01/12/2024
MEDVIDI, INC. & MEDVIDI HEALTH P.C.

HIPAA PRIVACY AND SECURITY POLICY

Introduction

MEDvidi Health P.C. (the “Company”) has adopted this policy to ensure compliance with HIPAA.

Members of the Company’s workforce may have access to the “protected health information” (as described below) of participants in relation to the services. The Company intends to fully comply with the HIPAA requirements, as administered by the United States Department of Health and Human Services (HHS), including HIPAA’s Privacy Rule and Security Rule. HIPAA restricts the Company’s use and disclosure of protected health information.

“Protected health information” (“PHI”) means information that is created or received by the Company and relates to the past, present, or future physical or mental health or condition of a participant; the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. PHI includes information concerning persons living or deceased. The Security Rule governs electronically conveyed PHI, or “E-PHI.” (“PHI” herein includes “E-PHI” unless “E-PHI” is specified.) Special aspects of Security Rule compliance are addressed at Article 2.12, below.

The Company has adopted this Privacy Policy and the Company’s separate HIPAA Use and Disclosure Procedures regarding the use and disclosure of PHI and individuals’ rights relating to their PHI. All members of the Company’s workforce who have access to PHI must comply with this Privacy Policy and the Company’s HIPAA Use and Disclosure Procedures. Individuals who would be considered part of the Company’s workforce under HIPAA are employees, independent contractors, volunteers, trainees, and other persons whose work performance is under the direct control of the Company, whether or not they are paid by the Company. The term “employee” herein includes all of these types of workers.

As further set forth in the Use and Disclosure Procedures, the Company adopts as a policy that all claims and benefit issues arising in any of the Company’s locations shall be referred to the Contact Person (or to the Privacy Official or Security Official where specifically designated in this Policy or the Use and Disclosure Procedures) for resolution. Therefore, any human resources personnel receiving inquiries regarding claims or benefits, or any other questions regarding the Notice of Privacy Practices or any related issue, shall not attempt to answer or address such inquiries, but shall refer them to the Contact Person, Privacy Official, or Security Official, as specifically designated.

Article I. RESPONSIBILITIES AS COVERED ENTITY.

1.1. Privacy Official and Contact Person.

Oleg Gorbylev, COO, will be the Privacy Official for the Company. The Privacy Official will be responsible for the administration of policies and procedures relating to privacy, including but not limited to this Privacy Policy and the Company’s HIPAA Use and Disclosure Procedures.

The Privacy Official has designated Oleg Gorbylev, COO, as the contact person (“Contact Person”) for all regular and routine matters, as set forth herein. The Contact Person will serve as the person available to participants who have questions, concerns, or complaints about their PHI, as specified in the Notice of Privacy Practices and as further detailed in the Use and Disclosure Procedures.

1.2. Security Official and Contact Person.

Oleg Gorbylev, COO, will be the Security Official. The Security Official will serve as the person available for any issues of a technical nature specific to the HIPAA Security implementation specifications.

Oleg Gorbylev, COO, will serve as Contact Person for Privacy and Security Rule regular and routine matters.

1.3. Persons with Access; Workforce Training.

It is the Company’s policy to limit access to PHI to those who have need and to train employees who have access to PHI on its privacy and security policies and procedures. The Privacy Official, Security Official and Contact Person will develop training schedules and programs so that employees who have access to PHI (including E-PHI) receive the training necessary and appropriate to permit them to carry out their functions within the Company. The Security Official will arrange supplemental training of Persons with Access in elements of Security Rule compliance.

1.4. Technical and Physical Safeguards and Firewall.

An analysis of all the Company’s information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats—internal or external, natural or artificial, electronic and non-electronic—that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity that potentially expose the information resource to those threats. Finally, the analysis will include an evaluation of the information assets and the technology associated with their collection, storage, dissemination, and protection. From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the number and scope of the vulnerabilities.

All computer equipment and network systems are assets of the Company and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software-based and include the following:

