Part 2 - Services to Indians and Others
Chapter 7 - Health Insurance Portability and Accountability Act
Privacy Rule and the Privacy Act
Manual Exhibit 2-7-A
Policy and Procedure for Patients' Rights to Access, Inspect, and Obtain a Copy of Their Protected Health Information
Manual Exhibit 2-7-B
Policy and Procedure for Matters Related to Accounting of Disclosures of Protected Health Information
Manual Exhibit 2-7-C
Policy and Procedure for the Transmittal of Confidential Communication by Alternate Means or to an Alternate Location
Manual Exhibit 2-7-D
Policy and Procedure for Use or Disclosure of Health Information Pursuant to Authorization or Valid Written Request
Manual Exhibit 2-7-E
Policy and Procedure for Requests for Correction/Amendment of Protected Health Information
Manual Exhibit 2-7-F
Policy and Procedure for De-Identification of Protected Health Information and Subsequent Re-Identification
Manual Exhibit 2-7-G
Policy and Procedure for Use and Disclosure for Directory Purposes
Manual Exhibit 2-7-H
Policy and Procedure for the Use and Disclosure of Protected Health Information during a Disaster and for Disaster Relief Purposes
Manual Exhibit 2-7-I
Policy and Procedure for Sending and Receiving Protected Health Information by Facsimile
Manual Exhibit 2-7-J
Policy and Procedure for Creating a Limited Data Set
Manual Exhibit 2-7-K
Policy and Procedure for Limiting the Use or Disclosure of and Requests for Protected Health Information to the Minimum Necessary
Manual Exhibit 2-7-L
Policy and Procedure for Providing Indian Health Service Notice of Privacy Practices
Manual Exhibit 2-7-M
Policy and Procedure for Use and Disclosure of Protected Health Information for Involvement in the Patient's Care and For Notification Purposes
Manual Exhibit 2-7-N
Policy and Procedure for Maintenance, Use, and Disclosure of Psychotherapy Notes
Manual Exhibit 2-7-O
Policy and Procedure for Use and Disclosure of Protected Health Information for Research Purposes
Manual Exhibit 2-7-P
Policy and Procedure for Request for Restriction(s) on the Use and Disclosure of Protected Health Information
Manual Exhibit 2-7-Q
Policy and Procedure for Disclosure of Protected Health Information of Un-Emancipated Minors
Manual Exhibit 2-7-R
Policy and Procedure for Verification of Identity Prior to Disclosure of Protected Health Information
Manual Exhibit 2-7-S
Policy and Procedure for the Use and Disclosure of Protected Health Information for Emancipated Minors and Adults with Personal Representatives or Legal Guardians
Manual Exhibit 2-7-T
Policy and Procedure for the Disclosure of Protected Health Information to Law Enforcement Officials
- Purpose. The purpose of this chapter is to provide instructions and guidance regarding the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Privacy Act requirements.
- Background. This chapter contains the Indian Health Service (IHS) policy and procedures developed to achieve compliance with the HIPAA Privacy Rule, the IHS Notice of Privacy Practices (NPP) or “Notice,” including the use of new forms and the instructions for completing them, and sending or receiving confidential information by facsimile.
The HIPAA Privacy Rule requires the IHS to implement new procedures for protecting protected health information (PHI) created or received by the IHS, or in its direct possession or control. The implementation of these new procedures requires the use of newly developed HIPAA-specific forms.
The HIPAA Privacy Rule requires that the IHS provide all beneficiaries (individuals) with a Notice specifying how their PHI may be used and disclosed, how the individual can get access to such information, and the obligations the IHS has to patients regarding the use and disclosure of such information. In addition, to the extent possible, the IHS must attempt to obtain acknowledgment from the patient(s) that they have received the Notice before the IHS provides treatment.
Patient health information must be transmitted in accordance with the requirements of 5 United States Code (U.S.C.), Section 552a, the Privacy Act of 1974, as amended; 45 Code of Federal Regulations (CFR) Part 160, the HIPAA General Administrative Requirements; and 45 CFR Part 164, Security and Privacy Rule. Note: Due to the complex and distinct issues related to computer-based electronic transmission of health information, this chapter is not intended to address the safeguards necessary to ensure the confidentiality of that particular form of health information transmission. These safeguards can be found in 45 CFR 164.308; 45 CFR 164.310; 45 CFR 164.312; and 45 CFR 164.530(c)(1)-(2).
- Privacy Act of 1974 as amended, 5 U.S.C., Section 552a;
- General Administrative Requirements, 45 CFR, Part 160; and
- The HIPAA Security and Privacy Rule, 45 CFR, Part 164.
- Policy. It is the policy of the IHS to:
- fully comply with the requirements of the HIPAA General Administrative Requirements, the Privacy Rule, and the Privacy Act,
- provide every patient who receives services at an IHS facility with a copy of the Notice of Privacy Practices or the IHS “Notice,”
- ask the patient to acknowledge receipt when given a copy of the IHS “Notice,” and
- ensure the confidentiality of all patient records transmitted by facsimile.
- Director, IHS. The Director, IHS, administratively ensures that the IHS is in compliance with all requirements of the HIPAA legislation.
- Director, Office of Clinical and Preventive Services. The Director, Office of Clinical and Preventive Services (OCPS), is responsible for reporting HIPAA privacy and other documentation issues that could affect health care delivery to the Director, IHS.
- Area Director. Each IHS Area Director will:
- ensure their Area is in compliance with HIPAA regulations,
- be responsible for providing an annual HIPAA activity report to the Director, IHS, on HIPAA implementation, compliance and ongoing training activities of each IHS facility within their respective IHS Area, and
- be responsible for the development of their respective Area HIPAA policies and procedures.
- For Contract Health Service (CHS) provided directly through the Area Office, the Area Director will designate in writing an Area Privacy Official, with the authority and responsibility to:
- review, approve, or deny any patient request to restrict the use or disclosure of PHI;
- inform the patient in writing regarding the decision in section (4) a. above;
- acknowledge receipt of the completed IHS-917, “Request for Correction/Amendment of Protected Health Information” form; and
- ensure that the completed IHS-917 form and any correspondence pertaining to the request are filed in the patient’s health record.
- Health Information Management Consultants. The IHS Headquarters Health Information Management (HIM) Consultant advises the Director, OCPS, on HIPAA activities and consults with Area HIM Consultants on IHS-wide HIPAA activities. The Area HIM Consultant is responsible for advising the IHS Area Director, service unit Chief Executive Officers (CEO), and their staffs on HIPAA implementation activities within their geographic areas. The Area HIM Consultant will:
- advise Area Directors, IHS Area staff, CEOs, and service unit staff on patient information/medical record issues, and
- consult with the IHS Privacy Act Officer on overlapping HIPAA Privacy Rule and Privacy Act issues for resolution.
- Chief Executive Officers. Each CEO is responsible for ensuring compliance with HIPAA regulations, including the development of policies, procedures, and status reports to their respective Area Director for HIPAA compliance, complaints, violations, implementation, and ongoing training for each IHS facility within their respective Service Unit.
Each CEO will designate in writing a Service Unit Privacy Official, with the authority and responsibility to:
- review, approve, or deny any patient request to restrict the use or disclosure of PHI;
- inform the patient in writing regarding the decision in section E(1) above;
- acknowledge receipt of the completed IHS-917, “Request for Correction/Amendment of Protected Health Information” form; and
- ensure that the completed IHS-917 form and any correspondence pertaining to the request are filed in the patient’s health record.
- Others. The Headquarters Privacy Act Officer, Area Privacy Act Advocates, Privacy Act Liaisons (service unit), and Area HIPAA Coordinators, in consultation with Area HIM Consultants, are responsible for HIPAA implementation and compliance within their geographic area. Area Privacy Act Advocates advise service unit staff on Privacy Act and HIPAA Privacy Rule issues and resolve differences with the HIPAA Privacy Rule and instances where the Privacy Act of 1974 and its subsequent amendments overlap with HIPAA. Some Area HIM Consultants serve as Area Privacy Act Advocates. Area Privacy Act Advocates report directly to the Area Director and advise the IHS Privacy Officer of any HIPAA violations, non-compliance, complaints, and resolutions. The IHS Privacy Officer will inform the Director, OCPS, and the Director, Division of Regulatory Affairs, of any potential HIPAA compliance problems for action.
