Blair Therapies
HIPAA Privacy Policy
C&S CONTRACT SPEECH LANGUAGE PATHOLOGY SERVICES, INC. d/b/a Blair Therapies
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) C&S Contract Speech Language Pathology Services, Inc. d/b/a Blair Therapies (herein “Blair Therapies”) is considered to be a “covered entity.” Blair Therapies employees have access to the individually identifiable health information of patients on behalf of Blair Therapies.
HIPAA as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act and its implementing regulations restrict Blair Therapies’ ability to use and disclose protected health information. “Protected health information” (PHI) means information that is created or received by Blair Therapies and relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care, including physical, occupational, and speech pathology therapy services to a patient; or the past, present, or future payment for the provision of health care, including physical, occupational, and speech pathology therapy services to a patient; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected health information includes information of persons living or deceased.
It is the policy of Blair Therapies to comply fully with HIPAA’s requirements for the privacy of PHI. To that end, all Blair Therapies employees who have access to PHI must comply with this Privacy Policy. For purposes of this Privacy Policy and Blair Therapies’ more detailed use and disclosure procedures, Blair Therapies’ workforce includes individuals who would be considered part of the workforce under HIPAA such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of Blair Therapies, whether or not they are paid by Blair Therapies. The term “employee” includes all of these types of workers. Additionally, any subcontractors that provide services to Blair Therapies, which involve the creation, receipt, maintenance, or transmission of PHI on behalf of Blair Therapies to fulfill its contractual duties, must comply fully with HIPAA’s requirements.
No third-party rights (including but not limited to rights of patients or business associates) are intended to be created by this Policy. Blair Therapies reserves the right to amend or change this Privacy Policy at any time (and even retroactively) without notice. To the extent this Privacy Policy establishes requirements and obligations above and beyond those required by HIPAA, the Privacy Policy shall be aspirational and shall not be binding upon Blair Therapies. This Privacy Policy does not address requirements under other federal laws or under state laws. To the extent that this policy is in conflict with the HIPAA privacy rules, the HIPAA privacy rules shall govern.
Blair Therapies Responsibilities as a Covered Entity
I. Privacy Officer and Contact Person
Blair Therapies shall designate an individual as the Privacy Officer.
The Privacy Officer will be responsible for the development and implementation of policies and procedures relating to privacy, including but not limited to this Privacy Policy and Blair Therapies’ more detailed use and disclosure procedures. The Privacy Officer will also appoint those employees who will serve as the contact persons for patients who have questions, concerns, or complaints about the privacy of their PHI.
The Privacy Officer is responsible for ensuring that Blair Therapies complies with the provisions of the HIPAA privacy rules regarding business associates, including the requirement that Blair Therapies have a HIPAA-compliant Business Associate Agreement in place with all business associates. The Privacy Officer shall also be responsible for monitoring compliance by all business associates with the HIPAA privacy rules and this Privacy Policy.
II. Workforce Training
It is Blair Therapies’ policy to train all of its employees on its privacy policies and procedures. The Privacy Officer is charged with developing training schedules and programs so that all employees receive the training necessary and appropriate to permit them to carry out their functions in compliance with HIPAA.
III. Administrative, Technical and Physical Safeguards and Firewall
Blair Therapies will establish appropriate administrative, technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. Administrative safeguards include implementing procedures for use and disclosure of PHI. See Blair Therapies’ Privacy Use and Disclosure Procedures. Technical safeguards include limiting access to information by creating computer firewalls. Physical safeguards include locking doors or filing cabinets.
Firewalls will ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary, and that they will not further use or disclose PHI in violation of HIPAA’s privacy rules.
IV. Privacy Notice
The Privacy Officer is responsible for developing and maintaining a notice of Blair Therapies privacy practices that describes:
(a) the uses and disclosures of PHI that may be made by Blair Therapies;
(b) the rights of individual patients under the HIPAA privacy rules;
(c) Blair Therapies’ legal duties with respect to PHI; and
(d) other information as required by the HIPAA privacy rules.
The privacy notice will inform patients that Blair Therapies will have access to PHI in connection with its provided services. The privacy notice will also provide a description of Blair Therapies complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice.
The notice of privacy practices will be individually delivered:
(a) at the time of the patient’s request for services;
(b) to a person requesting the notice; and
(c) within 60 days after a material change to the notice.
Blair Therapies will also provide notice of availability of the privacy notice (or a copy of the privacy notice) at least once every three years in compliance with the HIPAA privacy regulations.
V. Complaints
The Privacy Officer will be the Blair Therapies contact person for receiving complaints.
The Privacy Officer is responsible for creating a process for individuals to lodge complaints about Blair Therapies privacy procedures and for creating a system for handling such complaints.