  • Installed Software: All software packages that reside on computers and networks within the Company must comply with applicable licensing agreements and restrictions and must comply with the Company’s acquisition of software policies.
  • Virus Protection: Virus checking systems approved by the Security Official and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.
  • Access Controls: Physical and electronic access to PHI is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Security Official and approved by the Company. Mechanisms to control access to PHI include (but are not limited to) the following methods:
  1. Authorization: Access will be user-based, whereby users of a system gain access based upon their identity.
  2. Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access PHI. Users will be held accountable for all actions performed on the system with their user id.
    1. Authentication shall be by strictly controlled passwords.
    2. The user must secure his/her authentication control (e.g. password) such that it is known only to that user and possibly a designated security manager.
    3. An automatic timeout requiring re-authentication must be enforced after a defined period of inactivity.
    4. The workstation must freeze after three unsuccessful attempts to gain access.
    5. The user must log off or secure the system when leaving it.
  3. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features will be implemented:
    1. Encryption shall be utilized for emails where electronic PHI is transmitted.
    2. Benefits personnel shall use facsimile or telephone contact with the Company’s third-party administrator when dealing with electronic PHI in claims assistance.
  4. Remote Access: Access into the Company’s network from outside will be granted using the Company approved devices and pathways on an individual user and application basis. All remote access to systems which may access electronic PHI shall be made using a “virtual private network”. All other network access options to these systems are strictly prohibited.
  5. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals.

    The following physical controls must be in place:

    1. Mainframe computer systems must be installed in an access-controlled area.
    2. File servers containing PHI must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
    3. Workstations or personal computers (PC) must be secured against use by unauthorized individuals. The following policies regarding workstation use and physical safeguards are instituted:
      1. Position workstations to minimize unauthorized viewing of protected health information.
      2. Grant access to systems which may access electronic PHI only to those who need it in order to perform their job function.
      3. Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to PHI.
      4. Use automatic screen savers with passwords to protect unattended machines.
    4. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.
      1. Facility Security Plan—Procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
      2. Access Control and Validation—Procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
      3. Maintenance records—Procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).
  6. Employee Hiring and Departures:

    1. The Company shall maintain its existing clearance procedures regarding the hiring of employees.
    2. The Company shall maintain its existing procedures regarding departing employees, which include promptly deactivating system access and recovering ID cards, remote access devices and other access items.
  7. Security Updates: The Company will provide periodic updates as appropriate, including security reminders regarding access security, virus protection and maintaining password protection.

  • Equipment and Media Controls: The disposal of PHI must ensure its continued protection. The receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility, shall be documented by Information Services personnel. The Company will maintain a record of the movements of hardware and electronic media and of any person responsible therefor. PHI must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PCs, etc.) unless the devices have the following minimum security requirements implemented:
    1. Power-on passwords
    2. Auto logoff or screen saver with password
    3. Encryption of stored data or other acceptable safeguards approved by the Security Official
    4. Mobile computing devices must never be left unattended in unsecured areas
  • Data Transfer/Printing: PHI must be stored in a manner that is inaccessible to unauthorized individuals. PHI must not be downloaded, copied, or printed indiscriminately or left unattended and open to compromise.
  • Oral Communications: Company staff should be aware of their surroundings when discussing PHI. This includes the use of cellular telephones in public areas. Company staff should not discuss PHI in public areas if the information can be overheard. Caution should be used when conducting conversations in semi-private rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.
  • Audit Controls: Logs that record and examine activity in information systems that contain or use PHI will be maintained. Records of information system activity will be reviewed weekly and will be available for review should a security incident have occurred or be suspected.
  • Evaluation: The Company shall undertake periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of electronic PHI to ensure its continued protection.

1.5. Privacy Notice.

The Privacy Official will maintain the Company’s Notice of the Privacy Practices that describes the uses and disclosures of PHI that may be made by the Company; the individual’s rights with respect to use and disclosure of PHI; and the Company’s legal duties with respect to the PHI.

The Notice informs participants that the Company and certain third parties as described therein (insurers and third-party administrators) will have access to PHI in connection with administrative functions. The Notice also provides details of the Company’s complaint procedures specifically for HIPAA Privacy and Security, the name and telephone number of the Privacy Official, Contact Person and Security Official for further information and assistance; and the date of the notice, among other elements.

1.6. Complaints.

The Contact Person is responsible for administering a process for individuals to lodge complaints about the privacy and security procedures. A copy of the complaint procedure shall be provided to any participant upon request.

1.7. Sanctions for Violations of Privacy and Security Policy.

Sanctions for using or disclosing PHI in violation of this HIPAA Privacy and Security Policy will be imposed in accordance with the Company’s discipline policy.

1.8. Mitigation of Inadvertent Disclosures of Protected Health Information.

The Company shall mitigate, to the extent possible, any harmful effects that become known to it of a use or disclosure of an individual’s PHI in violation of the policies and procedures set forth in this Policy. Accordingly, if an employee becomes aware of a disclosure of PHI that violates this Policy, whether by an employee of the Company or by a third-party administrator or insurer, the employee may contact the Privacy Official so that the appropriate steps can be taken to mitigate the harm to the participant. (See “Use and Disclosure Procedures”.)

