Confidentiality for Health Centers Toolkit

First issued nearly two decades ago, the HIPAA Privacy Rule requires covered entities, including health centers, to protect patient health information from unauthorized uses and disclosures and to respond to patient requests to access, amend and account for disclosures of their health information.  To ensure compliance with the HIPAA Privacy Rule, covered entities must have a HIPAA Privacy Officer and develop written policies and procedures, training and education, reporting and investigation mechanisms, and strategies to mitigate the harmful effects of impermissible uses or disclosures.  In 2013, the Office for Civil Rights issued a “Final Rule” that strengthened the privacy and security protections for health information under HIPAA and finalized the Breach Notification Rule. These changes, and the possibility for additional changes soon, have left many health centers wondering how best to ensure they are HIPAA compliant.

In addition, as health centers add or enhance their substance use disorder services, they may also have to comply with the federal substance use disorder confidentiality regulations at 42 CFR Part 2 (“Part 2”). Part 2 is stricter than the HIPAA Privacy Rule, requiring specific patient consent to disclose Part 2 protected records for purposes of treatment, payment and health care operations, unless one of a very limited number of exceptions applies.

FTLF’s Confidentiality for Health Centers Toolkit is designed to help health centers maintain and improve compliance with applicable federal confidentiality and privacy laws and regulations, including the HIPAA Privacy Rule, the HIPAA Breach Notification Rule and Part 2.  The Toolkit includes customizable sample policies, procedures, and forms, including:

  • Privacy Officer Job Description: Sample
  • Authorization for Disclosure of PHI: Sample Form
  • Breach Analysis and Notification: Sample Policy and Procedure
  • Breach Notification to Affected Individuals: Sample Letter
  • Disclosing PHI to Business Associates: Sample Policy and Procedure
  • Business Associate Agreement: Sample

With greater attention to enforcement, the time to build or assess and improve your health center’s HIPAA Privacy compliance program is now. 

View the Table of Contents on the Agenda tab.

    Course summary
    Course opens: 08/24/2018
    Course expires: 12/31/2019
    Cost: $500.00

    TABLE OF CONTENTS

    HIPAA Privacy Documents

    Administrative Requirements

    1. Personnel
    • Authority and Responsibilities of the Privacy Officer: Sample Policy and Procedure
    • Privacy Officer Job Description: Sample
    2. Training
    • HIPAA Privacy Education and Training: Sample Policy and Procedure 
    • HIPAA Privacy Education and Training Attendance Certification and Sign In Form: Sample    
    • HIPAA Privacy Education and Training Log: Sample
    • HIPAA Privacy Education and Training Material Distribution Log: Sample
    3. Safeguards
    • Safeguards to Protect the Privacy of PHI: Sample Policy and Procedure 
    4. Privacy Complaints
    • Reporting and Responding to Privacy Complaints: Sample Policy and Procedure
    • Prohibition on Waiver of Rights: Sample Policy and Procedure
    • Privacy Complaint Form: Sample
    • Privacy Complaint Summary: Sample
    • Privacy Complaint Log: Sample 
    • Investigating Privacy Complaints: Sample Policy and Procedure
    • Privacy Investigation Report: Sample
    5. Sanctions
    • Sanctioning Workforce Members: Sample Policy and Procedure 
    6. Mitigation of Violations
    • Mitigating the Effects of a HIPAA Violation: Sample Policy and Procedure
    7. Prohibiting Intimidation and Retaliation
    • Prohibiting Intimidation and Retaliation: Sample Policy and Procedure
    8. Policies and Procedures
    • Developing, Implementing and Revising HIPAA Policies and Procedures: Sample Policy and Procedure
    • Documenting HIPAA Privacy Practices: Sample Policy and Procedure

     

