102.04B — Protected Health Information (HIPAA)
Effective: 9/5/2012
Revised: 7/5/2017
Replaces:
I. Guiding Philosophy
We understand the importance of patient confidentiality. We will maintain and protect
patient confidentiality as required by all applicable federal, state, and local laws.
II. Purpose
The purpose of this policy is to provide a system for ensuring compliance with federal,
state, and local laws pertaining to the gathering, storage, and release of protected patient health
information. Particular importance is given to the federal regulations found in the Healthcare
Insurance Portability and Accountability Act (HIPAA) enacted by the U.S. Congress on April
21, 1996 (Public Law 104-191).
III. Goals
The goals of this policy are to:
A. Detail the duties and responsibilities of the appointed BFR Privacy Officer and
supporting positions.
B. Describe the process for maintaining and securing protected health information
(PHI).
C. Define patient rights under these regulations.
D. Describe the process to handle requests for patient information.
IV. Definitions
A. Covered Entity — Under HIPAA, a covered entity is defined as a health plan, a
healthcare clearinghouse, or a healthcare provider which transmits any health
information in an electronic format in connection with a HIPAA transaction.
HIPAA compliance is required for any healthcare organization meeting the
definition of "covered entity."
B. HIPAA — The Healthcare Insurance Portability and Accountability Act (HIPAA)
enacted by the U.S. Congress on April 21, 1996 (Public Law 104-191) has two
main parts. Title I covers health insurance coverage for workers and their families
when they change or lose their jobs. Title II of HIPAA, known as the
Administrative Simplification (AS) provisions, requires the establishment of
national standards for electronic health care transactions and national identifiers
for providers, health insurance plans, and employers. The Administrative
Simplification provisions also address the security and privacy of health data.
C. Individually Identifiable Health Information — Any health information that
specifically identifies an individual. This includes but is not limited to the
patient's name, phone number, address, social security number, photographs,
Medicare or Medicaid number, insurance number, vehicle license or ID,
professional license number, fax number, driver's license number, email address,
account numbers, device ID's, internet protocol addresses, biometric identifiers, or
a patient's age if over 89 years old.
D. Protected Health Information (PHI) — Individually identifiable health
information which:
1. Is transmitted or maintained in any form or medium
2. Is held by a covered entity or its business associate
3. Identifies the individual or offers a reasonable basis for identification
4. Is created or received by a covered entity or an employer
5. Relates to a past, present, or future physical or mental condition.
E. Protected Health Information Exclusions — Individually identifiable protected
health information (PHI) exclusions under the law include:
1. Education records covered by the Family Educational Rights and Privacy
Act
2. Employment records held by a covered entity in its role as employer.
V. Privacy Officer
A. The Planning Section Chief will be assigned the role of BFR Privacy Officer.
The Privacy Officer has the authority to gain ready access to all patient records.
The primary duties of the Privacy Officer are:
1. Be the fire department point of contact for:
a. Patients and their representatives who have requests for
information or access to their personal patient information.
b. Complaints or concerns regarding the handling of PHI.
c. Other agencies or individuals (not representing the patient)
seeking the release of protected patient information.
R&R 102.04B — Protected Health Information (HIPAA) Page 2 of 16
2. Review and authorize all changes to, or release of PHI, except those
releases of information that are allowed for:
a. Patient treatment
b. Billing and payment needs
c. Exceptions allowed in coordination with law enforcement (see
Section VII).
B. The Privacy Officer will be assisted in maintaining fire department compliance in
the handling of PHI by the following individuals or groups:
1. Department Investigators/Public Information Officers (District Chief &
Captains)
a. Assist the Privacy Officer in the day-to-day administration and
oversight of the program.
b. Assist as necessary to ensure compliance.
2. Emergency Medical Program Manager (District Chief)
a. Works closely with the Privacy Officer to ensure the fire
department's policy stays current with the various laws regarding
PHI.
b. Works with the Emergency Medical Advisory Group to make
recommendations for changes to the current policy, as needed.
c. Oversees the quality assurance (QA/QI) program regarding patient
documentation to ensure PHI is properly recorded and protected.
