Get documents about "Hipaa Compliant Release Forms for Medical Records
Description
Hipaa Compliant Release Forms for Medical Records document sample
Document Sample
Department: Program/Function:
Program/Function HIPAA Status: ___ Health Care Provider ___ Health Care Plan ___Health Care Clearinghouse ___Trading Partner
___ Business Associate ___ Data Changes Impact ___ Affiliated Entity ___ Multi-functional Entity (Check appropriate box(es))
HIPAA PRIVACY
WITH CORRESPONDING
STATE LAW
WORKSHEET
Projected End
Actual End
Completed
Start Date
Number
Percent
Date
Date
Milestone Description
A. PROJECT INITIATION (AWARENESS)
1- M Privacy Officer: Appoint an individual who will be your HIPAA Privacy Officer. [45 C.F.R. section 164.530(a)]
IPA - An employee is designated to be responsible for ensuring compliance with the provisions of the IPA. [Civ. Code section 1798.22 ]
STATE
LAW
B. INITIAL ASSESSMENT (INVENTORY)
2-M Map PHI: Map or flow chart the location, purpose, use and status of workforce who have access to PHI within your department, program or function [45
C.F.R. section 164.501]
3-M Business Associate PHI Exchange: Map or flow chart the PHI you exchange with the organizations with which you have business relationships [these
organizations will become your HIPAA business associates) [45 C.F.R. section 164.504(e)]
C. PREPARE PROJECT PLAN
4-D Detailed Project Schedule: Develop a detailed project schedule with functions needed to complete the milestones provided on this schedule.
D. DETAILED ASSESSMENT (GAP ANALYSIS)
5 -D DOCUMENTATION: Determine the applicability of HIPAA regulations [45 C.F.R. section 164.104], and document the decision factors finding your
department, programs, or functions as providers [45 C.F.R. section 164.500 & 160.103], health plans [45 C.F.R. section 164.500 & 160.103], clearinghouses
[45 C.F.R. section 164.500 & 160.103], business associates [45 C.F.R. section 164504(e)], hybrid entities [45 C.F.R. section 154.514(b)], affiliated entities
[45 C.F.R. section 164.504(d)], multi-functional entity [45 C.F.R. section 164.504(g)] or the status of not impacted by HIPAA [45 C.F.R. section 164.530(j)]
Projected End
Actual End
Completed
Start Date
Number
Percent
Date
Date
Milestone Description
A. of employees maintained by health care providers, health care service plans or
CMIA - A written policy exists which provides that the medical information PROJECT INITIATION (AWARENESS)
contractors are confidential and protected from unauthorized use or disclosure [Civ. Code section 56.20] unless excepted by the law. [Civ. Code section
56.25]
STATE LAWS
IPA - The term agency means every state office, officer, department, division, bureau, board, commission, or other state agency, except that the term does
not include:
(1) The California Legislature
(2) Any agency established under Article VI of the Constitution
(3) The State Compensation Insurance Fund, except as to any records which contain personal information about employess of the State Compensation
Insurance Fund.
(4) A local agency, as defined in subdivision (b) of section 6252 of the Government Code. [Civ. Code section 1798.3(b)]
6-D Use of PHI: Identify and document permitted use of PHI for your business practices [45 C.F.R. section 164.512]
7-D Without Authorization: Identify and document PHI that may be used without authorization [45 C.F.R. section 164.502 & 164.530(j)]
8-M Staffing: Identify staff members or classifications of staff who have access to PHI [45 C.F.R. section 164.530(b) & 164.530(j)]
9-M Minimum Necessary: Identify the minimum amount of PHI necessary to perform the function for each staff member or classification of staff [45 C.F.R.
