IMPORTANT INFORMATION ABOUT
THE ATTACHED CHECKLISTS AND MODEL FORMS
The attached documents were developed as tools to assist Participants with
understanding HIPAA’s Privacy Rule requirements. In utilizing these tools, Participants
must remember the following:
1. The tools address only the requirements of HIPAA’s Privacy Rule. They must be adapted to incorporate other relevant state and federal laws, as well as Participants’ professional obligations.
2. These tools have not been reviewed or approved by the Department of Health and Human Services (HHS).
3. The attached documents are based on the Proposed Rule for Modifications to the HIPAA Privacy, Security and Enforcement Rules under the HITECH Act, which is expected to be finalized and published at the end of fall 2012. Therefore, the attached tools must be reviewed for necessary changes based on new information released by HHS. Providers are encouraged to check our website – www.psychprogram.com – for information about the final modifications and other updates, as well as the Department of Health and Human Services website – http://www.hhs.gov/ocr/privacy/index.html.
These documents should be considered examples of how Participants can start their
compliance efforts – they are intended to be used solely as vehicles for discussion to
help Participants develop their own compliance material. These documents are
provided as general guidance and do not constitute legal advice. Participants should
contact their own legal counsel to tailor the documents to meet their specific needs.
These documents are copyrighted.
07/2012
NOTICE OF PRIVACY PRACTICES
A Checklist for Providers
The HIPAA Privacy regulations create the right for patients to receive adequate written notice of:
(1) the uses and disclosures of protected health information (PHI) that may be made by a
provider; (2) the individual's rights; and, (3) the provider's legal duties with respect to PHI.
Covered entities (providers) must document compliance with the notice requirements by
retaining copies of the notices issued by the covered entity and, if applicable, any written
acknowledgements of receipt of the notice or documentation of good faith efforts to obtain such
written acknowledgement.
The regulations establish the following requirements for the content of the
Notice of Privacy Practices.
The Notice of Privacy Practices must:
_____ Be in writing.
_____ Be in plain language.
The Notice of Privacy Practices must contain:
_____ The following statement as a header or otherwise prominently displayed:
"THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT
YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS
TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
_____ A description, including at least one example, of the types of uses and disclosures that the
provider is permitted to make for each of the following purposes: treatment, payment,
and health care operations. The description must include sufficient detail to place the
individual on notice of such uses and disclosures.
_____ A description of each of the other purposes for which the covered entity is permitted or
required to use or disclose PHI without the individual's written authorization. The
description must include sufficient detail to place the individual on notice of such
uses and disclosures.
[See DRAFTING NOTE #1 on page 89]
_____ A statement that other uses and disclosures will be made only with the individual's
written authorization and that the individual may revoke such authorization in writing
unless the provider has taken action in reliance on it.
_____ If the provider intends to do so, separate statements that the provider may contact the
individual to:
Provide appointment reminders.
Provide information about treatment alternatives or other health-related services
that may be of interest to the individual.
Raise funds for the provider.
_____ A statement of the individual's rights with respect to PHI and a brief description of how
the individual may exercise these rights, as follows:
The right to request restrictions on certain uses and disclosures of PHI, including
a statement that the provider is not required to agree to a requested restriction.
However, the covered entity “must comply with the requested restriction if the
disclosure is to a health plan for purposes of carrying out payment or health care
operations (and is not for purposes of carrying out treatment); and the PHI
pertains solely to a health care item or service for which the health care provider
involved has been paid out of pocket in full.”;
[See DRAFTING NOTE #2 on page 89]
The right to request to receive confidential communications of PHI at an
alternative location or by alternative means;
[See DRAFTING NOTE #2 on page 89]
The right to inspect and copy PHI;
The right to request amendment to PHI;
[See DRAFTING NOTE #2 on page 89]
The right to receive an accounting of disclosures of PHI and,
[See DRAFTING NOTE #2 on page 89]
The right to obtain a paper copy of the Notice, including individuals who agreed
to receive the notice electronically.
_____ A statement of the provider's duties, including the requirements to:
Maintain the privacy of PHI;
Provide individuals with notice of the provider's legal duties and privacy
practices; and,
Abide by the terms of the Notice currently in effect.
_____ A statement that the provider reserves the right to change the terms of its Notice and to
make the new Notice provisions effective for all PHI that it maintains.
_____ A description of how the provider will provide individuals with a revised Notice.
_____ A statement that individuals may complain to the provider and to the Secretary of the
Department of Health and Human Services if they believe their privacy rights have been
violated.
_____ A brief description of how the individual may file a complaint with the provider.
_____ A statement that the individual will not be retaliated against for filing a complaint.
_____ The name, or title, and telephone number of a person or office to contact for further
information about the Notice.
_____ The date on which the Notice is first in effect.
[See DRAFTING NOTE #3 on page 89]
The Notice of Privacy Practices may contain:
_____ If the provider elects to limit the uses and disclosures that it is permitted to make by the
Privacy regulations, a description of the more limited uses and disclosures of PHI.
[See DRAFTING NOTE #4 on page 89]
The regulations establish the following requirements for the maintenance and
distribution of the Notice of Privacy Practices.
The provider must:
_____ Promptly revise and distribute its Notice whenever there is a material change to:
The uses and disclosures;
The individual's rights;
The provider's legal duties; or,
Other privacy practices stated in the Notice.
_____ Make the Notice of Privacy Practices available to any person.
_____ Make a good faith effort to have the patient sign an acknowledgement of receipt of a
Privacy Notice.
_____ If the provider has a direct treatment relationship with an individual (as defined in
Section 164.501 of the Privacy regulations):
Provide the Notice to the individual no later than the date of the first delivery of
service, including service delivered electronically or by phone;
Have the Notice available at the service delivery site for individuals to take with
them;
Post the Notice in a clear and prominent location at service delivery sites; and,
Whenever the Notice is revised, make it available, upon request, on or after the
effective date of the revision.
_____ Retain copies of Notices issued for six years from the date they were last in effect.
The regulations establish the following specific requirements for electronic
Notice of Privacy Practices.
_____ If the provider maintains a website that provides information about the provider's
services, it must prominently post the Notice on the website and make it available
electronically through the website.
_____ A provider may provide the Notice by e-mail, if the individual agrees to electronic notice.
If the provider knows that the e-mail has failed, a paper copy of the Notice must be
provided.
_____ An individual who is a recipient of an electronic Notice retains the right to obtain a paper
copy, upon request.
