COMPLIANCE PLAN
1. Privacy Officer
Sole Control, Inc. has appointed Mary E. Holloran as Privacy Officer. she will be responsible for the development and implementation of policies and procedures to safeguard the privacy of patients personal health information as required by federal and state laws and regulations.
The specific responsibilities of the Privacy Officer include:
Developing policies and procedures to implement this Compliance Plan;
Developing and conducting training programs on privacy policies and procedures;
Implementing and monitoring this Compliance Plan;
Responding to questions and/or concerns from staff and patients concerning privacy policies and procedures;
Serving as the contact person for any individuals who have complaints concerning any of the privacy policies described in The Notice of Privacy Practices;
Investigating and correcting violations of the privacy policies and procedures;
Developing and implementing any corrective action plans for violations of the privacy policies and procedures;
Developing sanctions for violations of this Compliance Plan; and
Developing and implementing, with management consent, any necessary updates and/or revisions to the Compliance Plan as necessary to comply with changes in the law or regulations.
2. General Staff Responsibilities
All staff are responsible for safeguarding the privacy of patient health information.
All staff members must:
Use and disclose protected health information only as authorized in their job description or as authorized by a supervisor or manager;
Conduct oral discussions of personal health information with other staff or with patients ands family members in a manner that complies with the minimum necessary disclosure standard;
Complete privacy training; and
Report suspected violations of the policies and procedures established under this Compliance Plan by staff members, independent contractors, or business associates.
3. Education and Training
The Privacy Officer will develop a training program for the Company s privacy policies and procedures.
The training program will include:
The definition and identification of protected health information;
The Notice of Privacy Practices form that is provided to all patients;
Using and disclosing protected health information for treatment, payment and health care operations;
Obtaining consent and authorization for the use and disclosure of personal health information;
Procedures for handling suspected violations of privacy policies and procedures;
Penalties for violations of privacy policies and procedures; and
Documentation required by federal and state privacy laws and regulations.
As changes in federal or state laws or regulations and/or private payor policy occur, it shall be the obligation of the Privacy Officer to communicate these changes to all staff. Initial training shall occur before April 14, 2003. Subsequently, annual training for a minimum of one hour shall be conducted for staff with access to personal health information. Also, when the company makes a material change in its privacy policies and/or procedures, it will provide additional training for staff who are affected by the change. Finally, all staff members will sign an acknowledgement that they have completed the required training.
4. Employee Communication/Complaint Process
All employees at all levels are encouraged to report concerns, questions, or possible violations of privacy policies and procedures to their supervisor or to the Privacy Officer; if reported to a supervisor, that individual shall promptly report to the Privacy Officer, who will investigate each matter so reported to determine its veracity. He/She will then draft and implement, with management approval, an action plan to address any compliance issues which require attention.
5. Enforcement and Discipline
The Company s management will ensure uniformity and consistent application of appropriate discipline in the event of a substantiated violation of its privacy policies and procedures. The type of disciplinary action shall be determined on a case-by-case basis. The action taken shall be commensurate with the particular offense and will also consider the severity and/or frequency of the offense, prior disciplinary action, and any damage resulting from the violation. No action shall be based in any way upon an employee s seniority or position within the company. The range of sanctions shall include: oral warnings; written warnings, probation with action plan; suspension with or without pay; and termination of employment.
Employees in a managerial or supervisory position who, in the usual performance of their duties, discover independently or through the reports of others, that a violation of the Company s privacy policies and procedures has occurred and who fail to investigate further and report the matter to the privacy Officer, will be subject to disciplinary action.
Any employee with direct knowledge that a violation has occurred and who fails to report this will be subject to disciplinary action.
Any reprisals taken against employees who have reported violations will subject the offender to disciplinary action.
6. Mitigation
Whenever it comes to know of a violation of its privacy policies or procedures, the Company will take all reasonable and necessary steps to mitigate any harmful effect of the use or disclosure of personal health information in violation of its privacy policies and procedures.
