Corporate Compliance
View our Corporate Compliance Manual
Adopted by the Board of Trustees on November 25, 2008.
HIPAA Privacy Rule
Q & A
Q What is the purpose of the Notice of Privacy Practices?
A. The notice describes how medical information about the client may be used
and disclosed, how the client can get access to records, amend records and get
information about disclosures. Also the individual’s rights and FCCBH
Inc.’s legal duties with respect to protected health information (PHI).
Q. What is FCCBH, Inc.’s basic legal duty related
to the Privacy Rule?
A. Four Corners Community Behavioral Health, Inc. is required by law to maintain
the privacy of PHI and to provide individuals with notice of related legal duties
and practices.
Q. Can FCCBH, Inc. change the provisions in the Notice of Privacy Practices?
A. FCCBH, Inc. has the right to change the terms of the Privacy Notice and to
make the new notice provisions effective for all PHI that it maintains. If a
change is made an announcement must be posted in the clinic and the revised
Notice must be available at the next regular appointment.
Q. How is FCCBH, Inc. permitted to use PHI without keeping
track of disclosures or uses?
A. To carry out treatment, payment or healthcare operations. Health care workers
must take reasonable steps to limit the use or disclosure of PHI to the minimum
necessary to accomplish the intended purpose.
Q. What are uses of PHI that do not require authorization?
A. Written authorization from the client to use PHI is not required for the
following:
· Uses required for compliance with the standardized HIPAA transactions.
· Disclosures to the individual who is the subject of the information
· Emergency treatment situations – If based on professional judgment
a provider reasonably believes at the time an individual presents for treatment
that a delay involved in obtaining the patient’s consent to disclose information
would compromise care
· Information sought by law enforcement that is relevant to and material
to a legitimate law enforcement inquiry (must be specific and limited in scope)
· Information provided in good faith if necessary to lessen a serious
or imminent threat to the health and safety of a person or the public
· Uses or disclosures made pursuant to an authorization requested by
the individual
· Disclosures to the Department of Health and Human Services (HHS) when
disclosure is required under the rule for enforcement purposes
· Other uses or disclosures that are required by law
· Clients may be contacted to provide appointment reminders
· Information to fill a prescription may be telephoned in to pharmacies
· PHI may be provided to a specialist or hospital to which a client is
referred
· Statistical research and non-direct service data will be provided in
aggregate or summary form only
Q. When is written authorization required for disclosing
client information?
A. Uses or disclosures of PHI other than those listed above will be made only
with specific written authorization by the client. Authorization will be made
on the Release of Information Disclosure Authorization Form to use specified
PHI for specified purposes. Additional detail about required use of client authorization
is included in the FCCBH, Inc. policies.
Q. When can a client revoke authorization to disclose
information?
A. Authorization can be revoked at any time in writing. A revocation must be
submitted to the individual’s therapist and retained in the client file.
If a client has previously given authorization, the client may not revoke actions
that have already been taken which relied on a previously signed authorization
Q. What are the rules about clients seeing their own records?
A. Clients have a right to access their own PHI, to inspect and obtain a copy
of PHI for a designated set of records, for as long as the PHI is maintained
in the designated records except for:
· Psychotherapy notes
· Information compiled in reasonable anticipation of or for use in a
civil, criminal or administrative action and proceeding
A client request to access his or her PHI must be made in writing and submitted
to the therapist.
FCCBH, Inc. will accommodate reasonable requests by individuals to receive confidential
information about his or her protected health information. This includes receiving
such information by alternative means or at alternative locations.
Q. When can a client be denied access to his or her own
records and can they appeal?
A. Clients may be denied access without being provided with an opportunity for
review of the denial in the following circumstances:
· If the PHI was obtained from someone other than a health care provider
under a promise of confidentiality and the access would be reasonably likely
to reveal the source of the information
· If PHI is contained in records that are subject to the Privacy Act,
5 U.S.C.§ 552a and if the denial meets the requirements of that law
Q. Under what circumstance would a client be allowed to
appeal a denial to see records?
A. FCCBH, Inc. may deny an individual access to records provided that the individual
is given a right to have the denial reviewed in the following circumstances:
· A licensed health care professional has determined in the exercise
of professional judgment that the access requested is reasonably likely to endanger
the life or physical safety of the individual or another person.
· The PHI makes reference to another person and a licensed health care
professional has determined in the exercise of professional judgment that the
access is reasonably likely to cause substantial harm to such other person
· The request for access is made by the individual’s personal representative
and a licensed health care professional has determined in the exercise of professional
judgment that the provision of access to such personal representative is reasonably
likely to cause substantial harm to the individual or another person
Q. Who conducts a review of a denial to see records and
how much time is allowed for the review?
A. If access is denied for the three items directly above the client has the
right to have the denial reviewed by a licensed health care professional who
did not participate in the original decision to deny access and who is designated
by FCCBH, Inc. to act as a reviewing official. FCCBH, Inc. must provide or deny
access in accordance with the determination of the reviewing official. FCCBH,
Inc. shall act within sixty days to provide a denial, access to or a copy of
PHI or provide a written statement of delay, limited to thirty days, the reasons
for the delay and the date it will be provided.
Q. Does the client have to pay for copies of their records?
A. Individuals eligible to receive copies of PHI are provided with copies at
no charge one time within a twelve-month period. Each subsequent request for
copies by the same individual within the same twelve-month period carries a
reasonable fee. The client will be advised of the fee in advance.
Q. Can a client ask for a list of who has received PHI
about them?
A. An individual has the right to receive an accounting of disclosures of PHI
made by FCCBH, Inc. in the six years prior to the date on which the accounting
is requested except for disclosures (as provided by law):
· To carry out treatment, payment, and health care operations
· To the individual about his or her own PHI
· To person’s involved in the individual’s care
· For notification purposes
· For national security or intelligence purposes
· To correctional institutions or law enforcement officials as defined
in policy
· That occurred prior to the compliance date
· That are incidental if reasonable measures are taken to safeguard information
Q. Are certain investigations allowed to remain confidential
to the client?
A. FCCBH, Inc. may temporarily suspend an individual’s right to receive
an accounting of disclosures to an health oversight agency or law enforcement
if such provides a written statement of investigation as allowable by law and
defined in policy.
Q. What is the obligation of FCCBH, Inc. if there is a denial to receive
a list of disclosures?
A. FCCBH, Inc. will act within sixty days to provide a denial or an accounting
of disclosures or a written statement of delay, not to exceed thirty days.
Q. Does the client have to pay for a list of disclosures?
A. Individuals eligible to receive an accounting of disclosures of PHI will
be provided with such at no charge one time within a twelve-month period. Each
subsequent request for an accounting by the same individual within the same
twelve-month period carries a reasonable fee. The client will be advised of
the fee in advance. (This can include the cost of time spent preparing a list.)
Q. Can clients ask to have their records changed?
A. Individuals have the right to amend PHI or a record about the individual
in a specific set of records, as long as the set of records is retained. FCCBH,
Inc. may deny request for amendment:
· If it is determined that the PHI or record was not created by FCCBH,
Inc., unless the individual provides a reasonable basis to believe that the
originator is no longer available to take action
· If the PHI is not part of the designated set of records
· If PHI would not be available to access according to PHI rules stated
in this notice
· If the PHI is found to be accurate and complete as it is
Q. What should I know about individual’s rights to complain?
A. Individuals may complain to FCCBH, Inc. and the Secretary of Health and Human
Services if they believe their rights have been violated. A HIPAA Privacy Rule
Complaint and Resolution Form may be obtained from the therapist or member of
the office staff. The Four Corners Compliance Officer will review the complaint.
Individuals will not be retaliated against for filing a complaint. Status of
the resolution will be provided within ten (10) days. For more information the
Compliance Officer can be reached at 435-637-7200.
Q. Can the client’s PHI rights be summarized?
A. Statement of individual’s PHI rights:
· Clients of FCCBH, Inc. have individual rights for PHI and notification
· Uses or disclosures of PHI other than those allowed by law for treatment,
healthcare operations and payment will be made only with specific written authorization
by the client.
· If a client has previously given authorization to disclose, the client
may not revoke actions that have already been taken which relied on a previously
signed authorization
· If at some time client revokes authorization in writing, this information
should be put in the client file attached permanently with the previous authorization.
· Any client may request restrictions on uses or disclosures of health
information
· FCCBH, Inc. is not required to agree to the restriction requested,
but FCCBH, Inc. is bound by any restriction to which both parties agree
· Any such restrictions should be discussed with the HIPAA Compliance
Officer and prominently displayed in the client file
· All FCCBH, Inc. clients must be given a Notice of Privacy Practices
to review
· Individuals have the right to amend PHI or a record about the individual
in a specific set of records, as long as the set of records is retained. FCCBH,
Inc. may deny request for amendment.
Board Resolution on Compliance, Adopted By The Board of Trustees November 20, 2001
Statement of Purpose
It is the policy of Four Corners Community Behavioral Health, Inc. to follow
the highest ethical standards. FCCBH, Inc. has an ongoing commitment to ensure
corporate integrity, compliance with law and regulation and to prevent fraud,
abuse and waste through effective internal compliance practices that provide
adequate controls, privacy and security.
To further this commitment to compliance and to protect its employees and other affiliated parties, FCCBH will implement a Corporate Compliance Program to establish a framework for legal and corporate compliance. The Corporate Compliance Plan will establish: 1. Overarching principles 2. Key issues 3.The scope of concerns 4.Delegation of compliance oversight and 5.Priorities for action.
Delegation of Compliance Oversight
The Board of Trustees participates in corporate compliance activities through
designating a representative to the Corporate Compliance Committee, establishing
policy associated with compliance and reviewing corporate compliance activity
reports provided by the Compliance Officer. The Board is accountable for governing
the corporation with knowledge of compliance expectations, practices, identified
risk issues and plans for corrective action and to ensure corporate integrity
through the exercise of their fiduciary responsibility.
The Corporate Compliance Committee provides general oversight for corporate compliance assessment, planning, monitoring and evaluation and advises the Compliance Officer. The Executive Director appoints this committee.
The Corporate Compliance Officer provides leadership and technical assistance for the review, revision and formulation of policies and procedures to guide all activities and functions of FCCBH, Inc. that involve issues of corporate compliance. The Compliance Officer also assists in the development and delivery of training, review of compliance issues, provides recommendations and reports, develops and tracks the Corporate Compliance Plan and coordinates activities, initiatives and strategies included in the plan. The Compliance Officer reports directly to the Board and receives confidential employee compliance reports.
Priorities
The Corporate Compliance Plan places priority on the regulatory issues likely
to be of most consequence to Center operations. Specific strategies to respond
to issues and ensure corporate integrity, compliance and prevention of fraud
include:
- Research and understand industry risk.
- Establish staff cooperation with compliance activities and a long-term commitment to effective internal compliance practices. Survey staff and develop a training plan and schedule and other activities to meet needs and to create a culture supportive of corporate compliance.
- Create a baseline and a gap analysis of areas related to clinical services and relevant areas of risk and inventory of existing or available resources.
- Develop a FCCBH, Inc. baseline compliance profile.
- Target factors contributing to and mitigate risk and liability.
- Develop and implement an ongoing monitoring and assessment plan for risk areas and operational issues.
- Create mechanisms to hold management responsible for compliance in their areas of responsibility and to hold employees accountable.
- Establish a mechanism to receive and review employee compliance reports and concerns.
- Align policy and action for employee discipline, corrective actions and consequences that provide proper responsiveness to complaints.
- Consult with legal counsel when expert review is necessary to analyze risk issues.
Four Corners Community Behavioral Health, Inc.
HIPAA Compliance Program Personnel and Information
Clients and employees have the right to make complaints about lack of compliance with the HIPAA "Privacy Rule" or other laws and regulations. This includes a client's right to access records, responses to requests for access, appropriate security, privacy of Personal Health Information (PHI), maintaining compliant treatment, billing and operational systems and adequate policies, procedures and practices as required by law. FCCBH, Inc. will not intimidate, threaten, coerce, discriminate or take other retaliatory action against an individual who exercises the right to complain as long as it is an objection made in good faith, in a reasonable way.
If a client, employee or anyone interfacing with our office has a complaint or question regarding the HIPAA policies of FCCBH, Inc. or other areas of corporate compliance he or she should direct complaints to:
Four Corners Community Behavioral Health, Inc.
For Compliance Issues contact:
Karen Dolan
105 West 100 North
Price, UT 84501
435-637-7200 Phone
435-637-2377 Fax
kdolan@fourcorners.ws
All reports are strictly confidential.
An individual making a report will be contacted by the Compliance Officer to ensure thorough follow up. A Privacy Rule / Compliance Complaint Form can be obtained from the office secretary or on this web site.