends your condition and that you are in the hospital. In addition, we may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.

 

Research. Under certain circumstances, we may use and disclose medical information about you for research purposes. For example, a research project may involve comparing the health and recovery of all patients who received one medication to those who received another, for the same condition. All research projects, however, are subject to a special approval process. This process evaluates a proposed research project and its use of medical information, trying to balance the research needs with patients' need for privacy of their medical information. Before we use or disclose medical information for research, the project will have been approved through this research approval process, but we may, however, disclose medical information about you to people preparing to conduct a research project, for example, to help them look for patients with specific medical needs, so long as the medical information they review does not leave the hospital.  Otherwise, we will almost always ask for your specific permission if the researcher will have access to your name, address or other information that reveals who you are, or will be involved in your care at the hospital.

 

As Required By Law. We will disclose medical information about you when required to do so by federal, state or local law.

 

To Avert a Serious Threat to Health or Safety. We may use and disclose medical information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

 

Fundraising Activities. We may use medical information about you in an effort to raise money for Provider entities and their operations. For example, we may disclose medical information to a foundation related to the hospital so that the foundation may raise money for the hospital. We only would release contact information, such as your name, address and phone number. If you do not want the Provider to contact you for our fundraising efforts, you must notify our Privacy Officer in writing at the address below.

Special Situations

 

Organ and Tissue Donation. If you are an organ donor, we may release medical information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.

 

Military and Veterans. If you are a member of the armed forces, we may release medical information about you as required by military command authorities.

 

Workers' Compensation. We may release medical information about you for workers' compensation or similar programs. These programs provide benefits for work-related injuries or illness.

 

Public Health Risks. We may disclose medical information about you for public health activities. These activities generally include the following:

Health Oversight Activities. We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the overall health care system, the conduct of government programs, and compliance with civil rights laws.

 

Lawsuits and Disputes. We may disclose medical information about you in response to a subpoena, discovery request, or other lawful order from a court.

 

Law Enforcement. We may release medical information if asked to do so by a law enforcement official as part of law enforcement activities; in investigations of criminal conduct or of victims of crime; in response to court orders; in emergency circumstances; or when required to do so by law.

 

Coroners, Medical Examiners and Funeral Directors. We may release medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release medical information about patients of the hospital to funeral directors as necessary to carry out their duties.

 

Protective Services for the President, National Security and Intelligence Activities. We may release medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations, or for intelligence, counterintelligence, and other national security activities authorized by law.

 

Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

Your Rights Regarding Medical Information About You.

 

You have the following rights regarding medical information we maintain about you:

 

Right to Inspect and Copy. You have the right to inspect and copy medical information that may be used to make decisions about your care. Usually, this includes medical and billing records, but does not include psychotherapy notes.

 

To inspect and copy medical information that may be used to make decisions about you, you must submit your request in writing to our Privacy Officer at the address below. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies associated with your request.

 

We may deny your request to inspect and copy in certain very limited circumstances. In some circumstances, if you are denied access to medical information, you may request that the denial be reviewed. Another licensed health care professional chosen by the Provider will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.

 

Right to Amend. If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept.

 

To request an amendment, your request must be made in writing and submitted to our Privacy Officer. In addition, you must provide a reason that supports your request.

 

We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:

Right to an Accounting of Disclosures. You have the right to request an "accounting of disclosures." This is a list of the disclosures we made of medical information about you. This accounting will not include many routine disclosures, including those made to you or pursuant to your authorization, those made for treatment, payment and operations purposes as discussed above, those made to the facility directory as discussed above, those made for national security and intelligence purposes and those made to correctional institutions and law enforcement in compliance with law.

 

To request this list or accounting of disclosures, you must submit your request in writing to our Privacy Officer. Your request must state a time period that may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper, electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

 

Right to Request Restrictions. You have the right to request additional restrictions or limitations on the medical information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the medical information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend.

 

However, we are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment.

 

To request restrictions, you must make your request in writing to our Privacy Officer at the address below. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply.

 

Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail.

 

To request confidential communications, you must make your request in writing to our Privacy Officer. We will not ask you the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.  If complying with your request entails additional expense over our usual means of communication, we may ask that you reimburse us for those expenses.