section 164.514(d) & 164.530(d)]
IPA - Each agency shall maintain in its records only personal information which is relevant and necessary to accomplish a purpose of the agency required or
STATE
LAWS
authorized by the Ca. Constitution or statute or mandated by federal law. [Civ. Code section 1798.14]
10 - M Appropriate Access: Determine the appropriate access level to PHI for each staff member or classification of staff. [45 C.F.R. section 164.514(d) &
164.530(d)]
IPA - All records are reviewed and any records containing personal information that is not relevant and necessary to accomplish the agency purposes have
been deleted. [Civ. Code section 1798.14]
STATE
LAWS
IPA - Each agency shall maintain in its records only personal information which is relevant and necessary to accomplish a purpose of the agency required or
authorized by the Ca. Constitution or statute or mandated by federal law. [Civ. Code section 1798.14]
11 - M Commercial Purposes: Identify any current uses of PHI for marketing [45 C.F.R. section 164.501 (definition of marketing) & 164.508(a)(3)] or fundraising
[45 C.F.R. section 164.514(f)] and develop policies that will limit uses.
PAHRA - Lab test results are not used for commercial purposes without consent of the patient. [Health and Safety Code section 123148(g)]
STATE
LAWS
Projected End
Actual End
Completed
Start Date
Number
Percent
Date
Date
Milestone Description
12 - D Preemption: Identify, review and document whether any of the state A. PROJECT INITIATION (AWARENESS)
laws governing your programs are preempted by HIPAA [45 C.F.R. section 160.202]
IPA - Have an agreement with the Dept. of General Services, if the agency stores record with DGS, that the requirements of the IPA will apply to those
records. [Civ. Code section 1798.64]
PAHRA - The Information Practices Act prevails over the requirements of the Patients Access to Health Records Act. [Health and Safety Code section
STATE LAWS
123140]
PAHRA - State law prevails over applicable federal laws governing privacy and security of electronic personal health record if federal law permits. [Health
and Safety Code section 123148(d)]
PAHRA - The Confidentiality of Medical Information Act, the Insurance Information and Privacy Protection Act, and the Information Practices Act are not
relieved by the Patients Access to Health Records Act. [Health and Safety Code section 123135]
CMIA - Disclosure of medical information is also governed by the Information Practices Act commencing with Section 1798.24. [Civ. Code section 56.29]
PAHRA - This Act does not relieve employers of the requirements of the CMIA, relieve any persons subject to the Insurance Information and Privacy
Protection Act (IIPPA) or relieve government agencies of the requirements of the IPA. [Health and Safety Code section 123135]
13 - M Preemption: Develop a process to submit exception determinations to CalOHI for processing, if necessary. [45 C.F.R. section 164.204]
14 - D Preemption: Develop legislative proposals, etc. to change state laws for preempted state laws.
15 - M Copies of Records - Develop a process to provide copoies and a policy on the amount to be charged for copies of medical information records. [45 C.F.R.
section 164.524(c)(4)]
CMIA - Provide copies of records when demanded by the patient or authorized individual. [Civ. Code section 56.12]
CMIA - A process has been established to provide copies of medical profiles, summaries or other information maintained. [Civ. Code section 56.06]
IPA - A process is in place that permits individuals to have exact copies of information within 15 days of inspection. [Civ. Code section 1798.34(b)]
STATE LAWS
IPA - The amount of fees charged for copies of records, if any, has been established. [Civ. Code section 1798.33]
PAHRA - Individuals receive copies of their patient records at no cost if needed to support eligibility for a public benefit program unless the individual is
represented by a private attorney. [Health and Safety Code section 123100(d)]
PAHRA - When individual's appeal is successful, you may bill for the cost of the copies. [Health and Safety Code section 123110(e)]
PAHRA - Patients are advised of any charges for electronically accessing lab results. [Health and Safety Code section 123148(c)]
PAHRA - Patients are not charge any fee for electing to receive lab test results in mediums other than electronic form. [Health and Safety Code section
123148(i)]
PAHRA - Individuals have access to copies of their records upon receipt of a written request for a fee not to exceed $.25 per page for paper records or $.50
for microfilm records within 30 days. [Health and Safety Code section 123110(b) and (f)]
16 - M Penalties: Develop a policy establishing the treatment of violations of the HIPAA rules. [U.S.C. section 1320(d)(5)]