_____ If the first service delivery is delivered electronically, the provider must provide
electronic Notice automatically and contemporaneously in response to a first request for
service.
DRAFTING NOTES FOR PROGRAM PARTICIPANTS:
1. If a use or disclosure described above is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law.
2. A covered provider may require the individual to submit the request in writing.
3. This date may not be earlier than the date on which the Notice is printed or otherwise published.
4. A provider may not include a limitation affecting his/her right to use or disclose protected health information as required by law or as necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
5. Additional requirements apply to joint Notice of Privacy Practices for providers that participate in organized health care arrangements. See section 164.520(d) of the Privacy regulations for details.
THIS DOCUMENT SHOULD BE CONSIDERED ONE EXAMPLE OF
HOW PROVIDERS CAN START THEIR COMPLIANCE EFFORTS - IT
IS INTENDED TO BE USED SOLELY AS A VEHICLE FOR
DISCUSSION TO HELP PROVIDERS DEVELOP THEIR OWN
COMPLIANCE MATERIAL. THIS DOCUMENT IS PROVIDED AS
GENERAL GUIDANCE AND DOES NOT CONSTITUTE LEGAL
ADVICE. PROVIDERS SHOULD CONTACT THEIR OWN LEGAL
COUNSEL TO TAILOR THE DOCUMENT TO MEET THEIR
SPECIFIC NEEDS.
Copyright © 2002 Professional Risk Management Service, Inc. (PRMS). All rights reserved. No part of the document
may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying,
recording, or any information storage and retrieval system. This document was originally produced by the Physician
Insurers Association of America (PIAA) and revised by Professional Risk Management Services, Inc. as follows:
"Drafting Notes for Program Participants" were added. Professional Risk Management Services, Inc. is solely
responsible for those changes to the original document.
EXAMPLE
Notice of Privacy Practices for Protected Health Information
This notice describes how medical information about you may be used and disclosed and
how you can get access to this information. Please review it carefully!
The office/hospital is permitted by federal privacy laws to make uses and disclosures of your
health information for purposes of treatment, payment, and health care operations. Protected
health information is the information we create and obtain in providing our services to you.
Such information may include documenting your symptoms, examination, and test results,
diagnoses, treatment, and applying for future care or treatment. It also includes billing
documents for those services.
Examples of Uses of Your Health Information for Treatment Purposes are:
[See DRAFTING NOTE #1 on page 95]
A nurse obtains treatment information about you and records it in a health record.
During the course of your treatment, the physician determines he/she will need to consult
with another specialist in the area. He/she will share the information with such specialist and
obtain his/her input.
[See DRAFTING NOTE #2 on page 95]
Example of Use of Your Health Information for Payment Purposes:
[See DRAFTING NOTE #1 on page 95]
We submit requests for payment to your health insurance company. The health insurance
company (or other business associate helping us obtain payment) requests information from us
regarding medical care given. We will provide information to them about you and the care
given.
Example of Use of Your Information for Health Care Operations:
[See DRAFTING NOTE #1 on page 95]
We obtain services from our insurers or other business associates such as quality assessment,
quality improvement, outcome evaluation, protocol and clinical guideline development, training
programs, credentialing, medical review, legal services, and insurance. We will share
information about you with such insurers or other business associates as necessary to obtain
these services.
Your Health Information Rights
The health and billing records we maintain are the physical property of the office/hospital.
The information in it, however, belongs to you. You have a right to:
Request a restriction on certain uses and disclosures of your health information by delivering the
request to our office/hospital -- we are not required to grant the request, unless the requested
restriction is for the disclosure to a health plan for purposes of carrying out payment or health
care operations (and is not for purposes of carrying out treatment) and the PHI pertains solely to a
health care item or service for which we have been paid out of pocket in full;
Obtain a paper copy of the current Notice of Privacy Practices for Protected Health Information
("Notice") by making a request at our office/hospital;
Request that you be allowed to inspect and copy your health record and billing record – you may
exercise this right by delivering the request to our office/hospital;
Appeal a denial of access to your protected health information, except in certain circumstances;
Request that your health care record be amended to correct incomplete or incorrect information
by delivering a request to our office/hospital. We may deny your request if you ask us to amend
information that:
Was not created by us, unless the person or entity that created the information is no longer
available to make the amendment;
Is not part of the health information kept by or for the office/hospital;
Is not part of the information that you would be permitted to inspect and copy; or,
Is accurate and complete.
If your request is denied, you will be informed of the reason for the denial and will have an
opportunity to submit a statement of disagreement to be maintained with your records;
Request that communication of your health information be made by alternative means or at an
alternative location by delivering the request in writing to our office/hospital;
Obtain an accounting of disclosures of your health information as required to be maintained by
law by delivering a request to our office/hospital. An accounting will not include uses and
disclosures of information for treatment, payment, or operations; disclosures or uses made to you
or made at your request; uses or disclosures made pursuant to an authorization signed by you;
uses or disclosures made in a facility directory or to family members or friends relevant to that
person's involvement in your care or in payment for such care; or, uses or disclosures to notify
family or others responsible for your care of your location, condition, or your death.
Revoke authorizations that you made previously to use or disclose information by delivering a
written revocation to our office/hospital, except to the extent information or action has already
been taken.
If you want to exercise any of the above rights, please contact [insert name of designated staff
member, phone number, and address], in person or in writing, during regular business hours. [S]he
will inform you of the steps that need to be taken to exercise your rights.
Our Responsibilities
The office/hospital is required to:
Maintain the privacy of your health information as required by law;
Provide you with a notice as to our duties and privacy practices as to the information we collect
and maintain about you;
Abide by the terms of this Notice;
Notify you if we cannot accommodate a requested restriction or request; and,
Accommodate your reasonable requests regarding methods to communicate health information
with you.
We reserve the right to amend, change, or eliminate provisions in our privacy practices and access
practices and to enact new provisions regarding the protected health information we maintain. If our
information practices change, we will amend our Notice. You are entitled to receive a revised copy
of the Notice by calling and requesting a copy of our "Notice" or by visiting our office and picking
up a copy.
To Request Information or File a Complaint
If you have questions, would like additional information, or want to report a problem regarding the
handling of your information, you may contact [insert name, title, and telephone number of
internal contact person].
Additionally, if you believe your privacy rights have been violated, you may file a written complaint
at our office by delivering the written complaint to [insert internal staff member]. You may also
file a complaint by mailing it or e-mailing it to the Secretary of Health and Human Services, whose
street address and e-mail address is [insert street and e-mail addresses].
We cannot, and will not, require you to waive the right to file a complaint with the Secretary of
Health and Human Services (HHS) as a condition of receiving treatment from the office/hospital.
We cannot, and will not, retaliate against you for filing a complaint with the Secretary of Health
and Human Services.
Other Disclosures and Uses
Directory
[Only for hospitals.] Unless you notify us that you object, we will use and disclose your name,
location, general condition, and religious affiliation in a hospital directory. This information may
be provided to members of clergy and, except for religious affiliation, to other people who ask
for you by name.
Communication with Family [See DRAFTING NOTE #3 on page 95]
Using our best judgment, we may disclose to a family member, other relative, close personal
friend, or any other person you identify, health information relevant to that person's involvement
in your care or in payment for such care if you do not object or in an emergency.
Notification
Unless you object, we may use or disclose your protected health information to notify, or assist in
notifying, a family member, personal representative, or other person responsible for your care,
about your location, and about your general condition, or your death.
Research [See DRAFTING NOTE #3 on page 95]
We may disclose information to researchers when their research has been approved by an
institutional review board that has reviewed the research proposal and established protocols to
ensure the privacy of your protected health information.
Disaster Relief [See DRAFTING NOTE #3 on page 95]
We may use and disclose your protected health information to assist in disaster relief efforts.
Organ Procurement Organizations [See DRAFTING NOTE #3 on page 95]
Consistent with applicable law, we may disclose your protected health information to organ
procurement organizations or other entities engaged in the procurement, banking, or
transplantation of organs for the purpose of tissue donation and transplant.
Food and Drug Administration (FDA)
We may disclose to the FDA your protected health information relating to adverse events with
respect to food, supplements, products and product defects, or post-marketing surveillance
information to enable product recalls, repairs, or replacements.
Workers Compensation [See DRAFTING NOTE #3 on page 95]
If you are seeking compensation through Workers Compensation, we may disclose your
protected health information to the extent necessary to comply with laws relating to Workers
Compensation.
Public Health [See DRAFTING NOTE #3 on page 95]
As authorized by law, we may disclose your protected health information to public health or legal
authorities charged with preventing or controlling disease, injury, or disability; to report reactions
to medications or problems with products; to notify people of recalls; to notify a person who may
have been exposed to a disease or who is at risk for contracting or spreading a disease or
condition.
Abuse & Neglect [See DRAFTING NOTE #3 on page 95]
We may disclose your protected health information to public authorities as allowed by law to
report abuse or neglect.
Employers [See DRAFTING NOTE #3 on page 95]
We may release health information about you to your employer if we provide health care services
to you at the request of your employer, and the health care services are provided either to conduct
an evaluation relating to medical surveillance of the workplace or to evaluate whether you have a
work-related illness or injury. In such circumstances, we will give you written notice of such
release of information to your employer. Any other disclosures to your employer will be made
only if you execute a specific authorization for the release of that information to your employer.
Correctional Institutions [See DRAFTING NOTE #3 on page 95]
If you are an inmate of a correctional institution, we may disclose to the institution or its agents
the protected health information necessary for your health and the health and safety of other
individuals.
Law Enforcement [See DRAFTING NOTE #3 on page 95]
We may disclose your protected health information for law enforcement purposes as required by
law, such as when required by a court order, or in cases involving felony prosecution, or to the
extent an individual is in the custody of law enforcement.
Health Oversight [See DRAFTING NOTE #3 on page 95]
Federal law allows us to release your protected health information to appropriate health oversight
agencies or for health oversight activities.
Judicial/Administrative Proceedings [See DRAFTING NOTE #3 on page 95]
We may disclose your protected health information in the course of any judicial or administrative
proceeding as allowed or required by law, with your authorization, or as directed by a proper
court order.
Serious Threat
To avert a serious threat to health or safety, we may disclose your protected health information
consistent with applicable law to prevent or lessen a serious, imminent threat to the health or
safety of a person or the public.
For Specialized Governmental Functions
We may disclose your protected health information for specialized government functions as
authorized by law such as to Armed Forces personnel, for national security purposes, or to public
assistance program personnel.
Coroners, Medical Examiners, and Funeral Directors
We may release health information to a coroner or medical examiner. This may be necessary, for
example, to identify a deceased person or determine the cause of death. We may also release
health information about patients of Covered Entities to funeral directors as necessary for them to
carry out their duties.
Other Uses
Other uses and disclosures, besides those identified in this Notice, will be made only as otherwise
required by law or with your written authorization and you may revoke the authorization as
previously provided in this Notice under "Your Health Information Rights."
Website
If we maintain a website that provides information about our entity, this Notice will be on the
website.
Effective Date: [Insert effective date of the Notice, which may not be earlier than the date on which the Notice is
printed or otherwise published.]
DRAFTING NOTES FOR PROGRAM PARTICIPANTS:
1. You must include at least one example of use for treatment, payment, and health care operations,
but you may provide more than one example. The examples provided are suggestions and should
be edited/or replaced to apply to the circumstances of your health care practice.
2. If you intend to disclose or use PHI for appointment reminders, treatment alternatives, or health-related benefits/services, include an example of such uses here.
3. There will probably be instances where there is a conflict between the Privacy Rule's provisions
and state law or even other federal confidentiality law. Covered providers must comply with
state and other federal laws which provide stronger privacy protections than the Privacy Rule.
Your Notice must include those applicable stronger privacy protections found in the other laws.
To help determine which other laws may need to be complied with instead of the Privacy Rule,
(and be referred to in your Notice) the American Health Lawyers Association recommends
checking the following:
State licensing laws and regulations
Mental health laws and regulations
Substance abuse laws and regulations
Electronic medical records laws and regulations
Genetic testing laws and regulations
HIV laws and regulations
Pharmacy licensing laws and regulations
Patient Bill of Rights
General patient confidentiality laws and regulations
State common law privacy protections
EXAMPLE
Acknowledgement of Receipt of Notice of Privacy Practices
I acknowledge that I have received a copy of Provider's Notice of Privacy Practices with the
effective date of [insert date].
_____________________________________
Signature of Patient/Patient Representative
______________________
Date
_____________________________________
Relationship to Patient
[Note: Providers are required to make good faith efforts to obtain acknowledgement that each
patient has received their Notice of Privacy Practices. The regulation does not specify how
that acknowledgement is documented. This example form is meant to serve as an example of
one way that a provider could document the required acknowledgement.]
