TEAM Professional Services COVID-19 Health Information Privacy Policies & Procedures
These Policies & Procedures are intended to address in vitro diagnostic testing to detect SARS-CoV-2 (including testing to detect antibodies against SARS-CoV-2) or diagnose COVID-19 (collectively, “COVID-19 Testing”), and the administration and reporting of test results that constitute Protected Health Information (“PHI”). It is the intention of TPS Alert, LLC and its affiliates (“TPS”) to ensure the confidentiality and integrity of all PHI relating to COVID-19 Testing in its possession, as required by the Health Insurance Portability and Accountability Act (“HIPAA”).
- General Rule: No Use or Disclosure
Our office must not use or disclose protected health information (PHI), except as these Privacy Policies & Procedures permit or require.
- Acknowledgment and Consent
Our office will make a good faith effort to obtain a written acknowledgement of receipt of our Notice of Privacy Practices Related to COVID-19 Testing (see Section 10) from a patient before we use or disclose his or her protected health information (PHI). Our office’s use or disclosure of PHI for our payment activities and healthcare operations may be subject to the minimum necessary requirements (see Section 8).
Our office will become familiar with Oklahoma’s privacy laws.
In some cases we must have proper, HIPAA-compliant written authorization (“Authorization”) from the patient (or the patient’s personal representative) before we use or disclose a patient’s PHI. Where COVID-19 Testing is being performed in connection with an employer’s return-to-duty or COVID-19 screening protocols, our office retains the right to condition such testing on the patient’s execution of a valid Authorization in accordance with the provisions of HIPAA.
- Authorization Revocation — A patient may revoke an Authorization at any time by written notice. Our office will not rely on an Authorization we know has been revoked.
- Authorization from Another Provider — Our office will use or disclose PHI as permitted by a valid Authorization we receive from another healthcare provider. Our office may rely on that covered entity to have requested only the minimum necessary PHI. Therefore, our office will not make our own “minimum necessary” determination, unless we know that the Authorization is incomplete, contains false information, has been revoked, or has expired.
- Authorization Expiration — Our office will not rely on an Authorization we know has expired.
- Oral Agreement
In limited circumstances, our office may use or disclose a patient’s PHI with the patient’s oral agreement or if the patient is unavailable, subject to all applicable requirements.
- Permitted Without Acknowledgement, Authorization or Oral Agreement
Our office may use or disclose a patient’s PHI in certain situations, without Authorization or oral agreement. In our office, these disclosures are not likely to be frequent.
- Verification of Identity — Our office will always verify the identity of any patient, and the identity and authority of any patient’s personal representative, government or law enforcement official, or other person, unknown to us, who requests PHI before we will disclose the PHI to that person.
- Our office will obtain appropriate identification and, if the person is not the patient, evidence of authority. Examples of appropriate identification include a photographic identification card, a government identification card or badge, and an appropriate document on government letterhead. Our office will document the incident and how we responded.
- Uses or Disclosures Permitted under this Section 5. The situations in which our office is permitted to use or disclose PHI in accordance with the procedures set out in this Section 6 are listed below.
- Our office may disclose a patient’s PHI to that patient on request.
- Our office may disclose to a patient’s personal representative PHI relevant to the representative capacity. We will not disclose to a personal representative we reasonably believe may be abusive to a patient any PHI we reasonably believe may promote or further such abuse.
- Our office may use or disclose PHI in the following types of situations, provided procedures specified in the Privacy Rules are followed:
- To employers in connection with return-to-duty or COVID-19 screening protocols provided a patient Authorization has been obtained;
- For public health activities;
- To health oversight agencies;
- As required by law;
- As part of research projects; and
- As authorized by state worker’s compensation laws.
- Required Disclosures
Our office will disclose protected health information (PHI) to a patient (or to the patient’s personal representative) to the extent that the patient has a right of access to the PHI (see Section 11); and to the U.S. Department of Health and Human Services (HHS) on request for complaint investigation or compliance review. Our office will use the disclosure log to document each disclosure we make to HHS.
- Minimum Necessary
Our office will make reasonable efforts to disclose, or request of another covered entity, only the minimum necessary protected health information (PHI) to accomplish the intended purpose. There is no minimum necessary requirement for: disclosures to or requests by one another in our office or by a healthcare provider for treatment; permitted or required disclosures to, or for disclosures requested and authorized by, a patient; disclosures to HHS for compliance reviews or complaint investigations; disclosures required by law; or uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules.
- Routine or Recurring Requests or Disclosures — Our office will follow the policies and procedures that we adopt to limit our routine or recurring requests for or disclosures of PHI to the minimum reasonably necessary for the purpose.
