HIPPA Privacy Policy

This Privacy Program describes how covered medical information  may be used and disclosed by Carter BloodCare (CBC) and how you may get access to this information. Please review this notice carefully. If you have any questions about this Notice, please contact us at:

Carter BloodCare
Attention: Privacy Officer
2205 Highway 121
Bedford, TX 76021
(817) 412-5340

1. Overview

The federal Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5 (Feb. 17, 2009) and related regulations, as revised, set forth national requirements and standards for the privacy and security of protected health information (PHI).

HIPAA/HITECH privacy regulations (as amended), also known as the “Privacy Rule,” apply to covered entities and their business associates. Covered entities include health care plans, health care clearinghouses and health care providers that transmit any health information in electronic form. Business associates are individuals and entities performing duties on behalf of a covered entity if those duties involve the creation, receipt, maintenance, use or disclosure of PHI.

Generally, the Privacy Rule prohibits the use or disclosure of PHI except in accordance with HIPAA regulations. The HIPPA regulations define and limit the circumstances under which covered entities may use or disclose PHI to others.

The privacy regulations specifically exempt the procurement or banking of organ, blood (including autologous blood), sperm, eyes or any other tissue of human product as they are not considered health care and the organizations that perform such activities would not be considered health care providers when conducting these functions.

Carter BloodCare (CBC) is not considered to be a “Covered Entity” that is subject to the HIPAA Privacy Rule, because entities that procure or bank blood are not considered health care providers that are subject to the law. See 45 CFR §160.103, 65 Fed. Reg. 82462, 82477 (Dec. 28, 2000). Functions performed by Reference & Transfusion Services, Clinical Apheresis Services and the Cellular Therapy Laboratory routinely expose staff to information that is subject to the HIPAA Privacy Rule.

CBC enters into Business Associate Agreements (BAAs) with certain hospitals and other providers. Through those BAAs, CBC assumes the role of a Business Associate and must comply with the obligations of the HIPAA Security Rule and a few elements of the HIPAA Privacy Rule.

While there are some elements of the HIPAA Privacy Rule that CBC must comply with, the majority of CBC’s HIPAA obligations are set forth in the HIPAA Security Rule. CBC’s compliance with these obligations is set forth within CBC’s HIPAA Security Policy. The HIPAA Security Rule generally addresses the ways that Business Associates must securely maintain, transmit and store PHI.

2. Definitions

2.1 Business Associate

A person or entity who, on behalf of a covered entity or an organized health care arrangement, performs or assists in the performance of one of the following:

• A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and

OR

• Other than as a member of the covered entity’s workforce, provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services for such covered entity or organized health care

2.2 Business Associate Agreement (BAA)

A contract or other arrangement between a covered entity and a business associate that does all of the following:

• Establishes the permitted and required uses and disclosures of PHI, including electronic protected health information (EPHI), by the business
• Provides that the business associate will use PHI only as permitted by the agreement or as required by law, use appropriate safeguards, report any disclosures not permitted by the agreement, ensure that agents to whom it provides PHI will abide by the same restrictions and conditions, make PHI available to individuals and make its record available to S. Department of Health and Human Services (DHHS).
• Authorizes termination of the agreement by CBC if CBC determines that there has been a violation of the contract.

2.3 Covered Entity

A health care provider who transmits any health information in electronic form in connection with a transaction covered by the Privacy Rule, a health care plan or a health care clearinghouse.

2.4 Electronic Protected Health Information (EPHI)

Information in an electronic medium that comes within the definition of PHI as specified in this section.

2.5 Privacy Rule

The Federal privacy regulations promulgated under HIPAA, which created national standards to protect PHI, codified at 45 CFR, Part 164, Subparts A and E.

2.6 Protected Health Information (PHI)

Individually identifiable health information that is maintained or transmitted in any form or medium. PHI excludes individually identifiable health information in education records covered by the Family Educational Right and Privacy Act (FERPA). For purposes of implementing HIPAA requirements, CBC intends to treat all individual records, including electronic records, as if they were health information and afford them the corresponding privacy protection.

2.7 Security Officer

CBC’s security/client information officer.

2.8 Security Rule

The Federal Security Regulations promulgated under HIPAA, which created national standards to protect the security of PHI, codified at 45 CFR, Part 164, Subpart C.

