CCSS PRO: 016
Effective Date: 4.14.03
Revised: 5.2.16
Reviewed: 4.25.16
Section: HIPAA
Regarding: Notice of Privacy Practices for Protected Health Information (PHI)
PURPOSE
Callaway County Special Services (CCSS) will protect the privacy of individually identifiable health information in compliance with federal and state laws governing the use and disclosure of protected health information (PHI) pursuant to the requirements of the Health Insurance Portability & Accountability Act (HIPAA) 45 CFR Section 164.502 et seq. Therefore, all consumers (or their legal guardian) should be provided access to the most current Notice of Privacy Practices, and that a good faith attempt must be made to have each consumer acknowledge the Notice of Privacy Practices as required in 45 CFR Section 164.520.
PROCEDURE
CCSS Notice of Privacy Practices Form 040 should be given to the consumer, and when applicable their guardian, no later than the date of the first delivery of, or appearance for, service from CCSS. This timing is considered the initial moment of contact between a consumer and CCSS. The sending of information on the agency or an application for services is not considered the point of first delivery of or appearance for service.
1) Obligation to Document Acknowledgement of Notice
When the consumer seeks services, CCSS will obtain written acknowledgment of the receipt of the Notice of Privacy Practices.
A) Form 1089, Individual Rights Receipt and Consent to Services is to be completed and signed by the consumer then removed from the Notice and filed in the consumer file/designated record set. The full Notice of Privacy Practices is then given to the consumer.
B) If an established consumer transfers from one CCSS program to another, or enrolls in an additional program offered through CCSS then no new Notice of Privacy Practices shall be required. If the consumer is discharged and then reapplies for services a new Notice of Privacy Practices is given. If the consumer has been placed on “inactive” status, then a new Notice of Privacy Practices shall be given at the time of service re-initiation.
C) If CCSS does not obtain the acknowledgement, then they shall document our efforts to obtain the acknowledgment, and on the Form 901, Individual Rights Receipt and Consent to Services, reason(s) why the acknowledgment was not obtained.
2) Provision of the Notice of Privacy Practices to Established Consumers of CCSS
Beginning April 14, 2003, for current consumers of CCSS, a copy of the Notice of Privacy Practices shall be presented at the annual individual plan review or at the 60-day individual plan review (whichever comes first). A copy of the “CCSS HIPAA Privacy Practices” brochure may be provided to the consumer as well. CCSS will also mail copies of the Notice of Privacy Practices to current consumers who do not have individual plans.
A) A copy of the Notice of Privacy Practices shall be posted at all CCSS locations.
B) Whenever the Notice of Privacy Practices is revised, the revised Notice must be made available upon request by a consumer.
3) Developing and Updating Notice of Privacy Practices
CCSS Privacy Officer, in conjunction with agency Record Review Committee will be responsible for developing and updating, as necessary, the Notice of Privacy Practices.
A) When a material change is made, CCSS must make that revised Notice available upon request, and the revised Notice must be posted at all CCSS locations.
B) CCSS Privacy Officer shall maintain a historical record of all versions of the Notice of Privacy Practices, and the applicable dates for each.
4) Sanctions
Any CCSS workforce member found to have violated this policy shall be subject to sanctions and disciplinary proceedings up to and including dismissal.
016-2