IPA - A process is in place to respond to any civil action or suits brought against the agency under the penalty, intentional disclosures, false pretenses, sale
STATE
LAWS
of information, etc., provisions of the IPA. [Civ. Code section 1798.45 - 60]
PAHRA - Patients have the right to bring legal action against health care providers for violation of Health and Safety Code section 123110. [Health and
Safety Code section 123120]
Projected End
Actual End
Completed
Start Date
Number
Percent
Date
Date
Milestone Description
PROJECT AND IMPLEMENTATION
A.E. TESTINGINITIATION (AWARENESS)
17 -D DOCUMENTATION: Document and maintain policies, procedures, communications (such as disclosures), activities, actions or designations with respect to
protecting health information. [45 C.F.R. section 164.530(j)]
PAHRA - Policies and procedures have been established for uniform transmittal of x-rays and other records that prevent discrimination. [Health and Safety
Code section 123110(i)]
18 - M Notice: Develop an adequate notice of privacy practices that explains the use and disclosures of PHI and issue to customers. [45 C.F.R. section 164.520]
IPA - A notice of privacy of individual information has been developed and the notice is provided to individuals when information is requested. [This can be
STATE
accomplished by an annual notice in tax-related booklets.) [Civ. Code section 1798.17]
LAW
IPA - Notices utilized by the agency have been reviewed and edited to provide the title, address of the individual responsible for maintaining the records,
how to access and contest contents of records. [Civ. Code Section 1798.32]
IPA - The privacy notice that was developed includes:
o The name of the agency and division within agency requesting information
o The title, address, telephone number of agency official responsible for records
STATE LAW
o The authority allowing maintenance of the information
o Voluntary or mandatory nature of submission of information requested
o Consequences if information is not provided
o Principal purpose for use of the information
o Any known or foreseeable disclosures of the information
o Individual’s right to access of records
[Civ. Code section 1798.17]
19 - D Policies and Procedures: Develop and make available your HIPAA privacy policies and procedures. [45 C.F.R. section 164.530(i)]
CMIA - Have in place a policy which outlines when providers can respond to inquiries about specific patients and what information can be provided. [Civ.
STATE
Code section 56.16]
LAW
IPA - Guidelines have been published or regulations have been adopted that specify the procedures necessary to implement the IPA. [Civ. Code section
1798.30]
20 - D Training: Train and document the receipt of training by staff/workforce. [45 C.F.R. section 164.530(b)]
IPA - Persons involved with personal information have received instructions on the IPA rules. [Civ. Code section 1798.20]
STATE
LAW
IPA - Rules of conduct have been established for persons involved with personal information. [Civ. Code Section 1798.20]
21 - D Sanctions: Add consequences for violation of HIPAA privacy laws to employee's duty statements/functions. [45 C.F.R. section 164.530 (e)]
CMIA - Staff are aware of the penalties for unauthorized disclosure of medical information. [Civ. Code section 56.36]
STATE
LAW
Transition: Develop a process to transition existing consents or authorizations to HIPAA-compliant consents or authorizations. [45 C.F.R. section 164.532]
22 - M
Projected End
Actual End
Completed
Start Date
Number
Percent
Date
Date
Milestone Description
23 - M A. PROJECT INITIATION PHI. [45 C.F.R. section 164.530(c)]
Safeguards: Have in place administrative, technical and physical safeguards to protect the privacy of(AWARENESS)
IPA - Reasonable administrative, technical and physical safeguards are in place that ensure the security and confidentiality requirements have been
instituted. [Civ. Code section 1798.21]
IPA - Safeguards are in place that will not allow information about another individual to be released to individuals requesting information about themselves.
[Civ. Code section 1798.42]
IPA - Safeguards are in place to ensure that no records are modified, transferred, or destroyed to avoid compliance with the IPA. [Civ. Code section
STATE LAW
1798.45]
CMIA - Safeguards are in place to prevent disclosure of medical information without obtaining an authorization, unless exempt from the authorization
requirement in the CMIA. [Civ. Code section 56.10]
CMIA - Special safeguards are in place to protect confidentiality of psychotherapy notes [Civ. Code section 56.104]
CMIA - Safeguards exist to preserve the confidentiality of medical information created, maintained, preserved, store, abandoned, destroyed, or disposed.