POLICIES AND PROCEDURES
A. General
1. The Company will use and disclose protected health information only as permitted by the HIPAA Privacy Standards and this Compliance Program. Protected health information (PHI) means individually identifiable health information that is transmitted or maintained in any format (written, electronic, or oral), that describes an individual s health status or other characteristics that identify or could be used to identify an individual. Covered information describes: (a) physical or mental health status; (b) specific health care provided; (c) payment for care provided; and/or (d) demographic information, such as age, sex or ethnicity.
2. The Company is required to disclose PHI, in accordance with the law, when an individual requests access to certain health information or an accounting of disclosures made. The Company must also disclose protected information when the Department of Health and Human Services (DHHS) requests information to determine the Company s compliance with HIPAA Privacy Standards. Any requests for access or an accounting or a request from DHHS will be forwarded to the Company s Privacy Officer who will coordinate the Company s response. The Privacy Officer shall keep a log of all such requests as well as the Company s response.
3. The Company may use or disclose PHI without patient consent only in certain public policy-related circumstances.
4. In general, for all other purposes, the Company must obtain an individual s consent or permission before it uses or discloses an individual s PHI. There are three (3) different forms for permission under the HIPAA Privacy Standards: consent, oral agreement and authorization.
5. The Company will use reasonable efforts in good faith to obtain a consent from a patient before it uses or discloses the patient s PHI for treatment, payment or health care operations.
6. The Company will use reasonable efforts in good faith to obtain the patient s verbal agreement before disclosing PHI to persons assisting in a patient s care. This agreement does not need to be in writing and may be inferred from circumstances.
7. The Company will permit an individual s legally authorized representative to exercise all of the rights of the individual represented.
B. Notice of Privacy Practices
1. The Company will follow its Notice of Privacy Practices, and the Privacy Officer shall be responsible for maintaining this Notice.
1. The Privacy Officer shall serve as the contact person for individuals who have questions about the contents of the Notice or complaints about how the Company has used or disclosed their PHI.
2. A copy of the Notice shall be distributed to each patient at the time of that patient s first visit after the HIPAA compliance deadline of April 14, 2003. It shall be the responsibility of the administrative staff at the front desk to ensure that this is accomplished. Additional copies of the Notice will be available to individuals upon request. A copy of the Notice will be displayed in the patient waiting area.
3. The Company s Notice of Privacy Practices form shall conform to all legally required elements.
4. The Notice will be promptly revised whenever there is a material change to the Company s practices as described in the Notice, whether or not this change is in response to a change in HIPAA and/or the Privacy Standards issued under HIPAA. Unless required by law, material revisions will not be implemented prior to the effective date of any revised Notice.
5. Copies of the Company s Notice, including any revised Notices, shall be retained for six (6) years from its last effective date.
C. Consent
1. The Company will obtain a consent form from a patient before it uses or discloses the patient s protected health information (PHI) for treatment, payment or health care operations.
2. The term, Payment, means activities undertaken by a health care provider to obtain reimbursement for the provision of health care services including, but not limited to:
a. billing, claims management, and collection;
b. review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care or justification for charges; and
c. utilization review.
3. The term health care operations, includes, but is not limited to:
a. conducting quality assessment and improvement activities;
b. evaluating practitioner or provider performance;
c. accreditation, certification, credentialing, or licensing activities;
d. conducting or arranging for medical reviews or auditing, including compliance auditing;
e. business planning and development; and
f. business management activities.
4. The Company may also use or disclose an individual s PHI for treatment, payment or health care operations without a consent:
g. in emergency treatment situations, if the Company attempt to obtain a consent as soon as is reasonably practical after the delivery of treatment;
h. if the Company is required by law to treat an individual, and the company attempts to obtain a consent but is unable to do so; or
i. if the Company makes reasonable, good faith efforts to obtain a consent but is unable to do so.
5. The Company may refuse to treat an individual who refuses to sign a consent.
6. The Privacy Standards permit an individual to revoke a consent in writing at any time. However, such a revocation is not effective against any use or disclosure of PHI made by the Company in reliance upon the consent. If an individual revokes his/her consent, the Company may refuse to treat that individual.
