HIPAA COMPLIANCE POLICY of Steldia Services Ltd
This Policy states the Company’s full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, and restricts the ability of Steldia Services Ltd (“Steldia”, “Company”) to use and disclose protected health information (PHI).
Protected Health Information. Protected health information means information that is created or received by the Company from its Clients in relation to the Services provided by the Company, and that relates to:
- the past, present, or future physical or mental health condition of a Patient/Client (“Participant”);
- the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant;
- and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant.
Protected health information includes information of persons living or deceased.
Some examples of PHI are:
- Participant’s medical record number
- Participant’s demographic information (e.g. address, telephone number)
- Information doctors, nurses and other health care providers put in a participant’s medical record
- Images of the participant
- Information about a participant in a provider’s computer system or a health insurer’s computer system
- Billing information about a participant at a clinic
- Any health information that can reveal the identity of an individual, or whose contents can be used to make a reasonable assumption as to the identity of the individual.
It is the Company’s policy to comply fully with HIPAA’s requirements. To that end, all staff members and/or contractors who have access to PHI must comply with this HIPAA Compliance Policy.
For purposes of this plan and the Company’s use and disclosure procedures, the workforce includes individuals who would be considered part of the workforce under HIPAA, such as employees, volunteers, interns, subcontractors, board members and other persons whose work performance is under the direct control of Steldia, whether or not they are paid by Steldia. The term “employee” or “staff member” includes all of these types of workers.
Steldia reserves the right to amend or change this Policy at any time (and even retroactively) without notice. All staff members must comply with all applicable HIPAA privacy and information security policies. If after an investigation you are found to have violated the organization’s HIPAA privacy and information security policies then you will be subject to disciplinary action up to termination or legal ramifications if the infraction requires it.
SECTION 1: Responsibilities as Covered Entity
I. Privacy Officer
Data Protection Officer of the Company will be the HIPAA Privacy Officer for Steldia.
The Privacy Officer will also serve as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI. The Privacy Officer can be reached at [email protected]
II. Incident Response Team
The Incident Response Team is comprised of the CIO, COO, Site Managers and additional members deemed appropriate on an ad hoc basis in the reasonable judgment of the Privacy Officer.
In the event a security incident results in a wrongful disclosure of PHI, the Privacy Officer, in conjunction with the Incident Response Team, will take appropriate actions to prevent further inappropriate disclosures. In addition, Legal may be consulted as part of the review team to assist in the review and investigation of privacy incidents when required. If the Privacy Officer and Incident Response Team have not resolved the incident, the Privacy Officer shall involve anyone determined to be necessary to assist in the resolution of the incident. If participants and/or clients need to be notified of any lost/stolen PHI, the Privacy Officer will send PHI Theft/Loss Disclosure Letters to all possibly affected individuals and/or entities.
III. Workforce Training
It is the Company’s policy to train all members of its workforce who have access to PHI on its privacy policies and procedures. All staff members receive HIPAA training. Whenever a privacy incident has occurred, the Privacy Officer in collaboration with management will evaluate the occurrence to determine whether additional staff training is in order. Depending upon the situation, the Privacy Officer may determine that all staff should receive training that is specific to the privacy incident. The Privacy Officer will review any privacy training developed as part of a privacy incident resolution to ensure the materials adequately address the circumstances regarding the privacy incident and reinforce the Company’s privacy policies and procedures.
The Company has established technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. Technical safeguards include limiting access to information by means of computer firewalls. Physical safeguards include locking doors or filing cabinets and periodically changing door access codes. Additionally, all staff members can only access PHI by using their own login information. Firewalls ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for their job functions and/or contract fulfillment, and that they will not further use or disclose PHI in violation of HIPAA’s privacy rules.
Data Storage / Backup / Remote Access
Currently, all data in the local data center is backed up using industry standards, with off-site storage of media. Steldia currently utilizes technology that allows the IT team to quickly remove, disable and start staff member access to PHI.
The Privacy Officer will be the Company’s contact person for receiving complaints. The Privacy Officer is responsible for creating a process for individuals and/or entities to lodge complaints about the Company’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint form shall be provided to any participant upon request.
Sanctions for using or disclosing PHI in violation of this HIPAA Privacy Plan will be imposed, up to and including termination.
VII. Mitigation of Inadvertent Disclosures of Protected Health Information
Company shall mitigate, to the extent possible, any harmful effects that become known to it because of a use or disclosure of a Participant’s PHI in violation of the policies and procedures set forth in this Plan. Accordingly, if an employee becomes aware of a disclosure of protected health information, either by a staff member of the Company or by an outside consultant/contractor, that is not in compliance with this Policy, the employee must immediately contact the Privacy Officer so that the appropriate steps to mitigate the harm to the participant can be taken.
VIII. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA. No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.
The Company has developed an Incident Report form. This form is used to document reports of privacy breaches that have been referred to the Privacy Officer from staff members who have reviewed or received the suspected incident. After receiving the Incident Report form from staff members, the Privacy Officer classifies the incident and its severity and analyzes the situation. Documentation shall be retained by the Company for a minimum of six years from the date of the reported incident. If the Privacy Officer is able to resolve the incident, the Privacy Officer shall also document the actions taken to resolve the issue in the Incident Report form.
X. Electronic Health Records
Just like paper records, Electronic Health Records (EHRs), created or lawfully obtained by the Company during the provision of Services to its Clients, must comply with HIPAA and other applicable laws. Unlike paper records, electronic health records can be encrypted — using technology that makes them unreadable to anyone other than an authorized user — and security access parameters are set so that only authorized individuals can view them. Further, EHRs offer the added security of an electronic tracking system that provides an accounting history of when records have been accessed and who accessed them.
XI. Access Authorization
Steldia will grant access to PHI based on individuals’ job functions and responsibilities. The Privacy Officer, in collaboration with IT and senior management, is responsible for determining which individuals and/or contractors require access to PHI and what level of access they require, through discussions with the individual’s manager and/or department head. The IT department will keep a record of authorized users and the rights that they have been granted with respect to PHI. IT keeps a comprehensive matrix of how and to whom rights are granted.
SECTION 2: Use and Disclosure of PHI
I. Use and Disclosure Defined
The Company will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:
- Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Company, or by a Business Associate of the Company.
- Disclosure. For information that is protected health information, disclosure means any release, transfer, provision of access to, or divulging in any other
II. Access to PHI Is Limited to Certain Employees
All staff who perform functions on behalf of the Company that involve PHI will have access to PHI as determined by their department and job description and/or individual contracts, and as granted by IT.
These employees with access may use and disclose PHI as required under HIPAA but the PHI disclosed must be limited to the minimum amount necessary to perform the job function. Employees with access may not disclose PHI unless an approved compliant authorization is in place or the disclosure otherwise is in compliance with this Plan and the use and disclosure procedures of HIPAA.
III. Disclosures of PHI Pursuant to an Authorization
PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with HIPAA and this Policy.
IV. Permissive Disclosures of PHI for Legal and Public Policy Purposes
PHI may be disclosed in the following situations without a participant’s authorization, when specific requirements are satisfied.
The Company’s use and disclosure procedures describe specific requirements that must be met before these types of disclosures may be made.
Permitted are disclosures:
- about victims of abuse, neglect or domestic violence;
- for judicial and administrative proceedings;
- for law enforcement purposes;
- for public health activities;
- for health oversight activities;
- about decedents;
- for cadaver organ, eye or tissue donation purposes;
- for certain limited research purposes;
- to avert a serious threat to health or safety;
- for specialized government functions;
- that relate to workers’ compensation programs.
V. Complying With the “Minimum Necessary” Standard
HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure. The “minimum necessary” standard does not apply to any of the following:
- uses or disclosures made to the individual;
- uses or disclosures made pursuant to a valid authorization;
- disclosures made to the Department of Labor;
- uses or disclosures required by law;
- uses or disclosures required to comply with HIPAA.
Minimum Necessary When Disclosing PHI. For making disclosures of PHI to any business associate or providers, or internal/external auditing purposes, only the minimum necessary amount of information will be disclosed. All other disclosures must be reviewed on an individual basis with the Privacy Officer to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.
Minimum Necessary When Requesting PHI. When making requests for disclosure of PHI from business associates, providers or participants for purposes of claims payment/adjudication or internal/external auditing, only the minimum necessary amount of information will be requested. All other requests must be reviewed on an individual basis with the Privacy Officer to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the request.
VI. Disclosures of PHI to Business Associates
With the approval of the Privacy Officer and in compliance with HIPAA, Company may disclose PHI to the Company’s business associates and allow the Company’s business associates to create or receive PHI on its behalf. However, prior to doing so, the Company must first obtain assurances from the business associate that it will appropriately safeguard the information.
Business Associate is an entity that:
- performs or assists in performing a Company function or activity involving the use and disclosure of protected health information (including claims processing or administration, data analysis, underwriting, etc.);
- provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.
VII. Disclosures of De-Identified Information
The Company may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers.
The 18 specific identifiers are listed below:
- Geographic subdivisions smaller than a state
- All elements of dates (except year) related to an individual — including dates of admission, discharge, birth, death — and for persons over 89 years of age, the year of birth cannot be used.
- Telephone numbers
- FAX numbers
- Electronic mail addresses
- Social Security Number
- Medical Record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web URLs
- Internet protocol addresses
- Biometric identifiers, including finger and voice prints
- Full face photos, and comparable images
- Any unique identifying number, characteristic or code
Under the statistical approach, a person with appropriate expertise must determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the individual, and this person must document the methods and justification for this determination.
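As an added example that is not part of this policy or of Steldia’s own tooling, the following Python applies the identifier-removal approach described above to a structured record: it drops the fields that carry direct identifiers (including every geographic field smaller than a state), reduces dates to the year only, collapses ages over 89 into a single “90+” category with the year of birth removed, and then scans any remaining free-text fields for residual phone numbers, SSNs, e-mail addresses, IP addresses, URLs and full dates so that a reviewer is alerted before release. The field names and sample records are constructed assumptions, not a schema the Company uses. Pattern matching cannot catch names or other identifiers written into prose, so a clean result from this check is not proof that a record is de-identified; it is a release gate that catches the mechanical cases.

```python
import re
from datetime import date

# Constructed schema for this example (assumption): record keys that hold direct
# identifiers under the 18-identifier list, plus geographic fields smaller than a state.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id", "account_no",
    "license_no", "vehicle_plate", "device_serial", "url", "ip_address",
    "biometric_id", "photo", "street", "city", "zip",
}
# Date fields: only the year survives de-identification.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
AGE_CUTOFF = 89  # ages above this collapse into one category and lose the birth year

# Patterns used to flag residual identifiers left inside free-text fields.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def age_on(dob: date, ref: date) -> int:
    """Whole years between dob and ref, not counting a birthday that has not yet occurred."""
    years = ref.year - dob.year
    if (ref.month, ref.day) < (dob.month, dob.day):
        years -= 1
    return years


def find_identifiers_in_text(text: str) -> list:
    """Return the sorted identifier categories whose pattern appears in the text."""
    return sorted(name for name, pattern in TEXT_PATTERNS.items() if pattern.search(text))


def deidentify(record: dict, as_of: date):
    """Return (de-identified record, residual-identifier report keyed by field)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifier: removed outright
        if key in DATE_FIELDS:
            if isinstance(value, date):
                out[key + "_year"] = value.year  # keep the year only
            continue
        out[key] = value

    dob = record.get("dob")
    if isinstance(dob, date):
        years = age_on(dob, as_of)
        if years > AGE_CUTOFF:
            out["age"] = "90+"           # single category for everyone over 89
            out.pop("dob_year", None)    # and the year of birth may not be used
        else:
            out["age"] = years

    # Free text (clinical notes etc.) can still carry identifiers; report them rather
    # than releasing silently.
    residual = {}
    for key, value in out.items():
        if isinstance(value, str):
            hits = find_identifiers_in_text(value)
            if hits:
                residual[key] = hits
    return out, residual


# Constructed sample records (assumptions, not real patient data).
REFERENCE_DATE = date(2024, 1, 1)
SAMPLE_ELDERLY = {
    "name": "Example Person", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "street": "1 Example St", "city": "Exampleville", "state": "CA", "zip": "90001",
    "dob": date(1930, 3, 15), "admit_date": date(2023, 11, 2),
    "diagnosis": "hypertension", "notes": "Pt phoned from 555-123-4567 re: follow-up.",
}
SAMPLE_ADULT = {
    "name": "Another Person", "mrn": "MRN-0002", "state": "NY",
    "dob": date(1985, 6, 20), "discharge_date": date(2023, 12, 9),
    "diagnosis": "sprain", "notes": "Routine visit, no concerns.",
}

if __name__ == "__main__":
    for sample in (SAMPLE_ELDERLY, SAMPLE_ADULT):
        cleaned, residual = deidentify(sample, REFERENCE_DATE)
        print(cleaned, "RESIDUAL:", residual or "none")
```

Anything reported in the residual map should block release until a human has reviewed and redacted the field; the first sample record above is flagged because a phone number survives inside the notes even though every identifier field was removed.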
VIII. Removing PHI from Company Premises
When Company deems it necessary for an employee and/or contractor to work from a location other than one of our sites, PHI may be accessed and/or removed under the following circumstances:
1. Before removing PHI for company business you must receive approval from your department Director and IT.
2. Steldia will only allow the removal of paper PHI (participant records, reports) when it is transported in a secure lock box and when approved by the department Director and the Privacy Officer.
3. Steldia will provide laptop computers and/or a suitable software environment for employees and/or contractors required to work offsite and access PHI in a non-Steldia setting. Any files saved on these computers are saved to the network and are therefore secure.
4. The electronic removal of PHI (using flash drives) for the purposes of working from a non-Steldia setting may be approved in advance by IT only. In the very rare circumstance that it becomes necessary, the PHI should be rigorously safeguarded physically as well as electronically, including employee-performed encryption of all files. Most flash drives have the capability to assign a password.
The following safeguards are required of all employees and/or contractors when working from a non-Steldia site:
- When outside the facility, only work on health information in a secure private environment.
- Keep the information with you at all times while in transit.
- Do not permit others to have access to the information.
- Never email participant information.
- Don’t save participant information to your home computer.
- Do not print records of any type.
- Do not record login information on or near the computer.
- Return all information the next business day or as soon as required.
PHI Breach Reporting
The purpose of this section is to address the Company’s privacy requirements for reporting, documenting, and investigating a known or suspected action or adverse event resulting from unauthorized use or disclosure of individually identifiable health information.
A privacy breach is an adverse event or action that is unplanned, unusual, and unwanted that happens as a result of non-compliance with the privacy policies and procedures of the Company. A privacy breach must pertain to the unauthorized use or disclosure of health information, including ‘accidental disclosures’ such as misdirected e-mails or faxes.
The Privacy Officer shall immediately investigate and attempt to resolve all reported suspected privacy breaches. Staff members are required to verbally report to their supervisor any event or circumstance that is believed to be an inappropriate use or disclosure of a participant’s PHI. If the supervisor is unavailable, the staff member must notify the Privacy Officer within 24 hours of the incident. If the manager determines that further review is required, the manager and staff member will consult with the Privacy Officer to determine whether the suspected incident warrants further investigation. In all cases an Incident Report must be filled out and submitted to the appropriate reviewer.
The Privacy Officer will document all privacy incidents and corrective actions taken. Documentation shall include a description of corrective actions, if any are necessary, or explanation of why corrective actions are not needed, and any mitigation undertaken for each specific privacy incident. All documentation of a privacy breach shall be maintained with the Privacy Officer and shall be retained for at least six years from the date of the investigation.
Such documentation is not considered part of the participant’s health record. If the participant is not aware of a privacy incident, the Privacy Officer shall investigate the incident thoroughly before determining whether the participant should be informed. If the participant is aware of a privacy incident, the Privacy Officer shall contact the participant within three (3) business days of receiving notice of the incident. The method of contact is at the discretion of the Privacy Officer, but the resulting communications with the participant must be documented in the incident report. In addition, any privacy incident that includes a disclosure for which an accounting is required must be documented and entered into the accounting of disclosures. Staff who fail to report known PHI/security incidents, or fail to report them promptly, may be subject to disciplinary action up to termination.
Do you have a question about our HIPAA practices, or do you want to report an incident to us?
Please contact our dedicated Privacy Officer at [email protected]