THE INSTITUTE OF PROFESSIONAL PRACTICE, INC.*

HIPAA POLICIES AND PROCEDURES MANUAL

FOR PERSONS SERVED

REVISED

June 10, 2010

January 7, 2011

February 8, 2011

May 31, 2011

November 8, 2011

September 23, 2013

*Including Mid-Atlantic Human Services Corporation

i

THE INSTITUTE OF PROFESSIONAL PRACTICE HIPAA

POLICIES AND PROCEDURES MANUAL FOR PERSONS SERVED

TABLE OF CONTENTS

GENERAL POLICY ..... 1

Definitions ..... 3

PART A. PRIVACY ..... 11

SECTIONS   PAGES

I. CONFIDENTIALITY ..... 11

II. IDENTIFYING PHI ..... 11

III. PROPER USE AND DISCLOSURE ..... 12

IV. PROPER USE AND DISCLOSURE/MINIMUM NECESSARY STANDARD ..... 12

V. ACCESS/AUTHORIZATION ..... 13

VI. ACCESS/LIMITED ACCESS TO PERSONS SERVED RECORDS ..... 14

VII. INFORMAL DISCLOSURE OF PHI ..... 16

VIII. BUSINESS ASSOCIATES/ADHERENCE TO POLICY ..... 17

IX. PROTECTION OF PHI DURING NON-EMERGENCY/PERMITTED USES ..... 20

X. THERAPY AND COUNSELING RECORDS ..... 21

XI. RECORDS CORRECTION ..... 22

XII. CLOSED CASES ..... 22

XIII. MAILING PHI ..... 23

XIV. E-MAIL MESSAGES ..... 23

XV. FACSIMILE ..... 24

XVI. TELEPHONE ..... 25

XVII. TRANSCRIPTION ..... 25

XVIII. PRINTING/COPYING ..... 27

XIX. PHI SHALL BE STORED SECURELY ..... 27

XX. IDENTIFICATION OF NON PHI/DE-IDENTIFYING PHI ..... 28

XXI. PERMITTED USES/TREATMENT ..... 29

XXII. PERMITTED USES/PAYMENT ..... 31

XXIII. PERMITTED USES/HEALTH CARE OPERATIONS ..... 32

ii

XXIV. PERMITTED USES/LEGAL, JUDICIAL, ADMINISTRATIVE, AND LAW ENFORCEMENT PROCEEDINGS ..... 33

XXV. PERMITTED USES/HEALTH AND PUBLIC HEALTH OVERSIGHT ..... 35

XXVI. MISCELLANEOUS PERMITTED USES/WORKERS COMPENSATION ..... 36

XXVII. AUTHORIZATIONS/WHEN AUTHORIZATIONS ARE REQUIRED ..... 38

XXVIII. AUTHORIZATIONS/CORE ELEMENTS OF AN AUTHORIZATION ..... 38

XXIX. AUTHORIZATIONS/SPECIAL CASE/PSYCHOTHERAPY NOTES ..... 41

XXX. AUTHORIZATION/SPECIAL CASE/MARKETING ..... 42

XXXI. AUTHORIZATION/REVOCATIONS, AND RESTRICTIONS OF USES ..... 45

XXXII. RIGHT OF ACCESS/NOTIFICATION ..... 46

XXXIII. RIGHT OF ACCESS/SPECIAL RULES FOR ACCESS TO TREATMENT NOTES ..... 48

XXXIV. RIGHT OF ACCESS/RIGHT TO CORRECT, MODIFY AND AMEND PHI ..... 49

XXXV. RIGHT OF ACCESS/RIGHT OF PERSONS SERVED TO RELEASE PHI ..... 50

XXXVI. REQUESTS FOR ALTERNATE CONFIDENTIAL COMMUNICATIONS ..... 51

XXXVII. CONFLICT RESOLUTION ..... 53

XXXVIII. MITIGATION OF INADVERTENT DISCLOSURES OF PHI ..... 53

XXXIX. DOCUMENTATION AND RECORDKEEPING/ACCOUNTING FOR DISCLOSURES ..... 53

XL. NOTICE OF PRIVACY POLICY ..... 55

XLI. WRITTEN POLICIES/POSTING ..... 56

XLII. SUBSTANTIVE CHANGES IN POLICY AND PROCEDURES/NOTIFICATION/TIMELINESS ..... 57

XLIII. TRAINING ..... 57

XLIV. RETENTION OF PRIVACY DOCUMENTATION ..... 57

XLV. SANCTIONS ..... 62

XLVI. PRIVACY OFFICER ..... 63

XLVII. PRIVACY BREACH NOTIFICATION ..... 63

XLVIII. PRIVACY OFFICER/JOB DESCRIPTION ..... 69

iii

PART B. SECURITY PROCEDURES ..... 70

I. GENERAL REQUIREMENTS OF THE SECURITY STANDARDS ..... 70

II. ELECTRONIC PHI ..... 70

III. PHI ADMINISTRATIVE PROCEDURES ..... 71

IV. SYSTEM INVENTORY ..... 71

V. SYSTEMIC RISK ANALYSIS ..... 71

VI. RISK MANAGEMENT PROGRAM ..... 72

VII. LOW LEVEL RISK INFRASTRUCTURE ..... 73

VIII. ACCESS/AUTHORIZATION ..... 73

IX. REVIEW OF AUTHORIZATION AND OTHER INFRASTRUCTURE REQUIREMENTS ..... 73

X. CRIMINAL BACKGROUND CHECKS/PHI ..... 74

XI. AUTHENTICATION/PASSWORD MANAGEMENT SYSTEM ..... 74

XII. INTERNAL BREACHES/ATTEMPTS NOTED ..... 75

XIII. SECURING PHI WHEN AUTHORIZED STAFF LEAVE ..... 76

XIV. CORRECTIONS OF ELECTRONIC RECORDS ..... 77

XV. SECURE TRANSMISSION OF ELECTRONIC DATA ..... 78

XVI. PHI PROTECTION WHEN SHARED ..... 78

XVII. STORING ELECTRONIC DATA SECURELY ..... 79

XVIII. DISPOSING OF ELECTRONIC DATA SECURELY ..... 79

XIX. PHI BACKUP ..... 80

XX. PREVENTION OF VIRAL/MALICIOUS SOFTWARE ..... 80

XXI. CONTINGENCY PLANS: BACKUP, DISASTER RECOVERY, EMERGENCY OPERATIONS ..... 81

XXII. SECURITY AND PRIVACY TRAINING ..... 81

XXIII. SANCTIONS POLICY ..... 82

XXIV. FAIR ADMINISTRATION OF SANCTIONS POLICY ..... 82

XXV. WRITTEN SECURITY POLICIES AND PROCEDURES ..... 83

XXVI. REVIEW OF SECURITY POLICIES AND PROCEDURES ..... 83

XXVII. SECURITY OFFICER ..... 83

XXVIII. EXCEPTIONS ..... 84

XXIX. DISCLOSURES OF ELECTRONIC PHI TO BUSINESS ASSOCIATES ..... 84

iv

PART C. FORMS

1. HIPAA EMPLOYEE ACKNOWLEDGEMENT

2. BUSINESS ASSOCIATE AGREEMENT

3. BUSINESS ASSOCIATE TRACKING WORKSHEET

4. AUTHORIZATION FOR RELEASE OF INFORMATION

5. REQUEST FOR ALTERNATE COMMUNICATIONS

6. RESPONSE TO REQUEST FOR ALTERNATE COMMUNICATIONS

7. REQUEST FOR ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION

8. RESPONSE TO REQUEST FOR ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION

9. REQUEST TO AMEND OR CORRECT PROTECTED HEALTH INFORMATION

10. RESPONSE TO REQUEST TO AMEND OR CORRECT PROTECTED HEALTH INFORMATION

11. REQUEST FOR RESTRICTIONS ON USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION

12. RESPONSE TO REQUEST FOR RESTRICTIONS ON USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION

13. NOTICE OF AVAILABILITY OF PRIVACY PRACTICES

14. NOTICE OF PRIVACY PRACTICES

15. PRIVACY DISCLOSURE LOG

16. REQUEST TO INSPECT OR COPY PROTECTED HEALTH INFORMATION

17. RESPONSE TO REQUEST TO INSPECT OR COPY PROTECTED HEALTH INFORMATION

18. COMPLAINT FORM

- 1 -

GENERAL POLICY: It is the policy of the Institute of Professional Practice, Inc. (IPPI) to preserve the integrity and confidentiality of medical, behavioral, and therapeutic records along with other sensitive health information pertaining to the persons whom it serves (“Person” or “Persons Served”). As further defined herein, such records, data and information shall be considered protected health information (PHI).

This Manual will ensure that IPPI and its officers, employees and agents have the necessary

medical, behavioral, therapeutic and financial information needed to provide the highest quality

care possible, while protecting the confidentiality of that information in accordance with local,

state and federal laws and regulations. To this end, IPPI, its officers, employees and agents will

collect and use individual PHI only for purposes of providing medical, behavioral, therapeutic

and financial services and for supporting the delivery, quality, integrity and payment of such

services.

IPPI, its officers, employees and agents recognize that PHI collected about Persons Served must

be accurate, complete, timely and available when needed. It will complete, authenticate and

maintain all records containing PHI in accordance with local, state, and federal laws, professional

ethics, and relevant accreditation standards. Reasonable measures will be taken to preserve the

integrity of all PHI, and no PHI will be altered or destroyed, except as permitted by law, when

necessary, and according to accepted policies.

IPPI recognizes that Persons Served have a right of privacy with respect to PHI. As such, IPPI, its

officers, employees and agents will respect the individual dignity of Persons Served at all times,

acting as responsible stewards of information and treating all individual PHI records and data as

sensitive and confidential.

IPPI also recognizes that Persons Served, IPPI and/or their legal representatives have the right of access to their own PHI and will provide access to such PHI in a timely fashion using reasonable procedures and in compliance with local, state and federal laws. Persons Served and/or their legal representatives will also be given the opportunity to request and to provide deletions and modifications to the record should they feel such are necessary.

All employees, officers, and agents of IPPI must adhere to this general policy and IPPI will not

tolerate violations of it. Violation of this policy is grounds for disciplinary action, up to and

including termination of employment and criminal or professional sanctions in accordance with

IPPI’s PHI sanction policy as well as with local, state, and Federal laws and regulations, and the

standards of ethics of professional organizations.

No third party rights are intended to be created by this policy. IPPI reserves the right to amend or

change this policy at any time (and even retroactively) without notice. To the extent this policy

establishes requirements and obligations on IPPI, acting as either a covered entity or non-covered

entity, above and beyond those required by the Health Insurance Portability and Accountability

Act of 1996 (HIPAA), those requirements and policies shall be aspirational and shall not be

binding on IPPI.

This policy does not address requirements under other federal or state laws.

To the extent state laws are more stringent than the HIPAA rules, those laws shall govern.

A state law relating to privacy or security will be considered “more stringent” than HIPAA privacy and security standards if the state law meets at least one of the following six criteria:

- 2 -

1. The state law prohibits or restricts uses and disclosures of PHI that

would otherwise be permitted by the HIPAA standards;

2. The state law permits individuals greater rights of access to or

amendment of PHI;

3. The state law permits greater disclosure/notice of information to an

individual who is the subject of PHI about use, disclosure, rights, and

remedies relating to such PHI, including disclosures relating to data security

breaches;

4. With respect to an authorization/release of records form, the state law

narrows the scope or duration, increases the privacy protections afforded, or

reduces the coercive effect of the circumstances surrounding the

authorization, as applicable;

5. With respect to record keeping or requirements relating to

accounting of disclosures, the state law requires retention or

reporting of more detailed information or for a longer duration; or

6. With respect to any other matter, the state law provides greater privacy

or security protections for the person who is the subject of the PHI.

For purposes of the Manual, a “covered entity” is a health care provider who transmits any health

information in electronic form in connection with a transaction covered by subchapter C of

subtitle A of Title 45 of the Code of Federal Regulations.

RATIONALE: These policies have been developed in response to the enactment of laws and

regulations of the federal government regarding protected health information, enacted and

modified from time to time.

STRUCTURE OF THE MANUAL: The following pages state the specific policies to be implemented under the Manual, each followed by the procedure that implements the specific policy. The Manual consists of four parts: Part A (Privacy), Part B (Security), Part C (Forms used in the administration of the Manual).

PERSON RESPONSIBLE: Corporate Privacy Officer

DATE EFFECTIVE: June 1, 2011; Last Revision September 23, 2013

- 3 -

DEFINITIONS

Where the following capitalized terms appear in these Policies, they have the definitions

set forth below.

(1) Authorization: A written document that authorizes a Use or Disclosure of Protected Health Information or PHI and that satisfies Sections XXVII-XXXI of this Manual.

(2) Business Associate: A person who, on behalf of IPPI or as a subcontractor of an

IPPI Business Associate, either (i) performs (or assists in the performance of) a

function or activity involving the Use or Disclosure of protected health

information or any other function or activity regulated by the HIPAA Privacy

Standards; (ii) provides legal, actuarial, accounting, consulting, data aggregation,

management, administrative, accreditation, or financial services to or for IPPI,

where the provision of the service involves the Disclosure of protected health

information from IPPI, or from another Business Associate of IPPI, to the person;

or (iii) creates, receives, maintains, or transmits PHI on behalf of a covered entity;

provided that the term “Business Associate” does not include IPPI when it is

functioning as the sponsor of a group health plan.i The relationship between IPPI

and a Business Associate must be formalized by a written Business Associate

Agreement that binds the Business Associate to comply with all applicable

provisions of this Manual as to any PHI collected or held on behalf of IPPI and

includes a Certification.

(3) Carrier: A health insurance carrier, which is an insurance company, insurance

service, or managed care organization (including an HMO) that is licensed under

and subject to state law that regulates insurance; provided that the term “Carrier”

does not include a group health plan.ii

(4) Certification: A certification that an entity shall:

a. Not Use or Disclose PHI other than as permitted or required by the group

health plans administered or sponsored by IPPI or as required by law;

b. Agree to the same restrictions and conditions that apply to IPPI with

respect to such information;

c. Not Use or Disclose PHI for employment-related actions and decisions or

in connection with any other benefit or employee benefit plan of IPPI or

IPPI Administration;

d. Take steps to deal with any Use or Disclosure of PHI of which it becomes

aware that is inconsistent with the Uses or Disclosures provided for;

e. Make available PHI in accordance with individuals’ right to access PHI, which right is described in Sections XXXIII-XXXV of this Manual;

- 4 -

f. Make available PHI for amendment and incorporate any PHI amendments

into the Designated Record Sets held by IPPI in accordance with

individuals’ right to request amendments of PHI, which right is described

in Section XXXIV of this Manual;

g. Make available the information required to provide an accounting of

disclosures of PHI in accordance with individuals’ right to receive an

accounting of disclosures, which right is described in Section XXXIX of

this Manual;

h. Make IPPI’s internal practices, books, and records relating to the Use and

Disclosure of PHI available to the Secretary for purposes of determining

IPPI’s compliance with the HIPAA Privacy Standards;

i. If feasible, return or destroy all PHI received that IPPI still maintains in

any form and retain no copies of such information when no longer needed

for the purpose for which Disclosure was made, except that, if such return

or destruction is not feasible, limit further Uses and Disclosures to those

purposes that make the return or destruction of the information infeasible;

and

j. Ensure that any adequate separation of records or PHI is established and

maintained.iii

(5) Contact Person: The person or office designated as the Privacy Officer.

(6) Covered Entity: A health plan (as defined by HIPAA), a health care

clearinghouse (as defined by HIPAA), or a health care provider (as defined by

HIPAA) who transmits any health information in electronic form in connection

with a transaction covered by Subchapter C of Subtitle A of Title 45 of the Code

of Federal Regulations.iv

(7) De-identified Information: Information that does not identify an individual and

that IPPI has no reasonable basis to believe can be used to identify an individual.v

Two methods by which IPPI can demonstrate that information qualifies as De-

identified Information are as follows:

a. A person with appropriate knowledge of and experience with generally

accepted statistical and scientific principles and methods for rendering

information not individually identifiable: (i) determines, applying such

principles and methods, that the risk is very small that the information

could be used, alone or in combination with other reasonably available

information, by an anticipated recipient to identify an individual who is a subject of the information, and (ii) documents the methods and results of the analysis that justify such determination; or

- 5 -

b. IPPI ensures that (i) it does not have actual knowledge that the information

could be used alone or in combination with other information to identify

an individual who is a subject of the information, and (ii) the following

identifiers of the individual, or relatives, employers, or household

members of the individual, are removed:

• Names;

• All geographic subdivisions smaller than a state, including street

address, city, county, precinct, and zip code and their geocodes (except

that the initial three digits of a zip code may be used if more than 20,000

people reside within the area included in all zip codes sharing those

initial three digits, and, if fewer than 20,000 people reside within such

area, the number “000” may be used instead);

• All elements of dates (except the year) for dates directly related to an

individual, including birth date, admission date, discharge date, and date

of death;

• All ages over 89 and all elements of dates (including the year) indicative

of such age, except that such ages and elements may be aggregated into

a single category of age 90 or older;

• Telephone numbers;

• Fax numbers;

• Electronic mail addresses;

• Social Security numbers;

• Medical record numbers;

• Health plan beneficiary numbers;

• Account numbers;

• Certificate/license numbers;

• Vehicle identifiers and serial numbers, including license plate numbers;

• Device identifiers and serial numbers;

• Web Universal Resource Locators (URLs);

• Internet Protocol (IP) address numbers;

• Biometric identifiers, including finger and voice prints;

• Full face photographic images and any comparable images; and

• Any other unique identifying number, characteristic, or code (other than

a code that enables the information’s creator to re-identify the

information).vi
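As an added example (not code from the Manual), the following Python applies the definition (7)(b) rules to a constructed record: it drops the listed identifiers, keeps at most the year of dates related to the individual, aggregates ages over 89 into a single "90 or older" category, and applies the three-digit ZIP rule against a constructed (not census) population table. The field names, the ZIP3 population figures and the sample person are all assumptions made for illustration.

```python
"""Safe Harbor de-identification following definition (7)(b) of the Manual.

Added example, not code from IPPI's Manual. Field names, the ZIP3 population
table and the sample record are constructed for illustration (not census
data and not a real person).
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Identifiers the Manual lists for outright removal (names, geography below
# state level, phone/fax, e-mail, SSN, MRN, plan/account/license numbers,
# vehicle and device IDs, URLs, IP addresses, biometrics, photographs).
REMOVE_FIELDS = frozenset({
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "beneficiary_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
})

# Dates directly related to the individual: only the year may be retained.
DATE_FIELDS = frozenset({"admission_date", "discharge_date", "date_of_death"})

# Constructed population counts for the areas sharing a ZIP3 prefix.
ZIP3_POPULATION = {"021": 1_500_000, "036": 12_000}
POPULATION_THRESHOLD = 20_000  # the Manual's "more than 20,000 people" test
AGE_CAP = 89                   # ages over 89 collapse into "90 or older"


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits only when more than 20,000 people live
    in all ZIP codes sharing them; otherwise the Manual requires "000"."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) == 3 and ZIP3_POPULATION.get(zip3, 0) > POPULATION_THRESHOLD:
        return zip3
    return "000"


def compute_age(birth_date: date, as_of: date) -> int:
    """Whole years from birth_date to as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into the single category "90+"."""
    return "90+" if age > AGE_CAP else str(age)


def deidentify(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Return a copy of record with the listed identifiers removed or
    generalized. Fields the rule does not name (state, diagnosis, ...) pass
    through unchanged."""
    age = compute_age(record["birth_date"], as_of)
    over_cap = age > AGE_CAP
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            # The birth year is itself "indicative of such age" for anyone
            # over 89, so it is dropped for them and kept as a year otherwise.
            if not over_cap:
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = value.year
        else:
            out[key] = value
    out["age"] = generalize_age(age)
    return out


# Constructed sample input (fictitious person) and reference date.
AS_OF = date(2021, 7, 1)
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "street_address": "12 Example Street",
    "city": "Boston",
    "state": "MA",
    "zip": "02115-4401",
    "birth_date": date(1931, 6, 15),
    "admission_date": date(2013, 3, 2),
    "phone": "617-555-0100",
    "mrn": "MRN-000123",
    "diagnosis": "Hypertension",
}
# Same record moved to a sparsely populated ZIP3 area with a younger person.
YOUNG_RECORD: dict[str, Any] = dict(
    SAMPLE_RECORD, birth_date=date(1980, 1, 1), zip="03601"
)

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
    print(deidentify(YOUNG_RECORD, AS_OF))
```

Method (a) of the definition, the expert statistical determination, is a documented analysis rather than a transform, so only method (b) is implemented here.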

(8) Designated Record Set: The set of information that includes PHI and that either

(i) is enrollment, Payment, claims adjudication, and case or medical management

record systems maintained by or for IPPI, or (ii) is used, in whole or in part, to

make decisions about individuals.vii

- 6 -

(9) Disclosing, a Disclosure, to Disclose or to be Disclosed: Divulging information

outside an entity, including release, transfer, or provision of access to

information.viii

(10) Group Health Plan or Plan: Group health coverage that is offered to eligible

employees, retired employees, spouses and eligible dependents of IPPI and related

entities and that is self-funded.

(11) Health Care: Services that prevent, treat, cure or heal human physical and mental

conditions and illnesses.

(12) Health Care Operations: Any of the following activities:

a. Reviewing the competence or qualifications of health care professionals;

evaluating practitioner and provider performance or health plan

performance; conducting training programs in which students, trainees, or

practitioners in areas of health care learn under supervision to practice or

improve their skills as health care providers; training of non-health care

professionals; and accreditation, certification, licensing, or credentialing

activities;

b. Underwriting, premium rating, and other activities relating to the creation,

renewal, or replacement of a contract of health insurance or health

benefits; and ceding, securing, or placing a contract for reinsurance of risk

relating to claims for health care (including stop-loss insurance and excess

of loss insurance);

c. Conducting or arranging for medical review, legal services, and auditing

functions (including fraud and abuse detection and compliance programs);

d. Business planning and development (including cost-management and

planning-related analyses related to managing and operating the entity,

formulary development and administration, and development or

improvement of methods of payment or coverage policies); and

e. Business management and general administrative activities of the entity

including (i) management activities relating to implementation of and

compliance with the requirements of the HIPAA Privacy Standards; and

(ii) in accordance with the HIPAA Privacy Standards creating De-

identified Information or a Limited Data Set.ix

(13) Health Care Provider: A physician or other provider licensed under the laws of

the state to provide health care to an individual.

(14) Health Oversight Agency: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe (or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority) that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.x

- 7 -

(15) HIPAA: The Health Insurance Portability and Accountability Act of 1996, as

amended from time to time.

(16) HIPAA Privacy Standards or Privacy Rule: The privacy regulations at Part 160

of, and subparts A and E of Part 164 of, Title 45 of the Code of Federal

Regulations, as amended from time to time.

(17) HMO: A federally qualified health maintenance organization, an organization

recognized as a health maintenance organization under state law, or a similar

organization regulated for solvency under state law in the same manner and to the

same extent as such a health maintenance organization.

(18) Limited Data Set: Information that excludes the following direct identifiers of

the individual and his relatives, employers, and household members:

• Names;

• Postal address information (but not including town or city, state, and zip

code);

• Telephone numbers;

• Fax numbers;

• Electronic mail addresses;

• Social Security numbers;

• Medical record numbers;

• Health plan beneficiary numbers;

• Account numbers;

• Certificate/license numbers;

• Vehicle identifiers and serial numbers, including license plate numbers;

• Device identifiers and serial numbers;

• Web Universal Resource Locators (URLs);

• Internet Protocol (IP) address numbers;

• Biometric identifiers, including finger and voice prints; and

• Full face photographic images and any comparable images.xi

(19) Manual: This compilation of IPPI’s HIPAA privacy policies and procedures for

Persons Served.

(20) Medical Record: Information that is created by a health care provider; identifies

or can be readily associated with the identity of an individual; and relates to the

health care of the individual.

- 8 -

(21) Notification Disclosures: Disclosure of PHI to an individual’s relative or close

personal friend or other person identified by the individual, if such PHI is directly

relevant to such person’s involvement with the individual’s care or payment for

the individual’s health care; and Disclosure (or Use) of PHI to notify, or assist in

the notification of, a person responsible for the individual’s care (such as the

individual’s family member or personal representative) of the individual’s

location, general condition, or death.xii

(22) Payment: Activities undertaken by a Group Health Plan to obtain premiums or to

determine its responsibility for coverage and provision of benefits under the

Group Health Plan, and activities undertaken by a health care provider or health

plan to obtain or provide reimbursement for the provision of health care. Such

activities include, without limitation:

a. Determinations of eligibility or coverage (including coordination of

benefits or the determination of cost sharing amounts), and adjudication or

subrogation of health benefit claims;

b. Risk adjusting amounts due based on enrollee health status and

demographic characteristics;

c. Billing, claims management, collection activities, obtaining payment

under a contract for reinsurance (including stop-loss insurance and excess

of loss insurance), and related health care data processing;

d. Review of health care services with respect to medical necessity, coverage

under a health plan, appropriateness of care, or justification of charges;

e. Utilization review activities, including precertification and

preauthorization of services and concurrent and retrospective review of

services; and

f. Disclosure to consumer reporting agencies of any of the following PHI

relating to collection of premiums or reimbursement: name, address, date

of birth, Social Security number, payment history, account number, and

the health care provider’s and/or health plan’s name and address.xiii

(23) Plan Sponsor: An employer that maintains a group health plan for its employees.

(24) Privacy Officer: The individual appointed to serve as the Privacy Officer for IPPI

or the Privacy Officer’s authorized designee.

(25) Protected Health Information or PHI: Any information, transmitted or maintained in any form or medium (including orally), that (i) is created or received by a health care provider, health plan, employer, or health care clearinghouse; (ii) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future Payment for the provision of health care to an individual; and (iii) either identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual; provided that the term “PHI” does not include (A) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, (B) student treatment records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and (C) employment records held by a Covered Entity in its role as employer.xiv

- 9 -

(26) Psychotherapy Notes: Notes recorded by a health care provider who is a mental

health professional documenting or analyzing the contents of conversation during

a private counseling session or a group, joint, or family counseling session and

that are separated from the rest of the individual’s medical record, but excluding

the following: medication prescription and monitoring, counseling session start

and stop times, the modalities and frequencies of treatment furnished, results of

clinical tests, and any summary of diagnosis, functional status, the treatment plan,

symptoms, prognosis, and progress to date.xv

(27) Public Health Authority: An agency or authority of the United States, a state, a

territory, a political subdivision of a state or territory, or an Indian tribe (or a

person or entity acting under a grant of authority from or contract with such

public agency, including the employees or agents of such public agency or its

contractors or persons or entities to whom it has granted authority), that is

responsible for public health matters as part of its official mandate.xvi

(28) Secretary: The Secretary of Health and Human Services (or any other officer or

employee of the Department of Health and Human Services to whom the

authority involved has been delegated).xvii

(28A) Subcontractor: A person to whom a Business Associate delegates a function,

activity or service other than in the capacity of a member of the workforce of such

Business Associate.

(29) Summary Health Information: Information that summarizes the claims history,

claims expenses, or types of claims experienced by individuals to or on whose

behalf health benefits have been provided and from which the following

information has been deleted:

• Names;

• All geographic subdivisions smaller than a state (including street address,

city, county, and precinct), except for the initial five digits of zip codes;

• All elements of dates (except the year) for dates directly related to an

individual, including birth date, admission date, discharge date, and date

of death;

- 10 -

• All ages over 89 and all elements of dates (including the year) indicative

of such age, except that such ages and elements may be aggregated into a

single category of age 90 or older;

• Telephone numbers;

• Fax numbers;

• Electronic mail addresses;

• Social Security numbers;

• Medical record numbers;

• Health plan beneficiary numbers;

• Account numbers;

• Certificate/license numbers;

• Vehicle identifiers and serial numbers, including license plate numbers;

• Device identifiers and serial numbers;

• Web Universal Resource Locators (URLs);

• Internet Protocol (IP) address numbers;

• Biometric identifiers, including finger and voice prints;

• Full face photographic images and any comparable images; and

• Any other unique identifying number, characteristic, or code (other than a

code that enables the information’s creator to re-identify the

information).xviii

(30) Treatment: The provision, coordination, or management of health care or related

services by one or more health care providers, including the coordination or

management of health care by a health care provider with a third party,

consultation between health care providers relating to a patient, and the referral of

a patient for health care from one health care provider to another.xix

(31) Using, a Use, or To Use: Both (i) employment, application, utilization,

examination, or analysis of information, and (ii) sharing information within an

entity.xx

- 11 -

PART A. PRIVACY

I. CONFIDENTIALITY

Policy: All PHI shall be considered confidential and shall be treated in

accordance with the terms of the Manual.

Procedures:

A. No PHI shall be used or disclosed without a proper authorization, or when

the use or disclosure is permitted or otherwise authorized, or allowed, or

required by local or state laws or regulations, or HIPAA or other federal

laws or regulations.

B. No IPPI employee shall access or disclose PHI unless properly

authorized to do so and shall otherwise disclose PHI only to those

persons served and/or their legal representatives who are authorized to

receive such information.

C. For purposes of the Manual (i) “using,” “a use” or “to use” means the sharing of information within IPPI; and (ii) “disclosing,” “disclosed” or “to be disclosed” means divulging information outside IPPI, including release, transfer, or provision of access to information.

II. IDENTIFYING PHI

Policy: IPPI shall identify when routine health information becomes PHI.

Procedures:

A. The following information will be designated as PHI: Any health

information, including demographic information collected from Persons

Served, transmitted or maintained in any form or medium, that:

1. is created or received by IPPI; and

2. relates to the past, present, or future physical or mental health or

condition of Persons Served; the provision of health care to Persons

Served; or the past, present or future payment for the provision of

health care to Persons Served; and

3. identifies a Person Served or can be used to identify a Person Served.


B. Routine health information which meets the above definition, will be

automatically designated PHI upon its receipt by IPPI.

C. PHI does not include (i) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g; (ii) student treatment records; and (iii) employment records held by IPPI in its role as employer. To the extent information is held by IPPI in its capacity as an employer or as a covered entity under the group health plan, such information shall be treated as provided in the HIPAA Privacy Compliance Manual for IPPI’s Group Health Plan and VEBA.

D. IPPI will adhere to its own policies and procedures and all other applicable

laws, regulations, policies and procedures when maintaining, using and

disclosing such PHI.

III. PROPER USE AND DISCLOSURE

Policy: IPPI shall ensure that PHI is used and disclosed properly for the treatment of Persons Served, for the payment of such treatment, and for general health care operations as they relate to Persons Served, and as further provided herein. IPPI shall not improperly withhold PHI for any of these purposes.

Procedures:

A. The procedures for carrying out this Policy are set forth in this Manual.

IV. PROPER USE AND DISCLOSURE/MINIMUM NECESSARY STANDARD

Policy: HIPAA requires that when PHI is used or disclosed, the amount disclosed

generally must be limited to the “minimum necessary” to accomplish the purpose

of the use or disclosure.

Procedures:

A. IPPI shall make reasonable efforts to limit the scope of PHI to the

minimum necessary to accomplish the intended purpose of the use,

disclosure, or request. This minimum necessary rule applies in three

circumstances:

1. When using PHI internally;

2. When disclosing PHI to an external party in response to a

request;

3. When requesting PHI from another covered entity.

The minimum necessary standard does not apply to any of the following:

i. Uses or disclosures made to the individual;

ii. Uses or disclosures to another covered entity that requests the information;

iii. Uses or disclosures made pursuant to a valid authorization;

iv. Disclosures made to Health and Human Services (HHS);

v. Uses or disclosures required by law; and

vi. Uses or disclosures required to comply with HIPAA.

B. Disclosure of Entire Record. If a use or disclosure involves an

individual’s entire medical record, the justification for such use or

disclosure shall be documented. For example, the request of an

auditor for PHI must represent that the information requested is the

minimum necessary for the stated purpose.

C. Incidental Use. A use or disclosure that occurs incidentally to another use or disclosure permitted by this Manual shall be acceptable, provided that IPPI employs reasonable safeguards to limit incidental uses and disclosures.

D. Consultation with State Privacy Officer. If there is a question as to what

the “minimum amount of PHI” should be in any of the above situations,

the State Privacy Officer shall be consulted. In the absence of the State

Privacy Officer, or should the State Privacy Officer him/herself wish, the

Corporate Privacy Officer shall be consulted.

V. ACCESS/AUTHORIZATION

Policy: Only authorized persons shall have access to the PHI of Persons Served.

Procedures:

A. The Institute of Professional Practice alone shall determine which

positions will be authorized for such access.

B. Software used for electronic records must support individualized access for each user, and appropriate precautions shall be taken, as described in Section VI, to prevent unauthorized access.

C. Written records containing PHI shall be kept in locked file cabinets or in locked rooms.

D. Authorized persons shall not leave written records unattended

on their desks or in public places.


E. For purposes other than treatment, payment or operations, or other

permitted uses, written or electronic records shall not be provided to

anyone unless an authorization has been obtained from the appropriate

person(s).

F. Electronic records shall be viewable on computer monitors

only by staff who have been authorized to view those records.

G. All computers or other electronic devices with electronic records on them,

including hardware where electronic records are saved, shall be password

protected to prevent unauthorized access.

VI. ACCESS/LIMITED ACCESS TO PERSONS SERVED RECORDS

Policy:

Unauthorized staff shall have no access to PHI. Authorized staff may have access

to all or part of the Persons Served file as determined by IPPI.

Procedures:

A. The State Director or his/her designee shall determine what

positions/employees shall have access to the files of Persons Served within

their state and to what part of the file that position or employee shall have

access. Those decisions shall be made on the basis of the need to know for

the provision of appropriate services.

B. For electronic files, the State Director or his/her designee shall inform

the Network Administrator of the positions/employees which have been

given access to a file and to what part of that file access has been allowed.

C. For electronic files the Network Administrator shall then assign a user

name and the authorized employee who has been given access shall

choose a password. The Network Administrator shall then provide

appropriate access to the authorized positions. This may range

anywhere from full access to partial access as determined by the State

Director. Authorization levels shall be reviewed by the State Director at

least annually and as circumstances warrant.

D. Each time an employee in an authorized position wishes to access an

electronic file from a computer or other electronic device, that

employee must enter his/her user name and password.

E. Passwords shall be changed as often as necessary to protect the security of electronic files, in accordance with best practices, which shall be reviewed periodically and as circumstances warrant.


F. Periodically, in accordance with security best practices, the Network Administrator and/or State IT Security Officer shall review access to electronic files to detect any attempt by unauthorized personnel to access, or any actual access to, data for which they are not authorized, and shall provide a report to the State Director.

State IT Security Officer refers to that person designated by the State

Director to be responsible for HIPAA Security policies and procedures.

G. Employees shall not leave their computers while a file containing PHI is open. As a further safeguard for electronic files, a screen saver shall launch after twenty (20) minutes of inactivity and shall itself be password protected, so that the computer and its stored information cannot be accessed without the password. When staff leave their stations and expect to be absent, they shall log off or lock their workstation so that information can be accessed only by staff with the authorized password.

H. Computer monitors shall be placed in shared offices so that staff at one

monitor shall not be able to see PHI data on another monitor.

I. When an invalid password is entered three consecutive times, the machine

shall lock after the third attempt to protect electronic files, and further

unauthorized access shall be denied.

J. If the locking of computer access was due to the mistake of the authorized

employee in remembering his/her password, then the authorized employee

must ask the Network Administrator or State Privacy or Security Officer

to unlock his/her computer.

K. The Network Administrator and the State IT Security Officer both shall be

notified of any attempt to breach electronic files.

L. Software designed to prevent breaches of electronic files shall be utilized

by IPPI.

M. The State Privacy Officer shall also monitor access to non electronic files

and shall investigate any reported incidents of breaches or any suspicious

evidence of breach activity.

N. If breach attempts are traced to a particular employee(s), corrective action

shall be taken immediately by the State Security Officer in conjunction

with the State Director, and notice of the breach and corrective action shall

be given to the Network Administrator.


O. All employees shall be trained to report any suspected incidents of

breaches in privacy to their respective program manager and directly to

the State Privacy Officer in their state.

P. All such reports shall be documented and filed appropriately in a secure

file or location and in the employee’s personnel file, and shall include a

description of the incident, findings, recommendations, corrective action

and follow up. A copy of any sanctions meted out to any employee(s) shall

be placed in the employee(s) personnel file. A copy of the report

summarizing the breach and the corrective action shall be sent to the

Corporation’s Privacy Office in the event of a serious breach.

Q. IPPI shall keep all records concerning Persons Served separate from any other information held by IPPI concerning the same individual, including any employment-related information kept by IPPI.
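The access-review, lockout and unlock procedures in this Section (items A through C, F, I, J and K) can be checked mechanically. The following Python is an added example and is not part of the Manual or of IPPI’s systems: the position-to-file-part table, the log line format, the role names and the user names are constructed assumptions chosen to illustrate the procedure, not IPPI’s configuration.

```python
"""Access review and lockout checks modelled on Section VI (added example).
The position table, log format and all names are constructed assumptions."""
import re
from dataclasses import dataclass

MAX_FAILED_LOGINS = 3  # VI.I: lock after the third consecutive invalid password

# VI.A/B: State Director's decisions, as passed to the Network Administrator
# (constructed table: position -> parts of the Person Served file it may open).
POSITION_ACCESS = {
    "clinician": {"demographics", "treatment_plan", "therapy_notes"},
    "case_manager": {"demographics", "treatment_plan"},
    "billing": {"demographics", "billing"},
}
# VI.J: roles allowed to unlock a locked account (assumed role names).
UNLOCK_ROLES = {"network_administrator", "state_privacy_officer", "state_it_security_officer"}


@dataclass
class Account:
    user: str
    position: str
    failed_logins: int = 0
    locked: bool = False


def is_authorized(position, file_part):
    """VI.A: access is decided per position and per part of the file."""
    return file_part in POSITION_ACCESS.get(position, set())


def record_login(acct, password_ok):
    """VI.D/I: one login attempt; True only when access is granted. A correct password
    resets the counter, the third consecutive failure locks the account, and a locked
    account rejects even a correct password until VI.J unlocks it."""
    if acct.locked:
        return False
    if password_ok:
        acct.failed_logins = 0
        return True
    acct.failed_logins += 1
    if acct.failed_logins >= MAX_FAILED_LOGINS:
        acct.locked = True
    return False


def unlock(acct, requested_by_role):
    """VI.J: the user cannot self-unlock; an authorized role must do it."""
    if requested_by_role not in UNLOCK_ROLES:
        raise PermissionError(f"role {requested_by_role!r} may not unlock accounts")
    acct.locked = False
    acct.failed_logins = 0


# Constructed log format: "<ts> user=<u> action=<a> part=<p> result=granted|denied"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                    r"part=(?P<part>\S+) result=(?P<result>granted|denied)$")


def audit_access_log(lines, accounts):
    """VI.F: one finding per event where the user's position does not permit the file
    part. Denied attempts count too; a 'granted' finding means the system's permissions
    disagree with the State Director's decisions and must be fixed, not just reported."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production review should flag these as well
        acct = accounts.get(m["user"])
        position = acct.position if acct else "unknown"  # unknown user: never authorized
        if not is_authorized(position, m["part"]):
            findings.append({"time": m["ts"], "user": m["user"], "position": position,
                             "part": m["part"], "result": m["result"]})
    return findings


def build_report(findings):
    """VI.F/K: one line per user for the State Director, Network Administrator
    and State IT Security Officer."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f["user"], []).append(f)
    report = []
    for user, events in sorted(by_user.items()):
        parts = ", ".join(sorted({e["part"] for e in events}))
        granted = sum(1 for e in events if e["result"] == "granted")
        report.append(f"{user} ({events[0]['position']}): {len(events)} unauthorized "
                      f"event(s) on {parts}; {granted} succeeded")
    return report


# Constructed accounts and log lines for the demonstration.
ACCOUNTS = {"asmith": Account("asmith", "clinician"),
            "jdoe": Account("jdoe", "billing"),
            "bkim": Account("bkim", "case_manager")}
SAMPLE_LOG = [
    "2013-09-23T09:01:12 user=asmith action=open part=therapy_notes result=granted",
    "2013-09-23T09:05:40 user=jdoe action=open part=therapy_notes result=denied",
    "2013-09-23T09:06:02 user=jdoe action=open part=therapy_notes result=granted",
    "2013-09-23T09:10:00 user=bkim action=open part=billing result=denied",
    "2013-09-23T09:12:31 user=bkim action=open part=treatment_plan result=granted",
    "2013-09-23T09:15:00 user=ghost action=open part=demographics result=denied",
    "this line is not in the expected format",
]


def run_example():
    findings = audit_access_log(SAMPLE_LOG, ACCOUNTS)
    return findings, build_report(findings)
```

Running `run_example()` over the constructed log yields four findings: two for the billing user touching therapy notes (one of which was granted, so the system’s permissions do not match the State Director’s decision), one for the case manager attempting the billing part, and one for a user name with no account at all. The lockout logic is deliberately stateful so that two failures followed by a correct password do not lock the account, while a third consecutive failure does, and only the roles named in item J can clear it.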

VII. INFORMAL DISCLOSURE OF PHI

Policy: Informal disclosure of PHI shall be eliminated or minimized.

Procedures:

A. Staff orientation and re-training sessions shall stress (i) the need for

privacy with emphasis placed on the dangers of informal sharing of

information, (e.g., conversations in hallways and other public places,

telephone conversations, and privacy leaks in computer locations), and (ii)

that IPPI does not tolerate violations of the Manual, and that employees

shall be subject to discipline up to and including termination for a

violation of the Manual.

B. Staff discussions of PHI shall be only for treatment or business purposes

and only on a “need to know” basis. Discussions shall be conducted in a

professional and dignified manner and only in an appropriate place, such

as in an individual office, and with other persons with whom the sharing

of such information has been authorized, or in a peer review or

consultation situation, or a special committee established by law,

regulation or required by professional discipline.

C. Doors shall be locked when offices are not expected to be in use.

D. Files shall either be locked or kept in rooms that are locked.

E. Fax machines shall either be kept secure or kept in an area that is

monitored to see that no one but authorized employees receive

information.


G. Employees making copies of PHI on copy machines will remove the

originals and copies immediately upon making them and shall dispose of

them only in secure recycling bins or shall shred them immediately.

H. Smart phones and pocket PCs shall be equipped so that, after a determined

period of time, the device shall automatically go to “password protected”

when not in use and cannot be re-opened unless the proper password is

entered.

VIII. BUSINESS ASSOCIATES/ADHERENCE TO POLICY

Policy: IPPI shall require any Business Associate of IPPI, as defined in

paragraph E below, to agree by written agreement to certain restrictions and

duties with respect to PHI that the Business Associate creates, collects or holds on

behalf of IPPI in its capacity as a covered entity.

Procedures:

A. Identifying Business Associates.

IPPI shall review existing contracts that involve the use or disclosure of PHI or any other function regulated by the HIPAA Privacy Standards (including, but not limited to, contracts with an entity that creates, receives, stores, maintains or transmits PHI) to determine whether such contracts need to be amended to include Business Associate agreement provisions. Prior to entering into any new agreement with another entity concerning such services or activities, IPPI shall determine whether the entity would be a Business Associate as a result of such services or activities.

B. Contracting with Business Associates.

If a Business Associate creates, receives, maintains, stores, uses, transmits

or discloses the PHI of Persons Served, IPPI shall require the Business

Associate to enter into a written contract or other written agreement with

IPPI that:

i. Establishes the Business Associate’s permitted and required uses

and disclosures of PHI of Persons Served, which uses and

disclosures would not violate the HIPAA Privacy Standards if

performed by IPPI, except that the agreement may permit the

Business Associate to (i) use Persons Served PHI as necessary to

carry out the Business Associate’s proper management and

administration or legal responsibilities; (ii) disclose PHI of Persons

Served for such purposes if the disclosure is required by law or if

the Business Associate obtains reasonable assurances from the

person to whom PHI is disclosed that it will be held confidentially


and used or further disclosed only as required by law or for the

purpose for which it was disclosed to the person and the person

notifies the Business Associate of any instances of which it is

aware in which the confidentiality of Persons Served PHI has been

breached; and (iii) conduct data analyses relating to the health care

operations of both IPPI and another entity of which the Business

Associate is a Business Associate;

ii. Provides that the Business Associate will (i) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that the Business Associate creates, receives, maintains or transmits on behalf of IPPI and (ii) authorize termination of the contract by IPPI if it determines the Business Associate has violated a material term of the contract;

iii. Provides that the Business Associate shall use appropriate

safeguards to prevent use or disclosure of IPPI PHI other than as

provided for by the agreement;

iv. Provides that the Business Associate shall report to IPPI any

use or disclosure of Persons Served PHI not provided for by

the agreement of which it becomes aware;

v. Provides that the Business Associate shall ensure that any

agent, including a Subcontractor, to whom it provides PHI of

Persons Served, agrees to the same restrictions and conditions

that apply to the Business Associate with respect to such PHI;

vi. Provides that the Business Associate shall make the PHI of

Persons Served available to IPPI that is necessary for IPPI to

respond to a request made;

vii. Provides that the Business Associate shall make its internal

practices, books, and records relating to the use and disclosure

of PHI of Persons Served available to the Secretary of Health

and Human Services for purposes of determining IPPI’s

compliance with the HIPAA Privacy Standards;

viii. Provides that the Business Associate shall, at termination of the

underlying service agreement, if feasible, return or destroy all

PHI of Persons Served that the Business Associate still

maintains in any form and retain no copies of such PHI or, if

such return or destruction is not feasible, extend the

protections of the agreement to the PHI and limit further uses


and disclosures to those purposes that make the return or

destruction of the PHI of Persons Served infeasible;

ix. Authorizes termination of the agreement by IPPI in the event

that IPPI determines that the Business Associate has violated a

material term of the agreement, except that this provision may

be omitted from the agreement if it is inconsistent with the

statutory obligations of IPPI or the Business Associate; and

x. Provides that the Business Associate shall notify IPPI of any breach of unsecured Protected Health Information in accordance with the requirements of Section XLVII of Part A of this Manual and the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

Notwithstanding the foregoing, if an entity is required by law to perform an

activity or provide a service, and the entity qualifies as a Business Associate

solely because of such legally required activities or services, IPPI may either

(x) require the entity to enter into a written agreement as described above, (y)

obtain satisfactory assurances from the entity that it will comply with the

agreement’s provisions described above, or (z) if IPPI’s good faith attempt to

obtain such satisfactory assurances fails, document the attempt and the

reasons that such assurances could not be obtained. A model Business

Associate Agreement and a Business Associate Tracking Sheet are provided

in Part C to the Manual.

C. Monitoring Business Associates.

If IPPI learns that a Business Associate has materially violated one or

more of the written agreement’s provisions described in this Section

VIII, IPPI shall take reasonable steps to end the violation and mitigate

the violation’s harmful effects. If IPPI’s steps to end the violation and

mitigate its effects are unsuccessful, IPPI shall terminate the contract

or arrangement with the Business Associate or, if the State Privacy

Officer determines that such termination is not feasible, report the

problem to the Secretary.

D. Documentation of Business Associates.

IPPI shall retain any written agreement with a Business Associate, or

any other set of written provisions intended to comply with this

Section. Such documentation shall be retained in accordance with

Section XXXIX of this Part A of the Manual.

Employees may disclose PHI to IPPI’s Business Associates and allow Business Associates to create, receive or transmit PHI on IPPI’s behalf. However, prior to doing so, IPPI must first obtain assurances from the Business Associate that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a “Business Associate,” employees must verify that a Business Associate contract is in place.

E. A “Business Associate” is an entity as defined above in Definitions.

F. Forms used in the administration of this Policy:

i. Business Associate Agreement (See 2, Part C (Forms) of the Manual).

ii. Business Associate Tracking Worksheet (See 3, Part C (Forms) of the

Manual).

IX. PROTECTION OF PHI DURING NON-EMERGENCY/PERMITTED

USES

Policy: Federal and state laws, and the ethical requirements of certain professional disciplines to which some employees of IPPI are subject, may require the formation of committees for the performance of peer review, safety, certification, abuse review, record oversight, etc. Further, good clinical practice requires supervision as a necessary component of treatment. Participants in these meetings, consultations, or supervisory sessions may or may not have been specifically authorized to access the record of a Person Served. Therefore, it is IPPI’s policy to notify Persons Served of this potential disclosure of PHI and to obtain their consent to this use of their PHI in the provision of services.

Procedures:

It shall be the practice of IPPI that:

A. Each Person Served shall be given notice that such meetings may be held and that his or her case may be reviewed by persons with whom the Person Served has not had a previous professional relationship. Persons Served, or their legal representatives, will be provided with notice of this privacy practice prior to receiving services.

B. All employees who are members of the committees referenced above and

all supervisors and consultants shall sign statements that they understand

the requirements of confidentiality in all situations where they have access

to PHI, whether authorized or not, and such statements of understanding

shall be filed in the employee’s personnel record or in the consultant’s file.


X. THERAPY AND COUNSELING RECORDS

Policy: Therapy and counseling records of Persons Served shall be properly

protected.

Procedures:

A. Therapy/counseling records shall be kept in a locked file or a secured area,

and shall be available only to authorized employees.

B. Changes in therapy and counseling notes shall be made in such a way that

the material changed or corrected is still clearly visible and the

correction/change is signed and dated. (See Section XIV of Part B of the

Manual).

C. Employees who might otherwise have access to an entire file of a Person

Served, may not necessarily be authorized to see therapeutic or counseling

notes. The determination of access and authorization to such notes shall be

the responsibility of the State Director or his/her designee.

D. The materials in such records shall not be shared with anyone outside the

agency (except in emergency situations) unless (i) they are being used as

permitted under Sections XX-XXVI or (ii) authorized by the person

served or his/her legal representative, and subject to the conditions set out

in Sections XXVII- XXXI of this Part A of the Manual.

E. IPPI shall not release to any person or legal entity outside the agency any information about Persons Served that was not generated at IPPI, unless the recipient is a covered entity with which IPPI has a Business Associate Agreement (and that agreement does not prohibit or restrict further disclosure), or is a parent, guardian or advocate of the Person Served. All requests for such material must be made to the original source. For example, if a Person Served enters a hospital and the hospital provides IPPI with a therapeutic summary, all requests for that summary must be made directly to the hospital, unless the requester is a covered entity with which IPPI has a Business Associate Agreement that permits such further disclosure.

F. When information is released as a result of the request or consent of a

Person Served, their family or legal guardian, the date the material has

been sent will be noted on the request or consent document, or on an

official form, and shall be placed in the record of the Persons Served.


XI. RECORDS CORRECTION

Policy: Records shall be corrected by authorized staff in a manner that does not

make the original entry unreadable, except that incorrectly filed information may

simply be moved to the correct individual’s file.

Procedures:

A. Errors shall be identified by crossing out, circling, or covering with a translucent color, e.g. yellow, so that the erroneous material can still be easily read.

B. The correction and any additional material related to the correction, shall

be initialed and dated.

C. No corrections shall be made by whiting out the material or using other

opaque fluids, or by shredding, throwing out or otherwise removing the

corrected material completely from sight.

D. Electronic records shall be corrected as provided in XIV Part B (Security)

of the Manual.

XII. CLOSED CASES

Policy: The privacy of closed cases of Persons Served shall be maintained.

Procedures:

A. All closed records that are written shall be kept in locked files, or kept in

files in a room which will be locked, or both.

B. All closed cases which have been recorded in whole or in part on

computers, shall only be downloaded to encrypted flash drives or saved on

a server and deleted from the computer itself. All backup material shall be

kept in secure storage, e.g. a locked file, or in a file in a room which is

locked, or both.

C. Access to such closed cases shall be authorized only by the State Director

or his/her designee, or, in Vermont, the Executive President.

D. Unless otherwise required by law, cases which have been formally closed

for 7 years and in which no activity has been recorded for 7 years, and

cases which have not been formally closed, but in which no activity has

been recorded for 7 years, shall be destroyed by shredding or other

acceptable methods of destruction unless required to be kept for longer

periods by law or other regulation. Records for active Persons Served are

retained for ten (10) years, unless otherwise required by law.


E. No information from such closed files shall be released unless the person

served, or the legal representative, authorizes such release and there shall

be a written record when the information was released and when it was

returned to the file.

XIII. MAILING PHI

Policy: Mailings including PHI shall be kept confidential.

Procedures:

A. Records containing PHI, if mailed, should be sent in a sealed envelope

marked “CONFIDENTIAL.”

B. The employee under whose direction a mailing is sent shall take reasonable steps to ensure that the envelope is marked and sealed as described above.

XIV. E-MAIL MESSAGES

Policy: IPPI shall safeguard PHI so as to minimize uses and disclosures of PHI

that violate HIPAA’s privacy standards or the policies or procedures set forth in

this policy. PHI shall not be inappropriately communicated electronically via e-

mail.

Procedures:

A. All e-mail messages sent or received that concern PHI of Persons Served

shall be treated as part of their medical/personal records with the same

degree of confidentiality as other parts of that record.

B. Whenever feasible, the transmission should be made via a system which

has the capability of securely encrypting the messages from point of entry

into the messaging system until delivered to the intended recipient in such

a way that only the intended recipient can decrypt them.

C. Whenever feasible, an IPPI employee should ensure that the e-mail system used to send PHI has firewalls, encryption, verification of sender and recipient identity, and password controls in place.

D. E-mails containing PHI shall be labeled confidential and shall require the authorized recipient to confirm receipt. The confidential label shall also specify that, should the message reach a person not authorized to receive it, that person must notify the sender and destroy the material.


E. E-mails containing PHI must include a privacy statement notifying the recipient of the confidential nature of the message and of whom to contact should the message be misdirected. Misdirected messages must be documented in the Disclosure Log (See Part C of the Manual) upon notification that the message was misdirected.

F. Forms used in the administration of this Policy:

1. Disclosure Log (See 15, Part C (Forms) of the Manual).

XV. FACSIMILE

Policy: PHI shall not be inappropriately communicated via facsimile.

Procedures:

A. All fax machines and the rooms in which they are situated must be

secure and/or reasonably private.

B. Employees must limit information transmitted to what is necessary to meet

the requester’s needs to the limit of the requester’s authorization.

C. Employees must make reasonable efforts to ensure that they send the fax

appropriately to an authorized person. To help ensure that faxes are sent to

the correct destination, any frequently used numbers or programmed

numbers shall be periodically checked for accuracy, and new fax numbers

shall be confirmed with the intended recipient before any PHI is faxed.

D. All pages of a fax containing PHI shall be marked “CONFIDENTIAL.”

Facsimiles containing PHI must include a privacy statement notifying the

recipient of whom to contact should the message be misdirected and an

instruction to destroy the communication. Misdirected messages must be

documented in a Disclosure Log upon the notification of the message

being misdirected.

E. Employees must report any misdirected faxes to the State Privacy Officer

in their state and to their supervisor.

F. The Privacy or Security Officer in each state shall periodically and/or

randomly check all speed dial numbers to ensure their currency,

validity, accuracy and authorization to receive confidential information.


XVI. TELEPHONE

Policy: IPPI shall reasonably safeguard PHI that is orally used or disclosed. PHI

shall not be inappropriately communicated via telephone.

Procedures:

A. All telephone messages sent or received that concern PHI of Persons

Served or employees shall be treated as part of their medical record and

with the same degree of confidentiality as other parts of the record.

B. Employees must make reasonable efforts to ensure that they transmit PHI

via the phone only to authorized persons.

C. Employees must limit information transmitted to what is necessary to meet

the requester’s needs and to the limit of their authorization.

D. Telephone conversations involving PHI must take place in private areas.

E. The loss or theft of any Smart Phones/Pocket PCs, PDAs or other portable

devices shall immediately be reported by the employee to the Network

Administrator who shall immediately wipe the device clean from all data,

including PHI.

XVII. TRANSCRIPTION

Policy: Transcription of PHI shall be done in such a way as to maximize the

confidentiality and integrity of the information.

Procedures:

A. It is understood that the transcription system and all transcribed data

are part of the business equipment of IPPI, are owned by IPPI, and are not

the property of the users of the system.

B. Employees do not have the right of privacy in their use of the

transcription system or its data. IPPI reserves the right to monitor, audit

and read transcribed documents.

C. IPPI may monitor the content and usage of the transcription system to

support operational, maintenance, auditing, security and investigative

activities.

D. Transcriptionists and others using the transcription system may transcribe only after having completed proper training and having received authorization specific to transcription in accordance with IPPI’s Privacy and Security Policies.

E. Dictation shall not be done in an environment in which unauthorized

persons can overhear confidential dictation.

F. Transcriptionists, when transcribing in an electronic data base, must log

off computers and dictation equipment when transcribing is not being

done, unless they use a pause feature that removes the documentation from

screen view and access until the transcriptionist reactivates it.

G. Dictation on analog audio cassettes, CDs, or other voice files may only

be shipped with carriers authorized by the State Director

or his/her designee.

H. Employees shall not transmit voice data to equipment with an

activated auto answer such as an answering machine unless it has been

properly secured. The recipient of such voice data should immediately

acknowledge its receipt to the sender.

I. Users may store dictation only for the length of time necessary to

transcribe and review documentation and in a manner that protects

against unauthorized access. Once a voice file has been transcribed and the

data received by the provider, the voice file shall be deleted from a digital

system or erased from an analog system in a manner that

prevents unauthorized access. Destruction must be in a manner

approved by the State Director or his/her designee. Transcribed tapes

may not be re-used unless erased.

J. After the transcriptionist completes a report he/she shall authenticate it

using an identifier assigned by the State Director or his/her designee.

K. No transcriptionist may release any patient data except to the

originator of the document or to persons authorized by the State

Director or his/her designee.

L. Dictation playback must be done in a secure environment that

protects the information from being overheard by unauthorized

personnel.

- 27 -

XVIII. PRINTING/COPYING

Policy: Printing, copying or downloading PHI shall be done in such a manner as to maximize privacy.

Procedures:

A. When using the network’s printers, employees must go immediately to the printer and retrieve the information to avoid unauthorized viewing of confidential material.

B. All PHI copied by staff shall be removed immediately from the machine by the person making the copies along with the original material.

XIX. PHI SHALL BE STORED SECURELY

Policy: IPPI will establish appropriate administrative, physical and technical procedures, including limiting access to information by creating computer firewalls and physical safeguards, to prevent PHI from being intentionally or unintentionally disclosed in violation of HIPAA’s requirements.

Procedures:

A. Buildings where PHI is stored shall be locked after normal operating hours.

B. Windows to all rooms shall be locked after normal operating hours.

C. Keys shall be given to an employee only to the areas where they have been given authorized access.

D. All keys to the buildings that are issued to employees shall be logged.

E. Upon leaving agency employment all keys given to the employee shall be turned in, and State Human Resource Directors shall be responsible for establishing policies in their own states for securing the return of keys.

F. Rooms with servers shall be locked at the end of the day.

G. Rooms containing PHI shall be locked or the file cabinets, in rooms which cannot be locked, shall be locked at the end of the regular business hours.

H. Files containing PHI that can be locked shall be locked at the end of the day. Files that cannot be locked shall be stored in rooms that can be locked and these rooms shall be locked at the end of the regular business day.

- 28 -

I. When employees are finished with their computers for the day they shall secure them by logging off or shutting them down to prevent any breach from unauthorized users.

XX. IDENTIFICATION OF NON PHI/DE-IDENTIFYING PHI

Policy: IPPI will establish appropriate procedures for the de-identification of PHI.

Procedures:

A. Information that does not identify an individual and that IPPI has no reasonable basis to believe can be used to identify an individual is de-identified information and may be used as described herein. IPPI has the capability to identify all information that is not PHI. Only health information that “identifies” an individual is subject to the HIPAA privacy standards as described in the Manual. Consequently, health information that does not identify an individual, and with respect to which there is no “reasonable basis” to believe that information may be used to identify any individual, is not PHI and not subject to the privacy standards.

IPPI will designate employees in each state with the appropriate knowledge and experience for rendering information not individually identifiable. These designated employees will be aware of all the individual identifiers that need to be removed to render health information non-PHI.

B. Removing identifying information shall be referred to as “de-identifying” PHI. Once information has been de-identified it may be used in a number of ways, including, as a tool in utilization review and as a Limited Data Set as defined in Section XXXIX of this Part A of the Manual for research, evaluation, public health uses or health care operations, marketing, fundraising etc.

C. Methods used to Demonstrate Information as De-identified.

1. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable: (i) determines, applying such principles and methods, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information, and (ii) documents the methods and results of the analysis that justify such determination; or

- 29 -

2. IPPI ensures that (i) it does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information, and (ii) the following identifiers of the individual, or relatives, employers, or household members of the individual, are removed:

Names;

All geographic subdivisions smaller than a state, including street address, city, county, precinct, and zip code and their geocodes (except that the initial three digits of a zip code may be used if more than 20,000 people reside within the area included in all zip codes sharing those initial three digits, and, if fewer than 20,000 people reside within such area, the number “000” may be used instead);

All elements of dates (except the year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death;

All ages over 89 and all elements of dates (including the year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

Telephone numbers;

Fax numbers;

Electronic mail addresses;

Social Security numbers;

Medical record numbers;

Health plan beneficiary numbers;

Account numbers;

Certificate/license numbers;

Vehicle identifiers and serial numbers, including license plate numbers;

Device identifiers and serial numbers;

Web Universal Resource Locators (URLs);

Internet Protocol (IP) address numbers;

Biometric identifiers, including finger and voice prints;

Full face photographic images and any comparable images; and

Any other unique, identifying number, characteristic, or code to re-identify the information.
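The identifier-removal rules in item C.2 above applied mechanically to a single record, as an added example; this is not part of the manual and not IPPI’s own tooling. The field names, the sample record and the population table for three-digit zip prefixes are constructed for the example (a real deployment must take the population figures from current Census data). The example handles the two edge cases the list calls out: a zip prefix covering 20,000 or fewer people becomes “000”, and an age over 89 collapses into the single category “90+” with the birth year removed, since the year alone would reveal such an age.

```python
"""Safe Harbor style de-identification of a patient record.

Added example, not text or code from the IPPI manual and not IPPI's own
tooling. It applies the identifier-removal rules of Section XX.C.2 to a
record held as a dictionary. Field names, the sample record and the
population table for 3-digit ZIP prefixes are constructed for the example.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Fields removed outright: names, sub-state geography, contact details,
# record/account/licence numbers, device and network identifiers,
# biometrics and photographs. Field names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "mrn", "plan_id", "account", "licence", "vehicle", "device_serial",
    "url", "ip", "fingerprint", "voiceprint", "photo",
}

# Constructed population counts per 3-digit ZIP prefix (not Census figures).
ZIP3_POPULATION: dict[str, int] = {"021": 500_000, "036": 12_000}

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def generalize_zip(zip_code: str, population: dict[str, int] = ZIP3_POPULATION) -> str:
    """Keep the first three digits only if more than 20,000 people live in the
    area covered by that prefix; otherwise the prefix becomes '000'."""
    prefix = zip_code[:3]
    return prefix if population.get(prefix, 0) > 20_000 else "000"


def generalize_date(value: str) -> str:
    """Reduce an ISO date to its year. Dates in any other format are dropped
    rather than passed through, since they may still carry month and day."""
    match = ISO_DATE.match(value)
    return match.group(1) if match else ""


def parse_iso(value: str) -> date | None:
    match = ISO_DATE.match(value)
    return date(*map(int, match.groups())) if match else None


def age_on(birth: date, reference: date) -> int:
    """Completed years between two dates."""
    years = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record: dict[str, Any], reference: str) -> dict[str, Any]:
    """Return a copy of `record` with the Section XX.C.2 identifiers removed
    or generalized. `reference` is the ISO date on which age is computed."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # dropped outright
        if key == "zip":
            out["zip3"] = generalize_zip(str(value))   # 3-digit prefix or 000
        elif key.endswith("_date"):
            out[key[: -len("_date")] + "_year"] = generalize_date(str(value))
        else:
            out[key] = value                           # clinical data stays
    # Ages over 89 collapse into a single "90+" category; the birth year
    # would reveal such an age and so is removed as well.
    birth = parse_iso(str(record.get("birth_date", "")))
    ref = parse_iso(reference)
    if birth and ref:
        out["age"] = age_on(birth, ref)
    if isinstance(out.get("age"), int) and out["age"] > 89:
        out["age"] = "90+"
        out.pop("birth_year", None)
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example", "street": "1 Main St", "city": "Boston",
    "zip": "02115", "ssn": "000-00-0000", "mrn": "MRN-EXAMPLE",
    "ip": "192.0.2.10", "birth_date": "1921-06-15",
    "admission_date": "2013-09-01", "diagnosis_code": "F41.1",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, "2013-09-23"))
```

The function is a check on the mechanical half of Safe Harbor only; it does nothing about the “actual knowledge” condition in item (i), which remains a judgement for the designated employees named in paragraph A.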

XXI. PERMITTED USES/TREATMENT

Policy: The HIPAA Privacy Standards do not require a consent from the Person Served to execute health care treatment. The standards do give covered entities express permission to use or disclose PHI under certain circumstances for treatment.

- 30 -

Procedures:

A. “Treatment” is defined as the provision, coordination or management of health care and related services by one or more health care providers, including:

1. Coordination or management of health care by a health care provider with a third party;

2. Consultation between health care providers relating to a patient; and

3. Referral of a patient for health care by one health care provider to another.

B. “Treatment” is dependent on the provision of “health care” which is defined as services that prevent, treat, cure or heal human physical and mental conditions and illnesses, and includes, but is not limited to:

1. Preventive, diagnostic, rehabilitative, maintenance or palliative care, and counseling, service, assessment or procedure with respect to the physical or mental condition or functional status of an individual or to the structure or function of the body;

2. Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

C. A release of PHI is for treatment only if:

1. The recipient of the PHI is a health care provider, but not another entity, including a health plan;

2. The PHI must enable the recipient provider to treat the Persons Served;

3. Only one Person Served directly benefits from the release of the PHI.

D. Staff shall disclose PHI only for purposes of the treatment in accordance with the standard set forth in this Section XXI. Notwithstanding the above, a use or disclosure of PHI that constitutes an individual’s entire medical record or psychotherapy notes shall not be considered made under routine circumstances and shall require the approval of the State Privacy Officer.

- 31 -

XXII. PERMITTED USES/PAYMENT

Policy: The HIPAA Privacy Standards do not require the consent of a Person Served to execute payment for health care.

Procedures:

A. “Payment” is defined as activities undertaken by:

1. A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan;

2. A health care provider, or health plan, to obtain or provide reimbursement for the provision of health care.

B. Payment activities include, but are not limited to, the following:

1. Determinations of eligibility or coverage, including the coordination of benefits, or the determination of cost sharing amounts, and adjudication or subrogation of health benefit claims;

2. Risk adjusting amounts due, based on enrollee health status and demographic characteristics;

3. Billing and claims management collection activities;

4. Obtaining payment under a contract for reinsurance, including stop loss insurance and excess loss insurance, and related health care data processing;

5. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

6. Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services;

7. Disclosure to consumer reporting agencies of any of the following PHI relating to collection of premiums or reimbursement: name and address, date of birth, Social Security number, payment history, account number, name and address of the health care provider and/or health plan, uses and disclosures of debt collection activities.

- 32 -

C. Employees shall disclose PHI only to the extent required for the purposes of the treatment in accordance with the standards set forth in this section XXII. Notwithstanding the above, a use or disclosure of PHI that constitutes an individual’s entire medical record or psychotherapy notes shall not be considered to be made under routine circumstances and shall require the approval of the State Privacy Officer.

XXIII. PERMITTED USES/HEALTH CARE OPERATIONS

Policy: The HIPAA Privacy Standards do not require the consent of a person served to release PHI to execute Health Care Operations.

Procedures:

A. Health Care Operations encompass operational and administrative tasks of the health care entity in five major areas:

1. Quality Assurance (QA) and Quality Improvement (QI) Activities: Conducting QA and QI activities, including:

outcome evaluation and development of clinical guidelines;

population-based activities relating to improving health or reducing health care costs;

protocol development;

case management and care coordination;

contacts with health care providers and patients with information about treatment alternatives; and

related functions that do not include treatment.

2. Reviews and Evaluations:

reviewing the competence or qualification of health care professionals;

evaluating practitioner, provider or health plan performance;

conducting training programs in which health care students, trainees or practitioners learn under supervision to practice or improve their skills as health care providers;

training non-health care professionals;

accreditation, certification, licensing, or credentialing activities.

3. Professional Services: conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.

- 33 -

4. Business Planning: business planning and development such as conducting cost-management and planning related analyses relating to managing and operating the entity.

5. Business Management and Administration:

management activities relating to implementation of, and compliance with, privacy standard requirements;

customer service, including the provision of data analyses, provided that PHI is not disclosed;

resolution of internal grievances;

the sale, transfer, merger or consolidation of all or part of IPPI with another covered entity or an entity that will become a covered entity after these transactions, and due diligence conducted in conjunction with these activities;

creating de-identified information or Limited Data Set, as defined herein, fundraising for the benefit of the covered entity; and

disclosing PHI to a medical liability insurer.

B. Employees shall use or disclose PHI only to the extent required for the permitted use or disclosure in accordance with the standard set forth in this Section XXIII. Notwithstanding the above, a use or disclosure of the Person Served’s entire medical record or psychotherapy notes shall not be considered routine and shall require the approval of the State Privacy Officer.

XXIV. PERMITTED USES/ LEGAL, JUDICIAL, ADMINISTRATIVE, AND LAW ENFORCEMENT PROCEEDINGS

Policy: IPPI shall disclose PHI without prior written authorization to the extent that such use or disclosure is required by proper legal, judicial, administrative, and law enforcement proceedings.

Procedures:

A. Disclosures for Law Enforcement Purposes: IPPI may disclose an individual’s PHI to a law enforcement official under any of the following circumstances:

1. Court Order: In compliance with and as limited by the relevant requirements of a court order, a court-ordered warrant, a subpoena or summons issued by a judicial officer, a grand jury subpoena, or—if (A) the PHI sought is relevant and material to an IPPI related law enforcement inquiry, (B) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the PHI is sought, and (C) De-identified information could not reasonably be used—an administrative request (including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law);

- 34 -

2. Using PHI for Identification or Location: In response to a law enforcement official’s request for such PHI for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person;

3. Alerting of Death: For the purpose of alerting law enforcement of the individual’s death, if IPPI suspects that such death resulted from criminal conduct; or

4. Alerting of Criminal Conduct: Due to IPPI’s good faith belief that such PHI constitutes evidence of criminal conduct that occurred in connection with benefits obtained through IPPI.

B. Mandatory versus Permissive Legal Requirements. IPPI shall identify whether a requested use or disclosure is required by law and the relevant requirements of such law and comply with such requirements when using or disclosing PHI pursuant to that law.

IPPI may require the requestor to provide proof that the requested information is required to be disclosed by IPPI. If IPPI determines that a use or disclosure is required by law, IPPI shall use or disclose the PHI that the law requires be used or disclosed as requested. If IPPI determines the requested use or disclosure is merely permitted, and not required, by law, IPPI shall determine if the use or disclosure is permitted under another section of this policy as a permissible disclosure and follow all requirements set forth in that section.

C. If IPPI determines that the use or disclosure is not required by law and is not permitted under another section of this policy, IPPI must obtain an authorization from the individual who is the subject of the PHI; de-identify the information before using or disclosing it; require the requestor to obtain the authorization of the individual; or require the requestor to provide a court order or other legal process that would authorize IPPI to release the information.

D. No Duty to Disclose. This Section does not create any duty or obligation to use or disclose PHI to a requestor. Rather, this Section permits IPPI to use or disclose PHI when IPPI is required by law to do so.

- 35 -

E. A determination of whether to disclose PHI shall be made by the State Privacy Officer in consultation with the Corporate Privacy Officer.

F. Should any of the requests described in paragraphs A through E of this Section XXIV not be required by law, or, if required by law, not be presented to IPPI in a proper legal fashion, then IPPI may, in its discretion, decide whether to disclose the PHI. Such decisions shall be made by the State Privacy Officer in the state in which the request is made. If the State Privacy Officer chooses to disclose PHI under these circumstances, the Person Served or his/her legal representative must be notified and a release obtained. If releases are refused, then IPPI shall not disclose such information. If the Person Served or his or her legal representative cannot be reached after diligent efforts by IPPI to do so, the State Privacy Officer must seek and obtain a Protective Order from a court of appropriate jurisdiction in order to release the requested information. Unless such order is given, no information shall be released.

G. Forms used in the Administration of this provision.

1. HIPAA Privacy Disclosure Log (See 15, Part C (Forms) of the Manual).

XXV. PERMITTED USES/HEALTH, PUBLIC HEALTH OVERSIGHT

Policy: The HIPAA Privacy Standards do not require prior written authorization of Persons Served to release PHI for Health and Public Health Oversight. IPPI may disclose PHI to a health/public health oversight agency for oversight activities authorized by law.

Procedures:

A. Uses and Disclosures for Public Health Activities: Subject to the minimum necessary rule described in Section IV of this Manual, IPPI may disclose PHI for:

1. Disease Prevention: A Public Health Authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability (including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions) or, at the direction of a Public Health Authority, an official of a foreign government agency that is acting in collaboration with the Public Health Authority;

- 36 -

2. Reporting Abuse or Neglect: A Public Health Authority or other appropriate government authority authorized by law to receive reports of child, adult and elder abuse or neglect;

3. FDA Regulation: A person subject to the jurisdiction of the Food and Drug Administration (“FDA”) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity, including (A) collecting or reporting adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations, (B) tracking FDA-regulated products, (C) enabling product recalls, repairs, replacement, or look back (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of look back), and (D) conducting post marketing surveillance;

4. Disease Control: A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition if IPPI or a Public Health Authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or

5. Immunization Records. Student immunization records required by a school prior to admitting the student, provided IPPI documents the requested disclosure from the parent, guardian or person acting in loco parentis, or the Person Served.

B. Prior to the release of PHI to a health oversight authority, the approval of the State Privacy Officer in consultation with the Corporate Privacy Officer shall be required.

C. Forms used in the Administration of this provision:

1. Privacy Disclosure Log (See 15, Part C (Forms) of the Manual.)

XXVI. MISCELLANEOUS PERMITTED USES/WORKER’S COMPENSATION

Policy: The HIPAA Privacy Standards do not require the prior written authorization of the Persons Served to release PHI as authorized by, and to the extent necessary to comply with laws relating to Workers’ Compensation or similar laws that provide benefits for work-related injuries or illness without regard to fault.

- 37 -

Procedures:

A. IPPI may, therefore, disclose PHI to employers, Workers’ Compensation carriers, and state officials to process and adjudicate and/or coordinate Workers’ Compensation claims.

B. A use or disclosure of PHI that constitutes an individual’s entire medical record or psychotherapy notes shall not be considered to be made under routine circumstances and shall require the approval of that state privacy officer.

C. Uses and Disclosures Due to Imminent Threat to Health or Safety: IPPI may, consistent with applicable law and standards of ethical conduct, use or disclose PHI if IPPI, in good faith, including reliance on actual knowledge or on a credible representation by a person with apparent knowledge or authority, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and involves PHI, including psychotherapy notes, disclosed to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

D. Uses and Disclosures Required by Military Authority: IPPI may use or disclose the PHI of individuals who are Armed Forces personnel, or foreign military personnel, for activities deemed necessary by appropriate military command authorities to assure the proper execution of a military mission, if the appropriate military authority has published by notice in the Federal Register (i) the appropriate military command authorities and (ii) the purposes for which the PHI may be used or disclosed.

E. Uses and Disclosures for National Security Activities: IPPI may disclose PHI to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. § 401 et seq.) and implementing authority (e.g., Executive Order 12333).

F. Disclosures to Coroners and Medical Examiners: IPPI may disclose PHI, including psychotherapy notes, to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. In connection with such disclosure, IPPI shall not be required to redact identifying information about persons other than the deceased individual.

- 38 -

G. Disclosures to Funeral Directors: IPPI may disclose an individual’s PHI to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the individual after his death, or prior to and in reasonable anticipation of the individual’s death.

H. Forms used in the administration of this policy.

1. HIPAA Privacy Disclosure Log (See 15, Part C (Forms) of the Manual).

XXVII. AUTHORIZATIONS/WHEN AUTHORIZATIONS ARE REQUIRED

Policy: IPPI must obtain the authorization of the Persons Served and/or their personal representatives before it discloses PHI unless the disclosure is permitted or required under the Privacy Policy (sections XXI-XXVI above).

Procedures:

A. To be valid, an authorization must be written in plain language and include specific core elements and notification requirements.

B. When PHI is provided, based on an authorized request or consent, the date the materials are sent shall be noted on the request or consent form, or on another form, and placed in the file of the Persons Served.

C. Forms used in the administration of this policy.

1. Authorization for Release of Information (See 4, Part C (Forms) of the Manual).

XXVIII. AUTHORIZATIONS/CORE ELEMENTS OF AN AUTHORIZATION

Policy: The authority of personal representatives to act on behalf of a Person Served shall be appropriately verified and authorized only as described herein.

Procedures:

A. Identification of Personal Representatives:

1. A person qualifies as an individual’s “personal representative” to the extent the person has authority under applicable state or federal law to act on the individual’s behalf in connection with the individual’s PHI, including a person with authority to act on behalf of a deceased individual or the individual’s estate.

- 39 -

2. A person who presents him or herself to IPPI as the personal representative of an individual in order to exercise the rights of that individual afforded to an individual under the HIPAA Privacy Rules and/or this Manual shall be required to provide documentation of his or her status to IPPI, except that in the case where a person presents himself or herself as the parent of an individual who is a minor child, verification may be based on confirmation of the child’s enrollment as the dependent minor child of the person in a benefit plan.

3. In the case of a person whose representation is based on an attorney-client relationship with the individual, the person must present or transmit by facsimile a verification of legal representation.

4. IPPI staff, in consultation with the State Privacy Officer, shall determine whether the documentation indicates that under applicable law the person is legally entitled to act on behalf of the individual.

5. Notwithstanding paragraph 4 of this subsection, the State Privacy Officer may elect not to treat a person as an individual’s personal representative if (i) the State Privacy Officer has reasonable belief that (A) the individual has been or may be subjected to domestic violence, abuse, or neglect by such person or (B) treating such person as the personal representative could endanger the individual; and (ii) the State Privacy Officer, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.

6. A person that is determined to be an individual’s legal representative must also verify his or her identity as that person through the verification processes described in this section.

B. Authority of Personal Representatives:

If the State Privacy Officer or his/her designee determines that a person is an individual’s personal representative, IPPI shall treat such person as the individual for purposes of this policy. For example, the person has the authority to sign and revoke authorizations on behalf of the individual, and the person has the authority to exercise the individual privacy rights described in this policy on behalf of the individual.

- 40 -

C. Documentation of Personal Representative Determinations:

Upon making a determination regarding whether to recognize a person as an individual’s personal representative, the State Privacy Officer or his/her designee shall document the determination. IPPI shall retain such documentation in accordance with Section XXXIX of this Manual.

D. Valid Authorization:

The core elements required in a valid authorization are as follows:

1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

2. The name or other specific identification of the person(s) or class of persons authorized to make the use/disclosure;

3. The name or other specific identification of the person(s) or class of persons to whom the covered entity may make the use/disclosure;

4. A description of each purpose of the requested use or disclosure. If the persons served or their legal representatives request the information to be disclosed, then the authorization need not describe the purposes for which the request is made, but must state that the disclosure is at the request of the person served or his/her legal representative;

5. The authorization’s expiration date, or an expiration event that relates to the person served or to the purpose or use of the requested disclosure. For purposes of a research study, including creation and maintenance of a research database, or research depository, phrases such as “none” or “at the end of the research study” are acceptable;

6. The signature of the Person Served, with a date, or, in the case of the signature of the legal representative of the individual, identity verification and the description of that person’s authority to act for the person served. Initials may be accepted in lieu of signature when documents are added to a file;

7. The right to revoke the authorization with a written notice and either: (a) the exceptions to the right to revoke and instructions on how to revoke, or, (b) a reference to IPPI’s Notice of Privacy Practices, if that notice contains a description of the right to revoke, exceptions to the right to revoke, and instructions on how to do so;

- 41 -

8. Whether the covered entity conditions treatment, payment, enrollment, or eligibility for benefits on the authorization, by stating either: (a) that IPPI is prohibited from conditioning treatment, payment, enrollment, or eligibility for benefits on the individual’s agreement to sign the authorization, or (b) the consequences to the individual if s/he refuses to sign the authorization, but only as permitted; and

9. A statement that information used/disclosed under the authorization may be subject to re-disclosure by the recipient and no longer be protected (e.g., under permitted uses). If IPPI is assured that the information will remain protected after disclosure, either under its own or another entity’s policies, it may so state in the notice.

XXIX. AUTHORIZATION/ SPECIAL CASE/PSYCHOTHERAPY NOTES

Policy: Psychotherapy notes shall not be treated “routinely” and shall be used and disclosed with special care.

Procedures:

A. Psychotherapy notes are notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a counseling session.

B. Such notes must be separated from the rest of the individual’s medical record.

C. Such notes do not include medication prescription and monitoring, the start and stop times and dates of counseling sessions, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.

D. Except as provided in this policy, IPPI will obtain an individual’s authorization prior to use or disclosure of psychotherapy notes.

E. IPPI may use or disclose psychotherapy notes in the following instances without obtaining authorization of the Person Served:

1. to carry out treatment, payment or healthcare operations including:

a) use of psychotherapy notes by the originator for treatment;

b) use or disclosure by IPPI in training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family or individual counseling; and

c) use or disclosure by IPPI to defend itself in a legal action or other proceeding brought by the individual.

- 42 -

2. use or disclosure that is required by compliance investigations;

3. use or disclosure permitted or required by law;

4. use or disclosure permitted by health oversight with respect to the oversight of the originator of the psychotherapy notes;

5. use or disclosure permitted to the decedents; or

6. use or disclosure required if there is a threat to public safety.

F. IPPI will not condition treatment, enrollment or eligibility for benefits of an individual on a requirement that the individual provide a specific authorization for the disclosure of psychotherapy notes.

G. The authorization will be written in plain language and may only be combined with another authorization for a use or disclosure of psychotherapy notes.

H. The authorizations will contain the core elements and the notice requirements as set forth in section XXVIII above and XL, of this Part A of the Manual below.

XXX. AUTHORIZATION/SPECIAL CASE/MARKETING

Policy: The HIPAA Privacy Rule gives individuals important controls over whether and how their PHI is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her PHI can be made for marketing. So as not to interfere with core health care functions, the Rule distinguishes marketing communications from those communications about goods and services that are essential for quality health care.

Procedures:

A. This section of the policy addresses the use and disclosure of PHI for marketing purposes by:

defining what is “marketing” under the Rule;

excepting from that definition certain treatment or health care operations activities; and

requiring individual authorization for all uses or disclosures of PHI for marketing purposes, with limited exceptions.

NOTE: If IPPI receives financial remuneration from a third party whose products or services are being marketed, authorization is required.

B. The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if IPPI first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below.

An example of a “marketing” communication requiring prior authorization is a communication from a hospital informing former patients about a cardiac facility, not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.

Marketing also means “an arrangement between a covered entity and any other entity whereby the covered entity discloses PHI to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.” This part of the definition of marketing has no exceptions. The individual must authorize these marketing communications before they can occur.

C. A covered entity may not sell PHI to a Business Associate or any other third party for that party’s own purposes. Moreover, covered entities may not sell lists of patients or enrollees to third parties without obtaining consent from each person on the list. For example, it is “marketing” when a drug manufacturer receives a list of patients from a covered health care provider and provides remuneration, then uses that list to send discount coupons for a new anti-depressant medication directly to the patients.

D. The Privacy Rule carves out exceptions to the definition of marketing under the following three categories:

1. A communication is not “marketing” if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about health-related products or services available only to a health plan enrollee that add value to, but are not PHI, of a plan of benefits.

This exception to the marketing definition permits communications by a covered entity about its own products or services. For example, under this exception, it is not “marketing” when a hospital uses its patient list to announce the arrival of a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., x-ray machine or magnetic resonance imaging machine) through a general mailing or publication.

2. A communication is not “marketing” if it is made for treatment of the individual and without financial remuneration from a third party whose products or services are being marketed.

For example, under this exception, it is not “marketing” when:

a pharmacy or other health care provider mails prescription refill reminders to patients, or contracts with a mail house to do so; or

a primary care physician refers an individual to a specialist for a follow-up test or provides free samples of a prescription drug to a patient.

3. A communication is not “marketing” if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual, and without financial remuneration from a third party whose products or services are being marketed.

For example, under this exception, it is not “marketing” when:

an endocrinologist shares a patient’s medical record with several behavior management programs to determine which program best suits the ongoing needs of the individual patient; or

a hospital social worker shares medical record information with various nursing homes in the course of recommending that the patient be transferred from a hospital bed to a nursing home.

For any of the three exceptions to the definition of marketing, the activity must otherwise be permissible under the Privacy Rule, and a covered entity may use a Business Associate to make the communication.

E. Marketing Authorizations and When Authorizations Are Not Necessary: Except as discussed below, any communication that meets the definition of marketing is not permitted unless the covered entity obtains an individual’s authorization in accordance with this policy. To determine what constitutes an acceptable “authorization,” see 45 CFR 164.508. If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved. A communication does not require an authorization, even if it is marketing, if it is in the form of a face-to-face communication made by a covered entity to an individual, or a promotional gift of nominal value provided by the covered entity. For example, no prior authorization is necessary when a hospital provides a free package of formula and other baby products to new mothers as they leave the maternity ward.

XXXI. AUTHORIZATION/REVOCATION, RESTRICTION OF USES

Policy: Persons Served and/or their personal representatives generally may revoke an authorization at any time, or restrict the uses of the authorization, by delivering a written request for the revocation or restriction.

Procedures:

A. This policy is subject to two exceptions:

1. IPPI has taken action in reliance upon the authorization; or

2. the authorization was obtained as a condition of obtaining insurance coverage.

B. The original authorization must contain clear instructions on how to revoke/restrict the authorization, or, if such instructions are contained in the Notice of Privacy, the authorization may refer to that document.

C. The revocation/restriction renders the authorization invalid once IPPI knows the authorization has been revoked/restricted. Knowledge is inferred from receipt of the revocation/restriction, but not before.

D. IPPI must permit Persons Served and/or their personal representatives to request that IPPI restrict uses and disclosures of PHI:

1. to carry out Treatment, Payment, and Operations; and

2. for permitted disclosures to family members and to others who are involved in the individual’s care.

E. While IPPI is not required to agree to a restriction, if it does agree, it must not use or disclose the PHI in violation of the restriction, subject to certain exceptions as specified in this policy, e.g., emergency care for the purpose of treatment.

F. In no event shall IPPI agree to a restriction that limits the use or disclosure of PHI for permitted uses, including treatment by another provider, law enforcement, public health, etc., as described in this section.

G. If IPPI has agreed to restrict the disclosure of PHI, then it cannot terminate that agreement unless:

1. the individual agrees to, or requests, the termination in writing;

2. the request is oral and the oral request is documented; or

3. IPPI informs the individual that it is terminating its restriction agreement, except that such termination will be effective only with respect to PHI created or received by the covered entity after the termination of the restriction.

H. The determination of whether to grant a restriction or to terminate it shall be made by the State Privacy Officer.

I. Forms used in the Administration of this Policy:

1. Request for Restrictions on Use or Disclosure of Protected Information (See 11, Part C (Forms) of the Manual).

2. Response to Request for Restrictions on Use or Disclosure of Protected Health Information (See 12, Part C (Forms) of the Manual).

XXXII. RIGHT OF ACCESS/NOTIFICATION

Policy: HIPAA gives individuals the right to access and obtain copies of their protected health information that IPPI (or its business associates) maintains in designated record sets. HIPAA also provides that individuals may request to have their PHI amended, and that they are entitled to an accounting of certain types of disclosures.

Procedures:

A. “Designated Record Set” Defined. A “Designated Record Set” is a group of records maintained by or for IPPI that includes other protected health information used, in whole or in part, by or for IPPI to make coverage decisions about an individual.

B. Procedures. Request from Individual, Parent of Minor Child, or Personal Representative. Upon receiving a written request from an individual (or from a minor’s parent or an individual’s personal representative) for disclosure of an individual’s PHI, IPPI staff must take the following steps:

1. Follow the procedures for verifying the identity of the individual (or parent or personal representative).

2. Review the disclosure request to determine whether the PHI requested is held in the individual’s designated record set. See the State Privacy Officer if it appears that the requested information is not held in the individual’s designated record set. No request for access may be denied without approval from the State Privacy Officer.

3. Review the disclosure request to determine whether an exception to the disclosure requirement might exist; for example, disclosure may be denied for requests to access psychotherapy notes, documents compiled for a legal proceeding, certain requests by Persons Served, information compiled during research when the individual has agreed to denial of access, information obtained under a promise of confidentiality, and other disclosures that are determined by a health professional to be likely to cause harm. If there is any question about whether one of these exceptions applies, the State Privacy Officer should be contacted. No request for access may be denied without approval from the State Privacy Officer.

4. Respond to the request by providing the information or denying the request within 30 days. If the requested PHI cannot be accessed within the 30-day period, the deadline may be extended for 30 days by providing written notice to the individual, within the original 30-day period, of the reasons for the extension and the date by which IPPI will respond.

5. A Denial Notice must contain (1) the basis for the denial; (2) a statement of the individual’s right to request a review of the denial, if applicable; and (3) a statement of how the individual may file a complaint concerning the denial. All notices of denial must be prepared or approved by the State Privacy Officer. Note: All denials must be approved by the State Privacy Officer.

6. Provide the information requested in the form or format requested by the individual, if readily producible in such form. Otherwise, provide the information in a readable hard copy or such other form as is agreed to by the individual.

7. If the individual has requested a summary and explanation of the requested information in lieu of, or in addition to, the full information, prepare such summary and explanation of the information requested and make it available to the individual in the form or format requested by the individual.

8. IPPI may charge a reasonable cost-based fee for copying, postage, and preparing a summary (but the fee for a summary must be agreed to in advance by the individual).

9. Disclosures must be documented in accordance with Section XXXIX, “Documentation and Recordkeeping Accounting for Disclosures.”

C. Forms used in the Administration of this Policy:

1. Request to Inspect or Copy Protected Health Information (See 16, Part C (Forms) of the Manual).

2. Response to Request to Inspect Protected Health Information (See 17, Part C (Forms) of the Manual).

3. Privacy Disclosure Log (See 15, Part C (Forms) of the Manual).

XXXIII. RIGHT OF ACCESS/SPECIAL RULES FOR ACCESS TO TREATMENT NOTES

Policy: As noted in Section XXIX above, psychotherapy notes shall be treated differently than other PHI.

Procedures:

A. Special treatment includes limitations on access as well as on authorization and related matters. The special conditions applicable to access to Psychotherapy notes by Persons Served and their personal representatives are set forth at Section XLIV of this Part A of the Manual.

B. The description of the rights to these notes shall be written clearly and shall be included in the notification provided under Section XL of this Part A of the Manual, below.

XXXIV. RIGHT OF ACCESS/RIGHT TO CORRECT, MODIFY AND AMEND PHI

Policy: Persons Served and/or their legal representatives have the right to correct, modify and amend PHI.

Procedures:

A. Request from Individual, Parent of Minor Child, or Personal Representative. Upon receiving a request from an individual (or a minor’s parent or an individual’s personal representative) for amendment of an individual’s PHI held in a designated record set, the employee must take the following steps:

1. Follow the procedures for verifying the identity of the individual (or parent or personal representative) set forth in Verification of Identity of Those Requesting Protected Health Information.

2. Review the request to determine whether the PHI at issue is held in the individual’s designated record set. See the State Privacy Officer if it appears that the requested information is not held in the individual’s designated record set. No request for amendment may be denied without approval from the State Privacy Officer.

3. Review the request for amendment to determine whether the information would be accessible under HIPAA’s right to access (see the access procedures above). See the State Privacy Officer if there is any question about whether one of the access exceptions applies. No request for amendment may be denied without approval from the State Privacy Officer.

4. Review the request for amendment to determine whether the amendment is appropriate, that is, determine whether the information in the designated record set is accurate and complete without the amendment.

5. Respond to the request within 60 days by informing the individual in writing that the amendment will be made or that the request is denied. If the determination cannot be made within the 60-day period, the deadline may be extended for 30 days by providing written notice to the individual, within the original 60-day period, of the reasons for the extension and the date by which IPPI will respond.

6. When an amendment is accepted, make the change in the designated record set, and provide appropriate notice to the individual and all persons or entities listed on the individual’s amendment request form, if any, and also provide notice of the amendment to any persons/entities who are known to have the particular record and who may rely on the uncorrected information to the detriment of the individual.

B. When an amendment request is denied, the following procedures apply:

1. All notices of denial must be prepared or approved by the State Privacy Officer. A Denial Notice must contain (1) the basis for the denial; (2) information about the individual’s right to submit a written statement disagreeing with the denial and how to file such a statement; (3) an explanation that the individual may (if he or she does not file a statement of disagreement) request that the request for amendment and its denial be included in future disclosures of the information; and (4) a statement of how the individual may file a complaint concerning the denial. Note: Denial of amendment requests in inappropriate circumstances could lead to liability. For this reason, IPPI requires all denials to be approved by the State Privacy Officer.

2. If, following the denial, the individual files a statement of disagreement, include the individual’s request for an amendment, the denial notice of the request, the individual’s statement of disagreement, if any, and IPPI’s rebuttal/response to such statement of disagreement, if any, with any subsequent disclosure of the record to which the request for amendment relates. If the individual has not submitted a written statement of disagreement, include the individual’s request for amendment and its denial with any subsequent disclosure of the protected health information only if the individual has requested such action.

C. Forms used in the Administration of this Policy:

1. Request to Amend or Correct Protected Health Information (See 9, Part C (Forms) of the Manual).

2. Response to Request to Amend or Correct Protected Health Information (See 10, Part C (Forms) of the Manual).

XXXV. RIGHT OF ACCESS/RIGHT OF PERSONS SERVED TO RELEASE PHI

Policy: Persons Served and/or their legal representatives shall have a right to send their own PHI to whomever they wish.

Procedures:

A. Proper authorization is required for such PHI to be released, as set forth in Section XXVII of this Part A of the Manual.

B. The release of PHI to a Person Served shall be subject to the exceptions set forth in Section XXXIII, e.g., treatment notes.

C. The rights of the Person Served and the exceptions to those rights are described in the Notice of Privacy, Section XL of this Part A of the Manual.

XXXVI. REQUESTS FOR ALTERNATE CONFIDENTIAL COMMUNICATIONS

Policy: An individual shall have the right to designate a specific means and a specific location, if reasonable, for IPPI’s communications of PHI to the Person Served.

Procedures:

A. Individual’s Right to Request Confidential Communications. A Person Served or the personal representative of a Person Served shall have the right to request that IPPI communicate PHI to that individual by a specified means and/or to a specified location. Such request may cover all PHI or, if specifically identified, only a class of PHI (e.g., PHI relating to a certain disease).

B. IPPI’s Consideration of a Request for Confidential Communications.

1. The State Privacy Officer or his/her designee shall be responsible for receiving and processing the request of a Person Served for confidential communications. The Privacy Officer shall have ultimate authority regarding the disposition of such requests. Upon receipt by IPPI of a request for confidential communications on the appropriate form, IPPI shall suspend any communications of the individual’s PHI that are subject to the request.

2. IPPI may deny a request for confidential communications only for one or more of the following reasons:

i. the request is not in writing;

ii. the request does not specify an alternative method (e.g., e-mail or fax) or alternative location (e.g., business address or post office box) for Disclosure of PHI;

iii. the State Privacy Officer determines that the administrative difficulty that would result from granting the individual’s request would be unreasonable and would result in a more than modest additional cost.

C. Granting a Request. If IPPI grants an individual’s request, IPPI shall notify the individual through the alternative means specified for communications of PHI. See 5, Part C (Forms) of the Manual, Response to Request for Alternate Communications. Upon granting an individual’s request for confidential communications, IPPI shall conduct all communications of the individual’s PHI to the individual in accordance with the alternative means specified. A communication that contains both unrestricted PHI and restricted PHI shall be divided, with the restricted portion being sent in accordance with the granted request. The granted request shall be filed with the individual’s Designated Record Set in accordance with this Manual.

D. Denying a Request.

1. If IPPI denies an individual’s request for confidential communications, IPPI shall notify the individual of such denial. Such notification shall be given in accordance with the alternative means specified in the request unless (i) the request does not specify an alternative means or location, or (ii) a reason for the request’s denial is an unreasonable administrative difficulty and notifying the individual of such denial in the manner requested would, considered alone, result in an unreasonable additional cost. If the notification of denial is not sent in accordance with the specified alternative means and/or location, such notification shall be given directly to the individual (e.g., in person or by phone) or, if direct communication fails or is not feasible, shall be in writing, shall be addressed to the individual, and shall identify neither the affected PHI nor any specified alternative means and/or location.

2. A notification of denial shall set forth the reasons for denial and shall include a blank form Request for Confidential Communications of Medical Information.

E. Documentation of Requests for Confidential Communications. IPPI shall document (i) all requests for confidential communications; (ii) IPPI’s notifications of granted or denied requests; and (iii) the method of delivery of such notifications. Such documentation shall be retained in accordance with this Manual.

XXXVII. CONFLICT RESOLUTION

Policy: IPPI shall have in place a process for conflict resolution concerning all aspects of use and disclosure, including authorization, “permitted” use, revocation and restriction, access, correction, modification, amendment, and all other rights and restrictions concerning PHI which may arise from time to time.

Procedures:

A. The Person Served and/or his/her legal representative shall be notified of these procedures through the Notice of Privacy.

B. Should the Person Served or his/her personal representative not be satisfied at the end of the internal appeals process, he/she may file a formal complaint with the Federal Office for Civil Rights.

C. That right to appeal to the Federal Office for Civil Rights shall be described in the IPPI Notice of Privacy Policy provided to each Person Served or his/her personal representative.

D. Forms used in the Administration of this Policy:

1. Complaint Form (See 18, Part C (Forms) of the Manual).

XXXVIII. MITIGATION OF INADVERTENT DISCLOSURES OF PHI

Policy: IPPI shall mitigate, to the extent possible, any harmful effects that become known to it from a use or disclosure of an individual’s PHI in violation of HIPAA or the policies and procedures set forth in this Manual.

Procedures:

A. If an employee or Business Associate becomes aware of an unauthorized use or disclosure of PHI, either by an employee or a Business Associate, the employee or Business Associate must immediately contact the State Privacy Officer so that appropriate steps to mitigate harm to the Person Served can be taken.

XXXIX. DOCUMENTATION AND RECORDKEEPING ACCOUNTING FOR DISCLOSURES

Policy: An individual has the right to obtain an accounting of certain disclosures of his or her own PHI.

Procedures:

A. This right to an accounting extends to disclosures made in the last six years, other than disclosures:

1. to carry out treatment, payment or health care operations, or to individuals about their own PHI;

2. incident to an otherwise permitted use or disclosure;

3. pursuant to an authorization;

4. to persons involved in the individual’s care or payment for the individual’s care, or for certain other notification purposes;

5. to correctional institutions or law enforcement when the disclosure was permitted without authorization;

6. as part of a Limited Data Set, as defined herein;

7. for specific national security or law enforcement purposes; or

8. that occurred prior to the compliance date.

B. IPPI shall respond to an accounting request within 60 days. If IPPI is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the individual notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.

C. The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure (or a copy of the written request for disclosure, if any). If a brief purpose statement is included in the accounting, it must be sufficient to reasonably inform the individual of the basis of the disclosure.

D. The first accounting in any 12-month period shall be provided free of charge. The State Privacy Officer may impose reasonable production and mailing costs for subsequent accountings.

E. IPPI shall have a formal mechanism for documenting and maintaining an accounting of when the PHI of Persons Served has been used or disclosed. For some uses and disclosures, forms will be necessary. Examples include but are not limited to:

1. Authorization forms for release of PHI by Persons Served and/or their legal representatives;

2. Revocation/Restriction of Authorizations;

3. Request for Review of Record;

4. Request for Amendment of Record; and

5. Disclosure logs.

F. Signed copies of the above documents shall be kept in the files of the Persons Served, and a signed copy will be given to the Persons Served or their legal representatives.

G. Upon request, Persons Served and/or their legal representatives shall be informed of any disclosures of PHI, other than those for permitted uses.

H. Limited Data Set Defined: See the Definitions section.

I. Forms used in the Administration of this Policy:

1. Request for Accounting of Disclosures of Protected Health Information (See 7, Part C (Forms) of the Manual).

2. Response to Request for Accounting of Disclosures of Protected Health Information (See 8, Part C (Forms) of the Manual).
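The rules of Section XXXIX A through D, worked through as an added example that is not part of the Manual or of IPPI’s own disclosure-log tooling: it filters a constructed disclosure log by the six-year look-back and the excluded categories, checks that each reported entry carries the fields required in paragraph C, and computes the 60-day response deadline with the 30-day extension. The purpose codes, field names, sample entries and the compliance-date placeholder are assumptions made for illustration.

```python
"""Accounting of disclosures per Section XXXIX (added example, not Manual text).

Assumptions: purpose codes, field names and the sample log are constructed;
COMPLIANCE_DATE is a placeholder, since the Manual does not state the date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed purpose codes mapped to the exclusions in Section XXXIX A.
EXCLUDED_PURPOSES = {
    "treatment", "payment", "operations", "to_individual",   # A.1
    "incidental",                                             # A.2
    "authorization",                                          # A.3
    "involved_in_care",                                       # A.4
    "correctional_or_law_enforcement",                        # A.5
    "limited_data_set",                                       # A.6
    "national_security",                                      # A.7
}
LOOKBACK_DAYS = 6 * 365                 # A: disclosures made in the last six years
COMPLIANCE_DATE = date(2003, 4, 14)     # placeholder for A.8 (not stated in the Manual)


@dataclass(frozen=True)
class Disclosure:
    """One disclosure-log entry carrying the fields Section XXXIX C requires."""
    disclosed_on: date
    recipient: str                      # name of the receiving party
    description: str                    # brief description of the PHI disclosed
    purpose_code: str                   # constructed category used for the A exclusions
    purpose_statement: str = ""         # brief statement of purpose, if one was recorded
    written_request_ref: Optional[str] = None   # copy/reference of the written request, if any

    def is_accountable(self, as_of: date) -> bool:
        """True if this entry belongs in an accounting requested on `as_of`."""
        if self.disclosed_on < COMPLIANCE_DATE:                       # A.8
            return False
        if self.disclosed_on < as_of - timedelta(days=LOOKBACK_DAYS):  # six-year window
            return False
        return self.purpose_code not in EXCLUDED_PURPOSES              # A.1 to A.7

    def basis(self) -> str:
        """Paragraph C: a purpose statement or, failing that, the written request."""
        if self.purpose_statement:
            return self.purpose_statement
        if self.written_request_ref:
            return f"see written request {self.written_request_ref}"
        raise ValueError(f"entry dated {self.disclosed_on} lacks a purpose statement")


def build_accounting(log: List[Disclosure], as_of: date) -> List[dict]:
    """Return the accountable entries, oldest first, with the four required fields."""
    rows = []
    for d in sorted(log, key=lambda d: d.disclosed_on):
        if d.is_accountable(as_of):
            rows.append({"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
                         "description": d.description, "purpose": d.basis()})
    return rows


def response_deadline(received: date, extension_notice_sent: Optional[date] = None) -> date:
    """Paragraph B: 60 days, plus 30 only if the notice went out inside the first 60."""
    original = received + timedelta(days=60)
    if extension_notice_sent is not None and extension_notice_sent <= original:
        return original + timedelta(days=30)
    return original                     # a late notice does not extend the deadline


def fee_applies(request_date: date, prior_accountings: List[date]) -> bool:
    """Paragraph D: the first accounting in any 12-month period is free of charge."""
    return any(request_date - timedelta(days=365) < p <= request_date
               for p in prior_accountings)


# Constructed sample log for one Person Served (not real data).
SAMPLE_LOG = [
    Disclosure(date(2012, 3, 1), "County Health Department", "immunization record",
               "public_health", "required public health reporting"),
    Disclosure(date(2012, 5, 9), "Treating physician", "progress notes",
               "treatment", "continuity of care"),                 # excluded by A.1
    Disclosure(date(2005, 8, 20), "State court", "records per subpoena",
               "legal", written_request_ref="subpoena 2005-xyz"),  # outside six years
    Disclosure(date(2013, 1, 15), "State survey agency", "service plan",
               "health_oversight", written_request_ref="survey request 13-01"),
    Disclosure(date(2013, 2, 2), "Sister of Person Served", "appointment times",
               "involved_in_care", "family involved in care"),     # excluded by A.4
]

if __name__ == "__main__":
    for row in build_accounting(SAMPLE_LOG, date(2013, 9, 23)):
        print(row)
```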

XL. NOTICE OF PRIVACY POLICY

Policy: IPPI shall send a notice of the Privacy Policy to all Persons Served and/or their legal representatives.

Procedures:

A. In this notice, IPPI shall explain the rights of the Persons Served in regard to:

1. Access to the record;

2. Right of accounting, upon request, for all uses and disclosures except for permitted uses;

3. Right of the Person Served to restrict uses and disclosures of PHI;

4. Right of the Person Served to correct or amend the record according to procedures;

5. Notice of any exceptions or limitations to the above, e.g., as with therapy notes;

6. Complaint Resolution procedures, including the name and telephone number of the contact person for further information;

7. The uses and disclosures that may be made by IPPI;

8. IPPI’s legal duties with respect to PHI; and

9. Other information as required by the HIPAA Privacy Rules.

B. If requested, a representative of IPPI will explain the policy in detail to the Persons Served and/or their legal representatives.

C. Upon receipt of IPPI’s Notice of Privacy Policy, Persons Served and/or their legal representatives will sign a form acknowledging they have received such notice.

D. The Notice of Privacy Practices shall be placed on IPPI’s website. The Notice will be individually delivered:

1. At the time the individual becomes a Person Served; and

2. To a person requesting the notice.

Updates will be posted on the website and posted at service delivery sites. They also will be enclosed in an annual mailing to Persons Served after a material change in the Notice.

E. Forms used in the Administration of this Policy:

1. Notice of Availability of Privacy Practices (See 14, Part C (Forms) of the Manual).

2. Notice of Privacy Practices (See 15, Part C (Forms) of the Manual).

XLI. WRITTEN POLICIES/POSTING

Policy: All policies and procedures related to the Privacy of PHI shall be in writing.

Procedures:

A. An easily read and understood statement summarizing the rights of Persons Served with respect to PHI shall be developed and shall include all the information contained in the Notice of Privacy Policy.

B. Such summary shall then be posted in highly visible areas in IPPI’s facilities, including administrative offices, day programs and places of congregate living, and on the IPPI website.

XLII. SUBSTANTIVE CHANGES IN POLICY AND PROCEDURES/NOTIFICATION/TIMELINESS

Policy: All Persons Served and/or their legal representatives, and all Business Associates, shall be notified within a reasonable period of time of any substantive changes in the policies or procedures which affect PHI, and shall be notified of their right to receive a full copy of the Privacy and Security policies should they so request.

Procedures:

A. Such notifications shall be initiated by the Privacy Officer in coordination with the State Privacy Officer and posted on the IPPI website.

XLIII. TRAINING

Policy: IPPI’s policy is to conduct training in privacy of PHI for all employees and the Board of Directors.

Procedures:

A. The training requirements for complying with the privacy and security requirements of the Manual are set forth in Section XXII of Part B (Security) of the Manual.

XLIV. RETENTION OF PRIVACY DOCUMENTATION

Policy: IPPI shall engage in document retention efforts. The primary purpose of these efforts is to demonstrate past compliance and to facilitate continued compliance with the HIPAA Privacy Standards.

Procedures:

A. Overview of Privacy Documentation.

IPPI shall maintain records, either in written or electronic form, of its activities that are conducted in accordance with this Manual. The content, organization, and duration of such records are described in this Section XLIV.

B. Designated Record Set to Be Maintained for Each Covered Individual.

A Designated Record Set of all PHI held by IPPI shall be separately maintained for each Person Served. Any Psychotherapy Notes attributable to a Person Served shall be maintained separately from the rest of such individual’s medical record.

C. Contents of a Designated Record Set.

In addition to any PHI held by IPPI on behalf of a Person Served, the following documents shall be attached to the Designated Record Set:

1. Authorizations: Any valid Authorization signed by the covered individual, in the event that IPPI may presently use or disclose the PHI of the Person Served in reliance on such authorization. An authorization that has expired, been revoked, or otherwise been determined to be invalid shall be removed from the individual’s designated record set.

2. Determination to Treat a Person as a Personal Representative: documentation of any determination by the State Privacy Officer, or his/her designee, to treat a person as the covered individual’s personal representative in accordance with this policy. Such documentation shall be removed from the individual’s Designated Record Set in the event that the State Privacy Officer determines that such person is no longer the covered individual’s personal representative.

3. Restrictions on Uses and Disclosures: Any restriction on IPPI’s use or disclosure of PHI of a Person Served in accordance with this policy to which IPPI has agreed. Such restriction shall be removed from the individual’s designated record set in the event that it ceases to be effective.

4. Confidential Communications: Any request for confidential communications applicable to disclosures of PHI to the covered individual in accordance with this policy to which IPPI has agreed, along with any other applicable documentation required by that section. Such description of alternate communications shall be removed from the Designated Record Set of the Person Served in the event that it ceases to be effective.

5. Data Use Agreements: Any data use agreement to which IPPI has agreed in order to receive a Limited Data Set, in accordance with this Manual. Such data use agreement shall be removed from the Designated Record Set of the Person Served in the event that IPPI no longer maintains the applicable Limited Data Set.

D. Compliance Records: Maintained for Each Person Served.

For each Person Served, IPPI shall maintain the following applicable documents:

1. Accounted Disclosures of PHI: Listed disclosures of the individual’s PHI with descriptions, in accordance with this Manual. Documentation of a disclosure shall be retained at least until the date that is 10 years after the date on which the Disclosure occurred.

2. Suspension or Disclosure Inclusion in Accounting: Any request by a health oversight agency or law enforcement official that results in the suspension or inclusion in an accounting of disclosures shall be retained at least until the date that is 10 years after the expiration of the time period during which the applicable disclosures would be excluded from any accountings requested.

3. Requests for Entire Medical Record: In accordance with this policy, the justification for any IPPI request of the individual’s entire medical record. Such documentation shall be retained at least until the date that is 10 years after the date of the request.

4. Uses or Disclosures of Entire Medical Record: In accordance with this Manual, the justification for a use or disclosure of the individual’s entire medical record. Such documentation shall be retained at least until the date that is 10 years after the date of the use or disclosure.

5. Determinations of Personal Representatives: In accordance with this Manual, any determination regarding whether a person is the individual’s personal representative. Such documentation shall be retained at least until the date that is 10 years after the later of the determination date or, if the State Privacy Officer determines the person is the personal representative, the date on which such determination ceases to be effective.

6. Authorizations: In accordance with this policy, any Authorization received for IPPI’s use or disclosure of the individual’s PHI. Such documentation shall be retained at least until the date that is 10 years after the date on which the Authorization expires or is revoked.

7. Notification Disclosures: If the State Privacy Officer approves a notification disclosure concerning the individual (in accordance with this policy), the reasons for the determination that such notification disclosure is permissible. Such documentation shall be retained at least until the date that is 10 years after the date of disclosure.

8. Dates of Provision of a Notice: In accordance with this policy, a log of the dates on which the individual requests a copy of the notice of privacy practices and the dates on which he receives a copy. Documentation of each date shall be retained at least until the date that is 10 years after the date documented.

9. Requests for Access: The documents described in this Manual relating to the individual’s request for access. All such documents shall be retained at least until the date that is 10 years after the date on which the last document attributable to the applicable request for access was created.

10. Requests for Amendment: The documents described in this policy relating to the individual’s request for amendment. All such documents shall be retained at least until the date that is 10 years after the date on which the last document attributable to the applicable request for amendment was created.

11. Requests for Accounting: The documents described in this policy relating to the individual’s request for accounting. All such documents shall be retained at least until the date that is 10 years after the date the applicable accounting is provided.

12. Requests for Restriction on Use or Disclosure of PHI: The documents described in this policy relating to the individual’s request for restriction. All such documents, if attributable to a granted request, shall be retained at least until the date that is 6 years after the date on which the respective restriction is no longer effective. All such documents, if attributable to a denied request, shall be retained at least until the date that is 10 years after the date of denial.

13. Requests for Confidential Communications: The documents described in this policy relating to the individual’s request for confidential communications. All such documents, if attributable to a granted request, shall be retained at least until the date that is 10 years after the date on which the alternate communications are no longer in effect. All such documents, if attributable to a denied request, shall be retained at least until the date that is 10 years after the notification of denial.

14. Notification of Complaint Disposition: In accordance with this policy, any notification that is sent to the individual regarding the disposition of his complaint. Such notification shall be retained at least until the date that is 10 years after the date on which it is given.

F. Compliance Records:

IPPI shall maintain the following general privacy files and shall maintain them for the periods described below except as otherwise provided by law:

1. Policies and Procedures: The current written policies and procedures set forth in this Manual and, in accordance with this policy, any written policies and procedures that are no longer in effect. A superseded Section of the policies and procedures shall be retained at least until the date that is 10 years after the date it becomes superseded.

2. Notices of Privacy Practices: IPPI’s current version of the notice of privacy practices and, in accordance with this policy, any former version that is no longer in effect. A former version shall be retained at least until the date that is 10 years after the date it was revised.

3. Business Associate Contract Provisions: The provisions of contracts with a Business Associate that are intended to comply with this policy. Documentation of such contractual provisions shall be retained at least until the date that is 10 years after the date on which the provisions cease to be effective.

4. Data Use Agreements: Data use agreements that are intended to comply with this policy. Any such agreement shall be retained at least until the date that is 10 years after the date on which it ceases to be effective.

5. Designation of Contact Person: Documents identifying IPPI’s State Privacy Officer, in accordance with this policy. Such documentation shall be retained at least until the date that is 10 years after the date on which the identified person or office ceases to be the Contact Person.

6. Disposition of Complaints: In accordance with this Manual, documentation of a complaint received and its disposition. Such documentation shall be retained at least until the date that is 10 years after the date on which it is created.

7. Secretary Investigations: In accordance with this policy, any written communications with the Secretary regarding IPPI’s privacy policies and procedures. Each such document shall be retained at least until the date that is 10 years after the date on which it was created.

8. Mitigation Efforts: In accordance with this policy, documentation of IPPI’s efforts to mitigate the harmful effects of a privacy violation. Such documentation shall be retained at least until the date that is 10 years after the date on which it is created.

G. Records Relating to Personnel.

1. Privacy Training: In accordance with this policy, documentation of privacy training received by all employees and any signed PHI Employee Acknowledgement. Such documentation shall be retained at least until the date that is 10 years after the person’s date of termination of employment.

2. Sanctions: Description of any sanctions considered against the employee in accordance with this policy, whether or not imposed. Information that identifies the individual whose privacy rights were violated shall be removed to the extent practicable. All such documents shall be retained at least until the date that is 10 years after the date on which they were created.

XLV. SANCTIONS

Policy: It is the policy of IPPI to appropriately sanction employees for violations of the privacy and security procedures of the Manual and to communicate the system of sanctions to all employees.

Procedures:

A. The sanction procedures for violation of the privacy and security parts of this Manual are set forth at Section XXIII of Part B of the Manual.

B. Training shall also emphasize that certain breaches of HIPAA policy may require notification to other regulatory and licensing agencies, as well as local, state and federal law enforcement agencies, and may result in civil and/or criminal penalties.

XLVI. PRIVACY OFFICER

Policy: Each state shall have a Privacy Officer.

Procedures:

A. Each State Director shall designate a State Privacy Officer for the state and be responsible for developing a formal job description for that Officer.

B. In Vermont the Executive President shall designate a Corporate Privacy Officer for Vermont and for general oversight of Privacy issues for the Corporation, and be responsible for developing a job description for the duties of that person(s) both as State Privacy Officer of Vermont and as Corporate Privacy Officer.

XLVII. PRIVACY BREACH NOTIFICATION

Policy: IPPI adopts the policies and procedures set forth in this Manual as the provisions required by HIPAA for disclosure to affected individuals and the Department of Health and Human Services of privacy breaches.

Procedures:

A. Breach Defined.

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under 45 C.F.R. Part 164, Subpart E which compromises the security or privacy of protected health information.

1. Except as provided in paragraph 2 below, an acquisition, access, use, or disclosure of PHI in a manner not permitted by Subpart E is presumed to be a breach unless IPPI or the business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the PHI or to whom the disclosure was made;

(iii) Whether the PHI was actually acquired or viewed; and

(iv) The extent to which the risk to the PHI has been mitigated.

2. A Breach excludes:

(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of IPPI or a Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under 45 C.F.R. Part 164, Subpart E.

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at IPPI or a Business Associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which IPPI participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under Subpart E of this part.

(iii) A disclosure of protected health information where IPPI or a Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

B. Unprotected Health Information.

Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5 on the HHS Web Site.

C. Notification to Individuals.

1. Standard.

(i) General rule. Following the discovery of a breach of unsecured protected health information, the State Privacy Officer shall notify each individual whose unsecured protected health information has been, or is reasonably believed by IPPI to have been, accessed, acquired, used, or disclosed as a result of such breach.

(ii) Breaches treated as discovered. A breach shall be treated as discovered as of the first day on which such breach is known to IPPI, or, by exercising reasonable diligence, would have been known to IPPI.

2. Implementation specification: Timeliness of notification. Except as provided in 45 C.F.R. §164.412, the State Privacy Officer shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

3. Content of notification. The notification required by this section shall include, to the extent possible:

(a) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

(b) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

(c) Any steps individuals should take to protect themselves from potential harm resulting from the breach;

(d) A brief description of what IPPI is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and

(e) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

(f) Plain language requirement. The notification shall be written in plain language.

4. Methods of individual notification. The notification required by this section shall be provided in the following form:

(a) Written notice.

(i) Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available.

(ii) If IPPI knows the individual is deceased and has the address of the next of kin or personal representative of the individual (as specified under 45 C.F.R. §164.502(g)(4)), written notification by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available.

(b) Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual as described above, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual.

(i) In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means.

(ii) In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall:

(A) Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and

(B) Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual’s unsecured protected health information may be included in the breach.

(c) Additional notice in urgent situations. In any case deemed by the State Privacy Officer to require urgency because of possible imminent misuse of unsecured protected health information, IPPI may provide information to individuals by telephone or other means, as appropriate, in addition to written notice.

D. Notification to Media.

1. Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, the State Privacy Officer shall, following the discovery of the breach, notify prominent media outlets serving the State or jurisdiction.

2. Implementation specification: Timeliness of notification. Except as provided in 45 C.F.R. §164.412, IPPI shall provide the notification required by this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

3. Content of notification. The notification required by paragraph (a) of this section shall meet the requirements of 45 C.F.R. §164.404(c).

E. Notification to the Secretary.

1. The State Privacy Officer shall, following the discovery of a breach of unsecured protected health information as provided in 45 C.F.R. §164.404(a)(2), notify the Secretary of the Department of Health and Human Services of the breach.

2. Breaches involving 500 or more individuals. For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in 45 C.F.R. §164.412, provide the notification required by paragraph (a) of this section contemporaneously with the notice required by 45 C.F.R. §164.404(a) and in the manner specified on the HHS Web site.

3. Breaches involving fewer than 500 individuals. For breaches of unsecured protected health information involving fewer than 500 individuals, the State Privacy Officer shall maintain a log and other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS Web site.

F. Notification by a Business Associate.

1. Standard.

(a) A Business Associate shall, following the discovery of a breach of unsecured protected health information, notify the State Privacy Officer of such breach.

(b) Breaches treated as discovered. A breach shall be treated as discovered by a Business Associate as of the first day on which such breach is known to the Business Associate or, by exercising reasonable diligence, the breach would have been known to the Business Associate. A Business Associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the Business Associate (determined in accordance with the federal common law of agency).

(i) Timeliness of notification. Except as provided in 45 C.F.R. §164.412, a Business Associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

(ii) Content of notification. The notification required by this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been or is reasonably believed by the Business Associate to have been accessed, acquired, used, or disclosed during the breach.

(c) A Business Associate shall provide IPPI with any other available information that IPPI is required to include in notification to the individual under 45 C.F.R. §164.404(c) at the time of the notification required by this section or promptly thereafter as information becomes available.

(d) Law enforcement delay. If a law enforcement official states to IPPI or a Business Associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, IPPI or the Business Associate shall:

(i) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or

(ii) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the original statement, unless a written statement as described in this section is submitted during that time.

XLVIII. PRIVACY OFFICER/JOB DESCRIPTION

The State Privacy Officers for each state and for Vermont, and the Corporate Privacy Officer, shall be responsible for developing a job description of the duties and functions of that position. The Corporate Privacy Officer shall be responsible for the development and implementation of policies and procedures relating to the privacy of PHI. The State Privacy Officer will serve as the contact person for Persons Served who have questions, concerns or complaints about the privacy of their PHI. The Corporate Privacy Officer is responsible for ensuring that IPPI complies with the provisions of HIPAA privacy rules regarding Business Associates, including the requirement that a covered entity have a HIPAA compliant Business Associate Agreement in place with all Business Associates. The State Privacy Officer shall also be responsible for monitoring compliance by all Business Associates with the HIPAA privacy rules and this policy. IPPI will comply with the requirements of the HITECH Act and its implementing regulations to provide notification to affected individuals, HHS, and the media (when required) if IPPI or one of its Business Associates discovers a breach of unsecured PHI.

IN ORDER TO IMPLEMENT IPPI’S GENERAL STATEMENT, IPPI HAS DEVELOPED THE FOLLOWING PROCEDURES RELATED TO SECURITY

PART B. SECURITY PROCEDURES

I. GENERAL REQUIREMENTS OF THE SECURITY STANDARDS

Policy: IPPI intends to comply with four general HIPAA Security compliance requirements that apply to all covered entities and which are designed to:

Procedures:

A. Ensure the confidentiality, integrity and availability of all protected health information which it creates, receives, maintains or transmits;

B. Protect against any reasonably anticipated threat or hazard to the confidentiality, availability and integrity of such information;

C. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy policies and procedures; and

D. Enforce workforce compliance to ensure the security of PHI.

Procedure: The procedures implementing this policy follow.

II. ELECTRONIC PHI

Policy: It is IPPI’s policy to comply fully with the requirements of HIPAA/HITECH security regulations. HIPAA, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and their implementing regulations and guidance require IPPI to implement various security measures with respect to electronic protected health information (electronic PHI). Whenever reference is made to PHI in its electronic form, it shall refer to electronic PHI as defined in this Section B II.

Procedures:

Electronic PHI is protected health information that is transmitted by or maintained in electronic media. Electronic Media means:

1. Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;

2. Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide-open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media; or

3. Certain transmissions via electronic media, although the information being exchanged did not exist in electronic form before the transmission.

III. PHI ADMINISTRATIVE PROCEDURES

Policy: Administrative procedures shall be in place which shall guard the data integrity, privacy and permitted availability of PHI.

Procedures: The procedures are those described in Part A (Privacy).

IV. SYSTEM INVENTORY

Policy: A systems inventory shall be kept.

Procedures:

A. The IPPI Security Officer shall keep a systems inventory of all hardware, software, applications, servers, etc. to see that Security measures are kept up to date and that new hardware/software, etc. do not compromise the security system.

B. Security hardware and software shall be periodically updated and incorporated into the system by the IPPI Security Officer, as more efficient security systems are developed.

C. Each State shall keep its own system inventory with a copy sent to the Network Administrator.

V. SYSTEMIC RISK ANALYSIS

Policy: IPPI shall conduct a corporate-wide risk analysis using the standard Federal HIPAA Risk Analysis format initially and every three years thereafter. If major system or business changes occur, or there is a major change in HIPAA policies or procedures prior to the three-year period, IPPI will conduct a risk analysis within a reasonable time after the changes occur.

Procedures:

A. IPPI manages risks to its electronic PHI by limiting vulnerabilities, based on its risk analyses, to a reasonable and appropriate level, taking into account the following:

1. The size, complexity, and capabilities of IPPI;

2. IPPI’s technical infrastructure, hardware, software, and security capabilities;

3. The costs of security measures; and

4. The credibility of the electronic PHI potentially affected.

B. Based on the risk analysis discussed in this Section V, IPPI has made a reasoned, well-informed and good-faith determination on the implementation of the HIPAA security regulations that it need not take any additional security measures, other than the measures set forth herein and the measures of the Business Associates, to reduce risks to the confidentiality, integrity and availability of electronic PHI.

VI. RISK MANAGEMENT PROGRAM

Policy: The HIPAA Implementation Committee shall address solutions to the risks identified in the risk analysis, and shall provide the oversight to see that corrections are implemented in a timely fashion.

Procedures:

A. The HIPAA Implementation Committee shall be composed of all State Security and Privacy Officers, IT Coordinators, the corporate HR Officer, and other positions or individuals as determined by the Executive President.

B. The members of the HIPAA Implementation Committee are appointed by the Executive President.

C. The HIPAA Implementation Committee shall meet at least annually and as often as is necessary to carry out its responsibilities.

D. Minutes of the HIPAA Implementation Committee meetings shall be kept and maintained in the office of the Corporate Privacy Officer.

VII. LOW LEVEL RISK INFRASTRUCTURE

Policy: The IPPI Security Officer shall have the overall authority and ultimate responsibility to develop and maintain the electronic infrastructure that will systemically reduce the risk of an electronic breach to PHI.

Procedures:

A. The IPPI Security Officer’s position shall be located in the IPPI Network Administrator’s office and shall be a member of and report to the HIPAA Implementation Committee.

B. The Committee shall meet as is necessary to fulfill these responsibilities.

VIII. ACCESS/AUTHORIZATION

Policy: Only authorized employees shall have access to the PHI of Persons Served.

Procedures:

A. Access shall be determined in accordance with Section V of Part A (Privacy) of the Manual.

IX. REVIEW OF AUTHORIZATION AND OTHER INFRASTRUCTURE REQUIREMENTS

Policy: It is the policy of IPPI to review authorizations of access to PHI.

Procedures:

A. Members of the HIPAA Implementation Committee are empowered to question the authorization of any staff with respect to records or parts of records that contain PHI or any other infrastructure requirement.

B. If a member believes the State Director, or his/her designee, has incorrectly authorized any person to access PHI, or an infrastructure requirement is inappropriate for his/her state to implement, s/he may respectfully challenge the decision directly to the State Director.

C. If the State Director disagrees, the Committee member may bring the issue before the Committee.

D. If the Committee agrees with the Committee member, then the Executive President of IPPI shall order the previously authorized person to no longer be authorized or to make changes in the infrastructure requirement.

E. If the State Director still disagrees, s/he may appeal the Executive President’s decision to the Senior Management Committee and the decision of that committee shall be final.

X. CRIMINAL BACKGROUND CHECKS/PHI

Policy: Criminal background checks shall be done on all applicants for employment and employees.

Procedures:

A. The State Human Resources Director shall be responsible for authorizing criminal and background checks on IPPI applicants and staff.

B. If a background or reference check evidences a prior breach of confidentiality of PHI or confidential information, the applicant shall not be hired without a full understanding of the circumstances and final approval by the State Director.

C. Employees who falsify information in the application process, or who fail to divulge a breach of confidentiality of PHI that has resulted in disciplinary action against the employee, may be disciplined up to and including immediate termination.

XI. AUTHENTICATION/PASSWORD MANAGEMENT SYSTEM

Policy: A password management system shall be developed and implemented as described below that will allow access to PHI only to employees who have been approved.

Procedures:

A. Only authorized persons, as determined by IPPI alone, may have access to the PHI of Persons Served.

B. The State Director or approved designee(s) shall determine what position shall have access to the file of a person served within each state and to what part of the file that staff member shall have access. Those decisions shall be made on the basis of a need to know for the provision of appropriate services and communicated to the Vermont Network Administrator and the State’s Security and Privacy Officers.

C. For electronic files, the State Director shall inform the Network Administrator or his/her designee(s) of the positions which have been given access to a file and to what part of that file access has been allowed, by position.

D. The Network Administrator, or the State Security Officer, or approved designee(s), shall then assign a user name and the authorized staff member who has been given access shall then choose a password. The Network Administrator, or the State Security Officer, or approved designee(s) shall then provide appropriate access to the authorized positions.

E. Each time an employee in an authorized position wishes to access a computer, s/he must enter his/her user name and password.

F. Passwords shall be changed periodically in accordance with best practices.

G. In order to further accommodate computer security, when employees are not at their computer terminal, screen savers shall be launched after no more than twenty (20) minutes of inactivity. The screen saver shall also be password protected to prevent unauthorized access to a computer and its stored information.

H. Staff who are no longer employed by IPPI shall have their user ID(s)

disabled. The State Director, or his/her designee(s) shall notify the

Network Administrator and the State Security Officer that a staff member

is no longer employed. When appropriate, the Network Administrator or

approved designee shall immediately disable the staff member’s access to

the network. Locally, the State Security Officer or approved designee(s)

shall also remove the staff member and his/her access.

XII. INTERNAL BREACHES/ATTEMPTS NOTED

Policy: Breaches and suspected breaches of PHI shall be reported to the Network Administrator.

Procedures:

A. When there have been five invalid attempts to log on to the system, access will be denied.

B. The Network Administrator or State Security Officer shall note the breach attempt.

C. A recognized utility will be used to stop breaches where access to information is gained through signatures. (Currently IPPI uses Citrix Secure Gateway.)

D. Should it be possible to trace the breach attempts to a particular staff member(s), corrective action shall be taken immediately by the State Security Officer in conjunction with the State Director, and notice of the breach and corrective action shall be given to the Network Administrator.

E. All staff shall be trained to report any suspected incidents of breaches in Security to the respective program manager and directly to the State Security Officer.

F. All such reports shall be documented and filed appropriately in a secure file or location in each state and shall include a description of the incident, findings, recommendations, corrective action and follow up. A copy of any sanctions which have been given to any staff member(s) shall be placed in the staff member(s)' personnel file.

G. The Network Administrator shall also be notified of all documented breaches of electronic files.
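The lockout and breach-attempt record required by Procedures A and B above, written out as an added illustration; this is not code from the IPPI manual or its systems. The five-attempt threshold comes from Procedure A; the event format, user names and workstation names are constructed sample data.

```python
"""Lockout counter and breach-attempt notes for Section XII.A-B (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_INVALID_ATTEMPTS = 5  # Procedure A: access denied after five invalid attempts

# Constructed sample logon events: (timestamp, user, workstation, outcome).
# The names and workstations are assumptions, not IPPI data.
SAMPLE_EVENTS = [
    ("2013-09-23T08:01:10", "jdoe",   "WS-VT-01", "success"),
    ("2013-09-23T08:05:02", "rsmith", "WS-MD-07", "failure"),
    ("2013-09-23T08:05:20", "rsmith", "WS-MD-07", "failure"),
    ("2013-09-23T08:05:41", "rsmith", "WS-MD-07", "failure"),
    ("2013-09-23T08:06:03", "rsmith", "WS-MD-07", "failure"),
    ("2013-09-23T08:06:25", "rsmith", "WS-MD-07", "failure"),  # fifth: locked
    ("2013-09-23T08:07:00", "rsmith", "WS-MD-07", "success"),  # still denied
    ("2013-09-23T09:12:44", "jdoe",   "WS-VT-01", "failure"),
    ("2013-09-23T09:13:01", "jdoe",   "WS-VT-01", "success"),  # resets counter
]


@dataclass
class LockoutState:
    """Per-user failure counters, locked accounts and the notes kept for the
    State Security Officer / Network Administrator (Procedure B)."""
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)
    breach_notes: list = field(default_factory=list)


def process_event(state, ts, user, workstation, outcome):
    """Apply one logon event. Returns 'allow', 'deny' or 'locked'."""
    if user in state.locked:
        # Every attempt against a locked account is recorded so it can later be
        # traced to a workstation and staff member (Procedure D).
        state.breach_notes.append(
            f"{ts} attempt on locked account {user} from {workstation}")
        return "locked"
    if outcome == "success":
        state.failures[user] = 0      # a valid logon clears the counter
        return "allow"
    state.failures[user] += 1
    if state.failures[user] >= MAX_INVALID_ATTEMPTS:
        state.locked.add(user)        # Procedure A: deny further access
        state.breach_notes.append(
            f"{ts} {user} locked after {MAX_INVALID_ATTEMPTS} invalid "
            f"attempts from {workstation}")
        return "locked"
    return "deny"


def run(events):
    """Replay a list of events; returns the per-event decisions and final state."""
    state = LockoutState()
    decisions = [process_event(state, *event) for event in events]
    return decisions, state


if __name__ == "__main__":
    decisions, state = run(SAMPLE_EVENTS)
    for event, decision in zip(SAMPLE_EVENTS, decisions):
        print(f"{event[0]} {event[1]:7} {decision}")
    print("\n".join(state.breach_notes))
```

Unlocking a locked account is deliberately left to the Security Officer's review rather than a timer, matching the manual's requirement that the attempt be noted and traced.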

XIII. SECURING PHI WHEN AUTHORIZED STAFF LEAVE

Policy: PHI shall be secured when employment is terminated.

Procedures:

A. In the event that an employee is terminated without notice, or suddenly leaves the agency, the State Security Officer, or designee, and the Vermont Network Administrator, or designee, shall be notified immediately, and any access to PHI authorized to that staff shall be denied at once to prevent any Security breaches. The employee's account shall be disabled immediately, and all authorization to any files shall be removed. If the State Security Officer has the ability and authority to disable an employee's account, s/he or his/her designee shall be charged with disabling the account. If the State Security Officer does not have the ability or authority to disable an account, the Vermont Administrator, or designee, shall be notified by the State Security Officer and shall disable the account. If the employee is from VT, the Network Administrator (who is also the VT State Security Officer), or designee, shall disable the account.

B. Should an employee be discharged with notice, or resign with notice, any decisions regarding the restriction of the employee to authorized files shall be at the discretion of the State Director, or the Executive President in Vermont if the employee is in the Vermont office. Whatever the decision, it shall be immediately communicated to the State Security Officer. If the State Security Officer has the ability and authority to disable an employee's account, the State Security Officer, or designee, shall disable the account based on the State Director's decision, e.g. either immediately or after the employee's last day of employment. If the State Security Officer does not have the authority or the ability, s/he will notify the Vermont Network Administrator, or designee, who will disable the account as per instructions of the State Director. Should the employee be from Vermont, the Executive President will make the decision about when the account shall be disabled and the Vermont Network Administrator (who is also the State Security Officer), or designee, shall disable the account as per instructions.

Network Administrator refers to the person who is responsible for managing the IPPI IT system across all states. The term also refers to any staff from the Network Administrator's office who has been authorized to provide technical assistance etc. to the Network Administrator and the States.

State IT Coordinator is the person in each state, appointed by the State Director, to manage and administrate the IT System in that State. It also refers to any person the State Coordinator designates to do a particular function at a particular time, and the "backup" persons listed by the State who are to be called in case the State Coordinator is not available.

XIV. CORRECTIONS OF ELECTRONIC RECORDS

Policy: Electronic records shall be corrected in accordance with HIPAA standards.

Procedures:

A. No material shall be deleted from an electronic record.

B. Material which is to be corrected shall be highlighted using various methods chosen by the State Privacy Officer, e.g. putting corrected material in bold, or underlining it, or putting it in italics, or putting parentheses around it.

C. The corrected information, or information to be substituted for the incorrect material, shall be highlighted using a different method than the method used to highlight the material which is corrected.

D. The substituted material shall then be dated and signed (if possible) by the person making the correction. If signing is not possible, the person making the correction shall type in his/her name.

E. Each state shall choose one method for identifying incorrect information and a different method for identifying the substitute material, for example bold for corrected material, italics for substituted material.

XV. SECURE TRANSMISSION OF ELECTRONIC DATA

Policy: Electronic data which is transmitted between the central office and state offices shall be protected by a security system that is secure in accordance with industry best practices.

Procedures:

A. The security system shall include, but not be limited to, firewalls and a secured access site which uses the https protocol.

B. The system shall be monitored from the servers, using Event Viewer to review logon attempts.

C. An SSL (Secure Sockets Layer) certificate shall be used for secured access.

D. SSL 128-bit encryption shall be used for secured access.

E. Firewall security shall be in place.

F. States shall have direct access linkage to the Vermont corporate office using the intranet secured site.

G. Any other features as may be determined, from time to time, appropriate for protecting electronic PHI.

XVI. PHI PROTECTION WHEN SHARED

Policy: To assure proper service, IPPI may share service delivery with other organizations, receive consultation, combine programs with other agencies, contribute data, undergo reviews etc.

Procedures:

A. Where IPPI makes available and/or transfers PHI to another individual provider, or another legal entity, in conjunction with goods or services, or for other purposes not related to treatment, the two parties shall sign a Business Associates Agreement, a sample copy of which is appended to this document.

B. Details concerning business associate agreements are set forth at Section VIII of this Part A of the Manual.

XVII. STORING ELECTRONIC DATA SECURELY

Policy: Electronic data shall be stored securely.

Procedures:

A. Electronic data stored on the servers in VT and all States shall be encrypted, and access to this data may only be achieved through the process of Authentication. (See Section XI of this Part B of the Manual, above.)

B. Back-up data shall be taken off site and secured.

C. Laptops shall be encrypted and files made available off line when needed.

D. No PHI is allowed to be stored on non-encrypted Laptops or Workstation PCs for any length of time. Such files shall instead be stored on USB devices, which shall be encrypted.

XVIII. DISPOSING OF ELECTRONIC DATA SECURELY

Policy: Electronic data shall be disposed of securely.

Procedures:

A. When any of the following are to be disposed of, their hard drives shall be wiped clean first; then they shall be destroyed by a secure disposal company whose business it is to destroy such hardware. In some instances the hardware may be disposed of by the Network Administrator, or the state consultant with approval from the Network Administrator.

B. The above procedure refers to data storage devices, including, but not limited to:

1. Workstation PCs and non-encrypted Laptops (note that these should not have PHI stored on them for any length of time);

2. Servers;

3. USB drives;

4. Tape drives;

5. Floppy disks, CDs and DVDs (Note: none of these should be used to store PHI);

6. External, encrypted hard drives;

7. Copiers, including leased copiers, which shall be scrubbed before being taken out of use.

XIX. PHI BACKUP

Policy: Electronic PHI shall be backed up in a manner that protects such data.

Procedures:

A. All PHI gathered on personal computers in offices or in the field shall be backed up on a regular basis and within a reasonable period of time, but no later than within seven days of its collection.

B. Such data must be backed up on an encrypted USB drive or a server. No data may be backed up on a floppy disk, CD, or DVD.

C. All backed up data from Servers which contains PHI must be stored in a secure location that does not have public access, is relatively secure from disasters, and whose temperature and humidity levels are such that the data will not be damaged.

D. IPPI shall work toward developing a system whereby there is a virtual back-up mechanism in place. (See Emergency plans referred to under Section XXI of this Part B of the Manual.)

XX. PREVENTION OF VIRAL/MALICIOUS SOFTWARE

Policy: All IPPI computers shall have IPPI approved antivirus protection software.

Procedures:

A. The central office Network Administrator and the State Security Officer(s) or approved designee(s) shall work together to routinely ensure that updates to the latest virus protection software are available to protect PHI.

B. All staff shall scan their computers (including all drives) as a preventive measure. The State Security Officer or his/her designee shall oversee this procedure.

C. Staff shall refrain from loading software onto their computers unless it has been approved by the central office Network Administrator.

D. Approved software shall be installed on individual workstations only by the central office Network Administrator or his/her designee, or by the State IT Consultant with the approval of the Network Administrator.

E. Once installed, staff shall not change settings (configurations) that are in place.

F. Staff may not download anything from the Internet unless it is work related.

G. The Network Administrator/Corporate Security Officer shall be responsible for detecting and halting the spread of viruses and other malicious software programs. His/her functions shall include infection prevention, detection of malicious software, and protection of systems and data from damage and/or corruption from the introduction of malicious software.

XXI. CONTINGENCY PLANS: BACKUP, DISASTER RECOVERY, EMERGENCY OPERATIONS

Policy: Contingency planning, including data backup, disaster recovery and emergency operations, shall be in place.

Procedures:

A. Oversight, policy, and procedures for these activities shall be the responsibility of the IT Department at IPPI and its Emergency Subcommittee.

B. Such policies and procedures shall be subject to approval of the Senior Management Team.

C. For specifics concerning contingency plans see Sections x-l of the IPPI IT Policies and Procedures, attached hereto as Exhibit A.

XXII. SECURITY AND PRIVACY TRAINING

Policy: All staff shall be trained in HIPAA Privacy and Security Procedures.

Procedures:

A. When these Policies and Procedures were first promulgated, staff and Board Members were trained in both Privacy and Security matters prior to April 15th, 2003. Subsequent to this, Privacy and Security training have been part of each employee's and Board Member's orientation.

B. Documentation of a particular employee's training shall be maintained.

C. Subsequent to orientation, Privacy and Security training shall occur every three years for all employees, or as frequently as is necessary to acquaint employees with significant changes in the Manual. Attendance shall be documented and placed in the employee's personnel file.

D. Training shall also emphasize that certain breaches of HIPAA policy may require notification of other regulatory and licensing agencies, as well as local, State and Federal law enforcement agencies, and may result in civil and/or criminal penalties.

E. All employees shall acknowledge they have read and understood the Manual using the Employee Acknowledgment Form (See Form 1 in Part C (Forms) of the Manual.).

XXIV. SANCTIONS POLICY

Policy: Sanctions shall be imposed by the State Director in each state, or in Vermont, by the Executive President, which policy shall be communicated to all employees.

Procedures:

A. Sanctions within IPPI may include disciplinary action, up to and including termination.

B. The sanction policy, which includes notice of HIPAA penalties as well as state and civil penalties and possible penalties based on the professional ethics of the employee's particular discipline, shall be included in the IPPI Personnel Manual.

C. All initial training and subsequent orientation training shall include information on HIPAA as well as the possibility of employee sanctions for violation of any HIPAA policies and procedures, up to and including immediate discharge.

XXV. FAIR ADMINISTRATION OF SANCTIONS POLICY

Policy: It is understood that if the sanction policy is administered in an inconsistent fashion it may be considered invalid when applied in subsequent violations. Consequently, the HIPAA sanction policy shall be administered fairly and consistently in all cases, once the HIPAA policies and procedures have gone into effect.

XXVI. WRITTEN SECURITY POLICIES AND PROCEDURES

Policy: All Security Policies and Procedures relating to PHI and strategies for implementing them shall be in writing and available for inspection by Persons Served.

Procedures:

A. These policies, procedures and implementation strategies shall be reviewed with all staff at orientation and with all staff already employed at the time of their official approval by IPPI.

B. Any subsequent employee trainings will also be grounded in the written Policies and Procedures contained in the Manual as the Manual, from time to time, is amended.

XXVII. REVIEW OF SECURITY POLICIES AND PROCEDURES

Policy: The HIPAA Implementation Committee is responsible for the development of Security Policies and Procedures.

Procedures:

A. The Committee shall review the Policies and Procedures periodically.

B. The Committee shall revise Policies and Procedures as necessary, for changes in federal and/or state laws, statutes and regulations, and given changes in the nature of IT Systems, the increase or decrease of risks, and the status of the Persons Served.

XXVII. SECURITY OFFICER

Policy: Each state shall have a Security Officer.

Procedures:

A. Each State Director shall designate a State Security Officer for the State and be responsible for developing a formal job description for that Officer.

B. In Vermont the Executive President shall designate a Corporate Security Officer for Vermont and for general oversight of Security issues for the Corporation, and be responsible for developing a job description for the duties of that person(s) both as Security Officer of Vermont and as Corporate Security Officer.

XXVIII. EXCEPTIONS

Policy: IPPI intends that these policies will be followed. However, IPPI recognizes that there may be circumstances where it is not prudent or practical to follow them and where an exception to the policies is warranted.

Procedures:

A. Exemptions from these policies must first be approved by the State Director in consultation with the State Security and State Privacy Officers, and must also be approved by the Network Administrator.

B. Even though an exemption is approved, it shall be reviewed and considered at the next scheduled meeting of the HIPAA Implementation Committee. If the committee does not approve the exemption, it shall no longer be in effect.

C. No exception from the policies shall be approved if it would violate the requirements of any applicable federal or state law.

XXIX. DISCLOSURES OF ELECTRONIC PHI TO BUSINESS ASSOCIATES

Policy: It is the policy of IPPI to identify all service providers who are Business Associates.

Procedures:

A. A Business Associate is an entity as defined in the Manual.

B. IPPI may retain the Business Associate to create, receive, maintain, or transmit electronic PHI on its behalf. IPPI has obtained or will obtain satisfactory assurances from all business associates that they will appropriately safeguard the information. Such satisfactory assurances shall be documented through a written contract containing all of the requirements of the HIPAA security regulations and specifically providing that the business associate will:

1. Implement administrative, physical, and technical safeguards and documentation requirements that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that the Business Associate creates, receives, maintains, or transmits on behalf of IPPI (the Contract Electronic PHI);

2. Ensure that any agents or subcontractors to whom the Business Associate provides electronic PHI agree to implement reasonable and appropriate security measures to protect the Contract Electronic PHI;

3. Report to IPPI any security incident of which the Business Associate becomes aware;

4. Take required steps with respect to breach notification requirements; and

5. Authorize termination of the contract by IPPI if IPPI determines that the Business Associate has violated a material term of the contract.

PART C. FORMS

1. HIPAA EMPLOYEE ACKNOWLEDGEMENT

2. BUSINESS ASSOCIATE AGREEMENT (Revised)

3. BUSINESS ASSOCIATE TRACKING WORKSHEET

4. AUTHORIZATION FOR RELEASE OF INFORMATION

5. REQUEST FOR ALTERNATE COMMUNICATIONS

6. RESPONSE TO REQUEST FOR ALTERNATE COMMUNICATIONS

7. REQUEST FOR ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION

8. RESPONSE TO REQUEST FOR ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION

9. REQUEST TO AMEND OR CORRECT PROTECTED HEALTH INFORMATION

10. RESPONSE TO REQUEST TO AMEND OR CORRECT PROTECTED HEALTH INFORMATION

11. REQUEST FOR RESTRICTIONS ON USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION

12. RESPONSE TO REQUEST FOR RESTRICTIONS ON USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION

13. NOTICE OF AVAILABILITY OF PRIVACY PRACTICES

14. NOTICE OF PRIVACY PRACTICES (Revised)

15. PRIVACY DISCLOSURE LOG

16. REQUEST TO INSPECT OR COPY PROTECTED HEALTH INFORMATION (Revised)

17. RESPONSE TO REQUEST TO INSPECT OR COPY PROTECTED HEALTH INFORMATION

18. COMPLAINT FORM
