STANDARD: To establish a standard of practice that maintains appropriate systems and procedures necessary to protect the private and confidential health information of its patients and employees.
POLICY: In conjunction with its Mission, it is the policy of Lourdes Health Network (LHN) that all patient information is confidential.
PROCEDURE: LHN has developed a comprehensive, interdisciplinary Privacy Program, in accordance with federal regulations, that includes but is not limited to the following:
1. Implementation of Procedures that address:
A. Providing individuals with information about the uses and disclosures of their Protected Health Information (PHI), their rights and LHN’s legal responsibility
B. The process for an individual to discuss concerns related to their PHI
C. Uses and disclosures LHN is permitted to make:
• With the authorization of the individual
• For the purposes of treatment, payment, or health care operations
• That generally do not require a consent or authorization from the individual, e.g. Public Health, abuse, subpoena.
D. The individual’s rights to:
• Access their PHI
• Request an accounting of disclosures
• Request amendment of PHI
• Request confidential communication
• Restrict the use and disclosure of PHI
E. Disclosures to group health plans and insurance providers
F. Limitations for use of PHI for marketing and fund raising
G. The use of PHI for a patient roster or directory
H. Communication with family, relatives, or friends
I. The use or disclosure of PHI to contracted business associates
J. What is included in the designated record set
K. De-identifying PHI
M. Retention of records
N. Other safeguards, e.g. faxing, e-mailing, viewing computer screens, white boards, website privacy, security of medical records, confidentiality statements signed by staff
Informing the individual of his/her rights and LHN’s responsibilities with respect to Protected Health Information (PHI). The Notice of Privacy Practices (Notice) will be offered to all individuals at the first delivery of service and contains elements in accordance with applicable privacy requirements under State and Federal law.
2. Appointment by the Chief Executive Officer of a Privacy Officer to oversee LHN’s privacy program. The Privacy Officer oversees the development, implementation, maintenance of and adherence to privacy principles, policies and procedures covering the privacy of, and access to, protected health information (PHI) in compliance with federal and state laws and LHN’s information privacy practices. The Privacy Officer is responsible for coordinating all corporate activities with privacy implications, as well as monitoring all of the organization’s services and systems to assure meaningful privacy practices. The Privacy Officer also advocates and protects patient privacy by serving as a key privacy advisor for patients, handling disputes and managing patient requests regarding their PHI.
3. Appointment by the Chief Executive Officer of an Information Security Officer to oversee design, development, and implementation of security changes and enhancements to the Information Technology (IT) computing environments in LHN. The Information Security Officer, working with the Privacy Officer, is responsible for determining appropriate security measures and creating policies and procedures that monitor and control access to system resources and data. The Information Security Officer updates security standards as necessary and is responsible for the prevention, detection, containment and correction of security breaches.
State Law Pre-Emption Note: The Privacy Program Policies have been prepared for the purpose of satisfying Federal privacy requirements under the privacy regulations adopted pursuant to the Health Insurance Portability and Accountability Act of 1996. Efforts have been made to also reflect State law requirements. Section 160.203 of the privacy regulations provides that the Federal privacy regulations generally pre-empt contrary State law requirements. However, there are certain identified situations in which State laws are not pre-empted, including, without limitation, situations in which a State law related to the privacy of health information is more stringent than the corresponding Federal privacy requirement.