
Ensign Services, Inc.

HIPAA Privacy and Security Operational Guide

This guide has been created for Ensign-affiliated facilities and entities to serve as an overview of the daily operating policies and procedures with regard to maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA).

This operational guide is intended to represent a simplified version of the company’s detailed policies and procedures and is to be used by workforce members and management as a quick reference to answer many of the daily questions that arise concerning HIPAA.

The HIPAA Privacy Rule creates national standards to protect a patient’s or resident’s medical record and other personal health information. As healthcare providers we use and disclose sensitive individually identifiable information daily, and it is our duty to protect that information. It is important that we understand a few concepts related to our handling of patient or resident information in order to protect the privacy rights afforded under the HIPAA Privacy Rule. An understanding of these concepts will also serve in the implementation of policies and procedures.

Protected Health Information (PHI) is defined as individually identifiable health information that is transmitted or maintained by a facility/entity in any form or medium.

Individually Identifiable Health Information is defined as a subset of health information, including demographic information, that is collected from a patient or resident, is created or received by us, relates to the past, present, or future physical or mental health or condition of a patient or resident, and can be used to identify the patient or resident.

What Information Is Protected?

- Information doctors, nurses, therapists, consultants, and other health care providers document in the medical record, both on paper and electronically
- Conversations about patient or resident care with others
- Billing and financial information
- Contact information, including email address
- Photographs
- Most other health information that includes individually identifiable information

It is best to assume every piece of information is protected and to inquire as to whether or not it can be used or disclosed for your intended purpose. When in doubt, please ask.

HIPAA Privacy and Security Operational Guide/August, 2016

CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP

USING PATIENT/RESIDENT INFORMATION

When we USE PHI we share, utilize, examine, and analyze information that remains WITHIN our facility/entity. Examples of use include:

TREATMENT: discussing patient or resident care with physicians, during care conferences, with nurses/therapists

PAYMENT: billing for services provided, collecting payment, verifying benefits

HEALTHCARE OPERATIONS: collecting data for quality improvement activities, monitoring, and training activities

These are all permissible (allowed) uses of a patient’s or resident’s health information.

Are we allowed to include patient/resident information in facility directories and post their name on the door of their room?

Patients and residents receiving care in a SNF or ALF should be afforded the right to determine:

- Whether or not their name is posted outside their room
- Whether their information is shared with family and friends, and to identify those with whom we may share information (also applies to hospice and home health)
- Whether or not callers may be given information
- Whether or not clergy may be given information

At admission, ask the patient or resident to complete the Communication Method Request form as part of the Notice of Privacy Practices. Ensure staff are knowledgeable of the patient’s or resident’s preferred methods for communication.

The following situations are NOT permitted when using PHI:

- Discussing patient or resident care in open, public areas or with others who should not have the information
- Sharing more information than necessary to provide treatment or bill for services
- Accessing or copying records without a specific treatment, payment, or operational purpose

What can you do to protect information while using it to care for our patients and residents?

- Limit information to the minimum necessary to accomplish the intended purpose of the use
- Discuss patient and resident care in private areas; when a private area is not available, lower your voice and be aware of those who may overhear
- When discussing care with the patient or resident in a shared room, ask the patient or resident if they object to the discussion, and find a private location if an objection is expressed
- Secure documents from public view
- Access only those records/documents needed to accomplish the task of providing treatment, billing for services, or other operational functions


DISCLOSING PATIENT/RESIDENT INFORMATION

We also DISCLOSE protected health information for treatment and payment purposes. Disclosure is the release, transfer, provision of access to, or divulging of PHI OUTSIDE the facility/entity in order for others to provide treatment or bill for services. These disclosures are permitted under the HIPAA rule and include sending records with the patient or resident to the hospital or to an appointment, faxing PHI to a physician, and transmitting claims for payment.

When disclosing PHI we must follow the Minimum Necessary standard. This standard is defined as making reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.

Using or disclosing an entire medical record is not justified unless releasing it is reasonably necessary to accomplish the purpose of the use or disclosure. An example of reasonably necessary would be releasing the entire record pursuant to a subpoena that calls for the entire record.

How do we account for these disclosures?

