Confidentiality for Health Centers Toolkit

First issued nearly two decades ago, the HIPAA Privacy Rule requires covered entities, including health centers, to protect patient health information from unauthorized uses and disclosures and to respond to patient requests to access, amend and account for disclosures of their health information.  To ensure compliance with the HIPAA Privacy Rule, covered entities must have a HIPAA Privacy Officer and develop written policies and procedures, training and education, reporting and investigation mechanisms, and strategies to mitigate the harmful effects of impermissible uses or disclosures.  In 2013, the Office for Civil Rights issued a “Final Rule” that strengthened the privacy and security protections for health information under HIPAA and finalized the Breach Notification Rule. These changes, and the possibility for additional changes soon, have left many health centers wondering how best to ensure they are HIPAA compliant.

In addition, as health centers add or enhance their substance use disorder services, they may also have to comply with the federal substance use disorder confidentiality regulations at 42 CFR Part 2 (“Part 2”).  Part 2 is more strict than the HIPAA Privacy Rule, requiring specific patient consent to disclose Part 2 protected records for purposes of treatment, payment and health care operations, unless one of a very limited number of exceptions applies. 

The Office of the National Coordinator for Health IT (ONC)’s Cures Act (Info Blocking) Final Rule requires “actors,” including health center, to respond to requests for access, exchange and use of electronic health information (EHI) without unreasonable delay, unless an exception applies.  The ONC’s Cures Act Final Rule defines eight exceptions that offer actors certainty that, when their practices with respect to accessing, exchanging, or using EHI meet the conditions of one or more exceptions, such practices will not be considered information blocking.  If an actor’s response does not meet the exception, allegations of information blocking require a fact-based assessment as to whether a delay or denial of a request for access, exchange or use of EHI would be considered an interference under the ONC’s Cures Act Final Rule.  That assessment would also determine whether the interference is with the legally permissible access, exchange, or use of EHI; whether the actor engaged in the practice with the requisite intent; and whether the practice satisfied the conditions of an exception. 

FTLF’s Confidentiality for Health Centers Toolkit is designed to help health centers maintain and improve compliance with applicable federal confidentiality and privacy laws and regulations, including the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, Part 2, and the ONC's Cures Act.  The Toolkit includes customizable sample policies, procedures, and forms, including: 

  • Privacy Officer Job Description: Sample
  • Authorization for Disclosure of PHI: Sample Form
  • Breach Analysis and Notification: Sample Policy and Procedure
  • Breach Notification to Affected Individuals: Sample Letter
  • Disclosing PHI to Business Associates: Sample Policy and Procedure
  • Business Associate Agreement: Sample

With greater attention to enforcement, now is the time to build or assess and improve your health center’s compliance with the applicable federal confidentiality and privacy laws and regulations. 

View the Table of Contents on the Agenda tab.

    Course summary
    Course opens: 
    08/24/2018
    Course expires: 
    01/01/2024
    Cost:
    $500.00

    TABLE OF CONTENTS

    HIPAA Privacy Documents
    42 CFR Part 2 Documents
    ONC's Cures Act (Info Blocking) Documents

    HIPAA Privacy Documents

    Administrative Requirements

    1. Personnel
    • Authority and Responsibilities of the Privacy Officer: Sample Policy and Procedure
    • Privacy Officer Job Description: Sample
    2. Training
    • HIPAA Privacy Education and Training: Sample Policy and Procedure 
    • HIPAA Privacy Education and Training Attendance Certification and Sign In Form: Sample    
    • HIPAA Privacy Education and Training Log: Sample
    • HIPAA Privacy Education and Training Material Distribution Log: Sample
    3. Safeguards
    • Safeguards to Protect the Privacy of PHI: Sample Policy and Procedure 
    4. Privacy Complaints
    • Reporting and Responding to Privacy Complaints: Sample Policy and Procedure
    • Prohibition on Waiver of Rights: Sample Policy and Procedure
    • Privacy Complaint Form: Sample
    • Privacy Complaint Summary: Sample
    • Privacy Complaint Log: Sample 
    • Investigating Privacy Complaints: Sample Policy and Procedure
    • Privacy Investigation Report: Sample
    5. Sanctions
    • Sanctioning Workforce Members: Sample Policy and Procedure 
    6. Mitigation of Violations
    • Mitigating the Effects of a HIPAA Violation: Sample Policy and Procedure
    7. Prohibiting Intimidation and Retaliation
    • Prohibiting Intimidation and Retaliation: Sample Policy and Procedure
    8. Policies and Procedures
    • Developing, Implementing and Revising HIPAA Policies and Procedures: Sample Policy and Procedure
    • Documenting HIPAA Privacy Practices: Sample Policy and Procedure