 

Right to a Paper Copy of This Notice. You have the right to a paper copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.

 

To obtain a paper copy of this notice, please request one in writing from our Privacy Officer at the address below.

Changes To This Notice

 

We reserve the right to change our policies and practices concerning the privacy of your medical information and this notice. We reserve the right to make the revised or changed notice effective for medical information we already have about you as well as any information we receive in the future. We will always post a copy of the current notice in the following locations: ___________ [describe generally, i.e. “near main patient entrances”.] The notice will show its effective date on the first page.

Complaints

 

If you believe your privacy rights have been violated, you may file a complaint with the Provider or with the Secretary of the Department of Health and Human Services. To file a complaint with the Provider, contact our Privacy Officer at the address and phone number below. All complaints must be submitted in writing.  You will not be penalized for filing a complaint.

Other Uses of Medical Information

 

Other uses and disclosures of medical information not covered by this notice or the laws that apply to us will be made only with your written permission. If you provide us permission to use or disclose medical information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, thereafter we will no longer use or disclose medical information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided to you.

Privacy Officer

 

The Provider’s Privacy Officer is: {Name, Mailing Address, Telephone, Fax, e-mail, other means of correspondence}


Acknowledgement

 

I hereby acknowledge that I have received a copy of the Privacy Practices Notice.

 

Signature:  _______________________________________________              Date: ________________

 

Print Name: _______________________________________________

 

Acknowledgement Refused

 

On this date, the undersigned patient refused or failed to acknowledge receipt of the Privacy Practices Notice.

 

Date: ___________

 

Name of Patient:  _____________________________________________________________________

 

Reason for refusal/failure:  ______________________________________________________________

 

____________________________________________________________________________________

 

____________________________________________________________________________________

 

Signature of Provider Employee: _____________________________________________________

 

File Signed Copy of this Page with Patient’s Record                                     

EXHIBIT B

MODEL BUSINESS ASSOCIATE CONTRACT

 

                This Agreement, effective on ___________________, is made by and between Business Associate and Covered Entity and modifies the Service Agreement.

 

1. DEFINITIONS.

1.1  Business Associate shall mean ____________ (insert name of Business Associate).

1.2  Covered Entity shall mean _____________ (insert name of Covered Entity).

1.3  Individual shall have the same meaning as the term “individual” in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

1.4  Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

1.5  Protected Health Information shall have the same meaning as the term “protected health information” in 45 CFR 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

1.6  Required by Law shall have the same meaning as the term “required by law” in 45 CFR 164.501.

1.7  Secretary shall mean the Secretary of the Department of Health and Human Services or his designee.

1.8  Service Agreement or Agreement shall mean that certain agreement between Business Associate and Covered Entity dated ___________________(Insert date of underlying agreement with Business Associate.)

All other capitalized terms not defined herein shall have the meanings assigned in the Privacy Rule.

2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE.

2.1  Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by the Agreement or as Required by Law.

2.2  Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

2.3  Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

2.4  Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.

2.5  Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

2.6  Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524.

2.7  Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.

2.8  Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.

2.9  Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.

2.10  Business Associate agrees to provide to Covered Entity or an Individual, in the time and manner designated by Covered Entity, information collected in accordance with Section 2.9 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.

3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.

3.1  General Use and Disclosure Provisions:  Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information on behalf of, or to provide services to, a Covered Entity for the following purposes, if such use or disclosure of Protected Health Information would not violate the Privacy Rule if done by Covered Entity, or violate the minimum necessary policies and procedures of Covered Entity, for the purpose of performing the Service Agreement.

3.2  Specific Use and Disclosure Provisions:

3.2.1  Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

3.2.2  Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3.2.3  Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B).

3.2.4  Business Associate may use Protected Health Information to report violations of law to appropriate federal and State authorities, consistent with 45 CFR 164.502(j)(1).

 

4. OBLIGATIONS OF COVERED ENTITY.

4.1  Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.

4.2  Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, if such changes affect Business Associate’s permitted or required uses and disclosures.

4.3  Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that the same may affect Business Associate’s use or disclosure of Protected Health Information.

4.4  Permissible Requests by Covered Entity:  Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity (unless permitted for a Business Associate under the Rule for data aggregation or the management and administrative activities of Business Associate).