Copyright © 2002 Physician Insurers Association of America (PIAA). All rights reserved. No part of this document
may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying,
recording, or any information storage and retrieval system.
EXAMPLE
Documentation of Good Faith Efforts
To obtain patient’s acknowledgment that they received provider’s
Notice of Privacy Practices
(For use when acknowledgment cannot be obtained from the patient.)
Patient Name: ________________________________________________________________
The patient presented to the office/hospital on [insert date] and was provided with a copy of
Covered Entity's Notice of Privacy Practices. A good faith effort was made to obtain from the
patient a written acknowledgment of his/her receipt of the Notice. However, such
acknowledgement was not obtained because:
_____ Patient refused to sign.
_____ Patient was unable to sign or initial because:
____________________________________
____________________________________
_____ The patient had a medical emergency, and an attempt to obtain the
acknowledgment will be made at the next available opportunity.
_____ Other reason (describe below):
____________________________________
____________________________________
Signature of Employee Completing Form: ________________________________
[Note: Providers are required to make good faith efforts to obtain acknowledgement that each
patient has received their Notice of Privacy Practices. Should the individual refuse to
acknowledge receipt of provider’s Notice of Privacy Practices, the provider should document
the “Good Faith Efforts” taken to obtain such acknowledgement. The regulation does not
specify how those “Good Faith Efforts” should be documented. This example form is meant
to serve as an example of one way that a provider could satisfy this requirement.]
PATIENT AUTHORIZATION FORM
A Checklist for Providers
The HIPAA Privacy regulation requires healthcare providers to obtain the Authorization of the
individual for any uses or disclosures of protected health information (PHI) not otherwise
permitted or required by the regulation. An Authorization is a specific, written permission for
these purposes.
The regulation establishes the following requirements for the content of
Authorization forms.
Authorization forms must:
_____ Be in writing.
_____ Be in plain language.
Authorization forms must contain at least the following core elements:
_____ A description of the information to be used or disclosed that identifies the information in
a specific and meaningful fashion.
_____ The name or other specific identification of the person(s), or class of persons, authorized
to make the requested use or disclosure.
_____ The name or other specific identification of the person(s), or class of persons, to whom
the covered entity may make the requested use or disclosure.
_____ A description of each purpose of the requested use or disclosure. (The statement “at the
request of the individual” is a sufficient description of the purpose when an individual
initiates the Authorization and does not, or elects not to, provide a statement of the
purpose.)
_____ An expiration date or an expiration event that relates to the individual or the purpose of
the use or disclosure.
_____ The signature of the individual.
_____ The date.
_____ If the authorization is signed by a personal representative of the individual, a description
of such representative’s authority to act for the individual.
In addition to the core elements, the authorization must contain statements
adequate to place the individual on notice of all of the following:
_____ The individual’s right to revoke the Authorization in writing, and either:
The exceptions to the right to revoke and a description of how the
individual may revoke the Authorization; or
To the extent that the information about revocation is included in the
notice of privacy practices, a reference to the provider’s notice.
_____ The provider may not condition treatment on whether the individual signs
the Authorization, unless:
The treatment is research related and the Authorization is for the use or disclosure
of protected health information for such research; or
The treatment is solely for the purpose of creating protected health information
for disclosure to a third party on provision of an Authorization for the disclosure
of the protected health information to such third party.
_____ The potential for information disclosed pursuant to the authorization to be subject
to redisclosure by the recipient and no longer be protected.
Authorization forms for MARKETING must adhere to the following rules:
_____ A specific Authorization is required for use or disclosure of PHI for marketing,
except if the marketing communication is in the form of a face-to-face communication or
a promotional gift of nominal value.
_____ If the marketing involves direct or indirect remuneration to the provider from a third
party, the Authorization must state that remuneration is involved.
Compound authorizations must adhere to the following rules:
_____ An Authorization for the use or disclosure of protected health information for a research
study may be combined with any other type of written permission for the same research
study, including consent to participate in the study.
_____ An Authorization for a use or disclosure of psychotherapy notes may only be combined
with another Authorization for a use or disclosure of psychotherapy notes.
_____ Other than an Authorization for psychotherapy notes, an Authorization for a use or
disclosure of protected health information may be combined with any other such
Authorization, except when a provider has conditioned the provision of treatment on the
provision of one of the Authorizations.
_____ In other situations, an Authorization for use or disclosure of protected health information
may not be combined with any other document to create a compound Authorization.
The regulation establishes the following requirements for the maintenance
and distribution of Authorization forms.
_____ The provider must provide the individual with a copy of the signed Authorization when
the Authorization is requested by the provider to use or disclose PHI.
_____ Signed Authorization forms must be retained for six years from the date of creation or the
date they were last in effect, whichever is later.
DRAFTING NOTES FOR PROGRAM PARTICIPANTS:
1. You may want to add a provision where the patient specifically authorizes the release of
psychiatric records, drug and alcohol treatment information, and HIV/AIDS information.
2. You must confirm that your form includes all elements required under your state’s law.
THIS DOCUMENT SHOULD BE CONSIDERED ONE EXAMPLE OF HOW
PROVIDERS CAN START THEIR COMPLIANCE EFFORTS-IT IS
INTENDED TO BE USED SOLELY AS A VEHICLE FOR DISCUSSION TO
HELP PROVIDERS DEVELOP THEIR OWN COMPLIANCE MATERIAL.
THIS DOCUMENT IS PROVIDED AS GENERAL GUIDANCE AND DOES
NOT CONSTITUTE LEGAL ADVICE. PROVIDERS SHOULD CONTACT
THEIR OWN LEGAL COUNSEL TO TAILOR THE DOCUMENT TO MEET
THEIR SPECIFIC NEEDS.
Copyright © 2002 Professional Risk Management Service, Inc. (PRMS). All rights reserved. No part of the document
may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying,
recording, or any information storage and retrieval system. This document was originally produced by the Physician
Insurers Association of America (PIAA) and revised by Professional Risk Management Services, Inc. as follows:
"Drafting Notes for Program Participants" were added. Professional Risk Management Services, Inc. is solely
responsible for those changes to the original document.