- Non-Routine or Non-Recurring Requests or Disclosures — No non-routine or nonrecurring request for or disclosure of PHI will be made until it has been reviewed on a patient-by-patient basis against our criteria to ensure that only the minimum necessary PHI for the purpose is requested or disclosed.
- Others’ Requests — Our office will rely, if reasonable for the situation, on a request to disclose PHI being for the minimum necessary, if the requester is: (a) a covered entity; (b) a professional (including an attorney or accountant) who provides professional services to our practice, either as a member of our workforce or as our Business Associate, and who represents that the requested information is the minimum necessary; (c) a public official who represents that the information requested is the minimum necessary; or (d) a researcher presenting appropriate documentation or making appropriate representations that the research satisfies the applicable requirements of the Privacy Rules.
- Entire Record — Our office will not use, disclose, or request an entire record, except as permitted in these Policies & Procedures or standard protocols that we adopt reflecting situations when it is necessary.
- Minimum Necessary Workforce Use — Our office will use only the minimum necessary PHI needed to perform our duties.
- Business Associates
Our office will obtain satisfactory assurance in the form of a written contract that our Business Associates will appropriately safeguard and limit their use and disclosure of the protected health information (PHI) we disclose to them. These Business Associate requirements are not applicable to our disclosures to a healthcare provider for treatment purposes. The Business Associate Contract Terms document contains the terms that federal law requires be included in each Business Associate contract.
- Breach Notification — If our office learns that a Business Associate has materially breached or violated its Business Associate Contract with us, we will take prompt, reasonable steps to see that the breach or violation is cured. If the Business Associate does not promptly and effectively cure the breach or violation, we will terminate our contract with the Business Associate, or if contract termination is not feasible, report the Business Associate’s breach or violation to the U.S. Department of Health and Human Services (HHS). In the case of a breach of unsecured protected health information, whether by our office or a Business Associate, the patient shall be notified as required by law. In some circumstances our Business Associate may provide the notification. We may also provide notification by other methods as appropriate.
- Notice of Privacy Practices Related to COVID-19 Testing. Our office will maintain a Notice of Privacy Practices as required by the Privacy Rules.
- Our Notice — Our office will use and disclose PHI only in conformance with the contents of our Notice of Privacy Practices Related to COVID-19 Testing. We will promptly revise a Notice of Privacy Practices Related to COVID-19 Testing whenever there is a material change to our uses or disclosures of PHI, to our legal duties, to the patients’ rights, or to other privacy practices that render the statements in that Notice no longer accurate. All employees should read and have a good understanding of our Notice of Privacy Practices Related to COVID-19 Testing.
- Distribution of Our Notice — Our office will provide our Notice of Privacy Practices Related to COVID-19 Testing to new patients and any other person who requests it. Our office will have our Notice of Privacy Practices Related to COVID-19 Testing available for patients to take with them.
- Acknowledgement of Notice — Our office will make a good faith effort to obtain from the patient a written Acknowledgement of receipt of our Notice of Privacy Practices Related to COVID-19 Testing. If we cannot obtain written Acknowledgement from the patient, we will use the form to document our attempt and the reason why written Acknowledgement was not signed by the patient.
- Patients’ Rights. Our office will honor the rights of patients regarding their PHI.
- Access — A patient has the right to inspect and copy his or her health information, with limited exceptions. To access his or her medical information, a patient must submit a written request detailing what information he or she wants access to, whether the patient wants to inspect it or get a copy of it, and if the patient wants a copy, his or her preferred form and format. We will provide copies in the patient’s requested form and format if it is readily producible, or we will provide the patient with an alternative format the patient finds acceptable, or if we cannot agree and we maintain the record in an electronic format, the patient’s choice of a readable electronic or hardcopy format. We will also send a copy to any other person the patient designates in writing. We will charge a reasonable fee which covers our costs for labor, supplies, postage, and if requested and agreed to in advance, the cost of preparing an explanation or summary. We may deny a patient’s request under limited circumstances. If we deny a person’s request to access his or her child’s records or the records of an incapacitated adult the requesting party is representing because we believe allowing access would be reasonably likely to cause substantial harm to the patient, the requesting party will have a right to appeal our decision.
