DEPARTMENT OF HEALTH AND HUMAN SERVICES
Indian Health Service
Rockville, Maryland 20852

INDIAN HEALTH SERVICE CIRCULAR No. 2003-02 Refer to: OPH


HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
PRIVACY RULE IMPLEMENTATION GUIDELINES

Sec.

1. Purpose
2. Background
3. Authority
4. Policy
5. Responsibilities
6. Definitions
7. Supersedure
8. Effective Date

Circular Exhibit        Exhibit Description

Circular Exhibit 2003-02-A - Policy and procedure for patients' rights to access, inspect, and obtain a copy of their protected health information (PHI)
Circular Exhibit 2003-02-B - Policy and procedure for matters related to accounting of disclosures of PHI
Circular Exhibit 2003-02-C - Policy and procedure for the transmittal of confidential communication by alternate means
Circular Exhibit 2003-02-D - Policy and procedure for use or disclosure of health information pursuant to authorization or valid written request
Circular Exhibit 2003-02-E - Policy and procedure for correction/amendment of PHI
Circular Exhibit 2003-02-F - Policy and procedures for de-identification of PHI and subsequent re-identification
Circular Exhibit 2003-02-G - Policy and procedure for use and disclosure for directory purposes
Circular Exhibit 2003-02-H - Policy and procedure for the use and disclosure of PHI for disaster relief purposes
Circular Exhibit 2003-02-I - Policy and procedure for sending and receiving medical records information by facsimile
Circular Exhibit 2003-02-J - Policy and procedures for creating a limited data set
Circular Exhibit 2003-02-K - Policy and procedure for limiting the use/disclosure of and requests for PHI to the minimum necessary
Circular Exhibit 2003-02-L - Policy and procedure for providing IHS notice of privacy practices
Circular Exhibit 2003-02-M - Notice of privacy practices
Circular Exhibit 2003-02-N - Policy and procedure for use and disclosure of PHI for involvement in the patient's care and for notification purposes
Circular Exhibit 2003-02-O - Policy and procedure for maintenance, use and disclosure of psychotherapy notes
Circular Exhibit 2003-02-P - Policy and procedure for use and disclosure of PHI for research purposes
Circular Exhibit 2003-02-Q - Policy and procedure for requests for restrictions on the use and disclosure of PHI
Circular Exhibit 2003-02-R - Policy and procedure for PHI of un-emancipated minors
Circular Exhibit 2003-02-S - Policy and procedure for verification of identity prior to disclosure of PHI

 
1. PURPOSE. The purpose of this Circular is to establish Indian Health Service (IHS) policy and procedures for implementing the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Privacy Act requirements. This Circular provides instructions and guidance regarding:

   A. The policies and procedures developed to achieve compliance with the HIPAA Privacy Rule.

   B. The IHS "Notice of Privacy Practices" (Notice).

   C. The use of new forms and instructions for completing them.

   D. Policy and procedures for sending and receiving confidential information by fax.

2. BACKGROUND. The HIPAA Privacy Rule requires the IHS to implement new procedures for protecting protected health information (PHI) created by the IHS, or in its possession or control. The implementation of these new procedures requires the use of new forms that have been developed for that purpose.

   The HIPAA Privacy Rule requires the IHS to provide all beneficiaries a Notice of IHS practices regarding how their PHI may be used and disclosed, how the individual can get access to such information, and the obligations the IHS has to patients regarding the use and disclosure of such information. In addition, the IHS must, to the extent possible, attempt to obtain acknowledgment from patients that they have received the Notice before the IHS provides treatment.

   Patient health information must be transmitted in accordance with the requirements of the Privacy Act of 1974, 5 United States Code (U.S.C.), Section 552a, and the HIPAA Privacy Rule, 45 Code of Federal Regulations (CFR) Part 164. Note: Due to the complex and distinct issues related to computer-based electronic transmission of health information, this Circular is not intended to address the safeguards necessary to ensure the confidentiality of that particular form of health information transmission.
 

3. AUTHORITY.

   A. Privacy Act of 1974, 5 U.S.C., Section 552a.

   B. The HIPAA Privacy Rule, 45 CFR, Part 164.
 

4. POLICY.

   A. It is the policy of the IHS to fully comply with the requirements of the HIPAA Privacy Rule on the compliance date of April 14, 2003.

   B. It is the policy of the IHS to provide every patient who receives services at an IHS facility a copy of the IHS "Notice of Privacy Practices." The patient shall be asked to acknowledge its receipt when given a copy of the IHS "Notice of Privacy Practices."

