Privacy Policies and Procedures


PRIVACY POLICIES AND PROCEDURES L.A. Gay & Lesbian Center Title: Safeguards No.: 1 Path/Filename: G:\Public\Health Services\LAGLC HIPAA Policies and Pocedures\3.1-Safeguards.doc Section III: Administration of HIPAA 3.1 SAFEGUARDS Background A. The Health Insurance Portability and Accountability Act Privacy Rule requires covered entities to have in place appropriate administrative, technical, and physical safeguards to reasonably protect the privacy of protected health information (PHI): 1. from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements related to HIPAA, and 2. reasonably limit incidental uses or disclosures of PHI made inadvertently as a consequence of an otherwise permitted or required use or disclosure. B. California’s Confidentiality of Medical Information Act requires health care providers that create, maintain, preserve, store, abandon, destroy, or dispose of medical records to do so in a manner that preserves the confidentiality of the information. Definitions A. Administrative safeguards are administrative actions, and policies and procedures, to manage: 1. the selection, development, implementation, and maintenance of security measures to protect electronic PHI, and 2. the conduct of the covered entity’s workforce in relation to the protection of that information. Examples of administrative safeguards include instructions to employees, rules for use of PHI, and training. B. Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. Examples of physical safeguards include locking file cabinets, door locks, dividers between desks, and paper shredders. C. Technical safeguards are the technology, the policy, and the procedures that protect electronic PHI and control access to it. Examples of technical safeguards include computer pass codes and timing out for computer monitors. D. Workforce members means 1. employees, 2. volunteers (including interns), and 3. independent contractors (including consultants). PRIVACY POLICIES AND PROCEDURES L.A. Gay & Lesbian Center Title: Safeguards No.: 1 Path/Filename: G:\Public\Health Services\LAGLC HIPAA Policies and Pocedures\3.1-Safeguards.doc Section III: Administration of HIPAA E. Covered components refers to the following departments of L.A. Gay & Lesbian Center (LAGLC) subject to HIPAA Privacy Rule: 1. Health & Mental Health Services; 2. Health Education and Prevention; and 3. Finance. Policy L.A. Gay & Lesbian Center’s covered components make reasonable efforts to protect PHI by administrative, physical, and technical safeguards for 1. preventing uses or disclosures of PHI that violate Privacy Rule requirements, and 2. limiting incidental disclosures that may occur during the permitted uses or disclosures of PHI. Procedure A. General As applicable, workforce members within LAGLC’s covered components (hereafter “workforce members”) will: 1. make reasonable attempts to limit discussion of PHI in common areas and keep such conversations quiet; 2. take patients to a private area or speak quietly when discussing PHI (e.g., extensive discussions regarding treatment, medical history, and current problems should not be conducted in common areas); 3. avoid talking about patients outside of the health care setting (e.g., in elevators, hallways, or lobby); 4. limit use of PHI when communicating via e-mail. B. Answering machines 1. Workforce members will use sound judgment when leaving messages on answering machines. 2. When leaving answering machine messages related to appointments, workforce members will a. leave only their name, number, and only information that is necessary to confirm an appointment, or ask the individual to call back; b. avoid referencing that category of appointment (e.g., HIV, mental health, or sexually transmitted disease). C. Faxes Workforce members will 1. provide individuals and entities transmitting PHI only with RightFax numbers or with the phone numbers of secured fax machines located in Room 327 and the Pharmacy; PRIVACY POLICIES AND PROCEDURES L.A. Gay & Lesbian Center Title: Safeguards No.: 1 Path/Filename: G:\Public\Health Services\LAGLC HIPAA Policies and Pocedures\3.1-Safeguards.doc Section III: Administration of HIPAA 2. use cover sheets that label transmissions of PHI as confidential. D. Patient sign-in 1. PHI kept on sign-in sheets will be kept to the minimum necessary for signing in and will not include additional information (e.g., the medical problem for which the patient is seeing a provider). 2. Patients seeing other patients’ names on sign-in sheets at the time of signing are allowable incidental disclosures. E. Announcing patient information 1. Patient information announced publicly will be limited names called by staff members when summoning them from reception areas (see Procedure A.2, above). 2. Patients hearing other patients’ names called from reception areas are allowable incidental disclosures. F. Documents Workforce members will 1. take reasonable precautions to keep documents that contain PHI out of view of patients and reception areas; 2. shred documents containing PHI prior to disposal. G. Patient records 1. Workforce members will ensure that patient records are not kept in areas where unauthorized persons can view or access them. 2. Workforce members will ensure that patient records are locked up when not being used. 3. When there are multiple levels of patient record securability (e.g., a locked storage cabinet within a locked room within a locked larger area), the most secure level should be used. 4. Areas housing patient records will be locked or supervised at all times. 5. Access to areas housing patient records will be limited to personnel designated by the Patient Services Supervisor. 6. Personnel authorized to have keys to areas housing patient records will be limited to those designated by the Patient Services Supervisor. 7. Patient records will not be held or left overnight anywhere outside of designated medical records storage areas. a. Jeffrey Goodman Special Care Clinic i. Patient records will be returned to designated holding areas daily before 6:45 PM, when designated staff members will return them to secured overnight storage locations. PRIVACY POLICIES AND PROCEDURES L.A. Gay & Lesbian Center Title: Safeguards No.: 1 Path/Filename: G:\Public\Health Services\LAGLC HIPAA Policies and Pocedures\3.1-Safeguards.doc Section III: Administration of HIPAA ii. Medical providers who are unable to complete patient records by 6:45 PM will store them overnight in the provider room (327-B); the last provider to leave the room for the day will ensure that the room is locked. Charts stored in the provider room will be locked inside custodial providers’ overhead storage bins. iii. To facilitate actions that may need to be taken on patient records the next business day, the provider will send an email or place a note in the appropriate person’s message box indicating where the records are located and what needs to be done. (For example, place a note on the prescription refill computer station indicating that there are charts for refills that are in the providers’ room). b. Mental Health Services i. Patient records will be returned to designated holding areas by staff clinicians daily prior to leaving. ii. Clinicians who are unable to complete patient records prior to leaving will store them overnight in the MHS Medical Record room (402-E). The last clinician to leave the room for the day will ensure that the room is locked. c. Sexual Health Program (SHP) i. SHP patient records will be transported from the chart room in the designated cart. ii. The cart will be emptied and rolled into the SHP nurse’s office. iii. Patient records will be processed during the evening clinic. iv. At the end of the evening clinic, all patient records used during the clinic will be placed in the cart and locked. v. This locked cart will then be locked within the designated SHP office. vi. Patient records in the cart will be processed the following morning. vii. The cart will then be emptied and returned to the chart room for the next evening’s chart collection. viii. All other PHI, regardless of location and state of completion, will be returned to the chart room for storage at the end of each evening. d. Research Research patient records will be stored in locked file cabinets located in locked offices assigned for Research use (316, 317, 318, and 319). H. Sanctions for noncompliance Sanctions will be applied (as described in the “Employee Discipline” section of LAGLC’s Employee Handbook) against workforce members who fail to safeguard PHI in accordance with this policy. PRIVACY POLICIES AND PROCEDURES Los Angeles LGBT Center Title: Electronic Communications No.: H 3.2 Path/Filename: G:\8. Health Services\Onboarding Documents\Electronic Communications.doc Section III: Administration of HIPAA Page 1 of 5 H 3.2 ELECTRONIC COMMUNICATIONS Definitions A. Electronic Data Interchange (EDI): a means for transmitting data between computer systems. B. E-mail: messages, usually text, sent from one person to another via computer. C. Facsimile Transmission (FAX): the electronic transmission of images through a facsimile (FAX) machine. D. Minimum Necessary: a principle that disclosure of PHI is limited to that which is necessary to satisfy a particular purpose or carry out a specific function. E. Individually Identifiable Health Information (IIHI): information that 1. is created or received by a provider, health plan, or clearing house; 2. identifies an individual; and 3. is related to the health condition of an individual, or the provision of health care to the individual, or payments for health care services. F. Protected Health Information (PHI): IIHI that is under the control of one or more of LAGLC’s covered components (see Policy 1.2, “Hybrid Entity”). G. Text: Written, audio or picture messages typically sent to and from mobile devices. Policy A. Patients have the right to request communication by alternative means, however, the Los Angeles LGBT Center (the Center) is not obligated to agree to the request. B. PHI is safeguarded against unauthorized use or disclosure. C. All electronic communication is subject to monitoring by the Center’s administrative units. D. For the purpose of this policy, the Minimum Necessary principle applies to all electronic correspondence that contains PHI. PRIVACY POLICIES AND PROCEDURES Los Angeles LGBT Center Title: Electronic Communications No.: H 3.2 Path/Filename: G:\8. Health Services\Onboarding Documents\Electronic Communications.doc Section III: Administration of HIPAA Page 2 of 5 E. This policy applies to all usage of electronic mail systems within the Center where the mail either originated from or is forwarded into a Center computer or network. It applies to all e-mail users including, but not limited to, staff, consultants, and volunteers. F. FollowMyHealth (Patient Portal) will be the approved application used for two- way communication using secure email. G. i2i Tracks and Phreesia will be the approved application used to generate one- way email notification to clients. H. CareMessage and Red Oxygen will be the approved applications used to generate outgoing text messages to clients. I. Texting and e-mailing PHI to patients outside of these approved applications is not permitted, except in instances of public health significance or when contacting clients by other means could prevent client endangerment and/or adverse health outcomes. 1. When texting outside of CareMessage or Red Oxygen: a. Only Center provided mobile phones may be used. b. Texting clients from personal cell phones is prohibited. c. Documentation will be entered into the EHR outlining date, time and method of communication as well as any clinically relevant information that was obtained or sent. 2. When using e-mail outside of FollowMyHealth: a. Clinically relevant e-mail messages including any responses are printed in full and filed in the patient’s medical record. b. E-mail containing PHI is not to be auto-forwarded to any provider’s or authorized staff’s non-lalgbtcenter.org e-mail account (including but not limited to personal and commercial e-mail accounts such as AOL, Yahoo, MSN, etc.). c. No distribution list is to be used for e-mail that contains PHI. d. Access to lalgbtcenter.org e-mail accounts through the Internet is by secure connections. PRIVACY POLICIES AND PROCEDURES Los Angeles LGBT Center Title: Electronic Communications No.: H 3.2 Path/Filename: G:\8. Health Services\Onboarding Documents\Electronic Communications.doc Section III: Administration of HIPAA Page 3 of 5 e. All two-way e-mail communications from the Center to the patient will be encrypted. J. When cell phones are provided by a sponsor or funder for participant communication in a specific clinical research study, the Research Sr. Program manager or designee will provide HIS with the following information during study start-up: 1. Name of study; funder/sponsor; what type of cellular device is being used; time frame of study. Procedure E-mail A. Communication guidelines will be defined between the provider and the patient, including 1. how often e-mail will be checked, 2. instructions for when and how to escalate to phone calls and office visits, 3. types of transactions appropriate for e-mail. B. E-mail message content will include 1. the subject of the message in the subject line, i.e., prescription refill, appointment request, etc., and 2. clear patient identification including patient name, telephone number and patient identification number in the body of the message. C. All e-mail messages sent to external (non-lalgbtcenter.org) e-mail accounts will be encrypted by one of the following methods: 1. Mimecast encryption add-in within Outlook (preferred method) or 2. by typing “”—without quotation marks—in the subject line. D. The following confidentiality statement will be included in all e-mails that are sent from the Center (format should be Verdana font, at least 10-point size, with only italic or no special text formatting applied): This communication, including any attachments, is for the sole use of the intended recipient(s) and may contain information that is legally protected from disclosure. If you are not the intended recipient, please note that any dissemination, distribution or copying of this communication is strictly PRIVACY POLICIES AND PROCEDURES Los Angeles LGBT Center Title: Electronic Communications No.: H 3.2 Path/Filename: G:\8. Health Services\Onboarding Documents\Electronic Communications.doc Section III: Administration of HIPAA Page 4 of 5 prohibited. If you have received this message in error, you should notify the sender immediately by telephone or by return email and delete this message from your computer. Text messages E. Text message sent through the internet or over phone systems may not be encrypted or secure and could result in unauthorized persons accessing PHI. F. Whenever possible, providers or authorized staff will discuss the following with patients and/or personal representatives who want to communicate by text message: 1. Texting should be done during weekday business hours. If patients have to text after hours, their texts will not be responded to until the following business day. 2. Patients will not send texts threatening to harm themselves or others. If they have thoughts of suicide or harming others, they will call 911 or proceed to the nearest Emergency Department. 3. Text messaging is not appropriate for communicating diagnoses or lab results to a staff member, and they will not receive their health information via text. This also includes pictures of insurance cards or any other identifying information. 4. Patients have the right to stop communication via text at any time. 5. Content of texts will be in regard to health maintenance or coordination of services only. If necessary, patients and staff will be instructed not to send jokes, pictures, or other non-health related content. 6. Failure to comply will result in patient phone numbers being blocked, and they will no longer be able to communicate via text. FAX G. All staff initiating a fax will confirm that the fax number dialed connects to a facsimile machine that is 1. secured and 2. authorized to receive PHI. PRIVACY POLICIES AND PROCEDURES Los Angeles LGBT Center Title: Electronic Communications No.: H 3.2 Path/Filename: G:\8. Health Services\Onboarding Documents\Electronic Communications.doc Section III: Administration of HIPAA Page 5 of 5 H. A cover page containing the following message (format should be Arial font, at least 8-point font, with only italic or no special text formatting applied) will be used with all faxes that are sent: *IMPORTANT MESSAGE* This communication may contain information that is legally protected from unauthorized disclosure. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information is prohibited from disclosing this information to any other party unless required to do so by law or regulation and is required to destroy the information after its stated need has been fulfilled. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received these documents in error, please notify the sender immediately and arrange for the return or destruction of these documents. I. Senders will be advised of items that have been received in error, and the received items will be destroyed. EDI J. EDI communication will occur only with covered entities or business associates (see Policy 1.1, “Business Associates”). K. EDI communication will occur along secure communications channels or will be encrypted with password protection prior to transmission on public networks. L. All HIV antibody-positive patients whose data is transmitted via EDI to L.A. County Division of HIV and STD Programs will first sign a Consent to Release Information to Casewatch Agencies form. Receipt and status of acknowledgement will be recorded in the Casewatch system. Health Services STAFF MEMBER ACKNOWLEDGMENT OF RECEIPT OF PRIVACY POLICIES Los Angeles LGBT Center STAFF MEMBER ACKNOWLEDGMENT OF RECEIPT OF PRIVACY POLICIES Name: ID: HS0180 (Rev. 6/14) My signature below acknowledges that I have received copies of the following Los Angeles LGBT Center Privacy Policies: ( ) Safeguards ( ) Electronic Communications _________________________________________ _____________________ Staff member signature Date _________________________________________ Staff member name (printed) _________________________________________ _____________________ Agency representative signature Date _________________________________________ Agency representative name (printed)

Leave this empty:

Signature arrow sign here


Signature Certificate
Document name: Privacy Policies and Procedures
lock iconUnique Document ID: 48e7df78280c8f17aa0689c7b9722b2497950472
Timestamp Audit
April 12, 2024 10:37 am PDTPrivacy Policies and Procedures Uploaded by Sam Middleton - [email protected] IP 174.74.121.18