3. Support Branch Director & EMS Training Coordinator (District Chief &
Captain)
a. Maintain monthly QA/QI as outlined in 203.03 [title illegible]
to ensure electronic records are completed in a manner
that protects patient health information.
b. Ensure that all fire department members receive initial and
ongoing training regarding the handling of PHI.
4. Fire Administration (Fire Chief and administrative staff)
a. Assist the Privacy Officer in securing records.
b. Maintain records of all needed business agreements/contracts with
vendors who have access to PHI.
VI. Maintaining Patient Records & Security of Protected Health Information (PHI)
A. Proper handling of PHI begins with the First Responder's understanding of what
PHI is and how it needs to be safeguarded to ensure the privacy of sensitive
patient information. All members will have access to these regulations in
Laserfiche and:
1. Are responsible for remaining current in these regulations and adhering
to the proper handling of PHI.
2. Will sign a department Confidentiality Agreement confirming that they
have read, understand, and will comply with the current PHI policy (see
Appendix A).
3. Are responsible for being vigilant in adhering to PHI requirements.
a. Failure to follow established regulations regarding PHI may lead to
disciplinary action up to and including indefinite suspension.
b. Mishandling or unauthorized release of PHI may also expose the
City, fire department and/or individual member to civil or criminal
consequences as covered under the provisions of law.
B. During patient care, all members should be aware of their environment and take
precautions to guard all patient information, both verbal and written, unless
needed in the actual treatment of the patient.
1. Patient information can be exchanged verbally as needed for patient
care, but discretion should be used whenever possible to keep bystanders
from overhearing PHI.
a. Try to communicate in a low voice or avoid the use of personally
identifiable information if not necessary when near others not
involved in treatment.
b. Consider waiting until a room or hallway clears as a reasonable
safeguard if the information isn't urgent for treatment.
c. Avoid using personally identifiable information away from the
scene if it isn't a part of authorized record keeping or
documentation.
2. Written information should be kept secured in a manner so that persons
who do not need to know or have a right to know cannot read it.
a. Written notes and documentation [illegible].
b. All fire stations will be supplied with a paper shredder and all
written material containing PHI shall be destroyed by shredding at
the station prior to disposal.
c. Written information can include but is not limited to:
i. Reports
ii. Pre-hospital care documents
iii. Notes taken at the scene
iv. Any typed or printed material containing PHI
C. After the incident, security of written records must be maintained until the written
information is destroyed.
1. Written notes or reports [illegible] at the station.
2. Shredders will be provided at all stations, and all written records shall be
destroyed by shredding before disposal.
3. All electronic records shall be secured at all times.
a. All software that is used to access PHI will be password protected.
b. All BFR members will have a unique password that will not be
shared with others for accessing these programs and documents.
c. Levels of security will be established and maintained for BFR
members to access PHI on a need to know basis as listed below.
| Position | PHI to be Accessed | Conditions of Access |
|---|---|---|
| Firefighter/EMT, Driver/Operator | CAD information, Firehouse report information, patient care reports | May access only as part of completion of patient care and post event documentation while on duty. |
| Station Captain/Acting Station Captain | CAD information, Firehouse report information, patient care reports | May access as part of completion of patient care and post event documentation while on duty. May access Firehouse reports on duty to complete QA/QI information for their assigned areas of responsibility. |
| Billing Staff | CAD information, Firehouse report information, patient care reports, billing information | May access only as part of duties to complete any billing requirements while on actual work shift. |
| District Chief/Acting District Chief, Deputy Chief/Acting Deputy Chief | CAD information, Firehouse report information, patient care reports | May access as part of completion of patient care and post event documentation while on duty. May access Firehouse reports on duty to complete QA/QI information for their assigned areas of responsibility. |
| Support Branch Director, EMS Training Officer/Acting EMS Training Officer (District Chief & Training Coordinators) | CAD information, Firehouse report information, Patient Care reports, Billing information | May access for training needs as well as QA/QI purposes. All individually identifiable patient information will be removed prior to release of information for training purposes. |
| Medical Program Manager, Medical Program Branch Manager | CAD information, Firehouse report information, Patient Care reports, Billing information | May access for training needs, QA/QI purposes, and to monitor compliance issues. All individually identifiable patient information will be removed prior to release of information for training purposes. |
| Department Privacy Officer (Planning Section Chief, District Chief & designated Captains) | All PHI documents and files | May access all information as needed to fulfill the duties of Department Privacy Officer. Access to information must be based on a work related need in accordance with all HIPAA guidelines. |
| Fire Administration (Fire Chief, Assistant Fire Chief, Administration staff) | All PHI documents and files | May access all information as needed to assist the Privacy Officer in his/her responsibilities, to evaluate the QA/QI process, to accomplish supervision of personnel, and to monitor compliance. Access to information must be based on a work related need in accordance with all HIPAA guidelines. |
d. Fire station computers should be set to log off for periods of
inactivity to ensure report privacy if another emergency causes the
crew to leave the PC unattended while working on the report.