- Amendment — A patient has a right to request that we amend his or her health information which the patient believes is incorrect or incomplete. The patient must make a request to amend in writing, and include the reasons he or she believes the information is inaccurate or incomplete. We are not required to change a patient’s health information, and will provide the patient with information about this office’s denial and how the patient can disagree with the denial. We may deny a request if we do not have the information, if we did not create the information (unless the person or entity that created the information is no longer available to make the amendment), if the person making the request would not be permitted to inspect or copy the information at issue, or if the information is accurate and complete as is. If we deny the request, the patient or requesting party may submit a written statement of his or her disagreement with that decision, and we may, in turn, prepare a written rebuttal. All information related to any request to amend will be maintained and disclosed in conjunction with any subsequent disclosure of the disputed information.
- Disclosure Accounting — A patient has a right to receive an accounting of disclosures of the patient’s health information made by this office, except that this office does not have to account for the disclosures provided to the patient or pursuant to the patient’s written authorization, or as described in the paragraphs concerning treatment, payment, health care operations, notification and communication with family and specialized government functions of the Notice of Privacy Practices or disclosures for purposes of research or public health which exclude direct patient identifiers, or which are incident to a use or disclosure otherwise permitted or authorized by law, or the disclosures to a health oversight agency or law enforcement official to the extent this medical practice has received notice from that agency or official that providing this accounting would be reasonably likely to impede their activities.
- Restriction on Use or Disclosure — The patient has the right to request restrictions on certain uses and disclosures of his or her health information by a written request specifying what information he or she wants to limit, and what limitations on our use or disclosure of that information the patient wishes to have imposed. We reserve the right to accept or reject any other request, and will notify the patient of our decision.
- Alternative Communications — Patients have the right to request us to use alternative means or alternative locations when communicating PHI to them. Our office will accommodate a patient’s request for such alternative communications if the request is reasonable and in writing. Our office will inform the patient of our decision to accommodate or deny such a request. If we agree to such a request, we will inform our Business Associates of the agreement and provide them with the information necessary to comply with the agreement. A patient has a right to notice of our legal duties and privacy practices with respect to the patient’s health information, including a right to a paper copy of the Notice of Privacy Practices Related to COVID-19 Testing, even if the patient has previously requested its receipt by e-mail.
- Applicability — Our office will be aware of and respect these patients’ rights regarding their PHI, even though in most situations patients are unlikely to exercise them.
- Staff Training and Management, Complaint Procedures, Data Safeguards, Administrative Practices
- Staff Training and Management
- Training — Our office will train all members of our workforce whose work involves or is related to the procedures described in Section 2 of these Privacy Policies & Procedures, as necessary and appropriate for them to carry out their functions. After the date of enactment of these Privacy Policies & Procedures our office will train each new staff member meeting this description within a reasonable time after the member starts. We will also retrain each staff member whose functions are affected either by a material change in our Privacy Policies and Procedures or in the member’s job functions, within a reasonable time after the change. Workforce members shall be requested to sign an acknowledgment that they have received and read a copy of these Policies and Procedures.
- Discipline and Mitigation — Our office will develop, document, disseminate, and implement appropriate discipline policies for staff members who violate our Privacy Policies & Procedures, the Privacy Rules, or other applicable federal or state privacy law. Staff members who violate our Privacy Policies & Procedures, the Privacy Rules or other applicable federal or state privacy law will be subject to disciplinary action, possibly up to and including termination of employment.
- Complaints — Our office will implement procedures for patients to complain about our compliance with our Privacy Policies & Procedures or the Privacy Rules. We will also implement procedures to investigate and resolve such complaints. The Complaint form can be used by the patient to lodge the complaint. Each complaint received must be referred to management immediately for investigation and resolution. We will not retaliate against any patient or workforce member who files a Complaint in good faith.
- Data Safeguards — Our office will “add to” and strengthen these Privacy Policies & Procedures with such additional data security policies and procedures as are needed to have reasonable and appropriate administrative, technical, and physical safeguards in place to ensure the integrity and confidentiality of the PHI we maintain. Our office will take reasonable steps to limit incidental uses and disclosures of PHI made according to an otherwise permitted or required use or disclosure.
- Documentation and Record Retention — Our office will maintain in written or electronic form all documentation required by the Privacy Rules for six years from the date of creation or when the document was last in effect, whichever is greater.
- State Law Compliance
Our office will comply with the privacy laws of the State of Oklahoma to the extent such laws provide greater protections or rights to patients than the Privacy Rules.
- HHS Enforcement
Our office will give the U.S. Department of Health and Human Services (HHS) access to our facilities, books, records, accounts, and other information sources (including individually identifiable health information without patient authorization or notice) during normal business hours (or at other times without notice if HHS presents appropriate lawful administrative or judicial process). We will cooperate with any compliance review or complaint investigation by HHS, while preserving the rights of our practice.
- Designated Personnel
Our office will designate a Privacy Officer and other responsible persons as required by the Privacy Rules.