1.9. Breach Notification Requirements.

The Company will comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and its implementing regulations with respect to notifications in the event of a breach of unsecured PHI. As a result, if an employee becomes aware of a potential breach of unsecured PHI, the employee shall contact the Privacy Official. Promptly after a report of suspected breach of unsecured PHI, the Privacy Official shall direct and undertake an investigation and risk assessment to determine if a breach of unsecured PHI occurred and the scope of such breach. There is a reportable breach only if all of the following have occurred, as determined by the Privacy Official:

  • There is a violation of the HIPAA Privacy Rules involving “unsecured” PHI.
  • The violation involved unauthorized access, use, acquisition, or disclosure of unsecured PHI.
  • The violation resulted in a compromise of the security or privacy of the PHI.
  • No exception applies under applicable law.

If the Privacy Official determines that there is a low probability that the PHI was compromised, the Company will document the determination in writing and keep the documentation on file.

The Company shall, following the discovery of a breach of unsecured PHI that is required to be reported, notify each individual whose unsecured PHI has been, or is reasonably believed by the Company to have been, accessed, acquired, used, or disclosed as a result of such breach as well as the Secretary of HHS.

For a breach of unsecured PHI involving 500 or more residents of a state or jurisdiction, the Company shall notify prominent media outlets serving the state or jurisdiction.

For a breach of unsecured PHI involving 500 or more individuals, the Company shall notify the Secretary of HHS contemporaneously with the notice to affected individuals and in the manner specified on the HHS website.

The above notices shall be provided without unreasonable delay and in no case later than 60 days after discovery of the breach and shall comply with the requirements of the HITECH Act and its implementing regulations with respect to the content and method of notification.

A business associate is required to do the same.

Breach Notification Definitions

  • Breach. The acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA and its implementing regulations which compromises the security or privacy of the PHI. If an unauthorized use or disclosure of PHI occurs, the security or privacy of PHI is presumed to have been compromised unless the Company demonstrates that there is a low probability that the PHI has been compromised. This determination is made through a risk assessment of at least the following factors:
    1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
    2. The unauthorized person who used the PHI or to whom the disclosure was made;
    3. Whether the PHI was actually acquired or viewed; and
    4. The extent to which the risk to the PHI has been mitigated.

    A use or disclosure of PHI that does not include the identifiers listed at 45 CFR § 164.514(e)(2), date of birth, and zip code does not compromise the security or privacy of the protected health information. Breach excludes:
    1. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under HIPAA and its implementing regulations.
    2. Any inadvertent disclosure by a Person with Access, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under HIPAA and its implementing regulations.
    3. A disclosure of PHI where the Company has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
  • Unsecured PHI. PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS in the guidance issued under Section 13402(h)(2) of the HITECH Act on the HHS website.

1.10. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy and Security.

No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

No individual shall be required to waive their privacy rights under HIPAA as a condition of treatment, payment, enrollment, or eligibility.

1.11. Company Documents.

The Company Documents include provisions to incorporate descriptions, as set forth in the Use and Disclosure Procedures, of the permitted and required uses and disclosures of PHI by the Company for Company administrative purposes. Specifically, the Company Documents require the Company to:

  • not use or further disclose PHI, other than as permitted by the Company Documents or as required by law;
  • ensure that any agents or subcontractors to whom it provides PHI received from the Company agree to the same restrictions and conditions that apply to the Company;
  • not use or disclose PHI for employment-related actions or in connection with any other employee benefit plan (except as permitted within any “organized health care arrangement” or among the affiliated companies, as required for workers’ compensation purposes);
  • report to the Privacy Official any use or disclosure of the information that is inconsistent with the permitted uses or disclosures;
  • make PHI available to Company participants, consider their amendments and, upon request, provide them with an accounting of PHI disclosures;
  • make the Company’s internal practices and records relating to the use and disclosure of PHI received from the Company available to HHS upon request; and
  • if feasible, return or destroy all PHI received from the Company that the Company still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

The Company Documents as amended also require the Company to (1) certify that the Company Documents have been amended to include the above restrictions and that the Company agrees to those restrictions; (2) provide adequate firewalls; and (3) provide the administrative, physical and technical safeguards (including written policies and procedures) that reasonably protect the confidentiality, integrity and availability of electronic PHI it creates, receives, maintains, or transmits.

For these purposes, “Company Documents” means the documents of the Company.

1.12. Documentation and Document Retention.

The Company’s privacy policies and procedures must be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must promptly be documented.

If a change in law impacts the Notice, the Notice must promptly be revised and made available to the necessary parties. Such change is effective only with respect to PHI created or received after the effective date of the revised Notice. The Company shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual’s privacy rights, as further set forth in the Use and Disclosure Procedures. The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. Covered entities must maintain such documentation for at least six years, beginning with documents created on or after April 14, 2003.