e. All administrative staff must log off software containing PHI
before leaving a PC unattended.
f. All software that contains PHI will be backed up on a regularly
scheduled basis.
4. Telephone, FAX, and email of PHI must be in strict accordance with
authorized release of information.
a. The identity of anyone seeking information over the telephone
must be verified before the release of PHI. Information over the
phone will not [remainder illegible].
b. Unverifiable individuals seeking information shall not receive PHI
and shall be forwarded to the Privacy Officer to process their
request.
c. All fax machines shall be located in secure areas that are not
accessible by the public or any City employee who has not signed
the Confidentiality Agreement.
d. All fax and email recipients must be verified before sending the
information. The information should contain a FAX cover sheet or
email message with the following Confidentiality Notice:
Confidentiality Notice: If the reader of this notice is not the
intended recipient, or an employee or agent responsible for
delivering this message to the intended recipient, you are hereby
notified that any dissemination, disclosure, distribution, or
copying of this communication is strictly prohibited. Please notify
the sender by email or facsimile that you have received this
information in error and delete it from your files.
D. Documents used for administrative purposes require equal consideration for
privacy and security.
1. Whenever possible, it is best to leave PHI in electronic form as opposed
to printed form for general use. This minimizes the chance of a printed
document being left unattended or unsecured.
2. All printed copies of patient reports used for administrative purposes or
legal proceedings shall be destroyed by shredding prior to disposal.
3. All printed archive copies shall be destroyed by shredding prior to
disposal once the required retention period has been reached. Generally
this is a six year period following the incident.
E. All vendors who do business with the City and have access to PHI will be
required to enter into a Business Associate Agreement. The Logistics Section
Chief is responsible for coordinating with the Fire Chief on completing such
agreements.
1. HIPAA requires this agreement before any PHI can be given to a
vendor.
2. A separate agreement can be utilized or an existing contract with the
vendor can be modified to fulfill this requirement.
3. A list will be compiled and maintained of all vendors who have access to
PHI.
VII. Authorized Disclosure of PHI
A. Prompt treatment of the patient's immediate health needs is always the primary
concern. PHI can be transferred as needed to ensure quick and effective
healthcare treatment for the patient and no delay in treatment should be caused by
fear of PHI handling.
B. PHI can be used in the process of billing for provided healthcare services.
C. PHI can be released for healthcare operations including but not limited to:
1. Quality assurance
2. Employee review
3. Training of personnel or students
4. Licensing
5. Public health purposes
6. Medical control oversight
D. On the emergency scene, PHI can be released to the patient's family or
representatives that are DIRECTLY INVOLVED in the patient's care. If the patient is
of sound mind and reasoning, then the patient should be asked if they object to
[remainder illegible].
E. PHI can be released VERBALLY in certain situations to law enforcement even
though the Police Department is not considered a Covered Entity under HIPAA.
These instances include:
1. The patient is the victim of a crime.
2. The patient is in the custody of the Police.
3. Reporting of legally specified wounds (gunshot, stabbing, etc.).
4. Fire personnel reasonably believe the patient is a victim of abuse,
neglect or domestic violence. In these situations release of information
can also be made to other agencies authorized by law to receive reports
on these types of situations (social services, protective service
organizations, etc.) so long as it does not endanger the patient further.
5. If disclosure of PHI is necessary to alert law enforcement officials to the
commission of a crime or to the facts pertaining to a crime.
6. If the patient is deceased and the Police are handling the release of
information to the next of kin or in the investigation of the incident.
7. If the patient is suspected of being a danger to themselves or a danger to
fire department personnel.
8. If the patient has a reportable communicable disease that law
enforcement personnel have been exposed to.
