
HIPAA PROCEDURES
1. HIPAA Notification Procedures:
a. Both parties agree to notify each other promptly if they or their corporate affiliates, or Business Associates, indicate that there is a suspected disclosure of Protected Healthcare Information (PHI) as defined in the 1996 federal law referred to as HIPAA. This requirement extends to disclosures that may occur by Payors or insurance organizations ("Covered Entities") that contract through MCO and that involve PROVIDER patients.
b. Such notification shall occur within the next eight business hours after a potential disclosure is discovered.
c. Notification should be to the respective Privacy Officers identified as follows:
i. For Managed Care Organization: ______________ (person name)
______________ (address)
______________ (address)
______________ (address)
______________ (email address)
______________ (phone)
_______________ (fax)
ii. For PROVIDER: ______________ (person name)
______________ (address)
______________ (address)
______________ (address)
______________ (email address)
______________ (phone)
_______________ (fax)
2. HIPAA Remediation Procedures:
a. When notification occurs, the party notifying will provide the following information over a secure and encrypted transmission method:
i. Patient(s) name(s)
ii. Patient Identification numbers, contact information, Health Plan or Group numbers, and any other identifying information, etc.
iii. The specific types of PHI disclosed -- the amount, and general content.
iv. Steps taken to secure any remaining information and/or to recapture PHI that may have been disclosed, if any.
v. Patient/family member statements or actions, if any.
vi. Identification of other patients whose PHI may have been involved or similarly disclosed (with information as in i. - v. above).
vii. Steps taken to prevent additional PHI disclosures.
viii. Plans to be taken to discuss the PHI disclosure with the patient(s) and/or family(s) or to involve other parties in the remediation efforts or any special notifications. [PROVIDER would like to be consulted before any discussion with patients occurs]. A joint plan of action will be developed to manage communications to affected patients or families.
ix. Mass disclosures (such as an email containing PHI for more than ten people) will require coordinated action plans by the parties - MCO, PROVIDER, payors and related insurance organizations or TPAs.
b. Use of ADR procedures for management of patient(s)/family(s) or attorney HIPAA disclosure complaints:
i. Every effort will be made by the parties to provide for confidential management of any PHI disclosure issues raised by patients or families. Mediation will be the preferred approach to Alternative Dispute Resolution in these instances. MCO will make reasonable efforts to convince payors and related insurance organizations or TPAs of the advisability of Mediation.
ii. Confidentiality requirements will be observed during Mediation by all involved parties.
©2003 Health Systems Direct