HIPAA COMPLIANT PRIVACY POLICIES & PROCEDURES
INTRODUCTION AND KEY DEFINITIONS
- PURPOSE. This document outlines the Company’s policies and procedures (the “Policies and Procedures”) regarding patient and potential patient data privacy and security. These Policies and Procedures summarize the permitted uses and disclosures of patients’ protected health information (“PHI”) as permitted by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule” or the “HIPAA Privacy Rule”), as amended by the Health Information Technology for Economic and Clinical Health Act, which is at Section 13400, et seq. of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. § 17921, et seq. (the “HITECH Act”), and any regulations promulgated thereunder, including the HIPAA omnibus final rule (the “HIPAA Final Rule”).
- SCOPE. These Policies and Procedures apply to all Company staff members and Business Associates.
- PRIVACY POLICY STATEMENT
- The Company is committed to complying with the Privacy Rule.
- The Company recognizes the need to protect the privacy of PHI in order to facilitate the effective delivery of healthcare and wellness initiatives. These Privacy Policies and Procedures are designed and intended to ensure the Company’s compliance with the Privacy Rule. The Company adopts these Policies and Procedures to protect any PHI received from unauthorized use, disclosure, or access, and to maintain the confidentiality and integrity of that PHI. These Policies and Procedures also ensure that individuals have rights related to their PHI.
- KEY DEFINITIONS
- A “Business Associate” is a person or entity, other than a member of the Company’s workforce, that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity or Company for a function or activity regulated by HIPAA. The HIPAA Final Rule expands the definition of “Business Associate” to include subcontractors to a Business Associate that create, receive, maintain, or transmit PHI on behalf of a Business Associate. Business associate functions or activities on behalf of a covered entity include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing.
- “Company” means Arabella Wellness Center Inc and its affiliates and subsidiaries, as applicable.
- “Covered Entity” means a health plan, a healthcare clearing house, or a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
- “Prominent Media Outlets” means the general interest newspaper(s), television station(s), and/or radio station(s) serving the state, county, or city on a daily basis (or on the most frequent basis).
- “Protected Health Information” or “PHI” is information that (1) identifies (or could be reasonably used to identify) an individual, (2) is created or received by a HIPAA covered entity (a health care provider, health plan or healthcare clearinghouse) and (3) relates to the past, present or future physical or mental health of the individual, the provision of healthcare to the individual, or the past, present or future payment for the provision of healthcare to the individual.
- “Representative” means any person that is authorized to act on behalf of the Company, including but not limited to the Company’s directors, officers, employees, contractors, subcontractors, service providers, and the employees, directors, and officers of the Company’s contractors, subcontractors, and service providers.
These Policies and Procedures will be amended and/or supplemented as necessary and appropriate to comply with changes in the law or regulations or other interpretations of the Company’s privacy-related obligations or to reflect changes related to the Company. The Company will document and implement changes to these Policies and Procedures whenever there is a change in the law, regulations, or interpretation of the Company’s privacy obligations and/or a material change to the uses or disclosures of PHI or other privacy practices that necessitate a change in these Policies and Procedures. These Policies and Procedures are effective as of January 1, 2025.
RESTRICTED INTERNAL ACCESS TO PHI
- The Company has implemented reasonable safeguards, including appropriate administrative, technical, and physical measures to protect the privacy of PHI and to prevent impermissible uses and disclosures of PHI. The Company has limited access to PHI to only those Company employees and Business Associates who need to use or disclose PHI to carry out their duties.
- Access to PHI is limited to the following Company employees and Business Associates for the purpose(s) described herein.
- IT Personnel. Information technology (“IT”) employees and contractors provide technical support to Covered Entities that perform functions that utilize PHI.
- Operations Department. The Operations Department employees provide patient and provider scheduling and service management.
- Finance Department. The Finance Department employees provide analytical and data services related to provider services to patients.
- Executive Leadership Team. The executive leadership team oversees all Company operations, including various patient and patient care related issues.
- Payment Processing Systems
- Physical Layout and How Hardcopy PHI is Handled
- “Clean Desk” Rule. To the extent that Company employees maintain paper documents containing PHI, they will observe a “clean desk” rule with respect to such materials, including (i) keeping such materials on their desktop only when in use; (ii) turning documents face-down on their desktop whenever possible; and (iii) at the end of each workday, putting all such materials away in their desk and locking the door to any office containing PHI. During any extended periods away from his or her desk, such as during a lunch break, an employee will place materials containing PHI in a locked drawer.