7. The Company s consent form shall conform to all legally required elements.
8. Copies of the consent form as well as all signed patient consent forms, shall be retained for six (6) years.
D. Oral Agreement
6. The Company will use reasonable efforts to obtain an individual s oral agreement before it discloses PHI to a patient s family member, relative, close personal friend, or other person identified as assisting in the patient s care.
7. In order to obtain the patient s oral agreement, the Company shall inform said individual that it would like to disclose PHI to a person assisting in that patient s care and give that patient the opportunity to object to the disclosure. If the patient does not object, the Company may make the disclosure.
8. Upon obtaining such oral agreement, a note to this effect shall be placed in the patient s chart.
E. Authorizations
9. The company will obtain an authorization from an individual when it seeks to use or disclose PHI for any purpose other than treatment, payment or health care operations.
10. The company s authorization form will contain all of the legally necessary elements.
11. The Privacy Standards permit an individual to revoke an authorization in writing at any time. However, such a revocation is not effective against any use or disclosure of PHI made by the Company in reliance upon the authorization.
12. Copies of the authorization form as well as all signed patient authorization form, shall be retained for six (6) years.
F. Minimum Necessary Requirements
The Company will make reasonable efforts not to use, disclose, or request other than the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request.
G. Business Associates
13. The Company will not disclose PHI to business associates unless it has first executed a written contract with the business associate in which the business associate agrees to protect PHI in the same manner as the Company.
14. If the Company becomes aware of a breach of the business associate s duties under the aforementioned contract, the Company will take reasonable steps to end the violation and remedy any damages.
H. Patient Requests
15. The Company will permit patients or their authorized representatives to make requests to restrict the Company s use and disclosure of PHI for treatment, payment and health care operations.
16. However, it is the policy of the Company to refuse such requests.
17. The Company will permit patients or their authorized representatives to request that it provide confidential information, including PHI, to that individual or authorized representative.
18. The Company shall require the patient or authorized representative to make a request for the communication of any confidential information in writing.
19. The Company will give patients or their authorized representatives access to their PHI contained in designated record sets as long as such requests are made in writing and signed by the patient or authorized representative. Designated record sets include a patient s medical record, billing record, and any other document or record used to make decisions about the patient. The Privacy Officer shall be responsible for receiving and processing all such records, and he/she shall retain copies of all such requests and the Company s response thereto for six (6) years from the date of such request.
20. Patients have a right to request an amendment to their PHI which is contained in designated record sets (see above for definition) as long as such request shall be made in writing stating a reason(s) for the request. All requests for amendment will be subject to the approval of the Privacy Officer, who shall consult with the Company s chief orthotist or prosthetist as appropriate in making such determination. The Privacy Officer shall maintain this documentation, along with the request for amendment, statements of denial, rebuttals, and reasons therefore, for a period of six (6) years.
21. Patients have the right to an accounting of disclosures made by the Company and its business associates for disclosures other than those (a) for treatment, payment or health care operations; (b) to a patient concerning that patient s PHI; (c) to persons assisting in the patient s care made pursuant to an agreement; (d) made pursuant to state or federal legal requirements; or (e) disclosures made prior to April 14, 2003. All such requests for accounting shall be made in writing and signed by the patient or authorized representative. The Privacy Officer shall be responsible for receiving and processing all such requests, and he/she shall retain copies of all such requests and the Company s response thereto for six (6) years from the date of such request.
I. Legal
22. The Company will institute administrative, technical and physical safeguards to protect the privacy of PHI, and it will take all reasonable steps to safeguard PHI from any intentional or unintentional use or disclosure in violation of HIPAA.
23. The Company will comply with all laws relating to the use and disclosure of PHI, including state laws. If there is a conflict between HIPAA requirements and state law(s), the Company shall follow the law which provides the greatest protection to the information of the patient.
Sole Control, Inc
9712 Watson Road
St. Louis, MO 63126
314-822-9494
solecontrolorthotics.com
