The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires comprehensive federal protections governing the privacy and confidentiality of individually identifiable health information. HIPAA and its implementing regulations specify when and to whom covered entities, such as Hero, may disclose the information.
The purpose of this Policy is to comply with the HIPAA Privacy Rule, which requires safeguards to protect the privacy of individuals’ medical records and protected health information.
It is a policy of Hero that the Company and every employee, intern/extern, contractor, and vendor understand and abide by Company and individual obligations under HIPAA, including those described below.
PHI is individually identifiable health information that is transmitted or maintained in electronic, written, or oral form. PHI relates to the past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or the past, present, or future payment for the provision of health care to a patient, and it identifies the patient or provides a reasonable basis to believe the information can be used to identify the patient. Protected health information includes information of persons living or deceased.
The Company may use and disclose PHI for different purposes, including treatment, payment, health care operations, or when required by law.
The Compliance Department is responsible for the development and implementation of policies and procedures relating to privacy. The Compliance Department also partners with the Privacy Officer to resolve HIPAA complaints.
The Office Manager is the Privacy Officer for each Practice. The Privacy Officer will be responsible for enforcing policies and procedures relating to privacy in each practice. The Privacy Officer will also serve as the contact person for patients who have questions, concerns, or complaints about the privacy of their PHI.
Each practice maintains and makes available to patients/guardians a Notice of Privacy Practices (“Notice”) that describes how health information about patients may be used and disclosed and how patients can get access to this information. The Notice also describes the legal rights of patients with respect to PHI and the Company’s legal duties with respect to PHI. The Notice will also provide a description of the Practice’s complaint procedure and the name and telephone number of the contact person for further information.
All members of the workforce must be trained on HIPAA and the protection of PHI upon hire and annually. The People Services Team monitors annual training status. The Privacy Officer at each practice is responsible for ongoing HIPAA training and coaching opportunities.
The Company has established appropriate technical and physical safeguards to prevent PHI from being used or disclosed, intentionally or unintentionally, in violation of HIPAA’s requirements. Technical safeguards include limiting access to information through technology access controls such as unique user identification, role-based access, two-factor authentication, logoff requirements, encryption, and the use of audit controls. Physical safeguards include controlling building access, using screen blockers to prevent public view of PHI, shredding unnecessary documents containing PHI, and requiring employees to be mindful of HIPAA and PHI requirements in all communications.
When PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure. The “minimum necessary” standard does not apply to uses or disclosures made to the individual, uses or disclosures made pursuant to a valid authorization, disclosures required by law, or disclosures required to comply with HIPAA.
PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.
HIPAA requires a specific kind of agreement, called a Business Associate Agreement (BAA), to be entered into with every business associate, that is, any person or entity that performs a function or activity for Hero involving the use or disclosure of PHI. Before a Business Associate receives PHI, Hero and the Business Associate must sign a BAA, which specifies each party’s obligations under HIPAA with respect to PHI.
The Privacy Officer is responsible for receiving questions, concerns, or complaints about the privacy of patient PHI. When the Privacy Officer receives a HIPAA complaint, the Compliance Department also receives it. The Compliance Department partners with the Privacy Officer to ensure that complaints are investigated and that disciplinary action is taken where warranted.
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.