EXAMPLE
Authorization for [insert name of physician or clinic] to Use or Disclose My Health Information
Patient name: _____________________________________________ Date of birth:_________________
Previous name: ____________________________________________
I. My Authorization
You may use or disclose the following health care information (check all that apply):
All my health information maintained by [insert name of physician or clinic]
My health information relating to the following treatment or condition: __________________________
My health information for the date(s):_____________________________________________________
[See Drafting Note #1 on page 103]
Other:______________________________________________________________________________
[See Drafting Notes #2 and #3 on page 103]
You may disclose this health information to:
Name (or title) and organization___________________________________________________________
Address: ______________________________City ____________________State _________Zip_______
Reason(s) for this authorization (check all that apply):
at my request
other
(specify)________________________________________
_______________________________________________
_______________________________________________
check here only when [insert physician or clinic name] requests the authorization for marketing purposes
check here only when [insert physician or clinic name] will get something of value for providing health information for marketing purposes
This authorization ends:
on (date) __________________
when the following event occurs ______________________________
II. My Rights
I understand I do not have to sign this authorization in order to get health care benefits (treatment,
payment or enrollment). However, I do have to sign an authorization form:
To take part in a research study.
or
To receive health care when the purpose is to create health information for a third party.
I may revoke this authorization in writing. If I did, it would not affect any actions already taken by [insert
physician or clinic name] based upon this authorization. I may not be able to revoke this authorization if its
purpose was to obtain insurance. Two ways to revoke this authorization are:
Fill out a revocation form. The form is available from the office.
or
Write a letter to the office.
Once the office discloses health information, the person or organization that receives it may re-disclose it.
Privacy laws may no longer protect it.
______________________________________ __________________ ____________________
Patient or legally authorized individual signature          Date                  Time
___________________________________________
Printed Name if signed on behalf of the patient
_______________________________________
Relationship (parent, legal guardian, personal representative, etc.)
Last Update: [insert date]
DRAFTING NOTES FOR PROGRAM PARTICIPANTS:
1. You may want to add check boxes for the specific release of the following:
a. psychiatric records
b. drug abuse treatment information
c. alcohol abuse treatment information
d. HIV / AIDS information
e. Sexually transmitted disease information
2. The release of psychotherapy notes (as specifically defined by the Privacy Rule) must be
specifically authorized.
3. Authorizations for the release of psychotherapy notes cannot be combined with any other
authorization, such as for the release of the rest of the psychiatric record. So, to release
the entire record, including psychotherapy notes, you would need two authorization
forms signed by the patient - one authorizing the release of the psychiatric record, and a
second one authorizing the release of psychotherapy notes.
4. You must confirm that your form includes all elements required under any applicable
state law.
CHECKLIST FOR RESPONSE BY PROVIDERS
RE: Requests for Access and/or Copies of PHI
An individual has a right to inspect and obtain a copy of PHI about the individual in a
designated record set, EXCEPT FOR:
____ Psychotherapy Notes;
____ Information compiled in anticipation of a civil, criminal, or administrative action;
____ PHI where access is prohibited by or exempt from Clinical Laboratory Improvements
Amendments of 1988, 42 U.S.C. 263a (CLIA);
____ PHI contained in records subject to the Privacy Act, 5 U.S.C. 552a, if the denial of access
under the Privacy Act would meet the requirements of that law;
____ PHI maintained by a correctional institution, or a provider acting under the direction of a
correctional institution, if access would jeopardize the health, safety, security, custody or
rehabilitation of the patient or other inmates, or the safety of persons at the institution or
those responsible for transporting the inmate;
____ PHI created or obtained by a covered health care provider in the course of research—that
includes treatment—and the access is temporarily suspended for as long as the research is
in progress, provided that the patient has agreed to the denial of access when consenting to
participate in the research that includes treatment, and the covered health care provider has
informed the patient that the right of access will be reinstated upon completion of the research;
____ PHI obtained from someone other than a health care provider under a promise of
confidentiality, and the access requested would be reasonably likely to reveal the source of
the information;
____ A licensed health care professional has determined, in the exercise of professional
judgment, that the access requested is reasonably likely to endanger the life or physical
safety of the patient or another person; *
____ The PHI makes reference to another person (unless such other person is a health care
provider) and a licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely to cause substantial
harm to such other person; or *
____ The request is made by the patient’s personal representative and a licensed health care
professional has determined, in the exercise of professional judgment, that the provision of
access to such personal representative is reasonably likely to cause substantial harm to the
patient or another person. *
* These grounds for denial of an individual’s right to access/copy PHI are reviewable upon request by the individual
as described in the last item (in Italics) under the section “Denial of Access” of this document.
Requests for access and timely action:
____ A covered entity must permit an individual to request access to the individual’s
PHI maintained in a designated record set. The covered entity may require requests for
access to be in writing, provided individuals are informed of such a requirement (such as
in the Notice of Privacy Practices.)
____ The covered entity must act on a request for access within 30 days after receipt of
the request unless the PHI is not maintained or accessible on site, in which case the entity
must act within 60 days.
____ If unable to act within the time limits above, the covered entity may, within those time
limits, inform the individual in writing of the reasons for the delay and when, no later
than 30 additional days, the PHI will be made available.
Provision of access:
____ If access is granted, the covered entity must permit an inspection and/or copying
as requested, although if the PHI is maintained at more than one site, it only has to
produce it once.
____ The information must be provided in the form or format requested if it is readily
producible in such form or format, but, if not, it shall be produced in readable hard copy
or in any other form agreed to by the entity and the individual.
____ The covered entity may produce a summary of the PHI in lieu of access if the
individual agrees to it and any associated fees in advance.
____ The covered entity may provide an explanation of PHI that has been produced if
the individual agrees to it and any associated fees in advance.
____ The covered entity may discuss the scope, format, and other aspects of the request
for access with the individual to facilitate timely access, but any access must be within the
time limits described above.
____ The covered entity may impose a reasonable, cost-based fee, for copies, summaries and
explanations of PHI, provided it includes only the cost of copying, including supplies and
labor, any postage, and fees agreed to in advance by the individual for explanations or
summaries of the PHI.
Denial of Access:
____ If access is denied in whole or in part, the covered entity must, to the extent possible, grant
access to any other PHI requested after excluding the PHI to which access is denied.
____ Within the time limits described above, the covered entity must provide a written denial in
plain language containing the reason for the denial, a description of the individual’s right
to a review of the denial, if any, and a description of how to complain to the entity or to the
U.S. Secretary of HHS. The description must include the name, or title, and telephone
number of the person or office with the covered entity designated to receive complaints.
____ If the covered entity does not maintain the requested PHI and knows where it is
maintained, the covered entity must inform the individual where to direct the request.