Article II. POLICIES ON USE AND DISCLOSURE OF PHI.

2.1. Use and Disclosure Defined.

The Company will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:

  • Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any Persons with Access of the Company, by the Insurers for the fully insured benefits as set forth in the Notice, or by a Business Associate (defined below) of the Company.
  • Disclosure. For information that is PHI, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons who are not Persons with Access of the Company.

2.2. HIPAA Use and Disclosure Procedures.

HIPAA Use and Disclosure Procedures are set forth in a separate document.

2.3. Workforce Must Comply with Company’s Policy and Procedures.

As set forth in Article I, above, only the Persons with Access shall have regular and recurring access to and use of PHI.

Persons with Access may use and disclose PHI for Company administrative functions, and they may disclose PHI to other Persons with Access for Company administrative functions (but the PHI disclosed must be limited to the minimum amount necessary to perform the Company administrative function). Persons with Access may not generally disclose PHI to employees (other than other Persons with Access) unless an authorization is in place or the disclosure otherwise is in compliance with this Policy and the Company’s HIPAA Use and Disclosure Procedures.

2.4. Permitted Uses and Disclosures: Payment and Health Care Operations.

PHI may be disclosed for the Company’s own payment purposes, and PHI may be disclosed to another covered entity for the payment purposes of that covered entity.

Payment. Payment includes activities undertaken to obtain Company contributions or to determine or fulfill the Company’s responsibility for provision of benefits under the Company, or to obtain or provide reimbursement for health care. Payment also includes: eligibility and coverage determinations, including coordination of benefits and adjudication or subrogation of health benefit claims; risk adjusting based on enrollee status and demographic characteristics; and billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess loss insurance) and related health care data processing.

PHI may be disclosed for purposes of the Company’s own health care operations. PHI may be disclosed to another covered entity, administrator, or insurer, for purposes of the other covered entity’s quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship. (See Article 2.10, below, regarding disclosures to “business associates”.)

Health Care Operations. Health care operations means any of the following activities to the extent that they are related to Company administration: conducting quality assessment and improvement activities; reviewing health plan performance; underwriting and premium rating; conducting or arranging for medical review, legal services, and auditing functions; business planning and development; reallocating employee claims from the Company to workers’ compensation, as appropriate; and general administrative activities.

2.5. No Disclosure of PHI for Non-Health Company Purposes.

PHI may not be used or disclosed for the payment or operations of the Company’s “non-health” benefits (e.g., long-term disability, family and medical leave, life insurance, etc.), other than required workers’ compensation disclosures, unless the participant has provided an authorization for such use or disclosure (as discussed in “Disclosures Pursuant to an Authorization”) or such use or disclosure is required by applicable state law and the particular requirements under HIPAA are met.

PHI may not be used or disclosed for personnel purposes or for administration of benefits not within the Company (except workers’ compensation-required disclosures), unless the participant has provided an authorization for such use and disclosure (as discussed in “Disclosures Pursuant to an Authorization”).

2.6. Mandatory Disclosures of PHI to Individual and HHS.

A participant’s PHI must be disclosed as required by HIPAA in two situations:

  • The disclosure is to the individual who is the subject of the information (see the policy for “Access to Protected Health Information and Requests for Amendment”, below); and
  • The disclosure is made to HHS for purposes of enforcing HIPAA.

2.7. Permissive Disclosures of PHI for Legal and Public Policy Purposes.

PHI may be disclosed in the following situations without a participant’s authorization, when specific requirements are satisfied. The Company’s HIPAA “Use and Disclosure Procedures” will describe specific requirements that must be met before these types of disclosures may be made, including prior approval of the Company’s Privacy Official. The permissive disclosures are:

  • about victims of abuse, neglect, or domestic violence;
  • for judicial and administrative proceedings;
  • for law enforcement purposes;
  • for public health activities;
  • for health oversight activities;
  • about decedents;
  • about crime on Company premises;
  • for cadaveric organ, eye or tissue donation purposes;
  • for certain limited research purposes;
  • to avert a serious threat to health or safety;
  • for specialized government functions; and
  • that relate to workers’ compensation programs.

2.8. Disclosures of PHI Pursuant to an Authorization.

PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization. The Contact Person will have a supply of the authorization form.

2.9. Complying with the “Minimum-Necessary” Standard.

HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure, as determined by the Privacy Official case-by-case, or, in the instance of routine and recurring disclosures, as set forth in the Use and Disclosure Procedures.