   C. It is the policy of the IHS to ensure the confidentiality of all patients' records that are transmitted by fax.
 

5. RESPONSIBILITIES.

   A. Director, IHS. The Director ensures that the IHS is in compliance with all requirements of the HIPAA legislation.

   B. Director, Office of Public Health. The Director, Office of Public Health (OPH), is clinically and administratively responsible for direct health care. The Director, OPH, is responsible to the Director, IHS, for reporting HIPAA privacy and other documentation issues that could affect health care delivery.

   C. Area Director. Each Area Director ensures that their Area is in compliance with HIPAA regulations. The Area Director is responsible for providing an annual HIPAA activity report to IHS Headquarters on HIPAA implementation and ongoing training activities of each IHS facility within their respective Area. Area Directors are responsible for the development of Area HIPAA policies and procedures.

   D. Health Record Consultants. Health Record Consultants advise Area Directors, Area staff, Service Unit Directors (SUD), and service unit staff on health record issues. The Headquarters Health Record Consultant advises the Director, OPH, on HIPAA activities and consults with Area Health Record Consultants on HIPAA activities. Area Health Record Consultants are responsible for advising the Area Director, SUD, and their staff on HIPAA implementation activities within their geographic areas. Health Record Consultants shall consult with the IHS Privacy Act Officer on overlapping HIPAA Rule and Privacy Act issues.

   E. Service Unit Directors. Each SUD is responsible for ensuring compliance with HIPAA regulations, including the development of policies and procedures, and for reporting the status of HIPAA compliance, complaints, violations, implementation, and ongoing training of each IHS facility within their respective service unit to their respective Area Director.

   F. Others. The Headquarters Privacy Act Officer, Area Privacy Act Advocates, Privacy Act Liaisons (service unit), and Area HIPAA Coordinators, in consultation with Health Record Consultants, are responsible for HIPAA implementation and compliance within their geographic area. Area Privacy Act Advocates advise service unit staff on Privacy Act and HIPAA Privacy Rule issues and resolve differences with the HIPAA Privacy Rule and instances where the Privacy Act of 1974 and its subsequent amendments overlap with HIPAA. Some Health Record Consultants (if not all) also serve as Area Privacy Act Advocates. Area Privacy Act Advocates report directly to the Area Director and advise the IHS Privacy Officer of any HIPAA violations, non-compliance, complaints, and resolutions. The IHS Privacy Officer will inform the Director, OPH, and the Director, Division of Regulatory and Legal Affairs, of any potential HIPAA compliance problems for action.
 

6. DEFINITIONS.

   A. Health Information. Health information means any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and relates to the past, present, or future physical or mental condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

   B. Highly Sensitive Health Information. Highly sensitive health information is any patient health information relating to:

      (1) Testing for the Human Immunodeficiency Virus (HIV) or other sexually transmitted diseases, or treatment related to HIV or other sexually transmitted diseases.

      (2) Testing for cancer or other life-threatening illnesses.

      (3) The diagnosis, treatment, or referral for treatment of sexual assault/abuse, mental illness, and/or alcohol or substance abuse.

   C. Designated Record Set. A designated record set is a group of records maintained by or for the IHS that is:

      (1) The medical records or billing records about individuals maintained by or for the IHS.

      (2) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for the IHS that are used, in whole or in part, by or for the IHS to make decisions about individuals.

   D. Emergency Medical Condition. An emergency medical condition is a medical condition manifesting itself by acute symptoms of sufficient severity (including severe pain) such that the absence of immediate medical attention could reasonably be expected to result in:

      (1) Placing the health of the individual (or, with respect to a pregnant woman, the health of the woman or her unborn child) in serious jeopardy.

      (2) Serious impairment to bodily functions.

      (3) Serious dysfunction of any bodily organ or part.

   E. Notice of Privacy Practices. The "Notice of Privacy Practices" (Notice) is a document describing:

      (1) How an individual's PHI that is created and maintained by or for the IHS at an IHS health program facility may be used and disclosed by the IHS.

      (2) The individual's rights, including how to access the information.

      (3) The IHS' responsibilities with respect to PHI.

   F. Psychotherapy Notes. Psychotherapy notes are notes recorded (in any medium) by a health care provider who is a mental health professional, documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family session, that are maintained separately from the rest of the individual's medical record for the sole use of the health professional.
 

7. PROCEDURES. The following procedures will be used to ensure compliance with HIPAA regulations at the service unit level.