____ If the individual requests a review of the denial (for those denials that are reviewable as
described above) the covered entity must arrange for review by a licensed health care
professional who did not directly participate in the original decision to deny. The reviewer
shall determine within a reasonable time whether to provide access, and the covered entity
must promptly provide the individual with written notice of the reviewer’s decision.
Documentation:
____ A covered entity must document designated record sets subject to access by individuals and
the titles of the person or offices responsible for receiving and processing requests for
access to PHI.
REMINDERS FOR PROGRAM PARTICIPANTS:
1. State law may have more stringent requirements (such as response time requirements)
that must be complied with.
Copyright © 2002 Professional Risk Management Service, Inc. (PRMS). All rights reserved. No part of the document
may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying,
recording, or any information storage and retrieval system. This document was originally produced by the Physician
Insurers Association of America (PIAA) and revised by Professional Risk Management Services, Inc. as follows:
"Reminders for Program Participants" were added. Professional Risk Management Services, Inc. is solely
responsible for those changes to the original document.
A CHECKLIST FOR RESPONSE BY PROVIDERS
RE: Request to Amend PHI
____ Physician must permit a patient or an authorized representative to request an amendment of
the PHI maintained by or on behalf of the practice in the designated record set.
____ Physician may require requests for amendment to be made in writing and to include a reason to
support the request.
____ A request to amend PHI must be handled within 60 calendar days after the physician
receives the request.
____ If there is a delay due to unusual circumstances (e.g. if the record is in use) specify in
writing, within the 60 calendar days, to the patient:
The reason for the delay
The date the information will be available—but no later than 90 calendar days from the
date the request was received.
____ Patients must be informed of the disposition of the request. If the request is denied—in
whole or in part—they must be informed in writing (see sample denial letter).
____ If the request is approved:
Patients must be informed in a timely manner that the amendment is accepted;
The amendment must be made in the appropriate record;
Mark the affected record as amended;
Append or provide a link to the amended information;
Obtain the patient’s identification of any persons the patient wants notified of the
amendment, and take reasonable steps to notify such persons within a reasonable time;
Take reasonable steps to notify any other persons the physician knows have the PHI that
is the subject of the amendment and could rely on the un-amended information to the
detriment of the patient.
____ If the request is denied, the written denial must specify one or more of the following
permissible reasons to deny any part of a patient’s request.
The requested health information was not created by the physician’s office (unless the
patient provides a reasonable basis to believe that the originator of the PHI is no longer
available to act on the request.)
The patient cannot have access to the health information, and therefore the patient may
not amend it. Examples of when a patient may be denied access to PHI include:1
i. The information is psychotherapy notes;
ii. Access to the PHI is prohibited by or exempt from Clinical Laboratory Improvements
Amendments of 1988, 42 U.S.C. 263a (CLIA);
iii. Access to PHI contained in records subject to the Privacy Act, 5 U.S.C. 552a, if the
denial of access under the Privacy Act would meet the requirements of that law;
1 See s. 164.524. These specific examples do not have to be disclosed to the patient. However, sometimes it may be advisable to do so.
iv. Access to PHI maintained by a correctional institution, or a provider acting under the
direction of a correctional institution, if access would jeopardize the health, safety,
security, custody or rehabilitation of the patient or other inmates, or the safety of
persons at the institution or those responsible for transporting the inmate;
v. Access to information compiled in reasonable anticipation of, or for use in, a civil,
criminal, or administrative action or proceeding;
vi. The PHI was created or obtained by a covered health care provider in the course of
research—that includes treatment—and the access is temporarily suspended for as
long as the research is in progress, provided that the patient has agreed to the denial
of access when consenting to participate in the research that includes treatment, and
the covered health care provider has informed the patient that the right of access will
be reinstated upon completion of the research;
vii. The PHI was obtained from someone other than a health care provider under a
promise of confidentiality, and the access requested would be reasonably likely to
reveal the source of the information;
viii. A licensed health care professional has determined, in the exercise of professional
judgment, that the access requested is reasonably likely to endanger the life or
physical safety of the patient or another person;
ix. The PHI makes reference to another person (unless such other person is a health care
provider) and a licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely to cause
substantial harm to such other person; or
x. The request is made by the patient’s personal representative and a licensed health
care professional has determined, in the exercise of professional judgment, that the
provision of access to such personal representative is reasonably likely to cause
substantial harm to the patient or another person.
The request does not pertain to the patient’s medical and financial records.
The existing health information is accurate and complete.
____ If the request is denied:
The written denial must include the basis for the denial;
The written denial must offer the individual an option to file a statement of disagreement
and tell the individual how to file it;
The written denial must inform the individual that if he or she does not submit a
statement of disagreement, the individual may request that the covered entity include the
request for amendment and the denial with any future disclosures of the PHI that is the
subject of the requested amendment; and
The written denial must include a description of how the individual may complain to the
covered entity or to the U.S. Secretary of HHS. It must also include the name, or title,
and telephone number of the contact or person with the covered entity responsible for
receiving complaints.
The physician may, but need not, prepare a written rebuttal to a statement of
disagreement and must provide the individual with a copy of any rebuttal.
The covered entity must identify the record that is disputed, and append or otherwise link
to it the request for amendment, the denial of the request, the statement of disagreement,
if any, and the rebuttal statement, if any.
____ Future disclosures of PHI must include:
(a) The request, the denial, any statement of disagreement, and any rebuttal or, at the
physician’s option, an accurate summary of the information; but
(b) If no statement of disagreement is filed, the request and the denial (or an accurate
summary) can be included ONLY upon request by the patient; and
(c) When the future disclosure is made using a standard transaction that does not permit the
additional material described in (a) and (b) to be included, the physician may separately
transmit such material.
____ If notified by another health care entity that an amendment has been made to a patient’s PHI
then:
The amendment must be made in the appropriate record; and,
The record affected by the change marked as amended; and
The affected record shall be attached or linked or shall otherwise indicate where in the
record the amended information is located.
____ The physician must document the titles of the persons or offices responsible for receiving and
processing requests for amendments by patients and retain the documentation in the manner
required by section 164.530 (j).
REMINDERS FOR PROGRAM PARTICIPANTS:
1. State law may have more stringent requirements (such as response time requirements)
that must be complied with.
EXAMPLE
Request for [insert physician/clinic name] to Amend Health Information
Patient Name:_______________________________ Date of birth:______________________
Previous Name:________________________________
Patient Mailing Address:________________________________________________________
I request a change to my records.