    Uses and Disclosures 

    1. Uses and Disclosures for Treatment, Payment and Health Care Operations: Sample Policy and Procedure
    2. Uses and Disclosures Required by Law: Sample Policy and Procedure
    3. Uses and Disclosures for Public Health Activities: Sample Policy and Procedure 
    4. Disclosures about Victims of Abuse, Neglect or Domestic Violence: Sample Policy and Procedure
    5. Uses and Disclosures for Health Oversight Activities: Sample Policy and Procedure
    6. Disclosures for Judicial and Administrative Proceedings: Sample Policy and Procedure
    7. Disclosures for Law Enforcement Purposes: Sample Policy and Procedure
    8. Uses and Disclosures about Decedents: Sample Policy and Procedure 
    9. Uses and Disclosures for Cadaveric Organ, Eye, or Tissue Donation Purposes: Sample Policy and Procedure
    10. Uses and Disclosures to Avert a Serious Threat to Health or Safety: Sample Policy and Procedure
    11. Uses and Disclosures for Specialized Government Functions: Sample Policy and Procedure 
    12. Disclosures for Workers' Compensation: Sample Policy and Procedure

    Authorizations

    1. Authorization for Use and Disclosure of PHI: Sample Policy and Procedure*
    2. Authorization for Disclosure of PHI: Sample Form
    3. Revocation of Authorization: Sample Form 
    4. Verifying Identity and Authority Prior to Disclosing PHI: Sample Policy and Procedure
    5. Identity Verification: Sample Form

    Responding to Patient Requests

    1. Requests for Restrictions: Sample Policy and Procedure*
    2. Requests for Restriction: Sample Form 
    3. Requests for Confidential Communications: Sample Policy and Procedure
    4. Requests for Confidential Communications: Sample Form
    5. Requests for Access: Sample Policy and Procedure*
    6. Request for Access: Sample Form*
    7. Requests to Amend: Sample Policy and Procedure
    8. Requests to Amend: Sample Form
    9. Requests for an Accounting of Disclosures: Sample Policy and Procedure
    10. Requests for an Accounting of Disclosures: Sample Form
    11. Designation and Authority of Personal Representatives: Sample Policy and Procedure

    Notice of Privacy Practices

    1. Contents of the Notice of Privacy Practices: Sample Policy and Procedure 
    2. Providing the Notice of Privacy Practices: Sample Policy and Procedure
    3. Acknowledgement of Receipt of Notice of Privacy Practices: Sample Form
    4. Acknowledgement of Receipt of Notice of Privacy Practices Not Obtained: Sample Form

    Minimum Necessary

    1. Minimum Necessary for Use of PHI by Workforce Members: Sample Policy and Procedure 
    2. Workforce Access Categories: Sample Form
    3. Workforce Directory Chart: Sample Form 
    4. Minimum Necessary for Disclosures and Requests of PHI: Sample Policy and Procedure

    Breach

    1. Breach Analysis and Notification: Sample Policy and Procedure
    2. Breach Notification to Affected Individuals: Sample Letter
    3. Breach Log: Sample 
    4. Breach Notification Report to HHS: Sample Form

    Business Associates

    1. Disclosing PHI to Business Associates: Sample Policy and Procedure 
    2. Business Associate Agreement: Sample*
    3. Business Associate Agreement Log: Sample Form
    4. Business Associate Agreement Checklist: Sample Form