[Civ. Code section 56.101]
PAHRA - Safeguards, including policies and procedures, are in place to ensure the safety and integrity of electronic patients' records as provided by this
section. [Health and Safety Code section 123149]
PAHRA - Secure personal identification numbers are used when provision of lab test results are posted on the Internet or accessed by other electronic
manners. [Health and Safety Code section 123148(b)]
PAHRA - Test results for HIV antibody, hepatitis, drug abuse, or processed tissues are not transmitted electronically. [Health and Safety Code section
123148(f)]
24 - D Consent: Determine the policy on use of consent forms for functions that have health care providers. If a consent is to be used, develop a consent form for
patients to authorize use of their PHI for treatment, payment and health care operations (Use of the consent form is optional) [45 C.F.R. section 164.506]
25 - D Designated Records Set: Define the designated records set that will be accessible by individuals [45 C.F.R. section 164.501]
IPA - The records of personal information are maintained with accuracy, relevance, timeliness, and completeness. [Civ. Code section 1798.19]
IPA - All records are reviewed and those containing personal information that is not relevant and necessary to accomplish agency purpose have been
deleted. [Civ. Code section 1798.14]
IPA - For electronically collected information, a process has been developed that will retain the source of the information. [Civ. Code section 1798.16]
STATE LAW
IPA - A process has been developed to maintain the sources of personal information in the agency when the source is other than the individual. [Civ. Code
section 1798.16]
PAHRA - Any medical information transmitted via telemedicine becomes part of the patient's medical record. [Health and Safety Code section 123149.5]
PAHRA - Test results are recorded in the patient's record and reported to the patient in a reasonable time period. [Health and Safety Code section
123148(e)]
PAHRA - Notations are made to mental health records when patients request access. [Health and Safety Code section 12311(b)(4)]
26 - M Minimum Necessary: Define a process to limit PHI disclosed and received to the minimum necessary for the purpose. [45 C.F.R. section 164.514(d)]
IPA - All records are reviewed and those containing personal information that is not relevant and necessary to accomplish agency purpose have been
STATE
deleted. [Civ. Code section 1798.14]
LAW
Projected End
Actual End
Completed
Start Date
Number
Percent
Date
Date
Milestone Description
27- M A. PROJECT INITIATION (AWARENESS)
Access: Develop a process that will allow individuals access to inspect and/or copy their PHI, including denial of access when appropriate. [45 C.F.R.
section 164.522(a) & section 164.524]
IPA - A process exists to allow individuals access to their personal information maintained by the state agency. [Civ. Code section 1798.32]
PAHRA - Individuals are entitled to inspect their patient records upon receipt of a written request. [Health and Safety Code section 123110(a)]
CMIA - Employees or their authorized representatives are furnished copies of medical information when requested. [Civ. Code section 56.22]
PAHRA - Individuals have access to lab test results from the health care professional who requested the test, in oral or written form. [Health and Safety
Code section 123148(a)]
PAHRA - Individuals have access to copies of x-rays or tracings upon written request at reasonable cost. [Health and Safety Code section 123110(c)]
PAHRA - Inspection and copies are allowed of mental health records to licensed physicians, psychologists, marriage and family therapists or clinical social
workers when requested by the individual. [Health and Safety Code section 123115(b)(2)]
PAHRA - A summary of the health care record is provided to the patient at the health care providers discretion rather than access to the record. [Health
and Safety Code section 123130]
IPA - A process has been developed that allows the sources of personal information to be available to the individual in a readily accessible form. [Civ. Code
STATE LAW
section 1798.34(e)]
IPA - Identities of sources of information prior to July 1, 1978 are held in confidence. [Civ. Code section 1798.38]
IPA - Information is available at locations close to the home of the individual requesting access to their personal information. [Civ. Code section 1798.34(e)]
IPA - A process is in place to allow individuals access to review records in a reasonably comprehensible form within 30 days of a request. [Civ. Code
Section 1798.34[a) & (c)]
PAHRA - Individuals are denied access to records when adverse or detrimental consequences are expected to result from the access to a written record.
