HIPPA POLICIES SUMMARY
Use of Patient Health Records
As a general Rule patient’s information will be used or disclosed only for treatment, obtaining payment for treatment, or for internal health care operations, with a few exceptions required by law. This ensures that health information is not used for non-health purposes, and ensures that we provide only the minimum amount of information necessary to provide high quality health care for our patients. This policy also requires that we track the released information so that the patient is able to see if there information has been released to a third party.
Appointment of a HIPPA Security and Compliance Officer
Dr. Emily Wolkomir has accepted the responsibility of the HIPPA Security and Compliance Officer. She is responsible for making sure staff is knowledgeable, that appropriate staff have appropriate system and information clearances, and that staff and systems are up-to-date and compliant with HIPPA. Any questions regarding HIPPA compliance, violations of policy, patient requests or general concerns or questions should be immediately brought to her attention.
HIPPA Risk Analysis
PHI (Personal Health Information) and systems containing PHI will be continually assessed to ensure the confidentiality, integrity and availability of PHI. This includes reviewing logs of when information is accessed and by whom.
HIPPA Risk Management
It is the responsibility of the Security Officer to implement security measures to address threats that are either known or suspected. It is each employee’s responsibility to report potential or perceived threats to the Security Officer.
Disclosure of PHI to Subcontractors
There are very specific rules for disclosing PHI to subcontractors of Tri-Motion Rehab. There should be absolutely no disclosures to third parties unless specifically approved by Dr. Wolkomir who will ensure compliance with this policy.
Sanctions for HIPPA Violations
We are responsible for applying appropriate sanctions for any person responsible for the protection of PHI who either fails to comply or violates any HIPPA policies or laws. Compliance with HIPPA policies and laws is imperative as there can be internal, civil and criminal sanctions that may apply to violations, based on the level of violation.
HIPPA Minimum Necessary Standards
When PHI is disclosed, the minimum necessary standard rule must be used, unless the information is being used for treatment purposes or other requirements of HIPPA regulations. If you are in doubt of whether a disclosure falls under this standard, consult with Dr. Wolkomir.
Information System Activity Review
We must adopt and implement procedures for the regular review of records with regard to audit logs, user access reports, security incident tracking reports, and other relevant records.
Workforce Security Standards
This ensures that staff has appropriate access to PHI. This also provides guidance as to access points for this information such as computers, mobile devices, or other technology.
Privacy and Security Awareness and Training
All staff will be provided with privacy and security awareness training, so that they may fully comply with HIPPA regulations.
Security Incident Procedures
We are responsible for identifying and responding to HIPPA violation or security system security incidents. The Security Officer is also responsible to mitigate harmful effects of any violations or incidences.
Emergency Contingency Plan
We are responsible for adopting a contingency plan in case of emergency, disaster, loss or theft to ensure confidentiality, integrity and availability of PHI.
Workstation Use and Security
We must specify specific functions that may be performed by employees at specific work stations, and know where those workstations are at all times. This requires the assignment of unique log-ins and implementation of specific logon and logoff requirements for each employee. It also defines the acceptable use and disposal of electronic media.
We must limit physical access to our information systems and facilities to authorized staff.