    Compliance Programs 

    1. Board Resolution Designating the Privacy Officer:  Sample Form
    2. HIPAA Privacy Compliance Monitoring and Auditing: Sample Policy and Procedure
    3. Cooperating with HHS: Sample Policy and Procedure

    Other Privacy Concepts

    1. Uses and Disclosures of Limited Data Sets: Sample Policy and Procedure
    2. Data Use Agreement for Limited Data Sets: Sample
    3. Uses and Disclosures for Fundraising: Sample Policy and Procedure
    4. Workforce Confidentiality Agreement: Sample Form 
    5. Site Visitor Confidentiality Agreement: Sample Form

    *Updated to reflect the ONC's Cures Act Final Rule (2021).


    42 CFR Part 2 Documents

    Applicability

    1. Determining Applicability of 42 CFR Part 2: Sample Policy and Procedure
    2. Determining whether the Health Center Operates a Part 2 Program - Sample Form

    Program Requirements

    1. Providing Notice to Patients of 42 CFR Part 2 Confidentiality Requirements: Sample Policy and Procedure
    2. Notice to Patients of Federal Confidentiality Requirements under 42 CFR Part 2: Sample Form
    3. Acknowledgment of Receipt of Notice of Federal Confidentiality Requirements under 42 CFR Part 2: Sample Form
    4. Security for Records Protected by 42 CFR Part 2: Sample Policy and Procedure
    5. Request for Access to Records Protected by 42 CFR Part 2: Sample Policy and Procedure
    6. Disposition of Records by Discontinued Programs: Sample Policy and Procedure

    Disclosures with Patient Consent

    1. Obtaining Patient Consent for Disclosure of Patient Information Protected by 42 CFR Part 2: Sample Policy and Procedure
    2. Initial Consent to Disclose Records from Health Center’s Part 2 Program: Sample Form
    3. Consent to Disclose Records Protected by 42 CFR Part 2: Sample Form
    4. Consent to Disclose Records Protected by 42 CFR Part 2 to a Health Information Exchange: Sample Form
    5. Consent to Disclose Records Protected by 42 CFR Part 2 to the Criminal Justice System for Referred Patients: Sample Form

    Disclosures without Patient Consent

    1. Disclosures for Medical Emergencies: Sample Policy and Procedure
    2. Disclosures for Research: Sample Policy and Procedure
    3. Disclosures for Audits and Evaluations: Sample Policy and Procedure
    4. Audit and Evaluation of Records Not Copied, Removed, Downloaded or Forwarded: Sample Agreement
    5. Audit and Evaluation of Records Copied, Removed, Downloaded or Forwarded: Sample Agreement

    Court Orders Authorizing Disclosure and Use

    1. Court Orders Authorizing Disclosure and Use: Sample Policy and Procedure

    QUALIFIED SERVICE ORGANIZATIONS

    1. Disclosures to Qualified Service Organizations: Sample Policy and Procedure
    2. Qualified Service Organizations Agreement: Sample Addendum to Business Associate Agreement

    ONC's Cures Act (Info Blocking) Documents

    Responding to Requests to Access, Exchange and Use EHI

    1. Responding to Requests to Access, Exchange and Use EHI in Compliance with the ONC’s Cures Act Final Rule: Sample Policy
    2. Educating Patients on Risks Related to Access, Exchange and Use of EHI: Sample Policy and Procedure

    Administrative Elements

    1. Education and Training for Employees, Contractors and Volunteers: Sample Policy and Procedure
    2. Reporting and Responding to Non-Compliance with the ONC's Cures Act Final Rule: Sample Policy and Procedure

    Preventing Harm Exception

    1. Preventing Harm Exception to Access, Exchange and Use of EHI: Sample Policy and Procedure

    Privacy Exception

    1. Privacy Exception to Access, Exchange and Use of EHI: Sample Policy and Procedure

    Security Exception

    1. Security Exception to Access, Exchange and Use of EHI: Sample Policy and Procedure

    Infeasibility Exception

    1. Infeasibility Exception to Access, Exchange and Use of Electronic Health Information: Sample Policy and Procedure
    2. Determining Whether the Infeasibility Exception Applies: Sample Form
    3. Notice to Patient of Request Denial: Sample Notice

