
Limbic Resources, Inc.
dba Lewis Bay Associates, Bourne Pond Associates, and The Memory Center & Professional Profiles
119 Cedar Street, Hyannis, MA 02601
(774) 470-4535
September 1, 2015 (last modified 06/22/18)


Re: Policy and Procedures

I. Designating Required Personnel § 164.530(a):

Privacy officials must be established. They are the point person(s) for policy implementation, development and the complaints process. Both a Privacy Officer and a Privacy Contact need to be designated and documented as such (they may be the same person or different persons).
A. (Dr. Gerald Elovitz) is the Privacy Officer and has the following job duties:
1. Maintains awareness of relevant HIPAA laws and regulations, including changes that may affect privacy practices.
2. Develops, revises, implements and administers privacy policy and procedures; makes necessary updates as changes take place.
3. Assures implementation of privacy activities and HIPAA compliance.
4. Educates and trains workforce on privacy issues and practices.
B. (Dr. Gerald Elovitz) is the Privacy Contact and has the following duties:
1. Receives and handles complaints from patients regarding privacy issues.
2. Provides further information and assistance regarding privacy practices.
3. Reports and documents privacy activities.
II. Training the Workforce [§ 164.530(b)] in privacy and security: All members of the workforce are required to receive training on the policies, procedures and forms with respect to PHI as necessary and appropriate for their role. As stated above, the Privacy Officer is charged with overseeing the following:
A. CE implements policy and procedures for training. CE provides training on privacy activities, policy, procedure, and forms. CE documents that training has been provided. Initial training must be done by compliance date. Training for new members of workforce must be within a reasonable time (not defined). Retraining is provided to workforce members whose duties are related to material changes in policy/procedures.

III. Safeguards [§ 164.530(c)] must limit intentional, unintentional, and incidental disclosure of PHI to persons other than the intended recipient. No specific measures are required.
A. Adopt policy and procedures that include administrative, technical, and physical safeguards (storage, access, use, disclosure process, training).
1. Access to Office
a. Cleaning Service, Gail Quinn, M.Ed., Craig Hunt, B.A., Denise Bence, Rebecca Johnson.
2. Record Keeping
a. On site in locked file cabinets
b. On-site computers
i. 1860 Santuit-Newtown Road (508) 420-9989 Cotuit, MA 02635
ii. Connected to a local (on-site) server backed up to Mac.com





B. Must protect against any intentional or unintentional use or disclosures in violation of the rule or implementation specifications
1. Must limit any incidental uses or disclosures
C. Limitations on access to PHI must work with the minimum necessary standard and policy should reflect this coordination; must provide training necessary to assure competent security.
1. No information is available to persons with access to office.
2. Patient consent required for any non-routine disclosure
a. Consent forms located in patient file or database in office
D. Ensure measures are in place so that employees, patients, and others are not subject to intimidation, threats, coercion, discrimination or retaliation for complying with HIPAA or filing a complaint (see separate section on Sanctions below).
E. Ensure patients, clients, and workforce aren’t required to waive their right to file a complaint (separate section immediately below).
IV. Complaints Process [§ 164.530(d)] requires CE to have a mechanism for receiving internal complaints from individuals concerning violations of the CE’s privacy practices and the requirements of the privacy standards.
A. Develop and implement formal process for persons to make complaints.
B. Develop process for plan of correction to process improvement when complaint is received or when a mistake is identified.
C. Must have an identified contact person for complaint process.
D. Prohibit retaliation against persons for filing a complaint or exercising any right of the rule.
E. Must maintain a record of complaints and brief explanation of nature and resolution if any.
F. Must be prepared to respond to complaints that may be filed with the Secretary of HHS.
V. Sanctions against members of workforce who fail to comply with privacy policies or procedures of the CE or requirements of the rule. Does not apply to whistleblowers and business associates. They are addressed separately in 164.504.
A. CE must develop and impose sanctions appropriate to the nature of the violation based on nature, severity, intentional/unintentional and if pattern of improper use or disclosure.
1. CE will consult with professional peers on a case by case basis
B. Must have written policy and procedures for the application of appropriate sanctions
C. Must document sanctions and violations.
VI. Refraining from Intimidating or Retaliatory Acts [§ 164.530(g)]: A CE may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against
A. an individual for filing a complaint or participating in a process prescribed by the Rule or
B. individuals and others for
1. filing a complaint with the Secretary,
2. testifying, assisting or participating in an investigation, compliance review, proceeding, or hearing under Part C of Title XI, or
3. opposing any act or practice made unlawful by the Rule, provided the individual… made the complaint in good faith belief that an unlawful act happened and that the opposition was made in a reasonable manner without disclosing PHI in violation of the Rule.
VII. Duty to Mitigate Breaches of confidentiality: must alleviate any harmful effect of a use or disclosure of PHI that is known to the CE. Applies to CE’s policy and procedures and violations of the requirements of the rule. CE responsible to act on harm caused by workforce or by business associates.