5. TERM AND TERMINATION.

5.1  Term.  The Term of this Agreement shall be effective as of the date first written above, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.  Termination of this Agreement shall automatically terminate the Service Agreement.

5.2  Termination for Cause.  Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall:

5.2.1  Provide an opportunity for Business Associate to cure the breach or end the violation, and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; or

5.2.2  Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or

5.2.3  If neither termination nor cure is feasible, report the violation to the Secretary.

5.3  Effect of Termination.

5.3.1  Except as provided in the following paragraph, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity.  This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate.  Business Associate shall retain no copies of the Protected Health Information.

5.3.2  In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible.  Upon mutual agreement of the Parties that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

6. MISCELLANEOUS.

6.1  Regulatory References.  A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.

6.2  Amendment.  The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act, Public Law 104-191.

6.3  Survival.  The respective rights and obligations of Business Associate under Section 5.3 of this Agreement shall survive the termination of this Agreement.

6.4  Interpretation.  Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule.

6.5  Indemnification.  Each party will indemnify the other and hold it harmless against any loss, cost, damage, claim or expense (including reasonable attorney’s fees) arising from the party’s improper use and/or disclosure of protected health information through negligence or intentional wrongdoing or from a breach of this Agreement. 

COVERED ENTITY                                                            BUSINESS ASSOCIATE

 

By: ____________________                                                          By: __________________________

Its:                                                                                                          Its:


Exhibit C

TPO Rules Summary

The summary below is organized by category (Treatment, Payment, Operations); for each category, the first entry covers use and disclosure by the Provider for its own purposes, and the second covers disclosure to another Covered Entity for that entity’s TPO purposes.

Category: Treatment

Use and Disclosure by Provider for its purposes: OK. No Minimum Necessary Rule.

Disclosure to another Covered Entity for its TPO Purposes: OK to another health care provider (even if not a Covered Entity). No Minimum Necessary Rule.

Category: Payment

Use and Disclosure by Provider for its purposes: OK. Minimum Necessary Rule applies.

Disclosure to another Covered Entity for its TPO Purposes: OK to another Covered Entity (and a health care provider that is not a Covered Entity). Minimum Necessary Rule applies, but the Provider can accept the Covered Entity’s representation of compliance.

Category: Operations

Use and Disclosure by Provider for its purposes: OK. Minimum Necessary Rule applies.

Disclosure to another Covered Entity for its TPO Purposes: OK, but

... Only to another Covered Entity,

... Only for purposes of (i) quality assessment and improvement, including outcomes evaluation and the development of clinical guidelines, or (ii) review of the competence or qualifications of health care professionals (but within an OHCA, to other OHCA members for any operations purpose), and

... Only where and to the extent that each entity has or has had a treatment relationship with the patient.

Note: parties to an OHCA may share PHI for all common operations purposes.

Minimum Necessary Rule applies, but the Provider can accept the Covered Entity’s representation of compliance.

 

Business Associates: If Covered Entity can make a TPO disclosure under the TPO rules, so can the Covered Entity’s Business Associate.

 

Psychotherapy Notes: TPO rules are limited: Covered Entity may disclose without authorization only to carry out its own TPO functions, and only in the following ways: (1) use by the originator of the notes for treatment purposes, (2) use or disclosure for the Covered Entity’s own training programs for mental health professionals, students and trainees, and (3) use or disclosure by the Covered Entity to defend itself in a legal action or other proceeding brought by the patient.

 

Exhibit D

Tabular Summary of Use and Disclosure under Nevada Law, federal regulations.

 

Type of Information

T.P.O. Purposes*

Research**

Marketing and Fundraising

Law Enforcement (including prosecutors.)

General medical information

Follow Privacy Standard’s rules for provider’s own purposes, require authorization for TPO disclosures to another provider or plan for its TPO purposes.

Obtain authorization, “blanket form” OK.

Obtain authorization, “blanket form” OK.

Follow Privacy Standard’s rules.

Blood, breath, or urine test results.

Follow Privacy Standard’s rules for provider’s own purposes, require authorization for TPO disclosures to another provider or plan for its TPO purposes.

Do not use or disclose.