    Health IT Performance Exception

    1. Health IT Performance Exception to Access, Exchange and Use of Electronic Health Information: Sample Policy and Procedure

    Content and Manner Exception

    1. Content and Manner Exception to Access, Exchange and Use of Electronic Health Information: Sample Policy and Procedure

    Fees Exception

    1. Fees Exception to Access, Exchange and Use of Electronic Health Information: Sample Policy and Procedure

    Licensing Exception

    1. Licensing Exception to Access, Exchange and Use of Electronic Health Information: Sample Policy and Procedure

     

    ABOUT THE AUTHORS

    Attorneys from Feldesman Tucker Leifer Fidell LLP provide a full range of counseling services for the development, evaluation, implementation, operation, and support of effective HIPAA Privacy programs, informed by decades of experience advising federally qualified health centers, behavioral health providers, primary care associations, and health-center controlled networks.


    DIANNE PLEDGIE

    As Partner and Compliance Counsel with the firm’s health law practice group, Dianne advises health centers on implementing effective compliance programs and on addressing top compliance risk areas. Dianne counsels health centers and other organizations on developing compliance programs that include the OIG’s seven elements, respond to identified compliance risk areas, and reflect the organization’s culture.  Dianne also advises health centers and other organizations on patient privacy and confidentiality, including the HIPAA Privacy Rule and 42 CFR Part 2.  She has experience responding to privacy and security incidents, including determining whether there has been a breach, notifying patients and the government, and creating corrective action plans. [Full Bio]

    MOLLY EVANS  

    A partner in the firm’s health law practice group, Molly advises health centers on the management of clinical, employment and workforce related risks, with a particular focus on professional liability, Federal Tort Claims Act, and HIPAA matters. From her experience as both a private attorney and in-house counsel, Molly knows the importance of managing liability and risk issues in mission-driven organizations. [Full Bio]

    There are no continuing education credits or other attendance records associated with this product.

    Price

    Cost:
    $500.00
    Please login or register to take this course.

    ACCESS PERIOD

    Purchasing this Toolkit provides access for one calendar year. This access includes any updates or additions FTLF makes to Toolkit resources throughout the year at no extra charge.

    APPROVAL PROCESS

    We require approval for all Toolkit purchases. We aim to review all requests as quickly as possible, but there are occasional delays. Please allow up to 3-5 business days for approval.

    Toolkit subscriptions are for use within your organization only. If you are interested in purchasing Toolkit subscriptions for more than one organization, please Contact Us for bulk pricing options.

    DISCLAIMER

    By purchasing this Toolkit, you acknowledge and agree to our Terms of Use and Privacy Policy. This Toolkit has been prepared by attorneys at Feldesman Tucker Leifer Fidell LLP (FTLF) and includes original materials developed by FTLF. This Toolkit is designed as a resource and the materials are not intended to be adopted word for word; FTLF recommends that each organization tailor the materials to fit your health center's legal, financial, administrative, and programmatic needs. Failing to modify the original materials to the specific needs of your program may have adverse consequences. 

    By purchasing this Toolkit, you acknowledge and agree that the materials contained herein do not constitute legal advice and your purchase does not create an attorney-client relationship between you and FTLF, nor is it intended to do so. If legal advice or other expert assistance is required, your organization should enter into an engagement agreement with FTLF or seek the services of another competent professional. Each legal problem is different, and past performance does not guarantee future results.

    By purchasing this Toolkit, you acknowledge and agree that, unless otherwise indicated, FTLF owns the copyright to the resources in this Toolkit. All such materials are for personal/non-commercial use only and, any other use or disclosure is a violation of federal copyright law and is punishable by the imposition of substantial fines. Unless otherwise noted, all materials in this Toolkit remain the intellectual property of FTLF and are protected under the copyright of Feldesman Tucker Leifer Fidell LLP. Copyright is claimed in all original material, including but not limited to the sample forms, policies and procedures, and similar resources. Any and all such copyrighted materials may not be republished for or distributed to any third party at any time or in any form without written permission from FTLF.