2.1 Protected Health Information (PHI). Protected health information means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
2.2 HIPAA Privacy Officer. PALOMA HEALTH shall designate a member of its staff as the HIPAA Privacy Officer. The HIPAA Privacy Officer is the PALOMA HEALTH employee in charge of all procedures covered within this policy.
3. Assigning Privacy Responsibilities
4. Permitted uses and disclosures
PALOMA HEALTH shall only use or disclose PHI if one of the following applies:
4.1 The HIPAA Privacy Rule specifically permits or requires it.
4.2 The individual who is the subject of the information gives authorization in writing.
4.3 For the following subset of health care operations activities of the recipient covered entity (45 CFR 164.501), without needing patient consent or authorization (45 CFR 164.506(c)(4)):
· Conducting quality assessment and improvement activities
· Developing clinical guidelines
· Conducting patient safety activities as defined in applicable regulations
· Conducting population-based activities relating to improving health or reducing health care cost
· Developing protocols
· Conducting case management and care coordination (including care planning)
· Contacting health care providers and patients with information about treatment alternatives
· Reviewing qualifications of health care professionals
· Evaluating performance of providers and/or health plans
· Conducting training programs or credentialing activities
· Supporting fraud and abuse detection and compliance programs.
5. Minimum Necessary Use and Disclosure of Protected Health Information
PALOMA HEALTH shall ensure that for all routine and recurring uses and disclosures of PHI (except for uses or disclosures made 1) to or as authorized by the patient or 2) as required by law for HIPAA compliance), such uses and disclosures of protected health information must be limited to the minimum amount of information needed to accomplish the purpose of the use or disclosure. PALOMA HEALTH shall also ensure that non-routine uses and disclosures will be handled pursuant to established criteria. It is also PALOMA HEALTH’s policy that all requests for protected health information (except as specified above) must be limited to the minimum amount of information needed to accomplish the purpose of the request. Under HIPAA’s minimum necessary provisions, an organization must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure or request (45 CFR 164.502(b)).
In the event that a Breach has or may have occurred, PALOMA HEALTH will adhere to the rules stated in the Breach Notification Policy. It shall be the responsibility of the HIPAA Privacy Officer to implement and enforce the rules in the Breach Notification Policy.
7. Prohibited Activities-No Retaliation or Intimidation
PALOMA HEALTH shall ensure that no employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA regulations.
The responsibility for designing and implementing procedures to implement this policy lies with the HIPAA Privacy Officer.
8. Verification of Identity
PALOMA HEALTH will ensure that the identity of all persons who request access to protected health information be verified before such access is granted.
PALOMA HEALTH will implement measures to ensure that the effects of any unauthorized use or disclosure of protected health information be mitigated to the greatest extent possible.
PALOMA HEALTH shall ensure that appropriate physical safeguards will be in place to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule.
11. Training and Awareness
11.1 PALOMA HEALTH will ensure that all members of the workforce are trained on the policies and procedures governing protected health information and compliance with the HIPAA Privacy and Security Rules. New members of the workforce shall receive training on these matters within a reasonable time after they have joined the workforce. Should any policy or procedure related to the HIPAA Privacy and Security Rules materially change, PALOMA HEALTH shall provide new training to update the workforce on those changes. This training will be provided within a reasonable time after the policy or procedure materially changes. Furthermore, all training provided to the workforce will be documented, indicating participants, date, and subject matter.
11.2 Our HIPAA Privacy Officer will develop, coordinate, and facilitate initial and ongoing training programs on privacy, and coordinate privacy training with security training requirements. Each member of our workforce, including management, will be trained on our policies and procedures at least once annually in a formal setting, and regularly in an informal setting and as needed. Our HIPAA Privacy Officer will determine who needs additional training, the type of training that is appropriate, and the frequency with which such training will occur. New employees will participate in training within thirty (30) days following their first date of service.
11.3 All workforce members will participate in retraining on privacy policies and procedures related to the HITECH Act and the Breach Notification Rule, and on any other regulations related to the safeguarding of protected health information.
11.4 Upon completing training or retraining, each member of our workforce will sign an acknowledgement form that he or she participated in training and is aware of and understands our organization’s privacy policies and procedures.
12. Material Change
It is the policy of the Company that the term “material change” for the purposes of these policies is any change in our HIPAA compliance activities.
Individuals may submit complaints either directly to a supervisor or to the HIPAA Privacy Officer. There shall be a mechanism for complaints to be submitted anonymously. Complaints may also be submitted to the Secretary of HHS.
PALOMA HEALTH will determine and enforce sanctions upon any member of the workforce who intentionally or unintentionally violates any of these policies or any procedures related to the fulfillment of these policies. Such sanctions will be recorded in the individual’s personnel file.
15. Retention of Records
PALOMA HEALTH maintains that the HIPAA Privacy Rule records retention requirement of six years will be strictly adhered to. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at PALOMA HEALTH’s discretion to meet other governmental regulations or internal requirements.
16. Regulatory Currency
It is the policy of PALOMA HEALTH to remain current in our compliance program with HIPAA regulations.
18. Cooperation with Privacy Oversight Authorities
PALOMA HEALTH maintains that oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services be given full support and cooperation in their efforts to ensure the protection of health information within this organization. PALOMA HEALTH will disclose protected health information as required by the HIPAA Privacy Rule, and to HHS when it is undertaking a compliance investigation or review or enforcement action. PALOMA HEALTH shall additionally ensure that all personnel cooperate fully with all privacy compliance reviews and investigations.