Authority: Clinical Director, Laura "Flint"

Responsibility: Clinic Director

It is crucial that every staff member understands the minimum necessary policy for use, disclosure and request of protected health information.

Healthcare providers and staff are entitled to use PHI consistent with their roles in this organization. Each staff member must also understand that with this right comes certain responsibilities such as limiting the viewing, use, disclosure and requesting to only that data necessary for patient treatment, reimbursement for treatment and healthcare operations. It is considered a breach of policy and the patient’s trust to seek information beyond what is appropriate for the staff role and the patient needs.

In the event of an emergency, the strict limits of access may be breached when appropriate for the benefit of the patient, specifically when the potential benefit to the patient is judged to outweigh the risk to patient privacy.

The purpose of this policy is to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to ensure our patients’ rights to the minimum necessary use and disclosure of their protected health information.

1. When using or disclosing protected health information or when requesting protected health information from another covered entity, each staff member of Specialty Physical Therapy must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

The requirement does not apply to disclosures to a healthcare provider for treatment, uses or disclosures made to the individual, uses or disclosures made pursuant to an authorization for release signed by the patient or the patients’ representative, disclosures made to the Secretary of Health and Human Services, disclosures that are required by law (as described by Section 164.512 (a) of the privacy regulations) and uses or disclosures that are required for compliance with the privacy regulations.

2. It is necessary that the different roles in Specialty Physical Therapy be defined so that each staff member understands their own rights and responsibilities.

Direct Healthcare Provider: A licensed healthcare professional who provides all the following, but not limited to, direct patient care: Lymphedema, Pelvic Floor and Orthopedic Protocols. In addition to protocols for indirect care or consulting services.

Technical Staff: Staff who provide patient care at the request of the Direct Healthcare Provider.

Direct Support Staff: Staff who work within the office providing a variety of professional and direct administrative support that involves the delivery of patient care or billing operations.

Indirect Support Staff: Staff who work within the office providing administrative support.

Full Health Information Access: Access to full health information as needed for health or payment operations. Staff in this category may access and read all appropriate information.

Summary Data Access: Access to summary data with treatment or diagnostic codes as needed to function. Staff in this category should confine the use of protected health information in the absolute minimum required.

Minimum Information Access: Access to patient demographic data with only minimum reference to treatment or diagnostic information as needed to function.

Emergency Information Access: Access to any individually identifiable health information should be granted in emergency situations.

Data Access Categories are assigned in accordance with the operational requirements for minimum necessary use.

Direct Healthcare Providers have access to full health information with the clear understanding that access and reading is limited to need for treatment, reimbursement or operations.

Technical Staff have access to full health information with the clear understanding that access and reading is limited to need for treatment, reimbursement or operations.

Direct Support Staff have access to full health information with the clear understanding that access and reading is limited to need for treatment, reimbursement or operations.

Indirect Support Staff have access to minimum health information with the clear understanding that access and reading is limited to need for treatment, reimbursement, or operations.

Specialty Physical Therapy will maintain a current office role directory that lists every defined position within the office. This will ensure that each position will be granted the correct access authorization as defined in the Usage Assignments section of this policy.

It is incumbent on every staff member to report any observed violation of these usage rules to the Clinical Director or another senior staff member. Every staff member must be trained in their roles and responsibilities with reference to the minimum use and access to patient data.

It is considered a breach of organization policies and the patient's trust to seek information beyond what is appropriate for the staff role and the patient needs.

In the event of an emergency, the strict limits of access may be breached when appropriate for the benefit of the patient, specifically when the potential benefit to the patient is judged to outweigh the risk to patient privacy.

The regulations establish that routine and recurring disclosures of protected health information can be made for treatment, payment or health operations without specific patient authorization. The minimum necessary requirements still pertain to all of these disclosures.

Minimum necessary determination will be made for all routine and recurring disclosures for all categories (other than those that are excepted); these categories will include, for example, additional medical information for medical necessary determination, sample records for accreditation and audits, records review for protocol adherence, patient information for participation in the clinical trial, paper claims, phone referral certification information and other categories as determined necessary.

Full health information will be provided to routine and recurring request from:

1. Health plans

2. Healthcare Providers

3. Patients

4. Family Members involved in care

5. Worker's Compensation Providers

6. Insurers

7. Barton & Carey

8. Transcription Services

9. Cinaid

10. Eleanor C. Smith-Conmy

Summary data with treatment and or diagnostic codes will be provided to routine and recurring requests from:

1. Crossroads Medical Services

Minimum information patient demographic data with only minimum references to treatment or diagnostic information will be provided to routine and recurring requests from:

Every effort will be made to comply with these disclosure categories except where the cost of extracting information is not reasonable and the risk of breach of patient privacy is considered low. In all situations, the requestor will be informed of their responsibilities towards this data and appropriate agreements entered into.

All non-routine and/or non-requests will be considered on a case-by-case basis and determination of the level of response will take into account the minimum necessary requirements.

The regulation establishes that for routine and recurring request the responsibility for determining the minimum necessary data falls on the requestor, in all situations where data requested staff members must ensure that minimum necessary evaluation is made. In situations where the determination has not been made, questions should be directed first to Laura "Flint" and to the Clinical Director.

Minimum necessary determination will be made for all routine and recurring requests for all categories will include, for example:

Reason for visit Referral authorization (Non-Standard)

Vital medical stats Test Results

Medical records for referral Patient messages