HIPAA Privacy Rights and Operations Guide

HIPAA Security Summary
For the Practice of: Palmetto Medical Group
Publish Date: April 3, 2023

This guide has been created to serve Palmetto Medical Group. It is intended to provide this organization and its workforce members with an overview of our daily operating policies and procedures and this organization’s obligations relating to security and privacy standards for the use and disclosure of “protected health information” (PHI) under HIPAA, the Health Insurance Portability and Accountability Act of 1996.

This guide presents a simplified version of the fully detailed policies and procedures utilized to operate this Organization while maintaining the privacy and security of PHI. It should be used by workforce members and management as a quick reference to answer common questions about compliance operations and how to handle workplace situations so that HIPAA regulations are met, and Patient Rights are upheld.

This document is not typically intended for outside distribution except as part of a wider investigation by regulators or other appropriate parties.

It is the responsibility of this Organization to conduct regular reviews of this document to incorporate updates as regulations change and/or to add more definition to the actual operational procedures utilized by this organization.

If you have any questions, or if you need further guidance on HIPAA Privacy or Security requirements, please contact the Privacy Officer (PO) or Security Officer (SO):

Privacy Officer & Security Officer Office Manager
1040 Edgewater Corporate Parkway, Suite 101 Indian Land, SC 29707
803-548-7007 803-802-2015

Section A: Privacy

Privacy, according to the HIPAA Privacy Rule, is an individual’s right to control access and disclosure of their protected, “individually identifiable” health information. Besides giving individuals significant rights to understand and control how their health information is used, the Privacy Rule describes requirements for the use and disclosure of individuals’ health information, known as protected health information (PHI), by Covered Entity (CE) organizations subject to the Privacy Rule. PHI is considered “identifiable” if it contains any one or more of the 18 specific identifiers. (NOTE: See policy ‘8s – Minimum Necessary’ for a complete list of the 18 identifiers.)

1. Notice of Privacy Practices

Individuals have a right to receive a notice of the CE’s privacy practices. The notice must be written in plain language and describe the ways in which the CE may use or disclose PHI. It also explains individual rights with respect to their health information, including the right to complain to Health and Human Services (HHS) and to the CE if they believe their privacy rights have been violated.

Our Organization creates record(s) of the care and services that patients receive from us. We need this record to provide them with quality care and to comply with certain legal requirements. Our NPP describes the ways in which we may use and disclose medical information about the patient. It also describes their rights and certain obligations we have regarding the use and disclosure of their medical information.

Our Organization always strives to follow all of the rules set down in our NPP. Any variation from our published practices that you notice should immediately be brought to the attention of the Organization’s Security / Privacy Officer(s).

2. TPO (Treatment, Payment and Operations)

A CE may use or disclose PHI for its own treatment, payment or healthcare operations. Within our NPP, the following categories describe different ways that we may use and disclose patient PHI.
− Treatment. We may use medical information to provide a patient with medical treatment or services. We may disclose medical information about the patient to doctors, nurses, technicians, health care students, or other personnel who are involved in taking care of the patient within our Organization.
− Payment. We may use and disclose medical information about a patient so that the treatment and services received from the Organization may be appropriately billed and payment may be collected from the government, an insurance company or a third party.
− Healthcare Operations. We may use and disclose medical information about a patient for Organization operations. These uses and disclosures are necessary to run the Organization and make sure that all our patients receive quality care.

3. Access, Use and Disclosure of PHI

General rules for access, use and disclosure of PHI are addressed within our NPP. Minimum Necessary principles are always applied to the access, use, or disclosure of PHI, meaning only the least amount of information needed to perform the permitted task is utilized. (NOTE: See policy ‘8s – Minimum Necessary’ for additional details.)

− Appointment Reminders. We may use and disclose medical information to contact a patient as a reminder that they have an appointment for treatment or medical care at the Provider location.

− Treatment Alternatives. We may use and disclose medical information to tell a patient about or recommend possible treatment options or alternatives that may be of interest to them.

− Health & Related Benefits and Services. We may use and disclose medical information to tell a patient about health and related benefits or services that may be of interest to them.

− Fundraising Activities. PMG will never use your PHI for any fundraising activity.

− Emergencies. We may use or disclose a patient’s medical information if they were to need emergency treatment or if we are required by law to treat them but are unable to obtain their consent. If this happens, we will try to obtain the patient’s consent as soon as we reasonably can after treatment.

− Communication Barriers. We may use and disclose a patient’s health information if we are unable to obtain their consent because of substantial communication barriers, and we believe they would want us to treat them if we could communicate with them.

− Provider Directory. Amit Shah, MD and Daniel Kirkley, PA-C

− Individuals Involved in the Patient’s Care or Payment for Care. We may release medical information about a patient to a friend or family member who is involved in their medical care and to whom the patient has agreed it is permissible. We may also give information to someone who helps pay for their care. In addition, we may disclose medical information about a patient to an entity assisting in a disaster relief effort so that the family can be notified about their condition, status and location.

− Research. If you participate in a research study, we may disclose your PHI to the research facility for treatment purposes.

− As Required By Law. We will disclose medical information about a patient when required to do so by federal, state or local law.

− To Avert a Serious Threat to Health or Safety. We may use and disclose medical information about the patient when necessary to prevent a serious threat to their health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

− Organ and Tissue Donation. If a patient is an organ donor, we may release medical information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.

− Military and Veterans. If the patient is a member of the armed forces, we may release medical information about the patient as required by military command authorities.

− Workers’ Compensation. We may release medical information about a patient for workers’ compensation or similar programs.

− Public Health Risks. We may disclose medical information about a patient for public health activities. These activities generally include the following:

  • to prevent or control disease, injury or disability.
  • to report births and deaths.
  • to report child abuse or neglect.
  • to report reactions to medications or problems with products.
  • to notify people of recalls of products they may be using.
  • to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and
  • to notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence. We will only make this disclosure if the patient agrees or when required or authorized by law.