HIPAA COMPLIANCE POLICY
The Board, its officers, and the employees of Lineagen are committed to protecting the privacy and confidentiality of their patients’ protected health information (“PHI”). Lineagen fully supports and complies with all applicable federal and applicable state statutes and rules regulating the use, maintenance, transfer, and disposition of PHI. These policies and procedures are designed to assist all responsible parties with this commitment.
In order to administer and enforce this policy, Lineagen has appointed a Chief Privacy and Security Officer.
PROTECTED HEALTH INFORMATION (PHI). PHI includes all “individually identifiable health information” that is transmitted or maintained in any form or medium by Lineagen. Individually identifiable health information includes demographic information collected from an individual, and is created or received by a health care provider, health plan, or health care clearinghouse; and, relates to any past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and that can be used to identify an individual; or, with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
BUSINESS ASSOCIATE. A “Business Associate” is an individual or corporate "person" that is not a member of the Covered Entity's workforce; who performs a function or activity on behalf of the Covered Entity; where the function or activity involves the disclosure of individually identifiable health information, by the Covered Entity, to the person.
BUSINESS ASSOCIATE AGREEMENT (BA AGREEMENT). A “Business Associate Agreement” is a formal written contract between Lineagen and a Business Associate that requires each party to comply with specific requirements related to the protection of PHI.
COVERED ENTITY. A “Covered Entity” is a health plan; health care clearinghouse; or, a health care provider who transmits any health information in electronic form in connection with a billing transaction and that must comply with the HIPAA Privacy Rule.
Maintenance and Review of Healthcare Records and Patient Rights
Inspection and Copies of PHI
Except as noted below, it is the policy of Lineagen to allow individuals to inspect and obtain copies of their own PHI and to request an amendment of their PHI which is maintained by or at Lineagen. Additionally, Lineagen allows individuals to request an accounting of disclosures of their PHI.
Amendments to PHI
Lineagen will allow an individual to amend information in such individual’s health record where the information in question was created by Lineagen and is inaccurate or incomplete. Otherwise, Lineagen will allow an individual to request an amendment of such individual’s health record, which may be reviewed by a licensed health care professional at the requestor’s expense. Amendment requests should be directed in writing to Lineagen’s Privacy and Security Officer, who will determine whether to grant the amendment request. If the request is denied, Lineagen will provide the individual a written explanation and allow the individual to submit a statement of disagreement to become a part of such individual’s health record.
To the extent practicable, Lineagen will accommodate the written request of an individual to have such individual’s PHI communicated to such individual at a time, place, and in a manner of such individual’s choosing. If the request is impractical or impossible for Lineagen to accommodate, this will be clearly communicated to the individual requesting the accommodation.
Lineagen allows individuals to request restrictions on the use and disclosure of their PHI for treatment, payment, and healthcare operations. Following review by authorized Lineagen personnel, Lineagen may choose not to agree to the requested restrictions. Lineagen will adhere, however, to any restrictions to which it agrees. Any agreed upon restrictions arising out of a notification will remain in effect until revoked by the individual or until the individual is notified by Lineagen that Lineagen will no longer honor the agreed upon restrictions.
Authorization and Revocations of Authorization
Authorizations are valid only for the conditions outlined in the document and may not be used for any purpose or purposes not specifically stated and agreed to by the signing individual. Lineagen will allow an individual to revoke his or her authorization at any time by submitting a written request. However, any such revocation shall not be retroactive to the extent that Lineagen has already relied and acted on a prior authorization.
Accounting of Disclosures
Except for health care information released pursuant to a signed authorization or otherwise exempted by statute, Lineagen will, upon request, provide an individual with information regarding the release of such individual’s PHI to third parties that was made for purposes other than treatment, payment, and healthcare operations (as defined in HIPAA). Reasonable attempts will be made to provide this information in a format requested by the individual. Otherwise, it may be provided in any format mutually agreed upon.