VI. Sanctions for Violations of Privacy Policy
Sanctions for using or disclosing PHI in violation of HIPAA or this HIPAA Privacy Policy will be imposed in accordance with Blair Therapies’ discipline policy, up to and including termination.
VII. Mitigation of Inadvertent Disclosures of Protected Health Information
Blair Therapies shall mitigate, to the extent possible, any harmful effects that become known to it of a use or disclosure of an individual’s PHI in violation of HIPAA or the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of PHI, either by an employee or a business associate, that is not in compliance with this policy or HIPAA, the employee shall immediately contact the Privacy Officer so that the appropriate steps to mitigate the harm to the patient can be taken.
VIII. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.
No individual shall be required to waive his or her privacy rights under HIPAA as a condition of service or payment.
IX. Documentation
Blair Therapies privacy policies and procedures shall be documented and maintained for at least six years from the date last in effect. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must promptly be documented.
Blair Therapies shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual’s privacy rights.
If a change in law impacts the privacy notice, the privacy policy must promptly be revised and made available. Such change is effective only with respect to PHI created or received after the effective date of the notice.
The documentation of any policies and procedures, actions, activities and designations may be maintained in either written or electronic form. Blair Therapies must maintain such documentation for at least six years.
Policies on Use and Disclosure of PHI
I. Use and Disclosure Defined
Blair Therapies will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:
Use. The sharing, employment, application, utilization, examination, or analysis of PHI by any employee of Blair Therapies, or by a Business Associate (defined below) of Blair Therapies.
Disclosure. For information that is PHI, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by Blair Therapies, or not a Business Associate (defined below) of Blair Therapies.
II. Employees are Required to Comply With Blair Therapies Policies and Procedures
All employees who have access to PHI must comply with this Policy and with Blair Therapies’ more detailed use and disclosure procedures, which are set forth in a separate document.
III. Access to PHI Is Limited to Certain Employees
The following employees (“employees with access”) have access to PHI:
(a) Any employee who performs services directly for and on behalf of patients of Blair Therapies and school districts that have contracted Blair Therapies; and
(b) Any individual who has access to PHI on behalf of a Business Associate that performs services for and on behalf of patients of Blair Therapies and school districts that have contracted Blair Therapies.
The same employees may be named or described in the above two categories. These employees with access may use and disclose PHI for patient service and payment functions, and they may disclose PHI to other employees with access for such functions. Notwithstanding the foregoing, PHI disclosed must be limited to the minimum amount necessary to perform the patient services or payment functions. Employees with access may not disclose PHI to employees (other than employees with access) unless an authorization is in place or the disclosure otherwise is in compliance with this Policy and any associated procedures.
IV. Permitted Uses and Disclosures: Payment and Patient Services
Blair Therapies may disclose PHI to insurers or other third parties financially responsible for payment for services for Blair Therapies’ own payment purposes, and PHI may be disclosed to another covered entity for the payment purposes of that covered entity.
The term “payment” includes activities undertaken to obtain or provide reimbursement for services provided to patients by Blair Therapies. Payment also includes:
(a) eligibility and coverage determinations including coordination of benefits and adjudication or subrogation of health benefit claims;
(b) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess loss insurance) and related health care data processing; and
(c) any other payment activity permitted by the HIPAA privacy regulations.
PHI may be disclosed to another covered entity for purposes of the other covered entity’s quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the patient and the PHI requested pertains to that relationship.
“Healthcare operations” means any of the following activities to the extent that they are related to services provided to patients:
(a) conducting quality assessment and improvement activities;
(b) conducting or arranging for medical review, legal services and auditing functions;
(c) business planning and development;
(d) business management and general administrative activities;
(e) de-identifying PHI in accordance with the HIPAA Rules as necessary; and
(f) any other payment activity permitted by the HIPAA privacy regulations.
V. Mandatory Disclosures of PHI: to Individuals and the U.S. Department of Health and Human Services
A patient’s PHI must be disclosed as required by HIPAA in three situations:
(a) The disclosure is to the individual who is the subject of the information;
(b) The disclosure is required by law; or
(c) The disclosure is made to HHS for purposes of enforcing HIPAA.
VI. Other Permitted Disclosures of PHI
PHI may be disclosed in the following situations without a patient’s or patient’s legal guardian’s authorization, when specific requirements are satisfied. The requirements include prior approval of the Privacy Officer. Permitted disclosures include the following:
(a) disclosures concerning victims of abuse, neglect or domestic violence;
(b) disclosures for treatment purposes;
(c) disclosures for judicial and administrative proceedings;
(d) disclosures for law enforcement purposes;
(e) disclosures for public health activities;
(f) disclosures for health oversight activities;
(g) disclosures concerning deceased persons;
(h) disclosures concerning cadaveric organ, eye or tissue donation purposes;
(i) disclosures for certain limited research purposes;
(j) disclosures necessary to avert a serious threat to health or safety;
(k) disclosures for specialized government functions; and
(l) disclosures that relate to workers’ compensation programs.
