Lourdes Health Network

STANDARD
To establish a standard of practice to provide and make available the Notice of Privacy Practices (Notice) to individuals at the first delivery of services and to encourage and provide an opportunity for the individual to discuss any concerns related to their Protected Health Information (PHI) with their health care provider.

POLICY
Lourdes Health Network (LHN) shall provide patients with a Notice of Privacy Practices (Notice) of the individual's rights and the facility's duties with respect to PHI, in accordance with applicable privacy requirements in accordance with federal and state laws.

The Notice shall inform individuals of the Uses and Disclosures of PHI that may be made by LHN and of the patient's rights and the facility's legal duties with respect to PHI. LHN will document and implement procedures to ensure internal processes that create, use or disclose PHI in compliance with the Notice.

RIGHT TO NOTICE
An Individual has a right to Notice of the uses and disclosures of PHI that may be made by LHN, and a description of the patient's rights and the Facility's legal duties with respect to PHI.

CONTENT OF NOTICE
LHN must provide a Notice that is written in plain language, contains the individual's rights with a description on how the individual may exercise these rights with respect to PHI, and other required elements in accordance with federal and state laws.

COMPLAINTS
Individuals may complain to LHN and to the Secretary of the Department of Health and Human Services (DHHS) if they believe their privacy rights have been violated. The individual will not be retaliated against for filing a complaint.

IMPLEMENTATION AND MAINTENANCE OF NOTICE
1. The summary of the Notice of Privacy Practices shall be offered to individuals whenever they enter the facility seeking health care services. Individuals shall be provided the Notice in its entirety upon request.

2. Except in an emergency treatment situation, LHN shall provide the Notice of Privacy Practices to individuals at the first provision of services including but not limited to pre-registration, registration or admission.

At the time the Notice is provided, an offer should be made by facility staff to review the Notice with the patient or answer questions. The patient may also be asked if restrictions or confidential communications would be appropriate to ensure privacy. (P 73: Confidential Communications) for additional information on the process to secure these patient rights. The Privacy Officer is also available and responsible for responding to questions about specific statements made in the Notice.

4. Upon provision of the Notice facility staff shall, in good faith, attempt to obtain a written acknowledgement of receipt signed by the patient or the patient's personal representative. If the acknowledgement cannot be obtained, staff shall document their effort to obtain acknowledgement and the reason the acknowledgement was not obtained.

5. If the Notice cannot be provided and/or the acknowledgement is not signed due to an emergency situation, facility staff will provide the Notice and attempt to obtain the acknowledgement as soon as reasonably practical after the emergency treatment situation is resolved. The privacy rule exempts health care providers from having to make a good faith effort to obtain an individual's acknowledgment in emergency situations.

6. The Notice is posted in prominent locations such as patient access areas including inpatient and outpatient registration areas, and the emergency department.

7. In the event the first delivery of health care services occurs over the phone, the Notice is be mailed to the individual on the same day. An acknowledgement is included with the Notice and request that the individual sign the acknowledgement and mail it back.

DOCUMENTATION
The facility must document compliance with the privacy rule's Notice requirements, by retaining copies of the original and any subsequent revisions of the Notice issued by the facility for six years from the date of the document's creation or the date when it last was in effect, whichever is later. In addition, written acknowledgments of receipt of the Notice or documentation of good faith efforts to obtain such written acknowledgment must also be retained for six years from the date of creation.

RESPONSIBILITIES
1. The Privacy Officer is responsible for all updates or edits to the Notice of Privacy Practices and maintains the master copy and all versions of the Notice.

2. All department directors or managers are responsible for submitting suggested updates and edits to privacy practices to the Privacy Officer for review and approval prior to any changes in privacy policies, procedures and practices.

Right to Notice - Exception for inmates: An inmate does not have a right to Notice.

PROTECTED HEALTH INFORMATION

STANDARD: To establish a standard of practice that maintains appropriate systems and procedures necessary to protect the private and confidential health information of its patients and employees.

POLICY: In conjunction with its Mission, it is the policy of Lourdes Health Network (LHN) that all patient information is confidential.

PROCEDURE: LHN has developed a comprehensive, interdisciplinary Privacy Program, in accordance with federal regulations, that includes but is not limited to the following:

1. Implementation of Procedures that address:
A. Providing individuals with information about the uses and disclosures of their Protected Health Information (PHI), their rights and LHN's legal responsibility)
B. The process for an individual to discuss concerns related to their PHI
C. Uses and disclosures LHN is permitted to make:
• With the authorization of the individual
• For the purposes of treatment, payment, or health care operations
• That generally do not require a consent or authorization from the individual, e.g. Public Health, abuse, subpoena.
D. The individual's rights to:
• Access to PHI
• Request an accounting of Disclosures
• To request amendment of PHI
• For confidential communication
• Restrict the use and disclosure of PHI
E. Disclosures to group health plans and insurance providers
F. Limitations for use of PHI for marketing and fund raising
G. The use of PHI for a patient roster or directory
H. Communication with family, relatives, or friends
I. The use or disclosure of PHI to contracted business associates
J. What is included in the designated record set
K. De-identifying PHI
L. Complaints
M. Retention of records
N. Other safeguards, e.g. faxing, e-mailing, viewing computer screens, white boards, website privacy, security of medical records, confidentiality statements signed by staff

Informing the individual of his/her rights and LHN's responsibilities with respect to Protected Health Information (PHI.) The Notice of Privacy Practices (Notice) will be offered to all individuals at the first delivery of service and contains elements in accordance with applicable privacy requirements under State and Federal law.

2. Appointment by the Chief Executive Officer of a Privacy Officer to oversee LHN's privacy program. The Privacy Officer oversees the development, implementation, maintenance of and adherence to privacy principles, policies and procedures covering the privacy of, and access to, protected health information (PHI) in compliance with federal and state laws and LHN's information privacy practices. The Privacy Officer is responsible for coordinating all corporate activities with privacy implications, as well as monitoring all of the organization's services and systems to assure meaningful privacy practices. The Privacy Officer also advocates and protects patient privacy by serving as a key privacy advisor for patients, handling disputes and managing patient requests regarding their PHI.

3. Appointment by the Chief Executive Officer of an Information Security Officer to oversee design, development, and implementation of security changes and enhancements to the Information Technology (IT) computing environments in LHN. The Information Security Officer, working with the Privacy Officer, is responsible for determining appropriate security measures and creating policies and procedures that monitor and control access to system resources and data. The Information Security Officer updates security standards as necessary and is responsible for the prevention, detection, containment and correction of security breaches.

State Law Pre-Emption Note: The Privacy Program Policies have been prepared for the purpose of satisfying Federal privacy requirements under the privacy regulations adopted pursuant to the Health Insurance Portability and Accountability Act of 1996. Efforts have been made to also reflect State law requirements. Section 160.203 of the privacy regulations provides that the Federal privacy regulations generally pre-empt contrary State law requirements. However, there are certain identified situations in which State laws are not pre-empted, including, without limitation, situations in which a State law related to the privacy of health information is more stringent than the corresponding Federal privacy requirement.