[Health and Safety Code section 123115(b)]
IPA - Personal information is not disclosed in the excepted circumstances provided in the IPA. [Civ. Code section 1798.40]
PAHRA - Access to alcohol and drug abuse records that are subject to federal law is not allowed. [Health and Safety Code section 123125(a)]
PAHRA - Inspection and provision of copies of records is not provided when prohibited by existing law governing confidentiality of records regarding
communicable disease carriers. [Health and Safety Code section 123125(b)]
PAHRA - Notices are sent to individuals when access to records is denied. [Health and Safety Code section 123115(b)(3)]
IPA - A process is instituted when a determination is made that information is exempt from access, including responding to the individual in writing within 30
days. [Civ. Code section 1798.41]
IPA - Part of the process for information that is exempt is allowing individuals access to that portion of the information that is not exempt. [Civ. Code section
1798.43]
IPA - Patient records are not withheld pending payment of unpaid bills for health care services. [Health and Safety Code section 23110(j)]
28 - M Identity: Develop a process to verify the identity of individuals requesting access, amendment or accounting of PHI. [45 C.F.R. section 164.514(h)(1)(i)]
PAHRA - Reasonable identification of the individual is verified before patient record access or copies are provided. [Health and Safety Code section
STATE
123110(g)]
LAW
IPA - A process is in place to require the individual requesting access to information to provide adequate identification. [Civ. Code Section 1798.34(d)]
29 - M Confidential: Develop a process to allow individuals confidential access or receipt of PHI. [45 C.F.R. section 164.50(h) & 164.522(b)(1)]
Projected End
Actual End
Completed
Start Date
Number
Percent
Date
Date
Milestone Description
30 - M A. to PHI, including denial of (AWARENESS)
Amendments: Develop a process for individuals to request amendmentsPROJECT INITIATIONchanges and rebuttal statements. [45 C.F.R. section
164.526]
IPA - A process has been established that allows individuals to make amendments to the personal information maintained by the agency. [Civ. Code
section 1798.28]
IPA - Individuals are allowed to request in writing amendments to their record. [Civ. Code section 1798.35]
IPA - Corrections are made in accordance with the individuals request, if appropriate. [Civ. Code section 1798.35]
IPA - A process is in place to allow individuals to remove their name and address from any mailing list created by the agency. [Civ. Code section 1798.62]
STATE LAW
PAHRA - Patients are allowed to provide written addendums to their records when they believe the record to be incomplete or incorrect. [Health and Safety
Code section 123111(a)]
IPA - Individuals are informed as to the reason for the denial of the correction. [Civ. Code section 1798.35]
IPA - Statement of reasons for disagreement on amendments to records is disclosed when information is provided to authorized individuals. [Civ. Code
section 1798.37]
IPA - Individuals are allowed to submit a statement setting forth the reasons for the disagreement concerning a denial of an amendment and the statement
of reasons is maintained in the record. [Civ. Code section. 1798.36]
PAHRA - Patients' addendums are attached to the record whenever the record is disclosed. [Civ. Code section 123111(b)]
31 - D Business Associate: Develop a business associate contract or contract language to add to existing contracts that will require business associates to
comply with HIPAA. (Compliance may be extended until April 14, 2004)[45 C.F.R. section 164.504(e)and 164.532(e)(2)(ii)]
IPA - All contracts with organizations that maintain or use personal information have been amended to require the contractor to adhere to the IPA
requirements. [Civil Code section 1798.19]
PAHRA - Third parties to whom lab test results are disclosed are covered by the IPA. [Health and Safety Code section 123148(h)]
32 - D Authorization: Develop an authorization form for patients' signatures that allows disclosure of PHI. [45 C.F.R. section 164.508]
IPA - A process is in place to ensure that information is not disclosed unless allowed to be disclosed in the IPA without information being de-identified. [Civ.