9. In response to a law enforcement officer's request for the purpose of
identifying or locating a suspect, fugitive of the law, material witness, or
missing person.
10. The patient's driver license information, insurance card, and hospital
destination if they were involved in a motor vehicle collision.
F. PHI CANNOT be released [illegible] to law enforcement agencies without
a subpoena, subpoena duces tecum or authorized medical release.
• Receive any [illegible] containing PHI
• Be allowed to physically view any [illegible]
containing PHI
Without a subpoena, subpoena duces tecum or
authorized medical release filed with the
[illegible]
G. Exceptions to F above:
1. If a patient record has been redacted, then the information can be shared.
To comply with this requirement, all "individually identifiable health
information" has to be completely removed from the report.
2. PHI can be released as required by law (power of attorney, subpoena,
court order, etc.).
VIII. Patient Rights
A. The Notice of Privacy Practices (see Appendix B) should be made available to any
individual who requests it from the Beaumont Fire/Rescue Services.
B. Authorization forms (medical releases) should be completed by the patient or
their legal representative for all non-routine use of PHI.
C. Patients who contact the BFR Privacy Officer have the right to:
1. Access their health records. Adult patients or the legal guardians of
minor patients will be given a copy of their medical records when the
proper identification is provided and the "Request for Access to
Protected Health Information" form (see Appendix C) has been
completed and signed.
2. Request an amendment to their health record.
a. Requests to amend records must be made in writing to the BFR
Privacy Officer.
b. The fire department may deny a patient request to alter the
information if the fire department was not the originator of the
information or if the fire department believes the information
is/was accurate at the time the patient was treated or evaluated.
c. Patients who knowingly give false identification to emergency
personnel and then request that the information be changed in their
records will be referred to law enforcement officials to verify the
corrected identification.
d. If an amendment is authorized and made, a note will be appended to the
record to indicate the change, but the original information WILL NOT BE
DELETED.
e. If a patient's request to amend information is denied then an
explanation will be given to the patient and it will be noted in the
record.
3. Receive an accounting of certain disclosures made of their record
(usually for a six year period following the treatment).
a. Requests must be made in writing and must contain the signature
of the patient.
b. The information will list:
i. The dates of disclosure
ii. To whom the information was sent
iii. A description of what information was sent
iv. The purpose of the disclosure
c. Certain disclosures may be withheld from the accounting process
as allowed by law.
4. Request restriction on use and on method of communicating PHI.
a. The fire department may decline requests if they are not listed
among the restrictions imposed by law.
b. The fire department should only agree to specific restrictions in [illegible]
iii. All employees will comply with the investigating agency's
request as coordinated by the Privacy Officer.
c. U.S. Department of Health and Human Services
2. The Privacy Officer will ensure all complaints are investigated.
a. Complaints will be investigated and follow-up actions taken in
accordance with [reference illegible].
b. The Emergency Medical Program Manager will be notified if there
is a need for individual or group training based on the investigation
findings.
3. All complaints will be logged for tracking and compliance purposes.
IX. Requests for Release of Information
A. Requests to disclose PHI will be treated as Freedom of Information Act requests.
Parties will be directed to the City Clerk's office to submit their request.
B. The BFR Privacy Officer or designee will forward the "Request for Access to
Protected Health Information" form (see Appendix C) to the party to determine a
disposition on the request.
C. The Privacy Officer or designee will evaluate all requests for information and
either:
1. Grant the request.
2. Deny the request with a written response detailing the reason(s) for
denial.
Appendix A — BFR Employee Confidentiality Agreement
BEAUMONT FIRE/RESCUE SERVICES
EMPLOYEE CONFIDENTIALITY AGREEMENT
Given the nature of our service, it is imperative that we maintain the confidentiality of
protected patient information that we receive during the course of our work. Beaumont
Fire-Rescue Services prohibits the release of any protected patient information to anyone outside the
organization unless required for purposes outlined in R&R 102.04B — Protected Health
Information (HIPAA). Acceptable uses of Protected Health Information (PHI) within the
organization include but are not limited to: exchange of patient information as needed for
efficient treatment of the patient; billing for provided health care; peer review; internal audits;
and quality assurance (QA/QI) activities.
