I. General Policy
It is the policy of Gunn-Mowery (under the HIPAA privacy rule) to maintain and protect the privacy of the protected health information (“PHI”) of its clients (Employers on behalf of their employees/ participant) and to give specific rights with respect to their PHI.
This policy is intended to promote awareness of the confidential nature of the medical information that is collected, maintained and disseminated by Gunn-Mowery. This policy and these procedures reflect the commitment of Gunn-Mowery to protecting the confidentiality of private health information.
IV. Collection and Receipt of Protected Health Information
Gunn-Mowery will make reasonable efforts to limit PHI to the minimum necessary information to accomplish the intended purpose of the collection, receipt or maintenance of PHI.
- When collecting or receiving PHI, employees will request only the minimum necessary information. Prior to making such a request and at the time this policy first becomes effective, employees who collect or receive PHI will evaluate the information that is requested or received to determine that he or she is receiving or requesting the minimum necessary. The Privacy Official will make the final determination (when necessary) as to what information can be requested and received.
- When collecting or discussing PHI, employees will comply with the following privacy guidelines, along with any additional procedures established from time to time.
- PHI should not be discussed in any open area;
- Documents containing PHI should be kept in locked files and should not be left in any open area or area where the general public has access;
- Documents containing PHI should be de-identified wherever possible; and
- Documents containing PHI should be shredded when they are no longer needed.
V. Uses and Disclosures of Protected Health Information
Gunn-Mowery will execute Business Associate Agreements with outside entities that create) receives, maintain or transmit protected health information in the course of performing functions on behalf of Gunn-Mowery. The agreement will inter cilia require the business associate to comply with the HIPAA Privacy Rule, report a breach of unsecured PHI to the Plan, and agree to enter into business associate agreements with any subcontractors who receive PHI.
- To the extent reasonably possible, PHI that is requested or disclosed by Gunn-Mowery will be received or distributed after it has been de-identified. The Privacy Official will oversee the de-identification process.
- Where it is not possible or practicable to de-identify PHI that is disclosed, employees will disclose only the minimum necessary information. The Privacy Official will help, upon request, to determine that the minimum necessary information is disclosed. Minimum necessary standards will be created and followed for all routine disclosures of PHI.
- In any situation where PHI is requested from Gunn-Mowery an employee will verify the identity of the person requesting the information and the authority of the person to have access to PHI (unless the identity and authority is already known).
- PHI will be disclosed to a Valid Recipient as described above through the telephone, only after the identity and authority of the person who is on the other end of the call is verified.
- PHI will be sent to a Valid Recipient by facsimile only if the employee who is sending the information can determine that the intended recipient will be the receiver of the facsimile, or that he or she is expecting the confidential facsimile at that time.
- All fax cover sheets utilized by employees will contain a standard confidentiality statement.
- Gunn-Mowery will not use or disclose PHI that is genetic information for underwriting purposes.
- Gunn-Mowery may disclose PHI to family members or others who were involved in the decedent’s health care or payment for their care prior to the decedent’s death so long as the disclosure is relevant to the person’s involvement and is not inconsistent with the decedent’s prior expressed wishes.
VI. Amendment of Protected Health Information
Gunn-Mowery will allow participants to request amendment of their PHI that is part of the designated record. PHI that was not created by Gunn-Mowery or that is accurate and complete, as determined by the Privacy Official, is not subject to amendment.
- A request for amendment of PHI must be made on a form approved by Gunn-Mowery. The request must be made by the participant or the participant’s personal representative, parent (for a minor or an enrolled dependent child) or guardian (collectively referred to as “plan participant”). The request must reference the information for which amendment is requested and the reason for the requested amendment.
- When a participant first contacts Gunn-Mowery to request an amendment, the employee who receives the request will notify the participant of the requirements for requesting the change.
- All written requests for amendment will be forwarded to the Privacy Official for response.
- Within 60 days after receipt of the request for amendment, the Privacy Official will either accept or deny the amendment request. The Privacy Official will make this determination. If the amendment request is accepted, the Privacy Official will notify participant and request the agreement of the participant to notify business associates or other persons who have received the incorrect PHI about the participant. If the amendment request is denied, the Privacy Official will notify the participant of the basis for the denial, the right of the participant to submit a written statement of disagreement or to request that the amendment and the denial be included in any future disclosures, and a description of how the participant may file a complaint.
- If the participant files a statement of disagreement, the Privacy Official may prepare a written rebuttal, which must be given to the participant. All future disclosures of PHI for this participant must include both the statement of disagreement and the rebuttal, if any, and a link between these documents and the PHI that is subject to dispute.
VII. Accounting of Disclosures of PHI
It is the Policy of Gunn-Mowery to provide participants with an accounting of disclosures of PHI that were made for purposes other than the payment and healthcare operations.
