Part I · Chapter 17

HIPAA

Organization-wide HIPAA compliance, PHI safeguards, and officer designation.

Policy Name: HIPAA

Policy Statement: The Company is committed to protecting the privacy and security of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and its subsequent amendments, as well as any other applicable state or federal regulations. This policy outlines the responsibilities of employees and contractors in safeguarding PHI and ensuring compliance with HIPAA regulations.

Scope

This policy applies to all employees, contractors, and workforce members of the Company who have access to, use, or disclose PHI. Compliance with HIPAA regulations is mandatory for all individuals covered by this policy.

Policy Compliance

  • Privacy and Security Officer: The Company designates a Privacy and Security Officer responsible for overseeing HIPAA compliance. Any concerns or questions regarding HIPAA should be directed to the Privacy and Security Officer.
  • Workforce Training: All employees and contractors will receive or obtain HIPAA training upon hire and annually thereafter. Training includes an overview of HIPAA regulations, the Company's policies and procedures, and the importance of protecting PHI.
  • Use and Disclosure of PHI: Employees and contractors will only use or disclose PHI as necessary to perform their job duties. Unauthorized use or disclosure of PHI is strictly prohibited.
  • Minimum Necessary Standard: Employees and contractors will adhere to the "minimum necessary" standard, meaning they will only access or disclose the minimum amount of PHI necessary to accomplish their job functions.
  • Patient Consent: PHI may not be used or disclosed without the patient's valid consent, except when otherwise permitted by law. All consents for PHI use and disclosure must be properly documented.
  • Physical Safeguards: Employees and contractors must protect physical records containing PHI from unauthorized access. This includes securing and locking file cabinets and ensuring computer screens are not visible to unauthorized individuals.
  • Electronic Safeguards: Electronic PHI must be protected through the use of secure passwords, encryption, and access controls. Workforce members are responsible for safeguarding their login credentials.
  • Reporting Incidents: Any security breaches or unauthorized disclosures of PHI must be reported immediately to the Privacy and Security Officer. This includes any lost, stolen, or compromised devices containing PHI.
  • Patient Rights: Employees and contractors must respect patients' rights regarding their PHI. This includes providing patients with access to their own PHI upon request.
  • Sanctions: Non-compliance with this policy may result in disciplinary action, up to and including termination for employees or termination of contracts for contractors, in accordance with Company policies and procedures.