I understand that Beaumont Fire-Rescue Services provides care to patients that is private
and confidential, and that I have a crucial role in respecting the privacy rights of our patients. I
understand that patients provide sensitive information that is protected by federal, state, and local
laws and is considered strictly confidential in nature. This information provided for us includes
but is not limited to: electronic, verbal, written, and photographic information which identifies
the individual treated.
I agree that I will comply with all confidentiality policies and procedures set in place by
the Beaumont Fire-Rescue Services during my employment and subsequent association with the
Beaumont Fire-Rescue Services. If I, at any time, knowingly or inadvertently breach the patient
confidentiality policies and procedures, I agree to notify the Privacy Officer of the Beaumont
Fire-Rescue Services immediately. In addition, I understand that a breach of patient
confidentiality may result in disciplinary action up to and including indefinite suspension based
on the severity and the facts associated with the incident. Furthermore, if I leave the employment
of the Beaumont Fire-Rescue Services for any reason, I agree to return any and all confidential
Beaumont Fire-Rescue Services patient information in my possession.
I have read and understand R&R 102.04B — Protected Health Information (HIPAA). I
agree to abide by the policy or be subject to disciplinary actions up to and including indefinite
suspension of employment as well as any possible criminal or civil penalties associated with the
mishandling of Protected Health Information (PHI).
Signature:
Printed Name:
Date:
Appendix B — BFR Notice of Privacy Practices
BEAUMONT FIRE-RESCUE SERVICES
NOTICE OF PRIVACY PRACTICES
This document serves to give you notice as to how personal protected health information
about you may be used or disclosed. It also lists specific patient rights that you have
concerning your protected health information. Please review this information carefully.
Protected Health Information
Protected Health Information (PHI) is any personal information obtained about your care or
treatment that clearly identifies you as an individual in relation to the care you receive. The City of
Beaumont Fire-Rescue Services is required by law to maintain the privacy of confidential health care
information, and to provide you with a notice of our legal duties and privacy practices with respect to
your Protected Health Information (PHI).
Uses and Disclosures
Protected Health Information (PHI) may be used without your permission for the purposes of
your treatment, billing for services provided, and in maintaining the quality of our health care operations.
The following are some examples of our use of PHI as mentioned above:
For Treatment: This includes such things as obtaining verbal and written information about your
medical condition and treatment from you as well as from others, such as doctors and nurses who
give orders to allow us to provide treatment to you. We may give your PHI to other health care
providers involved in your treatment, and may transfer your PHI via radio or telephone to the
hospital or dispatch center. The primary objective in this sharing of information is that you
receive the most efficient treatment for your care without delay.
For Payment: This includes any activities we must undertake in order to get reimbursed for the
services we provide to you, including such things as submitting bills to insurance companies,
making medical necessity determinations and collecting outstanding accounts.
For Maintaining Quality Health Care Operations: This includes quality assurance activities,
licensing, and training programs to ensure that our personnel meet our standards of care and
follow established policies and procedures as well as certain other management functions
necessary to ensure we are providing you the best quality health care.
Beaumont Fire-Rescue Services is also permitted to use PHI without your written authorization, or
opportunity to object, in certain situations, and unless prohibited by a more stringent state law, including:
• For the treatment, payment or healthcare operations activities of another health care
provider who treats you.
• For health care and legal compliance activities.
• To a family member, or other relative, or close personal friend or other individual
involved in your care if we obtain your verbal agreement to do so or if we give you an
opportunity to object to such a disclosure and you do not raise any objection, and in
certain other circumstances where we are unable to obtain your agreement and believe
the disclosure is in your best interests.
• To a public health authority in certain situations as required by law (such as to report
abuse, neglect or domestic violence).
• For health oversight activities including audits or government investigations, inspections,
disciplinary proceedings, and other administrative or judicial actions undertaken by the
government (or their contractors) by law to oversee the health care system.
• For judicial and administrative proceedings as required by a court or administrative order,
or in some cases in response to a subpoena or other legal process.
• For law enforcement activities in limited situations, such as when responding to a
warrant.
• For military, national defense and security and other special government functions.
• To avert a serious threat to the health and safety of a person or the public at large.
• For workers' compensation purposes, and in compliance with workers' compensation
laws.