Requests Regarding PHI
Requests for access to PHI, requests to amend PHI, or requests for an accounting of disclosure of PHI shall be in writing and shall be made to Lineagen’s Privacy and Security Officer. Initial responses to such requests typically will occur within thirty days of an access request or sixty days in the case of request for amendment or for an accounting of disclosure. In the event of denial, the response will include an explanation of the denial and will inform the individual of such individual’s right to and the process for appeal. Lineagen may, at its discretion, charge a requestor a fee, not to exceed the actual cost of compiling, copying, and mailing requested information.
Any PHI record maintained by Lineagen in physical form will be kept appropriately secured in a locked location. Any electronic PHI record maintained by Lineagen shall be kept in a secure environment and protected by appropriate electronic safeguards. Protected PHI stored in computers is to be password protected. Passwords are individual specific and are not to be shared by or accessible to more than the owner of the password. It is the responsibility of each holder of a Lineagen-issued password to carefully protect it and to notify the security officer immediately if the password’s security has been compromised so that it may be cancelled and so that, if warranted, an investigation as to any breach can be initiated.
Electronic transmission devices, including computers, fax machines, and other electronic equipment over which protected PHI may be received or transmitted are to be maintained in secure sites and/or away from public access. Computer screens containing protected PHI are to be inaccessible to public view. Computers that store protected PHI are to be secured before being left unattended.
PHI MAY ONLY BE ACCESSED BY AUTHORIZED PERSONNEL. With the exception of the use and disclosure of PHI directly related to treatment and to the extent practicable, access to PHI by Lineagen employees is restricted to the minimum necessary to execute their job responsibilities. It is the responsibility of each Lineagen department, division or unit to identify those persons or classes of persons who are authorized to access, use or disclose PHI and specifically to identify the PHI to which they may have access.
Physical access to controlled areas and user accounts that provide access to PHI are to be revoked upon the termination of an employee or when others, such as contractors and vendors, no longer require access. Also, when documents and information containing PHI are discarded, they should be shredded. When equipment containing data that includes PHI is discarded, PHI should be safeguarded by erasing or otherwise making the information unreadable or undecipherable before disposal, or by removing disc drives.
The unauthorized access to or unauthorized use or disclosure of PHI that exists in any Lineagen health record may subject the responsible employee to disciplinary action up to and including termination of employment. This extends to the unauthorized use or disclosure of PHI that is overheard during the course of business or PHI that is otherwise learned or secured by any Lineagen employee by virtue of such employee’s employment.
Lineagen employees who become aware of the unauthorized use or disclosure of protected PHI that causes or reasonably could cause harm should immediately report the incident to the Lineagen Privacy and Security Officer. To the extent practicable, Lineagen will attempt to minimize the known harmful effects and/or correct known instances of harm and will endeavor to comply with applicable laws relating to breaches.
All Lineagen employees who may use, disclose, or have access to PHI contained in any health record must, as a condition of continued employment, complete a training program within 30 days of their date of hire and annually thereafter. The training will cover employee responsibility and patient rights under the statutory privacy regulations contained in HIPAA and other applicable laws and regulations.
Use and Disclosure of PHI
It is the policy of Lineagen that an individual’s PHI may only be used within Lineagen or disclosed to a Covered Entity or a Business Associate, bound by an executed BA agreement, outside Lineagen. Access to PHI maintained by Lineagen is limited to those who have a valid business or medical need for the information or otherwise have a right to know the information. With the exception of purposes related to treatment, access to an individual’s PHI or the use or disclosure of an individual’s PHI must, to the extent practicable, be limited to only the minimum necessary to accomplish the intended purpose of the approved use, disclosure or request (as defined by HIPAA).
PHI may be used or disclosed without an individual’s acknowledgment of receipt of these policies and procedures in the event of an emergency or where a communications barrier makes prior permission or notification impossible. Further, Lineagen may use and disclose an individual’s PHI without prior permission or authorization if the PHI has been sufficiently “de-identified”, so as to hide the identity of the individual(s), or is part of a “limited data set”, or for other uses where allowable by law.