- Locked File Cabinets/Desk Drawers. To the extent possible, hard-copy PHI will be maintained in filing cabinets or desk drawers, which are locked when not in use.
- Computer Security
- Email Security. To the extent practicable, Company employees should avoid emailing or otherwise sharing PHI in electronic form, except as expressly authorized by their supervisor or by the Company’s policies and procedures. If a Company employee must send an email containing PHI, the email should contain the minimum amount of PHI necessary to accomplish the work task.
- Password Protection. All Company desktop computers and laptops will be password-protected, utilizing reasonably strong passwords (e.g., at least 8 characters with at least one capital letter and at least one symbol or numeral, etc.).
- Screen-Savers and Automatic Log-off. Company desktop computers and laptops will utilize screen-savers that will be activated, along with automatic log-off, when the computer is inactive after 20 minutes.
- Device Encryption. Company employees should never disable device encryption software used by the Company and should enable all updates to such device encryption software provided by the Company.
- Portable Devices.
- Company employees are permitted to take their laptops home but must never leave laptops unattended at home or in transit. Employees should never leave a laptop in an unlocked room or car, nor should a laptop be left in plain sight in a locked car.
- Securing Laptops. Company employees must never leave their laptops unattended or unsecured. Employees should ensure that their laptop is stored in a locked drawer or attached to a locked cable at the end of the workday.
- Fax Machines. When practicable, Company employees will call ahead to ensure that the appropriate person can receive a fax containing PHI. Incoming faxes, particularly those containing PHI, will be picked up immediately.
- Printers. Print jobs, particularly those containing PHI, will be picked up immediately.
- Copiers. Company employees will remove their copy jobs containing PHI from the machine when the job is completed.
- Secure Conversations.
- Company employees discuss PHI only with other employees who have access to it and only as required to perform their job responsibilities.
- Conversations that involve PHI are conducted using moderate voice tones.
- The IT employees only discuss PHI with the other Company employees to the extent necessary to provide technical support related to electronic PHI.
- Company employees do not discuss PHI with other Company employees who do not have access to PHI, except as provided for in these Policies and Procedures.
- Company employees may receive communications from individuals who wish to discuss their own PHI.
- Such conversations should be had in a private area where the PHI being discussed is unlikely to be overheard by a third party.
- Conversations that involve PHI should be conducted using moderate voice tones.
- If an individual orally contacts a Company employee to inquire about matters related to his/her PHI, the Company employee verifies the individual’s identity by requesting the individual’s date of birth and address.
UNLESS SPECIFICALLY AUTHORIZED AS ABOVE OR IN WRITING BY THE COMPANY, ALL OTHER EMPLOYEE ACCESS TO PHI IS UNAUTHORIZED, STRICTLY PROHIBITED, AND MAY RESULT IN SANCTIONS.
USES AND DISCLOSURES OF PHI THAT ARE REQUIRED OR PERMITTED BY THE PRIVACY RULE OR PERMITTED BY AUTHORIZATION
- REQUIRED USES AND DISCLOSURES. The Company is required to use or disclose PHI in the following circumstances:
- Individual Access. To the individual who is the subject of the PHI contained in the designated record set, provided the individual’s identity is reasonably verified by the Company employee, or if the request is to inspect and/or copy his/her PHI.
- Access by Secretary of HHS. To the Secretary of the Department of Health and Human Services (“HHS”) when the Secretary investigates a complaint or monitors compliance. The Company will verify the identity of the HHS requester.
- DISCLOSURES TO FAMILY MEMBERS
- Spousal Access. A spouse must typically sign a HIPAA-compliant authorization releasing an individual’s PHI to his or her spouse. A template HIPAA-compliant authorization form is contained in the Appendix to these Privacy Policies and Procedures. Company employees should verify whether any personal representatives have been designated by the individual prior to disclosing PHI to a spouse.
- Parental Access. Parents or guardians (“Parents”) are generally considered the personal representatives of unemancipated minors. As such, the Company generally responds to parental inquiries and can provide Parents with access to the minors’ PHI. Company employees should verify whether any personal representatives have been designated by the individual prior to disclosing PHI to a Parent.
- USES AND DISCLOSURES OF PHI PERMITTED WHEN THE PATIENT IS DECEASED. The Company may disclose PHI of a deceased patient to a family member, other relative, close personal friend, or other person previously identified by the patient as someone involved in the patient’s care or payment for health care before the patient’s death. PHI disclosed will be limited to what is relevant to the person’s involvement in the patient’s care. NOTE: If the Company knows that the disclosure of PHI would be inconsistent with a preference previously expressed by the patient, the PHI requested will not be disclosed. Prior to disclosing a deceased patient’s PHI at the direction of a personal representative, the Company will verify the individual’s legal authority to act on behalf of the deceased patient or the deceased individual’s estate. The PHI of a deceased patient is no longer considered to be PHI and is no longer subject to HIPAA after a period of 50 years following the death of the patient.
- USES AND DISCLOSURES PERMITTED FOR TREATMENT, PAYMENT, OR HEALTH CARE OPERATIONS. The Company may use or disclose a patient’s PHI for their treatment, payment, or health care operations without written authorization from the patient. An effort to obtain such consent prior to use is the Company’s best practice.
- USE AND DISCLOSURE OF PHI PERMITTED PURSUANT TO A VALID AUTHORIZATION. The Company will only use or disclose PHI to third parties for purposes other than treatment, payment, or health care operations, or as permitted by the Privacy Rule or otherwise required by law, upon receipt of a valid, written authorization by the appropriate person. Once a valid authorization is received, the Company will only use and disclose information consistent with the terms of the authorization. An individual may revoke, in writing, his or her signed authorization at any time, except to the extent that the Company has taken action in reliance on the authorization prior to revocation.
- Authorization Forms. The Company should verify that an authorization is valid where an authorization is required. A template HIPAA authorization is contained in the Appendix to these Privacy Policies and Procedures. Valid HIPAA authorizations must contain the following information:
- A description of the information to be used or disclosed that describes the information in a specific and meaningful fashion.
- The name or other specific identification of the person(s) or class of person(s) authorized to use or disclose the information from the Company.
- The name or other specific identification of the person(s) or class of person(s) to whom the Company may use or disclose the information.
- A description of each purpose of the requested use or disclosure. If the individual initiates the authorization, the purpose may be described as “At the individual’s request.”
- An expiration date or event related to the individual’s purpose of the use or disclosure.
- Signature of the individual who is the subject of the PHI and the date. If the authorization is executed by a personal representative, it must include a description of a Representative’s authority to act for the individual.
- If the authorization is for the purpose of marketing and involves the direct or indirect payment from or on behalf of a third party whose product or service is being described:
- A statement that the Company is receiving a direct or indirect payment from or on behalf of a third party whose product or service is being described in the marketing efforts.
- If the authorization is for the purpose of selling PHI:
- A statement that the Company will receive financial remuneration.
- A statement that the individual may revoke the authorization in writing, and a reference to the Company’s notice of PHI use and disclosure.
- A statement that the Covered Entity shall not condition treatment, payment, or eligibility for benefits on the authorization (unless one of the conditioning exceptions applies, in which case that exception must be explained).
- A statement on the potential for information disclosed under the authorization to be subject to redisclosure by the recipient, and the fact that once the information is disclosed (to a non-covered entity) it is no longer protected by HIPAA.
- A statement informing the signatory authority that they are entitled to receive a copy of the signed authorization.
- OTHER PERMITTED USE WITHOUT AUTHORIZATION. The Company may use and disclose PHI for the proper management and administration of the Company; provided that such use or disclosures are required by law or will remain confidential. The Company may, in accordance with the Privacy Rule, de-identify PHI and further use and disclose such de-identified health information without regard to HIPAA. The Company may also provide data aggregation services relating to the health care operations of the Covered Entity.
THE MINIMUM NECESSARY REQUIREMENT
- APPLICABILITY OF THE MINIMUM NECESSARY REQUIREMENT. The Company will apply the minimum necessary standard to all uses and disclosures of PHI, except as follows:
- Disclosures to or requests by a health care provider for treatment purposes;
- Permitted and required disclosures to the individual who is the subject of the information;
- Uses or disclosures pursuant to a valid authorization executed by the individual;
- Disclosures made to the Secretary of HHS in accordance with the Privacy Rule; or
- Uses and disclosures required by law and uses and disclosures required for compliance with the Privacy Rule.
- IDENTIFICATION OF EMPLOYEES
- Identified Employees. The Company employees who need access to PHI are identified in the Company’s Policies on Personnel Designations and Restricted Internal Access to Protected Health Information. No other Company employees may have access to PHI unless authorized in writing and/or as necessary for the performance of their job duties.
- Restrictions on Employee Access. The Company employees who need access to PHI only have access to the PHI necessary for their job duties unless specifically authorized in writing.
- MINIMUM NECESSARY REQUIREMENT APPLIED TO USES AND DISCLOSURES OF PHI.
- Reliance on Scope of Request as Minimum Necessary. The Company may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:
- Making disclosures to public officials for purposes permitted under 45 CFR §164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s);
- The information is requested by another Covered Entity owner of such PHI; or
- The information is requested by a researcher with appropriate documentation from an Institutional Review Board.
- REQUESTS FOR PHI AND THE MINIMUM NECESSARY REQUIREMENT. Requests for PHI initiated by the Company shall seek only the minimum necessary to accomplish the purpose for which the request is made.
- LIMITATION REGARDING USING, DISCLOSING OR REQUESTING ENTIRE MEDICAL RECORD. For all uses, disclosures, or requests to which the minimum necessary requirements apply, the Company will not use, disclose, or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.
BUSINESS ASSOCIATE RELATIONSHIPS
- BAA. Before the Company discloses PHI to a Business Associate or permits a Business Associate to create, maintain, or transmit PHI on its behalf, the Company enters into the required Business Associate Agreement (“BAA”), a contractual agreement by any name that requires the Business Associate to guard any received PHI with HIPAA security compliance. The Company or a Representative is responsible for identifying those vendors that require BAAs and ensuring that such BAAs are entered into. Upon execution, a copy of the BAA must be sent to the appropriate Company personnel.
- MONITORING AND NON-COMPLIANCE. The Company monitors Business Associates’ compliance with their obligations only if it has a reasonable belief that a Business Associate has violated its BAA. Any Company employee, Business Associate, or agent who becomes aware that a Business Associate may be violating its obligations to the Company must immediately report such alleged violation to the Company, which may investigate the matter and, if warranted, take reasonable steps to cure the violation.
- Investigation. The Company may designate a Representative to take the following steps as appropriate if they become aware of a possible violation of a BAA: (1) interview Company employees who may have knowledge of the alleged violation; (2) interview the Business Associate’s employees who may have knowledge of the alleged violation; (3) collect any documentation from the Company or the Business Associate that relates to the alleged violation; (4) contact the Business Associate to obtain information related to the alleged violation; (5) review the documents that pertain to the alleged violation; and (6) take any other actions that a Representative deems appropriate.
- Response If Violation Has Occurred. If the Company determines that the Business Associate has violated the agreement, the Company may:
- Sanction any Company employee involved with the violation;
- Request that the Business Associate sanction any of its employees who were involved with the violation;
- Coordinate with the Business Associate to perform a risk assessment for potential notification of Breach purposes in accordance with the Company’s breach notification policy;
- Mitigate any harmful effect that the Company knows of resulting from the improper use or disclosure of the PHI;
- Take any remedial steps provided for by the BAA;
- Work with the Business Associate to cure the violation and ensure such violation will not occur again. But, if the reasonable steps taken to cure the violation are unsuccessful, the Company may terminate the contract with the Business Associate and/or
- Cancel the BAA.
PERSONAL REPRESENTATIVES
- GENERAL RULE. Generally, the Company must grant a personal representative the same right to access and control uses and disclosures of PHI that would be allowed to the patient they represent.
- Examples of Personal Representatives.
- An adult who has legal authority over an individual with respect to health care decisions (e.g., a parent or guardian);
- An emancipated minor acting on behalf of the individual (e.g., an underage parent of a child);
- A legal representative of a deceased individual (e.g., an administrator or executor of an individual’s estate);
- Any other person authorized under applicable state law to make decisions related to health care on behalf of the individual; and
- Any individual designated in accordance with HIPAA as a personal representative.
- Exceptions. If a patient contacts the Company directly and expresses the desire to revoke a personal representative designation (where such is revocable under HIPAA), the Company will not share PHI with such a personal representative.
INDIVIDUAL REQUESTS/RIGHTS UNDER HIPAA
- RIGHT TO INSPECT AND COPY PHI. The Company may accommodate an individual’s request to inspect and/or copy his/her PHI.
- REQUESTS FOR CONFIDENTIAL COMMUNICATIONS OF PHI AND/OR ALTERNATIVE MEANS OF COMMUNICATIONS. The Company may accommodate an individual’s reasonable request to receive communications of PHI in a confidential manner or at an alternative location. If the individual clearly and reasonably states that the disclosure of all or part of that information could endanger the individual, the Company will accommodate the individual’s request.
- REQUESTS TO RESTRICT USES AND DISCLOSURES OF PHI. All requests will be forwarded to the appropriate Company personnel. The Company may accommodate an individual’s reasonable request to restrict uses and disclosures of their PHI to carrying out treatment, payment, or health care operations or disclosures to a relative or individual identified by the patient.
- REQUESTS FOR ACCOUNTING OF PHI DISCLOSURES
- STANDARD TO REQUEST AN ACCOUNTING. Individuals have a right to receive an accounting from the Company that lists certain disclosures of their PHI made by the Company during the six (6) year period prior to the request.
- CONTENTS OF THE ACCOUNTING.
- Accounting Requirements. The accounting will be written and will contain the following information:
- Disclosures of PHI that occurred in the last six (6) years;
- The date of the disclosure. If multiple disclosures were made to the same person or entity, then the date of the first disclosure, the frequency or number of disclosures made, and the date of the last disclosure;
- The name of the person or entity who received PHI and their address, if known;
- A brief description of the PHI disclosed; and
- A brief statement of purpose for making the disclosure.
- If PHI disclosures were made for research purposes in accordance with 45 C.F.R. § 164.512(i) for 50 or more individuals, the accounting may also provide:
- The name of the protocol or research activity;
- A plain language description of the research, including the purpose and the criteria for selecting records;
- A brief description of the type of PHI that was disclosed;
- The date or period of time of the disclosures, including the last date that occurred during the accounting period;
- The name, address, and telephone number of the entity that sponsored the research and the researcher to whom such information was disclosed;
- A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity.
- Items Excluded. The accounting for disclosures will not include the following disclosures:
- Disclosures for carrying out treatment, payment, or health care operations;
- Disclosures pursuant to a valid authorization executed by the individual;
- Disclosures of PHI to the individuals;
- Disclosures to persons involved in the individual’s care or for other notification purposes;
- Disclosures for national security or intelligence purposes; or
- Disclosures to correctional institutions or law enforcement officials.
- ACCOUNTINGS INVOLVING BUSINESS ASSOCIATE DATA. The Company shall obtain any necessary information held or maintained by a Business Associate required for an accounting.
- AMENDMENT REQUESTS
- STANDARD FOR AMENDMENT REQUESTS. An individual has the right to request that the Company amend his/her PHI maintained in the designated record set.
- DOCUMENTATION. Information related to any individual requests will be retained for 10 years in accordance with the Company’s document and data retention policy.
COMPLAINTS
- PROCEDURE TO FILE A COMPLAINT WITH THE COMPANY
- REPORTING. Individuals may report a complaint to the Company as follows:
- An individual must make a complaint in writing to the Company and may elect to use the Privacy Rights Complaint Form, set forth in the Appendix to these Privacy Policies and Procedures. The complaint must include the individual’s name, address, and date of birth, a description of the individual’s complaint, and any documentation that supports his/her complaint. The Company will direct inquiries to the appropriate personnel to discuss any questions the individual might have about the complaint procedure.
- INVESTIGATION. When an individual makes a complaint, a Representative will promptly investigate the circumstances related to the report.
- Reasonable Steps. A Representative may take the following steps, as they deem appropriate, to investigate the alleged violation: (1) interview the individual complainant; and (2) interview the Company employees or Business Associates who may have knowledge of the alleged violation and review any relevant documents that pertain to the alleged violation. These procedures are not exclusive.
- Confidentiality. Confidentiality will be maintained throughout the investigative process to the extent practicable and consistent with the need to undertake a full investigation.
- Results of Investigation. If a Representative determines that a violation has occurred, they may take action as is necessary and supported by the facts, including:
- Sanctioning the Company employees who have acted improperly and requesting that any Business Associate employees who have acted improperly be sanctioned by the Business Associate;
- Working with a Business Associate to cure any violation by the Business Associate, or terminating the Business Associate Agreement if no cure is possible; and
- Mitigating any harmful effect that the Company knows of resulting from the improper use or disclosure of PHI as per the Company’s mitigation policy.