Do not use or disclose.

Follow Privacy Standard’s rules.

Genetic information***

Follow Privacy Standard’s rules, but limit to your own TPO purposes.  Disclose to another entity only with an informed consent from the patient on a state-approved form.

Do not use or disclose the identity of a person taking a genetic test or any genetic information.

Do not use or disclose the identity of a person taking a genetic test or any genetic information.

Disclose only (i) where the information is needed to conduct a criminal investigation or investigate the death of a person in a criminal proceeding (ii) in an action to determine parentage or identity of a person or corpse under NRS 56.020, (iii) in actions to determine parentage under NRS 126.121 or 425.384, (iv) to a federal, state, county or city law enforcement agency to establish the identity of a person or corpse, or (v) pursuant to court order. ****

Communicable disease

Follow Privacy Standard’s rules for provider’s own purposes, require specific authorization for TPO disclosures to another provider or plan for its TPO purposes.

Do not use or disclose the identity of a person with a communicable disease or any communicable disease information without specific authorization.

Do not use or disclose the identity of a person with a communicable disease or any communicable disease information without specific authorization.

Disclose only (i) in a prosecution for a violation of the Communicable Disease Act, or an action for an injunction thereunder; or (ii)  in reporting actual or suspected child or elderly person abuse. ****

Mental Health

Follow Privacy Standard’s rules for provider’s own purposes, require specific authorization for TPO disclosures to another provider or plan for its TPO purposes.

OK to disclose for “statistical and evaluative purposes, if the information disclosed is abstracted in such a way as to protect the identity” of the patient.

Do not use or disclose without specific authorization.

Disclose only with a court order.

Drug and alcohol abuse.

You may disclose: to medical personnel to the extent necessary to meet a bona fide medical emergency.

... to qualified personnel for the purposes of conducting management audits, financial audits or program evaluation, but such personnel may not identify, directly or indirectly, any individual patient in any report of such audit or evaluation or otherwise disclose patient identities in any manner.

... to a qualified service organization where information is needed by that organization to provide services to the program.

...  among personnel in the program or working for an entity having direct administrative control over the program, in connection with their duties that arise out of the provision of diagnosis, treatment or referral for treatment so long as the communications are within the program or between the program and the entity.

You may disclose for the purposes of conducting scientific research, but such personnel may not identify, directly or indirectly, any individual patient in any report of such research, or otherwise disclose patient identities in any manner.

Do not use or disclose for these purposes without very specific patient consent.

You may disclose to law enforcement officers, where the disclosure and use is (i) directly related to a patient’s commission of a crime on the program’s premises or a threat to commit such a crime, and (ii) limited to the circumstances of the incident, including the patient status of the perpetrator, his name and address and last known whereabouts.

 

Response to Subpoena: Disclosures of any of the information above should not be made to an attorney in response to a subpoena, except where the attorney provides a HIPAA-compliant authorization form signed by the patient.  

 

Psychotherapy notes: Always follow HIPAA rules on the use and disclosure of “psychotherapy notes” where those rules are stricter about allowing use or disclosure.

 

Lab Reporting of Test Results:  Where a licensed laboratory performs a test on the patient of a rural, county-owned or district hospital, test results may be released to the patient, the physician who ordered the tests and any other provider of health care who is currently treating or providing assistance in the treatment of the patient.  In all other cases, the laboratory may report the test results to the patient and the person requesting the test or procedure.  Beyond that, a licensed lab can probably report test results to other providers involved in treating the patient, or another person designated by the patient, if the patient so directs the lab in a HIPAA-compliant authorization.

 

*  The Privacy Standards place a “duty of verification” upon Covered Entities, requiring that they “verify the identity of a person requesting” health information and “the authority of the person to access” that information under the Standards.  For TPO disclosures to third parties, securing a patient authorization for release of information, where possible, would satisfy that duty and is a recommended practice. 

 

**  Research column deals with disclosures of patient-identifiable data.

 

***  If making a disclosure pursuant to a patient authorization, remember that a patient’s “informed consent” is required to authorize disclosure of genetic information, using a procedure and a form established by the board of health.  Both a HIPAA-compliant authorization and a state-mandated “informed consent” form will be required.