Communication of PHI
It is the policy of Lineagen to inform individuals about Lineagen’s privacy practices as they relate to PHI that may be maintained by Lineagen in order to safeguard PHI in Lineagen’s possession, and to protect the communication of PHI, including oral information, from intentional or unintentional use or disclosure. It is further Lineagen’s policy to accommodate, to the extent practicable, the requests of individuals regarding the place, time, and method of communicating to them their own PHI.
Lineagen will not knowingly use or disclose PHI in a manner inconsistent with these policies and procedures, except to the extent that emergency patient care would be compromised. Lineagen reserves the right to amend these policies and procedures without notice, as deemed necessary or advisable, and to revise the Notice of Privacy Practices to reflect any material changes and the effective date of such changes. These policies and procedures constitute an official policy statement and may not be amended, or otherwise altered, without the written approval of an authorized Lineagen official.
PHI that is communicated in any form is to be treated as confidential and in a manner that reasonably protects the communication from being intentionally or unintentionally overheard or intercepted by those who do not have a need or right to know the information. It is the responsibility of each Lineagen department, division or unit to implement practices that protect the confidentiality of oral, written and electronic communications.
Lineagen will recognize personal representatives authorized by individuals, the courts, or by state law for purposes of communicating PHI. Personal representatives may be parents or legal guardians of minor children or persons who are legally authorized or specifically identified by individuals, such as a close friend or family member, to act on behalf of the individual. Lineagen may, without prior authorization of an individual, and where necessary due to emergency or other professionally sound reason, communicate PHI with persons directly involved in the care of the individual. Lineagen may refuse to provide information to personal representatives, or to the individuals themselves, where it is determined that access to the information may be detrimental to or otherwise not in the best interest of the individual, may endanger or breach the confidentiality of a third party or is precluded by statute.
Violation of this policy or negligence on behalf of any Lineagen employee resulting in or having the potential to result in the unauthorized release of PHI may result in disciplinary action up to and including termination of employment.
Marketing and Public Relations
It is the policy of Lineagen not to use or disclose PHI for marketing or public relations purposes without the authorization of the individuals to whom the PHI relates. It is further the policy of Lineagen to allow individuals to choose not to have their PHI used for such purposes.
Notification and Authorization
It is the policy of Lineagen that an individual’s PHI may typically only be used or disclosed pursuant to notification to and/or authorization granted by the individual, unless otherwise permitted or required by statute or government regulation.
Except in emergency situations where patient care might be compromised, Lineagen will not use or disclose PHI in a manner inconsistent with these policies and procedures.
Only approved forms may be used for providing notification and no additions, deletions, or modifications may be made to the forms without the written approval of an authorized Lineagen official.
All documentation related to HIPAA policy, procedures, notice, acknowledgments, patient rights, complaints to Lineagen, personnel actions, etc. will be retained by Lineagen for a minimum of six years.
In the event Lineagen receives more than one authorization or permission from an individual that appear to be in conflict with each other, Lineagen will abide by the more restrictive patient permission, until the conflict is resolved. Lineagen will attempt to determine the true intentions of the affected individual and thus resolve the conflicting permissions as soon as is practicable.
An individual’s PHI may be used or disclosed by Lineagen for purposes other than treatment, payment, and health care operations, such as for research. Use and disclosure for such purposes requires a valid, signed authorization specifically detailing what information will be used or disclosed, how and by whom the information will be used or disclosed, and during what time period the information will be needed or a statement indicating there is no defined duration.
Lineagen discloses PHI to other public or private entities with which Lineagen has contracted to provide services to Lineagen. PHI provided to such a Business Associate must be pursuant to an assurance that the Business Associate, and its sub-contractors, will use the information only for the purpose(s) intended, will restrict access to the information on a “need to know” basis only, and will otherwise use, disclose and secure PHI according to the standards of safeguards required by HIPAA and HITECH. There must be a valid, signed BA Agreement in place before PHI may be provided.
Except to the extent that patient care might be compromised, the use or disclosure of PHI by a Business Associate must comply with these policies and procedures. In addition, except to the extent that patient care might be compromised, the use and disclosure of an individual’s PHI by a Business Associate must comply with any restrictions beyond the scope of these policies and procedures found in the BA Agreement.
BA Agreements must be in writing and must contain Lineagen-approved HIPAA compliant language and authorized signatures.
Lineagen is not liable for the privacy violations of Business Associates. However, if at any time Lineagen determines that a Business Associate has violated a material term or obligation under the agreement relating to HIPAA compliance, Lineagen shall seek to immediately remedy the breach or, if that is not possible, to alter or terminate the BA agreement.
It is the responsibility of each Lineagen department, division, or operating unit contracting for services with third parties with whom PHI will be shared to assure that valid BA Agreements are executed.
If any patient believes that such patient’s PHI has been used and/or disclosed in violation of this policy or as set forth under HIPAA, such patient has the right to file a complaint as described below.
STEP ONE: SUBMIT COMPLAINT TO PRIVACY AND SECURITY OFFICER
The patient should submit a complaint in writing directly to the Lineagen Privacy and Security Officer. The complaint should include a detailed description of how the patient believes such patient’s PHI was used and/or disclosed in violation of this policy.
The Privacy and Security Officer will investigate the details of the complaint and respond in writing to the customer within 30 business days. If the Privacy and Security Officer determines that a violation has occurred, the employee(s) who participated in the violation may be subject to disciplinary action provided for earlier in this policy.
If the Privacy and Security Officer determines that no violation has occurred, and if the patient submitting the complaint is not satisfied that the complaint has been resolved satisfactorily, the patient may file a request for additional review to Step Two of this process.
STEP TWO: REQUEST ADDITIONAL REVIEW BY THE CEO
At the patient’s request, the Privacy and Security Officer will provide the background information concerning the complaint as well as the results of the Step One investigation to Lineagen’s CEO. If the CEO determines that a violation has occurred, the employee(s) who participated in the violation may be subject to disciplinary action as provided for earlier in this policy.
Patients are entitled to file a complaint with the Secretary of the Department of Health and Human Services at any time. All complaints must be submitted in writing.
Whistle Blower Protection
It is Lineagen’s policy not to intimidate, threaten, coerce, discriminate against, or take other retaliatory action against:
PATIENTS who are attempting to exercise their rights under HIPAA, or who file a complaint about Lineagen’s alleged failure in regard to those rights; or
EMPLOYEES, who testify, assist or otherwise participate in an investigation of a possible HIPAA violation.
Employees are encouraged to object to any Lineagen practice where they have a good faith belief that the practice is unlawful, as long as the method of objection is "reasonable" and does not result in a further disclosure of PHI. Where use or disclosure of PHI is considered essential to establish a violation, it must be limited to the minimum necessary to achieve the reporting.
Patients and employees may elect to proceed directly to the US Department of Health and Human Services (DHHS) with their complaints. However, they are encouraged to file an internal complaint under the complaint procedures outlined above.
Document Retention of PHI
State law generally governs how long PHI records are to be retained. The State of Utah guidelines can be found in the Utah Administrative Code, Rule R432-100-33 which covers Medical Records. This Rule states that the PHI records of minors shall be kept until the age of 18 plus seven years, for a total of 25 years. Privacy will be maintained even after the record retention timelines have expired. Lineagen will also maintain a master patient/person index according to Utah Administrative Code guidelines.
Notice of Privacy Practices
Lineagen is required by law to keep PHI private and to provide Patients with a Notice of Privacy Practices at the date of first service. The Notice of Privacy Practices describes how we may use and disclose your PHI to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your PHI.