   A. Designation of Privacy Official and Contact Person. Each IHS facility shall designate a Privacy Official (Officer) and/or a contact person who shall be responsible for the development of local policies and procedures for HIPAA compliance within the service unit area. The Privacy Officer and the contact person can be the same individual. The Privacy Officer and/or contact person must be knowledgeable and able to provide information covered in the "IHS Notice of Privacy Practices," receive complaints, and, where possible, resolve HIPAA issues.

   B. Training. All IHS facilities must provide initial HIPAA overview training to all employees, volunteers, and onsite contractors. New employees must receive training as soon as possible, but no later than 30 days after entering on duty. Function-specific training must also be provided to other categories of staff, such as health information management staff, business office staff, and nursing and medical staff. Training must also be provided to designated staff when policies and procedures are revised. Training provided to staff shall be documented and the documentation maintained, in writing or electronically, for 6 years.

   C. Safeguards. All IHS facilities shall put in place policies and procedures to safeguard PHI in accordance with the Privacy Act and HIPAA regulations for both electronic and paper records, to include administrative, technical, and physical safeguards. Examples:

      (1) Administrative safeguards include orientation and termination policies, incident reporting policies, access, contingency, and disaster recovery.

      (2) Technical safeguards include user access and restrictions, user monitoring, authentication, and password issuance.

      (3) Physical safeguards include physical access control during and after hours, shredding policies, and health record removal from the facility.

   D. Complaints. All complaints regarding HIPAA and Privacy Act violations shall be addressed to the SUD/Chief Executive Officer or designee. The complaints must be documented, maintained, and filed, together with a brief explanation of the resolution, if any. Note: Individuals may file complaints directly with the Secretary, Department of Health and Human Services (HHS).

   E. Sanctions. All IHS facilities shall develop sanction policies and procedures using current IHS policies and procedures, including employee Standards of Conduct (5 CFR Part 3635), the Privacy Act (45 CFR Appendix A - Part 5b), and the HIPAA Privacy Rule (45 CFR Part 164).

      (1) Employees must be made aware of these policies and procedures during training. Sanctions could range from warning to termination, depending on the level of violation.

      (2) Facilities must document the sanctions that are applied, if any.

   F. Prohibited Sanctions. The IHS and its facilities shall not invoke sanctions against employees, volunteers, and/or onsite contractors under the following conditions:

      (1) Whistleblower. An employee discloses PHI, provided he or she believes in good faith that the facility is in violation of HIPAA or other clinical or health care standards, or that facility activities or conditions could potentially endanger one or more patients, workers, or members of the public, to:

         a. A health oversight authority or public health authority authorized by law to investigate such violations, or an accreditation organization, for the purpose of reporting the failure to meet standards or misconduct by an IHS facility; or

         b. An attorney retained by the employee for the purpose of determining his or her legal options with regard to an IHS facility's conduct.

      (2) Law Enforcement. Disclosure by employees who are victims of a crime to a law enforcement official, provided that the PHI disclosed is about the suspected criminal and is limited to the following:

         a. Name and address

         b. Date and place of birth

         c. Social security number

         d. ABO blood type and Rh factor

         e. Type of injury

         f. Date and time of treatment

         g. Date and time of death, if applicable

         h. A description of distinguishing physical appearance, including height, weight, gender, race, hair or eye color, and the presence or absence of facial hair, scars, and tattoos.

   G. Mitigation. When an IHS facility becomes aware of a possible violation involving the use or disclosure of PHI by its employee or business associate, the facility shall take reasonable steps to mitigate the disclosure or violation. For example, when PHI has been improperly disclosed, steps shall be taken to mitigate its improper use based on knowledge of how such information might be used.

   H. Refraining From Intimidating or Retaliatory Acts. The IHS shall not intimidate, threaten, coerce, discriminate against, or take retaliatory action against patients for exercising their rights under the HIPAA Privacy Rule, or against any person, including employees, volunteers, and on-site contractors, for participating in any process established for:

      (1) Filing privacy complaints with the Secretary, HHS.

      (2) Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing related to the Privacy Rule.

      (3) Opposing any act or practice that is unlawful under the Privacy Rule, provided the manner of opposition is reasonable and does not involve a disclosure of PHI that is not permitted.

   I. Waiver of Rights. No IHS facility shall require individuals to waive their rights under the HIPAA Privacy Rule, including but not limited to their right to file complaints with the Secretary, HHS, as a condition for the provision of treatment, payment, eligibility (Contract Health Service), or other benefits.
 

8. SUPERSEDURE. None.

9. EFFECTIVE DATE. This Circular is effective upon date of signature.

/s/ Charles W. Grim, D.D.S., Assistant Surgeon General, Interim Director