Use the Accounting of Disclosure log to document all disclosures of protected health information except those:

- For treatment, payment, and healthcare operations
- To the patient/resident (or personal representative)
- Pursuant to the patient’s/resident’s authorization
- For the facility/entity directory
- To persons involved in the patient’s/resident’s care
- For national security or intelligence purposes
- To correctional institutions or in law enforcement custodial situations

When does Minimum Necessary NOT apply?

You may disclose the PHI that is requested, without applying the Minimum Necessary standard:

- To healthcare providers for treatment purposes
- To the patient or resident
- Pursuant to a valid authorization
- To the Secretary of the Department of Health and Human Services (DHHS)
- As required by law

There are times when, with good intention, we inadvertently disclose information to the wrong person. Examples of inadvertent disclosures to other HIPAA covered parties include:

- Faxing PHI to the wrong physician
- Sending one patient’s or resident’s PHI with another patient or resident to the hospital or to an appointment


What do we do when these inadvertent disclosures occur?

- Notify the Privacy Officer or contact the Compliance Hotline
- Secure the PHI by contacting the person/entity to which the PHI was faxed or sent and informing them of the mistake
- Notify the patient or resident, typically by writing and delivering a letter of apology assuring them the PHI was secured and procedures were implemented to prevent another mistake

When is a disclosure NOT permitted?

- Sharing information with family and/or friends whom the patient or resident has not identified on the Communication Method Request form
- Posting any patient or resident information, including photographs, on social media sites
- Sending PHI to others who do not have authorization to receive that information
- Removing PHI from the facility/entity without it being secured and without a specific treatment or billing purpose

______________________________________________________________________________

When you become aware of any disclosure resulting in a compromise of patient or resident health or financial information, report it immediately to the Privacy Officer or contact the Compliance Hotline.

______________________________________________________________________________

Breaches of PHI

What is a breach?

The everyday definition of breach is an infraction or violation of a law, obligation, or standard. HIPAA defines breach as the acquisition, access, use, or disclosure of protected health information, in a manner not permitted under the Privacy Rule, which compromises the security or privacy of the PHI.

Examples of possible breaches:

- Lost or stolen mobile device, including computers
- Sending/faxing/emailing PHI to someone other than a healthcare provider or authorized patient/resident representative
- Patient or resident documents stolen from a home or car
- Posting PHI, including pictures, on a social media site
- Unsecured documents (not shredded, left open/unlocked)
- Texting PHI outside an approved secure messaging application
- Discussing protected information with those who do not have a need to know


What must we do when we suspect a breach has occurred?

When we use or disclose PHI in a manner not permitted under the HIPAA rule we must assume a breach has occurred (PHI has been compromised) and conduct a risk assessment to determine the probability that the PHI has been compromised. In some cases the patient or resident must be notified by letter, and in cases involving financial information, credit protection is offered to give the patient or resident the ability to monitor for suspicious activity.

What is NOT a breach?

A breach does not include an acquisition, access, or use made in good faith and within the scope of the employee’s job function that does not result in further use or disclosure, such as:

- An employee unintentionally accesses the wrong medical record; the employee was working within their job scope and did not use or disclose the information further
- A fax containing PHI was accidentally sent to the wrong physician’s office; the physician is a Covered Entity under HIPAA and therefore must also abide by the HIPAA rule, and the office notified us of the misdirected fax and shredded the document(s). The inadvertent disclosure must still be reported to the Privacy Officer as described above.
- Discussing care with family or friends involved in the patient’s or resident’s care and known to the facility/entity

How do I protect our PHI from a possible breach?

- Access PHI only from a device provided by the IT department; these computers and mobile devices are encrypted
- Do not save any PHI on an external drive
- Lock PHI in a secure file bag in the trunk when transporting
  o Use the PHI in Transit Log to document PHI moving in/out of your facility/entity
- Lock medication cart computers in the cart when not in use
- Use only Tiger Text or Secure Conversations in Point Click Care as a secure means of texting PHI, and educate staff to use only these applications for texting PHI
- When traveling with a computer, lock it in the trunk when not in use
- When sending emails containing PHI outside the network, encrypt by typing [ENCRYPT] in the subject line of the email
- Lock the medical records room when unattended and overnight
- Shred documents immediately
- Remove documents from fax machines immediately after faxing
- Verify fax numbers before sending a fax and call the recipient to ensure receipt
- Check documents carefully prior to releasing them
- Verify the identity and authority of those requesting and accepting PHI
- Use an approved fax cover sheet
- Educate staff about using cell phones in patient and resident care areas within the facility/entity
- Educate staff to refrain from taking photographs or videos of patients or residents
- Obtain the patient’s/resident’s written consent for all photographs and videos used for approved facility/entity activities


How do I encrypt an email containing PHI sent outside the company’s network?