The “Minimum Necessary” Standard does not apply to any of the following:

  • uses or disclosures made to the individual;
  • uses or disclosures made pursuant to a valid authorization;
  • disclosures made to the DOL;
  • uses or disclosures required by law;
  • uses or disclosures required to comply with HIPAA.

Minimum Necessary When Disclosing PHI. For making routine and recurring disclosures of PHI, the Company’s HIPAA “Use and Disclosure Procedures” will establish specific procedures. For routine and recurring disclosures developing prospectively, the Privacy Official (or Contact Person if directed by the Privacy Official) will direct an analysis of such disclosures and further, specific standards will be developed.

All other disclosures must be reviewed on an individual basis with the Privacy Official to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

Minimum Necessary When Requesting PHI. For making requests for disclosure of PHI from [list insurers and TPAs] for purposes of claims, claims reports, stop loss insurance and other payment and health care operations, the Use and Disclosure Procedures will outline policies and procedures designed to limit the amount requested to the amount reasonably necessary to accomplish the purpose for which the disclosure is requested.

All other requests must be reviewed on an individual basis with the Privacy Official to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

2.10. Disclosures of PHI to Business Associates.

Persons with Access may disclose PHI to the Company’s business associates and allow the Company’s business associates to create or receive PHI on its behalf. However, prior to doing so, the Company must first obtain assurances from the business associate (in the form of a business associate agreement) that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a “business associate”, employees must contact the Contact Person and verify that a business associate agreement is in place.

A “Business Associate” is an entity or person who:

  • performs or assists in performing a Company function or activity involving the use and disclosure of protected health information (including claims processing or administration; data analysis, underwriting, etc.); or
  • provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services to the Company, where the performance of such services involves giving the service provider access to protected health information.

2.11. Disclosures of De-identified Information and Limited Data Sets.

The Company may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers under HIPAA.

2.12. Policies Specific to E-PHI/Security Rule.

The Company has performed a risk analysis and assessment and developed a document called the HIPAA Security Risk Analysis and Assessment document, including recommended administrative, physical and technical safeguards that reasonably protect the confidentiality, integrity and availability of electronic PHI the Company creates, receives, maintains or transmits.

[List specific administrative, physical and technical safeguards as suggested by Security Rule Evaluation and Assessment document.]

Article 3. POLICIES ON INDIVIDUAL RIGHTS.

3.1. Access to Protected Health Information and Requests for Amendment.

HIPAA gives participants in the Company the right to access and obtain copies of their PHI that the Company (or its business associates) maintains in designated record sets. HIPAA also provides that participants may request to have their PHI amended. The Company will provide access to PHI and it will consider requests for amendment that are submitted in writing by participants as set forth in the Notice of Privacy Practices.

A “Designated Record Set” is a group of records maintained by or for the Company that includes:

  1. the enrollment, payment, and claims adjudication record of an individual maintained by or for the Company; or
  2. other protected health information used, in whole or in part, by or for the Company to make coverage decisions about an individual.

3.2. Accounting.

An individual has the right to obtain an accounting of certain disclosures of their own PHI. This right to an accounting extends to disclosures made in the last six years, other than disclosures:

  • to carry out treatment, payment or health care operations;
  • to individuals about their own PHI;
  • incident to an otherwise permitted use or disclosure;
  • pursuant to an authorization;
  • for purposes of creation of a facility directory or to persons involved in the patient’s care or other notification purposes;
  • as part of a limited data set; or
  • for national security or law enforcement purposes.

The Company shall respond to an accounting request within 60 days. If the Company is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.

The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).

The first accounting in any 12-month period shall be provided free of charge. The Contact Person may impose reasonable production and mailing costs for subsequent accountings.

3.3. Requests for Confidential Communications.

Participants may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, participants may ask to be called only at work rather than at home. Such requests shall be honored if, in the sole discretion of the Company, the requests are reasonable.

However, the Company shall accommodate such a request if the participant clearly states that the disclosure of all or part of that information could endanger the participant. The Contact Person has responsibility for addressing requests for confidential communications.

3.4. Requests for Restrictions on Uses and Disclosures of PHI.

A participant may request restrictions on the use and disclosure of the participant’s PHI. It is the Company’s policy to attempt to honor such requests if, in the sole discretion of the Company, the requests are reasonable. The Contact Person is charged with responsibility for addressing requests for restrictions.

3.5. Requests for Amendment.

No third-party rights (including, but not limited to, rights of Company participants, beneficiaries, covered dependents, or business associates) are intended to be created by this Policy. The Company reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspirational and shall not be binding upon the Company. This Policy does not address requirements under other federal laws or under state laws.