Compliance Plan 0307 - Summa Health


Summa Hospitals

Compliance Plan

November, 2006 Revised 02/07, 03/07


Summa Hospitals Compliance Plan

Table of Contents

Policy Page Number

Purpose 8

Scope 8

Part I: Code of Conduct

Introduction 9

Relationships With Health Care Partners

Patients

Patient Care Services 9

Privacy and Security of Protected Health Information 10

Admission, Transfer, Discharge 11

Emergency Departments 12

Patient Billing and Associated Conflict Resolution 12

Affiliated Physicians

Financial Arrangements With Physicians 13

Kickbacks and Improper Payment for Referrals 13

Self-Referrals (Stark Laws) 13

Third-Party Payers

Billing – All Payers 14

Laboratory 14

Educational Institutions, Students and Resident Physicians

Relations With Educational Institutions, Students and Resident Physicians 14

Business Information and Information Systems

Accounting and Financial Responsibility 15

Confidentiality of Employee and Business Information 15

Use of Personal Computers 16

Workplace Conduct and Employment Practices

Antitrust 16

Bribes, Gratuities and Gifts 17

Conflict of Interest 17

Equal Opportunity Employment 17

Equitable Compensation 18

Harassment and Workplace Violence 18

Individuals Excluded From Participation in Medicare, Medicaid and Other Federal Health Care Programs 19

Licensure, Certification and Registration 19

Performance Evaluation 19

Personal Use of Organizational Resources 19

Political Activity and Tax-Exempt Status 20

Possession of Firearms, Explosives and Other Weapons 20

Reporting Actual or Potential Wrong-Doing 20

Responding To Outside Investigations 21

Substance Abuse and Mental Acuity 21

Vendor/Subcontractor Relations 21

Marketing Practices

Marketing 22

Safety and Environmental Preservation

The Environment, Medical Waste and Hazardous Materials 22

Safety 23


Part II: Compliance Plan Elements

Policy Page Number

Role of the Summa Hospitals Chief Compliance Officer 25

Composition and Role of the Summa Hospitals Compliance Committees 28

Role of the Department of Corporate Compliance 30

Corporate Compliance Education 31

Reporting Actual or Potential Wrong-Doing and Policy of Non-Retaliation/Non-Retribution 32

Response When a Potential Compliance Concern Is Raised 34

Pre-Employment/Pre-Engagement Inquiry for Eligibility To Participate in Government-Funded Programs 36

Auditing and Monitoring 54

Departmental Compliance Training, Monitoring, Auditing and Annual Reporting Requirement 55

Discipline Regarding Compliance Violations 56

Responding To Government Investigations 58


Part III: Policies Addressing Compliance Risks

Policy Page Number

Summary of Part III Policies 59

Billing For Health Care Services 62

Chargemaster Compliance Policy 63

Contingency-Based Arrangements 67

Health Information Management Department Standards of Conduct for Coding 69

Hourly Observation Policy and Procedure 73

Medical Necessity 79

Medical Record Chart Content 82

Medical Record Retention Procedure 83

Medicare Bad Debt 85

Medicare Cost Report 86

Procedure For Completing Quarterly Medicare Credit Balance Report 87

Offices of Medical Education and Research Administration 90

Outpatient Services Rendered To Medicare Patients In Connection With Inpatient Stays 92

Patients’ Freedom of Choice in Post-Acute Care Services 93

Physician Services Support Policy 95

Refund Guideline Policy 100

Prevention of False Claims 101


Part IV: Health Information Privacy and Security Policies

Policy Page Number

General Obligations Regarding Uses and Disclosures of Protected Health Information 104

Uses and Disclosures of Protected Health Information In the Workplace 113

Access to Protected Health Information 127

Accounting of Disclosures of Protected Health Information 131

Amendments to Protected Health Information 135

Authorizations 139

Authorizations Checklist 143

Computer Systems Contingency Policy 153

Computers Hardware, Software, and Use 156

Confidential Communications 161

Contract Management and Business Associate Contracts 162

Family and Friends Involved With a Patient 166

Floppy Diskette, CD’s and Other Portable Media Storage/Disposal 169

Fundraising Activities 171

Information Access/Control 173

Information Internal Audit 179

Information Physical Security 182

Information Risk Analysis and Management 185

Information Security 188

Limited Data Set 193


Marketing Activities 195

Minimum Necessary Information 197

Minimum Necessary Disclosure Checklists 200

Mitigation of Improper Uses or Disclosures of Protected Health Information 206

Notice of Privacy Practices 210

Notice of Privacy Practices Distribution 215

Patient Directory 217

Personnel Security Policy 220

Restrictions on Uses and Disclosures of Personal Protected Health Information 224

Sanction Policy 227

Termination Procedure 228

Verification of Identity and Authority 231


Purpose and Scope of the Compliance Plan

Purpose

The Compliance Program of Summa Health System Hospitals and Cuyahoga Falls General Hospital embodies dedication to the highest standards of ethical behavior, expressed through corporate culture and through adherence to the law. This Compliance Plan reflects acceptance of a duty, and commitment of resources, to meet those standards.

Scope

In this Compliance Plan, Summa Health System Hospitals, including Akron City and Saint Thomas Hospitals, and Cuyahoga Falls General Hospital are referred to collectively as “Summa Hospitals.” The provisions of this Compliance Plan apply to everyone involved in overseeing, managing and operating all components of Summa Hospitals, including board members, corporate officers, managers, supervisors, employees, medical staff, resident physicians, other health care professionals, students, volunteers and, as applicable, contractors, consultants and vendors.


Part I: Code of Conduct

Introduction

Summa Hospitals is committed to improving the health status of its community, to providing high quality undergraduate and graduate medical education for the next generation of physicians and to upholding the highest ethical and legal standards. Summa Hospitals supports a work environment that promotes individuality, teamwork, innovation, initiative and opportunities for growth through personal and professional support, training and development. Summa Hospitals also provides clinical training opportunities for a broad range of health care disciplines. This is a Code of business ethics that reflects basic principles and policies of conduct. Although this document does not include coverage of all existing policies and procedures, it provides guidelines for acceptable behavior with respect to Summa Hospitals’ patients, customers, physicians, third party payors, suppliers, competitors, employees, and community. The Summa Hospitals Code of Conduct sets forth guidelines to be used to evaluate and handle situations in a consistent and uniform manner, and to ensure compliance with laws and regulations. All Summa Hospitals employees and agents have a responsibility to conduct themselves in an ethical manner, so that Summa Hospitals can achieve its mission: to provide the highest quality, compassionate care to our patients and to contribute to a healthier community.

Relationships With Health Care Partners

Patients

Patient Care Services

The Administration and Clinical Staff of Summa Hospitals are committed to a consistent level of quality care and service for patients and families. To avoid compromising the quality of care, clinical decisions (including tests, treatments and other interventions) are based on identified patient health care needs regardless of how the hospital compensates its employees or clinical staff. This philosophy is supported by policies and procedures available to patients, clinical staff, licensed independent practitioners, and hospital personnel on request. The acuity of the patient’s condition as assessed by the respective health care professional determines the plan of care and resource allocation for the patient’s needs. Comparable levels of patient/nursing care are provided throughout the system based on patient acuity/care needs. Access to appropriate care and treatment is available to all patients regardless of the patient’s ability to pay or source of payment. Although insurance verification and approval for care and services are routine processes integral to care delivery, provision of care is based on medical necessity, assessment of need, care planning and standards of care/practice guidelines. Patients and families are informed of payor communication/direction to providers prior to care provision when the opportunity is available. Patients and families can then make informed decisions regarding care recommendations/options and payment sources. Circumstances can arise in which the payor, the physician and the interdisciplinary team determine that the patient no longer needs care or the current level of care and the patient or family disagrees. In these situations, an interdisciplinary care conference with the patient and family will be conducted. Rationale for medical decisions and treatment plans will be explained and discussed with the patient and family. Resources will be provided including members of administration, legal counsel, Ethics Committee, patient advocate, etc. in an effort to assure the patient and family of the care plan objectives. Informed decisions can then be made by the patient and family regarding selected options and financial responsibilities.

Privacy and Security of Protected Health Information

Summa Hospitals collects and maintains protected health information about patients. Both Ohio and federal law on patient privacy and confidentiality, including the federal HIPAA regulations, limit how health care providers and their workforce members may use and disclose this information. Protected health information (PHI) includes information that is:

• Created or received by Summa Hospitals;
• Relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or the past, present, or future payment for the provision of health care to a patient; and
• Identifies the patient or provides a reasonable basis to believe that it can be used to identify the patient.

Protected health information includes information of persons living or deceased. The requirement for confidentiality applies to all media of communication, whether verbal, written, graphic or electronic. Within Summa Hospitals, personnel may use only as much protected health information as needed to do their work. Access of information beyond work needs is prohibited, and will lead to disciplinary action.


Disclosure of information outside Summa Hospitals may be made under certain circumstances, but is subject to many legal restrictions. All personnel should seek advice from the Privacy or Information Security Officer if they are uncertain whether any particular access or disclosure of protected health information is appropriate. In addition, all workforce members are responsible for preserving the integrity, confidentiality, and security of computerized protected health information. Important practices to protect computerized information include never sharing passwords, never allowing others to use your computer after you have logged on, and locking down your computer or logging off when you are not sitting at the keyboard. Policies covering use, disclosure and security of protected health information are found in Part III of Summa Hospitals’ Compliance Plan, located on Summa Hospitals’ web site at http://www.summahealth.org and in every copy of Summa Hospitals’ Administrative Policy Manual. Other sources of information regarding use, disclosure and security of protected health information include:

• An employee’s supervisor or other manager
• The Privacy Issues Help Line at 330-375-6665
• Summa Hospitals’ Compliance Hot Line at 1-800-421-0925
• Summa Hospitals’ Privacy Officer
• Summa Health System Hospitals’ or Cuyahoga Falls General Hospital’s Information Security Officer
• The Department of Legal Services

Admission, Transfer, Discharge

Admissions, transfers and discharges are conducted in a medically appropriate and ethical manner, and in accordance with local, state, and federal laws and regulations. Summa Hospitals does not base admission or transfer policies on patient or hospital economics. Please refer to the following policies found in the respective Administrative Policy binders for greater detail:

At Summa Health System Hospitals:

• Admission of Patients to the Psychiatric Unit Policy
• Admission of Patients Under Police Protection Policy
• Patient Transfer Policy
• Case Management Policy

At Cuyahoga Falls General Hospital:

• Admission of Patients
• Patient Transfer


Emergency Departments

All hospitals that participate in the Medicare program and operate emergency departments are subject to the Emergency Medical Treatment and Active Labor Act of 1986 (“EMTALA”). The law requires Summa Hospitals to provide a medical screening examination for any individual (not just Medicare beneficiaries) who comes to the Emergency Department seeking emergency treatment. If it is determined that the individual has an emergency condition, the Emergency Department must provide treatment to stabilize the condition and upon completion of stabilization, admit or discharge the patient, or transfer the patient in accordance with certain requirements that Summa Hospitals has set forth in Patient Care Services Policy, Patient Discharge/Transfer Outside Summa Health System. Neither an initial screening nor any needed stabilizing treatment may be delayed in order to inquire about an individual’s method of payment or insurance status. Further detailed information on Emergency Department operations is found in relevant Policies and Procedures of Summa Hospitals’ Emergency and Ambulatory Care Departments.

Patient Billing and Associated Conflict Resolution

Summa Hospitals is committed to honest, accurate, fair and understandable billing through proper and lawful means. The following procedures ensure that patients are billed only for those services received:

1. Patient receives a summary statement that includes date(s) of service and a summary of charges.

2. Patient receives an itemized bill upon request.

3. If a patient or payer questions a charge, the inquiry is reviewed in a timely manner, and any complaints are handled in a non-biased manner.

4. Service complaints related to patient care are formalized by the Patient Financial Services Department (Customer Service) and/or the Financial Counselor. Once formalized, the complaint is sent to the appropriate Supervisor/Manager for investigation, resolution and follow-up with the initiator of the complaint. A copy of the complaint is forwarded to the Patient Liaison (Summa Health System Hospitals) or the Risk Manager (Cuyahoga Falls General Hospital) for statistical and Quality Improvement purposes. When follow-up is complete, original documentation is retained by the Manager, Customer Service/Patient Financial Services.

5. General credit and collections procedures are handled in a responsible, professional and courteous manner, with sensitivity to the human dignity of debtors. Summa Hospitals will not, under any circumstances, engage in any unlawful or unfair collection practices in the handling of accounts, as such practices are defined by any applicable laws or guidelines established by any Federal, State or local agency.

The following policy and procedure further supports Summa Hospitals’ commitment to fair billing and associated conflict resolution: Patient Financial Services Policy, Patient Financial Services Department Customer Service.


Affiliated Physicians

Financial Arrangements With Physicians

All financial transactions involving goods or services provided by or to physicians must be reviewed and approved by the Summa Health System Vice President, Legal Services, as well as by other corporate officers and the Medical Executive Committee as appropriate, for compliance with applicable federal and state laws and regulations involving anti-kickback and self-referral prohibitions. Leases of equipment or office space to or from physicians are subject to the same review.

Kickbacks and Improper Payment for Referrals

Summa Hospitals, its employees and agents are prohibited from knowingly and willfully soliciting, offering to pay or making payments (kickbacks, bribes or rebates) for referrals of patients for services. Federal and state law prohibits the receipt of payments for referral of patients for services. In addition, the receipt of payments for purchasing, leasing, ordering, or for recommending the purchase, lease or ordering of goods, facilities or services is also prohibited. Definition of “payments” includes but is not limited to: cash, payment for goods, services or rentals in excess of fair market value, free goods or services, paying the salary of an employee, or waiving or non-collection of co-payments or deductibles. No Summa Hospitals employee should engage in any activity that could be construed as an improper referral or payment, even if the activity appears to fit within a legal “safe harbor” exception, without prior approval by the Summa Hospitals Chief Compliance Officer or Vice President, Legal Services and other corporate officers as appropriate.

Self-Referrals (Stark Laws)

Federal law prohibits physicians from referring Medicare and Medicaid patients to entities in which the physician (or any member of his immediate family) holds a financial interest for provision of designated health services (as listed below). Providers may not submit or cause to be submitted a bill or claim for reimbursement for services performed as a result of a prohibited referral. Although there are certain exceptions to the self-referral prohibition, all such proposed transactions must be brought immediately to the attention of the Summa Health System Vice President, Legal Services. Designated health services affected by the referral prohibition include:

• Clinical laboratory services
• Physical therapy services
• Occupational therapy services
• Radiology services, including magnetic resonance imaging, computerized axial tomography scans, and ultrasound services
• Radiation therapy services and supplies
• Durable medical equipment and supplies
• Parenteral and enteral nutrients, equipment and supplies
• Prosthetics, orthotics, and prosthetic devices and supplies
• Home health services
• Outpatient prescription drugs
• Inpatient and outpatient hospital services

Third-Party Payers

Billing - All Payers

Summa Hospitals complies with all federal and state regulations to properly ensure the preparation and submission of accurate and complete claims. We prohibit any subcontractor from knowingly presenting or causing to be presented claims for payment that are false, fictitious or fraudulent. All subcontractors that perform billing or coding services must have the appropriate skills, training, quality assurance process, systems, necessary procedures, and knowledge of federal and state regulations to ensure that all billings are correct. All Subcontractors are reviewed on a department-specific basis using quality assurance methods to reinforce our commitment to accuracy and completeness. Summa Hospitals is committed to maintaining current and accurate billing.

Laboratory

The Clinical Laboratory at Summa Hospitals strives to adhere to laws, regulations and Federal and State guidelines, and to maintain a reputation as a reliable, honest and trustworthy health care provider. Laboratory billing follows the guidelines stated in this code, as well as, among others, guidelines regarding issues of medical necessity, accurate and appropriate coding, complete documentation and document retention. Laboratories must bill only for services both ordered and actually rendered. In addition to this code, specific information related to laboratory operations can be found in Laboratory Policies and in Summa Hospitals’ Laboratory Billing Compliance Manual.

Educational Institutions, Students and Resident Physicians

Relations with Educational Institutions, Students and Resident Physicians

Summa Hospitals offers educational opportunities for resident physicians and for students from educational institutions and programs in a wide variety of disciplines. All Summa Hospitals personnel should treat resident physicians and students positively and respectfully. Summa Hospitals personnel working directly with resident physicians and students should strive to provide opportunities of maximum educational value, and to fulfill Summa Hospitals’ commitments to each student’s home institution. In return, resident physicians and students are expected to abide by all relevant Summa Hospitals policies, including this Code of Conduct, as well as the terms of relevant affiliation agreements or Graduate Medical Education policies. Affiliation agreements are developed between Summa Health System and a variety of educational institutions. Individual affiliation agreements detail the relationship between Summa Health System, educational institutions and their students.

Business Information and Information Systems

Accounting and Financial Responsibility

Summa Hospitals is committed to the highest standards of business ethics and integrity, and to maintaining the integrity and accuracy of its books, records, and accounts. This requires every employee to record and report information accurately and honestly, including accurate reporting of time worked, business expenses incurred, ancillary test results, patient charts, revenues and expenses, and other business-related activities. Financial records must accurately reflect the assets, liabilities, revenues and expenses of Summa Hospitals. All company records are subject to audit, and financial results are to be reported in accordance with generally accepted accounting principles (GAAP), as well as with all applicable federal, state, and local laws. In 2004 the Audit Committee of Summa Health System’s Board of Directors authorized the establishment of an Internal Audit Department that will be focused on bringing the health system entities into compliance with the Sarbanes-Oxley regulations related to financial reporting accuracy and internal control monitoring. Although these federal regulations are not mandated for not-for-profit entities, Summa Health System is committed to this higher standard of performance and accountability. Since Summa Hospitals receives reimbursement under government programs such as Medicare and Medicaid, Summa Hospitals is required to submit reports to government agencies on the costs of operations. Summa Hospitals commits to complying with all federal and state laws, regulations and policies defining allowable costs and appropriate methodologies to claim reimbursement for services provided to Medicare and Medicaid patients.

Confidentiality of Employee and Business Information

All information concerning the business affairs of Summa Hospitals should remain confidential, including but not limited to information regarding employees, financial affairs and development or strategic plans.


For more information, please refer to the following Summa Health System Hospitals Human Resources Policies:

• Confidentiality of Employee Records
• Disciplinary Process and Rules of Conduct

Use of Personal Computers

Computers are used widely throughout Summa Hospitals’ business operations. Standards and guidelines for proper use of personal computers have been developed. All existing Summa Hospitals Administration and Human Resources policies regarding confidentiality and employee conduct apply to computerized information. Electronic mail (e-mail) sent outside Summa Health System that contains health information protected under HIPAA will automatically be encrypted. Confidential information should not be sent within Summa Health System unless it is absolutely necessary. Each Summa Hospitals employee is responsible for maintaining the security and confidentiality of data to which he or she has access. Violation of Summa Hospitals’ policies regarding computer usage can result in disciplinary action. Specific information regarding use of computers at Summa Hospitals is found in Part III of Summa Hospitals’ Compliance Plan, and in the following Administrative Policies:

At Summa Health System Hospitals:

• Personal Computers Hardware & Software
• Internet Use
• Electronic Mail Use

At Cuyahoga Falls General Hospital, in addition to the policies above:

• Project Request
• Computer Security and Hardware/Software Requests

Workplace Conduct and Employment Practices

Antitrust

Under no circumstances should a Summa Hospitals employee engage in any anti-competitive activity with a competitor or potential competitor. Anti-competitive activity includes:

- agreeing to fix prices of goods, services or labor
- allocating products, services, patients or territories
- boycotting certain suppliers, payors, physicians, or other providers

Discussion or the exchange of competitively sensitive information between Summa Hospitals and a competitor or potential competitor is also considered illegal under the antitrust laws. A Summa Hospitals employee should never provide or request competitively sensitive information from a competitor or potential competitor. Competitively sensitive information includes, but is not limited to, such fields as prices of goods or services, marketing activity and development plans. Participation in surveys of prices, costs or other competitively sensitive information is appropriate if conducted by an independent third party, such as a hospital association. No response to any request for competitive information from any other outside source should be issued without guidance from the Summa Health System Vice President, Legal Services. Prior to entering into negotiations regarding joint venture arrangements, mergers, affiliations, and management and operating agreements or any other contracts, the Summa Health System Legal Services Department should be consulted. When a complaint, subpoena or request for information is received by Summa Hospitals employees from any government branch, agency or department which is not covered by existing guidelines and procedures, the Summa Health System Vice President, Legal Services should be notified promptly before any response or acknowledgement is made.

Bribes, Gratuities and Gifts

Summa Hospitals personnel are prohibited from giving or accepting money, gifts, favors or anything of value where the intent or effect might be, or might appear to be, the exertion of undue or improper influence on a business decision. Only gifts that are ordinary, customary expressions of social or business friendship or courtesy (meals, entertainment, golf, etc.) may be accepted. More information can be found in Summa Hospitals Administrative Policies on Conflict of Interest.

Conflict of Interest

All Summa Hospitals employees and members of the Boards of Directors of Summa Hospitals and its affiliated entities should act in the best interest of Summa Health System. No employees or agents of Summa Hospitals should engage in any outside business or financial activity that may interfere with their ability to fulfill their obligations or perform their duties. If any employee or Board Member encounters a conflict of interest, they should follow the existing Administrative Policies on Conflict of Interest. These policies address examples of conflicts of interest, the role of corporate officers and executive staff, competitive bidding, access to information, gifts, loans, and travel.

Equal Opportunity Employment

Summa Hospitals is committed to providing a work environment with equal opportunity employment. Everyone should be treated with fairness, dignity, and respect. All qualified persons are entitled to equal employment opportunities regardless of race, color, religion, age, sex, disability, national origin, sexual orientation or status as a veteran. Summa Hospitals will comply with all federal, state and local laws, regulations, and policies related to non-discrimination and the employment relationship including but not limited to recruiting, hiring, training, benefit administration, promotion, transfer, and working conditions. More information on equal opportunity employment can be found in the Human Resource Manual, Equal Employment Opportunity/Workforce Diversity.

Equitable Compensation

Summa Hospitals is committed to paying equitable wages, which are based upon the duties and responsibilities of the job and rates paid in the appropriate labor market for comparable work. The pay program and pay practices of Summa Hospitals will be administered without regard to race, color, sex, age, national origin, religion, or disability. For more information, refer to the Human Resource Policy Manual, Compensation Philosophy.

Harassment and Workplace Violence

All Summa Hospitals employees, patients, and agents have the right to an environment that is free of violence and harassment. Degrading or humiliating jokes, slurs, intimidation, or other harassing conduct is not acceptable. All forms of sexual harassment are prohibited. Sexual harassment includes but is not limited to unwelcome sexual advances, requests for sexual favors in conjunction with employment decisions, or verbal or physical conduct of a sexual nature. An employee having knowledge of any alleged harassment is responsible for reporting it to the supervisor and/or the Human Resource Department immediately. Such reports will be held in confidence and the employee will be protected from harassment or retaliation for reporting this misconduct. Further, any employee who is aware of a person who engages in any kind of harassment and fails to report it will be subject to discipline. Summa Hospitals will investigate all claims of harassment and take immediate and appropriate remedial action. Also see the following policies:

At Summa Health System Hospitals

• Human Resource Policy, Disciplinary Process and Rules of Conduct
• Summa Health System Medical Staff Policy, Code of Conduct
• Summa Health System Medical Staff Bylaws
• Summa Health System Graduate Medical Education Policies and Procedures Manual

At Cuyahoga Falls General Hospital

• Human Resource Policy, Disciplinary Process and Rules of Conduct
• Cuyahoga Falls Health System Medical Staff Policy, Sexual Harassment
• Cuyahoga Falls Health System Medical Staff Bylaws
• Cuyahoga Falls Health System House Staff Manual


Individuals Excluded From Participation in Medicare, Medicaid and Other Federal Health Care Programs

Summa Hospitals will not knowingly employ or contract with any individual or entity listed by a federal agency as excluded, debarred, suspended or otherwise ineligible to participate in federal health care programs. In order to carry out this policy, Summa Hospitals will make reasonable inquiry into the status of any prospective employee, consultant or contractor. Specific procedures are contained in Summa Hospitals’ Compliance Plan, Part I, Pre-Employment/Pre-Engagement Inquiry For Eligibility To Participate In Government-Funded programs.

Licensure, Certification and Registration

All potential employees who have completed an application for employment for a position requiring licensure, registration, or certification by the State of Ohio or Summa Hospitals must possess a valid, current license, registration, or certification. Throughout their association with Summa Hospitals, such licensed, certified or registered personnel are expected to maintain current credentials continuously in compliance with Federal, State and organizational requirements. To assure compliance, Summa Hospitals requires periodic evidence of current license or credential status. More information may be found in Human Resources Policy, License Verification.

Performance Evaluation

Performance appraisal is used to formally communicate to employees the manner in which they are meeting the standards and expectations of their position and department. There are two processes for evaluating employee performance. The Performance Management process is designed to evaluate goal/objective work and the Employee Performance Appraisal process is used to evaluate task-oriented work. Both processes are developmental, collaborative, and emphasize both past performance and future growth. Performance evaluations are to be conducted at least once per year by an employee’s supervisor. This subject is detailed in the Human Resource Policy, Employee Performance Appraisal.

Personal Use of Organizational Resources

Summa Hospitals assets are to be maintained and used for business-related purposes. Unauthorized use, taking or borrowing of Summa Hospitals equipment, supplies, materials or services is prohibited. Personal use of any Summa Hospitals asset without prior supervisory approval is forbidden. Unauthorized removal of Summa Hospitals property and unauthorized or inappropriate use of Summa Hospitals supplies, equipment and/or services are offenses that may result in immediate termination. Community or charitable use of Summa Hospitals resources (including employee time, information and telephone) must be approved in advance by a supervisor. Use of Summa Hospitals assets for personal financial gain is not allowed. Personal telephone calls are to be kept to a minimum. The personal use of computers is addressed separately within this Code under the heading, “Use of Personal Computers”. Additional information can be found in Human Resource Policies: Disciplinary Process and Rules of Conduct, and Telephone Usage.

Political Activity and Tax-Exempt Status

Summa Hospitals is not permitted to engage in excessive lobbying activities at the state or federal levels, nor may its assets be used to support or oppose political candidates. Violations of this policy may jeopardize Summa Hospitals’ tax-exempt status. While employees are encouraged to participate in federal, state, and local government they must be sure that their activities are not viewed as activities taken on behalf of Summa Hospitals. Further, employees will not be reimbursed in any manner for their involvement in political activities.

As a non-profit, tax-exempt entity, Summa Hospitals is prohibited from permitting its assets to inure to the benefit of insiders of the organization. Summa Hospitals has a legal and ethical obligation to comply with applicable laws and regulations, to engage in activities that further its charitable purposes, and to ensure that its resources are used to further the community benefit rather than the private or personal interests of any individual. Summa Hospitals, its agents and employees must avoid compensation arrangements and benefits in excess of fair market value, must accurately report payments to appropriate taxing authorities, and must file all tax information returns according to applicable laws. All pension and benefit plans must conform to the Internal Revenue Code, the Employee Retirement Income Security Act (ERISA), and other applicable laws.

Possession of Firearms, Explosives and Other Weapons

No employee may possess explosives on any Summa Hospitals premises. The possession of firearms and other weapons by unauthorized personnel is strictly prohibited. Violation of security regulations, including the possession of weapons on Summa Hospitals property, is an offense that may result in immediate termination. Possession of weapons is addressed in Human Resource Policy: Disciplinary Process and Rules of Conduct.

Reporting Actual or Potential Wrong-Doing

All Summa Hospitals employees, supervisors, managers, agents and contractors are responsible for promptly reporting actual or potential infringements of law, regulation, policy, or procedure. The proper channels to report wrong-doing include the employee’s immediate supervisor or manager, a higher level supervisor or manager, the Human Resources Department, the Legal Department, Nursing Administration, the Compliance Officer, and/or the Compliance Hot Line. For details, please refer to Summa Hospitals Policy, Reporting Actual or Potential Wrong-Doing and Policy of Non-Retaliation/Non-Retribution. Compliance Hot Line numbers are:

• At Summa Health System Hospitals: 1-800-421-0925
• At Cuyahoga Falls General Hospital: 1-866-265-4575

Responding To Outside Investigations

Summa Hospitals is committed to complying with all applicable laws and to cooperating with any reasonable requests for information from the federal, state and local governments, while protecting its rights and those of its employees. If a Summa Hospitals employee is contacted directly by a government investigator, the employee should notify his/her supervisor prior to speaking with the investigator. In addition, the Vice President, Legal Services and the Chief Compliance Officer should be consulted before any interview is conducted. Summa will provide legal counsel in such situations at the employee’s request, provided that the Vice President, Legal Services determines that no conflict of interest exists. An employee may also secure his/her own counsel.

Substance Abuse and Mental Acuity

Summa Hospitals is strongly committed to maintaining a safe, healthy workplace environment free from the effects of drug and alcohol abuse. Reporting to work under the influence of illicit drugs or alcohol, as well as possessing, using or selling alcohol or illicit drugs on Summa Hospitals property, may lead to accelerated discipline including immediate termination. Drug screening is part of every individual’s pre-employment physical examination. Existing employees identified as chemically dependent must agree to enter rehabilitation or face termination of employment. Drug screening may be required after any employee is injured, or contributes to injury or property damage on the job. More information on Summa Hospitals’ position against the effects of drugs and alcohol in the work environment can be found in the Human Resources Policy & Procedure Manual. Specific policies include Pre-Employment Drug and Alcohol Testing & Reasonable Suspicion Testing; Disciplinary Process and Rules of Conduct.

Vendor/Subcontractor Relations

Good relations with subcontractors and vendor representatives are important for success in the procurement of goods and services. Contacts with salespeople and subcontractors add to the basis upon which public opinion about Summa Hospitals is formed. For these reasons, Summa Hospitals employees should always treat subcontractors and salespeople with fairness and integrity. Summa Hospitals’ purchasing and subcontracting decisions are based on objective criteria, not on personal relationships or friendships. Objective decision-making considers factors such as quality, design, price, consistent and timely delivery, adherence to schedules, service, and maintenance of adequate sources of supply. The following values should always be observed in evaluating and awarding bids, in administering contracts, and in conducting subcontractor/vendor relations:

• Keep all competition open and fair.
• Discourage revision of bids after submission and insist on receiving the best price first.
• Be truthful in all verbal and written transactions.
• Respect the confidentiality regarding quotes and other information provided by vendors or subcontractors.

In turn, all salespeople must sign in through purchasing before meeting with hospital personnel. Subcontractors and vendors are expected to conduct themselves in accordance with the same values. Summa Hospitals employees may not accept bribes, gifts or gratuities as discussed in this Code and in Administrative Policy: Conflict of Interest.

Marketing Practices

Marketing

Marketing practices are conducted with truth, fairness and responsibility to patients, the community and the public at large. All information issued will be accurate at the time of publication, and will not be presented in an intentionally misleading manner. Summa Hospitals will not purposely misrepresent its services, supply needs, or any other aspect of its business. Summa Health System Hospitals observes all legal requirements regarding marketing communications with patients. For more specific information, see Summa Health System Hospitals Compliance Plan: Procedures for Marketing Activities.

Safety and Environmental Preservation

The Environment, Medical Waste and Hazardous Materials

Summa Hospitals is committed to protecting the environment. Although Summa Hospitals’ business may affect its surroundings in many ways, Summa Hospitals’ primary environmental impact lies in the management of medical waste and other hazardous materials and, to a lesser degree, in air emissions from pollutant sources and wastewater discharges. Every Summa Hospitals employee is responsible to safeguard patients, fellow employees, the community and the general environment from harm. Summa Hospitals complies with all applicable occupational health (OSHA), environmental and waste management (EPA) laws and regulations, and cooperates with local, state and federal agencies in their inspection and enforcement activities. Specific aspects of Summa Hospitals’ environmental commitment are found in the following policies contained in the Summa Hospitals Safety Assessment & Improvement Manual:

• Employee, Physician, Student & Volunteer Responsibility for Safety;
• Rationale - Protection of Assets;
• Rationale - Regulatory Requirements;
• Waste Management Policy;
• Regulated Medical Waste; and
• Hazardous Materials & Waste Management Plan.

At Summa Health System Hospitals, policies and procedures regarding safety are found in the Safety Assessment and Improvement Manual. Policies in the Manual that are particularly relevant to this statement include:

• Safety Management Plan
• Employer & Board of Directors Responsibility for Safety
• Rationale – Protection of Assets
• Risk Assessment Management Program
• New Employee Orientation on Safety
• Safety Education.

In addition, see Human Resource Policy, Disciplinary Process and Rules of Conduct.

At Cuyahoga Falls General Hospital, policies and procedures regarding safety are found in the Safety Assessment and Improvement Manual. These policies include:

• Employee, Physician, Student & Volunteer Responsibility for Safety
• Rationale – Protection of Assets
• Rationale – Regulatory Requirements
• Waste Management Policy
• Regulated Medical Waste
• Hazardous Materials & Waste Management Plan

Safety

High-quality health care can only be provided in an environment free from identifiable hazards to Summa Hospitals’ patients, staff and visitors. Each Summa Hospitals employee is required to observe completely all relevant laws and regulations, as well as the Environment of Care standards set by the Joint Commission for Accreditation of Health Care Organizations (JCAHO) at Summa Health System Hospitals, or by the American Osteopathic Association (AOA) at Cuyahoga Falls General Hospital. Requests from regulatory agencies shall be referred to the respective Safety Officer. Everyone within Summa Hospitals has an obligation to maintain a safe working environment not only for themselves and their co-workers, but also for anyone entering Summa Hospitals property. To support the obligation to avoid accident or injury, all employees are provided with training at hire, annually and as appropriate. In addition, Summa Hospitals provides to all employees personal protective equipment and other equipment as appropriate, and written policies detailing safety procedures and requirements. Employees are expected to know and to use specific safety policies, procedures and resources related to their individual jobs. All Summa Hospitals employees should immediately report to their supervisor any injury to an employee or any injury or unusual occurrence to patients or others. No one may use tobacco products in any Summa Hospitals building or outside any building entrance. Summa Hospitals’ policy regarding tobacco products is found in the Administrative Policy & Procedure Manual, Smoking Policy.

Policies and procedures regarding safety at Cuyahoga Falls General Hospital are found in Cuyahoga Falls’ Safety Assessment and Improvement Manual. Policies in the Manual that are particularly relevant to this statement include:

• Safety Management Plan
• Rationale – Protection of Assets
• Risk Assessment Management Program
• New Employee Orientation on Safety
• Safety Education.

In addition, see Human Resource Policy, Disciplinary Process and Rules of Conduct.

Summa Hospitals Compliance Plan

Part II: Compliance Plan Elements

Role of the Summa Hospitals Chief Compliance Officer

The Hospitals Chief Compliance Officer, an official appointed by the Summa Health System Chief Compliance Officer with the approval of the Boards of Directors of Summa Hospitals, holds responsibility, authority and resources to establish and operate Summa Hospitals’ Corporate Compliance Program. The Hospitals Chief Compliance Officer assures that Summa Hospitals’ Corporate Compliance Program is an effective program to prevent and detect fraud, abuse and other violations of Federal, State or local statutes, regulations and policies, as well as violations of the standards of ethical behavior expressed in Summa Hospitals’ Code of Conduct.

Summa Hospitals is composed of multiple departments. The Hospitals Chief Compliance Officer may at his or her discretion delegate authority and responsibility for Compliance activities at the department level in a manner consistent with the structure and provisions of this Compliance Plan. In any case, the Hospitals Chief Compliance Officer retains accountability for all Compliance responsibilities of Summa Hospitals.

In addition to general accountability for Summa Hospitals’ Corporate Compliance Program, the Hospitals Chief Compliance Officer’s responsibilities include:

• Periodic assessment of Summa Hospitals’ compliance risk exposure, and action to ensure that the Compliance Program responds to identified areas of risk
• Formulation and communication of Summa Hospitals’ Code of Conduct, a statement of the organization’s expectations of ethical behavior on the part of all employees and associates
• Oversight of the establishment and maintenance of policies and procedures to support the Compliance Program throughout Summa Hospitals
• Ensuring that effective systems are in place to prevent employment of individuals or contractors, or purchase from vendors, who have been barred from participation in Government programs, or who have demonstrated a propensity to engage in illegal activities
• Assuring that Corporate Compliance training programs accomplish the following:
  − acquaint all Summa Hospitals employees and associates with the Corporate Compliance Program and Code of Conduct
  − update and refresh this information through mandatory periodic retraining
  − address Compliance issues related to departments or groups of employees or associates

• Maintaining a well-publicized confidential disclosure program for reporting of potential Compliance violations without fear of retribution
• Keeping a record of all compliance-related complaints and allegations and the disposition of each case, including any associated disciplinary actions.
• Participating in disciplinary actions based on violations of this Compliance Plan when appropriate
• Conducting investigations, or authorizing outside investigations, of potential violations of laws or regulations, or instances of unethical behavior, that place the organization at risk, in consultation with Summa Hospitals’ Vice President, Legal Services

NOTE: The respective Department Director/Vice President is responsible to identify and report any known and/or potential instances of illegal or unethical behavior. Communication of any actual or potential compliance issues at the department level is to be directed, as a point of information, to the Hospitals Chief Compliance Officer. Collaborative investigations may occur, if needed, with the Hospitals Chief Compliance Officer and Vice President, Legal Services.

• Determining, implementing and evaluating responses to correct and prevent future offenses after a violation has been detected
• Reporting within requirements, in consultation with Summa Hospitals’ Vice President, Legal Services, any Compliance matter requiring external reporting or disclosure
• Acting as chairperson of the Summa Hospitals Compliance Committees
• Serving as a member of the Audit Committee of Summa Hospitals’ Boards of Directors
• Reporting periodically and at need to Boards of Directors, the Compliance Committees and Senior Management
• Reviewing and updating this Corporate Compliance Plan both periodically and as events require
• Other responsibilities as designated by the Boards of Directors, the Chief Executive Officer, and as otherwise specified in this Plan.

The Hospitals Chief Compliance Officer has authority to seek the advice of legal counsel as he or she deems appropriate. To carry out the responsibilities of his or her role, the Hospitals Chief Compliance Officer has complete authority to examine any and all documents or other information related to compliance activities including, but not limited to, the following:

• Patient records

• Billing records

• Records concerning marketing activity

• Records concerning Summa Hospitals’ arrangements with other parties such as employees, professionals on staff, independent contractors, suppliers, agents and hospital-based physicians

• Contracts and obligations that may contain compliance issues under the Anti-Kickback Statute, Stark Laws or other statutory or regulatory requirements.

Composition and Role of the Summa Hospitals Compliance Committees

The purpose of the Corporate Compliance Committees is to provide cross-functional expertise, coordination and oversight to assist the Hospitals Chief Compliance Officer in creation, implementation and operation of Summa Hospitals’ Corporate Compliance Plan. The Committees consist of both permanent members and temporary or ad hoc members who serve at need for specific issues. Permanent members of the Summa Health System Hospital and Cuyahoga Falls General Hospital Corporate Compliance Committees include representatives of selected departments:

• Chief Compliance Officer, Summa Hospitals
• Individuals who bear primary responsibility for compliance plans and activities in individual departments
• Finance Department
• Human Resources Department
• Information Security Officer
• Legal Services Department
• Medical Affairs Department
• Medical Education
• Medical Records
• Medical Staff
• Patient Care Services
• Patient Financial Services
• Physician Services
• Privacy Officer
• Research Administration
• Utilization Management Director

Ad hoc Committee members may be drawn from any area relevant to matters under discussion. For example, ad hoc members may include representatives of outpatient service areas, social work, discharge planning, Medical Staff, and employees or managers of key operating units. The staff of the Department of Corporate Compliance acts as the staff of the Compliance Committees.

Members of the respective Corporate Compliance Committees assist the Hospitals Chief Compliance Officer and further the goal of Corporate Compliance at Summa Hospitals by:

• Formulating and recommending this Plan and its components to Senior Management and the Boards of Directors
• Reviewing and revising this Plan periodically
• Representing and communicating this Plan to their colleagues
• Offering input on Corporate Compliance issues
• Providing input on responses to Corporate Compliance Plan violations
• Advising, assisting and performing monitoring and auditing activities
• Assessing effectiveness of the Corporate Compliance Plan
• Promoting incorporation of compliance activities into operations at departmental and work process levels

Role of the Department of Corporate Compliance

The Department of Corporate Compliance, under the guidance of the Hospitals Chief Compliance Officer, carries out a variety of activities in the ongoing operation of the Corporate Compliance Plan, including:

• Primary responsibility for responding to the Compliance Hotlines
• Designing, performing and reporting audits associated with Compliance issues and investigations
• Participating in the design of Compliance training programs
• Assisting in design of departmental or other monitoring activities and internal controls
• Acquiring, maintaining and disseminating health care compliance and risk information, including concerns addressed in Special Fraud Alerts, Special Advisory Bulletins and Annual Work Plans issued by the Office of the Inspector General of the United States Department of Health and Human Services.
• Providing information on compliance-related laws, regulations and public policies on request
• Assisting departments and business units in developing standards of conduct, policies and procedures to promote compliance
• Preparing reports to enable the Hospitals Chief Compliance Officer to meet internal and external reporting requirements
• Other duties as directed by the Hospitals Chief Compliance Officer in support of the Corporate Compliance Plan

Corporate Compliance Education

Summa Hospitals will continuously take steps to communicate its ethical expectations, compliance standards and procedures to all Hospitals officials, managers, employees, physicians and major independent contractors. Training will include a review of the provisions of this Plan, Summa Hospitals’ expectations of ethical conduct, and a summary of fraud and abuse laws, as well as focused training in requirements and procedures in selected departments. Physicians and contractors will be informed of Summa Hospitals’ Compliance Program contractually.

All concerned personnel will receive updated general education and information annually. All new employees will receive initial Compliance training as part of their general and/or departmental orientation program. Department-level Compliance policies will be distributed during department orientation and training. Subsequent training in departmental compliance policies and procedures will be provided annually or more frequently as needed by managers in departments involved in claims development or submission.

Adherence to the provisions of the Compliance Plan, including attendance and completion of Compliance training, will be a factor in each employee’s annual performance evaluation. Failure to attend and participate in Compliance training may be grounds for disciplinary action, including termination of employment. As new developments or concerns arise, the Hospitals Chief Compliance Officer may require additional training for some or all employees. Acknowledgement of Summa Hospitals’ Corporate Compliance Plan is a provision of all consultant, contractor and vendor contracts.

Reporting Actual or Potential Wrong-Doing and Policy of Non-Retaliation/Non-Retribution

POLICY:

A. Internal Reporting: All Summa Hospitals employees, supervisors, managers, agents and contractors are responsible for promptly reporting actual or potential infringements of law, regulation, policy, or procedure. The proper channels to report wrong-doing include the employee’s immediate supervisor or manager, a higher level supervisor or manager, the Human Resources Department, the Legal Department, Nursing Administration, the Compliance Officer, and/or a Compliance Hotline. Channels to report wrong-doing may differ depending on the campus, business unit or product line in which an employee works.

B. Non-Retaliation/Non-Retribution for Reporting or Participating in an Investigation

A prompt and forthright disclosure of an error by an employee will generally be considered a constructive action by the employee. Summa Hospitals supervisors, managers and employees are not permitted to engage in retaliation or any form of harassment directed against an employee or staff member who reports a concern or participates in an investigation, compliance review or hearing. In regard to Protected Health Information, retaliation is prohibited against anyone who opposes any act the person believes in good faith to be unlawful, provided the manner of opposition is reasonable and does not involve a disclosure of protected health information that in itself constitutes a violation of law or organization policy. Any manager, supervisor or employee who engages in such retribution or harassment is subject to discipline up to and including dismissal. All substantiated instances of retaliation or harassment against reporting employees will be brought to the attention of the Vice President of Human Resources who will determine the appropriate discipline. This does not mean that an employee can avoid discipline for poor work or wrong acts by reporting his or her own inadequate performance. It does mean that the consequences of poor performance may not be more severe because an employee has made the report on his or her own.

PROCEDURE:

1. While employees may use any appropriate reporting channel, it is typically most effective to report concerns to a supervisor or manager in the employee’s work place.

2. If an employee prefers not to report a concern to his or her own supervisor or manager, the employee may report the concern to a higher-level manager.

3. For some types of concerns, there are special reporting channels, which may differ between business units and product lines. Examples include the Human Resources Department (for employment conditions, health and safety, discrimination, sexual harassment concerns), Nursing Administration (patient care concerns), Security (physical safety, some health and safety issues, theft or abuse of property), Corporate Compliance or Internal Audit (financial fraud, billing), Quality Assurance (JCAHO accreditation), and the Legal Department (legal and regulatory concerns).

4. In addition to these reporting channels, methods have been established to report wrongdoing or other ethical concerns directly and anonymously by telephone.

Summa Hospitals has established two Compliance Hotlines:

• At Summa Health System Hospitals: 1-800-421-0925;

• At Cuyahoga Falls General Hospital: 1-866-265-4575

While the primary use of the Compliance Hotlines is to allow employees to report concerns not adequately resolved at a lower organizational level, any Summa Hospitals employee, supervisor, manager, agent, contractor or patient may call a Hotline at any time to report a concern or to obtain information pertinent to a concern. The Compliance Hotlines are answered by a Compliance Auditor in the Department of Corporate Compliance. Callers may phone a Compliance Hotline anonymously and investigations of concerns reported on a Compliance Hotline will be conducted confidentially.

Examples:

i. Summa Hospitals is obligated to report a violation if the caller provides evidence of a specific violation of the law;

ii. Summa Hospitals, as well as the individual(s) answering the hotline, has an obligation to cooperate with government investigations.

Response When a Potential Compliance Concern Is Raised

Potential compliance concerns may reach the Hospitals Chief Compliance Officer through a variety of means. A concern may be communicated through a Compliance Hot Line, or directly to Compliance personnel by phone, face-to-face or in writing. Compliance concerns may arise through referral by a third party or as a result of audit activity. The Hospitals Chief Compliance Officer will maintain a record of all complaints and allegations and the disposition of each case.

If a reported problem does not concern compliance, the Hospitals Chief Compliance Officer may refer the issue to the manager of the department most affected or involved. A written statement by the manager concerned documenting follow-up and resolution of the issue will be required in every referred case. The Hospitals Chief Compliance Officer will maintain a record of all such statements.

When a reported concern is deemed to be a potential compliance issue, the Hospitals Chief Compliance Officer and the Department of Corporate Compliance will conduct or oversee an internal review to determine whether the complaint or allegation appears credible. If further investigation is warranted, the Hospitals Chief Compliance Officer will determine whether the investigation should be conducted internally or with the aid of outside experts. If the investigation is conducted internally, the Hospitals Chief Compliance Officer and the Department of Corporate Compliance will determine appropriate modalities for gathering and processing information. The Hospitals Chief Compliance Officer may take such steps as he or she believes necessary to arrange for the suspension of various activities until the process of investigation is completed. This may result in suspension of billing, extending of filing deadlines, suspending an individual from conducting an activity, or other methods as appropriate. After the conclusion of the investigation, if appropriate, the activities may be resumed. Employment or business relationships with individuals facing debarment or exclusion from Government programs, or facing criminal charges related to health care, will be suspended pending legal resolution.

The Department of Corporate Compliance will prepare a written summary and detailed report of findings in every case involving a potential compliance issue. The Hospitals Chief Compliance Officer is responsible for prompt development and implementation of a plan for corrective action if findings indicate the need for such. The Hospitals Chief Compliance Officer will review findings and corrective action plans with such parties as he or she deems necessary to resolve the specific case and to prevent recurrence, and will retain a copy of all plans and reports. The Vice President, Legal Services will receive a copy of each report involving a potential compliance issue and corrective action plan. The effectiveness of corrective actions will be evaluated through timely post-implementation compliance audits. Failure to take effective corrective action on the part of concerned personnel may result in disciplinary action as discussed in this Plan.

When misconduct is confirmed, the Hospitals Chief Compliance Officer will initiate appropriate disciplinary action as detailed in this Plan. The Hospitals Chief Compliance Officer is also responsible to create and implement a plan to prevent recurrence of the misconduct detected. Such an action plan may include increased or altered monitoring and auditing procedures, focused training of personnel, replacement of culpable supervisors, revision of this Plan, or other measures.

If an investigation shows that funds should be returned to payers, the Hospitals Chief Compliance Officer will ensure that a prompt refund is made. The Hospitals Chief Compliance Officer and the Vice President, Legal Services will jointly determine the best approach to returning the funds. The Hospitals Chief Compliance Officer, in consultation with the Vice President, Legal Services, will notify appropriate government agencies when he or she determines that the policies of such agencies may have been violated as a result of inadvertent or intentional acts.

Pre-Employment/Pre-Engagement Inquiry for Eligibility To Participate in Government-Funded Programs

PURPOSE:

An organization must avoid delegating substantial authority to individuals whom the organization knows or should know to have a propensity to engage in illegal activities. Two steps to avoid such inappropriate delegation are a pre-employment background investigation and screening against Government databases of individuals and business entities barred from participation in government-funded programs.

POLICY:

a. For all new employees who have discretionary authority to make decisions that may involve compliance with the law or compliance oversight, Summa Hospitals will conduct a reasonable and prudent background investigation as part of every such employment application prior to employment. The employment application for such individuals will specifically require the applicant to disclose any criminal conviction, as defined by Chapter 42, Section 1320a-7(I) of the United States Code, as well as any exclusion action.

b. Summa Hospitals will not knowingly employ or contract with, with or without compensation, any individual or entity recently convicted of a criminal offense related to health care or who is listed by a federal agency as excluded, debarred, suspended or otherwise ineligible to participate in federal programs.

SCOPE:

Each department of Summa Hospitals that performs primary hiring functions is responsible to perform a reasonable inquiry (sanction check) regarding a prospective employee’s eligibility to participate in government-funded programs. These departments include, but may not be limited to, the following:

• Department of Human Resources
• Department of Nursing
• Department of Medical Education
• Any other department utilizing contract temporary staff not processed through Human Resources, the Department of Nursing or the Department of Medical Education

Sanction checking of staff physicians is integrated in the physician credentialing process.


RESPONSIBILITY:

Sanction checks should be performed prior to actual hiring, purchasing, contract signing or finalization of any business relationship.

The director of each department or area performing primary hiring functions is responsible for sanction checks for prospective employees.

All prospective Summa Hospitals employees and medical staff must be checked without exception.

Prospective employees do not need to be checked more than once. For instance, an employee checked by Human Resources or the Department of Nursing does not need to be checked again by the department or unit in which the prospective employee will actually work. In contrast, temporary contract employees on site at Summa Hospitals who have not been engaged through the Human Resources Department should be checked by the department in which they will work, since no prior sanction check will have been performed within Summa Hospitals.

All Contractors and Consultants must sign the Addendum to Consultant/Contractor Agreement located on the Summa Hospitals Bulletin Board. Directors of high-risk departments are responsible for performance of sanction checks on any contractors, consultants or vendors with whom the department forms a business relationship, whether or not a written contract is created. Checking is not limited to clinical, direct care or claims processing entities, but extends to all outside business associates. Contractors, consultants, vendors and companies must be checked. Checking all individual employees of contracting firms is not required.

Call the Department of Corporate Compliance to resolve questions about sanction checking.

PROCEDURE:

Via the Internet, search the following two databases. Observe the search procedures detailed in each database.

1. Department of Health and Human Services – Office of Inspector General (HHS-OIG) Cumulative Sanctions Report at:

• http://exclusions.oig.hhs.gov

Employees

Contractors, Consultants and Vendors


− If searching the name of a person, type the last name in the “Last Name” field, and the first name in the “First Name” field.

− If searching the name of a business, type the business name in the “Business” field. The elements of the business name should be entered exactly in the order they occur in normal use, e.g. John Jameson Health Science Supply should be entered exactly as “John Jameson Health Science Supply.” “Johnson & Barnes” should be entered exactly as “Johnson & Barnes.”

− Click on the “Search” button on the left below the text entry boxes. The “Search Result” screen will appear.

− Click on the “Print” icon in the menu bar to make a hard copy of the search result. The name searched will appear automatically on the page.

− NOTE: up to five individuals or entities may be searched simultaneously.

2. General Services Administration Excluded Parties List System (EPLS) at:

• http://epls.arnet.gov

The home page of the EPLS site will appear. Near the top of the upper left-most column will appear three menu selections. Above these menu selections is a text box followed by a “Go” button. See example 1.

Partial Name Search


Example 1


The text box may be used for a “Partial Name” search, potentially the easiest search method. To perform a Partial Name search, type the last name of an individual or the most distinctive word in the name of a business entity in the box and click on the “Go” button. NOTE: the EPLS site is not case-sensitive. See example 2.


Example 2


If the result for an individual shows no match, accept the result as final and print a copy of the result page and retain it to document the search. See example 3.


Example 3


If the result for a business entity shows no match, try searching other words in the entity’s name, or go to the “Advanced Search” function described below. The result screen of a partial name search may show many matches, depending on the frequency of common names in the EPLS database. This is because the Partial Name search returns a result for the entered name no matter where it occurs in any given record. The Partial Name search will return a match for every instance in which the entered name occurs as a first name, middle name, hyphenated name or last name in the database. See example 4.

Result of Partial Name Search


Example 4


If the Partial Name search returns relatively few matches, review each item visually. If no match is identified visually, print the results page and retain it to document the search. The Partial Name search for a commonly-occurring name may return many pages of matches. If the result is so large that visual review of all returned matches is not practical, the Advanced Search function may be used. To access the Advanced Search function, click on the menu item immediately below the Partial Name search box on any EPLS page. The Advanced Search page will appear. See example 5.

Advanced Search


Example 5


Delete any characters appearing in the Partial Name box. Enter the name to be searched in the “Exact Name” box. You do not need to enter any other data in any other option on the page. To run the search, scroll down and click on the “Search” button at the bottom of the page. The Advanced Search function requires TOTAL accuracy in the Exact Name box to return a match. That is, in order to return a match the Exact Name box must contain a COMPLETELY EXACT character match INCLUDING SPACES AND PUNCTUATION. However, as with the Partial Search function, the Advanced Search function is not case-sensitive. The syntax required by the Advanced Search function for an individual search is: last name comma space first name space middle initial period [e.g. Smith, Brenda L.] or, if a full last name is used: last name comma space first name space middle name [e.g. Smith, Brenda Lee]. For a business entity, enter the name exactly as it appears in your documents, being careful to include spaces and punctuation exactly as in your source. If an ampersand [&] is part of the name, search both the name including the ampersand and the name substituting the word “and” for the ampersand. IF THE SYNTAX OF THE ENTRY IS NOT 100% ACCURATE, THE SEARCH WILL RETURN NO MATCH EVEN THOUGH THE NAME INTENDED TO BE SEARCHED MAY ACTUALLY EXIST IN THE DATABASE. For example, the EPLS database contains a record for “Smith, Brenda L.”. The following entries in the Exact Name box will NOT produce a match with this record:

− Smith, Brenda [no middle initial]
− Smith, Brenda Lee [full middle name instead of initial and period]
− Smith, Brenda L [period omitted after initial]
− Smith,Brenda L. [space omitted between last name and first name]
− Smith, BrendaL. [space omitted between first name and middle initial]
− Brenda L. Smith [first name precedes last name]

ONLY Smith, Brenda L. will produce a match. In the same way, the EPLS database contains an entry for “Smith, Brenda Katherine”. A search for Smith, Brenda K. will return no match. The EPLS database also contains an entry for “Smith, Brenda”. An exact name search on Smith, Brenda will return a match. All three records cited here as examples exist in the EPLS database and represent three different individuals. If you want to find out whether Smith, Brenda L. is in the EPLS database and you search Smith, Brenda instead, you will receive a false positive match. The construction of the EPLS search functions potentially makes it difficult to rule out any particular individual or entity. If an individual or entity cannot quickly be ruled out by a Partial Name search, run multiple Advanced Searches using different forms of the name, including full middle name or initial as available [e.g. Smith, Brenda L. and Smith, Brenda Lee and Smith, Brenda]. If an Exact Name match is found, the next step is to search through the “Exact Name and SSN/TIN” menu option immediately below the Advanced Search option near the top of the left-most column of any EPLS page. Enter the exact name and the Social Security Number for an individual or the Tax Identification Number for a business entity, then click on the “Search” button immediately below the text entry boxes. See example 6. If the EPLS database contains the SSN or TIN of the individual or entity being searched, the search will accurately return match or no match. A match in the Exact Name and SSN/TIN function can be considered conclusive. However, not all records in the EPLS database contain SSN or TIN numbers.

Advanced Search - Exact Character Match

Required Syntax

Searching Multiple Forms of a Name

Exact Name and SSN/TIN Search
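The Exact Name, Partial Name and Exact Name and SSN/TIN behaviour described above, modelled in Python as an added example (this is not EPLS software or the Hospitals' own procedure code). The record set, the SSN/TIN values and the whole-component rule for partial matching are constructed assumptions; the six non-matching entries and the three Brenda Smith records are the plan's own examples.

```python
"""Added model of the EPLS name-search semantics in the sanction-check procedure (illustration only)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import re


@dataclass(frozen=True)
class Record:
    """One excluded-party record: the listed name and, where the list has it, an SSN or TIN."""
    name: str
    tin: Optional[str] = None  # None models a record whose SSN/TIN is not on file


# Constructed sample data, not real list content. The three Brenda Smith records mirror the
# plan's example of three different individuals; the identifiers are placeholders.
SAMPLE_RECORDS: List[Record] = [
    Record("Smith, Brenda L.", tin="000-00-0001"),
    Record("Smith, Brenda Katherine", tin="000-00-0002"),
    Record("Smith, Brenda"),                        # no SSN on this record
    Record("Jones-Smith, Carla", tin="000-00-0003"),
    Record("Johnson & Barnes", tin="00-0000004"),
]

# The six Exact Name entries the plan lists as NOT returning the stored "Smith, Brenda L."
NON_MATCHING_ENTRIES = [
    "Smith, Brenda",      # no middle initial
    "Smith, Brenda Lee",  # full middle name instead of initial and period
    "Smith, Brenda L",    # period omitted after initial
    "Smith,Brenda L.",    # space omitted between last name and first name
    "Smith, BrendaL.",    # space omitted between first name and middle initial
    "Brenda L. Smith",    # first name precedes last name
]


def partial_name_search(term: str, records: List[Record]) -> List[Record]:
    """Partial Name search: case-insensitive, hits wherever the term is a name component
    (first, middle, hyphenated or last name). Modelled here as a whole-component match."""
    pattern = re.compile(r"(?<![A-Za-z])" + re.escape(term) + r"(?![A-Za-z])", re.IGNORECASE)
    return [r for r in records if pattern.search(r.name)]


def exact_name_search(name: str, records: List[Record]) -> List[Record]:
    """Advanced Search, Exact Name box: case-insensitive, but every other character,
    including spaces and punctuation, must equal the stored name."""
    return [r for r in records if r.name.lower() == name.lower()]


def matches_stored_name(entry: str, stored: str) -> bool:
    """Would typing `entry` in the Exact Name box return a record stored as `stored`?"""
    return bool(exact_name_search(entry, [Record(stored)]))


def exact_name_tin_search(name: str, tin: str, records: List[Record]) -> str:
    """Exact Name and SSN/TIN search: 'match' is conclusive; 'tin unknown' means the record
    carries no SSN/TIN, which the plan says must be referred to Corporate Compliance."""
    hits = exact_name_search(name, records)
    if any(r.tin == tin for r in hits):
        return "match"
    if any(r.tin is None for r in hits):
        return "tin unknown"
    return "no match"


def individual_name_forms(last: str, first: str, middle: Optional[str] = None) -> List[str]:
    """Forms the plan says to try: 'Last, First', 'Last, First M.' and 'Last, First Middle'."""
    forms = [f"{last}, {first}"]
    if middle:
        forms.append(f"{last}, {first} {middle[0]}.")
        if len(middle) > 1:
            forms.append(f"{last}, {first} {middle}")
    return forms


def business_name_forms(name: str) -> List[str]:
    """Businesses: the documented name, plus the 'and' spelling when it has an ampersand."""
    forms = [name]
    if "&" in name:
        forms.append(name.replace("&", "and"))
    return forms


def screen_individual(last: str, first: str, middle: Optional[str],
                      records: List[Record]) -> Dict[str, object]:
    """Run the procedure for one prospective employee. Outcomes: 'cleared' (no Partial Name
    hit; print and retain), 'exact_match' (an Exact Name form hit; go on to the SSN/TIN step,
    since a hit on a shorter form such as 'Smith, Brenda' may be a different person) or
    'manual_review' (partial hits only; a reviewer compares them by eye)."""
    candidates = partial_name_search(last, records)
    if not candidates:
        return {"outcome": "cleared", "matches": []}
    exact: List[Record] = []
    for form in individual_name_forms(last, first, middle):
        for r in exact_name_search(form, records):
            if r not in exact:
                exact.append(r)
    if exact:
        return {"outcome": "exact_match", "matches": [r.name for r in exact]}
    return {"outcome": "manual_review", "matches": [r.name for r in candidates]}
```

Running `screen_individual("Smith", "Brenda", "Lee", SAMPLE_RECORDS)` returns both the true record and the shorter-name record, which is why the plan treats an Exact Name hit as a trigger for the SSN/TIN step rather than as a conclusion.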


Example 6


If you lack sufficient information to use the Exact Name and SSN/TIN function, or if either of the following situations occurs, contact the Department of Corporate Compliance immediately:

• The Exact Name and SSN/TIN function returns a match;
• The Exact Name and SSN/TIN function shows that the SSN or TIN is unknown. See example 7.

Contacting the Department of Corporate Compliance


Example 7


4. The Department of Corporate Compliance will confirm or disprove the identity of the sanctioned person or business. In any such case, no employment, contract or business relationship may be formed unless the initial identification of a sanctioned individual or entity is found to be in error by the Hospitals Chief Compliance Officer, and the individual or entity concerned has not in fact been sanctioned. The Department of Corporate Compliance will inform the referring party as soon as each case is resolved.

5. Retain the paper copy of all search results in each department for at least six years. Search results may be retained in individual case files or in a central departmental file.

Revised June 2003, December 2003, October, 2006


Auditing and Monitoring

Monitoring refers to concurrent oversight carried out by and within an individual department or product line. Each department or product line is required to determine, in conjunction with the Department of Corporate Compliance, what level of monitoring of its activities is necessary in order to detect and prevent violations of applicable requirements. Monitoring is to be carried out on an ongoing basis. Each department performing monitoring activities will inform the Department of Corporate Compliance of any adverse findings, as well as any remedial actions and their results. Directors of operational departments with a high level of compliance risk will make an annual presentation in person to the Summa Hospitals Compliance Committee, on a schedule determined by the Hospitals Chief Compliance Officer.

Compliance Auditing refers to the evaluation of the effectiveness of internal controls to mitigate compliance risk. The Hospitals Chief Compliance Officer will supervise all compliance activities. The Department of Corporate Compliance, under the direction of the Hospitals Chief Compliance Officer, is responsible for the following audit activities related to the Corporate Compliance Program:

Compliance Risk Assessment

Assessment of relative organizational compliance risk levels can be determined through baseline audits of Summa Hospitals’ internal and external environments.

Retrospective Compliance Audits

Retrospective compliance audits are performed when a potential compliance violation has been identified to identify internal control weaknesses and related financial liabilities.

Prospective Compliance Audits

Prospective compliance audits establish and assess internal controls to mitigate compliance risk regarding issues identified through Compliance Risk Assessment.


Departmental Compliance Training, Monitoring, Auditing and Annual Reporting Requirement

Responsibility for Departmental Compliance Training and Other Compliance-Related Actions

Effective corporate compliance only takes place in the context of daily operational work. Operational departments are responsible for training new and existing employees on compliance-related policies and procedures relevant to each employee’s work. The Department of Corporate Compliance is responsible for generating the content for new employee general compliance training, and for existing employee general compliance training conducted annually.

Responsibility for Departmental Compliance Monitoring and Auditing

Given limited corporate resources and the inherently decentralized nature of responsibility for compliant behavior, the Department of Corporate Compliance will limit its involvement in specific compliance issues or problems to investigation and initial auditing. The Department of Corporate Compliance will train operational managers on how to perform follow-up auditing at the conclusion of a corporate integrity agreement, voluntary self-disclosure, or a significant intermediary repayment. Responsibility for all subsequent auditing and monitoring rests with operational managers.

Responsibility for Annual Reporting on Departmental Compliance Activities

Multiple high-risk operational departments have processes involving compliance training, monitoring and auditing. These departments may also hold responsibility for specific compliance tasks such as employee or vendor/contractor sanction checking. Directors of operational departments with a high level of compliance risk will make an annual presentation in person to the Summa Hospitals Compliance Committee, on a schedule determined by the Hospitals Chief Compliance Officer. The annual presentation should include compliance training, monitoring and auditing as well as other compliance-related departmental actions such as sanction checking and policy updates in response to changing compliance requirements. The presentation will also provide a forum for discussion of departmental compliance issues, and for managers to bring forward their own needs for compliance information or assistance.

Adopted September, 2003; Revised October, 2006


Discipline Regarding Compliance Violations

The Human Resources Department of Summa Hospitals is responsible for maintaining specific sanctions or penalties for those employees who violate Summa Hospitals policies, including this Compliance Plan. The Chief Compliance Officer, in consultation with the Vice President, Legal Services and the Vice President of Human Resources will make recommendations for appropriate disciplinary action based on Summa Hospitals’ Corporate Compliance Plan and on relevant Human Resources policies. Disciplinary decisions are made by line managers in consultation with their direct superiors and the Human Resources Department, considering relevant laws, regulations and organizational policies and any recommendations of the authorities cited in this Plan. Grounds for discipline include both active violation and failure to report a known violation of the law or of the Compliance Plan. Failure to cease and correct any conduct criticized in any Special Fraud Alert issued by the Office of the Inspector General of the United States Department of Health and Human Services, or to take reasonable action to prevent such conduct from recurring in the future, will lead to disciplinary action. Discipline may include counseling, warning, suspension or termination of employment. All levels of personnel, including all levels of management, will be subject to similar penalties for similar offenses. Corporate officers, managers, supervisors, medical staff and other health care professionals will be held accountable for failing to comply with, or for the foreseeable failure of their subordinates to adhere to, this Plan and all applicable standards, laws and procedures.
If an employee is found to have participated in, condoned, ignored or directed an act that is illegal or in violation of Summa Hospitals policies, the Chief Compliance Officer will report this finding to the Vice President, Legal Services, the Vice President of Human Resources, and the employee’s supervisor or immediate superior. The Chief Compliance Officer will report situations involving members of senior management to the Chief Executive Officer and/or the appropriate Summa Hospitals’ Board of Directors for disciplinary action consistent with organizational policies. Disciplinary actions against physicians will proceed according to the Medical Staff Bylaws. If the Vice President, Legal Services determines that misconduct may be illegal, the Chief Compliance Officer will report the person responsible for the misconduct to an appropriate government agency. In addition to routine Human Resources documentation, the Chief Compliance Officer will maintain records of all disciplinary actions based on violation of the Compliance Plan. If a person, agent or company doing business with Summa Hospitals is found to have participated in an act or directed an act that is illegal or in violation of Summa Hospitals policies, the Chief Compliance Officer will consult with Summa Hospitals’ senior management, including the Vice President, Legal Services, to determine an appropriate response. Summa Hospitals’ response to such an external event will be consistent with the internal guidelines expressed in this Plan.


If a current employee or independent contractor is debarred or excluded from participation in Government programs, or is convicted of a criminal offense related to health care, the employment or business arrangement will be terminated immediately.


Responding To Government Investigations

Summa Hospitals is committed to complying with all applicable laws and to cooperating with requests for information from the federal, state and local governments, while protecting its rights and those of its employees. Government officials can approach an employee at the employee’s home or work place with a request that the employee provide information regarding Summa Hospitals. If this happens, the employee should not answer any questions until he or she has contacted his or her supervisor, and until the Vice President, Legal Services and the Chief Compliance Officer have been consulted. The employee should then follow the instructions of these authorities. Summa Hospitals will provide legal counsel in such situations at the employee’s request, provided that the Vice President, Legal Services determines that no conflict of interest exists. An employee may also secure his/her own counsel. Employees should be aware that Summa Hospitals has a right to be represented by its own legal counsel. If an employee is not contacted by an investigator but learns of a government inquiry through other means, the employee should immediately contact the Vice President, Legal Services or the Chief Compliance Officer. If a government agency actively conducts an investigation of Summa Hospitals, all requests for information should be directed to the Vice President, Legal Services, who is responsible for coordinating provision of information to the investigating agency. The Chief Compliance Officer and the Vice President, Legal Services will collaborate on any response to requests for compliance-related information from any government agency, whether or not an active investigation exists.

Summa Hospitals employees must never do any of the following:

− Destroy any company documents in anticipation of a request for those documents;
− Alter Summa Hospitals documents, or any other documents, related to an investigation or potential investigation;
− Mislead or lie to any government investigator; or
− Pressure or intimidate anyone to hide information or provide false information to any government investigator.

It is illegal to selectively destroy documents that may implicate Summa Hospitals once an investigation has begun.


Summa Hospitals Compliance Plan

Part II: Policies Addressing Compliance Risks

Policy Name Summary

Billing For Health Care Services

Misrepresentation of information relating to a claim for reimbursement for health care services is a violation of law. It is therefore imperative that Summa Health System employees maintain an accurate and compliant billing process. For purposes of this policy, personnel involved in the preparation of claims include hospital staff who are responsible for charge entry, patient access (registration), coding and billing in any way.

Prohibited billing and billing-related practices are described.

Chargemaster Compliance Policy

The Chargemaster Compliance Committee will assist in the maintenance of existing charges and implementation of future charges to assure accurate coding of HCPCS/CPT and revenue codes and overall compliance with payor requirements and regulations.

Chargemaster Compliance Committee composition and function is detailed, as well as procedures for requesting Chargemaster additions, deletions and alterations.

Medical Necessity

Medicare will only pay for services which are determined to be reasonable and necessary. A signed Advance Beneficiary Notice (ABN) must be obtained when ordered outpatient tests/services do not meet medical necessity requirements.

It is the intent of Summa Health System to obtain a signed Advance Beneficiary Notice (ABN) from Medicare beneficiaries prior to service when outpatient tests/services are believed to be non-covered according to Local Medical Review Policies or National Coverage Limitations.

Medical Record Chart Content

The medical record must contain sufficient information to facilitate patient care. The hospital initiates and maintains a medical record for every individual assessed or treated.

Medical Record Retention Procedure

Inpatient and outpatient medical records maintained by the Medical Records Department will be retained for 20 years. Outpatient medical records retained by ancillary areas will be retained for 10 years with certain specified exceptions. Indexes and registers will be retained for variable periods as detailed.


Health Information Management Department Standards of Conduct for Coding

This policy defines standards of ethical coding and imparts the accountability and importance coders have as members of the health care team.

Ethical coding guidelines have been implemented within the Medical Record Department as part of the Standards of Conduct for Coding. The standards were developed by the American Health Information Management Association (AHIMA) Council on Coding and Classification and AHIMA Certified Coding Specialist (CCS) Coding Competencies and are a guide for the coder in this process.

Medicare Bad Debt

Procedures to properly identify, quantify and report Medicare Bad Debts on the Medicare Cost Report are enumerated.

Medicare Cost Report

Summa Health System must make sure that the Medicare Cost Report, Medicaid Cost Reports, Champus Cost Report, Exception Reports and all related reports (HCFA 339, HCFA 91, etc.) are filed accurately in accordance with the rules and regulations of the Health Care Finance Administration (HCFA) or other governing agency.

Procedures to achieve accurate, compliant cost reports are described.

Offices of Medical Education and Office of Research Administration Corporate Compliance Policy

The Office of Medical Education includes the administration of activities performed in relationship to the provision of undergraduate education of medical students, graduate education of residents and continuing medical education of attending staff. The Office of Medical Education will provide educational services and facilities to all persons without regard to race, color, religion, sex, marital status, national origin, age or handicap.

Specific provisions relate to regulatory and accrediting organizations, licensure, citizenship status, affiliation agreements, recruitment, continuing medical education, and the medical library and bookstore.

With regard to research, Summa Hospitals will remain in compliance with all relevant FDA and OHRP regulations, per Summa Hospitals’ respective Federal Wide Assurances.

Outpatient Services Rendered To Medicare Patients In Connection With Inpatient Stays

Whenever outpatient diagnostic services and/or non-diagnostic/therapeutic services are provided to any Medicare patient by Summa Health System Hospitals, or under arrangements with Summa Health System Hospitals, within three calendar days prior to the date of admission, Summa Health System Hospitals will combine billing for outpatient services with billing for a subsequent inpatient admission.

Certain permissible exceptions are described.


Patients’ Freedom of Choice in Post-Acute Care Services

Hospitals are required under the Social Security Act 1861(ee)ID and Title XVIII, 42 US Code, section 1395x(ee) to provide patients’ freedom of choice when they are discharged from the inpatient setting and may require home health, hospice or skilled nursing facility services. Whenever it has been determined that a patient would benefit from such services, the patient is provided a choice of agencies/individuals that provide the needed services. The patient is also informed at that time that Summa’s HomeCare or Hospice is a department of the hospital and a financial relationship exists.

Physician Services Support Policy

All professional service arrangements will meet fair market value standards, anti-kickback statutes, self-referral statutes and any other known and accepted compliance standards for such arrangements.

The Physician Services Support Policy addresses these concerns in the areas of professional service arrangements, joint venture relationships, fair market compensation, professional services hours compliance tracking, professional fee billings in educational settings and physician education.

Prevention of False Claims

All Summa Hospitals employees, managers and corporate officers must avoid submission of false or fraudulent claims for payment in violation of the Civil False Claims Act. Private individuals can bring suit on behalf of the Government in regard to false claims under certain circumstances. Employees engaging in such a lawsuit are protected from retaliation by the whistleblower provisions of the False Claims Act.

Procedure For Completing Quarterly Medicare Credit Balance Report

Medicare Credit Balance Reports will be created quarterly. A step-by-step procedure and timeline is detailed.

Policy for Contingency-Based Arrangements

Contingency-based external consulting arrangements involving submissions to government payors are not acceptable for use within Summa Health System.

Refund Guideline Policy

Refund thresholds are established comparable to industry standards. Medicare, Medicaid, other Federal healthcare programs and Care Assurance refunds will always be processed regardless of credit balance.

Hourly Observation

Hourly Observation accounts must be classified, coded and billed in accordance with governmental regulations.


Billing for Health Care Services

Misrepresentation of information relating to a claim for reimbursement for health care services is a violation of law. It is therefore imperative that Summa Hospitals employees maintain an accurate and compliant billing process. For purposes of this policy, personnel involved in the preparation of claims include hospital staff members who are responsible for charge entry, patient access (registration), coding and billing in any way.

The following billing practices are prohibited:

• Billing for services and/or supplies not provided

• Misrepresenting diagnoses, services, service dates, the identity of patients or amounts charged

• Duplicate billing to obtain double payment (for example, billing both Medicare and the beneficiary for the same service or submitting multiple claims for the same service)

• Unbundling charges, e.g. billing an entire battery of tests as though the tests were performed individually, except as specified by Medicare, Medicaid, or other payer regulations

• Upcoding or using inappropriate codes for billed items or services

• Using a Diagnosis Related Group, Home Health Related Group or Ambulatory Payment Classification (DRG/HHRG/APC) that provides a higher payment rate than the DRG/HHRG/APC code that accurately reflects the service furnished or the severity of a patient’s illness

• Charging Medicare for a full DRG as if a patient were discharged, when the patient was actually transferred to another facility under Medicare’s Prospective Payment System

• Billing for services known to be medically unnecessary

• Requesting additional payments, other than appropriate copayments and deductibles, from a beneficiary

• Submission of false cost reports

• Failure to refund credit balances


Summa Hospitals Chargemaster Compliance Policy

PURPOSE:

The Chargemaster Compliance Committee will assist in the maintenance of existing charges and implementation of future charges to assure accurate coding of HCPCS/CPT and revenue codes and overall compliance with payor requirements and regulations.

CHARGEMASTER COMPLIANCE COMMITTEE MEMBERS:

Chair: Billing and Follow-Up Director
Charge Description Master Specialist(s)
Clinical Informatics Nurse
Financial Applications Analyst
Corporate Compliance and Internal Audit Director
Senior Compliance and Internal Auditor
Medical Records Administrative Director
APC Supervisor
Medical Records Department Outpatient Coding Representative
Director, Manager, or Designee from each Clinical/Ancillary Department with CDM revisions
Associate Counsel, Legal Services
Reimbursement Manager
Financial Analyst/Pricing
Information Technology Services Director, as requested

FUNCTION:

• Chargemaster Compliance Committee meetings shall be held at least monthly.

• The Hospital Compliance Committee will resolve any issues the Chargemaster Compliance Committee cannot settle.

• The Chief Compliance Officer, the V.P. Legal Services, and the Chief Financial Officer of Summa Hospitals, in consultation with each other, have the authority to request changes to the CDM, providing an explanation only to the appropriate Committee Members.

• Minutes from the Chargemaster Compliance Committee meetings shall be maintained by the Charge Description Master Specialist(s) via the Request for Additions/Revisions to the Charge Description Master Form.

• Minutes from the Chargemaster Compliance Committee will be distributed monthly to the Hospital Compliance Committee for review. They will be filed along with the Hospital Compliance Committee Meeting Minutes, which will be retained for a minimum of 10 years.


• The Chargemaster Compliance Committee will review the Charge Description Master (CDM) for accuracy and appropriateness of HCPCS/CPT codes, revenue codes, local codes and descriptions.

• Monthly Local Coverage Determinations (LCDs) & Program Memorandum/Transmittal update notifications are e-mailed to each affected department by the Charge Description Master Specialist(s). Department Directors/Managers will be expected to review LCDs/Program Memorandums for their departments for any CDM revisions. Department Directors/Managers will also bring to the committee, for discussion purposes, publications from their professional organizations to assist in the CDM reviews.

• All requests for CDM additions/deletions/revisions will be submitted to the Charge Description Master Specialist(s) in Patient Financial Services via e-mail, one week prior to the monthly Chargemaster Compliance Committee Meeting to allow inclusion of their requests on the monthly Chargemaster Compliance Committee Agenda. The requesting department will also submit supporting documentation from their professional organizations or program memorandum along with their request to assist in the review of their request. The Charge Description Master Specialist(s) will complete the Request for Additions/Revisions to the Charge Description Master Form for the requested change and e-mail it to the requestor. The Charge Description Master Specialist(s) will be responsible for maintaining the documentation (i.e. e-mails, sources of authority, etc.) for CDM additions/deletions/revisions.

• All departmental requests for new charge codes, or price changes to existing charge codes, must include a completed CDM Charge Form. This form, which is available within a sub-folder of All Public Folders on Microsoft Outlook, MUST be completed prior to the creation of a new charge or price change. This information is needed to determine the appropriate charge for the service being provided. This form will also provide the necessary information to update the hospital’s Cost Accounting Support System. The CPT code provided on the CDM Charge Form must tie to the CPT code approved by the APC Supervisor on the Request for Additions/Revisions to the Charge Description Master Form. The requesting department should contact their area’s Financial Analyst to set up pricing and for help with the CDM Charge Form. The analyst will assist, but will not fill out the form. These fully completed forms should be returned in an electronic format to the CDM Specialist. Hardcopy submissions will not be accepted and incomplete forms will be returned. The CDM number will be populated by the CDM Specialist. A copy will subsequently be sent to the SHSH Financial Analyst who maintains the CostFlex System. Any questions regarding the completion of the form or the costing information may be directed to the Summa Health System Hospitals Financial Analysis Department at extension 68985, or the Cuyahoga Falls General Hospital Financial Analysis Department at extension 7433.

• Prior to the monthly meeting, the following individuals will review the requests for the approval of the items indicated:

■ Requesting Department – Verify the Request for Additions/Revisions to the Charge Description Master Form is correct

■ Financial Analyst/Pricing – Verify costing information and determine pricing

• If the request is only for a deletion, the CDM will be inactivated in the appropriate billing system immediately. For deletions, the requesting department will not need to attend the monthly Chargemaster Compliance Committee Meeting unless the CDM is deleted due to compliance issues. If the request is for an addition or revision, the requesting department will need to attend the monthly meeting.

• If the request is for a non-patient service CDM from Patient Financial Services, the request will be prepared by the Charge Description Master Specialist(s) and sent to the Financial Reporting Director & the Reimbursement Manager for approval of the Cost Center & GL Key number assignments. These requests will be reviewed and given final approval by the Chargemaster Compliance Committee, and will be filed with the monthly minutes of the Hospital Compliance Committee to document additions/deletions/revisions to non-patient service CDMs.

• If a CDM change request is completed without departmental involvement (i.e. Craneware findings, MRD review findings, etc.), the Department Head must be notified for approval prior to implementing the change.

• The Chargemaster Compliance Committee will review and provide final approval for all requests for deletions/additions/revisions to the CDM at the monthly meeting. Following the meeting, the Charge Description Master Specialist(s) will activate approved requests for additions and revisions in the appropriate billing system.

• Occasionally, requests need further review or research and are not approved by the CDM Compliance Committee. Any CDM request not approved by the Committee at the monthly meeting will need to be brought to the next monthly meeting for approval or, if necessary, issued as a “stat” request to be implemented prior to the next monthly meeting.

• At Cuyahoga Falls General Hospital, the Pharmacy Director will be responsible for making all approved CDM changes in the Pharmacy HBOC module. Pharmacy will keep printouts of all changes made to the Pharmacy CDM for a period of 10 years.

• For expedited approval of CDM additions/revisions that need to be activated prior to the next monthly meeting, departments must submit the request to the Charge Description Master Specialist(s) and indicate it is a “stat” request. Departments should only use this approach to request “stat” CDM additions/revisions in extenuating circumstances. The Charge Description Master Specialist(s) will complete the Request for Additions/Revisions to the Charge Description Master Form for the requested “stat” change and e-mail it to the requestor, APC Supervisor, Medical Records Department Outpatient Coding Representative, Billing and Follow-Up Director, Senior Compliance Auditor, and the appropriate Financial Analyst for pricing revisions. Patient Financial Services, Medical Records and Compliance will e-mail their approval of the “stat” request and include the primary source of authority. The “stat” requests are then activated in the appropriate billing system prior to the next monthly meeting. However, the Chargemaster Compliance Committee will give final approval to all “stat” additions/revisions to the CDM during the next monthly meeting.

• All Finance Department price changes will need to be presented at the Chargemaster Compliance Committee Meeting prior to implementation in the appropriate billing system.

• Annually, the Charge Description Master Specialist(s) will e-mail Excel spreadsheets to each area with the deletions/additions/revisions to the HCPCS/CPT codes. The Department Directors/Managers are responsible for notifying the Charge Description Master Specialist(s) of any additions or revisions that pertain to their department CDM based on these code changes. These department-specific additions/revisions must be approved by the Chargemaster Compliance Committee prior to the implementation deadline of January 1. The Charge Description Master Specialist(s) will automatically inactivate any CDMs with deleted HCPCS/CPT codes according to the effective deletion date, January 1.

• At Summa Health System Hospitals, the Charge Description Master Specialist(s) will coordinate with the Clinical Informatics Nurse to ensure all CDM changes are updated in Carewindows for those areas performing charge entry via Carewindows.

• All departments will be responsible for revising and maintaining their Charge Ticket, based on revisions made to their CDMs, to ensure a current copy is available for staff use.

• The Charge Description Master Specialist(s) will e-mail IT&S when approved requests have been keyed. IT&S will then update SMS (the appropriate billing system) so that production and test systems are in sync.

• All departments with LCDs resulting in CPT/HCPC code changes will be responsible for completing the Healthworks Checklist Form and submitting it to the Charge Description Master Specialist(s), who will update the Healthworks System. This system will then accurately generate Advanced Beneficiary Notices for non-medically necessary services provided to Medicare beneficiaries.

Revised 08/05


Policy for Contingency-Based Arrangements

PATIENT FINANCIAL SERVICES DEPARTMENT

Policy No: ADM-001
Effective Date: 04/01/01
Revision Dates: 03/29/01, 01/27/04, 03/01/06

SCOPE: All Summa Health System personnel responsible for performing/supervising eligibility, coding, billing, and collecting of inpatient and outpatient services related to government payors including, but not limited to:

Administration
Emergency Department
Patient Access
Medical Records
Laboratory Department
Human Resources
Corporate Compliance/Internal Audit
Radiology Department
Case Management
Ancillary Departments
Quality Resource Management
Information Technology & Services
Patient Financial Services
Reimbursement
Materials Management

and any other contracting department

PURPOSE: To ensure that all external companies and personnel retained via a contingency-based contractual arrangement, for the purpose of performing/supervising government eligibility, coding, billing, collecting, and reimbursement activities, operate appropriately.

POLICY: Contingency-based external arrangements involving submissions to government payors are acceptable for use within Summa Hospitals provided the external arrangements adhere to the guidelines of this policy.

GUIDELINES:

1. External arrangements that include a “percentage of dollars” associated with collections from the performance of government eligibility, coding, billing, collecting and reimbursement activities are permitted, provided that:

a) The government payor has the authority to make final decisions regarding additional reimbursement to Summa Hospitals; or

b) The external company and personnel are prohibited from altering bills (i.e. adding charges or changing codes) that could result in additional reimbursement to Summa Hospitals. Hospital employees are the only individuals who can alter bills.


2. Any department manager that engages an external company in a contingency-based arrangement is responsible for monitoring and auditing the activities of the external company and personnel to ensure compliance with this policy.

3. Legal Services and/or Corporate Compliance must be contacted for review of proposed contracts for external services associated with government eligibility, coding, billing, collecting, and reimbursement activities.

4. Alternatives to contingency-based external arrangements involving the review of coding and billing data elements could be based on:

a. Time required to review or audit for completeness, accuracy, and consistency of coded and billed data.

b. Materials required to review or audit for completeness, accuracy, and consistency of coded and billed data.

c. Volume of records reviewed or audited for completeness, accuracy, and consistency of coded and billed data.


Health Information Management Department Standards of Conduct for Coding

Policy No: 1 – MRD
Adopted: 11-12-1998
Revised: 02-17-1999, 09-26-2000, 07-15-2003, 01-30-06

PURPOSE: It is the goal of the Health Information Management Department Coding Staff to follow standards of ethical coding developed by the American Health Information Management Association (AHIMA) Council on Coding and Classification.

PROCEDURE: All employees performing coding responsibilities must meet the following standards of conduct:

A. Diagnoses that are present on admission or diagnoses and procedures that occur during the current encounter are to be abstracted after a thorough review of all physician’s documentation. Those diagnoses not applicable to the current encounter should not be abstracted.

B. Selection of the principal diagnosis and principal procedure, along with other diagnoses and procedures, must meet the definitions of the Uniform Hospital Discharge Data Set (UHDDS).

C. Assessment must be made of the documentation in the chart to ensure that it is adequate and appropriate to support the diagnoses and procedures selected to be abstracted.

D. Medical record coders should use their skills, their knowledge of ICD-9-CM and CPT and any available resources to select diagnostic and procedural codes.

E. Medical record coders should not change codes or narratives of codes in such a way that the meanings are misrepresented. Nor should diagnoses or procedures be included or excluded because the payment will be affected. Statistical clinical data is an important result of coding, and maintaining a quality database should be a conscientious goal.

F. Physicians should be consulted for clarification when they enter conflicting or ambiguous documentation in the chart.

G. The medical record coder is a member of the healthcare team and, as such, should assist physicians who are unfamiliar with ICD-9-CM, CPT or DRG methodology by discussing resequencing or inclusion of diagnoses or procedures when needed to more accurately reflect the occurrence of events during the encounter, irrespective of the implications to reimbursement.


H. The medical record coder is expected to strive for the appropriate payment to which the facility is legally entitled, but it is unethical and illegal to maximize payment by means that contradict regulatory guidelines.

CODING COMPETENCIES:

Hospital-based competencies

A. Data identification

1. Read and interpret health record documentation to identify all diagnoses and procedures that affect the current inpatient stay/outpatient encounter visit.

2. Assess the adequacy of health record documentation to ensure that it supports all diagnoses and procedures to which codes are assigned.

3. Apply knowledge of anatomy and physiology, clinical disease processes, pharmacology, and diagnostic and procedural terminology to assign accurate codes to diagnoses and procedures.

4. Apply knowledge of disease processes and surgical procedures to assign nonindexed medical terms to the appropriate class in the classification/nomenclature system.

B. Coding Guidelines

1. Apply knowledge of current approved “ICD-9-CM Coding and Reporting Official Guidelines”* to assign and sequence the correct diagnosis and procedure codes for hospital inpatient services.

2. Apply knowledge of current “Diagnostic Coding and Reporting Guidelines for Outpatient Services”*.

3. Apply knowledge of CPT format, guidelines, and notes to locate the correct codes for all services and procedures performed during the encounter/visit and sequence them correctly.

4. Apply knowledge of procedural terminology to recognize when an unlisted procedure code must be used in CPT.

C. Regulatory Guidelines

1. Apply Uniform Hospital Discharge Data Set (UHDDS) definitions to select the principal diagnosis, principal procedure, complications and comorbid conditions, other diagnoses and significant procedures which require coding.

2. Select the appropriate principal diagnosis for episodes of care in which determination of principal diagnosis is not clear because the patient has multiple problems.


3. Apply knowledge of the Prospective Payment System to confirm DRG assignment which accurately reflects the occurrence of events and ensures appropriate reimbursement.

4. Refuse to fraudulently maximize reimbursement by assigning codes that do not conform to approved coding principles/guidelines*.

5. Refuse to unfairly maximize reimbursement by unbundling services and codes that do not conform to basic coding principles and the National Correct Coding Initiative (CCI).

6. Apply knowledge of the Ambulatory Payment Center (APC) Payment Groups to confirm APC assignment which ensures appropriate reimbursement.

7. Apply policies and procedures on health record documentation, coding, and claims processing and appeal.

8. Use the HCFA Common Procedural Coding System (HCPCS) to appropriately assign HCPCS codes for outpatient Medicare reimbursement.

Coding

1. Exclude from coding diagnoses, conditions, problems, and procedures related to an earlier episode of care which have no bearing on the current episode of care.

2. Exclude from coding ICD-9-CM nonsurgical, noninvasive procedures which carry no operative or anesthetic risk.

3. For inpatients, exclude from coding information such as symptoms or signs characteristic of the diagnosis, findings from diagnostic studies, or localized conditions, which have no bearing on the current management of the patient.

4. For outpatients, code the diagnosis, condition, problem, symptom, injury or other reason for the encounter or visit which is chiefly responsible for the service provided.

5. Apply knowledge of ICD-9-CM instructional notations and conventions to locate and assign the correct diagnosis and procedural codes and sequence them correctly.

6. Facilitate data retrieval by recognizing when more than one code is required to adequately classify a given condition.

7. Exclude from coding those procedures which are component parts of an already assigned CPT procedure code.


Data quality

1. Clarify conflicting, ambiguous, or nonspecific information appearing in a health record by consulting the appropriate physician.

2. Participate in quality assessment to ensure continuous improvement in ICD-9-CM and CPT coding and collection of quality health data.

3. Demonstrate ability to recognize potential coding quality issues from an array of data.

4. Apply policies and procedures on health record documentation and coding that are consistent with official coding guidelines*.

5. Contribute to development of facility-specific coding policies and procedures.

C. The cooperating parties (American Health Information Management Association, American Hospital Association, Health Care Financing Administration, National Center for Health Statistics) publish official guidelines in the Coding Clinic for ICD-9-CM, available from the American Hospital Association. These guidelines are also available in the ICD-9-CM CD-ROM offered by the US Government Printing Office. “ICD-9-CM Coding and Reporting Official Guidelines” and “Diagnostic Coding and Reporting Guidelines for Outpatient Services (Hospital-Based and Physician Offices)” published in Fourth Quarter, 1995, Coding Clinic for ICD-9-CM (Volume 7, No. 1). The CPT Assistant newsletter, published by the American Medical Association, is also considered a coding resource for the CCS exam.

DISCIPLINARY PROCESS: Completeness of the patient record is governed by the Medicare Conditions of Participation, state licensure requirements and Joint Commission on Accreditation of Healthcare Organizations standards. The medical record coder should also reference the internal Medical Record Department policy and procedure manual as a guide in performing job responsibilities. Failure to follow the above competencies can result in discipline which will follow the Human Resources Disciplinary Process and Rules of Conduct, Policy Number 9.1. When there are repeated occurrences of similar errors after counseling and education, continued errors would be classified as a Group One Offense (failure to perform work at minimum acceptable standards after explanation and guidance). Any disciplinary action will follow the normal progression from counseling through termination according to this policy.


Hourly Observation Policy & Procedure

Effective Date: 6/22/04
Revised: 2/12/07

POLICY: To ensure that Hourly Observation accounts are correctly classified, coded and billed in accordance with governmental regulations.

PROCEDURE:

Akron City and St. Thomas Hospitals

I. Healthcare Review

A. Health Care Review (HCR) nurses complete concurrent review of all observation cases on assigned nursing units for Medicare and all other payors. In performing concurrent case review of observation cases, HCR will determine if Interqual/Milliman observation criteria are met.

1. If observation criteria are not met, HCR will ask the physician to change the HOP status to Inpatient Admission or Bedded Outpatient status as appropriate.

2. If observation criteria are met, HCR will determine the severity level of the observation case, denoting qualifying clinical documentation, and complete the Observation Level of Severity Form. HCR will also denote the total number of hours the patient met HOP criteria.

B. The completed Observation Level of Severity Form is placed on the chart in front of the Registration Record.

C. Chart is picked up by Health Information Management (HIM) staff during daily pick-up and taken to the HIM Department for processing.

II. Health Information Management

A. HIM Analyst will review the chart for the Observation Level of Severity Form. Charts without the Observation Level of Severity Form will be returned to HCR to complete the severity level form and then returned to the HIM Department.

B. HIM Analyst will verify that the patient type is “H”. If not, they will generate a correction form and forward the correction and the chart to the Data Integrity Specialist for correction in SMS (Siemens Medical Systems).

C. HIM Abstractors review the chart for the HOP/Observation Assignment order. If there is a valid HOP order, complete the following fields in ClinTrac:

i. HOP Yes/No – Select “Y” for Yes

ii. HOP Date In – Enter the date of the physician’s order.


iii. HOP Time In – Enter the time of the physician’s order. If the physician’s order is not timed, enter the time when care begins according to the nurse’s notes.

iv. HOP Date Out – Enter the date the physician writes the discharge order, or the date the admit order is written if the patient is admitted following observation.

v. HOP Time Out – Enter the time the D/C order is written, or the time the order is written to admit the patient if admitted following observation

vi. HOP Severity Level – Enter the severity level as indicated on the yellow Outpatient Observation Services Severity Level form

vii. HOP Physician – Enter the name of the physician responsible for care while on the Observation Unit

viii. HOP LOS Hours – This field will automatically calculate based on the data entered above

ix. HOP Nursing Unit – Enter the nursing unit the patient is bedded in for observation

x. Verified – DO NOT USE – this is for administrative use only!

D. The Coding staff will cease coding records with any HOP activity by 3:00 pm each weekday. (Note: Coders must NOT code/finalize any record with HOP activity on Saturday or Sunday, as the charge will not hit the account prior to the bill generating.)

E. The Health Information Analyst will generate a HOP report which indicates the utilization of observation services, based on the following criteria:

i. Finalization date is equal to today’s date

ii. HOP Yes/No field is equal to “Yes”

iii. Both Inpatients and Outpatients will appear on this report.

F. Health Information Analyst will enter User Bill Hold of “O” in SMS to each account listed on the Daily HOP Report.

III. Patient Account Services

A. Each day, by 3:30 p.m., the Daily HOP report (from ACH/STH) is set up to print on the Patient Accounts Services (PAS) printer for data entry of charges.

B. PAS will be responsible for ensuring that they do not post duplicate charges to the account, per their procedure. (Rationale: each time an account is “re-finalized” in ClinTrac, it will appear on that current day’s report of finalized records.)

C. PAS will be responsible for daily entry of charges. Charges should be posted to the account the next business day.

D. For each account listed on the “Daily HOP Report” (ACH, STH, & CFGH), the PAS Biller will review the HOP Date In, HOP Date Out, Unit and Severity Level documented, and compare this data to the “HOP CDMs” spreadsheet (ACH; STH) or “HOP CHARGES” document (CFGH) to determine the appropriate Hourly Observation charge. There are charges established for each nursing unit based on Low, Moderate, and High Severity, as well as 1 Day and 2 Day stays. An Hourly Observation patient admitted and discharged on the same calendar day is considered a 1-Day stay.

• Example 1: HOP Date In = 1/25/06; HOP Date Out = 1/26/06; Unit = 5E; Patient Severity = Moderate
Appropriate Observation Charge = 2103299 – 5E-HOURLY OBS 2DAY-MOD

• Example 2: HOP Date In = 1/25/06; HOP Date Out = 1/25/06; Unit = 5W; Patient Severity = Low
Appropriate Observation Charge = 2103372 – 5W-HOURLY OBS 1 DAY-LOW

E. To calculate the number of Hourly Observation units to charge, review the HOP LOS and SMS columns on the “Daily HOP Report”. The HOP LOS column documents the hours and minutes a patient was in Hourly Observation status, and the Type column documents the Account Type. For those patients, including those admitted as an INPATIENT (Type = I, E or O), use the figure noted in the HOP LOS column to determine the number of Hourly Observation units to charge. Round down for minutes less than 30 and round up for minutes of 30 or more.

• Example 1: HOP LOS = 25:30

HOP Units to Charge = 26 (round up)

• Example 2: HOP LOS = 11:10

HOP Units to Charge = 11 (round down)

NOTE: For those patients ADMITTED AS AN INPATIENT (Type=I), use the figure noted in the HOP LOS column to determine the number of Hourly Observation units to charge. Round down for minutes less than 30 and round up for minutes of 30 or more. After rounding, charge total HOP hours for the date the patient was assigned to observation and an inpatient room and board charge for the date the patient was admitted as an inpatient.


• Example 1: HOP Date = 10/5/06; HOP LOS = 9:10 (round down to 9 hours); Time In = 10/5/03 22:10
Admit Date = 10/6/06

• Example 2: HOP Date = 10/15/06; HOP LOS = 10:45 (round up to 11 hours)
Admit Date = 10/16/06

F. PAS Billers will enter the CDM number of the appropriate Hourly Observation charge and the number of units in SMS Patient Accounting, with the exception for Medicaid noted below.

G. For Medicaid accounts, the number of units must always equal one (1). Enter the appropriate dollar amount for the actual number of units of Hourly Observation charges, but enter a quantity of one (1).

H. For Medicaid accounts, Hourly Observation charges that span two (2) calendar days must be reported as two (2) separate line items on the UB-92. Enter the appropriate dollar amount for the actual number of units of Hourly Observation charges for the first calendar day with a quantity of one (1). Then enter as a second charge the appropriate dollar amount for the actual number of units of Hourly Observation charges for the second calendar day with a quantity of one (1).

• Example: HOP Date and Time In = 1/25/06 at 23:10; HOP Date and Time Out = 1/26/06 at 16:15; Unit = 5E; Patient Severity = Moderate
Appropriate Observation Charge = 2103299 – 5E-HOURLY OBS 2 DAY-MOD ($74.00)
Post Charges for 1/25/06 = 1 unit; Total Charges equal $74.00 ($74.00 X 1)
Post Charges for 1/26/06 = 1 unit; Total Charges equal $1184.00 ($74.00 X 16)

I. PAS Biller will remove the User Bill Hold “O” from the account in SMS or “H” in HBOC to release the account for billing and place the following comment on the account – “Added HOP hrs per procedure/daily HOP report and removed Bill Hold”.
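As an added example (not part of the Summa policy or of the SMS/HBOC systems), the Section III.D-H rules written as checks a reviewer could run over Daily HOP Report data: HOP LOS rounding, 1-Day/2-Day CDM selection, and the Medicaid split into one line per calendar day. The CDM table holds only the two codes the policy's own examples quote, the $74.00 rate and the date formats are taken from those examples, and the handling of a day that rounds to zero units is an assumption the policy does not state.

```python
"""Added example: Hourly Observation (HOP) charge checks per Section III.D-H."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

# Constructed subset of the "HOP CDMs" spreadsheet (ACH/STH). Only the two
# codes quoted in the policy's examples are listed; any other
# (unit, severity, days) combination must be looked up in the real spreadsheet.
HOP_CDMS: dict[tuple[str, str, int], str] = {
    ("5E", "Moderate", 2): "2103299",  # 5E-HOURLY OBS 2DAY-MOD
    ("5W", "Low", 1): "2103372",       # 5W-HOURLY OBS 1 DAY-LOW
}

DATE_FMT = "%m/%d/%y"            # 1/25/06, as written on the Daily HOP Report
DATETIME_FMT = "%m/%d/%y %H:%M"  # 1/25/06 23:10


def round_hop_units(hop_los: str) -> int:
    """Section E: convert a HOP LOS of 'HH:MM' into whole hourly units.

    Minutes under 30 round down, 30 or more round up (25:30 -> 26, 11:10 -> 11).
    """
    hours_str, minutes_str = hop_los.split(":")
    hours, minutes = int(hours_str), int(minutes_str)
    if hours < 0 or not 0 <= minutes < 60:
        raise ValueError(f"malformed HOP LOS {hop_los!r}")
    return hours + (1 if minutes >= 30 else 0)


def stay_days(date_in: str, date_out: str) -> int:
    """Section D: in and out on the same calendar day is a 1-Day stay, else 2-Day."""
    d_in = datetime.strptime(date_in, DATE_FMT).date()
    d_out = datetime.strptime(date_out, DATE_FMT).date()
    if d_out < d_in:
        raise ValueError("HOP Date Out precedes HOP Date In")
    return 1 if d_in == d_out else 2


def observation_cdm(unit: str, severity: str, date_in: str, date_out: str) -> str:
    """Section D: select the CDM by nursing unit, severity and 1-Day/2-Day stay."""
    key = (unit, severity, stay_days(date_in, date_out))
    if key not in HOP_CDMS:
        raise LookupError(f"no HOP CDM on file for {key}; check the spreadsheet")
    return HOP_CDMS[key]


@dataclass(frozen=True)
class ChargeLine:
    service_date: date
    cdm: str
    quantity: int
    amount: float | None  # dollar amount the biller keys; None = system prices it


def charge_lines(time_in: str, time_out: str, cdm: str, rate: float,
                 medicaid: bool) -> list[ChargeLine]:
    """Sections F-H: the charge line(s) to post for one account.

    Non-Medicaid (F): one line whose quantity is the rounded total HOP units.
    Medicaid (G/H): one line per calendar day, quantity always 1, with the
    dollar amount equal to rate x that day's rounded units.
    """
    t_in = datetime.strptime(time_in, DATETIME_FMT)
    t_out = datetime.strptime(time_out, DATETIME_FMT)
    if t_out <= t_in:
        raise ValueError("HOP Time Out must follow HOP Time In")

    def units_between(start: datetime, end: datetime) -> int:
        total_minutes = int((end - start).total_seconds()) // 60
        return round_hop_units(f"{total_minutes // 60}:{total_minutes % 60:02d}")

    if not medicaid:
        return [ChargeLine(t_in.date(), cdm, units_between(t_in, t_out), None)]

    lines: list[ChargeLine] = []
    cursor = t_in
    while cursor < t_out:
        # Each segment ends at the next midnight or at HOP Time Out, whichever is first.
        midnight = datetime.combine(cursor.date() + timedelta(days=1), time.min)
        segment_end = min(midnight, t_out)
        units = units_between(cursor, segment_end)
        # Assumption: a day whose minutes round to zero units is still listed
        # (amount 0.00) so the reviewer sees it; the policy does not cover this case.
        lines.append(ChargeLine(cursor.date(), cdm, 1, round(rate * units, 2)))
        cursor = segment_end
    return lines


if __name__ == "__main__":
    # The policy's Medicaid example: 1/25/06 23:10 to 1/26/06 16:15 on 5E, Moderate.
    example_cdm = observation_cdm("5E", "Moderate", "1/25/06", "1/26/06")
    for line in charge_lines("1/25/06 23:10", "1/26/06 16:15", example_cdm,
                             74.00, medicaid=True):
        print(line.service_date, line.cdm, f"qty={line.quantity}", f"${line.amount:.2f}")
```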


Cuyahoga Falls General Hospital

IV. Case Management

A. Case Management (CM) nurses complete concurrent review of all observation cases on assigned nursing units for Medicare and all other payors. In performing concurrent case review of observation cases, CM will determine if Interqual observation criteria are met.

1. If observation criteria are not met, CM will ask the physician to change the HOP status to Admit or Outpatient status as appropriate.

2. If observation criteria are met, CM will determine the severity level of the observation case, denoting qualifying clinical documentation, and complete the Observation Level of Severity Form retrospectively.

B. Chart is picked up by MR (Medical Records) staff during daily pick-up and taken to the MR Dept for processing. Chart is returned to Case Management.

C. The completed Observation Level of Severity Form is placed on the chart in front of the Registration Record. CM will also denote the total number of hours the patient met HOP criteria. A copy is given to the Documentation Review Coordinator.

V. Medical Records

A. Chart is picked up by the Medical Records Staff during daily pick-up rounds and taken to the MR Dept. for processing.

B. Medical Records Outpatient Assembly/Analyst will verify that the patient type is OBS. If not, they will forward the chart to Case Management for correction in HBOC.

C. Medical Record will be placed on the Case Management shelf in Medical Records for review and assignment of the Level of Severity by Case Management.

D. Case Management will make a copy of the completed Level of Severity form for the Documentation Review Coordinator and place the HOP/OBS records on the Documentation Review Coordinator’s shelf in the MR Dept.


E. Medical Records Documentation Review Coordinator will enter the User Bill Hold of “H” in HBOC to each account a Level of Severity form received from Case Management.

F. Medical Records Coder / Abstractors review the chart for HOP/OBS Assignment

order. If there is a valid HOP/OBS order, complete the following fields in 3M HDM:

1. Verify Patient Type Field – Observation 2. HOP/OBS Date In – Enter the date of the physician’s order.. 3. HOP/OBS Time In – Enter the time of the physician’s order. If the

physician’s order is not timed, enter the time when care begins according to the nurse’s notes.

4. HOP/OBS Date Out – Enter the date the physician writes the discharge order, or the date the admit order is written if the patient is admitted following observation. Refer to the completed Level of Severity form.

5. HOP/OBS Time Out – Enter the time the D/C order is written, or the time the order is written to admit the patient if admitted following observation. Refer to the completed Level of Severity form.

6. HOP/OBS Care Unit – Enter the nursing unit the patient is bedded in for observation.

7. HOP/OBS LOS Hours – This field will automatically calculate based on the data entered above.

8. HOP/OBS Severity Level – Enter the severity level (CPT Code) as indicated on the white Outpatient Observation Services Severity Level form.

G. The Medical Records Management Staff generates a Daily HOP/OBS report that is e-mailed to PAS which indicates the utilization of observation services, based on the following criteria:

1. Report based on Coding Completion Date
2. Patient Type is OBS or I/P (with Observation hours)
3. Will include all Financial Classes
4. A separate report will be produced on both Inpatient and Outpatient.

H. See III. C - I. of this policy for procedures related to CFGH Patient Account of HOP accounts.


Medical Necessity

Policy: Medicare will only pay for services which are determined to be reasonable and necessary. A signed Advance Beneficiary Notice (ABN) must be obtained when ordered outpatient tests/services do not meet medical necessity requirements. It is the intent of Summa Hospitals to obtain a signed Advance Beneficiary Notice (ABN) from Medicare beneficiaries prior to service when outpatient tests/services are believed to be non-covered according to Local Coverage Determinations or National Coverage Determinations.

Definitions:

Allied Health Practitioner: Any non-physician practitioner permitted by law to provide care and services within the scope of the individual’s license and consistent with individually granted scope of practice and approved by the Allied Health Practitioner Committee. For example, certified nurse-midwives, certified registered nurse anesthetists, physician assistants and nurse practitioners are all allied health practitioners.

Medicare Beneficiary: For purposes of this policy, a Medicare Beneficiary includes anyone enrolled in Traditional Medicare.

Local Coverage Determinations (LCD): In the absence of applicable national policy, a policy developed specifying criteria that describe whether a test/service is covered and under what clinical circumstances the test/service is considered to be reasonable and necessary. Local Coverage Determinations are issued by Fiscal Intermediaries: AdminaStar Federal, Inc. for Summa Hospitals.

National Coverage Determinations (NCD): Medicare review policies as issued by the Center for Medicare and Medicaid Services (CMS) which identify specific medical tests, services, treatment procedures or technologies that are covered and paid by the Medicare program. National Coverage Determinations can be found in the Coverage Issues Manual (HCFA Pub.6) and the Medicare Hospital Manual (HCFA Pub.10).

Procedure:

I. Medical Necessity Documentation: We document medical necessity by obtaining written physician orders that meet the following criteria:

• Include patient’s name
• Include procedure
• Include diagnosis (i.e. ICD-9 codes and/or verbiage including diagnosis, clinical signs and symptoms, and/or chief complaint)


• Dated
• Signed by a physician or authorized allied health practitioner

II. When an ABN Must be Obtained:

An Advance Beneficiary Notice must be obtained when one or more of the following circumstances exists:

• The test/service is for investigative or research use only.
• The test/service provided does not meet medical necessity requirements according to LCD or NCD.
• The test/service may only be paid for a limited number of times within a specified time period (frequency limitation) and the visit may exceed that limit.
• The test/service has not been approved by the Food and Drug Administration.
• The test is for a routine screening, unless the screening test has been identified as one which Medicare will cover.

III. Form of the ABN

An ABN must be on the approved CMS Form.

IV. Review of Outpatient Services for Medical Necessity

When a traditional Medicare beneficiary presents with an order signed by a physician or authorized allied health practitioner with diagnosis for outpatient services, Summa Hospitals will use medical necessity software and/or the LCD and NCD downtime electronic folder to compare procedures (CPT codes) and diagnoses (ICD-9 codes) for a determination of medical necessity.

V. Medical Necessity Guidelines Met

When the results of the compliance check satisfy medical necessity guidelines, an ABN does not need to be produced and the patient will proceed with having the procedure/test performed.

VI. Medical Necessity Guidelines Not Met

When the results of the compliance check do not meet medical necessity guidelines, an ABN must be produced. Summa Hospitals staff may contact a physician office to obtain additional diagnostic information. Whenever an additional diagnosis is obtained, the following must be documented:

1. the new diagnosis (i.e. ICD-9 codes and/or verbiage including diagnoses, clinical signs and symptoms, and/or chief complaint)


2. the name of the person who provided the diagnosis
3. date and time obtained
4. initials of Summa Hospitals staff who obtained the information

VII. Patient Options

When an ABN must be produced, the patient will be instructed on the purpose of the form and be asked to sign one of two options on the ABN form:

• Patient agrees to Pay:

Patient agrees to pay for service(s) which are determined to be not medically necessary and services are performed; or

• Patient refuses to Pay:

Patient refuses to pay for the services which are determined to be not medically necessary and services are not performed.

VIII. Billing Requirements

There are three requirements for billing as follows:

• Medicare-covered services that are medically necessary will be billed in the covered column of the UB-92 claim form.
• Medicare-covered services that are not medically necessary will be billed in the non-covered column with the appropriate modifier and occurrence code.
• Services that are statutorily not covered by Medicare will be billed in the non-covered column of the UB-92 claim form to Medicare if there is secondary insurance or to the patient if there is no secondary insurance.

IX. Retention of ABN

The original ABN should be scanned into Document Imaging and then forwarded to Patient Accounts for filing.

X. Prohibition of Routine Use of ABN

Unless an exception applies, the routine use of an ABN is prohibited. There must be a specific reason to believe Medicare does not consider the test/service ordered to be medically necessary for an ABN to be produced. An example of an exception is tests/services that have a frequency limitation, for which an ABN may be routinely distributed.

Revised February, 2004; June, 2006


Medical Record Chart Content

Adopted: 02/27/01 Reviewed: 1/23/02, 7/15/03, 1/30/06

Policy: To facilitate patient care, the medical record must contain sufficient information to:

• identify the patient
• support the diagnosis
• justify the treatment
• document the course and results; and
• facilitate continuity of care.

The hospital initiates and maintains a medical record for every individual assessed and treated. Minimum Form content specific to each department can be found in their respective procedure manuals.


Medical Record Retention Procedure

ADOPTED: 11/12/98 REVISED: 02/27/01, 09/20/03, 11/25/03 REVIEWED: 01/30/06

POLICY: To establish a corporate Retention Policy for Patient Medical Records, Fetal Monitors, Logs and Indexes that meets Legal Statutes and JCAHO requirements.

PROCEDURE:

A. Inpatient Medical Records and Outpatient Medical Records maintained by the Medical Records Department.

RETENTION – 20 YEARS

1. Inpatient
2. Emergency Room
3. Same Day Surgery
4. Hourly Observation
5. Non-admission maternity
6. Dialysis
7. Endoscopy
8. Cardiac Cath
9. Anesthesia Block
10. Oncology
11. Chemical Dependency Interim Outpatient – Psych Interim Outpatient

B. Outpatient Medical Records maintained in Ancillary Areas.

RETENTION – 10 YEARS

• EXCEPTION: Radiation Therapy and Hospital based Clinics Patients, under the age of 18, shall be retained for 20 years.

C. FETAL MONITORING STRIPS

• Permanent Retention

D. INDEXES AND REGISTERS:

• Disease Index 20 years
• Physician Index 10 years
• Operating Index 20 years
• Master Patient Index Permanent
• Patient Admission Register Permanent
• Delivery Room Register 5 years


• Death Register 5 years
• Birth Certificate Logs 1 year + current
• Correspondence Requests 1 year + current
• Organ Donation Forms 3 years + current


Medicare Bad Debt Policy Reimbursement Section of Finance Department

Approved: 9/26/00 Reviewed: 10/28/05 Policy:

To properly identify, quantify and report Medicare Bad Debts on the Medicare Cost Report.

Procedure:

Each year the regulations for preparing the Medicare Cost Report are reviewed. For Medicare bad debts the regulations to be reviewed are:

Regulation - 42 CFR §413.80
Program Instructions - PRM Part I Chapter 3, §308 Criteria for Allowable Bad Debt
Program Instructions - PRM Part I Chapter 3, §310 Reasonable Collection Effort

Per the Regulation and Instructions above, the following currently apply:

1. The debt must be related to covered services and derived from deductible and coinsurance amounts.
2. Summa Hospitals must be able to establish that reasonable collection efforts were made.
3. The debt was actually uncollectible when claimed as worthless.
4. Sound business judgment established that there was no likelihood of recovery at any time in the future.
5. Medicare collection efforts must reflect the same efforts put forth for other payors.

Summa Hospitals’ procedures are as follows for all payors:

1. Patient Accounts Department will issue 5 statements over a 120-day period. The final letter serves as a pre-collection letter.
2. At this time the account balance is written off our books.
3. Collection efforts take place for 150 days before determining whether to file suit.
4. Bad Debt expense is removed from our Cost Report via an A-8.
5. After the collection effort deems that no more money will be collected, the Medicare balance is claimed as bad debt on the cost report.


Medicare Cost Report Policy Reimbursement Section of Finance Department

Approved: 9/26/00 Reviewed: 10/28/05

Policy: To make sure that the Medicare Cost Report, Medicaid Cost Reports, Champus Cost Report, Exception Reports and all related reports (CMS 339, etc.) are filed accurately in accordance with the rules and regulations of the Centers for Medicare and Medicaid Services (CMS) or other governing agency.

Procedures: Cost Reports

1. Each year the regulations for preparing the Medicare, Medicaid or Champus Cost Report are reviewed.

2. Expenses are pulled from the general ledger and are tied to the audited financial statements.

3. Statistics are pulled from our billing system Data Warehouse.

4. Memos are sent out to various departments to provide information with regard to unallowable costs (e.g. alcohol, promotional, lobbying and Procuren drug expense).

5. Information on statistical allocations is prepared by individual departments supported by their data (e.g. pounds of laundry, time studies, meals served, time spent).

6. Prior year adjustments and reclassifications are reviewed to see if they still apply or need to be changed.

7. Prior intermediary audit adjustments are incorporated into the current cost report.

8. The Organizational Chart is updated and changes are reflected on the CMS 339 Questionnaire when necessary.

9. Related parties if applicable are disclosed on the CMS 339 Form.

10. Bad debt expense is reported based upon our Medicare Bad Debt Policy and Procedure.

11. When material errors are found, the cost report will be revised and sent to the necessary agency or agent.

12. Contracted help will work under the conditions of this policy.

Exception and Other Related Reports: Proper procedures will be taken to file accurately and within the instructional guidelines of the related report. Assistance from the department concerned will be utilized. The same steps to file an accurate Cost Report will be taken for Exception and other related reports as applicable.


Procedure for Completing Quarterly Medicare Credit Balance Report

PATIENT ACCOUNT SERVICES DEPARTMENT REFUND ANALYST UNIT

Policy No: RA-011 Effective Date: 2/24/00 Revision Date: 5/4/06 Review Date: 3/01/06

PURPOSE: To comply with the mandatory quarterly Medicare Credit Balance (HCFA Form 838) reporting.

POLICY: To develop a standard procedure for completing the quarterly Medicare Credit Balance Report.

PROCEDURE:

1) The first quarter (January – March) Medicare credit balance report is always due at the end of April.
   • The second quarter (April – June) Medicare credit balance report is always due at the end of July.
   • The third quarter (July – September) Medicare credit balance report is always due at the end of October.
   • The fourth quarter (October - December) Medicare credit balance report is always due at the end of January.

2) Medicare Credit Balance Processing

a) Processing in SMS

i) The accounts with a Medicare credit balance appear weekly in the SMS Collector Workstation function. In addition, Medicare credit balances are identified through other modalities. However, the same procedure is followed.

ii) The Refund Analysts analyze the account detail to determine if a refund is due back to Medicare, Medicaid or any other insurance. This analysis may require that all EOBs be pulled in order to make a correct determination.

iii) If a Medicare refund is due, the Refund Analysts place a Medicare credit balance form of the account in the dedicated area.

iv) Simultaneously, if applicable, the account and all associated paperwork (e.g. EOB, etc.) are referred to Billing.

v) Once a determination is made as to which payer should be refunded, the SMS “PAY SCALE” field must be valued. By valuing the pay scale field, once the accounts are completed to reflect a zero balance, they do not reappear in Collector Workstation. To value the SMS “PAY SCALE” field, select PF2 (Patient Financial Data) from the “Patient Overview” screen. Be sure to value the “Pay Scale” field and not the “Credit” field. The “Pay Scale” field is located after the slash (/) as indicated below.


CREDIT/PAY SCALE: _ / _

Value the “PAY SCALE” field according to the following payer information:

• If Medicare is due a refund, enter M in the Pay Scale field
• If Medicaid is due a refund, enter C in the Pay Scale field
• If any other payer is due a refund, enter R in the Pay Scale field
• If the Medicaid account is completed, enter T in the Pay Scale field

Note: the Pay Scale field will NOT update until the next day.

b) Processing in HBOC

i) The Medicare Credit Aged Trial Balance is run from HBOC each month end and sent to the Refund Analyst.

ii) Working from the Medicare Credit Aged Trial Balance, each account detail should be analyzed to determine if a refund is due back to Medicare, Medicaid or any other insurance. This analysis may require that all EOBs be pulled in order to make a correct determination.

iii) If a Medicare refund is due, the Refund Analyst places a Medicare credit balance form of the account in the dedicated area.

c) In both SMS and HBOC, the accounts are noted by the Refund Analysts. If the account has been referred to Billing, the initials of the Biller and the referral date is listed.

d) Processing of Medicare Credit Balance Form

i) The Medicare credit balance forms placed in the dedicated area accumulate throughout the quarter. Towards the end of the quarter, the Supervisor, Cash Flow reviews the accounts in the system to identify whether a Medicare credit balance remains. These accounts with a remaining credit balance are forwarded to the Charge Audit and Reconciliation Technician to manually enter on the Excel spreadsheet.

ii) If Medicare is due a refund, and the account is less than 18 months old, the Medicare Billers will adjust the claim online. If the claim is older than 18 months, the claim must be adjusted via hard copy.

iii) Accounts that are no longer available on the Medicare on-line system must have a hard copy claim sent with the credit balance report for the applicable quarter ending. All accounts require the following information:

Provider Number:
36-0020 Medicare Generic
36-6138 SNF
36-T020 Therapy/Rehab
36-S020 Psych
36-2303 Dialysis
36-0150 CFGH Medicare Generic


(1) Beneficiary Name (Last Name, First Name)
(2) HIC Number (must be at least 9 digits long)
(3) ICN Number (must be at least 14 digits long)
(4) Type of Bill:
(5) Admission Date (MM/DD/YY)
(6) Discharge Date (MM/DD/YY)
(7) Paid Date (MM/DD/YY)
(8) Cost Report* (O-Open or C-Closed)
(9) Amount of Credit Balance:
(10) Amount Repaid to Medicare (must equal #9)
(11) Method of Payment (C-Check; A-Adjusted by Hard Copy Claim; E-Adjusted Online Electronically)
(12) Medicare Amount Outstanding (#9 minus #10)
(13) Reason for Credit Balance (1-Duplicate Pay; 2-Primary Payment by other insurer; 3-other reasons)
(14) Value Code (if answer to #13 is 2): (12=Working Aged; 13=End Stage Renal; 14=Auto NoFault/Liab; 15=Worker’s Comp; 16=Other Gov. Prog; 41=Black Lung; 42=Veterans Admin; 43=Disability)
(15a) Primary Payer (if answer to #13 is 2)
(15b) Primary Payer Address (if answer to #13 is 2)

e) Do NOT report anything on the quarterly report that has had the adjustment (or cancel) sent and has been corrected by Medicare. Accounts that have been identified and have had an adjustment (or cancel) sent but have NOT been corrected by Medicare by the quarter ending, must be reported.


Offices of Medical Education and Office of Research Administration Corporate Compliance Policy

The Offices of Medical Education include the administration of activities performed in relationship to the provision of undergraduate education of medical students, graduate education of residents and continuing medical education of attending staff. By providing the administrative support for these activities and services, the Offices of Medical Education will offer educational programs which will strategically place Summa Hospitals in a position to train and support highly competent and compassionate physicians. This is accomplished through the functions of undergraduate student coordination, resident recruitment, administration and maintenance of resident education and resident retention, administration of continuing medical education and administration and maintenance of educational materials and services through the medical libraries and medical bookstore. The Offices of Medical Education will provide these services and facilities to all persons without regard to race, color, religion, sex, marital status, national origin, age, handicap, sexual orientation or status as a veteran.

The following is a listing of agencies that provide the regulatory compliance guidelines for the provision of medical education at Summa Hospitals and the areas in which they provide guidance.

1) As they apply to the provision of medical education, the Offices of Medical Education will comply with all rules and regulations as outlined by the Centers for Medicare and Medicaid Services (CMS), the Accreditation Council for Graduate Medical Education (ACGME), the American Medical Association (AMA) Principles of Medical Ethics, and the Joint Commission on Accreditation of Health Care Organizations (JCAHO), the Council on Postdoctoral Training (COPT) and the American Osteopathic Association (AOA) as applicable. All hazardous materials contained within the Offices of Medical Education are regulated under the Occupational Safety and Health Act.

2) In reference to medical licenses, the Offices of Medical Education will comply with all licensing regulations as outlined by the Federation of State Medical Boards of the United States and the State Medical Board of Ohio for both training certificates and permanent licenses.

3) In regards to residents who do not hold permanent United States citizenship, the Office of Medical Education will comply with all regulations as outlined by the United States Immigration and Naturalization Service (INS) and the Educational Commission for Foreign Medical Graduates (ECFMG).

4) Undergraduate medical education services, administered through the Offices of Medical Education, provide undergraduate educational experiences through an affiliation agreement with Northeastern Ohio Universities College of Medicine (NEOUCOM) and/or the Ohio University College of Osteopathic Medicine (OUCOM/CORE) and through cooperative arrangements with other allopathic and osteopathic medical schools accredited through the Liaison Committee on Medical Education (LCME) or the American Osteopathic Association (AOA) and located throughout the United States, Puerto Rico and Canada. Medical students from non-LCME or non-AOA accredited medical schools are not permitted to participate in any undergraduate medical education experience at Summa Hospitals. The Offices of Medical Education will comply with all LCME and AOA rules and regulations as they apply to the provision of undergraduate medical education on a clinical campus site.

5) The Offices of Medical Education will maintain compliance with all regulations as they pertain to the recruitment of residents to the Summa Hospitals' graduate medical education programs. These regulations include compliance with the National Resident Matching Program (NRMP), the Fellowship and Residency Electronic Interactive Database Access System (FREIDA), the Electronic Residency Application Service (ERAS) and the American Osteopathic Association (AOA). Once a medical student graduates from medical school and is admitted to the graduate medical education program, all contractual agreements between the new resident and Summa Hospitals will be governed by the regulations as set forth in the respective Summa Hospitals House Staff Manuals. In addition, the educational activities of the resident will be governed by the regulations of the ACGME, AOA, COPT, CMS, the specific regulations for physicians at teaching hospitals (PATH) and all other regulatory agencies as applicable to graduate medical education resident contracts.

6) Continuing medical education for physicians is administered through the Offices of Medical Education. The Ohio State Medical Association (OSMA) and the American Osteopathic Association (AOA) accredit and regulate the continuing medical education programs of Summa Hospitals. The Offices of Medical Education maintain compliance with these regulations and in full accreditation for the provision of continuing medical education.

7) The medical libraries and medical bookstore are administered through the Offices of Medical Education and are subject to and remain in compliance with all regulations as outlined by the United States Copyright Laws.

8) With regard to research, Summa Hospitals will remain in compliance with all relevant FDA and OHRP regulations, per Summa Hospitals’ respective Federal Wide Assurances.


Outpatient Services Rendered to Medicare Patients In Connection With Inpatient Stays

Whenever outpatient diagnostic or therapeutic services are provided to any Medicare patient by Summa Hospitals, or under arrangements with Summa Hospitals, within three calendar days prior to the date of admission, Summa Hospitals will combine billing for outpatient services with billing for a subsequent inpatient admission.

“Under arrangements” refers to patient services or items provided by an entity outside Summa for which Summa bears the cost and bills the patient account in turn, e.g. testing by a reference laboratory (See Hospital Manual [HCFA Pub-10] §207).

The following exceptions apply to this policy:

1. Services provided by Summa Hospitals’ home health agency, skilled nursing units and hospice prior to an inpatient admission will not be combined with the inpatient bill unless diagnostic services provided by these units are payable under Part B. If diagnostic services are payable under Part B, the services will be combined with the inpatient admission as detailed above.

2. Maintenance renal dialysis services will not be combined with the inpatient bill.

Professional services personally furnished by physicians will not be combined with the inpatient admission. Under no circumstances will outpatient services be provided in such a way as to deliberately avoid combining outpatient services billing with inpatient admissions to Summa Hospitals.


Patients’ Freedom of Choice In Post-Acute Care Services

Hospitals are required under the Title XVIII, 42 US Code, section 1395x(ee) and 42 US Code of Federal Regulations section 482.43 (b)(6) to provide patients’ freedom of choice when they are discharged from the inpatient setting and may require post-hospitalization home care or extended Skilled Nursing Facility (SNF) services. The CMS’ Interpretive Guidelines for the Hospital Conditions of Participation extends this requirement to include Hospice services. During the discharge process patients are to be evaluated for any likely needs of post-discharge home health, SNF or hospice services and the availability of needed services to the patient. Participating agencies, or individuals, are to have the following:

• Medicare certification;
• Serve the area in which the patient resides; and
• Request to be a participating entity or individual provider of home health, skilled nursing facility or hospice services.

Summa Health System adheres to the above regulatory requirements through processes established in nursing, social work and discharge planning areas. The hospitals in the system have established the following:

Discharge Planning: Home Health Services

• Once it has been determined that the patient would benefit from home health services the following occurs:

o The patient is provided a choice of agencies/individuals that provide the needed services. This choice can be offered by a Social Worker, Patient Care Coordinator, or Case Manager;

o The patient is also informed at that time that Summa’s HomeCare is a department of the hospital and there is a financial relationship.

o Once the patient has made a choice, that choice is recorded on a ‘Patient Choice Form’ that the patient is asked to sign.

o A copy of the form is provided to the patient with the original remaining in the patient’s chart.

The Home Health Provider List is based on a written request from any agency or individual to be included on the list. The list is maintained by the Social Work department.

Discharge Planning: Skilled Nursing Facility (SNF)

• Discharge placement in a local SNF by Patient Care Coordinators or Case Managers includes presentation of the Care Coordination Network book available on inpatient care units. The Care Coordination Network book lists SNFs which are members of Summa’s preferred provider network of skilled nursing facilities.


o If placement to Summa Health System Hospitals’ Transitional Care Unit (TCU) is selected, patients and families are informed of the hospital’s financial relationship with the TCU.

o Patient Care Coordinators and Case Managers must document the process and outcome of patient choice in the patient record.

• Discharge placement in a local SNF by Social Workers is accomplished in accordance with Department of Social Work policy.

o If placement to Summa Health System Hospitals’ Transitional Care Unit (TCU) is selected, patients and families are informed of the hospital’s financial relationship with the TCU.

o Social Workers must document the process and outcome of patient choice in the patient record according to Department of Social Work policy.

NOTE: choice may be driven by restrictions from the patient’s insurance provider.

Discharge Planning: Hospice Service

• All personnel arranging discharge placement to a hospice service must verbally inform patients of their right to freely choose among hospice service providers.

o Summa Health System Hospitals’ Hospice may be recommended as the preferred choice.

o If Summa Health System Hospitals’ Hospice is selected, patients and families must be informed of the financial relationship between the Hospice and Summa Health System Hospitals.

o The process and outcome of patient choice must be documented in the patient record.

NOTE: choice may be driven by restrictions from the patient’s insurance provider.

References: Administrative Policy Manual, Patient Rights

Social Work Policy Manual, Placement at Extended Care Facility (ECF)

Nursing Policy Manual, Patient Discharge/Transfer outside Summa Health System


Physician Services Support Policy

Background: Summa Health System Hospitals (“Summa”) operates a variety of Medical Administrative Departments with a focus on supporting its Medical Staff structure and Residency Training Programs operated at Summa and Cuyahoga Falls General Hospital (“CFGH”). Physician Services personnel directly support the Vice President of Physician Alignment and other key members of the Summa and CFGH Senior Management Teams in the development and administration of the physician compensation arrangements required to perform these operations and to contract with the Physicians needed to provide Administrative, Clinical and Teaching support to Summa. Physician Services support includes general coordination of professional services contracting, and drafting and routing of proposed arrangements for key legal, compliance, operational, and financial reviews and approvals prior to implementation. The Physician Services staff also supports the Physician Time Study professional services hours verification process including support to help bring compliance if so required.

Physician Services Support Policy: The Summa and CFGH Senior Management Teams have established and maintained an expectation that all professional services arrangements and employment agreements with Physicians will meet fair market value standards, and comply with all federal and state laws governing hospital-physician relations, including the Stark law, the Antikickback statute, IRS guidelines, and any other known and accepted compliance standards for such arrangements. In addition, all professional service arrangements also incorporate all necessary language to ensure that both parties are compliant with Medicare Conditions of Participation, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Summa and CFGH Medical Staff policies.

Toward this end, the Physician Services Department has established the following operational support policies:

Development and Implementation of Professional Service Agreements/Employment Agreements:

All proposed professional services arrangements and employment agreements are developed under pre-established Physician contracting guidelines as have been recommended and/or approved by the Board of Directors, the Compensation Committee, Legal Services, Compliance Department, key Senior Managers and other accountable parties. The current set of Physician contracting guidelines is maintained in Physician Services where the general coordination function for the development of Physician compensation arrangements occurs.


The Summa/CFGH Physician Contracting Guidelines apply to all professional service arrangements and employment agreements including those Physician arrangements operated through Summa Physicians, Inc, a Summa wholly owned professional corporation and Health Care Center Physicians Inc. (“HCCP”) a CFGH wholly owned Professional Corporation. The Physician Contracting Guidelines are reviewed and updated on an as needed basis in order to remain in compliance with all current regulations. These updates are coordinated through the Legal and Compliance Departments and members of the Senior Management Teams, including but not limited to, the Vice Presidents of Physician Alignment, Service Lines, Medical Education, Medical Affairs, and Legal Services. Professional Services arrangements and Employment Agreements are considered proposed until all appropriate and necessary reviews and approvals are secured. No compensation arrangement can be implemented without, as a minimum:

• Written documentation from national or regional physician compensation benchmarking publications demonstrating the appropriateness of the proposed compensation, to ensure such compensation is within fair market standards for the professional services to be provided.

• Compliance Department approval for arrangements involving new program development and professional fee billing.

• Documentation of the need for the service and the final authorization to implement the recommended arrangement from the operational manager for the area and the responsible Vice President.

• Legal Services approval.

Where appropriate or necessary, the review and/or approval of the associated financial or business plans are coordinated with the appropriate financial approval body:

- The general physician contracting terms and guidelines are subject to the approval of Senior Management and the Compensation Committee.

- Financing for Summa’s new physician practice start-ups will be reviewed and subject to the approval of the Hospital Operations Committee.

- IRS Physician recruitment arrangements will be subject to the approval of the appropriate Board of Directors.

- Contracted bonus compensation or other incentive payments will be subject to review by the appropriate Vice President before final annual awards are implemented.

Determining Fair Market Compensation

Physician Services subscribes to a minimum of three (3) nationally recognized physician production and compensation databases. In addition, Physician Services receives support from the Summa Human Resources Department, Compensation and Employee Reward management staff to obtain regional physician compensation benchmarking. Individual Physician or service line compensation recommendations are developed in compliance with Summa’s Physician Contracting Guidelines. As such, the compensation recommendations will take into account the total compensation available to the physician when performing his or her contracted role. Professional service arrangements will state clearly the hospital and physician expectations regarding the physician’s right to bill, collect and retain any professional fees earned in conjunction with the physician performing his or her contracted role. Compensation is paid in accordance with the agreed upon contracted rate. No change in compensation occurs without appropriate legal documentation.

Documenting Completion Of Contracted Service Requirements

Contracted physicians will be expected and contractually required to demonstrate that they have fulfilled their contracted service commitments. This is documented and may be accomplished through a variety of means including, but not limited to, computerized office and clinical practice schedule documents, copies of the monthly completed call coverage rotation programs, and completion of specific Physician Time Study Forms.

A Physician Services’ representative will meet with any physician who becomes delinquent in providing such verification, in order to gain their compliance. Failure to demonstrate that the contracted services are being fulfilled will result in suspending compensation payments until such reporting requirements are met. Chronic failure to provide such documentation could serve as the basis for termination of the professional services arrangement, with cause.

Professional Fee Billings in an Educational Setting

All professional service arrangements involving Resident Physician and/or Medical Student education as the primary professional service, or in which such education support services occur incident to the medical administrative or clinical services required of the contracted physician, will incorporate a requirement that the physician perform such services in compliance with the current Centers for Medicare & Medicaid Services (“CMS”) professional fee billing guidelines.


Failure to meet such guidelines may serve as a basis for termination of the arrangement for cause.

Physician Education

The interactions between Physician Services personnel and the Physicians during the contracting process provide opportunity for Physician education as it relates to fair market value issues as well as hospital and physician compliance responsibilities. Open communication with our Physicians regarding these fair market values and compliance requirements is a standard expectation. Questions or concerns that cannot be addressed by Physician Services personnel are referred to the appropriate Legal and Compliance Department representatives.

Conflict Of Interest

In order to help assure that Summa can achieve its charitable mission, Physician arrangements incorporate a Conflict Of Interest (“COI”) disclosure requirement. Failure to disclose a conflict may serve as grounds for termination of any arrangement. In addition, the professional services agreements will include a provision limiting the Physician’s ability to obtain ownership in a competing health care entity during the term of the arrangement.

Medical Records

Physicians holding professional service or employment agreements with Summa and/or CFGH are required to maintain all patient records in accordance with Medicare Conditions of Participation and Medical Staff policies.

Utilization of Professional Consultants

Consistent with the outcomes of its strategic planning process and the movement toward stronger physician alignment, Summa has engaged a professional consulting firm, The Hay Group, to help define a new Physician Compensation Plan Document for Physicians who will be employed through SPI. This SPI Physician Compensation Plan is subject to the approval of the Summa Senior Management and the Compensation Committee of the Board. It is anticipated that the Physician Compensation Plan will include nationally accepted clinical work load unit production requirements, which shall be benchmarked to the fair market rate of compensation to be paid for the contracted clinical services. Any final approved Plan Document will become part of this Support Policy and be fully implemented subsequent to securing all required approvals.

Exceptions To The Standard Compensation Plan Approach:

Summa and CFGH anticipate that there will occasionally be specialized clinical needs, professional shortages and/or other markets that may necessitate the negotiation of a compensation approach or amount that will fall outside the Plan target parameters. Any such strategic situations or opportunities shall be documented, and implementation will be subject to the approval of the Compensation Committee.


Refund Guideline Policy

PATIENT FINANCIAL SERVICES DEPARTMENT REFUND AREA

Policy No: RA-006
Effective Date: 4/14/99
Revision Dates: 1/02/01, 03/01/06

PURPOSE: To implement controls that are comparable to the current industry standards.

POLICY: To consistently process overpayments received by Summa Health System.

PROCEDURE:

1. Refunds of $24.99 and less will not be made unless requested by the patient (verbally or in writing) or by the insurance company in writing. The credit balance on an account will be debited to bring to zero using transaction code (94 or Debit) 00300137.

2. Refunds of $25.00 and greater will be made regardless of request, consistent with the State Prompt Pay law.

3. Medicare, Medicaid, other Federal healthcare programs and Care Assurance refunds will always be processed regardless of credit balance.


Policy Applies to:
X Akron City Hospital
X St. Thomas Hospital
X Cuy. Falls General Hosp.
X Summa Health Network
X SummaCare

Title: PREVENTION OF FALSE CLAIMS
Policy Number: 9.18
Page 1 of 3
For Union, See Contract
Original Date: 12-11-06
Article: Section:
Revision Date:

Approval:

PURPOSE:
o To avoid submission of false claims;
o To comply with §6032 of the Deficit Reduction Act of 2005 by discussing in detail the Civil False Claims Act and its associated administrative remedies.

POLICY: All Summa Hospitals employees, managers and corporate officers must avoid submission of false or fraudulent claims for payment. Submission of any false or fraudulent claim subjects individuals and Summa Hospitals to liability under a variety of criminal and civil statutes, including especially the Civil False Claims Act (31 U.S.C. §§ 3729-3733) and its associated administrative remedies (31 U.S.C. §§ 3801-3812). Discussion of the provisions of the civil False Claims Act, including the rights of employees to be protected as whistleblowers, as well as Summa Hospitals’ Compliance Plan to prevent fraud, waste and abuse, will be included in Summa Hospitals’ Employee Handbooks. Summa Hospitals’ Compliance Plan is available on the Summa Health System web site at http://www.summahealth.org, and in each copy of Summa Hospitals’ Administrative Policy Manuals.

DISCUSSION:

False Claims Act

The objective of the civil False Claims Act (FCA) is to recover money owed to the Government and to levy penalties and damages.


A violation of the FCA occurs when any person or organization:
o knowingly presents, or causes to be presented, to the Government a false or fraudulent claim for payment or approval;
o knowingly makes, uses, or causes to be made or used a false record or statement to get a false or fraudulent claim paid or approved by the Government; or
o conspires to defraud the Government by getting a false or fraudulent claim allowed or paid.

MEDICARE AND MEDICAID ARE GOVERNMENT PROGRAMS COVERED BY THE FCA.

The statute defines “knowing” and “knowingly” to mean that the person or organization:
o has actual knowledge that the claim is false, fraudulent or fictitious;
o acts in deliberate ignorance of the truth or falsity of the claim or statement; or
o acts in reckless disregard of the truth or falsity of the claim or statement.

No proof of specific intent to defraud is required. In other words, the Government is not required to prove that a person or organization actually meant to make false claims; submitting a false claim with actual knowledge of its falsity, in deliberate ignorance of it, or in reckless disregard of it is enough to establish liability under the FCA.

The FCA provides that a person or organization that violates the statute is liable for a civil penalty of not less than $5,000 and not more than $10,000 per claim, plus three times the amount of the false claims. “Claim” means any request, demand or submission made to an authority for property, services or money. Each claim form or individual request for payment constitutes a separate claim. This means that claims even for an inexpensive service, repeated frequently over time, can result in multi-million dollar penalties.

A few examples of actions that would violate the FCA are:
• Billing for services and/or supplies not provided.
• Misrepresenting diagnoses, services, service dates, the identity of patients or amounts charged.
• Duplicate billing to obtain double payment (for example, billing both Medicare and the beneficiary for the same service, or submitting multiple claims for the same service).
• Billing for services known to be medically unnecessary.

Violation of the FCA also violates Summa Hospitals’ Compliance Plan. This is a Group Two offense according to Summa’s Human Resources policy. Discipline, including employment termination, is possible.


Whistleblower Provision

Another aspect of the FCA is its “qui tam” or whistleblower provision. In a qui tam suit, any private person who has direct and independent knowledge of wrongdoing (not based on publicly disclosed information) can bring an action on behalf of the Government to enforce the civil FCA. The Government may decide to intervene in the case and take over from the person who filed the case. If the Government does not intervene, the person filing the action is free to proceed on his or her own. In a successful qui tam suit, the person initiating the action is entitled to 15% - 25% of the recovery if the Government intervenes, and 25% - 30% where the Government declines to participate. If a person proceeds independently and the defendant wins, the person bringing the action may be required to pay the defendant’s legal fees.

The FCA protects employees who are discharged, demoted, harassed, or in any manner discriminated against by their employer because of their participation in or furtherance of an FCA action. Summa Hospitals’ Compliance Plan also prohibits harassment or retaliation. Employees can report harassment or retaliation to their supervisor, an upper-level manager, an appropriate department such as Human Resources, or the Compliance Hot Line at 1-800-421-0925.

POLICY ADMINISTRATION AND INTERPRETATION

Human Resources will be responsible for administering and interpreting the guidelines and provisions of this policy.


Summa Hospitals Compliance Plan

Part IV: Health Information Privacy and Security Policies

Workforce General Obligations Regarding Uses and Disclosures of Protected Health Information

PURPOSE: To set forth the standards and processes by which Summa Hospitals protects the privacy and confidentiality of patients' protected health information and complies with state and federal law regarding this information. Summa Hospitals collects and maintains a great deal of protected health information about patients. Both Ohio and federal law on patient privacy and confidentiality, including the federal HIPAA regulations, limit how health care providers and their workforce members may use and disclose this information. In many cases, prior patient permission must be obtained. To safeguard the privacy and confidentiality of patients' protected health information and to comply with state and federal law, all members of the Summa Hospitals workforce are required to comply with the provisions of this policy.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

DEFINITIONS

Protected health information (PHI), the subject of this policy, includes information that:
1. Is created or received by Summa Hospitals;
2. Relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or the past, present, or future payment for the provision of health care to a patient; and
3. Identifies the patient or provides a reasonable basis to believe that it can be used to identify the patient.
Protected health information includes information of persons living or deceased. The following components of a patient's information also are considered protected health information:
• names;
• street address, city, county, precinct, zip code;
• dates directly related to a patient, including birth date, admission date, discharge date, and date of death;
• telephone numbers, fax numbers, and electronic mail addresses;
• Social Security numbers;
• medical record numbers;
• health plan beneficiary numbers;
• account numbers;
• certificate/license numbers;
• vehicle identifiers and serial numbers, including license plate numbers;
• device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• biometric identifiers, including finger and voice prints;
• full face photographic images and any comparable images; and
• any other unique identifying number, characteristic, or code.

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of protected health information to persons who are neither members of Summa Hospitals’ workforce nor working within Summa Hospitals.

Request. When any person affiliated with Summa Hospitals asks for personal health information from a person or entity outside of Summa Hospitals.

Use. The sharing, employment, application, utilization, examination, or analysis of protected health information by any member of Summa Hospitals’ workforce or others working within Summa Hospitals.

Patient. “Patient” includes both the patient himself or herself and the patient’s legal representative.

POLICY

All workforce members of Summa Hospitals, as a condition of their employment or continued relationship with Summa Hospitals, must comply with the following requirements regarding protected health information:

USES, REQUESTS AND DISCLOSURES

Uses, Requests and Disclosure for Treatment. Personal health information may be used, requested or disclosed for treatment of a patient if the use, request or disclosure is consistent with the Minimum Necessary Policy of Summa Hospitals and if any one of the following conditions is met:
• Personal health information is being used as appropriate for your professional duties; or
• Personal health information is being requested from another health care provider or health plan; or
• Personal health information is being disclosed to another health care provider for the treatment activities of the provider that receives the information; or
• There is an authorization signed by the patient or the patient's representative; or
• Such use, request or disclosure is approved by your immediate supervisor or the Privacy Officer.

Uses, Requests and Disclosure for Payment. Personal health information may be used, requested or disclosed for payment purposes if the use, request or disclosure is consistent with the Minimum Necessary Policy of Summa Hospitals and if any one of the following conditions is met:
• Personal health information is being used as appropriate for your professional duties; or
• Personal health information is being requested from another health care facility, health care professional or health plan for our payment activities; or
• Personal health information is being disclosed as necessary for our payment purposes; or
• Personal health information is being disclosed to another health care facility or health care professional for the payment activities of the entity that receives the information; or
• There is an authorization signed by the patient or the patient's representative; or
• Such use, request or disclosure is approved by your immediate supervisor or the Privacy Officer.

Uses, Requests and Disclosure for Health Care Operations. Personal health information may be used, requested or disclosed for health care operations (note the exceptions in our Policy on Fundraising and our Policy on Marketing) if the use, request or disclosure is consistent with the Minimum Necessary Policy of Summa Hospitals and if any one of the following conditions is met:
• Personal health information is being used as appropriate for your professional duties; or
• Personal health information is being requested from another health care facility, health care professional or health plan for our health care operations; or
• Personal health information is being disclosed to a business associate for our health care operations; or
• Personal health information is being disclosed to another health care facility, health care professional or health plan for the health care operations of the entity that receives the information, both Summa Hospitals and the receiving entity have or have had a relationship with the patient whose information is being disclosed, and the purpose of the disclosure is any of the following activities:
- Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
- Health care fraud and abuse detection or compliance; or
• There is an authorization signed by the patient or the patient's representative; or
• Such use, request or disclosure is approved by your immediate supervisor or the Privacy Officer.

Verification. In many cases, you are required to verify the identity and the authority of a person requesting personal health information from us. See our Policy on Verification of Identity and Authorization for the guidelines on when verification is required.

Disclosures Directly to the Patient. Personal health information of a patient may be disclosed directly to the patient or the patient's representative without an authorization by the patient or the patient's representative. You are required to verify the identity and authority of the patient's representative if the person is not known to you. A properly completed and signed Authorization form is required before a patient views or receives a copy of the designated record set.

Psychotherapy Notes. Unless an authorization is signed by the patient or the patient's representative, psychotherapy notes may only be used or disclosed as follows:
• Can be used by the originator of the psychotherapy notes for treatment;
• Can be used or disclosed for our own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling;
• Can be used or disclosed by us to defend ourselves in a legal action or other proceeding brought by a patient or other individual; and
• Can be released to the Secretary of the U.S. Department of Health and Human Services for compliance investigations; as required by law; to a health oversight agency for oversight of the originator of the notes; to coroners and medical examiners; and to avert serious threats to health and safety.

Other Uses, Requests and Disclosures of Personal Health Information. No other uses, requests for, or disclosures of personal health information may be made except for the following:
• There is an authorization signed by the patient or the patient's representative for the use, request, or disclosure; or
• The use or disclosure is permitted without authorization pursuant to the Checklist for Determining Whether Authorization is Required; or
• The use, request or disclosure is approved by your immediate supervisor or the Privacy Officer.

Patient Restrictions. If a patient has requested a restriction on the uses and disclosures of his or her protected health information and this has been agreed to by the Privacy Officer, then the information may not be used or disclosed to anyone for any purpose except as necessary for the emergency treatment of the patient or as required by law. Before using or disclosing any protected health information, each workforce member must determine whether any restriction exists and act consistent with the restriction. Restrictions will be listed in the medical record and can be obtained by contacting the Medical Record Department or other department where the medical record is housed. All requests for restrictions must be approved by the Privacy Officer.


Facility Directories. Summa Hospitals maintains a public facility directory that includes certain information regarding patients at the facilities that is generally available to callers and visitors who request such information by the patient’s name. Patients have the right to opt-out of the facility directory. No person shall disclose any information in the facility directory without first checking to see if the information may be disclosed. Unless there is an opt-out, the directory information may be disclosed to any person who requests the information by a specific patient’s name (but not religious affiliation information) and to a member of the clergy (including religious affiliation) regardless of whether the clergy member asks for a patient by specific name.

Family and Friends Involved in a Patient’s Care. Patients often will have family members or friends involved in some aspect of caring for them or in paying for their care. In such situations it may be beneficial to share certain protected health information regarding the patient with family members or friends to facilitate their involvement with the patient’s care or with payment for such care. Workforce members must obtain approval from the patient prior to sharing protected health information with persons involved with the patient. Such approval can be written, oral or can be inferred from the circumstance (e.g., the friend/relative is present during the examination). When the patient is unavailable or unable to agree due to incapacity or emergency, such disclosure may be made if it is deemed to be in the best interest of the patient. If a patient is unconscious or otherwise unable to give direction and no legal representative is available, contact Summa Hospitals’ Privacy Officer or designee prior to any disclosure to family or friends, except in urgent circumstances when professional judgment will prevail.

Confidential Communications. Patients have the right to receive communications from Summa Hospitals by alternative means or at alternative locations. All reasonable requests will be honored. All approved confidential communication requests will be documented on the Confidential Communication Request Form and entered into the appropriate databases and hospital ancillary system. Before communicating with any patient, determine whether a confidential communication restriction exists. For example, patients may request appointment reminders be sent in sealed envelopes rather than on a postcard, or a patient may request telephone calls at home, but not at work.

Research. Patient information may not be used for internal research or disclosed to anyone outside of Summa Hospitals for research without specific approval from the Institutional Review Board or patient/legal representative.

Education and Training. All workforce members must sign a Summa Hospitals Information Security Agreement and attend all required educational and training sessions relating to privacy and confidentiality of protected health information. Workforce members must attend initial HIPAA training, and information will be included in new employee orientation starting in 2003. Information will be incorporated into the Mandatory Organizational Education (MOE) materials in 2004. General topics to be covered should include, but not be limited to:
• The responsibilities of all members of the workforce with respect to protected health information as set forth in this policy;
• The privacy policies and procedures of Summa Hospitals applicable to all members of the workforce;
• The personal and ethical obligations of each individual with respect to protected health information;
• The disciplinary actions and legal sanctions applicable to individuals who violate the privacy policies and procedures.

All workforce members are required to understand and adhere to the standards and policies of Summa Hospitals related to the use and disclosure of protected health information as documented in the Administrative Policy & Procedure Manual. Workforce members should seek guidance and training when necessary to resolve questions about the standards and policies.

It is the responsibility of each individual department manager to ensure that workforce members receive additional training and education addressing privacy-related issues specific to their jobs.

PRIVACY OFFICER

Summa Health System Hospitals and Cuyahoga Falls General Hospital each have a designated Privacy Officer. The Privacy Officer is responsible for providing guidance and assistance with implementing and monitoring the privacy policies and practices of Summa Hospitals. The Privacy Officer will work with Legal Services and management to ensure that workforce members comply with the privacy policies, and when necessary recommend disciplinary action for violation of any privacy standards.

CONCERNING PATIENT RIGHTS

Patients of Summa Hospitals have certain rights required by federal law. In order to assure that these rights are not compromised, all workforce members must be aware of these rights and the following duties and responsibilities:

Notice of Privacy Practices. Patients have the right to receive a Notice of Privacy Practices explaining the ways in which Summa Hospitals may use or disclose protected health information. Members of the workforce must ensure that every patient of Summa Hospitals receives a Notice of Privacy Practices and that each patient acknowledges receiving this Notice by signing the Receipt of Notice of Privacy Practices Acknowledgement Form (“the Form”). If the patient receives the Notice but does not acknowledge receiving it by signing the Form, the workforce member who gave out the Notice must document the good faith attempt that he or she made to get the patient to sign the Form. Workforce members must document this good faith attempt on the Form and forward the Form to Patient Financial Services. If the patient acknowledges receiving the Notice or if a workforce member documents the good faith attempt that he or she made to get the patient to sign the Form, then Summa Hospitals may use that patient’s protected health information for treatment, payment, or health care operations. Notices and patient acknowledgement forms are available from any point of registration. Upon completing a patient acknowledgement form, forward the form promptly to the Patient Financial Services File Room.

Authorization. Patients have the right to require Summa Hospitals to get their signed authorization before using or disclosing protected health information for any reason that does not include treatment, payment, or health care operations. For example, a patient must sign an authorization form before Summa Hospitals may send physical examination information to that patient’s employer or life insurance company. Authorization forms are available from the Medical Records Department, Patient Accounts Department, each nursing unit or the Summa Forms Bulletin Board in Summa’s Microsoft Outlook program. Upon completing an authorization form, promptly forward the form to the Privacy Officer.

Access to Protected Health Information. Patients have the right to access, copy, and inspect much of the protected health information that is retained on their behalf by Summa Hospitals. If any patient or other person requests access to protected health information, refer the person to the Privacy Officer or give the person a copy of the form used for making an access request. Forms are available from the Medical Records Department, Patient Accounts Department, each nursing unit or the Summa Forms Bulletin Board in Summa’s Microsoft Outlook program. Upon receiving a completed form requesting access, promptly forward the form to the Privacy Officer.

Amendments to Protected Health Information. Patients have the right to request that Summa Hospitals make amendments to their protected health information. If a patient or any other person requests an amendment to protected health information, refer the person to the Privacy Officer or give the person a copy of the amendment form. Forms are available from the Medical Records Department or the Summa Forms Bulletin Board in Summa’s Microsoft Outlook program. Upon receiving a completed form, forward the form promptly to the Privacy Officer.

Accounting for Disclosures. Federal law allows a patient to request an accounting of most disclosures made of his/her protected health information. Upon receiving a request for this information, refer the person to the Privacy Officer, or give the person a copy of the accounting form used for this type of request. Forms are available from the Medical Records Department, or the Summa Forms Bulletin Board in Summa’s Microsoft Outlook program. Upon receiving a completed form, promptly forward it to the Privacy Officer.

Complaints. Patients and others have the right to file a complaint with Summa Hospitals if they believe that their privacy rights have been violated. If any person requests information on how to file a complaint, refer the person to the Compliance Hotline, the Privacy Officer, and/or the Patient Liaison. Patients also have the right to file complaints with the Secretary of the U.S. Department of Health and Human Services Office for Civil Rights. This is the Government agency responsible for enforcement of the HIPAA Privacy Regulation. Instructions on filing a complaint with the Office for Civil Rights can be found through the internet at http://www.hhs.gov/ocr/privacyhowtofile.htm.

No Waiver of Rights. Members of the workforce may not require a patient to waive any of the rights set forth in this policy as a condition of the provision of treatment or payment.

PRIVACY VIOLATIONS

Mitigating Misuses or Improper Disclosures of Protected Health Information. Workforce members that become aware of any misuse or improper disclosure of protected health information must promptly notify Summa Hospitals’ Privacy Officer or designee. The workforce member shall work with the Privacy Officer to limit, to the extent practicable, any known harmful effect of a use or disclosure of protected health information in violation of this or other policies and procedures of Summa Hospitals.

Business Associates and Limited Data Set Users. Summa Hospitals has agreements with business associates who use or disclose protected health information while performing services on behalf of Summa Hospitals and with limited data set users who use limited amounts of patient information for specified purposes. These agreements include provisions that require the business associate or limited data set user to keep protected health information confidential.

Safeguarding Protected Health Information. All workforce members must take reasonable steps to safeguard protected health information from any intentional or unintentional use or disclosure that violates any Summa Hospitals policy. Safeguarding includes, but is not limited to, storing protected health information in a cabinet or closed file at the end of the work day; maintaining privacy during oral discussions of protected health information; restricting electronic transmission of protected health information to job related duties; and disposing of documents strictly in accordance with the policies of Summa Hospitals.

Noncompliance Sanctions. Summa Hospitals will take appropriate disciplinary measures against workforce members who violate any policy or procedure of Summa Hospitals concerning the privacy of protected health information. The disciplinary measures taken will be consistent with the violation and the circumstances of each case. Summa’s response to violations will follow provisions of the policies and procedures detailed in the Human Resources Policy and Procedure Manual, Summa Hospitals’ Compliance Plan and applicable Medical Staff bylaws.

Non-Retaliation Policy. Summa Hospitals policy and federal law strictly forbid intimidation, threats, coercion, discrimination or any other retaliatory action against workforce members, patients, visitors or others who exercise the rights or duties set forth in this policy and federal law. These rights or duties include but are not limited to:

• Filing a complaint with Summa Hospitals or the Secretary of the U. S. Department of Health and Human Services

• Testifying, assisting in or participating in an investigation, compliance review proceeding or hearing regarding the federal law on patient privacy

• Opposing any unlawful act or practice relating to protected health information as defined by federal law and Summa Hospitals policy, provided the individual has a good faith belief that the practice opposed is unlawful and the manner of opposition is reasonable and does not involve a disclosure of protected health information in violation of Summa Hospitals policy or federal law.

Compliance Investigations and Reviews. Federal law authorizes the Secretary of the U. S. Department of Health and Human Services or a designee to conduct investigations and reviews of Summa Hospitals’ compliance with the federal privacy laws and regulations.

CHANGES TO POLICIES

Summa Hospitals must change its policies regarding protected health information to comply with changes in state and federal law and may change its policies for other organizational reasons, so long as any changes comply with state and federal law. Prior to their effective date, all policy changes must be documented in a revised version of any affected policies, in accordance with state and federal law. Any change to a privacy policy or practice that is stated in Summa Hospitals' Notice of Privacy Practices must comply with the provisions for changing the Notice, as described in the Notice of Privacy Practices Policy.

DOCUMENTATION

All policies regarding the confidentiality of protected health information must be documented in writing in accordance with state and federal law. Summa Hospitals must retain this documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.

Summa Hospitals is committed to complying with all applicable laws and to cooperating with any reasonable requests for information from the federal, state and local governments, while protecting its rights and those of its workforce. Government officials may approach a workforce member at the member’s home or work place with a request for information regarding Summa Hospitals. If this happens, the workforce member should not answer any questions until he or she has contacted his or her supervisor, and until the Vice President, Legal Services and the Chief Compliance Officer have been consulted. The workforce member should then follow the instructions of these authorities.

Uses and Disclosures of Protected Health Information In The Workplace

Objective: To set forth the standards and processes by which Summa Hospitals protects the privacy and confidentiality of patients' protected health information by implementing appropriate administrative, technical, and physical safeguards to reasonably safeguard protected health information from any oral use or disclosure that violates state or federal law.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

DEFINITIONS

Protected health information (PHI), the subject of this policy, includes information that:

1. Is created or received by Summa Hospitals;

2. Relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or the past, present, or future payment for the provision of health care to a patient; and

3. Identifies the patient or provides a reasonable basis to believe that it can be used to identify the patient.

Protected health information includes information of persons living or deceased. The following components of a patient's information also are considered protected health information:

• names;

• street address, city, county, precinct, zip code;

• dates directly related to a patient, including birth date, admission date, discharge date, and date of death;

• telephone numbers, fax numbers, and electronic mail addresses;

• Social Security numbers;

• medical record numbers;

• health plan beneficiary numbers;

• account numbers;

• certificate/license numbers;

• vehicle identifiers and serial numbers, including license plate numbers;

• device identifiers and serial numbers;

• Web Universal Resource Locators (URLs);

• biometric identifiers, including finger and voice prints;

• full face photographic images and any comparable images; and

• any other unique identifying number, characteristic, or code.

Oral protected health information. Protected health information that is used or disclosed orally. This includes, but is not limited to, communications that are face-to-face or that involve the telephone and voice mail, dictation, intercoms and overhead pages, or presentations.

Electronic protected health information. Protected health information that is used or disclosed in electronic form. This includes, but is not limited to, information in computer systems, electronic mail, wireless communications, faxes, and audio recordings.

Photographic protected health information. Protected health information that is used or disclosed in photographic form. This includes, but is not limited to, x-rays and other diagnostic imaging films, and photographs and videos of patients, including photographs required by law.

Written protected health information. Protected health information that is used or disclosed in written form. This includes, but is not limited to, medical and billing record information, labeled items, bulletin/white boards, and other paper protected health information.

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of protected health information to persons who are neither members of Summa Hospitals’ workforce nor working within Summa Hospitals.

Use. The sharing, employment, application, utilization, examination, or analysis of protected health information by any member of Summa Hospitals’ workforce or others working within Summa Hospitals.

Incidental Use or Disclosure. A minor use or disclosure that occurs as a by-product of engaging in health care communications and practices. An incidental use or disclosure is permissible only to the extent that Summa Hospitals has applied reasonable safeguards and implemented the minimum necessary standard, where applicable.

Minimum Necessary Standard. When using or disclosing protected health information or when requesting protected health information from another entity, members of the Summa Hospitals’ workforce must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

Patient. “Patient” includes both the patient himself or herself and the patient’s representative.

POLICY

All workforce members of Summa Hospitals, as a condition of their employment or continued relationship with Summa Hospitals, are required to adhere to the standards and policies of Summa Hospitals related to the use and disclosure of protected health information. Workforce members should seek guidance and training when necessary to resolve questions about the standards and policies. It is the responsibility of each individual department manager to ensure that workforce members receive additional training and education addressing privacy-related issues specific to their jobs.

ORAL COMMUNICATIONS

FACE-TO-FACE COMMUNICATIONS

Examples. Face-to-face communications include, but are not limited to, those statements or conversations that occur in or around the family waiting area, patient rounds, meeting rooms, workplace cubicles, common areas, nurses’ stations, cafeterias, hallways, elevators, and any other place where people meet or congregate.

Means of Safeguarding Face-to-Face Communications. Workforce members of Summa Hospitals should adhere to the following guidelines to ensure that face-to-face communications do not result in the use or disclosure of protected health information in violation of federal or state law:

1. Make every attempt to keep oral communications with or about patients as private as circumstances allow. For instance, workforce members should move to a private room, draw the curtains and keep voices low, move to the corner of a room, etc.

2. Never discuss protected health information in public spaces, like elevators, hallways, and cafeterias.

3. Do not ask patients aloud for their reason for visiting a clinical setting. For example, within the hearing of others, do not ask, “Are you here today for your mammogram?”

4. Protect the privacy of co-workers who are patients. Do not discuss the health care services provided to your co-workers with anyone who is not directly involved in their care. Do not ask co-workers their reasons for accessing health care services.

5. Limit the amount of protected health information used during a face-to-face conversation to the amount required for immediate clinical or administrative needs.

COMMUNICATIONS USING TELEPHONE, CELL PHONE, VOICE MAIL, OR ANSWERING MACHINES

Person-to-Person Telephone Communications. Hospital personnel often find it necessary, or in the patient’s best interest, to disclose certain protected health information by telephone to patient representatives, or to other family and friends involved in a patient’s care. When this occurs, follow the policy on Disclosures to Family and Friends Involved With a Patient. If the patient is present and able to respond and has not already given permission to disclose information to a particular caller, obtain the patient’s oral permission and document it in the patient’s medical record prior to disclosing information.

If the patient is unable to respond, use your best judgment to determine whether the disclosure is in the best interest of the patient and, if so, disclose only the information that is directly relevant to the caller’s involvement with the patient. If a caller is unknown to you, or you suspect that a caller is not who he/she claims to be, you should verify this person’s identity and relationship to the patient. Follow the provisions of the policy on Verification of Identity and Authorization. Examples of verification can include obtaining information such as date of birth, social security number, date of admission or treatment, or other information specific to the patient.

Means of Safeguarding Person-to-Person Telephone Communications. Please follow the same guidelines listed under Face-to-Face Communications above when speaking on the telephone.

Person-to-Machine Telephone Communications (Patients). Verify the identification of the patient or the patient’s representative by listening for a message in which the patient or patient’s representative provides positive identification (e.g., “You’ve reached the home of John Doe.”).

• If the patient or patient’s representative does not verify his/her identity on the answering message, then state only your name, telephone number, affiliation with Summa Hospitals, and the minimum amount of information necessary to carry out the purpose of the call. You may include the name of your department in your message.

• If the patient or patient’s representative verifies his/her identity on the answering message, then you may also give the patient’s name, in addition to your name, telephone number, affiliation with Summa Hospitals, and the minimum amount of information necessary to carry out the purpose of the call. You may include the name of your department in your message.

Person-to-Machine Telephone Communications (Non-Patients, e.g. Co-Workers, Business Associates or Treatment Providers With a Relationship To the Patient). Verify the identification of the non-patient by listening for a message in which the non-patient provides positive identification (e.g., “You’ve reached the office of John Doe.”).

• If the non-patient does not verify his/her identity on the answering message, then state only your name, department, and telephone number.

• If the non-patient verifies his/her identity on the answering message and is either a co-worker, business associate, or treatment provider with a relationship to the patient about whom you will be speaking, then you may use protected health information, if needed, but only in the minimum necessary amount required to accomplish the purpose of your message.

Means of Safeguarding Person-to-Machine Telephone Communications. Please follow the same guidelines listed under Face-to-Face Communications above when speaking on the telephone.

DICTATION

Because all dictation recipients are either business associates of or workforce members of Summa Hospitals, there is no need to verify the identification of the recipient of dictation. Please follow the same guidelines listed under Face-to-Face Communications above when dictating.

OVERHEAD PAGING

Means of Safeguarding Overhead Page Communications. Workforce members may use a patient’s name and clinical setting to page a patient or his/her representative or family members overhead if the patient is within the hospital premises. Workforce members should avoid paging overhead if another practicable method of reaching the intended recipients is available.

PRESENTATIONS AND LECTURES

Means of Safeguarding Communications by Presentation and Lecture. Where a presenter uses protected health information while addressing a body of fellow workforce members, business associates, or treatment providers, workforce members should take steps, like closing doors, to prevent unintended recipients from hearing the protected health information. Where it is not possible to prevent unintended recipients from hearing the protected health information, such as when presentations are given in an auditorium or other large space, presenters should use only de-identified information. In addition, please follow the same guidelines listed under Face-to-Face Communications above when making a presentation.

ELECTRONIC USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

COMPUTER SYSTEMS INFORMATION

Examples. For major systems, computer systems information includes, but is not limited to, information from systems for laboratory, radiology, pharmacy, registration (i.e., SMS), and patient accounting. For personal systems and files, computer systems information includes, but is not limited to, information from personal desktop and laptop computers and PDAs (personal digital assistants, e.g., Palm Pilot).

Means of Safeguarding Computer Systems Information. Workforce members of Summa Hospitals should adhere to the following guidelines to ensure that the handling of electronic information does not result in the use or disclosure of protected health information in violation of federal or state law:

1. Creation and Use

a. Be aware of physical surroundings as you create protected health information in computer systems, in order to limit access to those records.

b. Follow established departmental policies and procedures when using protected health information.

c. Limit the amount of protected health information that you access to the minimum necessary to do your job.

d. Protect electronic protected health information from open view by the public by covering screens, turning monitors away from public view, minimizing applications if not finished and leaving the workstation, and clearing patient information from the screen when finished (i.e., returning to the menu screen).

2. Storage

a. For most major systems, the Information Technology and Systems Department is responsible for storage.

b. For personal systems and files, delete protected health information that is no longer needed.

c. For personal systems and files, store protected health information only on Summa Hospitals personal computers.

d. Removal of protected health information from Summa Hospitals’ property is prohibited, except when management staff removes such information for employment-related purposes or an outside vendor removes such information in reasonable furtherance of its duties to Summa.

e. Follow the appropriate departmental or system Record Retention Policy.

f. When printing a file or page, follow the Written Protected Health Information Policy.

3. Retrieval

a. Follow established departmental policies and procedures when accessing protected health information.

b. Unless employment duties require accessing particular electronic health information, never access anyone else’s record, including that of a spouse or other relative.

c. Never permit others to use the computer under your log-on. Always log off.

d. Use passwords that are not easy to guess.

e. Keep your passwords secret. Do not reveal them to anyone.

4. Disclosure (external)

a. Follow established departmental policies and procedures when disclosing protected health information.

b. Follow the Verification and Authorization Policies when evaluating requests for disclosure of protected health information.

5. Internal physical transfer

a. Do not create disks or file downloads where their creation is not required.

b. Download files only to a safe and familiar directory or folder in order to ensure that the file is not misplaced.

c. Deliver disks to the appropriate individual at a secure location.

6. Destruction

a. Follow the Floppy Diskette, CD and Other Portable Electronic Media Storage/Disposal Policy. If the media is needed for reuse, you may reformat to erase the data and reuse the media. If the media is no longer needed for reuse, it should be sent to the IT&S Data Center at ACHS for disposal with the interoffice envelope labeled “IT&S Data Center Disposal, ACHS”. IT&S will complete the erasing of data and disposal of the media.

b. Never dispose of disks containing protected health information in the regular trash.

c. Follow the appropriate departmental or system Record Retention Policy.

ELECTRONIC MAIL

Means of Safeguarding Electronic Mail. Workforce members of Summa Hospitals should adhere to the following guidelines to ensure that the handling of electronic protected health information does not result in the use or disclosure of protected health information in violation of federal or state law:

1. No transmission of protected health information using unencrypted e-mail

Summa uses Zix email encryption for emails sent outside of the organization. If you are sending an email containing PHI, to make certain the email is encrypted, type the word Zixencrypt somewhere in the subject or body of the email. Emails containing PHI must not be sent outside of the organization unencrypted. Email must not be used to communicate with patients regarding their diagnoses or treatment. Emails inside the organization should only contain PHI when needed to perform the job.

2. Storage of e-mail containing protected health information received from sources outside Summa Hospitals

a. Store e-mail containing protected health information only on Summa Hospitals personal computers.

b. Removal of protected health information from Summa Hospitals’ property is prohibited, except when management removes or authorizes removal of such information for employment-related purposes or an outside vendor removes such information in reasonable furtherance of its duties to Summa.

c. Follow the appropriate system Record Retention Policy.

d. After printing an e-mail message, follow the Written Protected Health Information section of this policy.

e. Do not auto-forward Summa Hospitals e-mail to your home or any other e-mail account.

3. Destruction

Delete e-mail messages that contain protected health information when you are finished using them.
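The e-mail rule above (the Zixencrypt trigger word for PHI leaving the organization, and PHI inside the organization only when the job needs it) and the "de-identified information" requirement under Presentations and Lectures can both be checked mechanically before a message or slide deck goes out. The following pre-send check is an added example, not Summa Hospitals' code and not a Zix feature; it assumes a placeholder internal mail domain (summa.example) and uses constructed patterns for a few of the identifier categories the policy lists, so it is a reviewer's aid, not a complete PHI detector.

```python
"""Pre-send e-mail check for the Zixencrypt rule, plus a simple identifier scrubber.

Added example; not Summa Hospitals' code and not part of Zix. The internal
domain, the patterns and the sample messages are placeholders constructed here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: placeholder for the organization's own mail domain. Any other
# domain counts as "outside of the organization" in the policy's sense.
INTERNAL_DOMAIN = "summa.example"

# The trigger word the policy says to put in the subject or body so Zix encrypts the mail.
ENCRYPT_KEYWORD = "zixencrypt"

# Constructed heuristics for a few of the identifier categories the policy enumerates
# (dates, telephone numbers, e-mail addresses, Social Security numbers, medical record
# numbers). Illustrative only: names, addresses and the other categories are not covered.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone number": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "e-mail address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "medical record number": re.compile(r"\bMRN\s*[:#]?\s*\d{6,}\b", re.IGNORECASE),
}


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str


def is_external(address: str) -> bool:
    """True when the address is outside the organization's mail domain."""
    return address.rsplit("@", 1)[-1].strip().lower() != INTERNAL_DOMAIN


def find_phi(text: str) -> Dict[str, List[str]]:
    """Map each identifier category found in the text to the strings that matched."""
    hits: Dict[str, List[str]] = {}
    for category, pattern in PHI_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            hits[category] = matches
    return hits


def redact(text: str) -> str:
    """Replace each detected identifier with its category name (for presentation material)."""
    for category, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{category}]", text)
    return text


def has_encrypt_keyword(msg: Message) -> bool:
    """The policy accepts the trigger word anywhere in the subject or body."""
    return ENCRYPT_KEYWORD in (msg.subject + " " + msg.body).lower()


def check_message(msg: Message) -> List[str]:
    """Return findings for a message about to be sent; an empty list means nothing to flag."""
    phi = find_phi(msg.subject + "\n" + msg.body)
    if not phi:
        return []
    categories = ", ".join(sorted(phi))
    external = [r for r in msg.recipients if is_external(r)]
    if external:
        if has_encrypt_keyword(msg):
            return []  # outbound PHI with the trigger word: Zix will encrypt it
        return [f"BLOCK: PHI ({categories}) addressed to {', '.join(external)} "
                f"without the Zixencrypt keyword; add it or remove the PHI"]
    return [f"REVIEW: internal message contains PHI ({categories}); "
            f"include it only when needed to perform the job"]


# Constructed sample messages (placeholder addresses and patient data).
SAMPLES: Dict[str, Message] = {
    "external_unencrypted": Message(
        "nurse@summa.example", ["dr.smith@outside-clinic.example"],
        "Lab results", "Patient MRN 00123456, DOB 03/14/1960, potassium 5.8"),
    "external_encrypted": Message(
        "nurse@summa.example", ["dr.smith@outside-clinic.example"],
        "Lab results Zixencrypt", "Patient MRN 00123456, DOB 03/14/1960, potassium 5.8"),
    "internal": Message(
        "nurse@summa.example", ["charge.nurse@summa.example"],
        "Handoff", "Patient MRN 00123456 needs a repeat draw at 330-555-0100"),
    "no_phi": Message(
        "nurse@summa.example", ["vendor@outside-clinic.example"],
        "Meeting", "Can we move Thursday's staff meeting to 3 pm?"),
}


def run_samples() -> Dict[str, List[str]]:
    """Run the check over every sample message and collect the findings by name."""
    return {name: check_message(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {findings or 'ok'}")
    print(redact("John Doe, MRN 00123456, seen 03/14/2007"))
```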

FAXES

Means of Safeguarding Fax Communications. Workforce members of Summa Hospitals should adhere to the following guidelines to ensure that the handling of faxes does not result in the use or disclosure of protected health information in violation of federal or state law:

1. Creation and Use

a. Be aware of physical surroundings as you place fax machines, in order to limit access to those people not authorized to view protected health information.

b. Follow established departmental policies and procedures when using protected health information.

c. Limit the amount of protected health information that you access or send to the minimum necessary to do your job.

d. Limit the faxing of protected health information to urgent or non-routine situations when mail or other delivery is infeasible.

e. Do not fax especially sensitive health information that deals with HIV or AIDS, mental health, substance abuse, or sexually transmitted diseases.

f. Consider designating separate fax machines, one to be used for sending and receiving protected health information and another for routine administrative faxes.

g. Use only standard Summa Hospitals fax cover sheets containing the appropriate warning available on the Summa Forms Bulletin Board.

h. If you receive a fax message containing protected health information erroneously, immediately notify the sender of the mistake and destroy the protected health information.

2. Retrieval and Storage

a. When expecting a fax containing protected health information, coordinate timing with the sender so that you can retrieve the fax promptly.

b. If you receive many faxes containing protected health information, designate appropriate employees regularly to empty fax trays and disseminate their contents to responsible parties.

c. Removal of protected health information from Summa Hospitals’ property is prohibited, except when management removes or authorizes removal of such information for employment-related purposes or an outside vendor removes such information in reasonable furtherance of its duties to Summa.

d. Follow the Written Protected Health Information section of this policy regarding storage and retrieval of faxed documents.

e. Faxes containing protected health information should be deposited in a secure and confidential place upon delivery and not left where passersby can see them.

3. Disclosure (external)

a. Follow established departmental or system-wide policies and procedures when faxing protected health information.

b. Confirm the accuracy of fax numbers and the security of recipient machines by calling the intended recipients to:

i. Double-check fax numbers;

ii. Verify recipient machine security;

iii. Notify them that a fax is on the way; and

iv. Request verification of receipt.

c. Do not rely on fax numbers listed in directories or provided by persons other than recipients.

d. When faxes are sent regularly to the same people, program these fax numbers into your machine’s memory, and institute a set procedure to test programmed numbers on a regular basis.

e. Make sure that your fax machine prints a confirmation of each outgoing transmission.

f. If a fax has been misdirected, ensure that improperly faxed documents are either immediately returned or destroyed by the recipient.

4. Destruction

a. Follow Environmental Services policies to recycle all paper, including faxes containing protected health information.

AUDIO RECORDINGS

Examples. Audio recordings include, but are not limited to, tapes or cassettes containing protected health information.

Means of Safeguarding Audio Recordings. Workforce members of Summa Hospitals should follow the same guidelines listed under Face-to-Face Communications above when dictating. Store tapes or cassettes in locked offices or cabinets or in staffed rooms.

Written Uses and Disclosures of Protected Health Information

MEDICAL RECORD INFORMATION

Examples. Written medical record information includes, but is not limited to, treatment records; parts of the designated record set; all chart forms; notes from all inpatient, outpatient, and treatment areas; and computer printouts, etc.

Means of Safeguarding Written Medical Records. Workforce members of Summa Hospitals should adhere to the following guidelines to ensure that the handling of written medical information does not result in the use or disclosure of protected health information in violation of federal or state law:

1. Creation

a. Be aware of physical surroundings as you create medical records, in order to limit access to those records.

2. Use

a. Follow established departmental policies and procedures when using protected health information.

b. Limit the amount of protected health information that you access to the minimum necessary to do your job.

c. Protect charts and other writings from open view by the public, by covering papers, turning papers over when not using, and removing papers from counter tops.

d. Return charts or other writings to appropriate, secure locations (e.g., nurse station chart box).

e. Close chart boxes or other containers holding written information.

3. Storage

a. Store medical record information in locked offices or cabinets or in staffed rooms.

b. Removal of protected health information from Summa Hospitals’ property is prohibited, except when management removes or authorizes removal of such information for employment-related purposes or an outside vendor removes such information in reasonable furtherance of its duties to Summa.

c. Follow the appropriate departmental Record Retention Policy.

4. Retrieval

a. Follow established departmental policies and procedures when accessing protected health information.

b. Unless employment duties require accessing a particular medical record, never access anyone else’s record, including that of a spouse or other relative.

5. Disclosure (external)

a. Follow established departmental policies and procedures when disclosing protected health information.

b. Follow the Verification and Authorization Policies when evaluating requests for disclosure of protected health information.

6. Internal physical transfer

a. Carry medical charts and other written medical record information through the facilities without exposing protected health information to public view.

b. Deliver written medical record information to the appropriate individual in person.

7. Destruction

a. Never dispose of written medical record information in the regular trash. Follow established policies for secure disposal of PHI.

b. Follow the appropriate departmental Record Retention Policy.

Note: This policy applies to clinical documentation used for temporary purposes (e.g., copies, preliminary reports, personal pocket notes, etc.).

BILLING RECORD INFORMATION

Examples. Written billing record information includes, but is not limited to, itemized bills, UB92 forms, printed screen pages, ancillary department daily charges print pages, Advance Beneficiary Notices (ABN), insurance card photocopies, remittance advice, managed service provider forms, etc.

Means of Safeguarding Written Billing Records. Workforce members of Summa Hospitals should apply the guidelines listed under “Medical Record Information” to ensure that the handling of written billing information does not result in the use or disclosure of protected health information in violation of federal or state law.

Note: This policy applies to billing documentation used for temporary purposes (e.g., hard copies for work in progress, preliminary reports, copies, etc.).

LABELED ITEMS

Examples. Labeled items include, but are not limited to, IV bags or bottles, specimen containers, charge sticker cards, pill bottles, patient identification bands, radiology preparation materials, etc.

Means of Safeguarding Labeled Items. Workforce members of Summa Hospitals must ensure that the handling of labeled items does not result in the use or disclosure of protected health information in violation of federal or state law. All labeled items must be disposed of in white bag trash.

BULLETIN/WHITE BOARDS

Examples. Bulletin/white boards include, but are not limited to, bulletin boards, white (dry erase) boards, black (chalk) boards, flip-charts, etc.

Means of Safeguarding Bulletin/White Boards. Workforce members of Summa Hospitals should adhere to the following guidelines to ensure that the handling of bulletin/white boards does not result in the use or disclosure of protected health information in violation of federal or state law:

1. Creation

a. Be aware of physical surroundings as you create entries, in order to limit access to those records.

b. Do not attach patient names to clinical information at any site routinely visible to the public.

2. Use

a. Follow established policies and procedures when using protected health information.

3. Internal physical transfer

a. Carry any bulletin/white boards containing written medical record information through the facilities without exposing protected health information to public view.

4. Destruction

a. Destroy written protected health information immediately after you are done using it.


ALL PAPER PROTECTED HEALTH INFORMATION

Workforce members of Summa Hospitals should adhere to the Environmental Services Policy to ensure that the destruction of all paper protected health information does not result in the use or disclosure of protected health information in violation of federal or state law.

OTHER PAPER PROTECTED HEALTH INFORMATION

Examples. Other paper protected health information includes, but is not limited to, notes, scraps of paper, transparencies, reports, telephone notes, schedules, and any other written or printed material containing protected health information.

Means of Destroying Other Paper Protected Health Information. Workforce members of Summa Hospitals should apply the guidelines listed under “Medical Record Information.” However, unlike the destruction or retention of written medical record information, destroy other paper protected health information as soon as it is no longer needed.

Photographic Uses and Disclosures of Protected Health Information

X-RAYS AND OTHER DIAGNOSTIC IMAGING FILMS

Examples. X-rays and other diagnostic imaging films include, but are not limited to, films from x-rays, CT scans, MRI scans, ultrasound, angiography, radiation therapy, nuclear medicine, cardiac catheterization, echocardiography, etc.

Means of Safeguarding X-rays and Other Diagnostic Imaging Films. Workforce members of Summa Hospitals should adhere to the following guidelines to ensure that the handling of x-rays and other diagnostic imaging films does not result in the use or disclosure of protected health information in violation of federal or state law:

1. Use

a. Follow established departmental policies and procedures where applicable when using protected health information.

b. Limit the amount of protected health information that you access to the minimum necessary to do your job.

c. Protect x-rays and other diagnostic imaging films from open view by the public. Although it is acceptable to place x-rays and other diagnostic imaging films on viewscreens in public areas, you should remove films from public view as soon as review of them is finished.

d. Return x-rays and other diagnostic imaging films to appropriate, secure locations (e.g., film jacket, film library).


2. Storage

a. Store x-rays and other diagnostic imaging films in locked offices or cabinets or in staffed rooms.

b. Removal of x-rays and other diagnostic imaging films from Summa Hospitals’ property is prohibited, except when management staff removes such information for employment-related purposes or an outside vendor removes such information in reasonable furtherance of its duties to Summa.

c. Follow the appropriate departmental Record Retention Policy for x-rays and other diagnostic imaging.

3. Retrieval

a. Follow established departmental policies and procedures where applicable when accessing protected health information. Apply the Verification Policy to the persons listed as “emergency contact” or “next of kin” who come to retrieve film from you.

b. Unless employment duties require accessing particular x-rays or other diagnostic imaging films, never access anyone else’s films, including those of a spouse or other relative.

4. Disclosure (external)

a. Follow established departmental policies and procedures when disclosing protected health information.

b. Follow the Verification and Authorization Policies when evaluating requests for disclosure of protected health information.

5. Internal physical transfer

a. Carry x-rays and other diagnostic imaging films through the facilities without exposing protected health information to public view.

b. Deliver x-rays and other diagnostic imaging films to the appropriate individual at a secure location.

6. Destruction

a. Return x-rays and other diagnostic imaging films to any Radiology Film Room for appropriate disposal.

b. Follow the appropriate departmental Record Retention Policy for x-rays and other diagnostic imaging.

PHOTOGRAPHS AND VIDEOTAPES OF PATIENTS OR PATIENT RECORDS (e.g. MICROFILM)

Examples. Photographs and videotapes of patients, including those required by law, include, but are not limited to, photographs or videotapes taken for research, demonstration, diagnosis, identification, etc.; microfiche copies of patient records.


Means of Safeguarding Photographs and Videotapes of Patients and Patient Records. Workforce members of Summa Hospitals should adhere to the following guidelines to ensure that the handling of microfilms, photographs and videotapes of patients, including those required by law, does not result in the use or disclosure of protected health information in violation of federal or state law:

1. Creation and Use

a. Follow established departmental policies and procedures when using protected health information.

b. Limit the amount of protected health information that you access to the minimum necessary to do your job.

c. Protect microfilms, photographs and videotapes of patients, including those required by law, from open view by the public by covering them, turning them over when not in use, and removing them from counter tops.

2. Storage

a. Store microfilms, photographs and videotapes of patients, including those required by law, in locked offices or cabinets or in staffed rooms.

b. Removal of photographs and videotapes of patients, including those required by law, from Summa Hospitals’ property is prohibited, except when management staff removes such information for employment-related purposes or an outside vendor removes such information in reasonable furtherance of its duties to Summa.

c. Follow the appropriate departmental Record Retention Policy.

3. Retrieval

a. Follow established departmental policies and procedures when accessing protected health information. Apply the Verification Policy to the persons listed as “emergency contact” or “next of kin” who come to retrieve microfilms, photographs and videotapes of patients, including those required by law, from you.

b. Unless employment duties require accessing particular microfilms, photographs and videotapes of patients, including those required by law, never access anyone else’s, including those of a spouse or other relative.

4. Disclosure (external)

a. Follow established departmental policies and procedures when disclosing protected health information.

b. Follow the Verification and Authorization Policies when evaluating requests for disclosure of protected health information.

5. Internal physical transfer

a. Carry photographs of patients, including those required by law, through the facilities without exposing protected health information to public view.

b. Deliver microfilms, photographs and videotapes of patients, including those required by law, to the appropriate individual at a secure location.

6. Destruction

a. If applicable, destroy microfilm in accordance with department policies.

b. Follow the appropriate departmental Record Retention Policy.


Processing Requests for Access to Protected Health Information

PURPOSE

Summa Hospitals collects and maintains protected health information about patients. The federal HIPAA regulations on patient privacy and confidentiality allow patients the right to access certain information and records contained in their designated record set. In order to protect the privacy and confidentiality of patients' protected health information and to comply with federal law, all workforce members, as defined in the Workforce General Obligations Policy, are required to comply with the provisions of this policy.

DEFINITIONS

Designated Record Set is a group of records maintained by or for Summa Hospitals that includes the medical records and billing records about individuals used, in whole or in part, by or for Summa Hospitals to make decisions about individuals.

Psychotherapy Notes are notes recorded, in any way, by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes do not include medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.

PROCEDURE

1. Initial Request. Patients or their representatives may request access to their protected health information by completing the Authorization for Medical Information. This form is available from the Medical Records Department, the Patient Accounts Department, each nursing unit or the Summa Health System forms bulletin board on Microsoft Outlook.

Completed forms may be returned to the place where the patient received the form, to the Privacy Officer, or to the Privacy Officer’s designee as appropriate. Workforce members who receive completed Authorization for Medical Information forms and who are not designated by the Privacy Officer, e.g. nursing unit staff, etc., must forward the forms to the Privacy Officer.

The Privacy Officer of Summa Hospitals or designee must review the request, according to this policy and the verification policy. If access is denied, e.g. psychiatric admission records, the requesting patient will be notified. The record requested by the patient will be forwarded to the physician of record. The patient will be referred to the physician of record for follow-up at the physician’s discretion. The Privacy Officer or designee will be responsible to carry out all steps of this policy.


2. Response Time. After a completed Authorization for Medical Information is received, one of the following sets of outcomes will result.

a. If the requested record is stored on the grounds of Summa Hospitals, then:

1. The Access Denial Notice must be sent to the requesting patient or legal representative within 30 days of Summa Hospitals’ receipt of the request.

2. If the access request is approved, Summa Hospitals must grant access or provide a copy of the designated record set within 30 days of its receipt of the request.

b. If the requested record is stored off the grounds of Summa Hospitals, then:

1. The Access Denial Notice must be sent to the requesting patient or legal representative within 60 days of Summa Hospitals’ receipt of the request.

2. If the access request is approved, Summa Hospitals must grant access or provide a copy of the designated record set within 60 days of its receipt of the request.

c. If Summa Hospitals is unable to process the access request within the 30 or 60 day limits, then:

1. It may take one 30 day extension.

2. It must notify the requesting patient or legal representative of the extension in writing prior to expiration of the original 30- or 60-day limit, including the reason for the extension and the new date by which it intends to respond.

3. Initial Action. When a completed Authorization for Medical Information is received, it must be promptly entered in the Chart Release system. The reviewer must enter all pertinent information in the computer system, making sure that the reviewer's initials are entered in the appropriate area. To the extent possible, grant the patient's request for access to the information sought after excluding or redacting the information for which there is a ground to deny access.

4. Grounds to Deny in Whole or Part. If, after review of the request, any of the following circumstances exist, the request should be denied in part or in total, as appropriate, and the Access Control Form is noted accordingly:

a. The patient or the patient's representative does not sign the Authorization for Medical Information.

b. The patient's representative signs the Authorization for Medical Information, but the representative has not provided information on the source of his/her authority to act for the patient consistent with the Verification Policy of Summa Hospitals.

c. Part or the entire access request relates to a record that is not maintained by Summa Hospitals.

d. Part or the entire access request relates to information or a record that is not part of the patient's designated record set.

e. Part or the entire access request relates to psychotherapy notes.

f. Part or the entire access request relates to information that has been compiled in anticipation of or for use in a civil, criminal, or administrative proceeding.

g. Part or the entire access request relates to information that is not accessible pursuant to the Clinical Laboratory Improvements Act (CLIA).

h. Part or all of the access request relates to information created or obtained by Summa Hospitals in the course of research still in progress that includes treatment of the patient, the patient agreed to the denial of access when consenting to participate in the research, and Summa Hospitals informed the patient that the right of access will be reinstated after the research is completed.

i. A licensed health care professional has determined that part or all of the access requested is reasonably likely to endanger the life or physical safety of the patient or another person.

j. Part or all of the access request relates to information that makes reference to another person (unless such other person is a health care provider), and a licensed health care professional has determined that the access requested is reasonably likely to cause substantial harm to such other person.

k. The request for access is made by the patient's personal representative, and a licensed health care professional has determined that access by such personal representative is reasonably likely to cause substantial harm to the patient or another person.

l. The request is made by an inmate of a correctional institutional to receive a copy of the information, and Summa Hospitals has determined that obtaining such a copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for transporting the inmate. The existence of this circumstance allows denial only of obtaining a copy, not of inspecting the medical record.

m. Part or the entire access request relates to information obtained by Summa Hospitals from a non-health care provider under a promise of confidentiality, and access would likely reveal the source of the information.

5. Completing the Access Approval/Denial Notice. If a request for access is denied after review and within the applicable response time defined above, an Access Denial Notice, together with a Statement of Rights if access is denied for reasons i., j., or k. of Section 4 above, is sent to each requestor.

6. Providing the Information. If the Privacy Officer or designee approves the request for access, provide the access requested by the patient. The patient (except for an inmate under certain provisions of Ohio law) has the right to receive a copy by mail or in person. The patient (including an inmate) also has the right to inspect the information.

7. Fees. Summa Hospitals will assess fees for copying designated record sets. Copying fees will be consistent with state law.

8. Request for Review. When a licensed health care professional has made a determination that the patient should not have access to the requested information according to the provisions of Section 4 i, j or k, the patient is entitled to a review of the denial decision. If a patient files a review request, the Privacy Officer will assign the review to a designated physician who was not involved in the original denial decision. Send the reviewer the patient's Authorization for Medical Information and any other information relevant to the request and the denial. Ask the reviewer to provide an oral decision within 30 days of the receipt of the information. Once the reviewer has made a determination, provide notice to the patient of the review decision and document the review in the comment section of Chart Release with a notation: Reviewed by__________________________ on_____________________ (insert date of review).


Final determination is as follows: ______________________________________________

Complete the applicable sections of the form. The patient is not entitled to any further review by Summa Hospitals.


Processing Requests for an Accounting of Disclosures of Protected Health Information

PURPOSE

Summa Hospitals collects and maintains a great deal of personal protected health information about our patients. Summa Hospitals is required and/or permitted to disclose that information to many of our business associates and other entities for a variety of reasons. The federal HIPAA regulations on patient privacy and confidentiality grant patients the right to receive an accounting of disclosures we have made of their personal protected health information. In order to protect the privacy and confidentiality of our patients' personal protected health information and to comply with federal law, all workforce members of Summa Hospitals are required to comply with the provisions of this policy.

DEFINITIONS

Limited Data Set. Health information from which the following identifiers of the patient or of relatives, employers, or household members of the patient, are removed:

• Names;

• Postal address information, other than town or city, State, and zip code;

• Telephone numbers;

• Fax numbers;

• Electronic mail addresses;

• Social security numbers;

• Medical record numbers;

• Health plan beneficiary numbers;

• Account numbers;

• Certificate/license numbers;

• Vehicle identifiers and serial numbers, including license plate numbers;

• Device identifiers and serial numbers;

• Web Universal Resource Locators (URLs);

• Internet Protocol (IP) address numbers;

• Biometric identifiers, including finger and voice prints; and

• Full face photographic images and any comparable images.

Note that a limited data set may include the following identifiable information:

• Admission, discharge, and service dates;

• Date of death;

• Age (including age 90 or over); and

• Five-digit zip code.


PROCEDURE:

1. Initial Request. Patients or their representatives may request an accounting of disclosures of their protected health information by completing an Accounting Request Form. This form is available in the Medical Records Department or the System Forms Bulletin Board in Summa’s Microsoft Outlook program. Completed Accounting Request forms must be returned to the Privacy Officer, who is responsible to carry out this procedure.

2. Requests for an Accounting. All requests for an accounting must be submitted in writing and signed by the patient or the patient's representative. Do not process any requests that are not in writing and appropriately signed. Do not process any requests if signed by the patient's personal representative, and the representative has not provided information consistent with the Verification Policy of Summa Hospitals to support his/her authority to act on behalf of the patient. If the request form does not specify a period of time for the accounting, prepare the accounting to include all applicable disclosures between the date of receipt and April 14, 2003.

3. Response Time. When a written request for an accounting is received, you must provide the accounting within 60 days after receipt of the accounting request. If you are unable to process an accounting request within the required 60 days, you may take one 30-day extension. The patient must be notified of the extension in writing, and the notice must be sent before the original 60 days have lapsed. You can only take one extension, and the notice must inform the patient of the reasons for the extension and the date by which we intend to respond.

4. Fees. If the patient making the request for the accounting has already received one accounting within the 12 month period immediately preceding the date of receipt of the current request, prepare a Notice of Fees for an Accounting to the patient advising that a fee for processing will be charged and provide the patient a chance to withdraw the request. If a withdrawal notice is not received within 20 days of mailing, prepare the accounting and bill the patient for the fee amount.

5. Business Associates. The accounting must include all applicable disclosures made by business associates, as well as those made by Summa Hospitals. When an accounting request is received, each affected business associate will be sent a copy of the Business Associate Accounting Request Form within five days of the receipt of the accounting request.

Content of the Accounting. The accounting must include disclosures (but not uses) of the requesting patient's personal protected health information made by Summa Hospitals and business associates during the period requested by the patient up to six years prior to the request. Note, however, that we are not required to account for any disclosures made prior to April 14, 2003. The following types of disclosures do not have to be included in the accounting:

• Disclosures made pursuant to a signed authorization by the patient or the patient's representative;

• Disclosures to carry out our own treatment, payment and health care operations;

• Disclosures for treatment or payment activities of another health care provider;

• Disclosures for the health care operations of another health care provider or health plan listed on the Checklist for Determining Whether Authorization is Required under the Health Care Operations section;

• Disclosures made to the requesting patient or the patient's personal representative;

• Disclosures to the Patient Directory;

• Disclosures made to persons involved in the patient’s care or notification of next-of-kin or family members;

• Disclosures for national security or intelligence purposes;

• Disclosures in the form of de-identified information or information contained in a limited data set;

• Disclosures to correctional institutions or law enforcement officials about inmates or others in custody; and

• Disclosures that occurred prior to the April 14, 2003 compliance date of the federal regulations.

The accounting must include the following information for each reportable disclosure of the individual’s protected health information:

• The date of disclosure;

• The name of the entity or person to whom the information was disclosed;

• If available, the address of the entity or person to whom the information was disclosed;

• A brief description of the protected health information disclosed; and

• A brief statement explaining the purpose for the disclosure. You may, in lieu of this statement, include a copy of the written request for disclosure that caused the disclosure, if applicable.

You do not need to list within the accounting disclosures for which you have a temporary suspension statement from a health oversight agency or a law enforcement official. In order for these disclosures to be excluded, you must have a written statement from the agency or official stating that providing notice of the disclosure to the patient would be reasonably likely to impede the agency's activities and stating a time when the suspension will be in effect. In all cases, the fact of the disclosure must be provided to the patient at the conclusion of the suspension period. If we have made multiple disclosures of a patient's information, you may provide the following information in lieu of listing each multiple disclosure:

• For the first disclosure, all of the information listed above is required (date, name of entity, etc.);

• For the last disclosure, the date of the disclosure; and

• For all other disclosures, the frequency, periodicity, or number of disclosures made during the time period.

For example, if a state department of health requires monthly reporting by statute, you may provide the accounting for those multiple disclosures in the format described above.

Accounting for Research Disclosures. If, during the period covered by the accounting, we have made disclosures for a particular research purpose for 50 or more individuals, the accounting may provide:

• The name of the protocol or other research activity;

• A description of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;

• A brief description of the type of information that was disclosed;

• The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;

• The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and

• A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity.

Note that information disclosed for research that has been de-identified or is contained in a limited data set does not need to be included in the accounting.

Denying the Request for Accounting. A request for an accounting can only be denied when it is requested by the personal representative of the patient and you have a reasonable belief that:

• The patient has been or may be subjected to domestic violence, abuse, or neglect by the personal representative; or treating such person as the personal representative could endanger the patient; and

• A licensed health care professional, in the exercise of professional judgment, decides that it is not in the best interest of the patient to treat the person as the patient's personal representative.

Approved and Denied Accounting Requests. When the accounting is approved, send a copy of the completed accounting to the address requested by the patient together with an Approval/Denial Form for Accounting Requests with the appropriate information checked on the form. If an accounting is denied, send the Approval/Denial Form for Accounting Requests with the appropriate information checked on the form.


Processing Requests for Amendments to Protected Health Information

PURPOSE

Summa Hospitals collects and maintains protected health information about patients. The federal HIPAA regulations on patient privacy and confidentiality allow patients the right to request that we make amendments to the information and records contained in their designated record set in certain circumstances. In order to protect the privacy and confidentiality of our patients' protected health information and to comply with federal law, all workforce members of Summa Hospitals are required to comply with the provisions of this policy.

DEFINITIONS

Designated Record Set is a group of records maintained by or for Summa Hospitals that includes the medical records and billing records about individuals used, in whole or in part, by or for Summa Hospitals to make decisions about individuals.

PROCEDURE

1. Initial Request. Patients or their legal representatives may request an amendment to their protected health information by completing an Amendment Request Form. This form is available in the Medical Records Department, or the System Forms Bulletin Board in Summa’s Microsoft Outlook program. Completed Amendment Request forms must be returned to the Privacy Officer, who is responsible to carry out this procedure.

2. Initial Action. When a completed amendment request form is received, it must be promptly entered in the Chart Release system. The reviewer must enter all pertinent information in the computer system, making sure the reviewer's initials are entered in the appropriate area.

3. Initial Review. We are not required to approve amendments in certain circumstances. Review each amendment request as follows:

Amendment Request Form Not Signed and/or Does Not State a Reason for the Amendment Request. In these cases, the request does not need to be further processed and the Chart Release system should be noted accordingly. A denial letter must be sent to the requestor (if proper name and address has been provided) within 60 days of the receipt of the amendment request.

Amendment Request Form Signed By a Patient's Representative and Authority Not Documented. If the Amendment Request Form is signed by a patient's representative, the representative must include documentation or information to support his/her authority to act for the patient. If such information, in accordance with our Verification Policy, is not included, the request does not need to be further processed and the Chart Release system should be noted accordingly. A denial notice must be sent to the requestor (if proper name and address has been provided) within 60 days of the receipt of the amendment request.


The Amendment Request Relates to a Record That Was Not Created by Summa Hospitals. Determine whether the amendment request relates to a record that was created by Summa Hospitals. If it was not created by Summa Hospitals, the Chart Release system is noted accordingly. A denial notice must be sent to the requestor within 60 days of the receipt of the amendment request. The denial notice should indicate to the patient where the amendment request should be sent (i.e., the creator of the record), if known. Note that in those cases where Summa Hospitals possesses the record but the record was not created by Summa Hospitals, we will process the request if the patient has provided credible information that the originator of the record is no longer available to act on the request.

The Amendment Request Relates to Information or a Record that is Not Part of the Designated Record Set. If the amendment request relates to information or a record not within the patient's designated record set, the Chart Release system is noted accordingly. A denial notice must be sent to the requestor within 60 days of the receipt of the amendment request indicating that the record is not part of the designated record set.

The Amendment Request Relates to Information that the Patient is not Authorized to Inspect by Law. If the amendment request relates to information or a record that the patient is not authorized by law to inspect, the Chart Release system is noted accordingly. A denial notice must be sent to the requestor within 60 days of the receipt of the amendment request indicating that because the record is not available by law for the patient to inspect, it is also not available for amendment. Information which the patient is not authorized by law to inspect includes, but is not limited to, psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; information maintained by laboratories subject to or exempt from CLIA.

The Amendment Request Relates to Information to which the Access Policy allows Summa Hospitals to Deny Access. If the amendment request relates to information or a record that the patient may not inspect according to the Access Policy, the Chart Release system is noted accordingly. A denial notice must be sent to the requestor within 60 days of the receipt of the amendment request indicating that because the record is not available for the patient to inspect, it is also not available for amendment. Circumstances under which access to inspection may be denied include instances where the requested information is being used in research still in progress, where a licensed health care professional has determined that access is reasonably likely to endanger or cause substantial harm to the patient or another person, or where Summa received the information from a non-health care provider under a promise of confidentiality.

4. Substantive Review. If the request has not yet been denied for the above reasons, simultaneously provide a copy of the Amendment Request Form to the author of the record or information in question and review the record or information to see if the amendment is appropriate. If the Privacy Officer and the author of the record cannot reach agreement on the requested amendment, the Privacy Officer will refer the requested amendment to a designated physician for final decision.

Record is Accurate and Complete as Written. If, after consultation with the author of the record or information in question, it is determined that the record is accurate and complete as written and does not require amendment, the Chart Release System is noted accordingly. A denial notice must be sent to the requestor within 60 days of the receipt of the amendment request indicating that the record is complete and accurate as written.

Amendment is Appropriate. If, after consultation with the author of the record, it is determined that the amendment request is appropriate, the Chart Release System is noted accordingly. An amendment approval notice must be sent to the requestor within 60 days of the receipt of the amendment request indicating that the amendment has been accepted and the records amended as requested.

5. Documenting Approved Amendments.

A. Amending the Record. When an amendment or correction is approved, append the amendment to the applicable record.

B. Informing Others. When an amendment is accepted, provide appropriate notice to all persons or entities listed on the patient's amendment request form, if any, and also provide notice of the amendment to any persons/entities who you know have the particular record and who may rely on the uncorrected information to the detriment of the patient. Document the Chart Release System with the names of the persons/entities receiving the amendment notice.

6. Documenting Denied Amendments.

A. Documenting the Record. When an amendment request is denied, append the amendment request to the applicable record, as well as the denial notice of the request; the patient's statement of disagreement, if any; and our rebuttal/response to such statement of disagreement, if any.

B. Statement of Disagreement. When an amendment request is denied, the patient has the right to submit a statement of disagreement and we have the right to prepare a rebuttal to such statement of disagreement. If a rebuttal statement is prepared by us, a copy must be promptly sent to the patient.

C. Future Disclosures of the Record. If a statement of disagreement has been submitted by the patient, include patient's request for an amendment; the denial notice of the request; the patient's statement of disagreement, if any; and our rebuttal/response to such statement of disagreement, if any, with any subsequent disclosure of the record to which the request for amendment relates. If the patient has not submitted a written statement of disagreement, include the individual’s request for amendment and its denial with any subsequent disclosure of the protected health information only if the individual has requested such action.

7. Extension. If you are unable to process a request for amendment within the required 60 days, you may take one 30-day extension. The patient must be notified of the extension in writing, and the notice must be sent before the original 60 days have lapsed. You can only take one extension, and the notice must inform the patient of the reasons for the extension and the date by which we intend to respond.


Obtaining and Complying With Patient Authorizations

PURPOSE

Summa Hospitals collects and maintains a great deal of personal protected health information about our patients. The federal HIPAA regulations on patient privacy and confidentiality restrict our ability to use and disclose that information in many circumstances. To protect the privacy and confidentiality of our patients' personal protected health information and to comply with federal law, this policy applies to all workforce members of Summa Hospitals.

DEFINITIONS

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of information to persons not employed by or working within Summa Hospitals.

Use. The sharing, employment, application, utilization, examination, or analysis of information by any person working for or within Summa Hospitals.

Protected health information (PHI). Protected health information is information that:

1. Is created or received by Summa Hospitals;

2. Relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or the past, present, or future payment for the provision of health care to a patient; and

3. Identifies the patient or provides a reasonable basis to believe that it can be used to identify the patient.

Protected health information includes information of persons living or deceased. The following components of a patient's information also are considered protected health information:

• names;
• street address, city, county, precinct, zip code;
• dates directly related to a patient, including birth date, admission date, discharge date, and date of death;
• telephone numbers, fax numbers, and electronic mail addresses;
• Social Security numbers;
• medical record numbers;
• health plan beneficiary numbers;
• account numbers;
• certificate/license numbers;
• vehicle identifiers and serial numbers, including license plate numbers;
• device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• biometric identifiers, including finger and voice prints;
• full face photographic images and any comparable images; and
• any other unique identifying number, characteristic, or code.

POLICY

No use or disclosure of personal protected health information may be made by any workforce member unless any one of the following exceptions exists:

1. An exception is listed on the attached Checklist For Determining Whether an Authorization is Required and the excepted use or disclosure is consistent with your job description or professional duties or has been approved by the Privacy Officer or designee.

2. For any of the following purposes if such use or disclosure is consistent with your job description or professional duties or has been approved by the Privacy Officer or designee, and there are no agreed-to restrictions in accordance with our Restriction Policy:

a. The information may be used for the treatment, payment, or health care operations of Summa Hospitals, but note exceptions for psychotherapy notes, marketing communications and fundraising below.

b. The information may be disclosed for the treatment activities of another health care provider, but note exceptions for psychotherapy notes below.

c. The information may be disclosed to another health care facility, health care provider or health plan for the payment of the entity that receives the information.

d. The information may be disclosed to another health care facility, health provider or health plan for health care operations activities of the facility, provider or plan that receives the information, if both Summa Hospitals and the receiving facility, provider or plan have or have had a relationship with the patient whose information is being disclosed and the purpose of the disclosure is for any of the following:

i. quality assessment and improvement activities;
ii. population-based activities relating to improving health or reducing health care costs;
iii. protocol development;
iv. case management or care coordination;
v. contacting health care providers and patients with information about treatment alternatives;
vi. reviewing the competence or qualifications of health care professionals;
vii. evaluating practitioner and provider performance;
viii. conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers;
ix. training of non-health care professionals;
x. accreditation, certification, licensing, or credentialing activities; or
xi. health care fraud and abuse detection or compliance.

3. There is a signed authorization by the patient or the patient's representative that specifically authorizes the use or disclosure.

An authorization form is required prior to many uses or disclosures of psychotherapy notes and prior to many marketing and fundraising communications. All uses and disclosures of psychotherapy notes must be preceded by a signed patient authorization unless the use and disclosure is listed on the attached Checklist For Determining Whether an Authorization is Required under Psychotherapy Notes. All uses and disclosures for fundraising and marketing must comply with our policy on Marketing and our policy on Fundraising. If you have any questions about uses and disclosures of these categories of patient information, contact the Privacy Officer prior to such use or disclosure.

PROCEDURE

1. Authorization Form. The authorization form of Summa Hospitals shall be used for all uses and disclosures for which an authorization is required by this policy, including authorizations requested by the patient, authorizations requested by Summa Hospitals, and authorizations for research. This form is available from the Medical Records Department, the Patient Accounts Department, each nursing unit or the Summa Health System forms bulletin board on Microsoft Outlook.

2. Before making any uses or disclosures of information authorized to be used or disclosed by a signed authorization form, determine that the authorization form is valid. Valid authorization forms are those that are properly signed by the patient or the patient's representative, all applicable information is included on the form and not known to be inaccurate or false, and the form has not expired or been revoked. The expiration date of the authorization form must be a specific date (such as July 1, 2003) or a specific time period (e.g., one year from the date of signature), or an event directly relevant to the patient or the purpose of the use or disclosure (e.g., for the duration of the individual's enrollment with the health plan that is authorized to make the use or disclosure). When the use or disclosure is for a research study or for creation and maintenance of a research database or research repository, "end of the research study" or "none" can be listed as the expiration date. When the use or disclosure is related to requests for medical records and/or billing records, refer to the Medical Records Department Policy “Proper Authorization for Release of Information”.

3. No authorization form may be combined with any other document.

4. Workforce members will not require patients to sign an authorization in order to receive treatment or provide payment, with the following exceptions:

a. Patients may be required to authorize research-related uses and disclosures of PHI in order to receive research-related treatments.

b. Patients may be required to authorize uses and disclosures of information to a third party when the sole reason for treatment is to create PHI for disclosure to the third party.


5. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

6. If an authorization form is signed by the patient's representative, you must verify the authority of the representative to act for the patient in accordance with Summa Hospitals’ Verification Policy.

7. If an authorization form is revoked in writing by the patient or the patient's representative, no further uses or disclosures of the authorized information pursuant to the authorization form may be made unless approved by the Privacy Officer.


CHECKLIST FOR DETERMINING WHETHER AN AUTHORIZATION IS REQUIRED FOR USES AND DISCLOSURES OF PERSONAL PROTECTED HEALTH INFORMATION

A covered health care provider can make most uses and disclosures of personal protected health information for treatment (exceptions for psychotherapy notes), payment, and health care operations of the organization (exceptions for marketing and fundraising) without a signed authorization from the patient. All other uses and disclosures must be authorized by a signed authorization from the patient or the patient's representative, unless there is an exception in the regulations. Set forth below are those exceptions when personal protected health information may be released without a signed authorization. Note that you are permitted to release any information that is required to be released by a federal or state law even if that type of release is not listed here.

For any questions on content or interpretation of this table, contact the Privacy Officer.

Type of Information or Reason for Disclosure

No Authorization Required If:

Abuse, neglect or domestic violence

To a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence (not including child abuse) in any of the following circumstances:

• To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law;
• If the individual agrees to the disclosure; or
• To the extent the disclosure is expressly authorized by statute or regulation and a) the covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or b) if the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

In all cases above, the covered entity must promptly inform the individual that such report has been or will be made except in one of the following circumstances: a) the covered entity, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or b) the covered entity would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.

Audits and investigations

To a health oversight agency for oversight activities authorized by law, including audits; civil, administrative or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative or criminal proceedings or actions; fraud investigations or self-disclosures; or other activities necessary for the appropriate oversight of:

• The health care system;
• Government benefit programs for which health information is relevant for beneficiary eligibility;
• Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
• Entities subject to civil rights laws for which health information is necessary for determining compliance.

This exception does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to: a) the receipt of health care; b) a claim for public benefits related to health; or c) qualification for, or receipt of, public benefits or services when a patient's health is integral to the claim for public benefits or services.

Child abuse or neglect

To a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.

Crime victims

In response to a law enforcement official's request for information about a patient who is or is suspected to be a victim of a crime (other than disclosures that involve victims of abuse, neglect or domestic violence):

• The individual agrees to the disclosure; or
• The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: a) the law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim; b) the law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and c) the disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.

Criminal conduct

To a law enforcement official if you believe in good faith that the information constitutes evidence of criminal conduct that has occurred on the premises of our campus. To a law enforcement official for the purpose of alerting law enforcement of the death of the person whose information is disclosed if you have a suspicion that such death may have resulted from criminal conduct. In response to a medical emergency (other than such emergency on the premises of the covered health care provider and other than emergencies involving abuse, neglect or domestic violence) to a law enforcement official if such disclosure appears necessary to alert law enforcement to:

• The commission and nature of a crime;
• The location of such crime or of the victim(s) of such crime; and
• The identity, description, and location of the perpetrator of such crime.


Death

To a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. (Can include psychotherapy notes.) To funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent (disclosure can be prior to, and in reasonable anticipation of, the individual's death).

Disaster relief

To a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the uses or disclosures necessary to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the patient, of the patient's location, general condition, or death. In these circumstances, the covered entity must a) obtain the patient's agreement; b) provide the patient with the opportunity to object to the disclosure, and the patient does not express an objection; or c) reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.

Disease reporting

To a public health authority (typically a department of health) authorized by law to collect or receive such information. To a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or a public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.

Employers

To an employer, about an individual who is a member of the workforce of the employer, if the covered entity provides health care to the individual at the request of the employer to conduct an evaluation relating to medical surveillance of the workplace; or to evaluate whether the individual has a work-related illness or injury. The information must consist of findings concerning a work-related illness or injury or a workplace-related medical surveillance. The covered entity must provide written notice to the individual that personal protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer by giving a copy of the notice to the individual at the time the health care is provided; or, if the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.

Facility directory information

To any person who requests information by specific patient name or to a member of the clergy even if a specific name is not provided. Note that there are limits on what information can be included in a facility directory and that patients have the right to "opt out" of the directory listing and to place restrictions on the use of the information.

Family or friends involved with the patient's care or payment

To family and friends involved with the patient's care or payment if the covered entity:

• Obtains the patient's agreement;
• Provides the patient with the opportunity to object to the disclosure, and the patient does not express an objection; or
• Reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.

Food and drug

To a person subject to the jurisdiction of the Food and Drug Administration with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include:

• To collect or report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;
• To track FDA-regulated products;
• To enable product recalls, repairs, or replacement or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or
• To conduct post-marketing surveillance.


Health care operations

For our own health care operations. Also to another covered entity for health care operations activities of the entity that receives the information, if each entity has or has had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is for any of the following purposes:

• Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

• Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

• Health care fraud and abuse detection or compliance.

Injury or disability reports

To a public health authority (typically a department of health) authorized by law to collect or receive such information. Includes gunshot wounds and other types of injuries or disabilities required to be reported.

Inmate information

To a correctional institution or a law enforcement official having lawful custody of an inmate or other individual if the correctional institution or law enforcement official represents that such protected health information is necessary for: a) the provision of health care to such individuals; b) the health and safety of such individual or other inmates; c) the health and safety of the officers or employees of or others at the correctional institution; d) the health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another; e) law enforcement on the premises of the correctional institution; and/or f) the administration and maintenance of the safety, security, and good order of the correctional institution.

Law enforcement

In response to a law enforcement official's request for information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that the covered entity discloses only the following information: a) name and address; b) date and place of birth; c) Social Security number; d) ABO blood type and Rh factor; e) type of injury, if applicable; f) date and time of treatment; g) date and time of death, if applicable; and h) a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos. The covered entity may not disclose any information related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.

Medical suitability determinations

Entities that are a component of the Department of State may use information to make medical suitability determinations and may disclose whether or not the individual was determined to be medically suitable to the officials in the Department of State who need access to such information for the following purposes: a) a required security clearance; b) as necessary to determine worldwide availability or availability for mandatory service abroad under the Foreign Service Act; or c) for a family to accompany a Foreign Service member abroad.

Military personnel information

For activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: a) appropriate military command authorities; and b) the purposes for which the protected health information may be used or disclosed. To the Department of Veterans Affairs, for purposes of a determination by the Department of an individual's eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs, information about a member of the Armed Forces upon the separation or discharge of the individual from military service.

National security and intelligence activities

To authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act.

Organ donations

To organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.

Payment

For our own payment purposes or to another covered entity or health care provider for the payment of the entity that receives the information.

Protected services for the President and others

To authorized federal officials for the provision of protective services to the President or other persons authorized by 18 U.S.C. 3056, or to foreign heads of state or other persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879.

Psychotherapy Notes

To carry out the following treatment, payment, or health care operations: a) Use by originator of the psychotherapy notes for treatment; b) Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or c) Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the patient. Psychotherapy notes may also be released to the Secretary of the U.S. Department of Health and Human Services for compliance investigations; as required by law; to a health oversight agency for oversight of the originator of the notes; to coroners and medical examiners; and to avert serious threats to health and safety. See description of each of these categories.

Research

For research, regardless of the source of funding of the research, provided the covered entity obtains specific documentation that an alteration to or waiver, in whole or in part, of the patient authorization for use or disclosure of protected health information has been approved by either an Institutional Review Board or a privacy board. For reviews preparatory to research, if the covered entity obtains from the researcher representations that the information is sought solely to review information to prepare a research protocol or for similar purposes preparatory to research, that no information will be removed from the covered entity by the researcher, and that the information is necessary for the research. For research on decedents, if the covered entity obtains from the researcher representations that the information is sought solely for research on information of decedents and that the information is necessary for research purposes.

Secretary of U.S. Department of Health and Human Services

To the Secretary of the U.S. Department of Health and Human Services or his/her designee for investigations for HIPAA privacy compliance.

Subpoenas/discovery requests

In response to a subpoena or discovery request issued by a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order. In response to a subpoena or discovery request that is not accompanied by an order of a court or administrative tribunal, if the covered entity receives a written statement and accompanying documentation demonstrating that either of the following has occurred:

• The party requesting the information has made a good faith attempt to provide written notice to the individual and the notice includes sufficient information about the litigation or proceeding for which the information is requested to permit the individual to raise an objection to the court or administrative tribunal; and the time for the individual to object has lapsed and no objections were filed or all objections have been resolved by the court or administrative tribunal; or

• The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal; or the party seeking the information has requested a qualified protective order from the court or administrative tribunal.


Threats to health or safety

To a person or persons reasonably able to prevent or lessen the threat, including the target of the threat, when such disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

To law enforcement authorities to identify or apprehend an individual because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim. Only the following information is permitted to be disclosed without authorization: a) name and address; b) date and place of birth; c) social security number; d) ABO blood type and Rh factor; e) type of injury, if any; f) date and time of treatment or death, if applicable; and g) a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos. Note that this exception does not apply, and authorization is required, if the information is learned by the covered entity: a) in the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure, or counseling or therapy; or b) through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy.

To law enforcement authorities to identify or apprehend an individual where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

Treatment

For our own treatment activities or to another health care provider for the treatment activities of the provider that receives the information.

Veterans

To components of the Department of Veteran Affairs that determine eligibility for or entitlement to, or that provide, benefits under the law administered by the Secretary of Veterans Affairs, if the covered entity is a component of the Department of Veterans Affairs.

Vital statistics, including births or deaths

To a public health authority (typically a department of health) authorized by law to collect or receive such information.

Workers' compensation

To workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

Computer Systems Contingency Policy

Objective: To define computer systems contingency plans and requirements to protect ePHI, which includes the infrastructure which supports systems with ePHI, at Summa Hospitals in the event of any disaster.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy and security policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

DEFINITIONS

Electronic Protected Health Information (ePHI) is the electronic form of PHI as defined in the Summa Workforce General Obligations Regarding Uses and Disclosures for Protected Health Information Policy.

System Administrators are persons designated to control access to a particular database or information base.

Data Owners are management level persons who ensure the accountability for the accuracy, integrity, and appropriate use of data contained within their database.

POLICY

Data Criticality Analysis: All databases containing PHI will be ranked by a Data Criticality Analysis matrix. Any new systems purchased must also be ranked by the Data Owners.

Data owners are responsible for ensuring that their systems are ranked according to the Data Criticality Analysis Matrix. Data owners are responsible for ensuring that new systems are ranked prior to going live on the system. The ranking should be sent to the Security Officer and the Director of Network and Technical Support. If the Data Owner feels any ranking has changed or is incorrect, they may request a re-ranking of their system. The IT&S Administrative Director and the CIO reserve the right to review and modify rankings and notify the Data Owners of any changes to ranking.


The Director of Network and Technical Support is responsible for ensuring that a listing of the databases and their criticality ranking is kept accessible to staff who must work through restoring systems during any disaster.

Emergency Mode Requirements:

Data Backup: Backup procedures should include:

• Frequency of the backup

• Offsite storage process, recommend weekly

• Documentation of backup

• Periodic testing of backup and recovery from backup and documentation of the testing

The Director of Network and Technical Support along with the Manager of Computer Operations and the System Administrators, will maintain backup policies and procedures for all systems that are in the data center. System Administrators with servers not located in the data center will develop written backup procedures for their systems. These procedures will be subject to periodic review and testing.

Downtime Procedures: All System Administrators and Data Owners are responsible for developing written downtime procedures. The downtime procedures should include:

• Procedures for an unexpected downtime

• Procedures for a planned downtime

• Procedures for a partial downtime (only parts of an application are down)

• Procedures for downtime of systems that directly affect your system (such as the ADT interface being down)

• Process for notifying staff of downtime

• Process for notifying Help Desk of downtime

• Periodic testing of downtime procedures and documentation of the testing

• Periodic education of staff on downtime procedures and documentation of staff education

Revisions and Upgrade Requirements:

System Administrators and Data Owners must make all efforts to protect the integrity of data in their systems. System Administrators and Data Owners need to have written policies and procedures for the implementation of revisions or upgrades to hardware or software.

These policies must include the following:

• A full backup.


• Documentation of testing data integrity for custom programming changes, and unique scenarios. Documentation that the testing was done.

• Documentation of any customizations to software or data base structure containing PHI to be kept for the duration of the retention of the data.

• After upgrades, retesting of the security of the system to ensure that access and access levels are still secure post revision upgrade.

Disaster Recovery Requirements:

The Director of Network and Technical Support along with the Manager of Computer Operations will maintain a Summa Hospitals Disaster Recovery Plan that will be reviewed and updated yearly.

In the event of a disaster, the Director of Network and Technical Support and the Manager of Computer Operations will use the Data Criticality Analysis ranking as a guide in determining which systems to focus on restoring as a priority during any recovery operations.

Sanctions: Reports are to be provided to departmental management on violations in accordance with the Information Security Policy. Disciplinary action for workforce members who violate Summa Hospitals’ Information Contingency Policy is possible, up to and including termination. Violations by medical staff will be addressed through the Medical Staff Bylaws.


Computers Hardware, Software, and Use Policy

Objective: To define personal computer hardware and software policies to maximize business efficiency, minimize support costs, and ensure proper use and protection of Summa Hospitals information and ePHI.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy and security policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

DEFINITIONS

Electronic Protected Health Information (ePHI) is the electronic form of PHI as defined in the Summa Workforce General Obligations Regarding Uses and Disclosures of Protected Health Information Policy.

User is defined as a Workforce Member or Medical Staff.

Computers are defined as computers not in the Data Center, examples including but not limited to desktops, portable computers, and PDAs (Personal Data Assistant), and any Medical Equipment that includes computers that store ePHI.

Portable Computers include, but are not limited to, laptops, PDAs, smart phones, Blackberry, iPAQ, Tablets, Palm Pilots, etc.

POLICY

Personal computers at Summa Hospitals are for business use and are the property of Summa Hospitals, not the individual users of those computers. This policy addresses acquisition, setup and configuration, disposal and reassignment, and proper use of Summa Hospitals personal computer (PC) hardware and software and Medical equipment containing computers that store ePHI. Personal computer hardware and software installed on personal computers must be approved by IT Customer Support. Adding to or changing the hardware or software configuration of Summa-owned systems by the user is not permitted.

USE OF COMPUTERS

• Users logging onto the system will ensure that no one observes the entry of their password.

• Users will not log onto the system using another’s password nor permit another to log on with their password. Nor will a user enter data under another person’s password.

• Each workforce member using Summa information systems is responsible for the content of any data he or she inputs into the computer or transmits through or outside the facility’s system. No user may hide their identity as the author of the entry or represent that someone else entered the data or sent the message. All workforce members will familiarize themselves with and comply with the facility’s email policy.

• No workforce member may access any confidential patient or other information if it is not required by their job function. No workforce member may disclose confidential patient or other information unless properly authorized.

• Workforce members using Summa information systems will not write down their password and locate it at or near the terminal, such as but not limited to putting their password on a yellow “stickie” on the screen or a piece of tape under the keyboard.

• All systems that have an automatic logoff feature for periods of inactivity must enable that feature and document the time limit within their Information Access/Control Policy. All workforce members must lock their computer when not in use or set the autologoff.

USE OF PORTABLE COMPUTERS

• Portable computers pose a significant security risk because they may contain confidential patient information and, being portable, are more at risk for loss, theft, or other unauthorized access than the Summa Hospitals’ less easily movable computers. Portable computers may be more vulnerable to viruses and other such threats because the user may not regularly use virus protection software. Portable computer use is more difficult to audit; thus security breaches may be more difficult to identify and correct.

• Summa issues the portable computer for the workforce member’s use. The hardware, software, all related components, and data are the property of Summa Hospitals and must be safeguarded and be returned upon request and upon termination of workforce member’s employment.

• Any Summa workforce member using a portable computer must agree to the following:

1. Summa Hospitals reserves the right to restrict the use and capabilities of Summa-owned portable equipment. The workforce member understands that the hardware may have been disabled from performing any functions other than those intended for business use and instructed by their manager and that the workforce member may not attempt to enable such other functions.

2. Workforce members are responsible for securing the unit, all associated equipment, and all data, within their homes, cars, and other locations. When configurable, portable PCs must be configured to have the power-on password enabled, and it must never be disabled.

3. Workforce members must not alter the serial numbers of the equipment in any way.

4. Workforce members are responsible for securing the computer from use by non-workforce members.

5. Workforce members must immediately report any lost, damaged, malfunctioning, or stolen equipment or breach of security or confidentiality to the Information Security Officer and the member’s Department Manager.

6. Any workforce member using a Summa provided home PC or portable PC must sign a Workforce Member Home Equipment Form, available on Summa Forms. Physicians and physician staff will sign the Security and Usage Agreement External form.

Many physicians may want to use their own portable computer equipment to access Summa’s network. Summa will permit this access if the physician agrees to the following minimum guidelines:

1. All requests for physician personally owned hardware to be used on the Summa Network will be directed for approval by Clinical Information Systems. The clinical systems analyst will verify active medical staff credentialing appointment for Physician and forward an e-mail to the IT&S HW/SW e-mail box with the contact information for the requesting physician. IT Customer Support will contact and arrange an appointment with the physician to complete the request.

2. The physician agrees to password-protect his or her portable computer device when configurable.

3. The physician agrees to notify the IT&S Information Security Officer immediately if the device is lost, stolen or replaced.

4. Physicians who will be using their laptops to access Summa resources are responsible for proper anti-virus software on their equipment.

5. Summa supports a standardized PDA solution. All PDA purchases and/or usage that synchronize with Summa email, calendar, or files should be coordinated with IT&S PC Support through the use of a Hardware/Software request. With a nominal fee, the PDA can be licensed to synchronize email and calendar appointments wirelessly as well as wipe the unit should it become lost or stolen.

PROCEDURE FOR HARDWARE AND SOFTWARE

1. Acquisition of hardware and peripherals. All Summa Hospitals, Grant or Foundation funded PC hardware and peripherals must be requested through IT Customer Support.

2. Hardware setup. IT Customer Support is responsible for installing the operating system, network adapters, and peripherals. Approved configurations are installed and must not be modified by users without prior written approval by IT Customer Support.

3. Hardware additions. No additional hardware such as modems, scanners, and hard drives may be connected to Summa Hospitals, Grant or Foundation funded PCs, without prior written approval from IT Customer Support. Periodic manual and automated inventory is performed on PC hardware. Any unauthorized hardware will be removed.

4. Modems and Remote control Software. Internal and external modems are permitted on PCs only when authorized by IT Customer Support. Use of remote control programs without prior written approval from IT Customer Support is expressly prohibited by this policy.

5. Software standards. IT Customer Support installs and supports standard software for use at Summa Hospitals. Contact IT Customer Support for the current list. All software on Summa, Grant or Foundation funded PCs must be on the standards list unless prior written approval has been given by IT Customer Support. Periodic manual and automated software inventory is performed on PCs. Applications that have not been approved will be removed if discovered during a service call or detected during an automated inventory.

6. Copying software from personal computers. Software on Summa Health System PCs may not be copied for any reason without prior written approval of IT Customer Support.

7. Personalizing. PCs at Summa Hospitals are for business use. Customizing with personal wallpaper, non-standard screen savers and any personal software that is not part of the Microsoft Operating system is not permitted.

8. Software installation and troubleshooting. IT Customer Support and IT Technical Support are solely responsible for installing, configuring and troubleshooting applications installed on PCs at Summa Hospitals. Problems should be reported to the Support Desk for resolution.

9. Network applications. All applications that run on Summa PCs, databases or file servers need to be approved by IT&S.

10. Transfer and Moving of Equipment. No PCs or peripherals may be transferred from one location to another or one department to another without the prior written approval of IT&S. This procedure does NOT prohibit rearranging equipment within the same office and reconnection to the same network outlet.

11. Disposal. Any PCs or peripherals not in active use must be returned to IT Customer Support, which handles reassignment or appropriate disposal procedures. Disposal procedures include removing software applications and PHI and complying with environmental requirements and HIPAA requirements. Notify the Support Desk of any equipment not in use.

12. Policy violations. When automated software inventory, hardware inventory, or on-site inspections detect unauthorized hardware or software, it will be removed without notification and the PC will be returned to a standard configuration. This procedure will cause loss of any personal configuration information and personal data stored on the computer.

Sanctions: Reports are to be provided to departmental management on violations in accordance with the Information Security Policy. Disciplinary action for workforce members who violate Summa Hospitals’ policy on Computer Hardware, Software and Use is possible, up to and including termination. Violations by medical staff will be addressed through the Medical Staff Bylaws.

Revised 8/15/2006

Requests for Confidential Communications

PURPOSE

Summa Hospitals collects and maintains a great deal of personal protected health information about our patients. The federal HIPAA regulations on patient privacy and confidentiality allow patients the right to request that communications from us be made by alternative means or at alternative locations. In order to protect the privacy and confidentiality of our patients’ personal protected health information and to comply with federal law, all workforce members of Summa Hospitals are required to comply with the provisions of this policy.

POLICY

Patients have the right to request to receive communications from us by alternative means or at alternative locations. For example, patients may ask us to only send appointment reminder cards in sealed envelopes rather than on postcards, or to call them only at work rather than at home. Summa Hospitals will accommodate all reasonable requests. Until an alternate means of communication can be approved, SHSH workforce members should follow standard operating procedures.

PROCEDURE

1. When a patient indicates a need for a confidential communication, SHSH workforce members should have them complete the Confidential Communication Request Form and review the request to assure that it is properly signed by the patient or the patient’s representative. This form is available in the Medical Records Department, or the System Forms Bulletin Board in Summa’s Microsoft Outlook program. Forward the completed request to the Privacy Officer.

2. The Privacy Officer will determine Summa Hospitals’ ability to comply with the request.

3. It is prohibited to inquire of the patient why he/she is requesting communications on a confidential basis.

4. The Privacy Officer will share all approved confidential communication requests with the hospital department likely to communicate with the patient and document this on the form. All confidential communication requests that are approved must be entered into the appropriate databases and hospital ancillary systems.

5. If a confidential communication request cannot be reasonably accommodated, the Privacy Officer will contact the patient to explain why and document this on the form.

6. Workforce members should always determine whether a confidential communication request has been approved prior to any communication to that person’s home.

7. If there is a question about implementation, the Privacy Officer can be contacted for guidance.

Reviewed 6/28/06

Contract Management and Business Associate Contracts Policy

PURPOSE

Summa Hospitals collects and maintains protected health information about our patients. The federal HIPAA regulations on patient privacy and confidentiality limit how that information can be used by and disclosed to outside persons and entities that provide services for us. In order to protect the privacy and confidentiality of our patients' protected health information and to comply with state and federal law, all workforce members of Summa Hospitals are required to comply with the provisions of this policy.

DEFINITIONS

Contract. An agreement between any part of Summa Health System Hospitals and some other person or business to do a particular thing or things. Although many contracts are written agreements, a spoken or oral agreement is still a contract.

Protected Health Information (PHI) includes information about persons living or deceased that:

1. Is created or received by Summa Health System Hospitals;

2. Relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or the past, present, or future payment for the provision of health care to a patient; and

3. Identifies the patient or provides a reasonable basis to believe that it can be used to identify the patient.

The following components of a patient's information also are considered protected health information:

• names;

• street address, city, county, precinct, zip code;

• dates directly related to a patient, including birth date, admission date, discharge date, and date of death;

• telephone numbers, fax numbers, and electronic mail addresses;

• Social Security numbers;

• medical record numbers;

• health plan beneficiary numbers;

• account numbers;

• certificate/license numbers;

• vehicle identifiers and serial numbers, including license plate numbers;

• device identifiers and serial numbers;

• Web Universal Resource Locators (URLs);

• biometric identifiers, including finger and voice prints;

• full face photographic images and any comparable images; and

• any other unique identifying number, characteristic, or code.

Business Associate. A person who or business that:

1. Is not a member of the workforce of Summa Health System Hospitals;

2. Uses or discloses protected health information that is received from Summa Health System Hospitals for more than just treatment purposes; and

3. Performs a function or activity on behalf of Summa Health System Hospitals or provides a service to or for Summa Health System Hospitals.

Note: Any person or business that receives protected health information only for treatment purposes is not a business associate.

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals’ premises and who perform a substantial proportion of their activities at that location.

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of protected health information to persons who are neither members of Summa Hospitals’ workforce nor working within Summa Hospitals.

Use. The sharing, employment, application, utilization, examination, or analysis of protected health information by any member of Summa Hospitals’ workforce or others working within Summa Hospitals.

PROCEDURE

Responsibilities of Non-Manager Workforce Members. Workforce members who are not managers are not permitted to enter into any written or oral agreements on behalf of Summa Health System Hospitals. All existing or proposed written or oral agreements must be reported to the appropriate manager.

Responsibilities of Managers. Prior to entering into, renewing, extending, or amending any written or oral contract or relationship with any person or entity for activities or services to be performed to, for, or on behalf of Summa Health System Hospitals, managers must assume the following responsibilities:

1. To know which contracts, written or oral, are maintained by their departments and to provide a list of these contracts to the Legal Services Department.

2. To ensure that any new or existing contracts, written or oral, are reported to managers by employees.

3. To use the business associate relationship algorithm, listed below, to assess whether a business associate relationship exists, for every written or oral contract.

4. Send all new contracts to the Legal Department.

Business Associate Relationship Algorithm. Complete the attached flowchart version of the business associate relationship algorithm. If you are uncertain about an answer in the algorithm, you are responsible for seeking further information about the proposed contract by contacting the other party to the proposed contract, another manager, your supervisor, or the Legal Services Department.

You may not release or disclose any protected health information to a business associate providing any activities or services that are not treatment, unless such release or disclosure is consistent with the terms of the contract with that person or entity. If you are unsure whether the release or disclosure includes patient specific information or information in a patient's record or whether the release or disclosure is consistent with the terms of the contract, contact the Legal Services Department before making such release or disclosure.

Revised 6/28/06


Disclosures to Family and Friends Involved With a Patient

PURPOSE

Summa Hospitals often finds it necessary, or in the best interest of a patient’s care, to disclose certain personal protected health information to family, friends, or others who may be involved with the care provided to or payment for a patient. The federal HIPAA regulations on patient privacy and confidentiality set forth conditions for sharing personal protected health information with a patient’s family, friends, or others so involved. In order to protect the privacy of our patients' personal protected health information and to comply with federal and state law, this policy applies to all members of Summa Hospitals’ workforce.

POLICY

Each inpatient and outpatient of Summa Hospitals must be advised at the time of registration and at any other time during the course of treatment, as necessary, that Summa Hospitals may be asked to share or need to share certain personal protected health information with the patient’s family, friends, or others involved with the care of or payment for the patient during the course of the patient’s treatment. Workforce members must obtain the patient’s oral approval of this practice unless one of the exceptions listed below in the Procedure applies. The patient’s approval or disapproval should be documented in the medical record and should specify who among those involved in the care of the patient or in the payment of the patient’s care may receive what information. Such persons involved in care and other contact persons might include, but are not limited, to blood relatives, spouses, roommates, boyfriends and girlfriends, domestic partners, neighbors, and colleagues.

PROCEDURE

1. If the patient is present or otherwise available prior to a disclosure of information and is capable of making decisions, then a clinical care provider must:

• Obtain the patient's agreement; or

• Provide the patient with the opportunity to object to the disclosure; or

• Reasonably infer from the circumstances that the patient does not object to the disclosure (e.g. when patients ask to have a spouse or friend present in the examination room).

On occasions where the clinical care provider reasonably suspects that the patient would speak more freely if outside the presence of family or friends, the clinical care provider should privately ask the patient whether the patient would like to be separated from family and friends.


2. If the patient is not present or the opportunity to agree or object to a use or disclosure cannot feasibly be provided due to the patient's incapacity or emergency circumstance, then the patient’s nurse must:

• Determine whether the disclosure is in the best interests of the patient and, if so, disclose only the information that is directly relevant to that person's involvement with the patient's health care or related payment. Examples of acceptable disclosures when the patient is not present or capable of agreeing to the disclosures include: informing the person who accompanies the patient to the emergency room that the patient has suffered a heart attack and providing updates on the patient's progress and prognosis; disclosing functional information to persons assisting in a patient's care (for example, providing information about a patient's mobility limitations to a friend driving the patient home from the hospital); and using professional judgment and experience to make reasonable inferences of the patient's best interest in allowing a person to act on a patient's behalf to pick up prescriptions, medical supplies, X-rays, etc.

3. Verification of Identity of Family and Friends. It is not necessary to verify the identity of an individual involved in the patient’s care. However, where workforce members suspect that someone is not who he/she claims to be, they should verify this person’s identity and relationship to the patient. The patient's act of involving other persons in his/her care or payment will generally suffice as verification of their identity. For example, the fact that a person brings a family member into the doctor's office when treatment information will be discussed constitutes verification of the involved person's identity. Likewise, the fact that a friend arrives at a pharmacy and asks to pick up a specified prescription for a patient effectively verifies that the friend is involved.

4. Documentation of Disclosures To Family and Friends. Summa Hospitals is not required to document such disclosures or list them in any accounting requested by the patient.

5. Scope Of Disclosure. Merely because the patient allowed us to disclose information to a particular person in the past does not imply agreement to disclose personal protected health information to that same person indefinitely in the future. Workforce members involved in disclosing personal protected health information in accordance with this policy should exercise professional judgment in determining the scope of the person's involvement in the patient's care or payment and the time period for which the patient is agreeing to the other person's involvement. For example, if a friend simply picks up a patient from the hospital but has played no other role in the patient's care, workforce members should not call the friend to disclose lab test results a month after the initial encounter with the friend. However, if a patient routinely brings a spouse into the doctor's office when treatment is discussed, you may infer that the spouse is playing a long-term role in the patient's care and may discuss personal protected health information with the spouse consistent with his or her role in the patient's care (for example, discussion of treatment options).

6. Suspicion That The Person Seeking Information May Have Abused The Patient. If workforce members suspect that an incapacitated patient is a victim of abuse or domestic violence and that a person seeking information about the patient may have abused the patient, then workforce members should not disclose information to the suspected abuser if there is reason to believe that such a disclosure could cause the patient harm.

7. Personal Protected Health Information Disclosures Limited By Applicable State Law. In accordance with Ohio law:

• Do not tell any family member, friend, or other person that the patient has taken an HIV test, the results of the test, or that the patient has been diagnosed with AIDS, unless the patient has completed an authorization form for this release, or the Legal Services Department has authorized this release.

8. Facility Directory. Nothing in this policy is intended to prevent the disclosure of patient information in our facility directory to a person who requests directory information about a patient by name, assuming the patient has neither objected to being listed nor restricted the use of that information.

9. Psychotherapy Notes. Information involving psychotherapy notes will not be released or disclosed to family members or friends under this policy without specific patient authorization.

Reviewed 6/28/06


Floppy Diskette, CD's and Other Portable Media Storage/Disposal Policy

PURPOSE To define standards and requirements for the use, control and disposal of media to ensure the security of data at Summa Hospitals.

APPLICABILITY Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

DEFINITIONS

This policy covers computer data storage media such as floppy diskettes, CD's, zip drives, zip disks, DVD's, and any other portable electronic storage media.

POLICY

Storage/Use:

• Media must be kept in a secure location when not in use, e.g. a locked drawer, locked cabinet, secured office, or lockable container.

• After use of media, it must be returned to a secure location.

• Removal of Summa owned, leased, or licensed media from Summa Hospitals’ property is prohibited except when authorized by management.

• When media are removed from the premises, the media must be under the care and control of the workforce member and must be returned to Summa as soon as is practical.


Disposal:

• MEDIA DEFINED IN THIS POLICY SHOULD NEVER BE THROWN IN THE TRASH.

• If the media are needed for reuse, you may reformat to erase the data and reuse the media.

• If the media are no longer needed for reuse, they should be sent to the IT&S Data Center at ACH for disposal with the interoffice envelope labeled “IT&S Data Center Disposal, ACH”. IT&S will complete the erasing of data and disposal of the media.

Sanctions: Reports are to be provided to departmental management on violations in accordance with the Information Security Policy. Disciplinary action for workforce members who violate Summa Hospitals policies on media control is possible, up to and including termination.

Revised 10/9/2006


Procedures for Fundraising Activities

Summa Hospitals collects and maintains a great deal of personal health information about our patients. The federal HIPAA regulations on patient privacy and confidentiality limit how this information may be used and disclosed during our fundraising activities. All persons involved with fundraising for or on behalf of Summa Hospital are required to comply with the provisions of this policy.

DEFINITIONS

Fundraising includes any appeal for money or other donations, sponsorship of events, etc. that is undertaken for the benefit of Summa Hospitals.

Institutionally related foundation is a foundation that qualifies as a nonprofit charitable foundation under sec. 501(c)(3) of the Internal Revenue Code and that has in its charter statement of charitable purposes an explicit linkage to Summa Hospitals.

PROCEDURE

Uses of Information. In preparing fundraising materials and mailing lists for our own fundraising, you may only use the following information regarding current or past patients:

• Demographic information about the patient, including name, address and other contact information, age, gender, and insurance status.

• Dates of health care provided to a patient.

You may not use any information about the patient's illness or treatment.

Disclosures of Information. Information regarding current or former patients for our own fundraising purposes may only be disclosed to a business associate of Summa Hospitals or to Summa Health System Hospitals Foundation, and only the following information may be disclosed:

• Demographic information about the patient, including name, address and other contact information, age, gender, and insurance status.

• Dates of health care provided to a patient.

You may not disclose any information about the patient's illness or treatment.


Contents of Fundraising Materials. All fundraising materials sent to or in relation to any current or past patient of Summa Hospitals must include within the material the following information:

You have the right to request that we not send you any future fundraising materials and we will use our best efforts to honor such request. You may make the request by sending your name and address to the Summa Health System Hospitals Privacy Officer at P.O. Box 2090, Akron, OH 44309-2090 or to the Cuyahoga Falls General Hospital Privacy Officer at 1900 23rd Street, Cuyahoga Falls, OH 44223, together with your request to be removed from our fundraising mailing lists.

If a recipient of the fundraising materials returns the opt-out notice, future fundraising materials may not be sent to that person.

Other Uses and Disclosures for Fundraising. Any other use or disclosure not expressly authorized in this policy for fundraising on our own or a third party's behalf must be expressly and specifically authorized by the patient whose information is being used or disclosed. An authorization form approved by Summa Hospitals must be used.

Revised 6/28/06


Information Access/Control Policy

Objective: To define standards and requirements for access to electronic applications that contain ePHI.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals’ premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy and security policies apply to all members of the Summa Health System and Cuyahoga Falls medical staff while performing clinical, administrative or educational duties at or on behalf of Summa Health System and Cuyahoga Falls General Hospitals.

DEFINITIONS

Electronic Protected Health Information (ePHI) is the electronic form of PHI as defined in the Summa Workforce General Obligations Regarding Uses and Disclosures for Protected Health Information Policy.

Electronic Applications – refer to any electronic applications or databases that contain PHI or facilitate access to applications with PHI. Examples include but are not limited to:

Applications: Laboratory Information Systems, Radiology Information Systems, Clinical Information Systems, Television access systems, etc.

Databases: Individual databases on PC’s or servers in Excel or Access or other database applications

Business Associate - A person or business that: 1) Is not a member of the workforce of Summa Hospitals; 2) Uses or discloses protected health information that is received from Summa Hospitals for more than just treatment purposes; 3) Performs a function or activity on behalf of Summa Hospitals or provides a service to or for Summa Hospitals.

Note: Any person or business that receives protected health information only for treatment purposes is not a business associate.


POLICY

Summa Hospitals has established these standards that apply to security for all electronic applications containing patient data of any type. A security administrator or manager must be identified for each application. An application-specific policy that addresses each standard must be developed and maintained. Unique login names, passwords, and the capability of tracking activity are required once the HIPAA Security Standards deadline date is met.

A. General requirement: Applications used primarily by one department must develop a policy for that application that addresses each standard in this policy. Department management is responsible for identification of a security manager or administrator for each application, and for development and maintenance of the policy. Any manager requesting software must ensure it meets HIPAA compliance. IT&S is responsible for developing a policy and identifying a security manager or administrators for applications used by multiple departments.

B. Application Security Administrator/Manager Responsibilities: An application security administrator and a backup individual or method are to be identified for each application. Application security administrators’ responsibilities include the following minimum standards: control of user account creation, deletion, and modification; controlling password creation and password change processes; monitoring access to the application and data; and reporting on user account status.

ELECTRONIC APPLICATION STANDARDS:

A. Access Control: Access to applications containing patient information is restricted to those who have a genuine need to know in order to perform their job functions. Each application must define procedures for:

1. Authorizing Access: An application for access must involve a manager’s written approval or review with the following considerations:

• Prospective data users will not get access unless they have a need for access.

• Prospective data users will get only the minimum access necessary to perform duties requiring such access within the capabilities of the specific application.

• Health care providers should have access only to data of patients that they have patient responsibility for, with an ability to access other patients’ data as the need arises.

• Access should be limited to the tasks necessary to perform job duties.

• Access and levels of access for employees should be reviewed periodically by a manager to ensure that the access is still appropriate.


2. Applying for Access: Department directors or managers will submit names of personnel needing access with recommended levels of access. Application for access must be in written form and approved by management. The System Administrator must have a procedure to include:

• Assigning the user a unique user identification.

• Assigning the user an initial password.

• Establishing a protocol for users to change passwords.

• All workforce members are required to sign an Information Security Agreement before access is granted regarding use of passwords that prohibits them from:

   1. Writing down or storing the password in an unsecured location.
   2. Disclosing the password to another person or entity other than to their manager.
   3. Transmitting the password online, particularly by email.
   4. Any other practice that would put the availability, accuracy, or confidentiality of Summa’s data, media, or equipment at risk.
   5. Sharing computer passwords with anyone by permitting others to use the computer on your log-on.

• Training the user on access, password protection and any aspects of system use to protect PHI.

3. Modification of Access: Department Directors or Managers may determine that an individual or a group of individuals need more, less, or otherwise changed access because of a change in duties or a change in status. When the department management makes such a determination, a request in writing must be submitted to the system administrator to change the current level of access to another level of access.

4. Access Review and Audit: Managers are responsible for notifying IT&S of an employee’s termination date and time as soon as notice is received from the employee. The System Administrators will be notified by IT&S of an employee’s termination date and time. System Administrators must have a process in place for removing access on a timely basis. System administrators or their backup must review either departmental staffing lists or Summa’s reports for terminations to make certain that appropriate changes to access are completed.

5. Maintaining Records of such changes: Applications for access or changes to access must be maintained for up to six years beyond the termination of access.

B. Access Policies: Each System administrator is responsible for documenting access procedures and policies and maintaining those policies and procedures.


Workforce Members: Workforce members are responsible for reading and signing the Information Security Agreement and following all Summa Information Access policies.

Physician Office Staff: Office staff employed by physicians are required to follow Summa Health System policies when working with PHI supplied by Summa Health System. Information Security Agreements are required for all offices accessing Summa patient information.

C. Sanctions for policy violations. Reports are to be provided to departmental management on access violations. Disciplinary action for workforce members who violate Summa Health System policies on patient information is possible, up to and including termination. Violations by medical staff will be addressed by the Medical Staff Bylaws.

D. Login Names. Users of each application must be assigned a unique login name to be used to access the application. Recommended login standards are as follows:

a. 1. Network login name, or
   2. Employee or physician number, prefixed with a code indicating category. For volunteers, use the 6-digit ID Badge number.

b. If the employee or physician number scheme is used, the following is recommended:
   1. Prefixes: P = physician, E = employee, T = temporary
   2. Temporary employees who do not have an employee number will use the prefix “T” followed by the name of their assigned department and a two-character sequentially assigned number, e.g. TDIET01. Each number must correspond to a unique user; the list is to be maintained by the System Administrator.

c. Temporary login accounts should be set to be disabled automatically, or expire in 90 days or less, or at the end of the temporary employee’s contract period if less than 90 days. If automatic action is not available, System Administrators should review temporary accounts on a routine basis.
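The login-name standard in section D and the temporary-account expiry rule in D.c are concrete enough to implement. The following Python module is an added example, not Summa Hospitals’ own code: the P/E/T prefixes, the TDIET01 pattern, the 6-digit volunteer badge number and the 90-day limit come from the policy text; the LoginRegistry class, its method names and the department abbreviation handling are assumptions made for illustration.

```python
"""Login-name assignment and temporary-account expiry per section D (added example).

Assumed names: LoginRegistry, Account, temporary_expiry. The prefixes, the
T+department+NN pattern and the 90-day limit come from the policy text.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_TEMP_DAYS = 90  # section D.c: temporary accounts expire in 90 days or less

# Section D.b.1 prefixes. Volunteers use the bare 6-digit badge number (D.a.2).
PREFIXES = {"physician": "P", "employee": "E", "temporary": "T"}


@dataclass
class Account:
    login: str
    category: str             # physician, employee, temporary or volunteer
    created: date
    expires: Optional[date]   # only temporary accounts carry an expiry (D.c)
    disabled: bool = False


def temporary_expiry(created: date, contract_end: Optional[date] = None) -> date:
    """Section D.c: expire after 90 days, or at the contract end if that is sooner."""
    limit = created + timedelta(days=MAX_TEMP_DAYS)
    if contract_end is not None and contract_end < limit:
        return contract_end
    return limit


class LoginRegistry:
    """The unique-login list that section D.b.2 assigns to the System Administrator."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self._temp_sequence: Dict[str, int] = {}  # department -> last sequence issued

    def _register(self, acct: Account) -> Account:
        # Each login must correspond to exactly one user.
        if acct.login in self.accounts:
            raise ValueError(f"login {acct.login!r} is already assigned")
        self.accounts[acct.login] = acct
        return acct

    def add_numbered(self, category: str, number: str, created: date) -> Account:
        """D.a.2 / D.b.1: employee or physician number prefixed with the category code."""
        if category not in PREFIXES:
            raise ValueError(f"unknown category {category!r}")
        if not number.isdigit():
            raise ValueError("employee/physician number must be numeric")
        expires = temporary_expiry(created) if category == "temporary" else None
        return self._register(Account(PREFIXES[category] + number, category, created, expires))

    def add_volunteer(self, badge: str, created: date) -> Account:
        """D.a.2: volunteers use the 6-digit ID badge number as the login."""
        if not (badge.isdigit() and len(badge) == 6):
            raise ValueError("volunteer badge number must be exactly 6 digits")
        return self._register(Account(badge, "volunteer", created, None))

    def add_temporary_without_number(self, department: str, created: date,
                                     contract_end: Optional[date] = None) -> Account:
        """D.b.2: 'T' + department name + two-character sequence, e.g. TDIET01."""
        dept = department.strip().upper()
        seq = self._temp_sequence.get(dept, 0) + 1
        if seq > 99:
            raise ValueError(f"two-character sequence exhausted for {dept}")
        self._temp_sequence[dept] = seq
        expires = temporary_expiry(created, contract_end)
        return self._register(Account(f"T{dept}{seq:02d}", "temporary", created, expires))

    def expired_temporaries(self, today: date) -> List[str]:
        """D.c fallback: routine review for systems that cannot disable accounts automatically."""
        return sorted(a.login for a in self.accounts.values()
                      if a.category == "temporary" and not a.disabled
                      and a.expires is not None and a.expires <= today)


if __name__ == "__main__":
    reg = LoginRegistry()
    reg.add_numbered("physician", "12345", date(2006, 10, 1))
    reg.add_temporary_without_number("Diet", date(2006, 10, 1), contract_end=date(2006, 11, 15))
    reg.add_temporary_without_number("Diet", date(2006, 10, 1))
    for a in reg.accounts.values():
        print(a.login, a.category, a.expires)
    print("expired by 2006-12-30:", reg.expired_temporaries(date(2006, 12, 30)))
```

The registry refuses a duplicate login, caps the per-department sequence at 99 (the two-character limit in D.b.2), and exposes `expired_temporaries` for the manual review D.c requires where the application cannot disable accounts on its own.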

E. Passwords. Each user should have the ability to choose their own password, based on the good password selection criteria listed below. All facets of password creation and changes require positive identification of the user involved before any changes are made. Unless positive identification of an individual is accomplished, no actions are to be taken. The following are the preferences for establishing identity: known personally to administrator; in person with Summa ID; through supervisor/manager known personally. Telephone requests must have confirmation of identity before changing passwords. Passwords should not be communicated via voicemail or email. Off-hours password changes should be addressed in each application policy.

a. Initial selection. Security administrators should discuss password selection in person or via telephone with the user.

b. Changes. User should be able to change password in the system if that feature is possible for the application. If not, users should be able to quickly request and select a new password. Timeframes should be set on systems and documented in procedures, for passwords to expire forcing the user to periodically change the password.

c. Forgotten password. Confirmation of identity is required before changes are authorized to be made.

d. Locking account. If application feature is available to lock accounts after a certain number of unsuccessful login attempts, this feature must be enabled. The recommended number of unsuccessful logins to lock accounts is three.

e. Password security. Selection of good passwords is critical. Passwords should not be common words, names, birth dates, etc.

F. Internal Audit/Tracking: If tracking of login, logout, and information accessed is available in an application, these features must be enabled. Access logs and files should be kept for as long a period of time as is feasible for each application, up to a maximum of 6 years. Each application security administrator must develop monitoring and log review procedures that are sufficient to ensure that only authorized users are accessing information appropriate for their job function. This includes removing access for any user that no longer should have access privileges. Security administrators are responsible for reviewing logs and taking appropriate action when policy violations are identified. Audits of access may be conducted by the Information Security Officer or as needed by the appropriate Summa authority. Information that must be available for audits includes written documentation of access authorization/modifications with approvals, and details on access log reviews and action taken for inappropriate access violations.
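Section F asks each application security administrator for a log review procedure that confirms only authorized users reach data appropriate to their role, section A.4 asks for timely removal after termination, and E.d recommends lockout after three failed logins. The following Python script is an added example of such a review, not code from Summa Hospitals or any of its applications: the log line format, the roster of written approvals, the finding codes and the sample entries are all constructed for illustration, and the 6-year retention cut-off and the threshold of 3 are taken from the policy text.

```python
"""Access-log review against access-authorization records (added example, sections
A.1, A.4, E.d and F). Log format, roster and finding codes are constructed."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample application log: one event per line, "<date> <time> <EVENT> key=value ...".
SAMPLE_LOG = """\
2006-10-12 08:15:03 LOGIN user=E10234 app=LIS
2006-10-12 08:16:40 ACCESS user=E10234 app=LIS patient=MRN-0001
2006-10-12 08:20:11 ACCESS user=E10234 app=LIS patient=MRN-0009
2006-10-12 09:02:55 LOGIN_FAILED user=P00777 app=LIS
2006-10-12 09:03:08 LOGIN_FAILED user=P00777 app=LIS
2006-10-12 09:03:30 LOGIN_FAILED user=P00777 app=LIS
2006-10-12 09:04:02 LOGIN user=P00777 app=LIS
2006-10-12 13:45:00 ACCESS user=E55555 app=LIS patient=MRN-0003
2006-10-12 14:10:00 ACCESS user=TDIET01 app=LIS patient=MRN-0002
2006-10-12 17:30:00 LOGOUT user=E10234 app=LIS
"""

# Constructed access-authorization records (the written approvals of section A.2).
# "patients": patients the provider is responsible for (A.1); "terminated": the
# date/time management reported under A.4, or None while still employed.
ROSTER: Dict[str, dict] = {
    "E10234": {"terminated": None, "patients": {"MRN-0001", "MRN-0002"}},
    "P00777": {"terminated": None, "patients": {"MRN-0003"}},
    "E55555": {"terminated": datetime(2006, 10, 1, 17, 0), "patients": {"MRN-0003"}},
}

LOCKOUT_THRESHOLD = 3   # section E.d: recommended unsuccessful logins before lockout
RETENTION_YEARS = 6     # section F: keep access logs up to a maximum of 6 years

# Constructed finding codes, each with the follow-up the policy calls for.
FINDINGS = {
    "UNKNOWN_USER": "login not on the access-authorization list: confirm approval or remove",
    "AFTER_TERMINATION": "activity after reported termination: remove access (A.4)",
    "LOCKOUT_THRESHOLD": "reached the unsuccessful-login threshold: confirm lockout is enabled (E.d)",
    "LOGIN_AFTER_THRESHOLD": "successful login after the threshold: lockout not enforced (E.d)",
    "OUTSIDE_ASSIGNMENT": "patient outside the provider's assignment: verify the need arose (A.1)",
}


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a record with a datetime and key=value fields."""
    parts = line.split()
    rec = {"ts": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S"),
           "event": parts[2]}
    rec.update(kv.split("=", 1) for kv in parts[3:])
    return rec


def review_access_log(log_text: str, roster: Dict[str, dict],
                      threshold: int = LOCKOUT_THRESHOLD) -> List[Tuple[str, str]]:
    """Return sorted (login, finding_code) pairs for the security administrator's review."""
    findings: Set[Tuple[str, str]] = set()
    failed_streak: Dict[str, int] = defaultdict(int)   # consecutive failures per login
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event = rec["user"], rec["event"]
        entry = roster.get(user)
        if entry is None:
            findings.add((user, "UNKNOWN_USER"))
        elif (entry["terminated"] is not None and rec["ts"] > entry["terminated"]
              and event in ("LOGIN", "ACCESS")):
            findings.add((user, "AFTER_TERMINATION"))
        if event == "LOGIN_FAILED":
            failed_streak[user] += 1
            if failed_streak[user] == threshold:
                findings.add((user, "LOCKOUT_THRESHOLD"))
        elif event == "LOGIN":
            if failed_streak[user] >= threshold:
                findings.add((user, "LOGIN_AFTER_THRESHOLD"))
            failed_streak[user] = 0
        if (event == "ACCESS" and entry is not None and entry["patients"] is not None
                and rec.get("patient") not in entry["patients"]):
            findings.add((user, "OUTSIDE_ASSIGNMENT"))
    return sorted(findings)


def retention_cutoff(today: datetime) -> datetime:
    """Entries older than RETENTION_YEARS before 'today' fall outside the policy maximum."""
    try:
        return today.replace(year=today.year - RETENTION_YEARS)
    except ValueError:   # 29 February with no counterpart six years earlier
        return today.replace(year=today.year - RETENTION_YEARS, day=28)


def within_retention(log_text: str, today: datetime) -> List[str]:
    """Keep only the lines still inside the six-year maximum of section F."""
    cutoff = retention_cutoff(today)
    return [l for l in log_text.splitlines() if l.strip() and parse_line(l)["ts"] >= cutoff]


if __name__ == "__main__":
    for login, code in review_access_log(SAMPLE_LOG, ROSTER):
        print(f"{login:8} {code:22} {FINDINGS[code]}")
```

On the sample log the review flags the terminated employee still reading a record, a login not on the approval list, the physician whose three failures were followed by a successful login (so lockout was evidently not enforced), and a provider viewing a patient outside the assignment, which the policy treats as a review item rather than an automatic violation because access to other patients is allowed "as the need arises".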

G. Remote access: If remote access to the application is permitted, application policy and procedures must provide details on remote access, including vendor dial-in and remote control applications. Additional security is required for all remote access, approved by IT management. Multiple levels of passwords and strong authentication are required.


Automatic Logoff for Inactivity: All systems that have an automatic logoff feature for periods of inactivity must enable that feature and document the time limit within their Information Access/Control Policy.

Sanctions: Reports are to be provided to departmental management on violations in accordance with the Information Security Policy. Disciplinary action for workforce members who violate Summa Health System policies on Information Physical Security is possible, up to and including termination. Violations by medical staff will be addressed through the Medical Staff Bylaws.

Revised: 08/15/2006


Information Internal Audit Policy

Objective: To define standards and requirements for the auditing of information security and security processes at Summa Hospitals.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy and security policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

DEFINITIONS

Electronic Protected Health Information (ePHI) is the electronic form of PHI as defined in the Summa Workforce General Obligations Regarding Uses and Disclosures for Protected Health Information Policy.

POLICY

Demonstrated competence in the security and privacy policies of Summa Health Hospitals is an important part of every workforce member’s responsibility.

Management must be responsible for enforcing the security and privacy policies of Summa Health Hospitals.

General Audit Requirements: There will be periodic, unannounced audits of the Summa Hospitals. The Information Security Officer, along with the Privacy Officer, will determine the exact locations of the audits prior to the commencement of the audit. The Information Security Officer will be responsible for notifying the Director of General Services as to the date(s) of the audit as well as the name of the person(s) who will be conducting the audit. The Director of General Services is not to notify any member of his/her staff of the audit, as their staff’s performance may be part of the audit scenario. The persons performing the audit will not have visible Summa Health System ID badges, to simulate a security breach and test staff response to a potential security breach. The persons performing the audit will follow only the audit scenarios and will attempt to complete the audit as documented and also note other deficiencies that they observe. The auditor is to follow the intent of the scenarios without compromising patient care. Only the Summa Hospitals’ audit scenarios may be used.

The auditor will have a letter listing the auditor’s name, dates of the audit, and explaining the audit purposes, signed by the Information Security Officer, the Privacy Officer and the Director of General Services. The letter is to be shown only in the event that the auditor feels a serious situation is developing as a result of performing the audit.

The audits are designed to test the following:

• Access to PHI by a non-workforce member

• Password protection by workforce members

• Security of equipment

Results of Audits: All results are to be documented on the audit form. The results of the audits will be reported in writing to workforce members’ managers and the Privacy Officer. Managers are expected to commend workforce members who demonstrate positive security and privacy behaviors. Managers are expected to take disciplinary actions for workforce members who demonstrate negative security and privacy behaviors and develop action plans to correct these problems. Follow-up emails will be sent to managers one month after the original emails for negative survey results. These emails will ask the managers for their action plans for resolving the negative results and the outcomes of the action plans. Results of audits are to be kept and used to determine if a particular problem is developing. Trends would be reported to the appropriate Compliance Committee, Privacy Officer and Senior Management to assist in determining a house-wide solution.

System Audit Requirements: The Information Security Officer or designee will conduct periodic, unannounced audits of systems. The audit will be conducted with the System Administrator and/or Data Owner. The audit will be documented and the documentation kept for at least six years. The audit will include reviewing written documentation of procedures for:

• Information Access/Control

• Downtime – actual downtimes and testing of downtime procedures

• Backup

• Upgrades or Revisions


The results of the audit will be shared with IT management, the appropriate Compliance Committee, and the Senior Management of the areas being audited. Data Owners and Senior Managers are expected to commend System Administrators who demonstrate a high degree of compliance to security and privacy policies. Data Owners and Senior Managers are expected to take steps to remedy any deficiencies in the Security and Privacy Policies for their systems.

Sanctions: Reports are to be provided to departmental management on violations in accordance with the Information Security Policy. Disciplinary action for workforce members who violate Summa Hospitals’ policies on Information Internal Audit is possible, up to and including termination. Violations by medical staff will be addressed through the Medical Staff Bylaws.

Revised 10/9/06


Information Physical Security Policy

Objective: To comply with the HIPAA regulations to protect the confidentiality and integrity of electronic Protected Health Information by limiting the physical access to health information and the systems where such information resides.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy and security policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

DEFINITIONS

Data Center will be defined as the specific location on any Summa Hospitals campus housing the main computer equipment and servers for Summa Hospitals.

Data Owners are management-level persons who ensure the accountability for the accuracy, integrity, and appropriate use of data contained within their database.

Closets will refer to only those wiring and equipment closets that contain computer wiring and equipment critical to the computer systems at Summa Hospitals.

Offices with Servers will be defined as those areas that contain a computer server for a system that contains ePHI. These are servers that are not kept in the Data Center.

Offices will be defined as those areas that contain personal computers with access to ePHI, but not servers for software.

Open Areas will be defined as those areas that contain computer equipment with ePHI, but are not enclosed in “office-like” walls. Examples of open areas are nursing units, the Information Desk, and cubicles in an office area.

POLICY

• This policy supplements the facility’s overall Information Security Policy and any department policies on physical access to ePHI that are intended to protect the physical security of health information.


• All Workforce members who have access to health information must read, understand, and comply with this policy.

• Access to the IT&S Data Center will be limited to personnel who require access for the normal performance of their duties. Workforce members will follow the Data Center Access and Security Policy. The Data Center will be securely locked at all times, with intrusion alarms activated. Security cameras will monitor the entrances to deter/detect unauthorized entry.

• Whenever practicable, the computer servers for systems will be kept in the Data Center.

• Access to Wiring Closets, will be limited to personnel who require access for the normal performance of their duties. Closets will be securely locked when unattended.

• Offices with Servers must be locked when the department is unattended. Access to Offices with Servers should be limited to those who require access for the normal performance of their duties.

• Offices: personal computers with network logins should be locked when unattended. Lockdown PCs must have all applications closed when no one is using the PC.

• Open Areas: PCs should only be accessed by workforce members who display a Summa Health System ID Badge or require access for the normal performance of their duties. Workforce members must challenge any person attempting to access a computer if that person does not have a Summa Hospitals ID Badge or does not normally utilize that computer in the performance of their duties.

• Data Owners are responsible for electrical power protection devices to suppress surges, reduce static, and provide backup power for the servers in the event of a power failure.

• Equipment containing ePHI removed from a Summa Hospitals facility must be removed only in accordance with the Computers Hardware, Software and Use Policy; Uses and Disclosures of Protected Health Information In the Workplace; and the Floppy Diskette, CD's, and Other Portable Media Storage/Disposal Policy.

Sanctions: Reports are to be provided to departmental management on violations in accordance with the Information Security Policy. Disciplinary action for workforce members who violate Summa Hospitals policies on Information Physical Security is possible, up to and including termination. Violations by medical staff will be addressed through the Medical Staff Bylaws.

Revised 10/9/06


Information Risk Analysis and Management

Objective: To provide guidelines for conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (EPHI), and to implement security measures sufficient to reduce the risks to an appropriate level.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy and security policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

DEFINITIONS

Electronic Protected Health Information (EPHI) is defined in the Summa Workforce General Obligations Regarding Uses and Disclosures for Protected Health Information Policy.

System Administrators are persons designated to control access to a particular database or information base.

Data Owners are management level persons who ensure the accountability for the accuracy, integrity, and appropriate use of data contained within their database.

POLICY

Listing of Systems with ePHI

The Information Security Officer will periodically poll managers for directories, databases, and software that contain ePHI and whether they have a process in place to protect the ePHI.

Data Criticality Analysis: The next step in performing a risk analysis is to identify and rank all systems according to their importance to the continuity of patient care and to the operation of the hospital.

Data owners are responsible for ensuring that their systems are ranked according to the Data Criticality Analysis Matrix. Data owners are responsible for ensuring that new systems are ranked prior to going live. The ranking should be sent to the Information Security Officer and the Director of Network and Technical Support. If the Data Owner feels any ranking has changed or is incorrect, they may request a re-ranking of their system. The IT&S Administrative Director and the CIO reserve the right to review and modify rankings and to notify the Data Owners of any changes to ranking. The Director of Network and Technical Support is responsible for ensuring that a listing of the databases and their criticality ranking is kept accessible to staff who must work through restoring systems during any disaster.

RISK ANALYSIS

Periodic risk analysis will be conducted on the critical systems to identify changing threats and vulnerabilities. The following items will be considered:

• Nature of information and/or system

• Business purpose

• Physical environment

• Existing protections

• Impact of a security breach

• Likelihood of a breach occurring

The Information Security Officer will complete a risk analysis every three years. Assistance by System Administrators, Data Owners, Management and the Privacy Officer is required. Results of each risk analysis will be documented and retained for a period of six years by the Information Security Officer.

RISK MANAGEMENT

Risk management practices shall include the following elements:

• Define “what” security needs to be accomplished

• Define “how” it needs to be accomplished

• Measure compliance

• Identify the system assets that are necessary to support the function of the hospital and prioritize them accordingly.

• Identify system impact, threats and vulnerabilities and rate them with a high-medium-low rating system.

• Evaluate and compare the security countermeasures available, the resources required to implement them, and the resources required to replace the system assets. Determine which countermeasures are reasonable to employ.

• Identify all federal and state security-related regulations and make certain that policies and procedures are in place to ensure compliance.

• Develop and implement appropriate detection methodologies based on risk.

Approved March, 2005 Revised 7/11/2006

Information Security Policy

Objective: To define standards and requirements for the organization, compliance, monitoring, response, awareness and training, and policy development for security of ePHI at Summa Hospitals.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy and security policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

DEFINITIONS

Electronic Protected Health Information (ePHI) is the electronic form of PHI as defined in the Summa Workforce General Obligations Regarding Uses and Disclosures for Protected Health Information Policy.

Violations are the misuse, unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, or theft of any Summa information or computer asset by users.

System Administrators are persons designated to control access to a particular data system or electronic database.

Data Owners are management level persons, or their designee, who ensure the accountability for the accuracy, integrity, and appropriate use of data contained within their database.

Business Associate. A person or business that:

1. Is not a member of the workforce of Summa Hospitals;

2. Uses or discloses protected health information that is received from Summa Hospitals for more than just treatment purposes;

3. Performs a function or activity on behalf of Summa Hospitals or provides a service to or for Summa Hospitals.

Note: Any person or business that receives protected health information only for treatment purposes is not a business associate.

POLICY

Organization of Security Responsibility: All workforce members are responsible for preserving the integrity, confidentiality, and security of information at Summa Hospitals. In addition, all workforce members are responsible for reading and complying with all security policies, including revisions to policies, located in the Compliance Plan. The Compliance Plan can be found on the Summa website at the following address: http://www.summahealth.org/common/templates/article.asp?ID=468 or on the Summa@Work website.

System Administrators are responsible for developing the policies and procedures for the security of a particular application or database, granting access in conjunction with data owners, modifying and/or terminating access to the application, and assisting in enforcing all security policies of Summa Hospitals. System Administrators are responsible for monitoring security compliance on their applications.

Data owners are responsible for ensuring that System Administrators are adequately protecting the security of the data. Data Owners ensure that data is used and accessed appropriately and that data is accessible on a timely basis.

The Director of Network and Technical Support is responsible for ensuring accountability for the accuracy, integrity, and appropriate use and security of the systems that support the Information Services infrastructure.

Summa has a designated Information Security Officer who is part of the Information Technology and Services Department. The Information Security Officer is responsible for assisting all System Administrators, Data Owners, and workforce members in developing policies to ensure the security of data at Summa Hospitals. The Information Security Officer works under the direction of the CIO and the Administrative Director of IT & S.
The Information Security Officer is responsible for developing and monitoring practices to ensure that Summa Hospitals’ health information is secure from unauthorized access, protected from inappropriate alteration, physically secure, and available to authorized users in a timely fashion. The Information Security Officer will monitor entity operations and systems for security compliance, report to management on the status of security compliance, and revise the security program as necessary to comply with changes in the law, regulations, professional ethics, and accreditation requirements. The Corporate Compliance Department is responsible for assisting in reviewing policies governing security and privacy.

The Chief Information Officer (CIO) is responsible for administrative direction and support of all activities and policies for ensuring the accountability, accuracy, integrity, appropriate use of, and security of data at Summa Hospitals.

COMPLIANCE

By committee, the CIO, Information Security Officer, designated System Administrators, and Data Owners are responsible for developing security policies and setting the standards for compliance with security policies. Corporate Compliance is responsible for assisting management in determining appropriate standards.

MONITORING

System Administrators and/or Data Owners will develop monitoring tools and documentation to meet regulatory needs, if applicable, and ensure security, integrity and accountability of data.

All Management is responsible for monitoring workforce members and responding to any non-compliance issues.

The Director of Network and Technical Support will be responsible for monitoring the systems that support the Summa Hospitals information infrastructure.

REPORTING

Workforce members who become aware of any security breach or non-compliance with security policies by a fellow workforce member or a business associate must promptly notify one of the following: their supervisor, the Compliance Hotline, or Summa Hospitals’ Information Security Officer. All incidents will be documented in the Security Incidents database.

DOCUMENTATION

All incidents will be reviewed, documented and investigated if warranted.

INVESTIGATION

When the Information Security Officer investigates a potential incident of security breach or non-compliance with security policies by a workforce member or business associate:

a. The Information Security Officer is responsible for an incident response plan that may include involvement of Legal Services, Risk Management Departments, Corporate Communications or all of the listed departments. The Information Security Officer will lead an ad hoc committee (Incident Response Team) at his/her discretion, to be comprised of the Information Security Officer, representatives of the Departments of Legal Services and Risk Management, and representation by other departments as deemed appropriate. If sanctions are deemed appropriate, Human Resources will be included in the response team.

b. The Information Security Officer is responsible for retaining all records of the investigation or of meetings and communications concerning the investigation and any evidence significant to the investigation for six years.

c. The Information Security Officer will document the findings and conclusions of every investigation undertaken and will retain such documentation.

The Information Security Officer must report investigative findings and conclusions to the appropriate Summa Hospitals committee, CIO, department management, or individual (e.g., report improper acts by a business associate to Legal Services).

CONTAINMENT

To limit the extent of any security breach the Information Security Officer may take additional action. These steps include, but are not limited to:

• Contacting an employee’s manager to discuss the security breach.

• After a consultation with an employee’s manager, requesting that a System Administrator deny access to a member of the workforce about whom the Information Security Officer has reasonable suspicions regarding a security breach, pending the resolution of the investigation and mitigation process.

• Informing the Corporate Communications Department about the purpose and progress of the investigation.

Workforce members shall work with the Information Security Officer to limit, to the extent practicable, any known harmful effect of a security breach.

CORRECTION

The Information Security Officer will coordinate the investigation to determine the causes of any security breach and plan to prevent any recurrence of this improper use or disclosure, including training of workforce members as appropriate.

AWARENESS AND TRAINING

Summa Hospitals requires all new employees to be trained regarding security policies and to sign an Information Security Agreement form.

Summa Hospitals provides annual training that includes security awareness and security policy review.

All Managers are expected to promote awareness to workforce members of security policies. Summa Hospitals will augment annual training on security policies with written security reminders to all staff from time to time.

POLICIES

Summa Hospitals has developed security policies that support the HIPAA requirements.

The security policies will be reviewed periodically to ensure that they are consistent with industry standards and government regulations as well as best practices for security.

All HIPAA policies are reviewed and approved by the Hospital Compliance Committees. Any draft policies or changes to existing policies will be submitted to the CIO for review and then to the Hospital Compliance Committees for approval.

SANCTIONS

Reports are to be provided to departmental management on violations in accordance with the Information Security Policy. Disciplinary action for workforce members who violate Summa Hospitals’ policies on Information Physical Security is possible, up to and including termination. Violations by medical staff will be addressed through the Medical Staff Bylaws.

Revised March, 2003, 07/11/2006

Limited Data Sets

PURPOSE

Summa Hospitals collects and maintains protected health information about our patients. The federal HIPAA regulations on patient privacy and confidentiality limit how that information may be used by and disclosed to outside persons and entities that provide services for us. Information that has been de-identified may be used or disclosed without regard to these limits. The HIPAA privacy regulations also allow for the use of patient information that has been partially de-identified, known as a limited data set. A limited data set contains fewer patient identifiers than protected health information, yet is not completely de-identified. In order to protect the privacy of patient information included in limited data sets and to comply with state and federal law, all workforce members of Summa Hospitals are required to comply with the provisions of this policy.

DEFINITION

Limited Data Set. Health information from which the following identifiers of the patient or of relatives, employers, or household members of the patient are removed:

• Names;

• Postal address information, other than town or city, State, and zip code;

• Telephone numbers;

• Fax numbers;

• Electronic mail addresses;

• Social security numbers;

• Medical record numbers;

• Health plan beneficiary numbers;

• Account numbers;

• Certificate/license numbers;

• Vehicle identifiers and serial numbers, including license plate numbers;

• Device identifiers and serial numbers;

• Web Universal Resource Locators (URLs);

• Internet Protocol (IP) address numbers;

• Biometric identifiers, including finger and voice prints; and

• Full face photographic images and any comparable images.

Note that a limited data set may include the following identifiable information:

• Admission, discharge, and service dates;

• Date of death;

• Age (including age 90 or over); and

• Five-digit zip code.
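As an added example that is not part of the policy text, the limited data set definition above expressed as a filter over a hypothetical patient record: the sixteen identifier categories are dropped, the permitted fields (city, state, five-digit zip code, admission/discharge/service/death dates, age) are kept, and any field that has not been classified is rejected rather than passed through. The field names, helper names and the sample record are constructed for illustration.

```python
"""Limited data set filter (added example, not Summa Hospitals' own code)."""
import re

# Identifier categories the policy says must be removed. The keys are
# constructed field names for a hypothetical patient record.
REMOVED_FIELDS = frozenset({
    "name",
    "street_address",              # postal address other than city/state/zip
    "telephone",
    "fax",
    "email",
    "ssn",
    "medical_record_number",
    "health_plan_beneficiary_number",
    "account_number",
    "certificate_license_number",
    "vehicle_identifier",          # includes license plate numbers
    "device_identifier",
    "url",
    "ip_address",
    "biometric_identifier",        # finger and voice prints
    "full_face_photo",             # and any comparable image
})

# Fields the policy explicitly allows a limited data set to retain.
RETAINED_FIELDS = frozenset({
    "city", "state", "zip_code",   # permitted parts of the postal address
    "admission_date", "discharge_date", "service_date", "date_of_death",
    "age",                         # retained as-is, including age 90 or over
})


class LimitedDataSetError(ValueError):
    """Raised when a record cannot be safely reduced to a limited data set."""


def to_limited_data_set(record: dict) -> dict:
    """Return a copy of `record` holding only limited-data-set fields.

    Fails closed: a field that is on neither list is rejected instead of
    being passed through, because an unclassified field (free-text notes,
    an unexpected image field) may carry an identifier.
    """
    reduced = {}
    for field, value in record.items():
        if field in REMOVED_FIELDS:
            continue                    # direct identifier: drop it
        if field in RETAINED_FIELDS:
            reduced[field] = value
            continue
        raise LimitedDataSetError(
            f"field {field!r} is not classified; classify it before release")

    # Only the five-digit zip code is permitted, so a ZIP+4 value is
    # truncated to its first five digits and anything else is rejected.
    zip_code = reduced.get("zip_code")
    if zip_code is not None:
        match = re.fullmatch(r"(\d{5})(?:-\d{4})?", str(zip_code).strip())
        if match is None:
            raise LimitedDataSetError(
                f"zip_code {zip_code!r} is not a recognised five-digit zip code")
        reduced["zip_code"] = match.group(1)
    return reduced


def to_limited_data_set_batch(records: list) -> list:
    """Reduce every record; a single unclassified field aborts the release."""
    return [to_limited_data_set(r) for r in records]


# Constructed sample record with fictitious values.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example St",
    "city": "Akron",
    "state": "OH",
    "zip_code": "44304-1234",
    "telephone": "330-555-0100",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-000000",
    "admission_date": "2006-10-01",
    "discharge_date": "2006-10-05",
    "date_of_death": None,
    "age": 92,
}

if __name__ == "__main__":
    # prints the reduced record: city, state, zip_code "44304", the dates and age
    print(to_limited_data_set(SAMPLE_RECORD))
```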


PROCEDURE

Workforce members of Summa Hospitals may use limited data sets for internal uses or may disclose to external entities for:

• Research

• Public health studies

• Health care operations of another covered entity.

You need not seek patient authorization or other approval for use of limited data sets for the above purposes, if you obtain the following agreements:

• For external recipients of the limited data sets, enter into data use agreements.

• For Summa recipients of the limited data sets, enter into confidentiality agreements.

Contact the Legal Services Department for assistance with preparing a data use or confidentiality agreement.

Revised 10/9/06


Procedures for Marketing Activities

Summa Hospitals collects and maintains a great deal of personal health information about our patients. The federal HIPAA regulations on patient privacy and confidentiality place restrictions on our ability to use and disclose that information for marketing purposes. In order to protect the privacy and confidentiality of our patients' personal health information and to comply with federal law, all employees of Summa Hospitals are required to comply with the provisions of this policy.

DEFINITIONS

Marketing is a communication about a product or service to encourage recipients of the communication to purchase or use the product or service. Marketing does not include the following:

• Communications describing the products and services provided by or offered by Summa Hospitals. You may use patient information to describe our products and services and you can target patients by clinical information, zip code, sex, or age.

• Communications to a patient as part of his/her treatment and for the purpose of furthering his/her treatment, including case management and care coordination.

• Communications to a patient in the course of managing his/her treatment, to direct or recommend alternative treatments, therapies, health care providers or settings of care.

• Communications that promote health in a general manner, such as information about how to guard against development of a particular disease or condition, so long as the communications do not promote a specific product or service from a third party provider and the communications are population-based (i.e., are mailed to our entire patient base or to women or other population-based designations, but are not based on clinical information).

PROCEDURE

An authorization signed by the patient must be obtained before using or disclosing that patient's health information for marketing purposes, except for the following:

• During face-to-face encounters with the patient, you may discuss our products and services or those of a third party without an authorization;

• Communications consisting of a promotional gift of nominal value; for example: pens, magnets, calendars, etc. may be made without an authorization.

DISCLOSURES TO THIRD PARTIES

No patient information may be disclosed to persons or entities outside Summa Hospitals for communications exempt from or included in the definition of marketing unless such person or entity is a business associate of Summa Hospitals and has signed a Business Associate agreement. No personal health information may be disclosed to any third party, including a business associate, for communications that constitute marketing unless a signed patient authorization is obtained. You may not disclose patient information to any third party for the purpose of allowing the third party to market its own products or services.

Revised 6/28/06


Using, Requesting and Disclosing Minimum Necessary Information

Summa Hospitals uses, requests and discloses personal protected health information about our patients for a variety of purposes. The federal HIPAA regulations on patient privacy and confidentiality require that in many cases only the minimum necessary information may be used, requested or disclosed. In order to protect the privacy and confidentiality of our patients' personal health information and to comply with federal law, all workforce members of Summa Hospitals are required to comply with the provisions of this policy.

DEFINITIONS

Personal Protected health information (PHI), the subject of this policy, includes information that is:

1. Created or received by Summa Hospitals;

2. Relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or the past, present, or future payment for the provision of health care to a patient; and

3. Identifies the patient or provides a reasonable basis to believe that it can be used to identify the patient.

Personal Protected health information includes information of persons living or deceased. The following components of a patient's information also are considered personal protected health information:

• names;

• street address, city, county, precinct, zip code;

• dates directly related to a patient, including birth date, admission date, discharge date, and date of death;

• telephone numbers, fax numbers, and electronic mail addresses;

• Social Security numbers;

• medical record numbers;

• health plan beneficiary numbers;

• account numbers;

• certificate/license numbers;

• vehicle identifiers and serial numbers, including license plate numbers;

• device identifiers and serial numbers;

• Web Universal Resource Locators (URLs);

• biometric identifiers, including finger and voice prints;

• full face photographic images and any comparable images; and

• any other unique identifying number, characteristic, or code.


Disclosure. The release, transfer, provision of access to, or divulging in any other manner of personal protected health information to persons not employed by or working within Summa Hospitals.

Request. When any person affiliated with Summa Hospitals asks for personal protected health information from a person or entity outside of Summa Hospitals.

Use. The sharing, employment, application, utilization, examination, or analysis of personal health information by any person working for or within Summa Hospitals.

POLICY

It is the policy of Summa Hospitals that, unless otherwise excepted by this policy, all uses, disclosures, and requests for personal protected health information are limited to that which is reasonably necessary to accomplish the intended purpose of the use, disclosure, or request.

The following types of disclosures, requests and uses are not subject to the minimum necessary requirements:

• Disclosures to or requests to a health care provider for treatment;

• Uses to prepare information for and disclosures made to a patient or a patient's representative;

• Uses, requests, or disclosures made pursuant to an authorization signed by a patient or a patient's representative;

• Disclosures made to the Secretary of the U.S. Department of Health and Human Services for compliance and enforcement of the privacy regulations; and

• Uses to prepare information for and disclosures that are required by law.

PROCEDURE

Disclosures of Patient Information. All permissible disclosures of patient information must be limited to the amount of information reasonably necessary to accomplish the purpose of the disclosure in accordance with the guidelines set forth in the attached Minimum Necessary Disclosure Requirements. Routine and recurring disclosures must be made in accordance with the attached Routine and Recurring Disclosure Protocol. Each disclosure for which the minimum necessary rules apply must be individually evaluated to assure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure. In each case where individual evaluation is required, the entire medical record may not be disclosed unless the entire medical record is specifically justified and documented as the amount that is reasonably necessary to accomplish the purpose of the disclosure.

Requests for Patient Information. All permissible requests of patient information must be limited to the amount of information reasonably necessary to accomplish the purpose of the request in accordance with the guidelines set forth in the attached Minimum Necessary Request Requirements. Routine and recurring requests must be made in accordance with the attached Routine and Recurring Request Protocol. Each request for which the minimum necessary rules apply must be individually evaluated to assure that the amount of information requested is the minimum necessary to accomplish the purpose of the request. In each case where individual evaluation is required, the entire medical record may not be requested unless the entire medical record is specifically justified and documented as the amount that is reasonably necessary to accomplish the purpose of the request.

Uses of Patient Information. All permissible uses of patient information must be limited to the amount of information reasonably necessary to accomplish the purpose of the use in accordance with the guidelines set forth in the attached Minimum Necessary Uses Requirements. If the use is subject to the minimum necessary requirements, your use must be limited to that which is authorized on the attached Minimum Necessary Uses by Worker Group Chart. If any use is required that is not authorized on the Minimum Necessary Uses by Worker Group Chart, approval for such use must be obtained from your immediate supervisor or from the Privacy Officer.

Reviewed 6/28/06


MINIMUM NECESSARY DISCLOSURE REQUIREMENTS

The following chart outlines when the minimum necessary requirements apply to permissible disclosures of personal health information made by your organization to persons or entities outside of your organization.

Disclosures from Summa Hospitals | Disclosure Limited to Minimum Necessary? | Requirements
To another health care provider for treatment | No | None
When requested by another covered entity for non-treatment purposes and no authorization | No | Can reasonably rely that the requested disclosure is minimally necessary
When requested by a business associate of your organization | No, if requirements met | If the business associate represents that the information requested is the minimum necessary for the stated purpose
When requested by researchers and no authorization | No, if requirements met | If the IRB or privacy board has made waiver of authorization findings, or the researcher has signed a representation that the information will only be used for research protocol development or is research on decedents
When requested by public officials in accordance with public health activities and no authorization | No, if requirements met | If the public official represents that the information requested is the minimum necessary for the stated purpose
To a patient or patient representative | No | None
To anyone if signed patient authorization | No | None, unless limited by authorization
When requested by the Secretary of Health and Human Services for compliance and enforcement of HIPAA privacy | No | None
Routine and recurring disclosures and no authorization | Yes | Subject to Routine and Recurring Disclosure Protocol
For purposes required by law and no authorization | No | None
All other disclosures and no authorization | Yes | Each such disclosure must be individually evaluated to assure that the disclosure is limited to that which is reasonably necessary to accomplish the purpose for which the disclosure is made


ROUTINE AND RECURRING DISCLOSURE PROTOCOL FOR WHICH MINIMUM NECESSARY STANDARDS APPLY

The following chart can be used to list routine and recurring disclosures and the amount of information reasonably necessary to comply with the purpose of the disclosure.

Type of Disclosure | Person/Entity Disclosed To | Frequency of Disclosure | Minimum Necessary to Accomplish Purpose of Disclosure
Billing | Payor or Government Agency Program | Upon discharge & as requested | Universal billing form and/or limited to written request
Legal Purpose | Attorney or law firm | As requested | Limited to written request
Outside review | Agency contacted for review | As requested | Limited to written request
Law enforcement | Law enforcement agency | As requested | Limited to written request
Authorization for service | Payor or Government Agency Program | Daily | Limited to payor request
Registry Tracking | Health care provider | As needed | Limited to registry requirements
Research | Principal investigator or authorized individual | As requested | Limited to written request


MINIMUM NECESSARY REQUEST REQUIREMENTS

The following chart outlines when the minimum necessary requirements apply to requests for personal health information made by your organization to persons or entities outside of your organization.

Requests from Summa Hospitals | Request Limited to Minimum Necessary? | Requirements
To another health care provider for treatment | No | None
To another covered entity for non-treatment purposes and no authorization | Yes | Limit request to that which is reasonably necessary to accomplish the purpose for which the request is made
To anyone if signed patient authorization approving the request | No | None, unless limited by authorization
Routine and recurring requests for information | Yes | Subject to Routine and Recurring Request Protocol
All other requests for information and no authorization | Yes | Each such request must be individually evaluated to assure that the request is limited to that which is reasonably necessary to accomplish the purpose for which the request is made


ROUTINE AND RECURRING REQUEST PROTOCOL FOR WHICH MINIMUM NECESSARY STANDARDS APPLY

The following chart can be used to list routine and recurring requests and the amount of information reasonably necessary to comply with the purpose of the request.

Type of Request | Person/Entity Request Made To | Frequency of Request | Minimum Necessary to Accomplish Purpose of Request
Billing/Payment | Payor or Government agency | Daily | Information limited to payment status
Registries Tracking | Healthcare provider | As needed | Limited to registry requirements
Authorization for services | Payor or Government Agency | Daily | Limited to payor requirements


MINIMUM NECESSARY USE REQUIREMENTS

The following chart outlines when the minimum necessary requirements apply to uses of personal health information made by your workforce members, including those made for treatment.

Uses by Workforce Members of Summa Hospitals | Use Limited to Minimum Necessary? | Requirements
Uses to prepare information to be given to a patient or patient's representative | No | None
Uses pursuant to an authorization signed by the patient or the patient's representative | No | None, unless limited by authorization
Uses that are required by law; for instance, preparing information for a disclosure that is required to be made by law | No | None
All other uses made without an authorization | Yes | Use must be consistent with Minimum Necessary Uses by Worker Group Chart


Minimum Necessary Uses by Worker Group

The following chart outlines the accepted uses members of your workforce and other staff may make of patient information held by your organization. Note that workforce and staff are only permitted to use information for treatment, payment, and health care operations (with certain exceptions for fundraising, marketing, and psychotherapy notes). Other uses require a signed authorization unless there is an exception in the regulations as listed on the Checklist for Determining Whether Authorization is Required.

Work Group of Summa Hospitals | Category of Information Which Can Be Accessed and Used Without a Patient Authorization
Non-Clinical Provider | Minimum necessary for performance of job duties
Clinical Provider | Entire medical record of any patient being treated by the medical staff member, nurse, or other health care provider and any other information necessary for the treatment of the patient
Chaplains | Minimum necessary (e.g. name, room number, religious preference)
Hospital Committee | Minimum necessary for performance of job duties


Mitigation of Improper Uses or Disclosures of Protected Health Information

PURPOSE

Summa Hospitals collects and maintains personal protected health information about our patients. The federal HIPAA regulations on patient privacy and confidentiality limit how that information can be used by and disclosed to outside persons and entities that provide services for Summa Hospitals. HIPAA regulations also require us to limit the damage resulting from a use or disclosure of protected health information in violation of Summa Hospitals policies and/or the HIPAA regulations. In order to protect the privacy and confidentiality of protected health information and to comply with state and federal law, all workforce members of Summa Hospitals are required to comply with the provisions of this policy.

DEFINITIONS

Protected Health Information (PHI) includes information about persons living or deceased that:

1. Is created or received by Summa Hospitals;
2. Relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or the past, present, or future payment for the provision of health care to a patient; and
3. Identifies the patient or provides a reasonable basis to believe that it can be used to identify the patient.

Protected health information includes information of persons living or deceased. The following components of a patient's information also are considered protected health information:

• names;
• street address, city, county, precinct, zip code;
• dates directly related to a patient, including birth date, admission date, discharge date, and date of death;
• telephone numbers, fax numbers, and electronic mail addresses;
• Social Security numbers;
• medical record numbers;
• health plan beneficiary numbers;
• account numbers;
• certificate/license numbers;
• vehicle identifiers and serial numbers, including license plate numbers;
• device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• biometric identifiers, including finger and voice prints;
• full face photographic images and any comparable images; and
• any other unique identifying number, characteristic, or code.


Business Associate. A person or business that:

1. Is not a member of the workforce of Summa Hospitals;
2. Uses or discloses protected health information that is received from Summa Hospitals for more than just treatment purposes; and
3. Performs a function or activity on behalf of Summa Hospitals or provides a service to or for Summa Hospitals.

Note: Any person or business that receives protected health information only for treatment purposes is not a business associate.

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of protected health information to persons who are neither members of Summa Hospitals’ workforce nor working within Summa Hospitals.

Use. The sharing, employment, application, utilization, examination, or analysis of protected health information by any member of Summa Hospitals’ workforce or others working within Summa Hospitals.

POLICY

Workforce members and business associates of Summa Hospitals regularly use or disclose protected health information. Disclosing protected health information improperly constitutes a violation of Summa Hospitals policies and procedures, and/or the provisions of business associates’ contracts with Summa Health System. Summa Hospitals will address these improper uses and disclosures through the procedures listed below.

Mitigating Improper Uses or Disclosures of Protected Health Information by Workforce Members or Business Associates

1. Reporting. Workforce members who become aware of any improper use or disclosure of protected health information by a fellow workforce member or a business associate must promptly notify their supervisors, the Compliance Hotline, the Patient Liaison, or Summa Hospitals’ Privacy Officer. All reports to supervisors, the Compliance Hotline or the Patient Liaison must be communicated to the Privacy Officer.


2. Documentation. The Privacy Officer will document and investigate all potential incidents of an improper use or disclosure of protected health information by a workforce member or business associate.

3. Investigation. When the Privacy Officer investigates a potential incident of an improper use or disclosure of protected health information by a workforce member or business associate:

a. The Privacy Officer is responsible for an incident response plan that may include involvement of the Legal Services or Risk Management Departments, or both. The Privacy Officer will lead an ad hoc committee (Incident Response Team) at his/her discretion, to be comprised of the Privacy Officer, representatives of the Departments of Legal Services and Risk Management, representatives of Human Resources if applicable, and representation by other departments as deemed appropriate.

b. The Privacy Officer is responsible for retaining all records of the investigation or of meetings and communications concerning the investigation and any evidence significant to the investigation.

c. The Privacy Officer will document the findings and conclusions of every investigation undertaken and will retain such documentation.

d. The Privacy Officer must report investigative findings and conclusions to the appropriate Summa Hospitals committee, department, or individual (e.g., report improper acts by a business associate to Legal Services).

4. Containment. To limit the extent of any improper use or disclosure of protected health information, the Privacy Officer must take steps to mitigate the exposure of protected health information to persons or entities that should not have access to it. These steps include, but are not limited to:

a. Identifying the extent of distribution of any improper disclosure of protected health information.

b. Requesting recipients of improperly disclosed protected health information to ignore, return, or destroy the information.

c. Requesting recipients of improperly disclosed protected health information to maintain the confidentiality of the information.

d. Denying information access to a member of the workforce about whom the Privacy Officer has reasonable suspicions regarding an improper disclosure of protected health information, pending the resolution of the investigation and mitigation process.

e. Informing the Corporate Communications Department about the purpose and progress of the investigation.

f. Notifying the Legal Services Department about the purpose and progress of investigations into potential incidents of improper use or disclosure of protected health information.


Workforce members shall work with the Privacy Officer to limit, to the extent practicable, any known harmful effect of an improper use or disclosure of protected health information.

5. Correction. The Privacy Officer must determine the causes of any improper use or disclosure of protected health information and plan to prevent any recurrence of this improper use or disclosure, including training of workforce members as appropriate.

Reviewed 6/27/06


Summa Hospitals NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

The terms of this Notice of Privacy Practices apply to Summa Hospitals. Members of the work force at Summa Hospitals will share personal, protected health information of patients as necessary to carry out treatment, payment and health care operations as permitted by law.

Summa Hospitals is required by law to maintain the privacy of our patients’ personal, protected health information and to provide patients with notice of our legal duties and privacy practices with respect to your personal, protected health information. We are required to abide by the terms of this Notice so long as it remains in effect. We reserve the right to change the terms of this Notice of Privacy Practices as necessary and to make the new Notice effective for all personal, protected health information maintained by us. You may receive a copy of any revised Notice at any Summa Hospital point of registration or a copy may be obtained by mailing a request to the Privacy Officer of Summa Hospitals at P.O.Box 2090, Akron, OH 44309-2090 or to the Privacy Officer of Cuyahoga Falls General Hospital at 1900 23rd Street, Cuyahoga Falls, OH 44223.

USES AND DISCLOSURES OF YOUR PERSONAL, PROTECTED HEALTH INFORMATION

Your Authorization. Except as outlined below, we will not use or disclose your personal, protected health information for any purpose unless you have signed a form authorizing the use or disclosure. You have the right to revoke that authorization in writing unless we have taken any action in reliance on the authorization.

Uses and Disclosures for Treatment. We will make uses and disclosures of your personal, protected health information as necessary for your treatment. For instance, doctors, nurses and other professionals involved in your care will use information in your medical record and information that you provide about your symptoms and reactions to plan a course of treatment for you that may include procedures, medications, tests, etc. We may also release your personal, protected health information to another health care facility or professional who is not affiliated with our organization but who is or will be providing treatment to you. For instance, if, after you leave the hospital, you are going to receive home health care, we may release your personal, protected health information to that home health care agency so that a plan of care can be prepared for you.

Uses and Disclosures for Payment. We will make uses and disclosures of your personal, protected health information as necessary for the payment purposes of those health professionals and facilities that have treated you or provided services to you. For instance, we may forward information regarding your medical procedures and treatment to your insurance company to arrange payment for the services provided to you or we may use your information to prepare a bill to send to you or to the person responsible for your payment.

Uses and Disclosures for Health Care Operations. We will use and disclose your personal, protected health information as necessary and as permitted by law, for our health care operations that include clinical improvement, professional peer review, business management, accreditation and licensing, etc. For instance, we may use and disclose your personal, protected health information for purposes of improving the clinical treatment and care of our patients. We may disclose protected health information to doctors, nurses, technicians, medical students, volunteers and other persons for review and learning purposes and for the operation of educational programs. We may also disclose your personal, protected health information to another health care facility, health care professional, or health plan for such things as quality assurance and case management, but only if that facility, professional, or plan also has or had a patient relationship with you.

Our Patient Directory. Summa Hospitals maintains a patient directory listing the name, room number, general condition and, if you wish, your religious affiliation. Unless you choose to have your personal, protected health information excluded from this directory, the information, excluding your religious affiliation, will be disclosed to anyone who requests it by asking for you by name. This information, including your religious affiliation, may also be provided to members of the clergy. You have the right during registration to have your information excluded from this directory.

Family and Friends Involved in Your Care. With your approval, we may disclose your personal, protected health information to designated family, friends, and others who are involved in your care or in payment of your care in order to facilitate that person’s involvement in caring for you or paying for your care. If you are unavailable, incapacitated, or facing an emergency medical situation, and we determine that a limited disclosure may be in your best interest, we may share limited personal, protected health information with such individuals without your approval. We may also disclose limited personal, protected health information to a public or private entity that is authorized to assist in disaster relief efforts in order for that entity to locate a family member or other persons that may be involved in some aspect of caring for you.

Business Associates. Certain aspects and components of our services are performed through contracts with outside persons or organizations, such as auditing, accreditation, legal services, etc. At times it may be necessary for us to provide some of your personal, protected health information to one or more of these outside persons or organizations who assist us with our health care operations. In all cases, we require these business associates to appropriately safeguard the privacy of your information.

Fundraising. We may contact you to donate to a fundraising effort for or on our behalf. You have the right to “opt-out” of receiving fundraising materials or communications and may do so by sending your name and address to the Privacy Officer of Summa Hospitals at P.O.Box 2090, Akron, OH 44309-2090 or to the Privacy Officer of Cuyahoga Falls General Hospital at 1900 23rd Street, Cuyahoga Falls, OH 44223 together with a statement that you do not wish to receive fundraising materials or communications from us.

Appointments and Services. We may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you. You have the right to request and we will accommodate reasonable requests by you to receive communications regarding your personal, protected health information from us by alternative means or at alternative locations. For instance, if you wish appointment reminders not to be left on voice mail or sent to a particular address, we will accommodate reasonable requests. You may request such confidential communication in writing and may send your request to the Privacy Officer of Summa Hospitals at P.O.Box 2090, Akron, OH 44309-2090 or to the Privacy Officer of Cuyahoga Falls General Hospital at 1900 23rd Street, Cuyahoga Falls, OH 44223.

Health Products and Services. We may from time to time use your personal, protected health information to communicate with you about health products and services necessary for your treatment, to advise you of new products and services we offer, and to provide general health and wellness information.

Research. In limited circumstances, we may use and disclose your personal, protected health information for research purposes. For example, a researcher may wish to compare outcomes of all patients that received a particular drug and will need to review a series of medical records. In all cases where your specific authorization is not obtained, your privacy will be protected by strict confidentiality requirements applied by an Institutional Review Board that oversees the research, or by representations of the researchers that limit their use and disclosure of patient information.

Other Uses and Disclosures. We are permitted or required by law to make certain other uses and disclosures of your personal, protected health information without your authorization. We may release your personal, protected health information:

• for any purpose required by law;
• for public health activities, such as required reporting of disease, injury, and birth and death, and for required public health investigations;
• as required by law if we suspect child abuse or neglect; we may also release your personal, protected health information as required by law if we believe you to be a victim of abuse, neglect, or domestic violence;
• to the Food and Drug Administration if necessary to report adverse events, product defects, or to participate in product recalls;
• to your employer when we have provided health care to you at the request of your employer; in most cases you will receive notice that information is disclosed to your employer;
• if required by law to a government oversight agency conducting audits, investigations, or civil or criminal proceedings;
• if required to do so by a court-ordered or administratively ordered subpoena or discovery request; in most cases you will have notice of such release;
• to law enforcement officials as required by law to report wounds and injuries and crimes;
• to coroners and/or funeral directors consistent with law;
• if necessary to arrange an organ or tissue donation from you or a transplant for you;
• if you are a member of the military as required by armed forces services; we may also release your personal, protected health information if necessary for national security or intelligence activities;
• to workers’ compensation agencies if necessary for your workers’ compensation benefit determination.

RIGHTS THAT YOU HAVE

Access to Your Personal, Protected Health Information. You have the right to receive a copy and/or inspect much of the personal, protected health information that we retain on your behalf. All requests for access must be made in writing and signed by you or your representative. We will charge you a reasonable fee if you request a copy of the information. We may also charge for postage if you request a mailed copy. Patients or their legal representatives may request access to their personal, protected health information by completing the Authorization for Release of Information Form. This Form is available from the Medical Records Department, the Patient Accounts Department, or the Summa Hospitals Forms Bulletin Board in Microsoft Outlook.

Amendments to Your Personal, Protected Health Information. You have the right to request in writing that personal, protected health information that we maintain about you be amended or corrected. We are not obligated to make all requested amendments but will give each request careful consideration. All amendment requests, in order to be considered by us, must be in writing, signed by you or your representative, and must state the reasons for the amendment/correction request. If we make an amendment or correction that you request, we may also notify others who work with us and have copies of the uncorrected record if we believe that such notification is necessary. Amendment request forms may be obtained from the Medical Records Department or the Summa Forms Bulletin Board in Microsoft Outlook.

Accounting for Disclosures of Your Personal, Protected Health Information. You have the right to receive an accounting of certain disclosures made by us of your personal, protected health information after April 14, 2003. Requests must be made in writing and signed by you or your representative. Accounting request forms are available from the Medical Records Department or the Summa Forms Bulletin Board in Summa’s Microsoft Outlook program. The first accounting in any 12-month period is free; you will be charged a reasonable fee for each subsequent accounting you request within the same 12-month period.

Restrictions on Use and Disclosure of Your Personal, Protected Health Information. You have the right to request restrictions on certain uses and disclosures of your personal, protected health information for treatment, payment, or health care operations by contacting the Privacy Officer. We are not required to agree to your restriction request but will attempt to accommodate reasonable requests when appropriate. We retain the right to terminate an agreed-to restriction if we believe such termination is appropriate. In the event of a termination by us, we will notify you of such termination. You also have the right to terminate, in writing or orally, any agreed-to restriction by sending such termination notice to the Privacy Officer of Summa Hospitals at P.O.Box 2090, Akron, OH 44309-2090 or to the Privacy Officer of Cuyahoga Falls General Hospital at 1900 23rd Street, Cuyahoga Falls, OH 44223. Any agreed-to restriction will not limit patient directory disclosures unless you exclude yourself from the patient directory.

Complaints. If you believe your privacy rights have been violated, you can file a complaint with the Privacy Officer, Patient Liaison, or the Compliance Hotline. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services in Washington, D.C. in writing within 180 days of a perceived violation of your rights. There will be no retaliation for filing a complaint.

FOR FURTHER INFORMATION

If you have questions or need further assistance regarding this Notice, you may contact the Privacy Officer of Summa Hospitals at P.O.Box 2090, Akron, OH 44309-2090, telephone (330) 375-6665 or the Privacy Officer of Cuyahoga Falls General Hospital at 1900 23rd Street, Cuyahoga Falls, OH 44223, telephone (330) 971-7198. You may also call the Compliance Hotline of Summa Hospitals at 1-800-421-0925 or the Compliance Hotline of Cuyahoga Falls General Hospital at (330) 971-7111 or 1-866-265-4575.

As a patient you retain the right to obtain a paper copy of this Notice of Privacy Practices, even if you have requested such copy by e-mail or other electronic means.

EFFECTIVE DATE

This Notice of Privacy Practices is effective April 14, 2003.

Reviewed 6/28/06


Distribution of the Notice of Privacy Practices Procedure

PURPOSE

Workforce members of Summa Hospitals collect and maintain a great deal of personal, protected health information about our patients. The federal HIPAA regulations on patient privacy and confidentiality require us to provide notice to our patients and the public about how this information may be used and disclosed by our organization. Workforce members of Summa Hospitals are required to comply with the provisions of this policy.

PROCEDURE:

1. Timing of Provision. The Notice of Privacy Practices must be made available, distributed, and posted in accordance with this policy on or after April 14, 2003.

2. Availability to the Public. A copy of the Notice of Privacy Practices must be made available upon request at all points of Registration in Summa Hospitals.

3. Distribution to Patients. All patients must be provided a copy of the Notice of Privacy Practices no later than the date of the first service delivery to each patient on or after April 14, 2003, including service delivered electronically. We are not required to provide Notice to any patient who is also an inmate in a correctional facility.

4. E-Mail Delivery of Notice. If the first service delivery to a patient is delivered electronically, provide an electronic copy of the Notice of Privacy Practices automatically and simultaneously in response to the patient’s first request for service. If you know that the e-mail transmission has failed, you must provide a paper copy of the Notice to the patient. The patient who is the recipient of an electronic notice retains the right to obtain a paper copy of the Notice upon request.

5. Acknowledgment of Receipt. After providing the patient with a copy of the Notice of Privacy Practices, obtain the patient’s signature on the “Receipt of Notice of Privacy Practices Acknowledgment Form.” In the case of an emergency when the patient is not able to sign the acknowledgment form, attempt to obtain the patient’s signature as soon as practicable. If the Notice is delivered electronically by e-mail, require the patient to acknowledge receipt of the e-mail electronically by replying to the Notice delivery e-mail. When the patient refuses to sign the form or you are otherwise unable to obtain a signature or electronic acknowledgment, document the attempts made to obtain the signature and the reasons why you were unsuccessful. Retain the signed acknowledgement forms and the documentation of failed attempts to obtain the signed form in the Patient Accounts Department.

6. Posting the Notice. Copies of the Notice of Privacy Practices must be posted in each separate building where patients are registered for treatment, in a clear and prominent location where it is reasonable to expect patients to be able to read the Notice.

7. Website Posting. A copy of the most current Notice of Privacy Practices must be posted prominently on our website and must be accessible by a link from the front page of the website.

8. Revisions to the Notice. Whenever the Notice of Privacy Practices is revised:

• Make the revised Notice available upon request on or after the effective date of the revision,
• Distribute the revised Notice as required in paragraph 3,
• Promptly post the revised Notice as required in paragraph 5, and
• Post the revised Notice on the website as required in paragraph 6.

All patients arriving for treatment on or after the effective date of a revised Notice must be given the appropriate revised Notice.

Reviewed 6/28/06


Patient Directory

PURPOSE

Summa Hospitals maintains a patient directory for each facility with information regarding patients currently in our facilities. The federal HIPAA regulations on patient privacy and confidentiality limit how health care providers may disclose this information. In order to protect the privacy and confidentiality of our patients’ personal, protected health information and to comply with federal and state law, all workforce members of Summa Hospitals are required to comply with the provisions of this policy.

PROCEDURE

General Policy: Every patient (e.g., inpatient, outpatient, observation patients, same day surgery, emergency department, diagnostic patients, etc.) of Summa Hospitals must be advised at the time of registration that Summa Hospitals maintains a Patient Directory that includes the patient’s name, room number (if admitted), and a general statement of condition (e.g., serious or satisfactory), with the exception of Behavioral Health patients. The patient information is disclosed to any person who inquires about that patient by name. The following must be asked of each patient:

- Whether the patient wishes to be excluded from the facility patient directory.

If not excluded: (To be coded as “Y” in the hospital registration system.)

Advise the patient that if not excluded the following information will be disclosed to non-clergy persons who ask for the patient by name:

- The individual’s name;
- The location of the patient in the facility (room number); and
- The individual’s condition described in general terms that do not communicate specific medical information (e.g., serious or satisfactory).

Ask the patient whether he/she wishes to provide a religious affiliation and whether he/she agrees to make that religious affiliation available to members of the clergy who inquire about patients by religious denomination. Advise the patient that the religious affiliation information will only be disclosed to members of the clergy.

If excluded: (To be coded as “N” in the hospital registration system.)

Advise the patient that if excluded, no information regarding his/her presence in the facility will be released to anyone other than members of the Summa Hospitals workforce who need to know.


Disclosure from Summa Hospitals Workforce:

When information is requested on a particular patient, Summa Hospitals workforce members must carefully check to see if the patient has asked to be excluded from disclosure.

- If a patient has requested to be excluded from the directory, no information about that patient may be disclosed.
- If a patient chooses to register under an assumed name, information may be disclosed to inquiries by that name. (See Confidential Name Registration Procedure in Central Registration Manual.)
- Information may be disclosed to any person authorized to receive the information by the Summa Hospitals’ Privacy Officer.

News Media Disclosure:

If members of news media ask for a patient by name, Summa Hospitals’ workforce members may only disclose the information that the patient has allowed Summa Hospitals to release. The news media should be referred to Corporate Communications for all other questions. (See News/Media, Release of Information Procedure in the Administrative Manual.)

Clergy Disclosure:

Unless the information is excluded, the following information may be released to a member of the clergy who asks in person, even without requesting an individual patient by name:

- The individual’s name.
- The location of the patient in the facility (room number).
- The individual’s condition described in general terms that do not communicate specific medical information (e.g., serious or satisfactory).
- The individual’s religious affiliation, if provided.

If the clergy member calls in by telephone to request information on patients, Summa Hospitals workforce members may state “YES” or “NO” as to whether there are patients of a particular denomination as inpatients, but are NOT to release the patients’ names, room numbers or conditions. Summa Hospitals’ workforce members may release the above information to clergy members in person.

Verification:

It is not necessary to verify the identity of a person requesting information on the facility patient directory unless a patient has requested an exclusion.

If a person states that he/she is a member of the clergy and is unknown to Summa Hospitals’ workforce members, workforce members should ask for a form of identification verifying the clergy member’s status (e.g., Akron Regional Hospital Association badge) before releasing information that would not be available to any non-clergy person. If Akron Regional Hospital Association provides an individual with a clergy badge, Summa Hospitals will recognize the individual as clergy. For the purpose of this policy, leading members of the church are NOT to be considered “clergy” unless they have been assigned an Akron Regional Hospital Association badge.

Suspicious persons should be promptly reported to the Protective Services Officer on duty.

Suspected inappropriate access or use of information should be reported to the Summa Hospitals’ Privacy Officer.

Incompetent or Emergency Patients: If a patient arrives at the facility and is unable to respond to the above questions or if asking the questions would delay treatment, the patient’s information will be included in the directory if the patient’s Emergency Department physician or other designated individual determines such inclusion is consistent with a prior expressed preference of the patient or if such inclusion appears to be in the best interest of the patient. In making the determination as to whether inclusion is in the best interest of the patient, the patient’s Emergency Department physician or other designated individual shall consider:

- Whether disclosing that a patient is in the facility could reasonably cause harm or danger to the individual (e.g., if it appears that an unconscious patient has been abused and disclosing the information could give the attacker sufficient information to seek out the person and repeat the abuse);
- Whether disclosing a patient’s location within a facility implicitly would give information about the patient’s condition (e.g., whether a patient’s room number reveals that he/she is in a psychiatric ward);
- Whether it is necessary or appropriate to give information about patient status to family or friends (e.g., if giving information to a family member about an unconscious patient could help a physician administer appropriate medications); and/or
- Whether the patient had, prior to becoming incapacitated, expressed a preference not to be included in the directory.

In cases where the patient is initially unable to object to inclusion in the directory (to be coded as “U” for Undetermined in the hospital registration system), the patient must be given the opportunity to object as soon as practicable. A standardized report listing those patients who have not yet been given an opportunity to object to their inclusion in the Facility Patient Directory will be printed daily and distributed to the nursing units. The Patient Care Coordinator or Social Worker will be responsible for checking the list daily and updating the disclosure status of any patient whose change in condition enables an update.

Revised June, 2003 Reviewed 6/28/06


Personnel Security Policy

Summa Hospitals has adopted this Personnel Security Policy to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Department of Health and Human Services (“DHHS”) security and privacy regulations, the Joint Commission on Accreditation of Healthcare Organizations (“JCAHO”) accreditation standards, the American Osteopathic Association (“AOA”) standards, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. All workforce members and medical staff must comply with this policy. Familiarity with the Personnel Security Policy and demonstrated competence in the requirements of the policy are an important part of every employee’s responsibilities.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals’ premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy and security policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

POLICY

Along with its other policies and procedures protecting the integrity and confidentiality of health information, Summa Hospitals adopts this Personnel Security Policy to ensure that its workforce members and others who have access to health information are properly screened, properly trained, and properly supervised regarding their access to and use of health information.

Screening of Individuals with Access to Individually Identifiable Health Information

HIPAA and the DHHS security regulations require “appropriate clearances” for all workforce members with access to individually identifiable health information. The regulations do not, however, specify what appropriate clearances consist of. Rather, they leave it up to covered entities to determine what screening is appropriate based on a risk analysis, defined as the process of selecting cost-effective security/control measures by balancing the cost of those measures against the harm that would occur if those measures were not in place.

Human Resources and the Hiring Manager are responsible for screening new employees and others with access to individually identifiable health information. An appropriate clearance may include, among others, the following elements:

• Criminal background check.

• Credit check.

• Verification of references.

• Verification of employment history.

• Verification of licensure and/or certification.

• In-depth interview.

• Drug testing (coordinate with Human Resources and the Legal Department to ensure that such testing is legal and proper).

• Addendum to Consultant Agreement signed for contracted individuals/companies.

• Self-certification in the employment application. If approved by Human Resources, such documents could ask applicants to certify that they do not have felony convictions or any convictions involving dishonesty and know of no reason why they could not be trusted with confidential health information.

AUTHORIZATION OF ACCESS LEVEL

Directors or Hiring Managers are responsible for reviewing and approving the level of access a workforce member has to protected health information. The level of access must be reviewed, authorized, and signed by the Director or Hiring Manager upon new hire and reviewed and reauthorized periodically. The documents that will be utilized by the Hiring Manager are the Hardware/Software Request Form and Information Security Agreement. All employees must sign an Information Security Agreement. A signed protocol may be used to assign large groups of employees to a particular system access or access level. This protocol must follow guidelines established in the Information Access/Control Policy.

TRAINING

HIPAA and the DHHS security and privacy regulations require training all workforce members with access to individually identifiable health information. Training is an integral part of personnel security. All management are responsible for training personnel with access to health information.

SUPERVISION

Properly screening and training workforce members with access to individually identifiable health information is not enough. Workforce members and others with access must be continually reminded of their responsibilities concerning protection of health information. Therefore, management must take the following steps:

• Adherence to security and confidentiality policies must be a part of every workforce member’s performance evaluation process.

• Monitor the day-to-day performance of workforce members to detect problems with security and confidentiality before they become serious breaches.

• Audit compliance with security and confidentiality policies in accordance with the Summa Hospitals’ Information Audit Policy.

• Report breaches of security or confidentiality in accordance with the Summa Hospitals’ Information Security Policy.

• Respond to breaches of security or confidentiality.

• Commend workforce members demonstrating a high degree of proficiency in protecting data integrity and confidentiality.

• Take appropriate sanctions against workforce members who breach security/confidentiality in accordance with the Summa Hospitals’ Sanction Policy.

• Complete all necessary paperwork and notify the Systems Access Coordinator by email upon receiving notification of employee’s intent to terminate. The Systems Access Coordinator in IT & S must be notified before the employee’s last work day. The Systems Access Coordinator must have sufficient notice to notify all System Administrators of major systems, to remove a workforce member’s access to information systems with protected health information for terminations. Transfers of employees do not need to be emailed to the Systems Access Coordinator unless the removal of access is needed. New access that is needed due to transfers will either follow established protocols or the hiring manager will fill out a Hardware Software Request.

PROCEDURE: What to do for new employees?

1. Human Resources will have all new employees sign an Information Security & Confidentiality Agreement and the agreement will be stored in the database.

2. If your department has written, signed, authorized protocols for appropriate access, and the access in the protocol is all that is needed for the new employee, hiring managers do not need to fill out a Hardware/Software Request. If there is no written, signed, authorized protocol, a Hardware/Software Request must be filled out and sent to IT&S. The Systems Access Coordinator will add new major system access for new employees to the PeopleSoft database.

What to do for transferred employees?

This procedure only needs to be done if the employee no longer needs access to the following systems:

• Lab - Laboratory
• RAD - Radiology
• SMS – Siemens Registration, Pt Accts, Med Rec
• PHARM - Pharmacy
• PYXIS – Drug Dispensing
• SMED - Softmed
• CFCLN – Cuyahoga Falls, Clinical
• CFLAB – Cuyahoga Falls, Lab
• CFPH – Cuyahoga Falls, Pharmacy
• CFPTA – Cuyahoga Falls, Patient Accounts
• CFPTC – Cuyahoga Falls, Patient Care
• CFRAD – Cuyahoga Falls, Radiology
• TRNSP - Patient Transport
• CW - Clinical Information Systems
• PLATO (Sunrise)
• ED Tracker
• Document Direct
• Tempus Scheduling System

If your system is not represented in the list above, you still must ensure the employee’s access is removed or changed as necessary.

1. The hiring manager reviews the system access the employee has by contacting the Systems Access Coordinator by e-mail. The Systems Access Coordinator will be able to review the employee’s access in PeopleSoft with the manager. If the access is still appropriate to the employee’s job, then nothing needs to be sent to the Systems Access Coordinator.

2. If the hiring manager determines that access to a system is no longer appropriate, they will notify the Systems Access Coordinator by email, including the employee’s number, name, the system access that needs to be removed and the date the access needs to be removed.

3. The Systems Access Coordinator will email the affected major system administrator and remove the computer system name from the list of access for that employee in the HR software.

WHAT TO DO FOR TERMINATED EMPLOYEES

1. If an employee has any computer access, notify the Systems Access Coordinator by email as soon as you get the letter of resignation from the employee. The email should include employee number, name, last date of work, last shift of work.

2. Hiring Manager must complete the Employee Separation Checklist and send it to Human Resources to keep on file for six years past the employee’s termination date.

SANCTIONS: All workforce members of Summa Hospitals must adhere to this policy. Summa Hospitals will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions. Please refer to the Human Resources Policies on Disciplinary Policy and Rules of Conduct, and Separation from Employment. All medical staff violations of HIPAA policies will be handled through the Medical Staff Bylaws.

Reviewed 10/9/06


Processing Requests for Restrictions on Uses and Disclosures of Personal Protected Health Information

PURPOSE

Summa Hospitals collects and maintains a great deal of personal protected health information about our patients. The federal HIPAA regulations on patient privacy allow patients the right to request certain restrictions on our uses and disclosures of their information. In order to protect the privacy of our patients' personal protected health information and to comply with federal law, all workforce members of Summa Hospitals are required to comply with the provisions of this policy.

APPLICABILITY

The patient has the right to request restrictions on uses and disclosures of personal protected health information as it relates to carrying out treatment, payment, and health care operations. This also includes the right to restrict disclosures to family members and friends involved in the patient's care.

PROCEDURE

1. Request for Restrictions. Patients are advised through our Notice of Privacy Practices of their right to request a restriction on uses and disclosures of their medical information for treatment, payment, or health care operations. All requests for restrictions will be logged by the Privacy Officer and kept on file for six (6) years.

2. Processing Restrictions. Summa Hospitals is not required to approve restrictions requested by patients but will accommodate reasonable requests. When we have agreed to a restriction, the restriction must be documented by a notation in the medical record or similar notation. A clinician may approve a request for disclosures to family and friends. (See: Disclosure to Family and Friends policy.) For any other requested restrictions, the SHS workforce member receiving the request shall refer it to the Privacy Officer by leaving a voice mail message. The Privacy Officer will decide whether or not the patient’s request for restriction will be honored and communicate that decision to the manager of the area. If the request was approved, the manager will document it as necessary in the medical record. If the requested restriction was denied, reasonable attempts should be made to discuss with the patient why we have not agreed to the restriction.

3. Exceptions to Approved Restrictions. If a restriction is accepted and approved, no use or disclosure of the patient's health information may be made in violation of that restriction, with the following exceptions:

• When the patient who requested the restriction needs emergency treatment and the restricted information is needed to provide emergency treatment to the patient. If the information is disclosed to another health care provider for the emergency treatment, request that the provider not use or disclose the information further. This request can be made orally.

• Restrictions won’t apply to:

1. Necessary disclosures to the Secretary of the U.S. Department of Health and Human Services for compliance and investigation purposes;

2. To the facility directory if the patient has not opted out of being listed;

3. Or for any other use or disclosure of personal protected health information permitted by law to be made without the authorization of the patient.

4. Terminating an Approved Restriction. An approved restriction may be terminated only as follows:

• By the patient in writing or orally;

• By Summa Hospitals if the patient is informed, in writing or orally, that we are terminating the restriction.

When a previously approved restriction is terminated orally, such oral termination must be documented in the medical record with the date and the party who terminated it (i.e., the patient or Summa Hospitals). If the restriction is terminated in writing, attach the request to the medical record.

When Summa Hospitals terminates a previously approved restriction without the patient's agreement, such termination only applies to the patient's health information that is created or obtained after the patient has been informed of the termination. Information created or obtained before the notification must continue to be used and disclosed consistent with the restriction.

Reviewed 6/28/06


Sanction Policy

PURPOSE

Summa Hospitals has adopted this Sanction Policy to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Department of Health and Human Services (“DHHS”) security and privacy regulations’ requirement for such a policy, as well as to fulfill our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy and security policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

POLICY

Summa Hospitals has adopted Security and Privacy Policies requiring Summa Hospitals and its workforce members to protect the integrity and confidentiality of protected health information and other sensitive information pertaining to our patients. In addition, Summa Hospitals and its departments have adopted policies and standards to carry out the objectives of the Security and Privacy Policies. Each of these policies and standards notes that all workforce members of Summa Hospitals must adhere to these policies and standards, that Summa Hospitals will not tolerate violations of these policies and standards, and that such violations constitute grounds for disciplinary action up to and including termination, professional discipline, and criminal prosecution.

Any workforce member of Summa Hospitals who believes another workforce member of Summa Hospitals has breached the facility’s Security and/or Privacy Policies or otherwise breached the integrity or confidentiality of protected health information or other sensitive information must immediately report such breach to his or her superior, the Information Security Officer, or the Privacy Officer. The Information Security Officer or Privacy Officer in conjunction with management and Human Resources will conduct a thorough and confidential investigation into the allegations. The facility will inform the complainant of the results of the investigation and any corrective action taken. Summa Hospitals will not retaliate against or permit reprisals against a complainant. Allegations not made in good faith, however, may result in discharge or other discipline.

As noted in the facility’s Human Resources Policy and Procedure Manual, Summa Hospitals has a progressive discipline policy under which the level of discipline imposed is related to the severity and frequency of the infraction. Disciplinary actions range from formal counseling through written warning, final written warning, loss of access, suspension without pay, demotion, or discharge. In the discretion of management, and in consultation with Human Resources, Summa Hospitals will determine the level of discipline for breaches of privacy or information security policy based on the following criteria:

1. The degree to which generic safeguards were violated as established by policy, procedure and practice norms

2. Evidence that the actions or decision-making on the part of the workforce member are reflective of a pattern in his/her practice

3. Expectation that the workforce member can/will gain the necessary knowledge, skill or responsibility to prevent a recurrence

4. The extent and severity of the actual or potential outcome of the breach of privacy or information security

5. The degree to which the breach was willful or grossly negligent

6. The degree to which inadequacies in systems or processes contributed to the breach

7. Previous performance-related disciplinary actions against the workforce member

8. Human Resources policies and Rules of Conduct.

Violation of the facility’s security and privacy policies or individual policies and standards may constitute a criminal offense under HIPAA, other federal laws, such as the Federal Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030, or state laws. Any workforce member who violates such a criminal law may expect that Summa Hospitals will provide information concerning the violation to appropriate law enforcement personnel and will cooperate with any law enforcement investigation or prosecution. Further, violations of the facility’s security and privacy policies or individual policies and standards may violate professional ethics and be grounds for professional discipline. Any individual subject to professional ethics guidelines and/or professional discipline should expect Summa Hospitals to report such violations to appropriate licensure/accreditation agencies and to cooperate with any professional investigation or disciplinary proceedings. All workforce members of Summa Hospitals are expected to comply and cooperate with the facility’s administration of this policy. Please refer to Human Resource Policy, Disciplinary Process and Rules of Conduct.

Reviewed 10/9/2006


Termination Procedure

Objective: Summa Hospitals has adopted this Termination Procedure to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Department of Health and Human Services (“DHHS”) security and privacy regulations, the Joint Commission on Accreditation of Healthcare Organizations (“JCAHO”) accreditation standards, the American Osteopathic Association (“AOA”) standards, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. All personnel of Summa Hospitals must comply with this policy. Familiarity with the policy and demonstrated competence in the requirements of the policy are an important part of every employee’s responsibilities.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals’ premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy and security policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

POLICY

HIPAA and the DHHS security and privacy regulations require termination procedures for all personnel with access to individually identifiable health information.

• The Manager is responsible for immediately notifying the Systems Access Coordinator within Information Technology and Services by e-mail of employees and others, such as independent contractors, who will be voluntarily leaving Summa Hospitals’ employ or otherwise (through reassignment, extended absence, and so forth) and will no longer need access to health information.

• The Manager is responsible for notifying the Systems Access Coordinator within Information Technology and Services by e-mail of employees and others, such as independent contractors, who through reassignment or otherwise no longer need the level of access that they previously had so that their level of access can be adjusted.

• Any other workforce member who becomes aware that a data user is leaving the facility either permanently or for an extended or unexplained absence should report the matter to the data user’s Manager, Information Security Officer and/or the Privacy Officer for a determination of whether to revoke/suspend that data user’s access.

• Employees and others who are involuntarily terminated may expect to have their data access immediately terminated.

Upon voluntary resignation or involuntary termination of an employee or other person with access, the Manager will immediately take the following actions:

o Retrieve sensitive materials, including access control items, such as keys and badges.

o Retrieve all hardware, software, data, and documentation issued to or otherwise in the possession of the data user.

o Complete Human Resource Status Form and send to Human Resources to assure personnel are removed from payroll.

o Complete the Employee Separation Checklist (available on the Summa Forms bulletin board) to terminate computer software access, to verify retrieval of all items, to discuss any security/confidentiality concerns with the data user, and to remind the data user of the continuing need to protect data security and patient confidentiality.

o Forward the completed Employee Separation Checklist to the Human Resources Department where it will be retained for not less than six years from termination date.

o Arrange for the department Manager, Human Resources, or Security as is appropriate to the situation, to escort involuntarily terminated personnel from the facility and/or for an immediate audit of their accounts to detect any security or confidentiality threats or breaches, when the situation warrants these actions.

Upon voluntary resignation or involuntary termination of an employee or other person with access, the Systems Access Coordinator within Information Technology and Services will take the following actions:

o Check the PeopleSoft database for any major system access.

o Notify the necessary System Administrators of the employee’s number, termination date, and last shift of work.

o System Administrators will enter future termination-of-access dates into their systems if the software has that functionality; if not, the administrator will have a process in place to remove access as soon as it is no longer needed.
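The hand-off described in this Termination Procedure, and in the "What to do for terminated employees" steps of the Personnel Security Policy above, is a reconciliation problem: the coordinator has a separation notice per person (employee number, last date of work, last shift) and a register of major-system access, and each administrator must disable the account by a deadline. The script below is an added example, not a tool from Summa Hospitals or from any product named on this page; it models that hand-off and then performs the follow-up check the policy implies, flagging accounts that were still enabled, or were disabled only late, once the deadline passed. The shift end times, the system codes used in the data, and all employee records are constructed for illustration.

```python
"""Reconciling HR separation notices against a system-access register (added example)."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed shift end times for this example only (hypothetical; real rosters vary).
SHIFT_END = {"day": time(15, 30), "evening": time(23, 30), "night": time(7, 30)}


@dataclass(frozen=True)
class SeparationNotice:
    """What the manager's e-mail to the Systems Access Coordinator carries."""
    employee_number: str
    name: str
    last_work_date: date
    last_shift: str            # key into SHIFT_END
    involuntary: bool = False  # involuntary terminations lose access immediately


@dataclass
class AccessRecord:
    """One row of the (constructed) major-system access register."""
    employee_number: str
    system: str                             # e.g. "LAB", "RAD", "SMS"
    disabled_at: Optional[datetime] = None  # None: the account is still enabled


def access_deadline(notice: SeparationNotice, notified_at: datetime) -> datetime:
    """Latest moment the account may still be enabled: the notification time
    for involuntary separations, otherwise the end of the final shift (a night
    shift that starts on the last work date ends the following morning)."""
    if notice.involuntary:
        return notified_at
    end_date = notice.last_work_date
    if notice.last_shift == "night":
        end_date += timedelta(days=1)
    return datetime.combine(end_date, SHIFT_END[notice.last_shift])


def build_revocation_schedule(notices, register, notified_at):
    """Group the work by system so each System Administrator gets one message:
    {system: [(employee_number, deadline), ...]}. People with no separation
    notice are out of scope and are skipped."""
    by_employee = {n.employee_number: n for n in notices}
    schedule: Dict[str, List[Tuple[str, datetime]]] = {}
    for rec in register:
        notice = by_employee.get(rec.employee_number)
        if notice is None:
            continue
        schedule.setdefault(rec.system, []).append(
            (rec.employee_number, access_deadline(notice, notified_at)))
    return schedule


def audit_stale_access(notices, register, notified_at, as_of):
    """Accounts whose deadline has passed as of `as_of` and that are either still
    enabled or were disabled only after the deadline. Returns a sorted list of
    (employee_number, system, deadline)."""
    by_employee = {n.employee_number: n for n in notices}
    findings = []
    for rec in register:
        notice = by_employee.get(rec.employee_number)
        if notice is None:
            continue
        deadline = access_deadline(notice, notified_at)
        if deadline > as_of:
            continue  # not yet due; nothing to report
        if rec.disabled_at is None or rec.disabled_at > deadline:
            findings.append((rec.employee_number, rec.system, deadline))
    return sorted(findings)


# Constructed sample data (not real employees or access records).
NOTIFIED_AT = datetime(2006, 10, 2, 9, 0)   # when the coordinator read the e-mails
AS_OF = datetime(2006, 10, 20, 0, 0)        # when the audit is run
NOTICES = [
    SeparationNotice("E1001", "Example Nurse", date(2006, 10, 13), "night"),
    SeparationNotice("E1002", "Example Clerk", date(2006, 10, 2), "day", involuntary=True),
]
REGISTER = [
    AccessRecord("E1001", "LAB", disabled_at=datetime(2006, 10, 14, 7, 30)),  # on time
    AccessRecord("E1001", "SMS"),                                             # never disabled
    AccessRecord("E1002", "RAD", disabled_at=datetime(2006, 10, 3, 9, 0)),    # a day late
    AccessRecord("E1003", "PYXIS"),                                           # no notice: out of scope
]


def run_example():
    """Return the audit findings for the constructed data."""
    return audit_stale_access(NOTICES, REGISTER, NOTIFIED_AT, AS_OF)


if __name__ == "__main__":
    for system, items in sorted(build_revocation_schedule(NOTICES, REGISTER, NOTIFIED_AT).items()):
        print(system, items)
    for emp, system, deadline in run_example():
        print(f"STALE {emp} {system} (access was due to end {deadline:%Y-%m-%d %H:%M})")
```

The audit is the part worth keeping: the policy allows administrators to pre-enter a future deactivation date, and a register that records when each account was actually disabled lets the coordinator confirm after the fact that every system honoured the deadline rather than trusting the e-mail was acted on.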

Upon voluntary resignation or involuntary termination, employees and other persons with access will take the following actions:

o Work with the Manager to complete the Employee Separation Checklist. Employees and other persons who do not assist the Hiring Manager in completing the checklist may be marked as ineligible for re-hire.


Enforcement

All workforce members of Summa Hospitals must adhere to this policy. Summa Hospitals will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions. Please refer to the Human Resource Policies on Disciplinary Policy and Rules of Conduct, and Separation from Employment. All medical staff violations of HIPAA policies will be handled through the Medical Staff Bylaws.

Revised September 2003, 6/28/06


Verification of Identity and Authority

PURPOSE

Summa Hospitals collects and maintains a great deal of personal protected health information about our patients. The federal HIPAA regulations on patient privacy and confidentiality place restrictions on our ability to use and disclose that information to certain persons without proper verification. In order to protect the privacy and confidentiality of our patients’ personal protected health information and to comply with federal law, all workforce members of Summa Hospitals are required to comply with the provisions of this policy.

APPLICABILITY

Workforce Members. For purposes of this policy, the workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of Summa Hospitals, regardless of whether they are paid by Summa Hospitals. In addition, the workforce includes independent contractors whose assigned workstations are on Summa Hospitals premises and who perform a substantial proportion of their activities at that location.

Medical Staff. Provisions of Summa Hospitals’ privacy policies apply to all members of the medical staff while performing clinical, administrative or educational duties at Summa Hospitals.

DEFINITIONS

Protected health information (PHI), the subject of this policy, includes information that is:

1. Created or received by Summa Hospitals;

2. Relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or the past, present, or future payment for the provision of health care to a patient; and

3. Identifies the patient or provides a reasonable basis to believe that it can be used to identify the patient.

The following components of a patient's information also are considered protected health information:

• names;

• street address, city, county, precinct, zip code;

• dates directly related to a patient, including birth date, admission date, discharge date, and date of death;

• telephone numbers, fax numbers, and electronic mail addresses;

• Social Security numbers;

• medical record numbers;

• health plan beneficiary numbers;

• account numbers;

• certificate/license numbers;

• vehicle identifiers and serial numbers, including license plate numbers;

• device identifiers and serial numbers;

• Web Universal Resource Locators (URLs);

• biometric identifiers, including finger and voice prints;

• full face photographic images and any comparable images; and

• any other unique identifying number, characteristic, or code.

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of protected health information to persons who are neither members of Summa Hospitals’ workforce nor working within Summa Hospitals.

Use. The sharing, employment, application, utilization, examination, or analysis of protected health information by any member of Summa Hospitals’ workforce or others working within Summa Hospitals.

POLICY

All workforce members of Summa Hospitals, as a condition of their employment or continued relationship with Summa Hospitals, are required to comply with the following requirements regarding protected health information:

PROCEDURE

1. Except as otherwise provided in this policy, verify the identity of a person requesting protected health information and the authority of any such person to have access to that protected health information if the identity or authority of such person is not known to you; and

2. Except as otherwise provided in this policy, acceptable verification can include a photo identification, social security number, a known address or place of business, valid letterhead, or oral information that provides assurances that the person is who he/she says he/she is. Retain all written documentation in the patient’s medical record and/or the patient’s billing record and record any oral information provided.


3. Departments may have stricter verification procedures if applicable for departmental operation.

ACCEPTABLE VERIFICATION

1. Requests by Patients for Their Own Information. If the request is made in person and that person is unknown to you, verify by use of photo identification. If the request is made by mail, fax, or phone verify by telephoning the patient to obtain identification information such as date of birth, social security number, or dates of admission or treatment. Obtain the telephone number from a public source such as a telephone book or an internet site.

Protected health information requested and authorized by a patient may be released to an authorized second party upon verification.

2. Requests by a Personal Representative for a Patient’s Information. Verify the identity of the personal representative by photo identification if the personal representative is present and unknown to you. When the personal representative is not present, use your best judgment and efforts to ascertain that the person is who he/she says he/she is. Examples of verification can include asking the personal representative to verify the patient’s birth date or social security number, or verifying the personal representative’s full name and address.

It is also necessary to verify the authority of the personal representative to act for the patient. If the personal representative is a guardian or holds a power of attorney, obtain copies of the guardianship or power of attorney documentation before releasing any protected health information. If the personal representative is a parent of a minor child and is unknown to you, verify by requesting information about the minor patient, such as social security number, dates of admission or treatment, age of the minor patient, etc.

Departments may have stricter verification procedures if applicable for departmental operation.

3. Requests by Public Officials: You may reasonably rely on any of the following to verify identity when the disclosure of personal protected health information is to a public official or a person acting on behalf of the public official:

a. If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

b. If the request is in writing, the request is on the appropriate government letterhead; or

c. If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government’s authority, or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.

You may reasonably rely on any of the following to verify authority when the disclosure of personal protected health information is to a public official or a person acting on behalf of the public official:

• A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority;

• A request made pursuant to legal process (a warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal) is presumed to constitute legal authority.

VERIFICATION NOT REQUIRED. It is not necessary to verify the identity or authority of persons in the following circumstances:

1. Signatures by patients on authorization forms whether or not the patient is present when signing;

2. Persons who request information about a patient by patient name through the facility directory;

3. Members of the clergy who request facility directory information;

4. Conversations with family and friends involved in the care of the patient or in paying for the care of the patient. See our Policy on Disclosures to Family and Friends Involved with a Patient;

5. Routine communications between providers or with health plans where existing relationships have been established;

6. In any emergency situation where you have no reasonable basis to believe that the patient would object to the release of the information.

In any case where you have reservations as to the identity of a person or the authority of a person to receive personal protected health information, request assistance from the Summa Hospitals Privacy Officer, who may request that the person sign an affidavit of identity or authority or appear in person.

Revised 6/28/06