- In the subject line of the email type [ENCRYPT]
- Do not include any PHI in the subject line; the subject line is not encrypted by this method, only the message body and attachments are protected

Patient/Resident Privacy Rights Afforded Under HIPAA

Patients and residents have the right to make informed choices when seeking care and reimbursement for care and on how their personal health information may be used. They have the right to:

- Ask to see and get a copy of their health records, including electronic records
- Request corrections to their health information
- Receive a notice that tells them how their health information may be used and shared (this is called the Notice of Privacy Practices)
- Give permission before their health information can be used or shared for certain purposes, such as for marketing
- Revoke their permission to share their PHI
- Request that healthcare providers communicate with them about medical matters in a certain way or at a certain location
- Decide which friends and family members may have information related to their care
- Receive a report on when and why their health information was shared for certain purposes (this is called an Accounting of Disclosures)
- File a complaint with their provider, health insurer, or the Office for Civil Rights

Does a patient or resident automatically have access to every document in their record?

No, there are circumstances in which we can deny a patient or resident access to their information:

o Psychotherapy notes
o Information compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding
o In cases where the facility or entity is acting under the direction of a correctional institution, the request of an inmate may be denied if such access would endanger the health or safety of the individual or anyone else
o The information was obtained from someone under a promise of confidentiality, and the access requested would be reasonably likely to reveal the source of the information
o A licensed health care professional, in the exercise of professional judgment, finds that access would likely endanger the life or physical safety of the patient/resident, or cause substantial harm to the patient/resident or another person
o The information references another person (other than a health care provider) and the access would likely cause substantial harm to that person
o The access request is made by a personal representative and the personal representative would likely cause harm to the patient/resident or another person


Can the patient or resident appeal our decision to deny access?

A patient or resident reserves the right to appeal our decision to deny them access to their PHI in the following circumstances:

- A licensed health care professional, in the exercise of professional judgment, finds that access would likely endanger the life or physical safety of the patient/resident, or cause substantial harm to the patient/resident or another person
- The information references another person (other than a health care provider) and the access would likely cause substantial harm to that person
- The access request is made by a personal representative and the personal representative would likely cause harm to the patient/resident or another person

A denial letter will be drafted by Compliance and must be provided to the patient or resident describing the reason for the denial. The patient or resident must be afforded the opportunity to appeal the denial by completing the Denial of Access to PHI and Appeal Form. Please contact the Privacy Officer for guidance in these circumstances.

How do I afford patients and residents their rights while in my care?

- Designate a HIPAA Liaison within your facility/entity to serve as the contact for questions and requests
- At admission, provide every patient and resident (or representative) a copy of our Notice of Privacy Practices
- If you have a website, post the Notice of Privacy Practices there
- Post the Notice of Privacy Practices for patients and residents in a visible location within your facility/entity (be sure this is at wheelchair height)
- Provide copies of the Notice of Privacy Practices on request
- At admission, complete the Communication Method Request form with the patient or resident to understand how and with whom they want their information shared
  o Ensure all staff are aware of the patient’s or resident’s wishes
- Provide patients and residents access to their medical information, including electronic documents
  o Arrange a time and location with the patient or resident
- Provide patients and residents the right to request changes to their medical information when they believe it is incorrect (Request for Amendment of Records)
- Allow patients and residents to exercise their right to receive confidential communications
- Provide patients and residents the right to request restrictions on the information we share
- Provide patients and residents the right to know with whom we have shared their information (Accounting of Disclosures)
- Be transparent with patients and residents on how to exercise their right to file a complaint when they believe their rights have been violated
- Obtain a signed authorization from the patient or resident (or representative) prior to releasing records when an authorization is required


Are we permitted to charge the patient/resident (or their representative) to copy their record?

