DEPARTMENT: Health Information POLICY DESCRIPTION: Patient Privacy – Program
Management Services Requirements
PAGE: 1 of 8 REPLACES POLICY DATED: April 1, 2003
EFFECTIVE DATE: February 1, 2006 REFERENCE NUMBER: HIM.PRI.001
SCOPE: All Company-affiliated facilities including, but not limited to, hospitals, ambulatory surgery
centers, home health agencies, physician practices, patient account service centers and Medicare
service centers.
PURPOSE: The purpose of this policy is to establish general requirements and provide definitions
for the more complex aspects of the Health Insurance Portability and Accountability Act (HIPAA)
Standards for Privacy of Individually Identifiable Health Information (Privacy Standards).
It also establishes the requirements for each Company-affiliated facility to protect patients’ privacy
rights and their individually identifiable health information as required by the HIPAA Privacy
Standards, 45 CFR Parts 160 and 164, and all Federal regulations and interpretive guidelines
promulgated thereunder.
This is the first in a series of patient privacy policies designed to ensure compliance with the HIPAA
Privacy Standards, HIM.PRI.001 through HIM.PRI.009. The HIPAA Privacy Standards underlie
each policy in the series, and individuals affected by the policies are encouraged to consult these
regulations for further information and guidance regarding patients’ privacy rights and their
individually identifiable health information.
POLICY: All Company-affiliated facilities must work to balance business needs and uses of
protected health information (PHI) with patients’ rights outlined in the HIPAA Privacy Standards. In
addition to implementing the Company’s patient privacy policies in this series, each facility must
develop and implement facility-specific policies regarding the privacy of, and access to, patient health
information. These governing policies must support compliance with applicable federal and state
regulations.
HIPAA Privacy Standards information, guidance, tools and sample facility policies (the Sample
Facility Policies referenced as Attachment A) are available on the Company’s Intranet at:
http://shortlink.hca.corpad.net/0a1a10ca192a4d405323162041d4aa3a.
DEFINITIONS
The following definitions apply to all of the Company’s patient privacy policies and procedures.
Affiliated Covered Entity (ACE) – Legally separate covered entities under common ownership or
control may designate themselves as a single Affiliated Covered Entity (ACE). Within an ACE, uses
and disclosures of PHI among the affiliated entities are permitted without consent or authorization
for the functions of treatment, payment or health care operations. Facilities in a shared clinical
market (e.g., facilities sharing an online medical record system, referred to as the Clinical Patient
Care System or CPCS) will be designated as Affiliated Covered Entities.
Business Associate – A person, business or other entity who, on behalf of an organization covered by
the regulations, performs or assists in performing a function or activity involving the use or disclosure
of PHI. A business associate is not someone in a hospital’s or ambulatory surgery center’s own
workforce, such as an employee, volunteer, or trainee. Patient account service centers, Medicare
service centers and the supply chain organization are Business Associates of the facilities and ACEs.
Covered Entity – A health plan (e.g., an individual or group plan that provides or pays the cost of
medical care), a health care clearinghouse, or a health care provider who transmits any health
information in connection with a transaction covered by HIPAA.
Designated Record Set (DRS)
1. The medical records and billing records about individuals maintained by or for a covered health
care provider used, in whole or in part, by or for the covered entity to make decisions about
individuals.
2. For purposes of this definition, the term record means any item, collection, or grouping of
information that includes PHI and is maintained, collected, used, or disseminated by or for a
covered entity.
Disclosure – The release, transfer, provision of access to, or divulging in any other manner of
information outside the entity holding the information.
Group Health Plan – An employee welfare benefit plan as defined in ERISA, including insured and
self-insured plans, to the extent that the plan provides medical care. The plan must have 50 or more
participants or be administered by an entity other than the employer that established and maintains the
plan. (See definition of “health plan.”)
Health Care Clearinghouse – An entity that processes health information received from another
entity in a nonstandard format into a standard format or vice versa.
Health Care Operations (HCO) – Any of the following activities of the covered entity to the extent
that the activities are related to covered functions (i.e., functions the performance of which makes the
entity a health plan, health care provider, or health care clearinghouse), and any of the following
activities of an organized health care arrangement in which the covered entity participates:
1. Conducting quality assessment activities;
2. Reviewing the competence or qualifications of healthcare professionals;
3. Conducting training programs;
4. Underwriting, premium rating, and other activities relating to renewal or replacement of
health insurance or health benefits;
5. Conducting or arranging for medical review, legal services, and auditing functions, including
fraud and abuse detection and compliance;
6. Business planning and development; or
7. Business management and general administrative activities of the entity.
See Attachment B for detail and specific HCO examples.