- Accounting of Disclosures. The IHS, with respect to each system of records under its direct control (i.e., Privacy Act System of Record 09-17-0001, Medical, Health and Billing Records), must keep a record of the date, nature, and purpose of each disclosure of a record to any person or agency under subsection (b) of the Privacy Act (5 U.S.C. 552a), and the name and address of the person or agency to whom the disclosure is made. An accounting need not be kept of intra-agency disclosures and Freedom of Information Act disclosures. This record must be kept for 5 years or the life of the record, whichever is longer, after the disclosure for which the accounting has been made. An individual (beneficiary) is entitled, upon request, to get access to this disclosure record of his or her own personal records, with the exception of disclosures made under subsection (b)(7) of the Privacy Act (as a result of civil or criminal law enforcement activity). The IHS must inform any person or other agency about any correction or notation of dispute made by the IHS in accordance with subsection (d) of the Privacy Act (Access to Records) of any record that has been disclosed to the person or agency if an accounting of the disclosure was made. This is a mandatory reporting requirement and may be recorded using IHS Form 505, Disclosure Accounting Record, or the Resource and Patient Management System Release of Information software application.
- Designated Record Set. A designated record set means:
- A group of records maintained by or for a covered entity that includes:
- the medical, health, and billing records about individuals maintained by or for a covered health care provider;
- the enrollment, payment, claims adjudication, and case, or medical management record systems maintained by or for a health plan; or
- used, in whole or in part, by or for the covered entity to make decisions about individuals.
- For purposes of this paragraph, the term “records” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
- Emergency Medical Condition. An emergency medical condition is a medical condition manifesting itself by acute symptoms of sufficient severity (including severe pain) such that the absence of immediate medical attention could reasonably be expected to result in:
- placing the health of the individual (or, with respect to a pregnant woman, the health of the woman or her unborn child) in serious jeopardy;
- serious impairment to bodily functions; or
- serious dysfunction of any bodily organ or part.
- Facility Directory. In the Privacy Rule and for IHS purposes, this applies only to directories at inpatient facilities or hospitals.
- Health Information. Health information, as officially defined, means any information, whether oral or recorded in any form or medium, that:
- is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
- Highly Sensitive Health Information. Highly sensitive health information is any PHI relating to:
- The diagnosis, treatment, or referral for the Human Immunodeficiency Virus or other sexually transmitted diseases.
- The diagnosis, treatment, or referral for cancer or other life-threatening illnesses.
- The diagnosis, treatment, or referral for treatment of sexual assault/abuse, mental illness, and/or alcohol or substance abuse.
- Individually Identifiable Health Information. Individually identifiable health information is a subset of health information, including demographic information collected from an individual, that:
- is created or received by a health care provider, health plan, employer, or health care clearinghouse;
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- Notice of Privacy Practices. The Notice of Privacy Practices or “Notice” is a document describing:
- How an individual’s PHI, which is created and maintained by or for the IHS at an IHS health program facility, may be used and disclosed by the IHS.
- The individual’s rights, including how to access PHI.
- The IHS responsibilities with respect to PHI.
- Protected Health Information. Protected health information means individually identifiable health information:
- Except as provided in paragraph (2) of this definition, that is:
- transmitted by electronic media;
- maintained in electronic media; or
- transmitted or maintained in any other form or medium.
- Protected health information excludes individually identifiable health information in:
- education records covered by the Family Educational Rights and Privacy Act, as amended (20 U.S.C. 1232g);
- records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
- employment records held by a covered entity in its role as employer.
- Psychotherapy Notes. This means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the individual's medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.
- Designation of Privacy Official. Each IHS facility shall designate a Privacy Official who shall be responsible for development of local policies and procedures for HIPAA Privacy compliance within the Service Unit. The Privacy Official must be knowledgeable of HIPAA Privacy Rule requirements; HIPAA complaint processes and procedures; and capable of resolving HIPAA privacy issues. The Privacy Official may be the same individual designated to carry out the responsibilities of the Privacy Act (these two regulations may overlap in regards to PHI).