3. Minimum Necessary Standard

3.1 Purpose

CBC must restrict access and use of PHI to the minimum necessary to accomplish the intended purpose of the disclosure. See 45 CFR § 164.502(b).

3.2 Policy

• CBC will determine electronic and manual access to PHI by the scope and responsibilities of an employee’s
• General rule: With a few exceptions, use and disclosure of PHI is limited to the minimum necessary to meet the purpose of the
• CBC will not use, disclose or request an entire medical record except when the entire medical record is necessary to accomplish the purpose of the use, disclosure or
• Exceptions to the Minimum Necessary Standard

The following are exceptions to the minimum necessary standard:

• Disclosures to or requests by a health care provider for
• Disclosures made to the
• Disclosures made under authorizations requested by the
• Disclosures made to the Secretary of DHHS that are related to the compliance and enforcement of the administrative simplification provisions of
• Uses and disclosures that are required by law or court order so long as any restrictions provided by law are complied

3.3 Procedure

3.3.1     As necessary, the Security Officer will determine whether a use or disclosure is limited to the amount of PHI necessary to achieve the purpose of the use or disclosure.

4.0 Responding to Privacy Requests

4.1 Purpose

Individual patients may submit requests to CBC relating to the use or disclosure of their PHI. CBC has developed general policies and procedures to address how to handle patient requests and requests for accommodations from CBC covered entities.

4.2 Policy

CBC will accommodate requests for amendment to PHI, access to PHI, restrictions on the use of or disclosure of PHI and requests for alternative means of communication that are received from the CBC covered entity client. In the event that CBC receives a request for amendment of PHI, access to PHI, restriction on the use or disclosure of PHI or alternative means of communication directly from a patient, CBC will direct the patient to the covered entity.

4.3 Procedure

Amendment to PHI:

CBC will accommodate all requests for amendment to PHI received from a covered entity. CBC will adhere to the time frame for accommodating such requests as set forth in the BAA with the covered entity. If no time frame is specified in the BAA, action on a request for an amendment must be taken no later than 30 days after the receipt of the request from the covered entity. In the event that CBC receives a request for amendment to PHI directly from a patient, CBC shall forward the request for amendment to the covered entity that is providing health care services to the patient.

Access to PHI:

CBC will accommodate all requests for a patient to access PHI that are received from a covered entity. CBC will adhere to the time frame for accommodating such requests as set forth in the BAA with the covered entity. If no time frame is specified in the BAA, action on a request for access must be provided no later than 30 days after the receipt of the request from the covered entity. In the event that CBC receives a request for access to PHI directly from a patient, CBC shall forward the request for access to the covered entity that is providing health care services to the patient.

Restrictions on the Use or Disclosure of PHI:

If a covered entity has notified CBC that the covered entity has agreed to an individual’s request to restrict certain uses and disclosures of PHI, CBC shall comply with the terms of such restriction. CBC shall honor the terms of the agreed-upon restriction until informed by the covered entity that the restriction is terminated. If CBC receives a request for a restriction, CBC shall promptly forward such request to the appropriate covered entity in accordance with the applicable BAA. CBC shall inform the individual that his/her request has been forwarded to the covered entity for response. If the request for a restriction is granted by the applicable covered entity, for as long as the restriction is in place, CBC will abide by the restriction.

Alternative Means of Communication:

If a covered entity has notified CBC that the covered entity has agreed to an individual’s request for confidential communications, CBC shall comply with the terms of such agreement. CBC shall honor the terms of the agreement until informed by the covered entity that the agreement is terminated. If CBC receives a request for confidential communications, CBC shall promptly forward such request to the appropriate covered entity in accordance with the applicable BAA. CBC shall inform the individual that his/her request has been forwarded to the covered entity for response. If the request for confidential communications is granted by the applicable covered entity, for as long as the agreement is in place, CBC will abide by the agreement.

• Consult with the Security Officer about any questions or
• Knowledge of a violation or a potential violation of this policy must be reported directly to the Security

5. Accounting of Disclosures

5.1 Policy

CBC will uphold the right of individuals to receive an accounting of disclosures of PHI made by CBC about the individual, in accordance with HIPAA.

5.2 Procedure

CBC will track disclosures of PHI in accordance with HIPAA, any applicable BAA and this policy.

