HIPAA Privacy
Purpose: The following privacy policy is adopted to ensure that Pleasant Street Apothecary complies fully with all federal and state privacy protection laws and regulations. Protection of patient privacy is of paramount importance to this organization. Violations of any of these provisions may result in severe disciplinary action up to and including termination of employment and possible referral for criminal prosecution.
Effective Date: This policy is in effect as of March 1, 2005.
Expiration Date: This policy remains in effect until superceded or cancelled.
Policy Administrator: For questions or comments concerning this policy contact:
Daniele Lyman, Privacy Official
Pleasant Street Apothecary
259 Monroe Avenue
Rochester, New York 14607
(585) 210-4146
Assigning Privacy and Security Responsibilities: It is the policy of Pleasant Street Apothecary that specific individuals within our workforce are assigned the responsibility of implementing and maintaining the HIPAA Privacy and Security Rule’s requirements. Furthermore, it is the policy of Pleasant Street Apothecary that these individuals will be provided sufficient resources and authority to fulfill their responsibilities. At a minimum it is the policy of Pleasant Street Apothecary that there will be a designated Privacy Official.
Uses and Disclosures of Protected Health Information: It is the policy of Pleasant Street Apothecary that protected health information may not be used or disclosed except when at least one of the following conditions is true:
1. The individual who is the subject of the information has authorized the use or disclosure.
2. The individual who is the subject of the information has received our Notice of Privacy Practices and acknowledged receipt of the Notice, thus allowing the use or disclosure and the use or disclosure is for treatment, payment or health care operations including, but not limited to, reminder calls, research and scheduling of treatment options, and research purposes in limited circumstances.
3. The individual who is the subject of the information agrees or does not object to the disclosure and the disclosure is to persons involved in the health care of the individual.
4. The disclosure is to the individual who is the subject of the information or to HHS for compliance-related purposes.
5. The use or disclosure is for one of the HIPAA “public purposes” (i.e. required by law, etc.).
Deceased Individuals: It is the policy of Pleasant Street Apothecary that privacy protections extend to information concerning deceased individuals.
Notice of Privacy Practices: It is the policy of Pleasant Street Apothecary that a notice of privacy practices must be published, that this notice and any revisions to it be provided to all individuals at the earliest practicable time, and that all uses and disclosures of protected health information be done in accord with this organization’s notice of privacy practices. We will attempt to gain written acknowledgement of the receipt of the notice from all individuals to whom we provide the notice of privacy practices and, if we fail, will document our attempts to gain such acknowledgement.
Restriction Requests: It is the policy of Pleasant Street Apothecary that serious consideration must be given to all requests for restrictions on uses and disclosures of protected health information as published in this organization’s notice of privacy practices. It is furthermore the policy of this organization that if a particular restriction is agreed to, then this organization is bound by that restriction.
Minimum Necessary Disclosure of Protected Health Information: It is the policy of Pleasant Street Apothecary that (except for disclosures made for treatment purposes) all disclosures of protected health information must be limited to the minimum amount of information needed to accomplish the purpose of the disclosure. It is also the policy of this organization that all requests for protected health information (except requests made for treatment purposes) must be limited to the minimum amount of information needed to accomplish the purpose of the request.
Access to Protected Health Information: It is the policy of Pleasant Street Apothecary that access to protected health information must be granted to each employee or contractor based on the assigned job functions of the employee or contractor. It is also the policy of this organization that such access privileges should not exceed those necessary to accomplish the assigned job function.
Access to Protected Health Information by the Individual: It is the policy of Pleasant Street Apothecary that access to protected health information must be granted to the person who is the subject of such information when such access is requested, or at the very least within the timeframes required by the HIPAA Privacy Rule and New York State law. It is the policy of Pleasant Street Apothecary to inform the person requesting access, of the location of protected health information if we do not physically possess such PHI but have knowledge of its location.
Amendment of Incomplete or Incorrect Protected Health Information: It is the policy of Pleasant Street Apothecary that all requests for amendment of incorrect protected health information maintained by this organization will be considered in a timely fashion. If such requests demonstrate that the information is actually incorrect, this organization will allow amending language to be added to the appropriate document and this addition will be done in a timely fashion. It is also the policy of this organization that notice of such corrections will be given to any organization with which the incorrect information has been shared.
Access by Personal Representatives: It is the policy of Pleasant Street Apothecary that access to protected health information must be granted to personal representatives of individuals as though they were the individuals themselves,
a. when the individual lacks capacity to consent, a person authorized pursuant to law to consent to healthcare for the individual,
b. when disclosure is authorized pursuant to a written release of confidential information signed by the individual,
c. except in cases of abuse where granting said access might endanger the individual or someone else.
We will conform to the relevant custody status and the strictures of state, local, case, and other applicable law when disclosing information about minors to their parents.
Confidential Communications Channels: It is the policy of Pleasant Street Apothecary that confidential communications channels be used, as requested by the individuals, to the extent possible.
Disclosure Accounting: It is the policy of Pleasant Street Apothecary that an accounting of all disclosures subject to such accounting of protected health information be given to individuals whenever such an accounting is requested.
Marketing Activities: It is the policy of Pleasant Street Apothecary that any uses or disclosures of protected health information for marketing activities will be done only after a valid authorization is in effect. It is the policy of this organization to consider marketing any communication to purchase or use a product or service where an arrangement exists in exchange for direct or indirect remuneration, or where this organization encourages purchase or use of a product or service. This organization does not consider the communication of alternate forms of treatment, or the use of products and services in treatment to be marketing. Furthermore, this organization adheres to the HIPAA Privacy Rule that a face to face communication made by us to the patient, or a promotional gift of nominal value given to the patient does not require an Authorization.
Judicial and Administrative Proceedings: It is the policy of Pleasant Street Apothecary that information be disclosed for the purposes of a judicial or administrative proceeding only when: accompanied by a court or administrative order or grand jury subpoena; when accompanied by a subpoena or discovery request that includes either the authorization of the individual to whom the information applies, documented assurances that good faith effort has been made to adequately notify the individual of the request for their information and there are no outstanding objections by the individual, or a qualified protective order issued by the court. If a subpoena or discovery request is submitted to us without one of those assurances, we will seek to notify the individual, obtain his or her authorization, or obtain a qualified protective order before we disclose any information. In no case will we disclose information other than that required by the court order, subpoena, or discovery request.
De-Identified Data and Limited Data Sets: It is the policy of Pleasant Street Apothecary to disclose de-identified data only if it has been properly de-identified by removing all the relevant identifying data. We will make use of limited data sets, but only after the relevant identifying data have been removed and then only to organizations with which we have adequate data use agreements and only for research, public health, or health care operations purposes.
Authorizations: It is the policy of Pleasant Street Apothecary that a valid authorization will be obtained for all disclosures that are not for: treatment, payment, health care operations, to the individual or their personal representative, to persons involved with the individual’s care, to business associates in their legitimate duties, to facility directories, or for public purposes (ie: required reporting to the Department of Health). This authorization will include all the mandatory elements and any authorizations generated from outside this organization will be checked to see if they are valid.
Complaints: It is the policy of Pleasant Street Apothecary that all complaints relating to the protection of health information be investigated and resolved in a timely fashion. Furthermore, it is the policy of Pleasant Street Apothecary that all complaints will be addressed to the Grievance Official who will be duly authorized to facilitate the investigation of complaints and implementation of resolutions if the complaint stems from a valid area of non-compliance with the HIPAA Privacy and Security Rule.
Prohibited Activities: It is the policy of Pleasant Street Apothecary that no employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA regulations. It is also the policy of this organization that no employee or contractor may condition treatment, payment, enrollment or eligibility for benefits on the provision of an authorization to disclose protected health information.
Responsibility: It is the policy of Pleasant Street Apothecary that the Privacy Official is responsible for developing and implementing privacy policies and procedures. All policies and procedures are subject to approval by the Medical Director and President.
Verification of Identity: It is the policy of Pleasant Street Apothecary that the identity of all persons who request access to protected health information be verified before such access is granted.
Mitigation: It is the policy of Pleasant Street Apothecary that the effects of any unauthorized use or disclosure of protected health information be mitigated to the extent possible.
Safeguards: It is the policy of Pleasant Street Apothecary that appropriate physical safeguards will be in place to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule. These safeguards will include physical protection of premises and PHI, technical protection of PHI maintained electronically and administrative protection. These safeguards will extend to the oral communication of PHI. These safeguards will extend to PHI that is removed from this organization.
Business Associates: It is the policy of Pleasant Street Apothecary that business associates must be contractually bound to protect health information to the same degree as set forth in this policy. It is also the policy of this organization that business associates who violate their agreement will be dealt with first by an attempt to correct the problem, and if that fails by termination of the agreement and discontinuation of services by the business associate.
Training and Awareness: It is the policy of Pleasant Street Apothecary that all members of our workforce have been trained on the policies and procedures governing protected health information and how Pleasant Street Apothecary complies with the HIPAA Privacy and Security Rule. It is also the policy of Pleasant Street Apothecary that new members of our workforce receive training on these matters within a reasonable time after they have joined the workforce. It is the policy of Pleasant Street Apothecary to provide training should any policy or procedure related to the HIPAA Privacy and Security Rule materially change. This training will be provided within a reasonable time after the policy or procedure materially changes. Furthermore, it is the policy of Pleasant Street Apothecary that training will be documented indicating participants, date and subject matter.
Sanctions: It is the policy of Pleasant Street Apothecary that sanctions will be in effect for any member of the workforce who intentionally or unintentionally violates any of these policies or any procedures related to the fulfillment of these policies.
Retention of Records: It is the policy of Pleasant Street Apothecary that the HIPAA Privacy Rule records retention requirement of six years will be strictly adhered to. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at this organization’s discretion to meet with other governmental regulations or those requirements imposed by our professional liability carrier.
Cooperation with Privacy Oversight Authorities: It is the policy of Pleasant Street Apothecary that oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services be given full support and cooperation in their efforts to ensure the protection of health information within this organization. It is also the policy of this organization that all personnel must cooperate fully with all privacy compliance reviews and investigations.