Please explain what the information in your record should say to be more accurate or complete. If
you need additional space, please include a separate page. Date of record: ____________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_____________________________________________________________________________
_____________________________________________
Patient or legally authorized individual signature
______________________________
Date
______________________________________________________________________________
Relationship to patient if signed on behalf of the patient by parent, legal guardian, personal
representative, etc.
We will review your request and respond within 60 days [see Drafting Note #1 on page 113] of
receiving your request. A copy of your request will be added to your record.
If we make the change and you agree, we will send it to anyone we know has received the
information in the past. We will also send the amendment to anyone you identify.
--------------------------------------------------------------------------------------------------------------------
To be completed by [insert clinic/healthcare facility name]
Date Received
Correction/Amendment has been:
Accepted
Denied – Letter Sent
Review of this request has been delayed due to ___________________________________.
Your request will be processed by the following date ______________ (not later than 90 days
[see Drafting Note #1 on page 113.] after the request).
If denied, check reason for denial:
This health information was not created by this organization.
By law, this health information is not available to the patient and cannot be amended.
This request does not pertain to the patient’s medical and financial records.
The existing health information is accurate and complete.
____________________________________________
Name of reviewing department or position
_______________________
Date
DRAFTING NOTES FOR PROGRAM PARTICIPANTS:
1. State law may have more stringent requirements, such as shorter time requirements,
which must be complied with.
EXAMPLE
SAMPLE LETTER DENYING REQUEST TO AMEND PHI
Name
Company
Street
City/ST/ZIP
Dear ____________________:
We received your request to amend your health information record. We reviewed your request.
Unfortunately, we cannot honor your request because:
___ This health information was not created by this organization.
___ By law, you may not access the health information and may not amend it.
___ Your request does not pertain to your medical and financial records.
___ The existing health information is accurate and complete.
You may contact [insert name/title of person] at our office at [insert telephone number and
address] if you want to write a brief statement of disagreement to be added to your medical
record. This is your right. It may include:
the reason(s) you believe the health information should be amended;
why you disagree with this decision to deny your request.
If you do not submit a statement of disagreement, you may request that in future disclosures we
include a copy of:
your original request to amend the health information, and
this letter.
If you wish to make this request:
sign here ______________________________________; and
return this form to us.
If you believe your privacy rights have been violated, you may deliver a written complaint to
[insert name/title of person] at our office at [insert telephone number and address]. You may
also file a complaint with the Secretary of Health and Human Services.
We respect your right to file a complaint with us or with the Secretary of Health and Human
Services. If you choose to take this action, we will not retaliate against you!
Sincerely,
[Officer of the Covered Entity]
Copyright © 2002 Physician Insurers Association of America (PIAA). All rights reserved. No part of this document
may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying,
recording, or any information storage and retrieval system.
Covered Entity’s Workforce Access to Protected Health Information
“MINIMUM NECESSARY”
The HIPAA Privacy regulation requires organizations to limit workforce access to protected health
information (PHI) to the minimum amount of PHI necessary to do their jobs.
Use this worksheet to identify your job categories (including volunteers), the PHI individuals in those
categories currently can access, the minimum needed to do their jobs effectively, information currently
accessed that is not needed, and any conditions that should apply to their access to PHI. 2
Job category | Categories of PHI Currently Accessed | Minimum PHI Needed for Job | Current PHI Accessed But Not Needed for Job | Conditions On Access
e.g., Appointment Scheduler | Entire medical record | Demographic, Billing | Clinical information | Demographic and billing information may only be accessed for appointment scheduling purposes.
______________________________
2 NOTE: This analysis will be different for every health care organization, depending on the various functions each
job category performs.
IDENTIFY YOUR BUSINESS ASSOCIATES
Guidance to Covered Entities
The HIPAA Privacy regulation allows you to share patient information with your Business
Associates in order to conduct health care operations, but only if you have a Business Associate
contract with them. The regulation defines Business Associates as persons outside of your
workforce who:
On your behalf, perform or assist in the performance of a function or activity involving
the use or disclosure of individually identifiable health information (e.g., claims
processing, data analysis, quality assurance, billing, practice management); or
Provide legal, actuarial, accounting, consulting, data aggregation, management,
administrative, accreditation or financial services, where the service involves the
disclosure of individually identifiable health information.
Some examples of your Business Associates may be:
Accountants
Attorneys
Billing companies
Clearinghouses
Consultants
Collection agencies
Transcription services
Data analysis or aggregation services
Information technology service providers
Temporary staffing agencies
Copy services
Document storage and destruction vendors
Professional liability insurers
Insurance agents and brokers
This list is not exhaustive. Think broadly when you are identifying your Business Associates.
The attached form will help you identify the Business Associates of your organization and
document your relationship with them. Ask yourself:
Who are your Business Associates?
What function do they serve?
What information is disclosed to them?
Do you currently have some form of contract with them?
If so, when is the contract due to be renewed or renegotiated?
IDENTIFY YOUR BUSINESS ASSOCIATES
Business Associate | Functions Served | Patient Info Disclosed | Current Contract? (Y/N) | Contract Renewal Date
BUSINESS ASSOCIATE AGREEMENT (Satisfactory Assurances)
A Checklist for Providers
The regulations established the following requirements for the Business Associate
Agreement (Satisfactory Assurances):
Business Associate Agreement must:
_____ Be in writing.
_____ State permitted and required uses and disclosures.
_____ Prohibit uses and disclosures not allowed in the Business Associate Agreement or by law or that
would be a violation of the Privacy Regulations if done by the Covered Entity (CE).
_____ Require Business Associate (BA) to use appropriate safeguards to prevent any unauthorized use
or disclosure.
_____ Require BA to report to the CE following the discovery of the breach. A business associate must
provide notice to the covered entity without unreasonable delay and no later than 60 days from
the discovery of the breach. To the extent possible, the business associate should provide the
covered entity with the identification of each individual affected by the breach as well as any
information required to be provided by the covered entity in its notification to affected
individuals.
_____ Require that any agents, including a subcontractor, to whom BA provides protected health
information received from the CE, or created or received by BA on behalf of the CE, agree to the
same restrictions and conditions that apply to the BA with respect to such protected health
information unless disclosures are required by law or unless disclosures are for BA's proper
management or administration and BA obtains the "reasonable assurances" described below from
such downstream user.