The written accounting provided to the individual or to the covered entity as specified in the BAA will include:

• The date of disclosure.
• The name of the entity or person who received the PHI and, if known, the address of such entity or person.
• The address, if known, and the entity or person who received the
• A description of the PHI
• A brief statement of the purpose of each disclosure that reasonably informs the individual of the basis for the disclosure or a copy of the request for disclosure, or in lieu of such statement, a copy of a written request for disclosure.

If multiple disclosures of PHI are made to the same entity or person for a single purpose, the reference to these disclosures in the accounting may be limited to:

• The information required for the first disclosure only.
• The frequency or number of the disclosures made during the accounting period.

The date of last disclosure.

Unless stated otherwise in an applicable BAA, CBC does not need to track the following disclosures, as HIPAA does not require them to be included on an accounting of disclosures:

• Disclosures made to carry out treatment, payment and health care operations.
• Disclosures to the individual or the individual’s personal representive.
• Disclosures made incidental to a use or disclosure otherwise permitted or required.
• Disclosures made pursuant to an authorization.
• Disclosures for a facility directory or to persons involved in the individual’s health care or for other notification purposes.
• Disclosures for national security or intelligence purposes.
• Disclosures to correctional facilities or law enforcement officials regarding individuals in their custody.
• Disclosures from a limited data set, as the term is used in HIPPA.
• Disclosures that occurred more than 6 years prior to the request for an accounting.

A patient requesting an accounting of disclosures will complete HIPAA Appendix 1 – Request for Accounting of Disclosures. Any workforce member receiving a request for an accounting of an individual’s PHI shall promptly notify the workforce member’s supervisor or the Security officer.

The terms of the BAA will determine if an accounting of disclosures requested by an individual should be given directly to the individual or to the covered The Security Officer will provide the requesting covered entity or individual with an accounting of disclosures of the PHI within the time period required by the BAA. If the BAA does not specify a time period, the accounting must be provided within 60 days of the date of request. CBC may extend the time to provide the accounting by no more than 30 days under HIPAA, but will need to provide the individual or covered entity, as applicable, with the reasons for the delay and the date by which CBC will provide the accounting. CBC cannot extend the time to provide an accounting more than once.

CBC will document and retain for a period of at least 6 years from the date of its creation or the date when it last was in effect, whichever is later, the information required to be included in an accounting, the written accounting that is provided to the individual and the title of the persons or officers responsible for receiving and processing requests for an accounting by an individual.

6.0 Anti-Retaliation

6.1 Purpose

CBC is committed to preventing retaliation against individuals for exercising their rights under HIPAA and other applicable federal, state and local laws and regulations. To support this commitment, CBC will maintain and update, as appropriate, written policies and procedures to prevent retaliation.

6.2 Policy

CBC shall comply with HIPAA whistleblower protections.

6.3 Procedure

CBC will not intimidate, threaten, coerce, discriminate against or take retaliatory action against:

• Any individual for the exercise of any right or participation in any process established under the Privacy Rule.
• Any individual or other person for filing a complaint under the Privacy Rule, testifying, assisting or participating in an investigation, compliance review, proceeding or hearing or opposing any act or practice made unlawful under the Privacy Rule.

Knowledge of a violation or potential violation of this policy must be reported directly to the Security Officer and CEO.

7. Document Privacy and Security
7.1 Purpose

The HIPAA privacy and security regulations require that documents containing PHI and documents pertaining to CBC in its role as a health care provider be kept confidential.

7.2 Policy

• This policy must not impede service delivery or prevent efficient practices (telephone messages, faxes). The policy must protect information in the individual’s record and limit incidental disclosures.
• All documents (including paper and electronic documents) containing identifying information must be kept confidential and secure.
• Identifying information includes: names, addresses, social security numbers, employee numbers, other identification numbers, account numbers, email addresses, internet addresses, fax numbers, vehicle ID numbers, birth dates, employment dates, photographs/descriptions of persons that could identify a specific individual.