VII. Disclosures of PHI Pursuant to an Authorization
PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the patient or the patient’s legal guardian. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.
VIII. Compliance With the “Minimum-Necessary” Standard
HIPAA requires that when PHI is used or disclosed, the amount of PHI disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure.
The “minimum-necessary” standard does not apply to any of the following:
(a) uses or disclosures made to the individual patient;
(b) uses or disclosures made pursuant to a valid authorization;
(c) disclosures made to DHHS;
(d) uses or disclosures required by law; and
(e) uses or disclosures required to comply with HIPAA.
Minimum Necessary When Disclosing PHI. When disclosing PHI subject to the minimum necessary standard, Blair Therapies shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI that is necessary for the requestor is disclosed. All disclosures must be reviewed on an individual basis with the Privacy Officer to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.
Minimum Necessary When Requesting PHI. When requesting PHI subject to the minimum-necessary standard, Blair Therapies shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI necessary for specific patient services or payment is requested. All requests must be reviewed on an individual basis with the Privacy Officer to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.
IX. Disclosures of PHI to Business Associates
Employees may disclose PHI to Blair Therapies business associates and allow Blair Therapies business associates to create or receive PHI on its behalf. However, prior to doing so, Blair Therapies must first obtain assurances from the business associate that it will appropriately safeguard all PHI. Before sharing PHI with outside consultants or contractors who meet the definition of a “business associate,” employees must contact the Privacy Officer and verify that a business associate contract is in place.
A “Business Associate” is an entity that:
(a) performs or assists in performing a function or service involving the use and disclosure of PHI (including claims processing or administration, etc.);
(b) provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI;
(c) is a health information organization;
(d) is an e-prescribing gateway;
(e) is another entity that provides data transmission services with respect to PHI and requires routine access to PHI;
(f) offers a personal health record to one or more individuals on behalf of a covered entity; or
(g) maintains PHI, whether or not the entity actually reviews the PHI.
X. Disclosures of De-Identified Information
Blair Therapies may freely use and disclose de-identified information in accordance with HIPAA privacy regulations. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a business associate can determine that information is de-identified: either by professional statistical analysis, or by removing specific identifiers.
XI. Physical Access Controls/Guidelines to Guard PHI
Blair Therapies will maintain strict physical access controls to its information systems at all times and under all conditions. This includes the physical security of electronic and paper data.
Blair Therapies will terminate access to information systems and other sources of PHI, including access to rooms or buildings where PHI is located, when an employee, agent, contractor, or Business Associate ends his/her employment or engagement with Blair Therapies. The Employer will terminate access to specific types of PHI when the status of any member of the workforce no longer requires access to those types of information.
Cleaning personnel:
Cleaning personnel do not need PHI to accomplish their work. Whenever reasonably possible, PHI will be placed in locked containers, cabinets or rooms before cleaning personnel enter an area. When it is not reasonably possible to lock up PHI, it must be removed from sight before cleaning personnel enter an area and a supervisor must be present.
Computer Screens:
Computer screens at each workstation must be positioned so that only authorized users at that workstation can read the display. When screens cannot be relocated, filters, hoods, or other devices shall be employed. Computer displays will be configured to go blank, or to display a screen saver, when left unattended for more than a brief period of time. The period of time will be determined by the Privacy Officer. Wherever practicable, reverting from the screen saver to the display of data will require a password. Computer screens left unattended for longer periods of time will log off the user. The period of time will be determined by the Privacy Officer.
Conversations:
Conversations concerning individual care or other PHI must be conducted in a way that reduces the likelihood of being overheard by others. Wherever reasonably possible, barriers will be used to reduce the opportunity for conversations to be overheard.
Photocopy medical records and other PHI:
When PHI is photocopied, only the information that is necessary to accomplish the purpose for which the photocopy is being made may be copied. This may require that part of a page be masked.
Desks and countertops:
All documents that may display patient identifiers and other “keys” to information should be placed face down on counters, desks, and other places where individuals or visitors can see them. Wherever it is reasonably possible to do so, medical reports and other documents containing PHI will not be left on desks and countertops after business hours. Blair Therapies will take reasonable steps to provide all work areas where PHI is used in paper form with lockable storage bins, lockable desk drawers or other means to secure PHI during periods when the area is left unattended. In areas where locked storage after hours cannot reasonably be accomplished, PHI must be kept out of sight. The Privacy Officer must be present whenever someone who is not authorized to have access to that data is in the area.
Disposal of paper with PHI:
Paper documents containing PHI must be shredded when no longer needed. If retained for pickup by a commercial shredding service, they must be kept in a locked bin.