• To coroners, medical examiners, and funeral directors for identifying a deceased person,
determining cause of death, or carrying on their duties as authorized by law.
• If you are an organ donor, we may release health information to organizations that handle
organ procurement or organ, eye, or tissue transplantation or to an organ donation bank,
as necessary to facilitate organ donation and transplantation.
• We may also use or disclose health information in a way that does not personally identify
you or reveal who you are.
Any other use or disclosure of PHI, other than those listed above, will only be made with your
written authorization. You may revoke your authorization at any time, in writing, except to the extent that
we have already used or disclosed medical information in reliance on that authorization.
Patient Rights
As a patient, you have a number of rights with respect to your PHI, including:
• The Right to Access, Copy or Inspect Your PHI. This means you may inspect and copy most of
the medical information about you that we maintain. We will normally provide you with access to
this information within 30 days of your request. We may also charge you a reasonable fee to copy
any medical information that you have the right to access. In limited circumstances, we may deny
you access to your medical information, and you may appeal certain types of denials. We have
available forms to request access to your PHI and we will provide a written response if we deny
you access and let you know your appeal rights. You also have the right to receive confidential
communications of your PHI. If you wish to inspect and copy your medical information, you
should contact our Department Privacy Officer.
• The Right to Amend your PHI. You have the right to ask us to amend written medical
information that we may have about you. We generally amend your information within 60 days of
your request and will notify you when we have amended the information. We are permitted by
law to deny your request to amend your medical information only in certain circumstances, like
when we believe the information you have asked us to amend is correct. If you wish to request
that we amend the medical information that we have about you, you should contact our
Department Privacy Officer.
• The Right to Request an Accounting. You may request an accounting from us of certain
disclosures of your medical information that we have made in the six years prior to the date of
your request. We are not required to give you an accounting of information we have used or
disclosed for purposes of treatment, payment or health care operation, or when we share your
health information with our business associates, like our billing company or a medical facility
from/to which we have transported you. We are also not required to give you an accounting of
our uses of protected health information for which you have already given us written
authorization. If you wish to request an accounting, contact our Department Privacy Officer.
• The Right to Request that We Restrict the Uses and Disclosures of Your PHI. You have the
right to request that we restrict how we use and disclose your medical information that we have
about you. Beaumont Fire/Rescue Services is not required to agree to any restrictions you request,
but any restrictions agreed to by Beaumont Fire/Rescue Services in writing are binding on
Beaumont Fire/Rescue Services.
• Internet, Electronic Mail, and the Right to Obtain a Copy of Paper Notice on Request. If we
maintain a web site, we will prominently post a copy of this Notice on our web site. If you allow
us, we will forward you this Notice by electronic mail instead of on paper and you may always
request a paper copy of the Notice by contacting our Department Privacy Officer.
• Revisions of the Notice. Beaumont Fire/Rescue Services reserves the right to change the terms
of this Notice at any time, and the changes will be effective immediately and will apply to all
protected health information that we maintain. Any material changes to the Notice will be
promptly posted in our facilities and posted to our web site, if we maintain one. You can get a
copy of the latest version of this Notice by contacting our Department Privacy Officer.
• Your Legal Rights and Complaints. You also have the right to complain to us, the Texas
Department of State Health Services, or to the Secretary of the United States Department of
Health and Human Services if you believe your privacy rights have been violated. You will not
be retaliated against in any way for filing a complaint with us or to the government. Should you
have any questions, comments or complaints you may direct all inquiries to the BFR Privacy
Officer.
BFR PRIVACY OFFICER CONTACT INFORMATION:
Beaumont Fire Rescue Services
Attention: Privacy Officer
[street address illegible]
Beaumont, TX 77701
[phone number illegible]
Appendix C — Request for Access to Protected Health Information (PHI)
BEAUMONT FIRE-RESCUE SERVICES
REQUEST FOR ACCESS TO PROTECTED HEALTH INFORMATION
Your Name:
Your Address:
City: State: Zip Code:
Patient Name:
Patient Social Security Number:
Date of Service(s):
What is your relationship to the patient? (You will be required to show proof of identity and/or
relationship to the patient prior to receiving any Protected Health Information)
What is the purpose of your request? (To release, amend, or view protected health information)
Signature: Date:
Printed Name:
Phone number where you can be reached: