Page 50 - Privacy_Program
PARTICIPANT PRIVACY HIPAA PHI SAFEGUARDS [DP102]
Scope: Enterprise
Distribution: Executive Leadership Team; Director of Information Technology, Privacy and Data Security; Directors, Managers and
Supervisors; All Working Well Mental Health Services Employees and Others with Access to Protected Health Information (includes
Contractors, temporary employees and Interns)
Purpose: To provide an overview of safeguards for HIPAA Protected Health Information (PHI) in accordance with HIPAA. (See DP
113 “Identifying HIPAA Protected Health Information” for a definition of the meaning of PHI.) Those with access to PHI may include
those who provide ARMHS and/or SSI advocacy services, and Finance or S&P staff who process payment or perform other administrative
functions involving participants receiving SSI advocacy services through GESMN.
External Regulation or Standard: Health Information Portability and Accountability Act
Statement Number: DP102.1
Who is Responsible: Executive Leadership Team
Policy, Standard, or Procedure Statement: HIPAA requires all Covered Entities to appoint a HIPAA Privacy Official and a HIPAA Security Official to be responsible for compliance with HIPAA. The Executive Team has assigned the Director of Information Technology, Privacy and Data Security as the HIPAA Privacy and Security Official. See DP110 – PRIVACY LEADERSHIP and DP210 – SECURITY LEADERSHIP.

Statement Number: DP102.2
Who is Responsible: Employees with Access to Protected Health Information (PHI)
Policy, Standard, or Procedure Statement: The following General PHI Use and Disclosure Rules will apply:

Statement Number: DP102.2a
Who is Responsible: Employees and others with Access to PHI
Policy, Standard, or Procedure Statement: Participant Authorization for Use and Disclosure of PHI. Staff with access to PHI will only use and disclose PHI without obtaining participant authorization as permitted in DP 113 “Identifying HIPAA Protected Health Information” and as allowed in GESMN’s Privacy Policies, Data Security Policies and other policies listed at the end of this policy. Note that except for Emergency Treatment, participant Authorization is generally required. All other uses and disclosures require participant authorization.

Statement Number: DP102.2b
Policy, Standard, or Procedure Statement: Access PHI Only to Perform Job. Staff with access to PHI will only use and disclose PHI as necessary to perform their jobs. Staff are not permitted to use or disclose PHI for any other reason, such as out of concern for a coworker or participant, or out of curiosity.

Statement Number: DP102.2c
Policy, Standard, or Procedure Statement: Use and Disclose Minimum Necessary PHI. Other than for Treatment or pursuant to participant Authorization, staff will only use and disclose the Minimum Necessary PHI for the purpose at issue.

Statement Number: DP102.3
Who is Responsible: Employees and others with Access to PHI
Policy, Standard, or Procedure Statement: Staff will obtain annual participant authorization for use and disclosure of PHI for treatment (other than Emergency Treatment), payment and health care operations using the Standard Consent Form – Release of Health Information. Prior to sharing any PHI with third parties, including other providers, referral or funding sources, accrediting agencies, and other third parties, a specific