Privacy Policy
Purpose
To comply with the Administrative Simplification Act component of HIPAA Privacy, to secure and maintain the confidentiality of Protected Health Information (PHI), maintain sensitive organizational information at Rapid City Medical Center and prevent and detect inappropriate and illegal uses and disclosures.
Policy
Rapid City Medical Center shall be responsible for implementation of the administrative requirements under the federal privacy rule.
Rapid City Medical Center will designate a privacy official to be responsible for the development and implementation of the policies and procedures of Rapid City Medical Center… [45 CFR 164.530(a)(1)(i)].
Definitions
HIPAA – Health Insurance Portability and Accountability Act of 1996
IIHI – Individually Identifiable Health Information: Information that is a subset of health information, including demographic information collected from an individual, and:
- Is created or received by a health care provider, health plan, employer or health care clearinghouse.
- Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.; and
- That identifies the individual with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
PHI – Protected Health Information: PHI means IIHI that is held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper or oral.
DRS – Designated Record Set: Rapid City Medical Center facilities maintain a Designated Record Set. The DRS includes medical and billing records to which patients and/or his or her personal representatives have the right to access, inspect and copy. Records include any item, collection or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for a provider. Patient health care records are the property of Rapid City Medical Center but the information maintained within the record belongs to the patient.
Individual (for purposes of HIPAA) – The patient and his/her legal Personal Representative.
A Personal Representative is one who under law has the authority to act on behalf of a patient in making decisions related to health care (i.e., a parent, guardian or legal custodian under WI stat. 48.02(8) and (11)). Personal Representatives may have access to and/or request amendment of PHI relevant to their representative capacity unless there is a reasonable belief that the patient has been or may be subjected to domestic violence, abuse or neglect by such person, the release could endanger the patient, or in the exercise of professional judgment it is decided that it is not in the best interest of the patient to treat the person as the patient’s personal representative.
Treatment – The provision, coordination or management of health care and related services, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
Payment – Activities undertaken by Rapid City Medical Center to obtain or provide reimbursement for the provision of health care. Activities for payment include eligibility of coverage determination, billing, claims management, collection activities, utilization review including precertification, preauthorization, concurrent and retrospective review of services, and specified disclosures to consumer reporting agencies.
Health Care Operations – Quality assessment and improvement activities; reviewing the competence, qualifications, performance of health care professionals, conducting training programs, accreditation, certification, licensing, credentialing, underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits; conducting or arranging for medical review, legal services and audition functions; business planning and development; business management.
Workforce – Under Section 160.103 of HIPAA, workforce means employees, volunteers, trainees and other persons whose conduct, in the performance of work for Rapid City Medical Center, is under the direct control of Rapid City Medical Center, whether or not they are paid by Rapid City Medical Center.
Provider – Under Section 160.103 of HIPAA, a provider of medical or health services and any other person or organization who furnishes, bills or is paid for health care in the normal course of business. Providers at Rapid City Medical Center are those contracted, subcontracted or employed and provides services on behalf of Rapid City Medical Center.
Procedures
Rapid City Medical Center is committed to complying with the HIPAA Privacy Rule.
Rapid City Medical Center and its business affiliates create, store, maintain, use, transmit, collect and disseminate PHI in an environment that promotes confidentiality and integrity without compromising information availability.
Confidentiality policies and procedures are reinforced throughout Rapid City Medical Center and followed by all physicians and workforce members.
The HIPAA Privacy Officer oversees the HIPAA Privacy program.
The HIPAA Privacy Officer is responsible for the facilitation of functions which reinforce compliance with the HIPAA Privacy Rule, patient confidentiality, access laws and Rapid City Medical Center’s policies and procedures pertaining to them.
Rapid City Medical Center will implement, monitor and maintain a Business Associate Agreement with affiliate business entities when required by law.
All documentation related to and/or required by HIPAA, including but not limited to compliance enforcement, activities such as training, policies and procedures, complaint investigations, designated record sets, etc. are maintained for six years from the date of creation, or the date it was last in effect, whichever is later Documentation may be maintained in written or electronic form.
This training is intended as a general HIPAA overview. Employees will receive additional HIPAA training within the first 30 days of employment.