A. CE will:
1. Interview relevant persons and review documents
2. Consult with peers and/or attorney about appropriate actions
3. Communicate in written form to all parties asking for documentation that the specific breach has been addressed as well as the causes of the breach.

VIII. Patient Rights – specific rights have practice or procedural elements that need policy and procedure development and documentation.
A. Written notice of privacy practices and posting
B. Designated record set
1. On site patient records
2. Off site computer records
C. Requests for restrictions on disclosure
1. The Privacy Officer will inform clients that they must submit a written request for restrictions on disclosure.
2. The Privacy Officer will review the appropriate subparts of the Privacy Rule and give the client a written response according to the Rule’s requirement.
3. Note: CE has the right to refuse to agree to a client’s request re: uses and disclosures. But if a CE agrees, then the CE must adhere to the agreement. A CE can later change its mind but the changes only apply to information received after notification of the change to the client.

D. Requests for confidential communication
1. The CE will accommodate reasonable requests for clients to receive communications from the CE by alternative means or locations.
2. A health plan only has to do this if the client provides a statement that the PHI will endanger the individual if not sent to the alternative requested.
E. Requests for access and copying PHI Sec. 164.524
1. Individuals have right to inspect and obtain a copy of PHI as long as it is maintained as part of a designated record set except for
a. psychotherapy, interview, & testing notes or raw data & reports
    b. information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding,
    c. two technical exceptions related to the Clinical Laboratory Improvements Amendments.
       i. these exceptions will be documented
   2. Requests will be acted upon in 30 days or in 60 days if the records are not on site.
   3. A summary may be provided if the person requesting the information agrees.
   4. A reasonable cost-based fee may be imposed for copying, labor and postage. 
   5. Documentation will be retained for at least 6 years from the date of the creation or date document was last in effect, whichever is later.
F. Requests for amending and correcting PHI
   1. Clients have the right with many exceptions to get CEs to amend a record.
   2. Such requests may be denied
     a. if the CE determines that the PHI is accurate and complete,
    b. when the CE didn’t create the PHI (unless the originator isn’t available to make the amendments),
     c. when the information isn’t part of the designated record set.
   3. The CE may require requests for amendment in writing and will act on a request within 60 days.    
4. If the CE grants the amendment the CE will identify which records are affected and amend, append, and/or provide a link to the location of the amendment.
   5. If the CE denies the amendment, the CE will provide the individual with a written denial stating the basis of the denial, the patient’s right to submit a written statement disagreeing, the patient’s right to request that the CE provide a copy of the request for amendment and the denial response with any future disclosures of the PHI, and how the patient may file a complaint via the CE’s complaint process or the Secretary of HHS.
   6. If the CE is informed of another CE’s amendment to a client’s record, that first CE must amend also.
7. Dr. Gerald Elovitz is the designated officer responsible for receiving and processing requests for amendments. 
G. Requests for an accounting of PHI disclosures
1. Individuals have the right to receive an accounting of disclosures of PHI made by a CE in the 6 years prior to the request except:
      a. to carry out TPO,
      b. disclosures already made to the individual requesting it,
      c. facility directory,
      d. national security or intelligence,
      e. correctional/law enforcement,
      f. part of a limited data set,
      g. information gathered prior to compliance date,
      h. pursuant to an authorization,
      i. any information released incidental to a use or disclosure “otherwise permitted in this subpart”.
    2. The CE will document for each disclosure over the last 6 years:
a. the date of each disclosure, names, description of what was disclosed, if it was a regular release then the frequency, date of the first and the last.
    3. The CE will have 60 days to give the accounting and will document and retain an accounting of the disclosures.
    4. The first “accounting of disclosures” must be made free of charge.
H. HIPAA is a federal floor. Substance Abuse Treatment Acts still apply and will be considered in light of HIPAA standards.

IX. Notice of privacy practices: The Privacy Notice will be offered to each client when seen in person.

X. Business associate relationship.

A. See G. Elovitz for the Business Associate Contract (for contracting officers only)

XI. Oral communications
A. All oral communications will be between the CE and the patient, or via the office coordinator or technical assistant.