7.3 Procedure

• All PHI delivered via intraoffice, interoffice or outside mail delivery should be sent in sealed This applies to areas that are accessible to the public during the process of picking-up and delivering mail. This does not apply to mail distribution areas/rooms or mail on someone’s desk.
• All documents containing identifying information must be shredded prior to Shredding or otherwise destroying PHI must render the PHI essentially unreadable, indecipherable and otherwise incapable of being reconstructed prior to it being placed in a trash receptacle. For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging or destroying the media (disintegration, pulverization, melting, incinerating or shredding) in accordance with CBC’s security policies.
• All floppy diskettes, CDs, flash drives and other media and devices that contain identifying information must be destroyed prior to disposal in accordance with CBC’s security A shredding service may be used for disposal of paper documents, floppy diskettes or both.
• All documents containing identifying information must be kept in a locked file cabinet or in a locked office when This does not apply to offices located in secure buildings or to areas of buildings where public access is not permitted (e.g., employee access only).
• All email and facsimile (fax) communications containing identifying information must contain a confidential warning regarding unintended access to the information.
• CBC will document and retain all HIPAA-related policies, procedures and privacy notices, client requests for accounting, restriction, amendment, alternate means of communication, requests to access his/her information and responses and dispositions related to these client requests, as well as complaints and related responses and dispositions to complaints, disclosures required to be tracked, lists of records clients may access and any other documents the Privacy Rule requires be created or CBC will retain such documentation for at least 6 years from the date of its creation or the date when it last was in effect, whichever is later.
• Knowledge of a violation of this policy must be reported directly to the Security Officer.

8.0 General Business Practices

8.1 Purpose

HIPAA Privacy and Security regulations require that PHI be kept confidential and secure in daily practice.

8.2 Policy

All staff must maintain the confidentiality and security of PHI in daily practice and must promptly report suspected breaches to the privacy office/legal services regarding suspected breaches.

8.3 Procedure

• All staff must speak quietly and confidentially when discussing PHI.
• All staff must avoid discussing PHI in hallways, elevators or other common areas.
• All staff must apply the minimum necessary For example, staff must leave only the minimum information on voice mail or an answering machine.
• All staff must use passwords, screen savers and other appropriate personal computer access protections.
• All staff must utilize a cover sheet and confirm fax numbers prior to sending Incoming and outgoing faxes containing PHI must be retrieved immediately.
• All staff must check copiers to be sure that originals are not forgotten.
• Knowledge of a violation of this policy must be reported directly to the Security Officer.

9. Compliance Assessments and Monitoring

9.1 Purpose

The Privacy Rule permits the DHHS to conduct compliance reviews to evaluate a covered entity’s compliance with the Privacy Rule.

9.2 Policy

CBC will conduct periodic compliance reviews to measure, monitor and document compliance with the Privacy Rule.

9.3 Procedure

• Compliance assessments and quality monitoring are periodically conducted on at least an annual basis.
• Compliance assessments, quality assessments, reports and other documentation must be provided to the Security Officer.
• The Security Officer may revise this policy to support compliance with HIPPA.

Right to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with CBC or the Secretary of the Department of Health and Human Services. To file a complaint with CBC contact our Privacy Officer at the address and phone number above. All complaints must be submitted in writing. You will not be retaliated against for filing a
complaint.

SMS Terms and Conditions

Text INFO to 94569 to receive informational alerts from Carter BloodCare. Approx 3msgs/mo. Message and Data Rates May Apply.

For additional information, text HELP to 94569. You may opt out at anytime by sending STOP to 94569. Contact us at donor.services@carterbloodcare.org.

Subscription Service available on most carriers including U.S. Cellular, AT&T, Cellular One, T-Mobile, Sprint, Boost, MetroPCS, Verizon Wireless, Alltel Wireless and Virgin Mobile. Msg&Data Rates May Apply. Requires text-enabled handset. You may cancel your subscription by texting STOP to 94569. You can also get info directly on your phone by texting HELP to 94569 or contacting us at donor.services@carterbloodcare.org. Service will continue until customer cancels. Carriers are not responsible for delayed or undelivered messages.

Privacy
Carter BloodCare respects your privacy. We will not share or use your mobile number for any other purpose. We will only use information you provide to transmit your text message. Nonetheless, we reserve the right at all times to disclose any information as necessary to satisfy any law, regulation or governmental request, to avoid liability, or to protect our rights or property. When you complete forms online or otherwise provide us information in connection with the Service, you agree to provide accurate, complete and true information. You agree not to use a false or misleading name or a name that you are not authorized to use. If we, in our sole discretion, believe that any such information is untrue, inaccurate or incomplete, we may refuse you access to the Service and pursue any appropriate legal remedies.