 

****  Before disclosure, the identity and authority of the requestor should be verified and documented.  It is strongly recommended that legal counsel be involved.



EXHIBIT E

HIPAA Privacy Standards

Required and Implied Policies and Procedures

(Simple Entity)

 

1.                    Privacy Officer: Training and Role:  The Privacy Officer (“PO”) (and a designated back-up) will be given (i) training in TPO and all Privacy Standard external disclosure rules, (ii) a copy of an outline of the Privacy Standards and (iii) a copy of the regulations.  POs and back-ups will sign compliance statements.  These persons will be designated as decision makers for (i) all non-routine internal use and disclosure questions and (ii) all external disclosures.

 

2.                    Administrative Privacy Policy: Internal Use and Disclosure of PHI.

 

A.                  Classes:  Review all job descriptions of persons who must access PHI (“PHI personnel”) and place each into the appropriate category (T, P or O).   (Some may be in multiple categories.)

 

B.                   Minimum PHI:  For each class, identify the PHI needed to perform the job.

 

i.                     Treatment Personnel:  No “minimum necessary rule”.  Personnel to be trained in limits of TPO uses and disclosures.   Those personnel shall sign statements that they understand and will honor those limits (“compliance statements”). (All compliance statements executed under these policies should, by their terms, become part of employee’s job descriptions.)

 

ii.                    Payment Personnel:

 

a.             For each job category characterized by repetitive, common and routinely occurring functions (“RCRO functions”), define PHI needed to perform job.    (Not all job categories will be so characterized.  For example, most supervisorial and management jobs cannot be so categorized.)  These personnel to be trained in limits of TPO uses and disclosures, the particular PHI limits which apply to their RCRO functions, and the role of the Privacy Officer.   Personnel to sign compliance statements.

 

b.             For all other “P” jobs,  involved personnel to be trained in limits of TPO uses and disclosures and the role of the Privacy Officer.   Those personnel shall sign compliance statements.

 

iii.                  Operations Personnel:

 

a.                    For each job category characterized by RCRO functions, define PHI needed to perform job. These personnel to be trained in limits of TPO uses and disclosures, the particular PHI limits which apply to their RCRO functions, and the role of the Privacy Officer.   Personnel to sign compliance statements.

 

2.             Administrative Privacy Policy: External Disclosure of PHI.

 

a.             For RCRO external disclosures, PO’s shall establish written policies and procedures to ensure compliance with the “minimum necessary rule”.

 

b.             For non-RCRO disclosures,  PO’s shall establish written review criteria for use in reviewing such disclosures to ensure compliance with the “minimum necessary rule”, and policies and procedures to provide for review of such disclosures. 

 

3.             Administrative Privacy Policy: External Requests for PHI.

 

a.             All external PHI requests to be made by PO or PO’s designee only, in accordance with the “minimum necessary” rule.

 

b.             For all  RCRO external requests,  PO’s shall establish written policies and procedures to ensure compliance with the “minimum necessary rule”.

 

c.             For non-RCRO external requests,  PO’s shall establish written review criteria for use in reviewing such requests to ensure compliance with the “minimum necessary rule”.

 

4.                    Administrative Privacy Policy:  Training.

 

a.                    PO to provide training modules, materials, trainers, etc.

 

b.                   All PHI accessing workforce to be trained in limits of TPO and the role of the PO.  

 

c.                    All personnel who are not in a PHI access category to receive basic training on PHI precautions as part of orientation.

 

d.                   For changes in policy or the regulations, the PO will supply written training materials to  PHI personnel.

 

iv.            PO as Resource.  All questions and concerns referred to PO for decision.

5.                    Administrative Privacy Policy:  Certification of Training.

 

a.                    All trained personnel to sign compliance statements on completion of training, to be filed by PO. 

 

b.                   POs to identify all new employees who will have PHI access and conduct training.

 

c.                    PO to obtain recertifications (signing of another compliance statement) every three (3) years from all PHI access personnel.

 

6.                    Miscellaneous Administrative Privacy Policies.

 

a.                    Business Associates.  Covering identification of Business Associates  and the execution of Business Associate Contracts.  PO to provide and maintain contract form.

