A covered entity must make a “good faith effort” to obtain from the patient a written acknowledgment of receipt of a facility’s Notice of Privacy Practices (NPP) at the earliest possible encounter. If the patient refuses to sign, the provider needs to show that every effort was made to obtain a signature.
The NPP can be a summary statement of the provider’s comprehensive NPP with reference to the entire NPP being available to the patient for examination.
A general document giving health care providers permission to use & disclose all PHI for treatment, payment or health care operations (TPO).
It gives permission only to the provider, and not to any other person or business associate.
Not required, but optional
A customized document giving covered entities permission to use specified PHI for specified purposes, or to disclose specified PHI to a third party. It is more specific & detailed than consent, and it is usually time sensitive.
Walk through the facility from the patient’s point of view. Look for visible or audible PHI, including information on tables & desks, in waste cans, on computer monitors, on fax machines, or overheard on telephones.
CMU is a hybrid entity: some parts of the university must comply fully as a covered entity (e.g., Speech & Hearing Clinics), other portions are not affected at all by HIPAA (e.g., English Dept.), and other parts are indirectly affected (e.g., Accounts Receivable).
As a single, hybrid entity, if any one part of the university is found to be out of compliance, all other covered parts can be investigated.
HIPAA is designed to empower the patient/consumer.
HIPAA ideally will minimize cost over the long term.