    Uses and Disclosures 

    1. Uses and Disclosures for Treatment, Payment and Health Care Operations: Sample Policy and Procedure
    2. Uses and Disclosures Required by Law: Sample Policy and Procedure
    3. Uses and Disclosures for Public Health Activities: Sample Policy and Procedure 
    4. Disclosures about Victims of Abuse, Neglect or Domestic Violence: Sample Policy and Procedure
    5. Uses and Disclosures for Health Oversight Activities: Sample Policy and Procedure
    6. Disclosures for Judicial and Administrative Proceedings: Sample Policy and Procedure
    7. Disclosures for Law Enforcement Purposes: Sample Policy and Procedure
    8. Uses and Disclosures about Decedents: Sample Policy and Procedure 
    9. Uses and Disclosures for Cadaveric Organ, Eye, or Tissue Donation Purposes: Sample Policy and Procedure
    10. Uses and Disclosures to Avert a Serious Threat to Health or Safety: Sample Policy and Procedure
    11. Uses and Disclosures for Specialized Government Functions: Sample Policy and Procedure 
    12. Disclosures for Workers' Compensation: Sample Policy and Procedure

     

    Authorizations

    1. Authorization for Use and Disclosure of PHI: Sample Policy and Procedure
    2. Authorization for Disclosure of PHI: Sample Form
    3. Revocation of Authorization: Sample Form 
    4. Verifying Identity and Authority Prior to Disclosing PHI: Sample Policy and Procedure
    5. Identity Verification: Sample Form

     

    Responding to Patient Requests

    1. Requests for Restrictions: Sample Policy and Procedure
    2. Requests for Restriction: Sample Form
    3. Requests for Confidential Communications: Sample Policy and Procedure
    4. Requests for Confidential Communications: Sample Form
    5. Requests for Access: Sample Policy and Procedure
    6. Requests to Amend: Sample Policy and Procedure
    7. Requests to Amend: Sample Form
    8. Requests for an Accounting of Disclosures: Sample Policy and Procedure
    9. Requests for an Accounting of Disclosures: Sample Form
    10. Designation and Authority of Personal Representatives: Sample Policy and Procedure

     

    Notice of Privacy Practices

    1. Contents of the Notice of Privacy Practices: Sample Policy and Procedure 
    2. Providing the Notice of Privacy Practices: Sample Policy and Procedure
    3. Acknowledgement of Receipt of Notice of Privacy Practices: Sample Form
    4. Acknowledgement of Receipt of Notice of Privacy Practices Not Obtained: Sample Form

     

    Minimum Necessary

    1. Minimum Necessary for Use of PHI by Workforce Members: Sample Policy and Procedure 
    2. Workforce Access Categories: Sample Form
    3. Workforce Directory Chart: Sample Form 
    4. Minimum Necessary for Disclosures and Requests of PHI: Sample Policy and Procedure

     

    Breach

    1. Breach Analysis and Notification: Sample Policy and Procedure
    2. Breach Notification to Affected Individuals: Sample Letter
    3. Breach Log: Sample 
    4. Breach Notification Report to HHS: Sample Form

     

    Business Associates

    1. Disclosing PHI to Business Associates: Sample Policy and Procedure 
    2. Business Associate Agreement: Sample 
    3. Business Associate Agreement Log: Sample Form
    4. Business Associate Agreement Checklist: Sample Form

     

    Compliance Programs 

    1. Board Resolution Designating the Privacy Officer: Sample Form
    2. HIPAA Privacy Compliance Monitoring and Auditing: Sample Policy and Procedure
    3. Cooperating with HHS: Sample Policy and Procedure

     

    Other Privacy Concepts

    1. Uses and Disclosures of Limited Data Sets: Sample Policy and Procedure
    2. Data Use Agreement for Limited Data Sets: Sample
    3. Uses and Disclosures for Fundraising: Sample Policy and Procedure
    4. Workforce Confidentiality Agreement: Sample Form 
    5. Site Visitor Confidentiality Agreement: Sample Form

    42 CFR Part 2 Documents

    Applicability

    1. Determining Applicability of 42 CFR Part 2: Sample Policy and Procedure
    2. Determining whether the Health Center Operates a Part 2 Program: Sample Form

    Program Requirements

    1. Providing Notice to Patients of 42 CFR Part 2 Confidentiality Requirements: Sample Policy and Procedure
    2. Notice to Patients of Federal Confidentiality Requirements under 42 CFR Part 2: Sample Form
    3. Acknowledgment of Receipt of Notice of Federal Confidentiality Requirements under 42 CFR Part 2: Sample Form
    4. Security for Records Protected by 42 CFR Part 2: Sample Policy and Procedure
    5. Request for Access to Records Protected by 42 CFR Part 2: Sample Policy and Procedure
    6. Disclosures to Qualified Service Organizations: Sample Policy and Procedure