_____ Require BA to make available protected health information to the Individual in the Designated
Record Set in accordance with 45 C.F.R. §164.524. [While these provisions must be in the
Business Associate Agreement, actual access is not required if Business Associate does not
possess protected health information in the original Designated Record Set. See Sample
Business Associate Contract Provisions, paragraph (f), 67 F.R. at p. 53265.]
_____ Require BA to make available and to incorporate any amendment to protected health information
in the Designated Record Set in accordance with 45 C.F.R. §164.526. [While these provisions
must be in the Business Associate Agreement, actual amendment is not required if Business
Associate does not possess protected health information in the original Designated Record Set.
See Sample Business Associate Contract Provisions, paragraph (g), 67 F.R. at p. 53265.]
_____ When requested by CE, require BA to make available to CE the information required to allow the
CE to provide an accounting of disclosures in accordance with 45 C.F.R. §164.528.
_____ Require BA to make its internal practices, books, and records available to the Secretary of Health
and Human Services for purposes of determining the CE's compliance with the Privacy Rule to
the extent related to the uses and disclosure of protected health information received from, or
created or received by the BA on behalf of, the CE.
_____ Require return or destruction of protected health information at end of contract, if feasible; but, if
return or destruction is not feasible, extend the protection of the BA Agreement to the information
and limit further uses and disclosures to the purposes listed in the BA Agreement.
_____ Authorize termination of Agreement if BA violates material term of Business Associate
Agreement.
Optional Terms
_____ This Business Associate Agreement may permit the BA to use PHI for the proper management
and administration of the BA or to carry out its legal responsibilities.
_____ The Business Associate Agreement may permit the BA to disclose protected health information if
needed for the proper management and administration of the BA or to carry out the legal
responsibilities of the BA if:
1. The disclosure is required by law; or
2. The BA obtains reasonable assurances from the person to whom PHI is disclosed that the
PHI will be held confidentially and used or further disclosed only as required by law or
for the purposes for which it was disclosed to the person, and the person agrees to notify
the BA of any instances of which it is aware in which the confidentiality of the PHI has
been breached.
_____ The Business Associate Agreement may allow BA to provide Data Aggregation Services relating
to CE's health care operations.
_____ The Business Associate Agreement may define Protected Health Information.
_____ The Business Associate Agreement may define Designated Record Set.
Reminders:
1. If CE has entered into an agreement prior to October 15, 2002, and if the agreement does not
expire or is not renegotiated between October 15, 2002 and April 14, 2003, then such Agreement
does not have to include the HIPAA Business Associate Agreement (Satisfactory Assurances)
until the earlier of:
a. the date the Agreement is renewed or renegotiated; or,
b. April 14, 2004.
2. "Evergreen Contracts," those that renew automatically without any change in terms or other
action by the parties, and that exist prior to October 15, 2002, are eligible for the "extension"
explained in #1 of this section. The automatic renewal does not terminate qualification for the
additional time for compliance.
3. The Appendix to the final modifications to the HIPAA Privacy Rule issued August 14, 2002 (67
F.R. 53,182 et seq.) contains sample Business Associate Agreement provisions. See 67 F.R.
53,262-53,266. Be aware that they are not sufficient in and of themselves to create a binding
contract.
ACCOUNTING OF DISCLOSURES OF PHI
A Checklist for Providers
The HIPAA Privacy regulation gives patients the right to obtain an accounting of
disclosures of their protected health information (PHI) made by healthcare
providers. Accountings must include disclosures of PHI made in the six years prior
to the date on which the accounting is requested, unless the patient requests an
accounting of disclosures for a period less than six years.
Accountings do not need to include disclosures of PHI made:
_____ Prior to April 14, 2003;
_____ To carry out treatment, payment or healthcare operations;
_____ To the patient or their legally authorized representative;
_____ Incident to an otherwise permitted use or disclosure;
_____ Pursuant to an Authorization;
_____ For facility directory purposes;
_____ For national security or intelligence purposes (as provided by the regulation);
_____ To correctional institutions or law enforcement officials (as provided by the regulation);
_____ As part of a limited data set (as defined by the regulation).
Accountings must include the following information (except as provided above):
_____ Disclosures to or by business associates of the provider;
_____ The date of the disclosure;
_____ The name of the entity or person who received the PHI and, if known, their address;
_____ A brief description of the PHI disclosed; and
_____ A brief statement of the purposes of the disclosure that reasonably informs the individual
of the basis for the disclosure or, in lieu of such statement, a copy of a written request for
disclosure.
_____ If the provider has made multiple disclosures of PHI to the same person or entity for a
single purpose, the accounting may provide:
The information required for the first disclosure;
The frequency, periodicity, or number of disclosures made during the accounting
period; and
The date of the last disclosure.
The provider must act on the request for an accounting no later than 60 days after
receipt of a request by:
_____ Providing the accounting requested; or
_____ If unable to provide the accounting within 60 days, providing the patient with a written
statement of the reasons for the delay and the date by which the provider will provide the
accounting (no longer than 90 days from the date of the request).
The provider must provide the first accounting requested by a patient in any
12-month period without charge. A reasonable, cost-based fee may be charged for
subsequent accountings within the 12-month period if the provider:
_____ Informs the patient in advance of the fee; and
_____ Provides an opportunity for the patient to withdraw or modify the request for a
subsequent accounting in order to avoid or reduce the fee.
The provider must document and retain for six years from the date of creation or the date they
were last in effect:
_____ The information required to be included in an accounting;
_____ Accountings provided to patients;
_____ The titles of the persons or offices responsible for receiving and processing requests for
accountings.
NOTE: Special rules apply to accountings of disclosures of PHI made for research purposes. See
45 C.F.R. §164.528 for details.
EXAMPLE
Accounting of Disclosures of Protected Health Information
Patient Name: __________________________ ID# ________________ Date: _____________
There are some situations in which [insert physician/organization name] is required or permitted
by law to disclose your health information to persons outside of our office. In response to your
request, we are providing you with this accounting of disclosures we have made of your
information.
_____ We have made no disclosures of your health information that require an accounting.
_____ We have made the following disclosures:
Disclosure Date | Recipient Name | Recipient Address | Description of PHI Disclosed | Purpose of Disclosure | Frequency of Disclosure/Date of Last Disclosure
This accounting does not include disclosures we have made to carry out treatment, payment or
health care operations or disclosures you have specifically authorized. It also does not include
any disclosures the law exempts from our accounting requirements.
If you have questions about this accounting, please contact [insert name and title of contact
person] at [insert phone number].