PATIENT PRIVACY PLAN
CONSTITUTION EYE SURGERY CENTER, LLC

Constitution Eye Surgery Center, LLC (Constitution) is committed to protecting the privacy of our patients' health care information. Patients have an expectation that their individually identifiable medical information will be kept confidential. Constitution intends to comply with the legal requirements regarding patient privacy, including implementation rules for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the applicable federal and state laws and regulations.

Failure to maintain the privacy of patient information can result in embarrassment, humiliation, adverse employment and financial consequences, and Constitution may incur legal and financial penalties plus loss of reputation and business interests. All Constitution employees, staff physicians, and Business Associates are required to maintain patient privacy.

Definition of Individually Identifiable Health Information

The privacy of individually identifiable health information is protected by Constitution. Identifiers include the patient's name, address, birth date, telephone or fax number, e-mail address, social security number, account number, or other unique data that might allow unauthorized individuals to identify a patient and associate the patient with their health care information.

Notice of Health Information Practices

Constitution's "Notice of Health Information Practices" gives a description of the possible uses and disclosures of patients' individually identifiable health information. The Notice provides more detailed information about current Constitution practices regarding the handling of patient data. The Notice also contains a list of patients' rights concerning their medical information. The Notice will be posted at Constitution's offices in an area visible to patients [and on the Constitution website].

Authorization for Release of Information

To allow for any release of health care information other than for routine treatment, payment and health care operations and as specified in the "Notice of Health Information Practices," a patient needs to sign an "Authorization for Release of Information." For example, if a lawyer's office requests reports, billing information, or images, a signed Authorization is required. Constitution will employ standard authorization forms for these purposes.

Minimum Necessary Standard

A patient's full medical record may be disclosed to other health care providers involved in the patient's treatment or, with limited exceptions, to the patient himself or herself. However, other disclosures, such as those for billing/insurance and routine health care operations, should be kept to the minimum necessary to accomplish the intended function. The Constitution Privacy Officer will develop standards from time to time as to what constitutes the "minimum necessary" disclosure in certain recurring or routine situations. Any staff member with a question as to the permitted scope of a particular disclosure should consult with the Privacy Officer.

Business Associates

In regard to patient privacy under HIPAA, a Business Associate of Constitution is anyone other than a Constitution employee or staff physician who, on behalf of Constitution, performs or assists Constitution in the performance of a function involving the use and disclosure of individually identifiable health information. Examples include third-party billing companies, lawyers, accountants, etc. Constitution will maintain written contracts with such Business Associates to ensure that the associates maintain appropriate safeguards so that the disclosed health information is not used or disclosed for purposes other than as provided by the contract or in violation of the law. Patient data is subject to a "chain of trust" so that, when the data is passed to a Business Associate, confidentiality is still maintained by that associate and by any other Business Associates to whom they may subsequently pass the data. Business Associate contract forms will be developed by the Privacy Officer in consultation with Constitution legal counsel.

Non-Constitution Personnel in Constitution Offices

On occasion, individuals who are not Constitution employees or physicians and who are not Constitution Business Associates (Constitution does not intentionally disclose patient information to them to perform functions on behalf of Constitution) will be present in Constitution's offices. These personnel may inadvertently see or hear patients' private health information while performing their duties in the Constitution offices. Such personnel may include cleaning people, equipment repair people, students, training representatives for new equipment, and any other non-patients who stay at Constitution for longer than just a walk-through and may be expected to see or hear patient data. These individuals may be asked to sign a "Confidentiality Agreement" to be kept on file at Constitution.

Privacy Officer

The Constitution Administrator/Business Manager will be the Constitution Privacy Officer and will report to the Board of Managers. The Privacy Officer will be responsible for the implementation and maintenance of the Constitution Patient Privacy Plan. Privacy Officer responsibilities include:

  1. Develop, implement, and maintain security procedures for all Constitution systems and media carrying individually identifiable patient data, such as computers, electronic storage media and paper records.
  2. Work on the development of Business Associate contracts and chain of trust patient privacy agreements.
  3. Store and provide access to documents as required in this Patient Privacy Plan.
  4. Address the education/training of Constitution employees and staff physicians regarding compliance with patient data security procedures/safeguards and with the requirements of HIPAA and other patient privacy laws.
  5. Act as the initial contact person for employees, physicians, and patients who have routine daily questions or problems regarding patient privacy.
  6. Informally monitor the effectiveness of patient data security procedures.
  7. Assist in formal audits from time to time of the effectiveness of patient data security procedures.
  8. Respond to complaints and known breaches of patient privacy, and implement corrective action.
  9. Maintain current knowledge of applicable federal and state patient privacy laws.