- Training. All IHS facilities must provide initial HIPAA Privacy overview training to all employees, volunteers, and on-site contractors. New employees must receive training as soon as possible, but no later than 30 days after the official date of hire. Function-specific training must also be provided to other categories of staff, such as health information management staff, business office staff, and nursing and medical staff. Training must also be provided to designated staff when policies and procedures are revised. Privacy training provided to staff shall be documented in their personnel file and maintained in writing or electronically for 6 years.
- Safeguards. All IHS facilities shall put in place policies and procedures to safeguard PHI in accordance with the Privacy Act and the HIPAA Privacy and Security regulations for both electronic and paper records to include administrative, technical and physical safeguards. Examples:
- Administrative safeguards include orientation and termination policies, incident reporting policies, access, contingency, and disaster recovery.
- Technical safeguards include user access and restrictions, user monitoring, authentication, and password issuance.
- Physical safeguards include physical access control before, during, and after business hours, document shredding policies, and medical record removal from a facility.
- Complaints. All complaints regarding HIPAA Privacy and Privacy Act violations shall be addressed to the Chief Executive Officer or designee. Complaints must be documented, maintained, and filed, and include a brief explanation of resolution, if any. Note: Individuals may also file complaints directly to the Secretary, Department of Health and Human Services (HHS).
- Sanctions. All IHS facilities, working closely with their respective IHS Human Resource offices, shall develop appropriate policies and procedures using current IHS policies and procedures; other Federal statutes, including the employee Standards of Conduct (5 CFR Part 2635), the Privacy Act (45 CFR Appendix A - Part 5b), and the HIPAA Privacy Rule (45 CFR Part 164); and any other personnel system policies.
- Employees must be made aware of these policies and procedures during training. Sanctions could range from warning to termination depending on the level of violation.
- If applicable, facilities must document that the sanctions are applied.
- Prohibited Sanctions. The IHS and its facilities shall not invoke sanctions against employees, volunteers, and/or on-site contractors under the following conditions:
- Whistleblower. If an employee discloses PHI, provided that he or she believes in good faith that the facility is in violation of HIPAA or other clinical or health care standards, or that facility activities or conditions could potentially endanger a patient (or patients), employee, or member of the public, so long as the disclosure is made to:
- a healthcare oversight authority, law enforcement agency, or public health authority authorized by law to investigate such violations or an accreditation organization for the purpose of reporting the failure to meet standards or misconduct by an IHS facility; or
- an attorney retained by the employee for the purpose of determining his or her legal options with regards to an IHS facility’s conduct.
- Law Enforcement. Disclosure by an employee (a member of the workforce) who is a victim of a crime to a law enforcement official, provided that the PHI disclosed is about the suspected criminal and is limited to the following:
- Name and address
- Date and place of birth
- Social Security Number
- ABO blood type and Rh factor
- Type of injury
- Date and time of treatment
- Date and time of death, if applicable
- A description of distinguishing physical appearance including height, weight, gender, race, hair or eye color, and the presence or absence of facial hair, scars, and tattoos.
- Mitigation. When an IHS facility becomes aware of a possible violation of the use or disclosure of PHI by one or more of its employees or by a business associate, the facility shall take reasonable steps to mitigate the disclosure or violation. For example, when PHI has been improperly disclosed, steps shall be taken to mitigate its improper use based on knowledge of how such information might be used.
- Refraining From Intimidating or Retaliatory Acts. The IHS shall not intimidate, threaten, coerce, discriminate against, or take retaliatory action against patients for exercising their rights under the HIPAA Privacy Rule, or against any person including employees, volunteers, and on-site contractors, for participating in any process established for:
- filing privacy complaints with the Secretary, HHS;
- testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing related to the Privacy Rule; or
- opposing any act or practice that is unlawful under the Privacy Rule, provided the manner of opposition is reasonable and does not involve a disclosure of PHI that is not permitted.
- Waiver of Rights. Individuals shall not be required to waive their rights under the HIPAA Privacy Rule in any IHS facility, including, but not limited to, their rights to file a complaint with the Secretary, HHS, as a condition for the provision of treatment, payment, eligibility (Contract Health Service), or other benefits.