Code section 1798.24]
CMIA - Requires a valid authorization as described in the Act before allowing access to or releasing any medical information. [Civ. Code section 56.11]
CMIA - Uses or disclosures of medical information of employees are allowed with valid authorizations. [Civ. Code section 56.12]
CMIA - Organizations or individuals that underwrite or sell annuity contracts or contracts insuring, guaranteeing or indemnifying against loss, harm, damage,
illness, disability or death do not disclose medical information [Civ. Code section 56.265] unless the disclosure is appropriate under Civ. Code section 56.27
and 56.30. [Civ. Code section 56.265]
CMIA - Authorizations are required to disclose medical information to persons or organizations insuring, responsible for, or defending professionals against
STATE LAW
claims of professional negligence. [Civil Code section 56.105], [Civ Code section 56.10(c)(11) & Insurance Code section 791.06]
CMIA - Communicate to authorized recipients any limitations that may exist for the use of disclosed information. [Civ. Code section 56.14]
CMIA - Persons receiving medical information that is authorized by the employee are informed about any limitations on the use of the information. [Civ.
Code section 56.23]
CMIA - Recipients of medical information pursuant to an authorization are informed that they may not further disclose the medical information without
another authorization. [Civ. Code section 56.245]
CMIA - Ensure that authorized recipients of medical information are informed that they cannot further disclose the information. [Civil Code section 56.13]
CMIA - Allow individuals to cancel or modify authorizations for release of medical information when requested in writing. [Civ. Code section 56.15]
Projected End
Actual End
Completed
Start Date
Number
Percent
Date
Date
Milestone Description
A. PROJECT information with a written request.
CMIA - Individuals are allowed to cancel or modify authorizations for release of medicalINITIATION (AWARENESS) [Civ. Code section 56.24]
PAHRA - Patients or physicians can revoke consent at any time without penalty. [Health and Safety Code section 123148(j)]
PAHRA - Representatives of minors are not allowed to inspect or obtain copies of a minor patient's records when the minor has the right to inspect or when
STATE LAW
the health care provider has determined that a detrimental effect on the minor would occur as a result of the release of the records. [Health and Safety
Code section 123115]
CMIA - Receipt of health care services is not conditional upon signing an authorization, release, consent, or waiver of release of medical information. [Civ.
Code section 56.37]
CMIA - Have in place policies preventing disclosure of genetic test results that also outline the penalties for inappropriate disclosure. This includes use of
the appropriate authorization format. [Civ. Code section 56.17]
33 - M Restrict Release: Implement a process that allows individuals to restrict release and use of PHI. [45 C.F.R. section 164.522(a)(2)]
CMIA - No health care providers' employees are discriminated against for refusal to sign an authorization to release health information. (Civ. Code section
STATE
LAW
56.20)
34 - M Accounting: Develop a process to provide an accounting of disclosures of PHI for the prior 6 years if requested. [45 C.F.R. section 164.528]
IPA - An accurate accounting of each disclosure is being recorded. (Civ. Code section 1798.25)
STATE
LAW
IPA - Accountings of disclosures are retained for at least three years. (Civil Code section 1798.27)
35 - M Complaints: Institute a process for individuals to file complaints concerning privacy policies and procedures, including documentation of complaints. [45
C.F.R. section 164.530(d)]
36 - M Retaliation: Develop a policy to prevent intimidating or retaliatory acts for filing a complaint. [45 C.F.R. section 164.530(g)]
37 - M De-Identification: Develop a process to identify and de-identify PHI for research. [45 C.F.R. section 164.514(a)]
38 - M Retention: Implement a retention period of 6 years for HIPAA required documentation. [45 C.F.R. section 164.530(j)]
PAHRA - Records are preserved for a minimum of seven years for health care providers who have ceased operation. Persons injured by the destruction of
STATE
LAW
such records before the seven years have the right to bring court action. (Health and Safety Code Section 123145)
Yellow highlighting represents State Laws.
M = Milestone D = Deliverable
The state laws provided in these worksheets are not all inclusive. Many other state laws governing health information privacy exist for different
programs. You should consult with your legal counsel concerning other state laws governing privacy or confidentiality that may apply to your
programs.
Related docs