Health Care Provider – A provider of services (as defined in Section 1861(u) of the Social Security
Act, 42 U.S.C. 1395x(u)); a provider of medical or health services (as defined in Section 1861(s) of
the Social Security Act, 42 U.S.C. 1395x(s)); and any other person or organization who furnishes,
bills, or is paid for health care in the normal course of business.
Health Plan – An individual or group plan that provides, or pays the cost of medical care. Health
plans include a group health plan (see definition above), an HMO, Medicare Parts A and B, and
Medicaid, among others. Examples of programs that are not health plans include workers’
compensation, disability insurance, life insurance, automobile insurance, and coverage for on-site
medical clinics. A complete listing of inclusions and exclusions is provided in the regulations.
Indirect Treatment Relationship – A relationship between an individual and a health care provider
in which the health care provider:
1. Delivers health care to the individual based on the orders of another health care provider; and
2. Typically provides services or products, or reports the diagnosis or results associated with the
health care, directly to another health care provider, who provides the services or products or
reports to the individual.
Law Enforcement Official – An officer or employee of any agency or authority of the United
States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is
empowered by law to:
1. Investigate or conduct an official inquiry into a potential violation of law; or
2. Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an
alleged violation of law.
Marketing
1. To make a communication about a product or service that encourages recipients of the
communication to purchase or use the product or service, EXCEPT:
i) To describe a health-related product or service (or payment for such product or service)
that is provided by a facility making the communication, including communications about
the entities participating in a health care provider network;
ii) For treatment of the individual; or
iii) For case management or care coordination for the individual, or to direct or recommend
alternative treatments, therapies, health care providers, or settings of care to the
individual.
2. An arrangement between a facility and another entity whereby the facility discloses PHI to that
entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a
communication about its own product or service that encourages recipients of the communication
to purchase or use that product or service.
Organized Health Care Arrangement (OHCA) – This option, under the HIPAA Privacy Standards,
allows the sharing of information for treatment, payment and health care operations between
healthcare providers. The OHCA is defined as a clinically integrated care setting in which
individuals typically receive health care from more than one health care provider. The U.S.
Department of Health and Human Services (HHS) identifies the facility setting as “the most common
example of this type of health care arrangement” because the facility and physicians with privileges at
the facility “together provide treatment to the individual.” HHS recognizes that the facility and its
privileged physicians must be able to share information for treatment purposes and for their joint
health care operations.
Payment – Activities undertaken by a health care provider to obtain reimbursement for the provision
of health care. Examples include, but are not limited to: determining eligibility or coverage
(including coordination of benefits or the determination of cost sharing amounts); billing, claims
management, collection activities, obtaining payment; reviewing health care services with respect to
medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
utilization review activities, including precertification and preauthorization of services, concurrent
and retrospective review of services.
Personal Representative – A person who has the authority to act on behalf of an individual in
making decisions related to that individual’s health care.
Protected Health Information – Any oral, written or electronic individually-identifiable health
information collected or stored by a facility. Individually-identifiable health information includes
demographic information and any information that relates to the past, present or future physical or
mental health or condition of an individual, the provision of health care to an individual, or payment
for that care, and that identifies the individual or could reasonably be used to identify the individual.
Required by Law – A mandate contained in law that compels a covered entity to use or disclose
PHI which is enforceable in a court of law. Required by law includes, but is not limited to, court
orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a
governmental or tribal inspector general, or an administrative body authorized to require the
production of information; a civil or an authorized investigative demand; Medicare conditions of
participation with respect to health care providers participating in the program; and statutes or
regulations that require the production of information, including statutes or regulations that require
such information if payment is sought under a government program providing public benefits.
Treatment – The provision, coordination, or management of health care and related services by one
or more health care providers, including the coordination or management of health care by a health
care provider with a third party; consultation between health care providers relating to a patient; or
the referral of a patient for healthcare from one health care provider to another.
Use – With respect to individually identifiable health information, is the sharing, employment,
application, utilization, examination, or analysis of such information within an entity that maintains
such information.
Additional Definitions – Please refer to the HIPAA Privacy Standards, 45 CFR 160.103 and
164.501, for additional definitions.
