HIPAA Compliance Agreement
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information. HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans). HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).
If you want to read further about HIPAA please use this link: www.cdc.gov/phlp/publications/topic/hipaa.html
Payment and Health Care Operations are defined in the Privacy Rule at 45 CFR 164.501.
· “Treatment” generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
· “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to:
* Determining eligibility or coverage under a plan and adjudicating claims;
* Billing and collection activities;
* Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
* Utilization review activities; and
* Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).
· “Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of “health care operations” at 45 CFR 164.501, include:
* Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
* Therapists with reasonable concern must report the following to legal authorities as required: Child abuse or neglect.
* Therapists with reasonable concern must report the following to legal authorities as required: Adult and Domestic Abuse.
* Therapists with reasonable concern must report the following to legal authorities as required: Serious threat to health and safety. The therapist may disclose relevant PHI and take reasonable steps under the law to prevent the threatened harm from occurring. The therapist may disclose information to protect the client or those associated with the threat.
* Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
General Provisions at 45 CFR 164.506. A covered entity may, without the individual’s authorization:
* Use or disclose protected health information for its own treatment, payment, and health care operations activities. For example:
* BHC may use protected health information about an individual to provide health care to the individual and may consult with other health care providers about the individual’s treatment.
* A health care provider may disclose protected health information about an individual as part of a claim for payment to a health plan.
* A covered entity may disclose protected health information for the treatment activities of any health care provider (including providers not covered by the Privacy Rule). For example:
* A primary care provider may send a copy of an individual’s medical record to a specialist who needs the information to treat the individual.
* BHC may send a patient’s health care instructions to a nursing home or hospital to which the patient is transferred.
* A covered entity may disclose protected health information to another covered entity or a health care provider (including providers not covered by the Privacy Rule) for the payment activities of the entity that receives the information. For example:
* A hospital emergency department may give a patient’s payment information to an ambulance service provider that transported the patient to the hospital in order for the ambulance provider to bill for its treatment.
* A covered entity that participates in an organized health care arrangement (OHCA) may disclose protected health information about an individual to another covered entity that participates in the OHCA for any joint health care operations of the OHCA. For example:
* The physicians with staff privileges at a hospital may participate in the hospital’s training of medical students.
Uses and Disclosures of Psychotherapy Notes. Except when psychotherapy notes are used by the originator to carry out treatment, or by the covered entity for certain other limited health care operations, uses and disclosures of psychotherapy notes for treatment, payment, and health care operations require the individual’s authorization. See 45 CFR 164.508(a)(2).
Minimum Necessary. A covered entity must develop policies and procedures that reasonably limit its disclosures of, and requests for, protected health information for payment and health care operations to the minimum necessary. A covered entity also is required to develop role-based access policies and procedures that limit which members of its workforce may have access to protected health information for treatment, payment, and health care operations, based on those who need access to the information to do their jobs. However, covered entities are not required to apply the minimum necessary standard to disclosures to or requests by a health care provider for treatment purposes.
Consent. A covered entity may voluntarily choose, but is not required, to obtain the individual’s consent for it to use and disclose information about him or her for treatment, payment, and health care operations. A covered entity that chooses to have a consent process has complete discretion under the Privacy Rule to design a process that works best for its business and consumers. A “consent” document is not a valid permission to use or disclose protected health information for a purpose that requires an “authorization” under the Privacy Rule (see 45 CFR 164.508), or where other requirements or conditions exist under the Rule for the use or disclosure of protected health information.
Right to Request Privacy Protection.
Complaints: If you are concerned about your privacy rights or disagree with a decision made concerning your records, please contact Brighter Health Counseling. You may also send a written complaint to the Secretary of the U.S. Dept. of Health and Human Services. Brighter Health Counseling reserves the right to make new notice provisions for all PHI maintained at Brighter Health Counseling.
Revisions will be mailed or emailed.
My signature below indicates that I have read, or someone has read to me, the Privacy Practices of Brighter Health Counseling.