    Disclosures with Patient Consent

    1. Obtaining Patient Consent for Disclosure of Patient Information Protected by 42 CFR Part 2: Sample Policy and Procedure
    2. Initial Consent to Disclose Records from Health Center’s Part 2 Program: Sample Form
    3. Consent to Disclose Records Protected by 42 CFR Part 2: Sample Form
    4. Consent to Disclose Records Protected by 42 CFR Part 2 to a Health Information Exchange: Sample Form

    Disclosures without Patient Consent

    1. Disclosures for Medical Emergencies: Sample Policy and Procedure
    2. Disclosures for Research: Sample Policy and Procedure
    3. Disclosures for Audits and Evaluations: Sample Policy and Procedure

    Court Orders Authorizing Disclosure and Use

    1. Court Orders Authorizing Disclosure and Use: Sample Policy and Procedure

    ABOUT THE AUTHORS

    Attorneys from Feldesman Tucker Leifer Fidell LLP provide a full range of counseling services for the development, evaluation, implementation, operation, and support of effective HIPAA Privacy programs, informed by decades of experience advising federally qualified health centers, behavioral health providers, primary care associations, and health-center controlled networks.


    DIANNE PLEDGIE

    As Partner and Compliance Counsel with the firm’s health law practice group, Dianne advises health centers on implementing effective compliance programs and on addressing top compliance risk areas. Dianne counsels health centers and other organizations on developing compliance programs that include the OIG’s seven elements, respond to identified compliance risk areas, and reflect the organization’s culture. Dianne also advises health centers and other organizations on patient privacy and confidentiality, including the HIPAA Privacy Rule and 42 CFR Part 2. She has experience responding to privacy and security incidents, including determining whether there has been a breach, notifying patients and the government, and creating corrective action plans.

    MOLLY EVANS  

    A partner in the firm’s health law practice group, Molly advises health centers on the management of clinical, employment and workforce related risks, with a particular focus on professional liability, Federal Tort Claims Act, and HIPAA matters. From her experience as both a private attorney and in-house counsel, Molly knows the importance of managing liability and risk issues in mission-driven organizations.

    There are no continuing education credits or other attendance records associated with this product.


    ACCESS PERIOD

    Purchasing this Toolkit provides access for one calendar year. This access includes any updates or additions FTLF makes to Toolkit resources throughout the year at no extra charge.

    APPROVAL PROCESS

    We require approval for all Toolkit purchases. We aim to review all requests as quickly as possible, but there are occasional delays. Please allow up to 3-5 business days for approval.

    Toolkit subscriptions are for use within your organization only. If you are interested in purchasing Toolkit subscriptions for more than one organization, please Contact Us for bulk pricing options.

    DISCLAIMER

    By purchasing this Toolkit, you acknowledge and agree to our Terms of Use and Privacy Policy. This Toolkit has been prepared by attorneys at Feldesman Tucker Leifer Fidell LLP (FTLF) and includes original materials developed by FTLF. This Toolkit is designed as a resource and the materials are not intended to be adopted word for word; FTLF recommends that each organization tailor the materials to fit your health center's legal, financial, administrative, and programmatic needs. Failing to modify the original materials to the specific needs of your program may have adverse consequences. 

    By purchasing this Toolkit, you acknowledge and agree that the materials contained herein do not constitute legal advice and your purchase does not create an attorney-client relationship between you and FTLF, nor is it intended to do so. If legal advice or other expert assistance is required, your organization should enter into an engagement agreement with FTLF or seek the services of another competent professional. Each legal problem is different, and past performance does not guarantee future results.

    By purchasing this Toolkit, you acknowledge and agree that, unless otherwise indicated, FTLF owns the copyright to the resources in this Toolkit. All such materials are for personal/non-commercial use only, and any other use or disclosure is a violation of federal copyright law and is punishable by the imposition of substantial fines. Unless otherwise noted, all materials in this Toolkit remain the intellectual property of FTLF and are protected under the copyright of Feldesman Tucker Leifer Fidell LLP. Copyright is claimed in all original material, including but not limited to the sample forms, policies and procedures, and similar resources. Any and all such copyrighted materials may not be republished for or distributed to any third party at any time or in any form without written permission from FTLF.