PROCEDURE:
Facility Privacy Program responsibilities include, but are not limited to:
a. Compliance with all policies and procedures related to the Privacy Program.
b. Implementation of policies and procedures for patient privacy designed to comply with the
HIPAA Privacy Standards.
c. Creation of, and revisions to, facility-specific policies and procedures as necessary to comply
with changes in the law. Changes must be documented and implemented. When policies and
procedures are revised, the previous versions of the policies and procedures must be retained
for six (6) years.
d. Adherence to health plan policies that address the protection of medical information related to
the Company health plans offered to our employees. These policies primarily affect the
facility HR personnel and may be found on the Company Intranet at:
http://shortlink.hca.corpad.net/0a1a10ca2f38ccc9532e9e178629435b
1. Business Associate Requirements – Company-affiliated facilities must have written agreements
with their Business Associates. The Facility Privacy Official (FPO) or designee at each facility
must establish a process to identify its Business Associates. Business Associate language must be
added to existing contracts and be incorporated into new and renewing contracts, in consultation
with the facility’s Operations Counsel. See the Company’s Business Associate Agreement on
Atlas at:
http://atlas2.medcity.net/portal/content/hipaa/HIPAA/Business%2520Associate%2520Agreement/businessassocagreemtpriv1.DOC
2. Structural Options Under the HIPAA Privacy Standards
A. Affiliated Covered Entity (ACE) – Each facility within a market (e.g., CPCS) has been
designated as an ACE. Each facility within a market must document its ACE affiliation in
Market Security Committee meeting minutes and notify the FPO of this affiliation. A single
notice of privacy practices may be utilized throughout the ACE.
B. Organized Health Care Arrangement (OHCA) – A facility, physicians with privileges at
that facility, and departments of the facility that are not owned or operated by the facility are
all considered an OHCA. The OHCA enables the sharing of PHI. The OHCA covers
activities only at the integrated delivery setting. For example, physicians with staff privileges
are part of the OHCA only when they are rendering care at the facility. The physicians’
private offices are not part of the OHCA. (Physicians, therefore, in their private offices, must
issue their own notice of privacy practices, obtain consent from their own patients, and
develop and comply with their own policies and procedures.)
3. Required Language for Conditions of Admission Forms – Conditions of Admission Forms
must include the following statements which must be initialed by the patient or the patient’s
representative:
I acknowledge the Facility/Surgery Center will use my information for the purposes of
treatment, payment, and health care operations.
I acknowledge that I have been given the Facility’s/Surgery Center’s Notice of Privacy
Practices. I understand that if I have questions or complaints I may contact the Facility
Privacy Official.
4. Personal Representatives – If a person has the authority to legally act on behalf of an adult or
emancipated minor, that person must be treated as if he or she were the person being represented.
If a person has the authority to legally act on behalf of an unemancipated minor, that person must
be treated as if he or she were the unemancipated minor, except when the minor has the authority
to act as an individual with respect to PHI because:
    a. The minor consents to the health care;
    b. The minor and a court or another person authorized by law consent to such health care
    service; or
    c. The parent, guardian or personal representative agrees to confidentiality between the health
    care provider and the minor.
In situations involving abuse, neglect, or endangerment, a facility may elect not to treat a person
as the personal representative of an individual if:
    a. The facility has a reasonable belief that:
        i) The individual has been or may be subjected to domestic violence, abuse, or neglect
        by such person; or
        ii) Treating such person as the personal representative could endanger the individual; and
    b. The facility, in the exercise of professional judgment, decides that it is not in the best interest
    of the individual to treat the person as the individual’s personal representative.
State laws regarding personal representatives, emancipated minors, and unemancipated minors
vary; contact Operations Counsel for specific advice.
5. Designated Record Set (DRS) – Information used by a facility to make decisions about an
individual is to be integrated into the DRS. When a facility has information from another facility
that has been sent to the facility via fax or mail during the patient’s visit, the information will be
considered part of the DRS at the receiving facility, and therefore, may be accessed by the patient.
The recommendation is that any piece of paper that makes its way into the facility’s paper record
be considered part of the DRS.
6. Guidelines for Employment-related Testing and Assessment – Although employment-related
testing and assessments are part of the individual’s DRS, the information and results are
maintained by the Employee Health Department of the employing facility and are not used for any
other purposes. As such, a notice of privacy practices is not provided. The Employee Application
should indicate that employment-related testing and assessments will be maintained within the
Employee Health Department only and will be used to validate eligibility and continued
employment.
7. Research – A Company-affiliated facility may disclose information to researchers when an
institutional review board that has reviewed the research proposal and established protocols to
ensure the privacy of PHI has approved their research or has provided a waiver of patient
authorization.
8. Fundraising – A Company-affiliated facility may use or disclose to a business associate or to an
institutionally-related foundation the following PHI for the purpose of raising funds for its own
benefit, without an authorization meeting the requirements of Sec. 164.508:
    a. Demographic information relating to an individual; and
    b. Dates of health care provided to an individual.
Individuals may opt out of having their PHI used for fundraising purposes by completing the Opt
Out Form, which may be obtained from the admission staff or FPO.
9. Marketing – Company-affiliated facilities may communicate with patients via newsletters,
mailings or other means regarding treatment options, health-related information, disease-management
programs, wellness programs, or other community-based initiatives or activities in which the
facility is participating. For media relations information (giving out patient information to the
media) please refer to the Patients’ Right to Opt Out of the Directory Policy (Attachment B).
