Effective Date: 04-23-2021
The purpose of this document is to help employees, business associates, contractors, and subcontractors ("Contracted Entity" for an individual entity or "Contracted Entities" for multiple) of Infinipharm ("Company") become familiar with the requirements, and related information, that are part of the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Omnibus Rule (collectively, "HIPAA").
The contents of this HIPAA Policy are workplace policies that apply to all Infinipharm employees, business associates, Contracted Entities, and related covered entities and their personnel.
Contracted Entities must be trained on HIPAA rules and regulations, using the content contained below as well as the document entitled "Technology Security Training", within 30 days of being hired or contracted. Supervisors must record the training in the shared spreadsheet provided by the Security Officer or upper management. Contracted Entities must be provided a copy of this policy, or a link to it, for review once a year, but are not required to have formal re-training on it unless their supervisor or upper management deems it necessary. Review of this policy must be recorded in the same shared spreadsheet used for recording training. The Security Officer is responsible for maintaining the spreadsheet and printing it out from time to time to keep a physical record of the training accomplished.
Some positions may require more specific, in-depth training on particular HIPAA rules; however, the content covered with all Contracted Entities includes general information on the following: the Security Rule, the Privacy Rule, the Breach Notification Rule, and the Omnibus Rule. Many of the items covered below are for general awareness, but each Contracted Entity is responsible for ensuring compliance with the items that apply to their position or responsibilities.
The purpose of the Security Rule is to safeguard electronically created, accessed, processed, or stored Protected Health Information (ePHI), both at rest and in transit. This rule applies to any person or system with the means to read, write, modify, or communicate ePHI, or any personal identifiers that could reveal the identity of a patient. The Security Rule has three parts: technical safeguards, physical safeguards, and administrative safeguards.
Technical safeguards are focused on the technology that is used to protect ePHI and provide access to the data. They include:
- Access control: individual user accounts with passwords, or an equivalent authentication mechanism, so that only authorized users can reach ePHI.
- Mechanisms to authenticate ePHI: integrity controls that confirm whether ePHI has been altered or destroyed in an unauthorized manner.
- Encryption and decryption: our applications and systems must encrypt messages containing ePHI before they leave an internal, firewalled server, and decrypt them only when they are received by the intended system.
- Activity logs and audit controls: to record attempted access to ePHI and what is done with that data once it has been accessed. Logs are kept within the Company. Contracted Entities must not modify patient information except on behalf of a client, and only after obtaining written permission and instructions from the client to do so.
- Automatic log-off of devices: authorized personnel are automatically locked out of, or logged off from, the device they are using to access or communicate ePHI after a pre-defined idle period. This prevents unauthorized access to ePHI should the device be left unattended.
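Two of the technical safeguards listed above, integrity authentication of ePHI and automatic log-off after an idle period, as a small worked example. This is an added illustration, not code from the Infinipharm systems or this policy: the record fields, the integrity key, the 15-minute idle limit, and the session and audit-log structure are all assumptions. The integrity tag is an HMAC-SHA256 over a canonical serialization of the record, so any change to a field (or to the tag itself) makes verification fail and is written to the audit log.

```python
"""Added example (not part of the Infinipharm policy): HMAC-based ePHI
integrity authentication plus idle-timeout log-off with audit logging."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: a per-deployment integrity key held by the application,
# never stored alongside the data it protects. Placeholder value only.
INTEGRITY_KEY = b"example-integrity-key-replace-in-production"
TAG_FIELD = "_integrity"


def canonical(record: dict) -> bytes:
    # Deterministic serialization: same content always yields the same bytes,
    # regardless of key order, so the HMAC is reproducible.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record with an HMAC-SHA256 integrity tag attached."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, TAG_FIELD: tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag over the record (minus its tag) and compare in constant time."""
    body = {k: v for k, v in sealed.items() if k != TAG_FIELD}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(sealed.get(TAG_FIELD, "")))


@dataclass
class Session:
    """A logged-in user session with an idle limit and an in-memory audit log."""
    user: str
    idle_limit_s: int = 900  # assumed 15-minute idle limit
    last_activity: float = field(default_factory=time.monotonic)
    audit: List[dict] = field(default_factory=list)

    def access(self, sealed: dict, now: Optional[float] = None) -> str:
        """Attempt to read a sealed record; returns 'ok', 'integrity_failure' or 'logged_off'."""
        now = time.monotonic() if now is None else now
        if now - self.last_activity > self.idle_limit_s:
            # Automatic log-off: the idle period elapsed, so no data is returned.
            self.audit.append({"user": self.user, "event": "auto_logoff"})
            return "logged_off"
        self.last_activity = now
        ok = verify(sealed)
        self.audit.append({
            "user": self.user,
            "event": "read",
            "patient_id": sealed.get("patient_id"),
            "integrity": "ok" if ok else "FAILED",
        })
        return "ok" if ok else "integrity_failure"


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {"patient_id": "P-0001", "rx": "lisinopril 10mg", "pharmacy": "Store 42"}


def demo() -> dict:
    """Seal a record, verify it, tamper with it, and exercise the idle timeout."""
    sealed = seal(SAMPLE_RECORD)
    tampered = {**sealed, "rx": "lisinopril 40mg"}  # altered after sealing
    session = Session(user="tech1", last_activity=0.0)
    return {
        "intact": verify(sealed),
        "tampered": verify(tampered),
        "read_intact": session.access(sealed, now=100.0),
        "read_tampered": session.access(tampered, now=200.0),
        "after_idle": session.access(sealed, now=200.0 + 901.0),
        "audit_events": [e["event"] for e in session.audit],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The tag is stored with the record but the key is not, so a party who can edit the data store still cannot produce a valid tag for altered content. `hmac.compare_digest` avoids leaking tag bytes through timing differences, and the idle check runs before any data is returned, so an abandoned session yields nothing.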
Physical safeguards are focused on physical access to ePHI irrespective of its location, as well as securing workstations and mobile devices against unauthorized access. They include:
- Facility access controls: control who has physical access to the locations where ePHI is stored, including software engineers, cleaners, etc. This is determined on a per-location basis unless otherwise specified by the Security Officer.
- Policy for use and placement of workstations: a workstation on which ePHI is present may only be used by a single Contracted Entity of the Company, unless the workstation has user access controls that prevent any other user from accessing that Contracted Entity's information. Workstations should be positioned so that individuals who are not authorized to view or use ePHI cannot see or access ePHI on the screen.
- Policies and procedures for mobile devices: currently, the Company does not store any ePHI on mobile devices, other than in a temporary, encrypted form while performing consultations. As soon as a consultation is done, no ePHI remains on the device. ePHI should not be stored on mobile devices unless management determines it is necessary, in which case a record of all mobile devices containing ePHI must be kept. When such a device is sold or disposed of, the information must be erased in a manner that resets the device to its original condition or otherwise makes any ePHI unreadable and inaccessible.
- Inventory of hardware: an inventory of all hardware should be kept by the department head. Any device that stores ePHI must have a retrievable, exact copy of its ePHI made before the equipment is moved.
Administrative safeguards are the policies and procedures that bring together the Privacy Rule and the Security Rule. They govern the conduct of the workforce and require policies for risk mitigation.
- Conducting risk assessment: one of the Security Officer's main responsibilities is compiling a risk assessment that identifies every area in which ePHI is used and determines the ways in which breaches of ePHI could occur.
- Risk assessment policy: risk assessments must be performed at least annually. Contracted Entities who fail to comply with HIPAA regulations will be given a written warning describing the compliance failures found and the requirement to correct them, where necessary, within a reasonable amount of time based on the severity of the failure.
- Developing and testing a contingency plan: the contingency plan named "Emergency Protocol for PHI" will be used in emergencies that require a contingency plan. It must be verified and tested regularly, at least annually, to ensure that backups are accurate and not corrupted and to assess the relative criticality of all components of the Company software.
- Restricting third-party access: access to ePHI by third parties is limited to business partners that require access to the ePHI and have entered into a Business Associate Agreement with the Company.
- Reporting security incidents: any actual or suspected breach of PHI or ePHI, or any unauthorized access or disclosure, must be reported immediately to the Security Officer at (435) 770-8486.
The Privacy Rule protects all PHI held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, paper, or oral. This includes, but is not limited to, a person's name, address, date of birth, social security number, phone number, and email address.
Employees and other Contracted Entities who have access to ePHI may use and disclose protected health information without an individual's authorization only for the following purposes or situations:
- To the individual (unless required for access or accounting of disclosures)
- Treatment, payment, and health care operations
- Opportunity to agree or object
- Incident to an otherwise permitted use and disclosure, including helping clients with questions and issues related to their account or the Company software
- Public interest and benefit activities
- Limited data set for the purposes of research, public health or health care operations
In the unlikely event that a patient asks the Company directly for their information, we can provide it, but we recommend directing the request to the pharmacy the patient does business with first. The pharmacy is the original source of the patient's information, and any changes to that information within the Company are updated from the pharmacy.
Discipline for Privacy Violation
Discipline for privacy violations shall be overseen, enforced, and executed by the Privacy Officer, Sean Durham at (435) 770-8486. Employees and Contracted Entities may be subject to discipline, up to and including dismissal, for violations of either the HIPAA Privacy Rule or the policies and procedures set forth in this Policy. Managers or supervisors may also be subject to discipline, up to and including dismissal, if they contribute to a subordinate's privacy violation due to a flagrant lack of supervision.
The disciplinary action taken will depend on the gravity of the violation and on consultation between the Privacy Officer, the supervisor of the individual who committed the violation, and any other individuals within the Company whom it would be prudent to consult. However, the decision ultimately rests with the Privacy Officer.
Breach Notification Rule
The Breach Notification Rule requires the Company to provide notification following a breach of unsecured protected health information. A breach is an impermissible use or disclosure of PHI under the Privacy Rule which compromises the security or privacy of the PHI.
The following must be included in a breach notification:
- The nature of the PHI involved, including any specific personally identifiable categories of information.
- If known, the person or entity which accessed or used the PHI or to whom the disclosure was made.
- If known, whether the PHI was only viewed or actually acquired.
- In what ways the risk of damage has been mitigated.
In the event of a breach, the Company must inform all clients whose ePHI was breached without unreasonable delay and no later than 60 days following discovery of the breach. Every effort should be made to give notice sooner rather than later. Clients are responsible for informing their patients about the breach, unless they request help from the Company in contacting their patients via email or traditional mail.
All Contracted Entities shall comply with the modifications to the HIPAA Privacy and Security Rules promulgated January 25, 2013 (the "Omnibus Rule"), found at https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf , including, but not limited to:
- To the extent a Contracted Entity is to carry out one or more of the Company's obligation(s) under Subpart E of 45 CFR Part 164, the Contracted Entity shall comply with the requirements of Subpart E that apply to the Company in the performance of such obligation(s).
- In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Contracted Entities will ensure that any subcontractors that create, receive, maintain, or transmit PHI or ePHI on their behalf agree in writing to the same restrictions and conditions that apply through this HIPAA Policy with respect to such information.
- A Contracted Entity shall not de-identify any PHI or ePHI except as expressly authorized by Company.
- A Contracted Entity will report to the Company's Security Officer, Sean Durham at (435) 770-8486, any breach of unsecured PHI or ePHI, or any unauthorized disclosure of PHI or ePHI, without unreasonable delay and in no case later than five (5) calendar days after discovery.
- Patient information may never be used for marketing, fundraising, or research, as specified in the Omnibus Rule; research is not to be interpreted as including research into client account issues or questions, or software issues or improvements.
An audit of all HIPAA-related procedures and policies, and of compliance with them, will be conducted annually by the Company's Security Officer and Privacy Officer. Auditing may be conducted on an ongoing basis, in segments, or all at once. Regardless of the method or frequency, a full audit of all policies, procedures, and compliance with them must be completed and recorded at least once within each calendar year.