The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. Learn details on the Privacy Rule at http://www.hhs.gov/ocr/privacy/index.html
EFFECTIVE AS OF 9/1/2013
A Company Employee who ceases to provide services to the Company for any reason, including disability, change of work assignment, or termination of employment for any reason, shall immediately return to the Company his or her security clearance, passwords, and all other equipment, devices or information that enable him or her to access, download, modify, or destroy Personal Information.
For purposes of this policy “Personal Information” or “PI” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any:
In general, any and all statements, faxes, emails, documents or information of any kind which contain PI and are maintained, used or disclosed by the Company in the course of the Company’s business shall not be maintained, used or disclosed other than as necessary to conduct its business or as otherwise permitted or required by law. All Company Employees are required to comply with the following guidelines:
All Company Employees shall be trained as necessary to apply the terms of these policies. The Privacy Officer shall be responsible for providing training to some or all of the employees as necessary and appropriate for each employee to carry out his or her job. All Company Employees who undergo training shall sign a sheet evidencing their participation in the training.
The Privacy Officer shall have sole authority and discretion to resolve any questions or disputes concerning the interpretation or application of these policies, subject to applicable requirements of law.
The Company shall maintain business records for as long as required by applicable law, and as necessary and appropriate in the determination of the Privacy Officer. When retention of such records is no longer required by law, or is no longer deemed necessary and appropriate by the Privacy Officer, the Privacy Officer shall take all reasonable steps to destroy, or arrange for the destruction of, such records by (1) shredding, (2) erasing, or (3) otherwise modifying the PI in those records to make it unreadable or undecipherable through any means. If the Company hires a vendor to provide this destruction function, it shall take reasonable steps to ensure the vendor is reputable and is licensed to perform such services, if such license is required by law.
In the event the Company obtains services from a vendor, and the services require the vendor to have access to PI, the Company shall obtain written assurances from the vendor that it will implement reasonable safeguards to protect the privacy and security of the PI, and disclose and dispose of PI only as required by law. Any such agreement must be approved by the Privacy Officer. The original copy of any such agreement, executed by all parties, shall be maintained pursuant to the Company’s record retention policy. Prior to disclosing any PI outside of the Company’s normal services to patients, the Privacy Officer shall confirm that an agreement consistent with this policy is on file and that the disclosure is permitted under it.