HIPAA POLICIES SUMMARY

Use of Patient Health Records

As a general rule, a patient's information will be used or disclosed only for treatment, obtaining payment for treatment, or for internal health care operations, with a few exceptions required by law. This ensures that health information is not used for non-health purposes, and that we provide only the minimum amount of information necessary to deliver high quality health care for our patients. This policy also requires that we track released information so that the patient is able to see whether their information has been released to a third party.

Appointment of a HIPAA Security and Compliance Officer

Dr. Emily Wolkomir has accepted the responsibility of HIPAA Security and Compliance Officer. She is responsible for making sure staff are knowledgeable, that appropriate staff have the appropriate system and information clearances, and that staff and systems are up-to-date and compliant with HIPAA. Any questions regarding HIPAA compliance, violations of policy, patient requests, or general concerns should be brought to her attention immediately.

HIPAA Risk Analysis

PHI (Personal Health Information) and systems containing PHI will be continually assessed to ensure the confidentiality, integrity and availability of PHI. This includes reviewing logs of when information is accessed and by whom.

HIPAA Risk Management

It is the responsibility of the Security Officer to implement security measures to address threats that are either known or suspected. It is each employee’s responsibility to report potential or perceived threats to the Security Officer.

Disclosure of PHI to Subcontractors

There are very specific rules for disclosing PHI to subcontractors of Tri-Motion Rehab. There should be absolutely no disclosures to third parties unless specifically approved by Dr. Wolkomir, who will ensure compliance with this policy.

Sanctions for HIPAA Violations

We are responsible for applying appropriate sanctions to any person responsible for the protection of PHI who fails to comply with or violates any HIPAA policies or laws. Compliance with HIPAA policies and laws is imperative, as internal, civil and criminal sanctions may apply to violations, depending on the level of the violation.

HIPAA Minimum Necessary Standards

When PHI is disclosed, the minimum necessary standard must be applied, unless the information is being used for treatment purposes or under other requirements of the HIPAA regulations. If you are in doubt as to whether a disclosure falls under this standard, consult with Dr. Wolkomir.

Information System Activity Review

We must adopt and implement procedures for the regular review of records with regard to audit logs, user access reports, security incident tracking reports, and other relevant records.

Workforce Security Standards

This standard ensures that staff have appropriate access to PHI. It also provides guidance on the access points for this information, such as computers, mobile devices, or other technology.

Privacy and Security Awareness and Training

All staff will be provided with privacy and security awareness training, so that they may fully comply with HIPAA regulations.

Security Incident Procedures

We are responsible for identifying and responding to HIPAA violations and security incidents. The Security Officer is also responsible for mitigating the harmful effects of any violations or incidents.

Emergency Contingency Plan

We are responsible for adopting a contingency plan for cases of emergency, disaster, loss, or theft, to ensure the confidentiality, integrity and availability of PHI.

Workstation Use and Security

We must specify the functions that may be performed by employees at specific workstations, and know where those workstations are at all times. This requires the assignment of unique logins and the implementation of specific logon and logoff requirements for each employee. It also defines the acceptable use and disposal of electronic media.

Facility Access

We must limit physical access to our information systems and facilities to authorized staff.