 

b.                   Confidential Communications.  Policy and procedure covering how a patient may request “confidential communications”. 

 

c.                    Authorizations.  Obtaining, documenting and retaining authorizations for PHI disclosure and use.  Policy must cover how an authorization is revoked.

 

d.                   Notice and Opportunity to Object Consents.  Obtaining and documenting “notice and opportunity to object” consents (or written authorizations) for “facility directory” maintenance.  

 

e.                    Information Practices Notices.  Policy and procedure governing drafting, revision, distribution, posting, amendment of, acknowledgment of receipt, filing and retention of the Privacy Practices Notice.

 

f.                     Access and Amendment.  Policy and procedure governing how a patient requests and obtains access to his designated record set (DRS) for inspection, how any denial of access may be complained of and appealed, how an independent review of access decisions will be obtained if and when necessary, how amendment may be sought and denial appealed, how any corrected information will be distributed.

 

g.                   Disclosure Accounting.  Policy and procedure governing how an individual may obtain a disclosure accounting.

 

h.                   Complaints.  To whom a patient may complain and how complaints will be handled, including documentation of all complaints made and their disposition.

 

i.                     Reporting of Violations.     How employees and others may report perceived violations by the entity, its personnel or business associates, including documentation of reports made and their disposition.

 

j.                     Document Retention. Establish a 6-year retention policy for all documents containing PHI and all documents mentioned in any of the policies herein (e.g., compliance statements, signed Privacy Practices Notices, patient complaints, etc.).

 

k.                    Verification.  How the identity of persons not known to the Covered Entity will be verified in accordance with the regulation’s requirements, and how verification documentation will be requested and maintained.

 

l.                     Workforce Discipline.  How employees and other workforce members will be disciplined for violations of the Privacy Rule and how such discipline will be documented.

 

m.                  Mitigation.  How the organization will respond to detected violations of the Privacy Standards to attempt to mitigate any resultant breach of confidentiality or damages.

 


EXHIBIT F

{Name and Address of Provider}

AUTHORIZATION FOR THE RELEASE

OF PROTECTED HEALTH INFORMATION

                        This Authorization authorizes the release of Protected Health Information pursuant to 45 CFR Parts 160 and 164.

1.         The undersigned authorizes the above-named provider (“Provider”) to release the following information: (describe in a “specific and meaningful fashion”) _____________

_______________________________________________________________________.

2.         The information may be disclosed by employees or business associates of Provider.

3.         The information may be disclosed to: (insert name or other specific identification of the persons or entities to which the disclosure will be made)________________________________.

4.         The disclosure may be made for the following purpose (describe specifically. If disclosure is at patient’s request, “At request of patient” will suffice. If more than one purpose, describe each.)__________________________________________________________________

______________________________________________________________________________

5.         This authorization will expire on (date) _________________________, or when (describe occurrence) __________________________.

6.         I acknowledge: (i) that I have the right to revoke the authorization at any time, and (ii) that I understand that once the information is disclosed, it may no longer be protected by federal privacy law.

You may revoke this authorization only in a writing sent by certified mail to the Provider at the address above.  The revocation will be effective only upon receipt, except (1) to the extent the Provider has acted in reliance on the authorization, or (2) where the authorization was obtained as a condition of obtaining insurance coverage and the insurer wishes to use the protected health information to lawfully contest a claim. Further information on the right to revoke may be provided from time to time in the Provider’s Notice of Privacy Practices.

7.                  I understand that treatment by the Provider is not conditioned on my signing this authorization, although exceptions will be made for (a) research-related treatment, (b) treatment the purpose of which is creating protected health information for a third party, such as pre-employment physicals, and (c) except for psychotherapy notes, health plans that condition enrollment on an authorization requested prior to enrollment, or where payment is conditioned on an authorization to use PHI to determine payment.

8.                  If this authorization is for a marketing use or disclosure of my information, the Provider:

8.1  [ ] will be remunerated by a third party.

8.2  [ ] will not be remunerated by a third party.

 

Date:____________________________

Signed by :________________________________

Print Patient’s Name: _______________________

If person signing is other than patient, state authority under which signature is made: _________

______________________________________________________________________________

 

The patient must be given a copy of this authorization.