Yes, you may charge a reasonable, cost-based fee for copying records. The fee may only cover the actual labor for copying, supplies, and postage when records are mailed. You may not charge for the time it takes to locate or retrieve the record. You may not default to state fee schedules. Fees must be calculated:

- Per request (labor and supply costs dependent on the size of the record)
- As an average cost applied to all patients and residents, or
- By defaulting to a flat charge of $6.50 per request, which is permitted only for electronic copies of records maintained electronically

You may not charge another healthcare entity when records are requested for continuity of care.

HIPAA does not override State laws that provide patients and residents with greater rights of access to their health information than the HIPAA Privacy Rule does. If your state provides the patient or resident the right to receive their first copy free of charge, you must comply with the state’s allowance.

What is an authorization?

An authorization is a document obtained from the patient or resident granting us permission to release their PHI. The authorization must contain specific elements and be signed and dated by the patient or resident to be considered valid. A valid authorization form is available on the portal.

When do I need authorization from the patient or resident?

- To release psychotherapy notes (unless used for treatment or training purposes)
- For marketing
- To sell PHI
- To release information to a third party at the patient’s or resident’s request

When do I NOT need authorization from the patient or resident?

- Treatment purposes: you may use or disclose PHI when providing treatment or discussing treatment with other healthcare providers
- Payment purposes: you may use or disclose PHI when processing and submitting information to receive payment for services provided
- Operational purposes: you may use PHI internally for activities such as quality improvement and data analysis
- Providing information to the Department of Health and Human Services (DHHS)
- As required by law
- Public health activities
- Reporting abuse or neglect
- Health oversight activities
- Judicial and administrative proceedings
- Disclosure for decedents
- Disclosure for cadaveric organ, eye, or tissue donation purposes


- Disclosure to avert a serious threat to health or safety
- Disclosure for workers’ compensation

Authorization is not requested of the patient or resident to gain access to or copy their own PHI. This request is processed through the Request for Access to PHI form.

How do I document compliance with the HIPAA Rule?

- When the patient or resident has designated a personal representative to act on their behalf, the personal representative must be granted the same rights as the patient or resident
- At admission, ask the patient or resident (or representative) to acknowledge receipt of the Notice of Privacy Practices by signing the acknowledgement form
- At admission, ask the patient or resident to complete the Communication Method Request form
- Ask the patient or resident to complete and sign the Request to View and Copy PHI form with requests to access/inspect/copy records
- Obtain a signed/dated authorization before disclosing PHI when an authorization is required
- When a patient or resident believes information in their record is incorrect and requests an amendment, ask the patient or resident to complete and sign a Request for Amendment of Records form
- When a patient or resident wishes to receive confidential communications by a specific method, ask the patient or resident to complete and sign a Request for Confidential Communication form
- Account for disclosures of PHI
- Obtain written consent for all photographs and videos used for approved facility/entity purposes
- Ask staff to complete the PHI in Transit log when transporting PHI
- Ensure staff complete and attest to completing all HIPAA training
- Complete the Breach log for all breaches and notify the Privacy Officer of all breaches
- Document discipline provided in response to HIPAA violations
- Provide the patient or resident with copies of signed documents
- File all documentation in the patient’s or resident’s medical record

How do I store my closed medical records?

HIPAA requires the physical security of medical records from fire or water damage, erroneous destruction, and theft.

Individual states also outline storage requirements, including: storage of records IN the facility; the patient health record cannot be removed from the facility unless the record is being moved into an offsite storage facility; and medical records shall be stored safely to provide protection from loss, damage, unauthorized use, and disclosure.

- Short-term storage: lock in a file cabinet in a locked office (double lock standard)
- Long-term storage: catalog and send to a secure, off-site storage facility (example: Iron Mountain)
- Storage sheds do not offer the protection needed to avoid damage or theft


What is a Business Associate?

A business associate is a person or entity that creates, receives, maintains, or transmits PHI on our behalf. They are a separate entity providing a contracted service for us. This includes vendors that process claims, bill for services, analyze data, provide coding of documentation, transmit data, manage benefits, or provide quality improvement analysis.

When do I need a Business Associate Agreement (BAA)?

A BAA is required whenever anyone, other than a healthcare provider rendering treatment, creates, receives, maintains, or transmits PHI on your behalf.

How do I get a BAA?

Email contracts at [email protected]

Who is not a Business Associate?