Procedures

To implement the Patient Privacy Plan, procedure protocols will be maintained for handling the documents and situations listed below. The Privacy Officer will have the protocols on file and make them available on request.

  1. Notice of Health Information Practices
  2. Authorization for Release of Information
  3. Patient request for confidential communications
  4. Patient request to inspect or copy records
  5. Patient request to amend records
  6. Patient request for accounting of their medical information disclosures
  7. Patient request to restrict or revoke Consent or Authorization
  8. Privacy complaint by patient
  9. Breaches of patient privacy and other Patient Privacy Plan problems
  10. E-mail communication
  11. Non-Constitution personnel in Constitution offices

Security Safeguards

In order to protect the privacy of individually identifiable patient data, physical and procedural safeguards will be developed, implemented and maintained by the Privacy Officer. Staff will be educated with respect to these standards as a component of their overall education, training and orientation. Staff will be advised as to revisions to security standards affecting their duties. Data subject to security safeguards includes all patient records, billing information, and other unique information that can be used to identify an individual patient, whether in electronic, paper or other form. The Privacy Officer will keep a record of the current security safeguards in effect.

Training/Education

All Constitution employees and staff physicians will receive initial training and education regarding the Patient Privacy Plan. Depending on an individual's job function with Constitution, specific instruction will be given regarding protocols as noted under the Procedures and Security Safeguards sections of this Plan. Training/education may be provided by face-to-face meetings, written communications and notices, or other media. The Plan will be included as a component of Constitution's overall Compliance Program and in the Constitution Employee Manual. The Privacy Officer will keep a current copy of the Patient Privacy Plan available. Retraining of particular staff will be provided periodically as necessary and when changes are made to the Plan, procedures, or security safeguards.

Monitoring/Auditing

All Constitution employees and physicians have a duty to report to the Privacy Officer breaches of patient privacy and other real or potential problems with the Patient Privacy Plan and the security of patient health care data. Periodic monitoring and formal audits will be done to evaluate the effectiveness of the Patient Privacy Plan and Constitution's security safeguards in maintaining the confidentiality of patient information. Constitution employees and physicians may be monitored, including monitoring their computer file accesses and other computer use.

Corrective Actions

A use or disclosure of a patient's individually identifiable health information, other than as allowed by law or authorized by a signed "Authorization for Release of Information," constitutes a breach of privacy and should be reported to the Privacy Officer. The Privacy Officer will take actions to minimize any harmful effects of any privacy violation and to notify the patient, if appropriate. Deficiencies of the Patient Privacy Plan or of the procedures and security safeguards used to implement the Plan, whether found by formal monitoring/audit or otherwise, should be brought to the attention of the Privacy Officer. Appropriate procedure and security safeguard changes will be made by the Privacy Officer. Appropriate Plan changes require the additional approval of the [Constitution Compliance Committee].

Sanctions

Actions against Constitution personnel for Patient Privacy Plan violations may involve sanctions up to and including dismissal, as described in the Constitution Employee Manual and Compliance Program. A Business Associate who fails to appropriately safeguard personal health information disclosed to it by Constitution, or who otherwise fails to maintain the "chain of trust" regarding that information as required by its contract with Constitution, must take appropriate corrective action, have its contract terminated, or be reported to the federal Department of Health and Human Services, as determined by the Constitution Privacy Officer in consultation with the [Constitution Compliance Committee] and legal counsel.

Recordkeeping

The Constitution Privacy Officer is responsible for maintaining the documents listed below, available for review on request at Constitution offices. The documents must be kept for a minimum of 6 years beyond the date of the events to which they pertain, or a minimum of 6 years beyond the last effective date of any plan, contract, policy or procedure.

  1. Constitution Patient Privacy Plan
  2. Business Associate contracts
  3. Notices of Health Information Practices (current and prior)
  4. Authorizations for Release of Information
  5. Confidentiality Agreements (for non-Constitution personnel who are not Business Associates in Constitution offices)
  6. Patient requests for confidential communications
  7. Patient requests for amendment of record
  8. Patient data disclosures for other than routine treatment, payment, and health care operations and not covered by signed Authorization (such as those mandated by law)
  9. Patient medical information disclosure accountings
  10. Patient request for restrictions or revocation of Authorization (actions taken)
  11. Privacy complaints by patients (corrective actions, sanctions)
  12. Breaches of patient privacy and other Patient Privacy Plan problems (corrective actions, sanctions)
  13. Procedures (as listed in Procedures section of Patient Privacy Plan)
  14. Security safeguards (as listed in Security Safeguards section of Patient Privacy Plan)