6.2 · Appendices
HIPAA · 45 CFR §164 Privacy and Security Rule
The Company is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and complies with the federal HIPAA Privacy and Security Rules issued by the U.S. Department of Health and Human Services, Office for Civil Rights.
The full Privacy and Security regulations are codified at 45 CFR Part 164, which includes:
- Subpart C: Security Standards for the Protection of Electronic Protected Health Information (administrative, physical, and technical safeguards)
- Subpart D: Notification in the Case of Breach of Unsecured Protected Health Information
- Subpart E: Privacy of Individually Identifiable Health Information (uses and disclosures, individual rights, notice of privacy practices, minimum necessary standard)
The current text of 45 CFR Part 164 is published and maintained by the federal government and is available at ecfr.gov, Title 45, Part 164. Guidance from the U.S. Department of Health and Human Services, Office for Civil Rights is available at hhs.gov/hipaa.
The Company maintains its own HIPAA Privacy and Security policies consistent with these regulations. For day-to-day expectations regarding patient information, see the HIPAA Privacy and Security topic in Section 4. Any suspected privacy or security incident must be reported to Human Resources or the Company Privacy Officer immediately.
Florida medical records confidentiality is reinforced by Florida Statutes Section 456.057 (records of health care practitioners) and Section 395.3025 (records held by licensed facilities). These Florida provisions apply alongside HIPAA.