Series No. 5000
CENTRAL INTERMEDIATE UNIT POLICIES
Date Approved: 9/23/2010
Date Revised:
Date Amended:
Supersedes Series No:
TITLE: HIPAA Compliance Plan (Partial Hospitalization Program)
POLICY: 5505
It is the policy of the Central Intermediate Unit # 10 to retain clients’ health information and documentation of compliance with the HIPAA Privacy Regulations, pursuant to the following schedule:
Client’s Medical/Treatment Chart
• Minimum of seven years from last date of treatment
• If the client is under the age of 18, the chart shall be retained for at least two years after the client’s 18th birthday
Client’s Billing File
• Minimum of seven years from last date of treatment
• If the client is under the age of 18, the billing file shall be retained for at least two years after the client’s 18th birthday.
ALL Documents Originated by an Agency or Agencies Other Than CIU#10, and Psychotherapy Notes If and Whenever Applicable
• Minimum of seven years from last date of treatment
• If request involves a client under the age of 18, request form shall be retained for at least two years after the client’s 18th birthday.
Crisis Logs, Quality Assurance and Utilization Review Materials, and Incident Reports
• Minimum of seven years from date of document
Each Version of Notice of Privacy Practices
• Seven years from last date in effect
Consents for Use/Disclosure of Health Information for Treatment, Payment or Health Care Operations
• Seven years from last date of treatment
• If revoked, document shall be retained with revocation form for seven years from date of revocation.
Authorization Forms
• Seven years from expiration date
• If request involves a client under the age of 18, request form shall be retained for at least two years after the client’s 18th birthday.
Responses to Requests for Release of Client Information Pursuant to Authorization Form
• Seven years from date of response to request for release of information
• If request involves a client under the age of 18, request form shall be retained for at least two years after the client’s 18th birthday.
Warrants, Subpoenas, Court Orders and/or Administrative/Governmental Requests Concerning Release of Client Information
• Seven years from date of response
• If request involves a client under the age of 18, request form shall be retained for at least two years after the client’s 18th birthday.
Responses to Warrants, Subpoenas, Court Orders and/or Administrative/Governmental Requests Concerning Release of Client Information
• Seven years from date of response
• If request involves a client under the age of 18, request form shall be retained for at least two years after the client’s 18th birthday.
Requests for Accounting
• Minimum of seven years from date of accounting
• If request involves a client under the age of 18, request form shall be retained for at least two years after the client’s 18th birthday.
Disclosure Sheets
• Minimum of seven years from last date of treatment
• If disclosure sheets involve a client under the age of 18, all disclosure sheets shall be retained for at least two years after the client’s 18th birthday.
Requests for Restriction on Uses and/or Disclosures and/or for Confidential Communications
• Minimum of seven years from date of response to or denial of request
• If request involves a client under the age of 18, request forms shall be retained for at least two years after the client’s 18th birthday.
Denials of Requests for Restriction on Uses/Disclosures and/or for Confidential Communications
• Minimum of seven years from date of denial of request
• If response involves a client under the age of 18, response shall be retained for at least two years after the client’s 18th birthday.
Responses to Requests for Restriction on Uses/Disclosures and/or for Confidential Communications, where Request has been Granted
• Minimum of seven years from last date of treatment
• If request involves a client under the age of 18, request form shall be retained for at least two years after the client’s 18th birthday.
Complaint Forms Concerning Privacy Practices
• Minimum of seven years from date of response to complaint
• If complaint involves a client under the age of 18, complaint forms shall be retained for at least two years after the client’s 18th birthday.
Responses to Complaint Forms Concerning Privacy Practices
• Minimum of seven years from date of response to complaint
• If complaint involves a client under the age of 18, response to complaint shall be retained for at least two years after the client’s 18th birthday.
Requests for Amendment of Health Information
• Minimum of seven years from date of response to request
• If request involves a client under the age of 18, request form shall be retained for at least two years after the client’s 18th birthday.
Responses to or Denials of Requests for Amendment of Health Information
• Minimum of seven years from date of response to complaint
• If complaint involves a client under the age of 18, response to request for amendment shall be retained for at least two years after the client’s 18th birthday.
Requests for Access to Health Information by Clients and/or Legal Representative
• Seven years from date of response to or denial of request, or from date of reviewing official’s letter of decision (if review requested)
Responses to or Denials of Requests for Access to Health Information by Clients and/or Legal Representative, with or without Requests for Review of Access Denial
• Seven years from the date of response to or denial of request, or from date of reviewing official’s letter of decision (if review requested)
Decisions of Reviewing Official on Review of Access Denial
• Seven years from the date of reviewing official’s letter of decision
Copies of Powers of Attorney, Guardianship Orders, Letters of Administration, Letters Testamentary, Custody Orders, or Other Proof of Status of Legal Representative
• As long as the client’s medical chart and/or consent for use/disclosure for treatment, payment or healthcare operations, is maintained
Policies and Procedures Concerning Maintaining, Retaining, Safeguarding, Requesting, Using and/or Disclosing Health Information and Related Documentation
• Seven years from last date policy or procedure was in effect
All Versions of The Matrix/Table of Workforce Access Determinations Pursuant to Minimum Necessary Standard
• Seven years from last date each version of The Table of Workforce Access Determinations was in effect
All Versions of Personnel and Other Designations Made Pursuant to the HIPAA Privacy Regulations
• Seven years from last date each version of personnel or other designation was in effect
Contracts with “Business Associates” as Defined by HIPAA Privacy Regulations
• Seven years from expiration date of contract or from termination of contract, whichever occurs first
Correspondence to and/or Received from HIPAA Business Associates Concerning Breach, Accounting of Disclosures, Amendment of Information, Termination of Agreement Due to Breach, Destruction or Return of Information, or Other HIPAA-related Obligations
• Seven years from date of most recent correspondence
Certificates of Destruction by Third Party (including HIPAA Business Associates)
• Indefinitely
Destruction Log
• Indefinitely
Documentation of Completion of Workforce Training
• Seven years from last date of employment
Personnel File Documentation of Workforce Privacy Sanctions Applied
• Seven years from date of completion of workforce sanction
It is further the policy of CIU # 10 that whenever destruction of client health information of any sort, or other related documents, is permitted pursuant to this retention schedule, destruction shall be completed pursuant to the following guidelines:
1. Documents shall only be destroyed by a process of shredding, leaving no readily readable portion of the document.
2. Immediately upon destruction of any documentation listed in the schedule above, the staff member charged with the duty of destruction shall document in the Destruction Log: (1) the date of destruction; (2) a description of the documents destroyed consistent with the titles in the schedule above, including where appropriate the name of the client(s) to whom individually identifiable health information relates; (3) the manner of destruction; and (4) the signature of the person completing the destruction.
Legal Reference: