This policy is in effect and is updated as of August 15, 2012.
It is the policy of the Company to adopt, maintain and comply with our privacy practices of customer and end-user data, which shall be consistent with HIPAA and California law.
Notice of Privacy Practices
Assigning Privacy and Security Responsibilities
It is the policy of the Company that privacy protections extend to information concerning deceased individuals.
Minimum Necessary Use and Disclosure of Protected Health InformationIt is the policy of the Company that for all routine and recurring uses and disclosures of PHI (except for uses or disclosures made 1) to or as authorized by the customer, client or end-user or 2) as required by law for HIPAA compliance such uses and disclosures of protected health information must be limited to the minimum amount of information needed to accomplish the purpose of the use or disclosure. It is also the policy of the Company that non-routine uses and disclosures will be handled pursuant to established criteria. It is also the policy of the Company that all requests for protected health information (except as specified above) must be limited to the minimum amount of information needed to accomplish the purpose of the request.
It is the policy of the Company that any uses or disclosures of protected health information for marketing activities will be done only after a valid authorization is in effect.
Prohibited Activities-No Retaliation or IntimidationIt is the policy of the Company that no employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA regulations. It is also the policy of the Company that no employee or contractor may condition payment on the provision of an authorization to disclose protected health information except as expressly authorized under federal and state regulations.
It is the policy of the Company that the responsibility for designing and implementing procedures to implement this policy lies with the Privacy Official.
Verification of Identity
It is the policy of the Company that the identity of all persons who request access to protected health information be verified before such access is granted.
It is the policy of the Company that the effects of any unauthorized use or disclosure of protected health information be mitigated to the extent possible.
It is the policy of the Company that appropriate physical safeguards will be in place to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule.
It is the policy of the Company that business associates must be contractually bound to protect health information to the same degree as set forth in this policy. It is also the policy of the Company is organization that business associates who violate their agreement will be dealt with first by an attempt to correct the problem, and if that fails by termination of the agreement and discontinuation of services by the business associate.
Training and Awareness
It is the policy of the Company that all members of our workforce have been trained by the compliance date on the policies and procedures governing protected health information and how the Company complies with the HIPAA Privacy and Security Rules. It is also the policy of the Company that new members of our workforce receive training on these matters within a reasonable time after they have joined the workforce. It is the policy of the Company to provide training should any policy or procedure related to the HIPAA Privacy and Security Rule materially change. This training will be provided within a reasonable time after the policy or procedure materially changes. Furthermore, it is the policy of the Company that training will be documented indicating participants, date and subject matter.
It is the policy of the Company that the term “material change” for the purposes of these policies is any change in our HIPAA compliance activities.
It is the policy of the Company that sanctions will be in effect for any member of the workforce who intentionally or unintentionally violates any of these policies or any procedures related to the fulfillment of these policies. Such sanctions will be recorded in the individual’s personnel file.
Retention of Records
It is the policy of the Company that the HIPAA Privacy Rule records retention requirement of six years will be strictly adhered to. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at this Company’s discretion to meet with other governmental regulations or those requirements imposed by our professional liability carrier.
It is the policy of the Company to remain current in our compliance program with HIPAA regulations.
Cooperation with Privacy Oversight Authorities
It is the policy of the Company that oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services be given full support and cooperation in their efforts to ensure the protection of health information within this Company. It is also the policy of the Company that all personnel must cooperate fully with all privacy compliance reviews and investigations.