Home office:
All employees who are authorized to work from a home office must assure the Privacy Officer that the home office complies with all applicable policies and procedures regarding the security and privacy of PHI, including these guidelines.
Key policy:
The Privacy Officer will develop a list of which employees will have access to specific access keys. This includes keys to storage cabinets, storage rooms and buildings. All keys must be signed out. Keys must be surrendered upon termination of employment. The Privacy Officer will ensure that locks are changed whenever there is evidence that a key is no longer under the control of an authorized employee and its loss presents a security threat that justifies the expense.
Phones, Tablets and Laptops:
This Privacy Policy applies to all PHI that is stored on cell phones, tablets, laptops, and all other electronic storage devices. Users of such electronic devices are responsible for assuring that the PHI on their devices is kept secure and private. Any loss or theft of an electronic device thought to contain PHI must be reported to the Privacy Officer immediately. Users of cell phones who store PHI on their devices will receive special training in the risks of this practice, and measures that they can take to reduce the risks (such as use of passwords).
Printers and Fax Machines:
Printers and fax machines must be located in secure areas, where only authorized employees can have access to documents being printed.
Records removed from Blair Therapies facilities:
When PHI is removed from Blair Therapies facilities, it must be signed out and signed in. When an employee has custody of PHI outside of Blair Therapies facilities, it may not be left unattended unless it is in a locked vehicle, in an opaque, locked container. Locking the vehicle alone is not sufficient.
Record Storage:
All areas where records and other documents that contain PHI are stored must be secure. Wherever possible, PHI will be stored in locking cabinets. Where locking cabinets are not available, the storage area must be locked when no employee is present to observe who enters and leaves. No unauthorized personnel may be left alone in such areas without supervision.
Employee Vigilance:
All Blair Therapies employees are responsible for watching for unauthorized use or disclosure of PHI, acting to prevent it, and reporting suspected breaches of privacy and security policies to the Privacy Officer.
Visitors:
Visitors to areas where PHI is being used must be accompanied by an employee.
XII. Breach Notification Requirements
Blair Therapies will comply with the requirements of the HITECH Act and its implementing regulations to provide notification to affected individuals, HHS, and the media (when required) if Blair Therapies or one of its business associates discovers a breach of unsecured PHI.
Policies on Individual Rights
I. Access to PHI and Requests for Amendment
HIPAA gives patients and their legal guardians the right to access and obtain copies of their PHI (or electronic copies of PHI) that Blair Therapies (or its business associates) maintains in designated record sets. HIPAA also provides that patients or their guardians may request to have their PHI amended. Blair Therapies will provide access to PHI and it will consider requests for amendment that are submitted in writing by patients or their legal guardians.
“Designated Record Set” is a group of records maintained by or for Blair Therapies that includes:
(a) the enrollment, payment, and claims adjudication record of an individual maintained by or for Blair Therapies; or
(b) other PHI used, in whole or in part, by or for Blair Therapies to make decisions about a patient.
II. Accounting
A patient or his or her guardian has the right to obtain an accounting of certain disclosures of the patient’s own PHI. This right to an accounting extends to disclosures made in the last six years, other than disclosures:
(a) to carry out treatment, payment or health care operations;
(b) to patients or their guardians about the patient’s own PHI;
(c) incident to an otherwise permitted use or disclosure;
(d) pursuant to an authorization;
(e) to persons involved in the patient’s care or other notification purposes;
(f) to correctional institutions or law enforcement when the disclosure was permitted without authorization;
(g) as part of a limited data set;
(h) for specific national security or law enforcement purposes; or
(i) disclosures that occurred prior to the compliance date.
Blair Therapies shall respond to an accounting request within 60 days. If the Plan is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the patient or patient’s guardian notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.
The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any). If a brief purpose statement is included in the accounting, it must be sufficient to reasonably inform the patient or patient’s guardian of the basis of the disclosure.
The first accounting in any 12-month period shall be provided free of charge. The Privacy Officer may impose reasonable production and mailing costs for subsequent accountings.
III. Requests for Alternative Communication Means or Locations
Patients or their legal guardians may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, patients or their guardians may ask to be called only at work rather than at home. Such requests may be honored if the requests are reasonable. However, Blair Therapies shall accommodate such a request if the patient or the patient’s guardian clearly provides information that the disclosure of all or part of the PHI could endanger the patient. The Privacy Officer has responsibility for administering requests for confidential communications.
IV. Requests for Restrictions on Uses and Disclosures of Protected Health Information
A patient or his or her guardian may request restrictions on the use and disclosure of the patient’s PHI. It is the policy of Blair Therapies to attempt to honor such requests if, in the sole discretion of Blair Therapies, the requests are reasonable. Blair Therapies is charged with responsibility for administering requests for restrictions and shall communicate any restrictions to the Privacy Officer.