Statement of Adherence to HIPAA
Data Protection Standards
July 24, 2023
1.0 Privacy Rule
We comply with the requirements of the Privacy Rule to:
- Notify patients and survey respondents about their privacy rights and how we use their information
- Adopt privacy procedures and train employees to follow them
- Assign an individual to make sure we’re adopting and following privacy procedures
- Secure patient records containing PHI so they aren't readily available to those who don't need to see them
We also comply with the requirements of the Privacy Rule by protecting any PHI that we hold or transmit in any form, including electronic, paper, or verbal. PHI includes information about:
- Common identifiers, such as name, address, birth date, and SSN
- The patient’s past, present, or future physical or mental health condition
- Health care provided to the patient
- The past, present, or future payment for health care provided to the patient
2.0 Security Rule
We comply with the requirements of the Security Rule, which protects the confidentiality, integrity, and availability of patients' electronic PHI (ePHI), by:
- Developing reasonable and appropriate security policies
- Ensuring the confidentiality, integrity, and availability of all ePHI we create, receive, maintain, or transmit
- Identifying and protecting against threats to ePHI security or integrity
- Protecting against impermissible uses or disclosures
- Analyzing security risks in the environment and creating appropriate solutions
- Reviewing and modifying security measures to continue protecting ePHI in a changing environment
- Ensuring employee compliance
We developed compliant security measures by considering:
- Our size, complexity, and capabilities
- Our technical, hardware, and software infrastructure
- The costs of security measures
- The likelihood and possible impact of risks to ePHI
3.0 Breach Notification Rule
We comply with the requirements of the Breach Notification Rule regarding notifying affected patients, HHS, and, in some cases, the media in the event of a PHI breach. We understand that in general, a breach is an unpermitted use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. We acknowledge that the unpermitted use or disclosure of PHI is a breach unless there’s a low probability the PHI has been compromised, based on a risk assessment of:
- The nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the PHI was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
We will notify affected patients and HHS of most breaches without unreasonable delay and no later than 60 days after discovering the breach. We will also submit notifications of smaller breaches affecting fewer than 500 patients to HHS annually. We understand and require that our business associates notify us of breaches at or by the business associate in compliance with the requirements of the Breach Notification Rule.