10. Refraining from Retaliatory Acts – Company-affiliated facilities may not intimidate, threaten,
coerce, discriminate against, or take other retaliatory action against individuals for exercising any
rights under the HIPAA Privacy Standards.
11. Health Plan Information – Facility personnel may come in contact with protected health
information that is related to the Company health plans. An example of such an encounter would
be helping an employee with a benefit claim. For policies and procedures related to the protection
of health plan information, please refer to the policies posted on Atlas/Company
Information/HIPAA Program/Human Resources.
REFERENCES:
Health Insurance Portability and Accountability Act, Standards for Privacy of Individually
Identifiable Health Information, 45 CFR Parts 160 and 164
Privacy Official Policy, HIM.PRI.002
Patient Privacy – Protection Policy, HIM.PRI.003
Patient Privacy – Patients’ Right to Access Policy, HIM.PRI.004
Patient Privacy – Patients’ Right to Amend Policy, HIM.PRI.005
Patient Privacy – Right to Request Privacy Restrictions Policy, HIM.PRI.006
Notice of Privacy Practices Policy, HIM.PRI.007
Patient Privacy – Patients’ Right to Confidential Communications Policy, HIM.PRI.008
Patient Privacy – Accounting of Disclosures Policy, HIM.PRI.009
Records Management Policy, EC.014
Enforcement and Discipline Policy, IS.AA.015
Business Associate Tools, available on the Company Intranet at:
http://shortlink.hca.corpad.net/0a1a10ca2f38ccc95329a9e68d3f4dc2
Facility Sample Policies are available on the Company Intranet at:
http://shortlink.hca.corpad.net/0a1a10ca192a4d405323162041d4aa3a
Attachment A
Sample Facility Policies
Attachment B
Health Care Operations (HCO) Definition with Examples
HCO means any of the following activities of the covered entity to the extent that the activities are related to covered functions (i.e.,
functions the performance of which makes the entity a health plan, health care provider, or health care clearinghouse). Each regulation
inclusion below is followed by facility examples (not inclusive).

(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines,
provided that obtaining generalizable knowledge is not the primary purpose of any studies resulting from these activities.
    Facility examples: quality management activities such as performance improvement; Risk Management occurrence reporting;
    Patient Access QA audits; random charge integrity audits; Gallup surveys.
Population-based activities relating to improving health or reducing health care costs.
    Facility examples: ACoS Cancer Registry; ORYX reporting.
Case management and care coordination.
    Facility examples: case management; utilization review.
Contacting of health care providers and patients with information about treatment alternatives.
    Facility example: letters sent to patients about new treatments that can be provided for specific diseases.
Related functions that do not include treatment.

(2) Reviewing the competence or qualifications of health care professionals; evaluating practitioner and provider performance.
    Facility examples: peer review; credentialing and privileging activities.
Evaluating health plan performance.
    Facility example: detailed analysis of A/R aging by payer.
Conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice
or improve their skills as health care providers.
    Facility examples: medical student training; residency programs; nursing and ancillary student training; case conferences for the
    residency program; ongoing training for practitioners.
Training of non-health care professionals.
    Facility examples: HIM student training programs; routine Education Department activities.
Accreditation.
    Facility example: JCAHO.
Certification.
Licensing.
    Facility examples: State agency surveys; HCFA surveys.
Credentialing.
    Facility example: physician credentialing.

(3) Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health
insurance or health benefits.
    Facility example: management of employee health benefit plans.
Ceding, securing or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and
excess of loss insurance), provided that the requirements of 164.514(g) are met.
    Facility note: would apply mainly to health plans.

(4) Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and
compliance programs.
    Facility examples: legal review; Internal Audit functions; HIM services audit functions; Risk Management claims management;
    lab billing compliance audits.

(5) Business planning and development, such as cost management and planning-related analysis related to managing and operating
the entity, including formulary development and administration, and development or improvement of methods of payment or
coverage policies.

(6) Business management and general administrative activities of the entity, including, but not limited to:
Management activities relating to implementation of and compliance with the requirements of this subchapter.
    Facility examples: auditing user access; resolution of HR disciplinary actions related to policy and procedure violations.
Customer service, including the provision of data analysis for policy holders, plan sponsors and other customers.
Resolution of internal grievances.
    Facility example: Patient Relations Program.
Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in
interest is a covered entity or, following completion of the sale or transfer, will become a covered entity.
Consistent with the applicable requirements of 164.514, creating de-identified health information, fundraising for the benefit of the
covered entity, and marketing for which an individual authorization is not required as described in 164.514(e)(2).