All disclosures of PHI, other than those conducted in the course of payment or healthcare operations, will be reported to the Privacy Official. When requested by a participant in writing, the Privacy Official will prepare an accounting of all disclosures that were not part of the health care operations. The accounting will include all disclosures made by Gunn-Mowery that occurred in the past six years (or shorter period as requested by the participant), but excluding any disclosures made by Gunn-Mowery prior to April 14, 2004, and will comply with all applicable laws and regulations. The accounting will be provided within 60 days of the request. No charge will be imposed for the first accounting requested during any 12-month period.
VIII. Restriction on Disclosures of PHI
It is the Policy of Gunn-Mowery to allow participants to request a restriction on the uses and disclosures of participant’s PHI made by Gunn-Mowery.
- A request for restriction on the uses and disclosures of PHI must be made on a form approved by Gunn-Mowery. The request must be made by the participant or the participant’s personal representative, parent (for a minor or an enrolled dependent child) or guardian (collectively referred to as “plan participant”). The request must reference the particular type of restriction that is requested and the reason for the requested restriction.
- When a participant first contacts Gunn-Mowery to request a restriction, the employee who receives the request will notify the participant of the requirements for requesting the change.
- All written requests for restriction will be forwarded to the Privacy Official for response.
- Within a reasonable period of time after receipt of the request for restriction, the Privacy Official will either accept or deny the restriction request. The Privacy Official will make this determination. If the restriction request is accepted, the Privacy Official will notify the participant and will document the agreed upon restriction. If the restriction request is denied, the Privacy Official will notify the participant of the basis for the denial.
IX. Notice in case of Breach of Unsecured PHI
It is the Policy of Gunn-Mowery to secure PHI in accordance with its Security Policy to notify individuals, the media and the Department of Health and Human Services in the event of a breach of unsecured PHI, in accordance with the HITECH Act. Gunn-Mowery will presume that a reportable breach has occurred when any impermissible acquisition, access, use or disclosure of unsecured PHI has happened, unless Gunn-Mowery can demonstrate there is a low probability that the information has been compromised based on a risk assessment of certain factors or the breach fits within certain exceptions.
- Gunn-Mowery, LLC will follow the Security Policy that it has adopted to comply with the HIPAA Security Rules and will secure any electronic PHI that if maintains in accordance with the HITECH Act.
- Gunn-Mowery, LLC will document all risk assessments regarding all reportable breaches in order to demonstrate it provided all required breach notifications or, in the alternative, that the impermissible use or disclosure did not constitute a breach.
- For any breach of unsecured PHI (as both breach and unsecured are defined in the HITECH Act, Gunn-Mowery, LLC will provide written notice or a substitute notice (if the last known contact address is insufficient) to each affected individual within 60 days following discovery of any breach of Unsecured PHI. The notice will include:
- A brief description of what happened including the date of the breach and the date of discovery, if known;
- A description of the types of unsecured PHI that were involved in the breach;
- Any steps the individual should take to protect him/her from potential harm resulting from the breach;
- A brief description of what Gunn-Mowery, LLC is doing to investigate the breach in accordance with HIPAA breach notification requirements;
- Contact procedures for individuals to ask questions or learn additional information.
- If a breach of unsecured PHI involves more than 500 residents of a state, Gunn-Mowery, LLC will provide notice to local media outlets serving the state within 60 days of discovering the breach.
- If a breach of unsecured PHI involves more than 500 covered persons, Gunn-Mowery, LLC will provide notice to the DHHS not later than 60 days offer the end of the calendar year in with the breach occurred.
- Additional training sessions may he conducted by the Privacy Official as needed.
- All training will be documented by the Privacy Official, or other employee as requested by the Privacy Official.
- The Privacy Official will review all complaints, will discuss them (as needed) with the Managing Partner and will review relevant documents and will respond to the participant who has filed the complaint.
- All complaints will be logged by the Privacy Official. The log will include the complaint and a brief description of the resolution of the complaint.
XII. Record Keeping
- The following documents will be maintained in the files of the Privacy Official or other secured location:
- Notice of Privacy Practices (all versions)
- Privacy Notice and Notice of Privacy Practices Distribution Log
- All signed authorizations
- PHI Disclosure Log
- Record Request Log
- Record Requests
- Complaint Log, along with copies of any written complaints
- Records of any sanctions imposed on employees
- Employee training manuals and procedures
- Business associate contracts
- Record of breaches and any associated risk assessments
- Breach Information
- Every year on or about January 1st, the Privacy Official will determine which records, if any, have been held for the minimum period required and should be destroyed.
XIV. Miscellaneous Policies
Refraining from Intimidating or Retaliatory Acts
G. Greg Gunn, CIC
Theodore W. Mowery