- Determination. Upon completion of the investigation, appropriate action will be taken, as necessary, and supported by the facts.
- PROCEDURE TO FILE A COMPLAINT WITH SECRETARY OF HHS. To file a complaint with the Secretary of HHS, the individual should use the online complaint portal at https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
- DOCUMENTATION. The Company will document information related to each complaint received and its disposition, and that documentation will be retained for 10 years.
MITIGATION
- REPORTING REQUIREMENTS. Any person, including Company employees or Business Associates, who becomes aware that an improper disclosure was made must immediately:
- Limit any further improper disclosure; and
- Report the matter to the Company.
- MITIGATION STRATEGY.
- Process. In order to mitigate any harmful effects of an improper use or disclosure that the Company knows of, a Representative may take any of the following steps:
- Immediately request the return or destruction of the PHI by the disclosing party and/or the party who received the PHI;
- Create additional safeguards for protecting PHI;
- Discipline the Company employees who have acted improperly;
- Work with a Business Associate who may be involved to cure a violation, including requesting that the Business Associate discipline any involved employees; and
- Terminate a Business Associate Agreement if the violation does not cease and/or consider all other possible remedial actions.
HIPAA WORKFORCE TRAINING
- NEW EMPLOYEES.
- The individual(s) responsible for hiring will train new hires (and new independent contractors with access to any Company PHI) on HIPAA issues and related policies and procedures (including, without limitation, these Policies and Procedures). The HIPAA training program shall include discussions regarding patient privacy rights, Company privacy rule obligations, security reminders, procedures for guarding against, detecting, and reporting malicious software, procedures for monitoring log-in attempts and reporting discrepancies, and procedures for creating, changing, and safeguarding passwords. The training program will also consist of an overview of the Company’s HIPAA Privacy and Security Policies and Procedures, sanctions policies, individual security responsibilities, and common security threats and vulnerabilities.
- Training of a new employee or independent contractor (the “Trainee”) must occur prior to the Trainee being given unsupervised access to any Company PHI. Once training is completed, the Trainee must sign a statement indicating that training was provided and that the Trainee has a reasonable understanding of the information conveyed. New employees will be required to sign an acknowledgment of training, acknowledging they have reviewed HIPAA laws and regulations and these Privacy Policies and Procedures regarding permissible use of information technology systems containing electronic PHI.
- CURRENT EMPLOYEES. Current employees and independent contractors with access to PHI that have not received the training discussed above must receive that training within ninety (90) days after the effective date of these Policies and Procedures. Employees will be required to sign a statement acknowledging they have reviewed HIPAA laws and regulations and these Privacy Policies and Procedures regarding permissible use of information technology systems containing electronic PHI.
- ONGOING TRAINING AND ALERTS. A Representative shall implement and maintain an ongoing training program for all Company employees and all independent contractors with access to PHI. The ongoing training program shall include, at a minimum, (a) frequent email alerts communicating new HIPAA developments; (b) periodic email reminders reinforcing HIPAA policies and procedures; and (c) yearly HIPAA Privacy and Security refresher courses.
- DOCUMENTATION. The Company shall document compliance with this policy by maintaining records of all formal training sessions. For contractors, such documentation shall be maintained in the relevant contractor file.
BREACH NOTIFICATION AND INVESTIGATION
- POLICY. The Company ensures that it investigates and notifies each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of a breach by the Company or one of its Business Associates, in accordance with the procedures for notifying individuals in 45 C.F.R. §164.404. The Company also provides notification to the media as required by 45 C.F.R. §164.406 if a breach of unsecured PHI involves more than 500 residents of one state or jurisdiction, provides notification of all breaches of unsecured Personal Information in accordance with the State of Texas’ Identity Theft Enforcement and Protection Act, and provides notification of all breaches of unsecured PHI to the Secretary of HHS as required by 45 C.F.R. §164.408.
- PROCEDURE
- Investigation of Potential Breach.
- Company workforce members will immediately report any suspected unauthorized use or disclosure of PHI or Personal Information to the Company.
- A Representative will investigate all reported unauthorized uses or disclosures of PHI to determine whether a breach has occurred. An unauthorized use or disclosure of PHI is presumed to be a breach unless a Representative demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who uses the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
- A Representative will investigate all reported unauthorized acquisitions of personal information to determine the likelihood that the personal information has been or will be misused. The Company will give notice as soon as possible to each affected person, the state Attorney General, and/or consumer reporting agencies, in accordance with the process set forth below, unless the investigation determines that misuse of information about the person(s) has not occurred and is not reasonably likely to occur.