- A healthcare provider receiving PHI for treatment of the patient or resident
- A government agency determining eligibility for or enrollment in a government health plan
- A workforce member, defined as employees, volunteers, students, medical residents, and trainees under direct control of the facility/entity, whether or not they are paid by the facility or entity

If someone is a non-employee, how are they granted access to my PHI?

Non-employee workforce members must complete the HIPAA training in Ensign U and sign a User Agreement outlining their responsibilities related to accessing, using, and disclosing PHI as part of their function for the facility or entity. Once HIPAA training is complete and the user agreement signed, IT will grant access to electronic systems consistent with the non-employee workforce member’s role.

What can I do to help?

Remind others to:

o Never post patient or resident information to social media sites
o Discuss patient or resident care in private areas, or lower voices in common areas
o Use only encrypted computers and mobile devices
o Avoid using personal devices in patient and resident care areas
o Verify fax numbers prior to sending PHI via fax
o Double check documents prior to releasing them to another person or facility
o Verify we have permission from the patient or resident to release documents
o Secure PHI at all times
o Secure computers and mobile devices at all times
o Never discuss patient or resident care outside of work
o Report concerns with patient or resident privacy


Are there fines associated with HIPAA violations?

Civil monetary penalties may be imposed in the following tiers:

Violation Category               Penalty per violation    Annual cap for all violations of an identical provision
Did not know                     $100 to $50,000          $1.5 million
Reasonable cause                 $1,000 to $50,000        $1.5 million
Willful neglect, corrected       $10,000 to $50,000       $1.5 million
Willful neglect, not corrected   $50,000                  $1.5 million

What are my next steps?

□ Print and make this operational guide available to your staff
□ Ensure staff are familiar with all HIPAA policies, procedures, and forms available on the portal
  o You may print and make a HIPAA binder if you wish
□ Designate a HIPAA Liaison for your facility/entity
  o Compliance can conduct training with this individual as requested
□ Print your personalized Notice of Privacy Practices (NPP) from the portal and post it in a public area within your facility/entity
  o Also post on your website as applicable
□ Remove all old versions of the NPP from admission documents and replace them with the newest version
□ Determine if texts containing PHI are being sent and ensure encryption through a secure application
□ Ensure staff understand encryption of email containing PHI sent outside the secure network
□ Determine if staff are using phones in patient and resident care areas and educate them not to use phones to take pictures or record videos of patients or residents
□ Ensure all staff complete HIPAA training as assigned
□ Ensure all active and closed medical records are secure
□ Make secure shred bins readily available to all staff
□ Determine your methodology for charging reasonable fees for copying records and educate staff on the process
□ Ensure there is a process for maintaining all HIPAA-relevant documentation
□ Make a list of all workforce members (employees, volunteers, students, medical residents, and trainees under direct control of the facility/entity, whether or not they are paid by the facility or entity)
  o If these workforce members have access to PHI, either on paper or electronically, ensure there is a signed user agreement in place
  o For employees, ensure HIPAA training is complete


□ Make a list of all business associates (anyone, other than healthcare providers rendering treatment, that creates, receives, maintains, or transmits PHI on your behalf)
  o Obtain a business associate agreement if one is not in place

Where do I go with questions or for more information?

- Become familiar with all HIPAA policies, procedures, and forms
  o These are found on the portal
- Complete annual HIPAA training
- Participate in other available training related to HIPAA
- Contact IT at 949-540-1200
- Contact the Privacy Officer, Shelley Johnson, at 314-852-4143
- Contact the Lead Compliance Partner, Casey Bastemeyer, at 949-201-3395
- Contact the Security Officer, Tyler Douglas, at 949-285-2511
- Contact the Chief Compliance Officer at 949-540-1212

How do I report a concern?

Contact the Compliance Hotline at 866-256-0955

HIPAA today is so much more than just refraining from discussing patient/resident information in public areas and protecting passwords. Taking your knowledge of HIPAA to the next level is critical for ensuring we are following the numerous regulations. Please use this guide and other available resources to better understand your role and responsibility in protecting our patients’ and residents’ health information.


Definitions and Acronyms

This guide should be considered a supplementary reference for the definitions and acronyms used in company policies and procedures associated with HIPAA.

Office for Civil Rights (OCR) shall be defined as the branch of the DHHS that is responsible for federal oversight of the privacy regulations.

Health Insurance Portability and Accountability Act (HIPAA) shall be defined as policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information, as well as outlining numerous offenses relating to health care and setting civil and criminal penalties for violations.

Protected Health Information (PHI) shall be defined as individually identifiable health information that is transmitted or maintained by a Covered Entity in any form or medium.

Electronic Protected Health Information (e-PHI) shall be defined as individually identifiable health information maintained in electronic form.

Unsecured Protected Health Information shall be defined as protected health information (PHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or other methodology.

Individually Identifiable Health Information (IIHI) shall be defined as a subset of health information, including demographic information collected from an individual, that is created or received by a health care provider and relates to the past, present, or future physical or mental health or condition of an individual.

Disclosure shall be defined as the release, transfer, provision of access to, or divulging of information outside the entity holding the information.

Incidental Disclosure shall be defined as a secondary disclosure that occurs when disclosing other PHI.

Use shall be defined as the sharing, utilization, examination, or analysis of protected information within a covered entity that maintains such information.

Access shall be defined as the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.


Confidentiality shall be defined as the property that data or information is not made available or disclosed to unauthorized persons or processes.

Encryption shall be defined as the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

Administrative Safeguards shall be defined as administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.

Physical Safeguards shall be defined as physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

De-identification shall be defined as the removal of any individually identifiable data that may allow someone to connect the data in question with a specific person.

Business Associate (BA) shall be defined as a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information, or a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

Business Associate Agreement (BAA) shall be defined as a contract that serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.

Limited Data Set shall be defined as a set of data in which most individual identifiers have been removed.

Minimum Necessary shall be defined as making reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.

Good Faith shall be defined as an effort made, information given, or transaction done honestly and without a deliberate intention to wrong another party.


Breach shall be defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. Such an acquisition, access, use, or disclosure is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates, based on a risk assessment, that there is a low probability that the PHI has been compromised.

Covered Entity shall be defined as a healthcare provider who transmits any health information in electronic form.

Workforce shall be defined as employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such entity, whether or not they are paid by the covered entity or business associate.

Reasonable Accommodation shall be defined as an adjustment made to accommodate an individual based on a proven need.

Authorization shall be defined as permission given by the individual to use and/or disclose protected health information about the individual. The requirements of a valid authorization are defined in the HIPAA regulations.

Designated Record Set (DRS) shall be defined as a group of records maintained by or for the facility/entity that consists of the medical and billing records created during care for a patient/resident and is used, in whole or in part, by or for the facility/entity to make decisions about the patient/resident.

Record shall be defined as any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the facility/entity.

Healthcare Operations shall be defined as activities of the company related to covered functions including, but not limited to: quality assessment/process improvement, development/evaluation of clinical guidelines, patient safety, protocol development, case management, care coordination, review of professional qualifications, evaluation of performance, training, accreditation/certification, medical reviews, legal services, compliance programming, business planning, business management, and audit functions.

Payment shall be defined as activities undertaken by the company related to covered functions including, but not limited to: obtaining reimbursement for provision of healthcare services, billing, claims management, collections, and utilization review.

Treatment shall be defined as activities of the company related to covered functions including, but not limited to: provision, coordination, and management of healthcare and related services, consultation, and referrals of a patient for healthcare.


Personal Representative shall be defined as someone with the legal authority to act on behalf of an incompetent adult patient/resident, a minor patient, or a deceased patient/resident or the patient’s/resident’s estate in making health care decisions or in exercising the patient’s/resident’s rights related to protected health information.

Health Care Agent shall be defined as someone who is appointed via a document signed by a patient giving the Agent the authority to communicate certain medical decisions in the event that the patient becomes incapable of making those decisions. A Health Care Agent’s authority is limited to communicating decisions about life support and comfort care measures. Therefore, the Health Care Agent’s access to the patient’s medical information is limited to the information needed to address these decisions.

Health Care Representative shall be defined as someone appointed via a document signed by the patient and witnessed by two adults giving the Representative authority to make any and all health care decisions, including decisions about the withdrawal of life support and/or nutrition and hydration, and decisions to accept or refuse any treatment, service or procedure used to diagnose or treat the person’s physical or mental condition, in the event that the patient becomes incapable of making such decisions.

Legally Authorized Representative shall be defined as a person authorized either by state law or by court appointment to make decisions, including decisions related to health care, on behalf of another person.