Axia (Axia Technologies, LLC.)
Policy No. 002
Approved By: Kevin Kidd, President
Original Date: July 1, 2014
Effective Date: July 1, 2014
Updated: June 30, 2017
Responsible Party/Official: Bart Falzarano
“Protected health information” means information, including demographic information collected from an individual, related to an individual’s past, present or future physical or mental condition, medical treatment or payments for medical treatment, and that identifies, or can reasonably be used to identify, the individual.
1. Privacy Officer
Axia has appointed a Privacy Officer, who is responsible for the development and implementation of policies and procedures relating to privacy, and for monitoring and ensuring the organization’s compliance with state and federal law and Axia’s privacy policies and procedures. The Privacy Officer will also serve as the contact person for individuals who have questions, concerns or complaints about the privacy of their information.
The Privacy Officer’s contact information is:
Bart Falzarano, 4183 State Street, Santa Barbara, CA 93110, 805-679-8110, firstname.lastname@example.org
Reference: 45 C.F.R. § 164.530(a).
2. Use and Disclosure
Axia and its workforce members will use and disclose protected health information only as permitted under HIPAA and in accordance with the terms of any applicable business associate agreement to which it is a party, or as otherwise required by state or federal law. The terms “use” and “disclosure” are defined as follows:
“Use” means the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within Axia.
“Disclosure” means the release, transfer, provision of access to, or divulging in any manner of information outside Axia.
References: 45 C.F.R. §§ 160.103 and 164.504(e)(2).
3. Minimum Necessary
When using or disclosing protected health information or when requesting protected health information from another entity, Axia will, in accordance with the terms of any applicable business associate agreement to which it is a party, make reasonable efforts to limit the request, use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
The minimum necessary standard does not apply to any of the following:
• Uses or disclosures made to the individual who is the subject of the information;
• Uses or disclosures made pursuant to a valid authorization;
• Disclosures made to the Secretary of Health and Human Services;
• Uses or disclosures required by law; and
• Uses or disclosures required to comply with HIPAA.
Please contact the Privacy Officer should you have any questions concerning the application of the minimum necessary standard to any particular use, disclosure or request for protected health information.
Reference: 45 C.F.R. § 164.502(b).
4. Reasonable Safeguards
Only employees with an officially granted account may access Axia computer systems and networks requiring passwords. Each employee with access to a computer system or application must maintain the confidentiality and integrity of the information he or she accesses at all times. Each employee is expected not to leave protected health information on a computer screen where an unauthorized individual may view it.
Paper records containing protected health information should not be stored in public or widely used employee areas where personnel can inappropriately access, view, copy or remove pages or portions of protected health information. Copy and fax machines used to copy and transmit protected health information may need to be placed in rooms other than the general mail-service rooms. Protected health information should not be accessible or easily viewed by the public or other unauthorized persons.
Any breach or threat to the confidentiality of protected health information must be reported immediately to the employee’s supervisor or to the Privacy Officer.
Upon termination of employment, all employees are required to return or destroy all protected health information.
Reference: 45 C.F.R. § 164.530(c).
5. Workforce Training
Axia will train all members of its workforce (including management) on privacy and security issues and Axia’s policies and procedures regarding protected health information. Training will be appropriate for Axia personnel to carry out their functions within the company. The Privacy Officer is responsible for developing training schedules and programs so that all workforce members receive the training necessary and appropriate to permit them to carry out their functions. Such program shall include an initial training program for all new employees and periodic ongoing training on an as-needed basis. Every employee at Axia will be required to sign a certification form or training log upon completion of both the new employee and periodic training. Additional training will be given to those employees who are affected by a material change in law and/or policy and procedure prior to the date such changes become effective.
All training materials, including all certifications, must be documented and maintained for a minimum of six years.
Reference: 45 C.F.R. § 164.530(b)(1).
6. Sanctions
Axia will apply appropriate sanctions against employees or other staff who fail to safeguard or who inappropriately use or disclose protected health information. Failure to adhere to Axia’s policies and procedures regarding the confidentiality of protected health information and/or applicable state and federal laws regarding the confidentiality of protected health information will result in disciplinary action, up to and including termination of employment or contractual agreement.
Reference: 45 C.F.R. § 164.530(e).
7. Disclosures to Business Associates/Subcontractors
Axia may disclose protected health information to its vendors and subcontractors (known as “business associates”) who require access to such information, provided the business associates provide reasonable assurances that they will appropriately safeguard the privacy and security of the information. Before sharing protected health information with outside consultants, contractors or vendors who meet the definition of a “business associate,” employees must contact the Privacy Officer to verify that a Business Associate Agreement is in place.
The Business Associate Agreement must include contractual provisions that:
• Establish and describe the permitted and required uses and disclosures of information;
• Prohibit the business associate from using or disclosing protected health information except as specified in the agreement and as permitted by law;
• Require the business associate to implement the administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the protected health information that it creates, receives, maintains or transmits on behalf of Axia as required by the Privacy Rule, the Security Rule, and the Health Information Technology for Economic and Clinical Health Act (HITECH Act);
• Require the business associate to agree to use, disclose, and request only the limited data set of protected health information, or if needed by the entity, the minimum necessary information to accomplish the intended purpose of the use, disclosure or request;
• Require the business associate to report to Axia any privacy violation or security incident, including any use or disclosure of protected health information not provided by the Business Associate Agreement and any breach of unsecured protected health information, with all relevant details, and be prepared to respond to and mitigate, to the extent practicable, any harmful effect of such an incident;
• At termination of the Business Associate Agreement, require the business associate, if feasible, to return or destroy all protected health information (and any copies of such information) in its possession. When return or destruction of protected health information is not feasible, the business associate will extend contractual protections to such information and limit further uses and disclosures of the information to those purposes that make its return or destruction infeasible;
• Provide that the business associate will comply, where applicable, with the requirements of the Security Rule with respect to electronic protected health information it receives, creates, maintains or transmits on behalf of Axia;
• Ensure that any subcontractor that creates, receives, maintains or transmits protected health information on behalf of the business associate agrees to the same restrictions and conditions that apply to the business associate with respect to such information, including compliance with the Security Rule with respect to any electronic protected health information;
• Agree to make available protected health information to individuals requesting access in accordance with 45 C.F.R. § 164.524, for amendment in accordance with 45 C.F.R. § 164.526, and for an accounting of disclosures in accordance with 45 C.F.R. § 164.528;
• State that the business associate will make internal practices, books and records relating to the use and disclosure of protected health information from, or created or received by the business associate on behalf of, Axia available to the Secretary of HHS for the purpose of determining Axia’s compliance with HIPAA; and
• Authorize termination of the contract by Axia if it determines that the business associate has violated a material term of the contract.
“Business Associate” means an entity that:
• On behalf of Axia, performs or assists in performing a function or activity involving the use or disclosure of protected health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or
• Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for Axia, where the performance of such services involves giving the service provider access to protected health information.
A business associate includes a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
“Subcontractor” means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a workforce member of such business associate.
References: 45 C.F.R. § 160.103; 45 C.F.R. § 164.314(a); 45 C.F.R. § 164.504(e).
8. Complaints
The Privacy Officer is the contact person for receiving complaints. The Privacy Officer is responsible for creating a process for individuals to lodge complaints about the company’s privacy procedures and for creating a system for handling such complaints. The Privacy Officer will investigate all complaints received and document their disposition.
Reference: 45 C.F.R. § 164.530(d).
9. Mitigation of Unauthorized Uses and Disclosures of Protected Health Information
Reference: 45 C.F.R. § 164.530(f).
10. No Intimidating or Retaliatory Acts
Axia will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practices under HIPAA.
Reference: 45 C.F.R. § 164.530(g).
11. Patient Rights
Amendment and Access
The HIPAA Privacy Rule gives individuals the right to amend, access and receive a copy of their protected health information that is maintained in a Designated Record Set. Because Axia does not maintain protected health information in a Designated Record Set, all requests for access or amendment must be forwarded to the covered entity on whose behalf Axia is providing services in accordance with the terms of the parties’ business associate agreement. Axia shall notify the individual requesting access or amendment that the facility that provided the service will be contacted and made aware of his or her request and that all copies of any records will come from such facility and not from Axia.
“Designated Record Set” means a group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for a covered entity to make decisions about individuals. For purposes of this definition, the term “record” means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
References: 45 C.F.R. §§ 164.501; 164.504(e)(2)(ii)(E) and (F); 164.524; and 164.526.
Accounting of Disclosures
The HIPAA Privacy Rule also gives individuals the right to request an accounting of certain disclosures of their protected health information. Axia will make such information available to the covered entity on whose behalf it is providing services, in accordance with the terms of the parties’ business associate agreement.
This right to an accounting extends to disclosures made in the last six years, other than disclosures:
• To carry out treatment, payment or health care operations;
• To individuals about their own protected health information;
• Incident to an otherwise permitted use or disclosure or pursuant to an authorization;
• To persons involved in the patient’s care or other notification purposes;
• As part of a limited data set; or
• For national security or intelligence purposes.
All requests for an accounting of disclosures must be forwarded to the Privacy Officer (or designee), who will determine the appropriate response to such request.
The accounting must include, at a minimum, the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).
If the terms of the company’s business associate agreement require that Axia provide an accounting of disclosures directly to the individual, Axia must provide the first accounting within a twelve-month period without charge. Axia may charge a reasonable, cost-based fee for each subsequent request for an accounting by the individual within the same twelve-month period, provided that Axia informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request.
References: 45 C.F.R. §§ 164.504(e)(2)(ii)(G); 164.528.
Requests for Restrictions
Individuals may request restrictions on the use and disclosure of their protected health information. All such requests for restrictions, either by the individual or by a covered entity for whom Axia is performing services, shall be forwarded to the Privacy Officer (or designee), who shall determine, in accordance with the terms of the company’s business associate agreement, how to respond to such request. Unless otherwise required by law, Axia will comply with all requests for restrictions on disclosures to a health plan if the disclosure is for purposes of payment or health care operations and pertains solely to a health care item or service for which the individual has paid his or her health care provider out of pocket in full.
Reference: 45 C.F.R. § 164.522(a).
12. Reporting Unauthorized Disclosures, Security Incidents and Breaches of Unsecured Protected Health Information
Axia will report to the covered entity on whose behalf Axia is providing services each of the following incidents:
1. Any use or disclosure of protected health information not provided for by its business associate agreement with such covered entity, or in violation of applicable state or federal privacy law;
2. Any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system (“Security Incident”); and
3. Any Breach of Unsecured Protected Health Information (defined below).
The Privacy Officer must be notified immediately following the discovery of a potential Breach or violation. The Privacy Officer will be responsible for investigating and documenting the potential Breach or violation and coordinating reporting efforts in accordance with the terms of Axia’s business associate agreement with the covered entity. The terms of the company’s business associate agreement generally will specify when reports to the covered entity must be made and the type of information that must be reported. The business associate agreement may also require that Axia send notices to individuals, or assist the covered entity in sending notices to individuals, following a Breach or state law security breach.
Axia will mitigate, to the extent practicable, any harmful effect that is known to it of any Breach, Security Incident or unauthorized use or disclosure of protected health information.
“Breach” means the acquisition, access, use or disclosure of protected health information in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the protected health information. A Breach excludes:
1. Any unintentional acquisition, access or use of protected health information by a workforce member or person acting under the authority of Axia, if such acquisition, access or use was made in good faith and within the person’s scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule;
2. Any inadvertent disclosure by a person who is authorized to access protected health information at Axia to another person authorized to access protected health information at Axia, or organized health care arrangement in which Axia or the client participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule; or
3. A disclosure of protected health information where Axia has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
“Unsecured Protected Health Information” means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS in guidance.
References: 45 C.F.R. §§ 164.314(a)(2)(C); 164.504(e)(2)(ii)(C); 164.402; and 164.410.
14. Sale of Protected Health Information
Axia prohibits the sale of protected health information for any purpose without written authorization from the individual.
“Sale” of protected health information means a disclosure of protected health information where the seller directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the information.
The term “sale” does not include a disclosure of protected health information: (a) For public health purposes; (b) for research purposes (where the only remuneration received is a reasonable cost-based fee); (c) for treatment and payment purposes; (d) for the sale, transfer, merger or consolidation of all or part of the entity and for related due diligence; (e) to or by a business associate for activities that the business associate undertakes on behalf of Axia (where the only remuneration provided is by Axia to the business associate for the performance of such activities); (f) to an individual; (g) when required by law; or (h) for any purpose permitted by and in accordance with the applicable requirements of the HIPAA Privacy Rule (where the only remuneration received is a reasonable cost-based fee).
References: 45 C.F.R. §§ 164.502(a)(5)(ii) and 164.508(a)(4).
15. Documentation
Axia’s privacy policies and procedures must be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.
Axia will make its internal practices, books, and records relating to the use and disclosure of protected health information available to the Secretary of the U.S. Department of Health and Human Services, upon request, for purposes of determining compliance with the HIPAA Privacy Rule.
References: 45 C.F.R. §§ 164.530(j) and 164.504(e)(2)(ii)(I).