- If a Representative determines a breach of unsecured PHI has occurred, the Company will notify patients, local media, the Secretary of HHS, and/or state agencies as required by HIPAA or state laws in accordance with the process set forth below.
- NOTIFICATION OF BREACH.
- To Individuals.
- The Company will notify the individual in writing of the breach without unreasonable delay and in no case later than thirty (30) days after the date of discovery of the breach.
- The date of discovery of the breach is the first day that the Company knew about the breach or would have known about the breach if the Company had exercised reasonable diligence in implementing effective internal policies for discovering breaches of unsecured PHI or personal information.
- The Company will contact legal counsel if it is unsure of (i) the date of discovery of the breach or (ii) whether an individual who caused the breach is an employee or agent of the Company.
- The notice to the individual (whether in written or substitute form, as described below) will include the following elements, to the extent possible:
- A brief description of what happened, including the date of discovery of the breach, if known;
- A description of the types of unsecured PHI or personal information that were involved in the breach (such as whether the individual’s full name, social security number, date of birth, home address, diagnosis, disability code, or other types of information were involved);
- Any steps the individual should take to protect the individual from potential harm resulting from the breach;
- A brief description of what the Company is doing to investigate the breach, mitigate harm to individuals, and protect against any further breaches; and
- Contact procedures for the person to ask questions or learn additional information, including a toll-free telephone number, e-mail address, website, or postal address.
- The Company will send the written notification by first-class mail to the person at the last known address of the person or to the person’s email address if the person has previously agreed to electronic notice.
- If the person is deceased, the Company will send the written notification to the next of kin or personal representative of the person if the Company has contact information for the next of kin or personal representative.
- If the person’s contact information is unavailable or out-of-date, making the person unreachable by mail, the Company will use a substitute form of notice that the Company believes will reach the individuals.
- If there are fewer than ten persons who cannot be reached by mailed written notice, the Company will use an alternative form of notice, such as e-mail, telephone, or other means.
- If there are ten or more persons who cannot be reached by mailed written notice, the Company will post the notice conspicuously on the home page of the Company’s website or in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. The notice will be posted for at least 90 consecutive days and will include a toll-free phone number that remains active for at least 90 days, which a person can call to learn whether the individual’s unsecured PHI may be involved in the breach.
- To the Media.
- The Company will notify the prominent media outlets in each state or jurisdiction of a breach involving 250 or more individuals. The prominent media outlets would be the major television stations, newspapers, and radio stations serving the residents of that area.
- The Company will provide the notice to the media without unreasonable delay and in no case later than thirty (30) calendar days after the date of discovery of the breach.
- The notice to the media will include the same information required for the written notification to the individual but without individual PHI involved in the breach. The notice may be in the form of a press release.
- To the State Attorney General. If a breach of personal information affects 250 or more individuals, the Company will submit a notice of breach to the State Attorney General via the state’s online portal within 30 days after the Company determines that a security breach occurred.
- To the Consumer Reporting Agencies. If a breach of personal information affects 1000 or more individuals, the Company will notify Consumer Reporting Agencies that compile and maintain consumer files nationwide. The Company shall not unreasonably delay notification and will notify the Consumer Reporting Agencies of the anticipated date of notification to individuals.
- To the Secretary of Health and Human Services.
- The Company shall maintain a log of all breaches of unsecured PHI involving fewer than 500 individuals.
- The log shall include the following information regarding each breach to the extent possible:
- Date of the breach;
- Date of discovery of the breach;
- Approximate number of individuals affected by the breach;
- Type of breach;
- Location of the breached PHI;
- Type of PHI involved in the breach;
- Brief description of the breach;
- Safeguards in place prior to the breach;
- Dates the individual notice was provided;
- Whether substitute notice was required;
- Whether media notice was required; and
- Actions taken in response to the breach.
- Within 60 days of the end of the calendar year in which the breaches were discovered, the Company shall submit electronically a breach notification form for each breach on the Secretary of HHS’s website.
- If a breach affects 500 or more individuals, the Company will submit electronically a breach notification form on the Secretary of HHS’s website at the same time that the Company notifies the affected individuals.