The Health Insurance Portability and Accountability Act (1996) was enacted on August 21st, 1996 to protect the privacy and security of personal health data, referred to as PHI (Protected Health Information), by enforcing a set of standards, and to improve the efficiency of healthcare delivery by standardizing electronic data interchange and streamlining transactions. The Health Insurance Portability and Accountability Act ensures that all HIPAA covered businesses prevent unauthorized access to “Protected Health Information” or PHI. PHI includes patients’ names, addresses, and all information pertaining to the patients’ health and payment records. According to the Department of Health and Human Services, “HIPAA Rules apply to covered entities and business associates.”
HIPAA Privacy Rule
The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information, called “protected health information,” by organizations subject to the Privacy Rule, called “covered entities and Business Associates,” as well as standards for individuals' privacy rights to understand and control how their health information is used. It gives individuals greater access to their medical records and better protection of their personal health data. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed, including the right to access information by an individual.
● Ensure Clineage, Inc. complies with the applicable statutes of the HIPAA Privacy Rule to protect the privacy of PHI (Protected Health Information) that Clineage, Inc. electronically creates, collects, maintains, uses, discloses or transmits.
● Define policies and procedures implemented by Clineage, Inc. to comply with the applicable statutes of the HIPAA Privacy Rule to maintain the privacy of an individual’s protected health information.
● This policy applies to all of the organization’s employees, management, contractors, consultants, students, interns, and volunteers.
● This policy sets forth a framework on the applicable policies and procedures that help Clineage, Inc. comply with the applicable rules and regulations of the HIPAA Privacy Rule.
● The organization shall protect the privacy of an individual’s Protected Health Information or PHI in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and State of Pennsylvania law. PHI generally will be used only for specific reasons as stated in the Business Associate Agreements or any other Business contracts such as Memorandum of Understanding between the covered entities and Clineage, Inc.
● The organization shall use the Minimum Necessary information except in limited situations specified by law. Other uses and disclosures of PHI shall not occur unless the individual or the covered entity authorizes them.
● Individuals will have the opportunity to access, inspect, copy, and amend their PHI as required by the HIPAA Law or as stated in the Business Contracts with the covered entities.
● Individuals can exercise the rights granted to them under HIPAA free from any intimidating or retaliatory acts.
● When PHI is shared with Business Associates providing services to Clineage, Inc., they will be required to sign a Business Associate Agreement to maintain procedures that protect the PHI from improper uses and disclosures in conformance with HIPAA.
● Clineage shall adhere to its own stringent procedures to protect the PHI through:
o Administrative and technical safeguards that limit access to PHI by a workforce member and the purpose for which they can use it;
o Rules for safeguarding PHI from improper disclosures;
o Processes to limit the disclosure of PHI to the Minimum Necessary;
o A verification process to identify and confirm the authority of persons requesting PHI;
o A training process on applicable privacy rules and regulations for the workforce members;
o A process that receives and processes privacy complaints, if any.
● Clineage shall update this Policy and its Procedures at any time to reflect any change required by law. Any changes to this Policy and Procedures shall be effective for all PHI that Clineage maintains. This includes PHI that was previously created or received, not just PHI created or received after the Policy and Procedures are changed.
● All the workforce members must sign an NDA and a Business Associate Agreement prior to starting employment.
● Clineage shall establish and implement a well defined and structured compliance program to ensure that all the workforce members are aware of and adhere to the HIPAA Privacy requirements mandated under the Health Insurance Portability and Accountability Act of 1996.
● Disciplinary action/Sanction policies shall be imperative in case of non-compliance.
§164.502 Uses and disclosures of protected health information: general rules.
Permitted Uses and Disclosures of Protected Health Information
● Clineage recognizes that a major purpose of the Privacy Rule is to define and limit the circumstances under which an individual’s protected health information may be used or disclosed by Clineage, Inc.
● Clineage shall stringently commit to not use or disclose protected health information except either:
1. as the privacy rule permits or requires; or
2. as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
● Clineage shall be committed to:
o Use, disclose, and request only the minimum amount of protected health information needed to accomplish an intended purpose;
o Obtain written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.
● Clineage shall disclose PHI when required by the Secretary for the purpose of compliance and enforcement, (Subpart C of part 160), in their efforts to investigate and determine Clineage’s compliance with the applicable part of the rule.
● Clineage shall utilize the services of third-party organizations to create, maintain, transmit, or receive protected health information on its behalf. The services provided by and the actions of these organizations are those clearly defined within the Privacy Rule and in the Business Associate Agreements with them. Business Associates are only allowed to use or disclose protected health information as permitted in the Business Associate Agreements executed by either of the parties or as required by law.
PROHIBITED USES AND DISCLOSURES
Clineage is aware of the restrictions for the disclosure of genetic information for underwriting purposes by a health plan and currently does not collect genetic information for a health plan.
MINIMUM NECESSARY RULE
It is the policy of Clineage that while using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, Clineage shall always make a reasonable effort to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Clineage also understands that there are times when “minimum necessary” would not apply, such as but not limited to:
● Disclosures to or requests by a health care provider for treatment purposes;
● Disclosures made to the Secretary in accordance with subpart C for compliance and enforcement purposes;
● Other uses or disclosures as required by law.
Uses and disclosures of protected health information subject to an agreed upon restriction.
Clineage understands that the individuals have the right to restrict use or disclosure of their protected health information. Since Clineage is not a provider of medical care, any requests for the restriction of PHI shall come from the clients of Clineage and Clineage shall abide by those restrictions without question.
Uses and disclosures of de-identified protected health information
Clineage shall not provide a code or other means that would enable de-identified protected health information (health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual) to be re-identified, as this would constitute a disclosure of protected health information, unless as specified in the terms of service by the clients of Clineage.
Disclosures to business associates
It is the policy of Clineage that, if Clineage engages a Business Associate (sub-contractor) to create, maintain, transmit, or receive protected health information on behalf of Clineage, then it is the responsibility of Clineage to obtain satisfactory assurance that PHI shall be appropriately safeguarded by executing Business Associate Agreements or other Business Contracts including Memorandum Of Understanding.
Clineage shall be responsible to obtain substantiated proof of an organization’s abilities to protect PHI before executing a BAA. Clineage shall also require their Business Associates to obtain the same assurances from any subcontractors or vendors that they may use in relation to PHI entrusted to Clineage.
Deceased individuals
Clineage shall be responsible for the maintenance and security of protected health information for individuals who may expire during the period of time that their PHI was in the possession of the organization. While the following situations would almost exclusively be requests made to the medical providers or our clients, Clineage further understands that protected health information may be released to the coroners or medical examiners in order to identify a deceased person or to determine the cause of death or to perform other functions authorized by law as deemed necessary. Clineage shall also provide this information to funeral directors as and when needed.
Confidential communications
Clineage does not anticipate occasions when patients or personal representatives of patients would ask the organization to provide them with protected health information. In the event of such requests, it is the policy of Clineage that the organization shall permit individuals to request specific ways or places for receiving communications of protected health information even if, in our consideration, the method or destination is considered unsecured, only after receiving the appropriate authorizations and specific instructions from the Client.
Notice of Privacy Practices
Clineage does not provide medical care and is not a covered entity; hence the organization is not required to provide a Notice of Privacy Practices.
Disclosures by whistleblowers and workforce member crime victims
It is the policy of Clineage that the organization shall not retaliate against a person exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule.
Clineage also acknowledges that the organization shall not be in violation of this rule if one of the workforce members becomes the victim of a crime. If an instance should occur, Clineage shall disclose protected health information to law enforcement if:
● The protected health information is about the suspected perpetrator of the crime; and
● The protected health information disclosed is limited to:
o Name and address;
o Date and place of birth;
o Social security number;
o ABO blood type and RH factor;
o Type of injury;
o Date and time of treatment;
o Date and time of death, if applicable; and
o A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
§164.504 Uses and disclosures: Organizational requirements
Business Associate Contracts
It is the policy of Clineage that in case the organization engages the services of a Business Associate (sub-contractor) to create, maintain, transmit, or receive protected health information on behalf of the organization, Clineage shall obtain satisfactory assurances from the Business Associate by executing a Business Associate Agreement that the PHI generated by Clineage shall be appropriately safeguarded. Clineage shall also require their Business Associates to obtain the same assurances from any subcontractors they may use in relation to the PHI generated by Clineage. Clineage shall execute a Business Associates Agreement that must be signed by both parties before any data is shared with the sub-contractor.
In circumstances where Clineage becomes aware of a pattern of activity or practice of the Business Associate that constitutes a material breach or violation of the Business Associate’s obligation under the contract or other arrangement, Clineage shall take immediate steps to cure this practice or terminate the contract immediately. The Business Associate Agreement by Clineage shall also establish the permitted and required uses and disclosures of protected health information by the Business Associate and their subcontractors. Clineage shall further establish requirements with any Business Associates that they engage that, should a Business Associate become aware of any unauthorized disclosure of protected health information, they must report this to Clineage in accordance with § 164.410 Notification by a Business Associate. Clineage shall also require that all Business Associates (sub-contractors) be aware of and comply with regulations requiring:
● Proper access to protected health information by individuals or their authorized representatives;
● The accurate and timely amendment of protected health information; and
● The proper accounting of disclosures of protected health information, if applicable.
Clineage shall disclose only a limited data set to a Business Associate in order for them to carry out certain specific functions on behalf of the organization. In these instances Clineage shall use a Data Use Agreement as given in Annexure 1 of this document with the Business Associate in compliance with §164.514 as described below:
● Agreement required. A covered entity may use or disclose a limited data set under Business Associate Contracts of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes.
§164.506 Uses and disclosures to carry out treatment, payment, or health care operations.
Permitted Uses and Disclosures
It is the policy of Clineage that with the exception of required authorizations for Psychotherapy Notes, Marketing, the sale of Protected Health Information and for the use and disclosure of genetic information, Clineage shall be allowed to use and disclose PHI for the purposes of treatment, payment and healthcare operations without authorization as long as the use and disclosure is consistent with the requirements of the client.
Consent for Uses and Disclosures Permitted
Clineage understands that there are situations when the disclosure of protected health information requires authorization. However, Clineage shall use or disclose PHI only for the purposes of treatment, payment or healthcare operations or those in conjunction with a health care provider who has requested the PHI for the care of the same individual. Clineage may also disclose pertinent information if asked to assist with an investigation into health care fraud.
§164.508 Uses and disclosures for which an authorization is required.
Authorizations for Uses and Disclosures
It is the policy of Clineage to obtain authorizations to use or disclose protected health information except for treatment, payment and healthcare operations. The use or disclosure must be in keeping with the authorizations granted to the organization. Clineage acknowledges that there are very specific limitations on what can be disclosed. For example, there are limitations to the information that can be used or disclosed in relation to psychotherapy notes, marketing, or the sale of protected health information. In such instances, it is the policy of Clineage to provide specifically worded releases that identify the breadth and purposes of the data to be disclosed to the individual or their authorized representative and shall also declare whether the organization will receive any form of remuneration for that data.
The authorizations shall be provided to the individual prior to any release of PHI and shall contain all of the required elements of a valid authorization as defined by the rule. Clineage shall not release the PHI until the signed release has been provided to the organization. The authorization shall be written in plain language and a copy of the authorization shall be provided to the individual or their authorized representative.
§164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.
It is the policy of Clineage that in case the organization desires to use or disclose protected health information, a clear and concisely written authorization shall be provided for the individual’s review and signature and shall also allow all individuals to agree or object to the use and disclosure of their information. Clineage shall always require a written authorization from the individual on use and disclosure of PHI of an individual.
Clineage recognizes that there are numerous scenarios where the organization must decide the proper use and/or disclosure of protected health information. It is the policy of Clineage that the organization shall always attempt to obtain written permission from the individual or their authorized representative in advance of these situations. Clineage also realizes that there are going to be situations where this may not be possible. Obtaining authorization when present with the individual or their representative is a clear procedure. If the individual is not present, or incapacitated, if the situation is related to disaster relief or if the individual in question is deceased, Clineage shall take every action possible to obtain appropriate authorizations. If the situation is such that a decision must be made absent customary authorizations, Clineage shall make decisions based on the professional assessment of the situation and what is considered to be in the best interest of the patient, their family or the general public.
§164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.
Clineage’s policies acknowledge that the organization may use or disclose protected health information without the individual’s authorization in those situations such as for judicial and administrative proceedings and for law enforcement purposes which could include by statute, regulation, or court order.
Clineage shall also disclose specific information in those circumstances where the disclosures involve victims of abuse, neglect or domestic violence. Clineage shall never release PHI unless the organization believes that it is a permitted disclosure based on the individual situation. Prior to the disclosure of any PHI, the organization shall attempt to gain approval from the individual or the Client but also realizes that victims are many times reticent about disclosing the nature and extent of the abuse or treatment. Clineage shall always attempt to maintain regulatory compliance but, if necessary, will use professional judgement in favor of the wellbeing of the individual and release only that information that the organization feels is necessary for authorities to act on the individual’s behalf.
Clineage shall cooperate with recognized health authorities and is permitted to share protected health information in certain specific situations such as the prevention or controlling of disease, a public health investigation or intervention or other situations as defined in the Privacy Rule. Clineage shall always require proper identification and/or documentation prior to the release of any PHI.
Our Company policy allows us to recognize that for purposes of legally authorized health oversight activities such as audits or other types of administrative or criminal proceedings, we may disclose protected health information to those oversight agencies as defined in the Rule.
Clineage shall release only that PHI which is expressly authorized and for which proof of documentation such as court orders or subpoenas is provided. Clineage shall also want appropriate assurance that the party whose information is requested has been notified of the request and, where appropriate, that the attempt has been made to provide a qualified protective order. Clineage is specifically forbidden to provide PHI related to the person’s dental records.
Clineage, under certain circumstances, may disclose protected health information in the facilitation and/or donation and transplantation of organs, tissue or eyes of deceased persons whose Personally Identifiable Information is available with Clineage.
Clineage recognizes that research is any systematic investigation designed to develop or contribute to generalizable knowledge. The Privacy Rule permits Clineage to use or disclose protected health information for research purposes, without an individual’s authorization, provided that we obtain certain documentation and representations from the researcher that the use or disclosure sought is solely for research. These representations include but are not limited to facts demonstrating that the information sought will be used for research only and not disclosed elsewhere. Additionally, we will not release any protected health information for any research project unless we are provided documentation showing that the research has been vetted and approved by an Institutional Research Board.
Clineage understands that the organization is permitted to disclose protected health information for certain essential government functions including but not limited to: assuring proper execution of a military mission, conducting intelligence and national security activities, providing protective services to the President, etc.
Clineage recognizes that when dealing with members of the Armed Forces or other government agencies, there are specialized provisions that must be followed. Clineage shall never release patient information without proper documentation being provided and recognizes that the rule provides guidance so that the organization can accommodate these situations in a compliant manner.
§164.514 Other requirements relating to uses and disclosures of protected health information.
Clineage understands there might be instances when the information to be transmitted is for a special purpose and identifying items of the data are not necessary. Our policy is to protect (de-identify) this data by removing the identifiers before transmission for such purposes. Clineage shall not transmit any kind of re-identifying mechanism with this data. Clineage shall also take efforts to de-identify PHI even during internal circulation within the organization. The process manuals, user manuals and other documents that Clineage maintains shall contain de-identified information. The PHI (if any is found) in screenshots in these manuals shall be de-identified before publishing them internally.
Clineage believes in the principle of “minimum necessary” and shall ensure that only a minimal amount of information is disclosed when requested for any PHI by a Covered Entity or their Business Associates after appropriate review of the request. Clineage believes in following the principle of “minimum necessary” even internally between the workforce members.
Clineage shall provide a Data Use Agreement that will specifically identify the use of data in a limited data set for research, public health or healthcare operations and shall also evaluate the responsibilities of the organization to whom Clineage releases the data. It is the policy of Clineage that the organization shall not release a limited data set unless the Data Use Agreement meets all of the criteria of the Privacy Rule.
The recipient of such data shall not be allowed to disclose the data provided to them without the express permission of Clineage and in a manner that meets all of the security stipulations of the Privacy Rule. Further, the recipient shall be required to report any real or imagined unauthorized disclosures of data to Clineage.
Clineage does not foresee any circumstances that would lead to a fundraising program, but in case of a need that requires PHI for a fundraising program, it is the policy of Clineage that individuals whose PHI is being used for the fundraising program shall be provided with a very clearly worded notice of intention of Clineage and shall be given an opportunity to opt out of the proposed fundraising program and/or not to receive future notifications for fundraising programs.
In case a request for PHI should seem to come from public officials, it is the policy of Clineage to take appropriate measures that the organization deems necessary to not only identify the public official or their representative but also their authority to obtain confidential information on the PHI entrusted to Clineage. In rare circumstances, if the request is urgent and time has not permitted the production of official documents, Clineage shall rely on their professional judgement and may release the requested information to government officials with the understanding that the information cannot be disclosed to any other parties.
§164.520 Notice of Privacy Practices for protected health information
Clineage is not a healthcare provider and therefore there would be no reason to provide a Notice of Privacy Practices to anyone.
§164.522 Rights to request privacy protection for protected health information
Clineage understands that individuals have the right to request restriction, disclosure or use of their protected health information for multiple reasons such as limiting disclosures to treatment, payment or healthcare operations.
However, their rights to request restrictions go beyond this and Clineage shall abide by the restrictions as they are identified under the Rule. Since Clineage is not a provider of healthcare, the organization cannot conceive a time when a request to restrict the disclosure of PHI shall be received by the organization from the individual. If this should ever occur, Clineage shall agree to the requested restrictions in consensus with their clients and shall abide by the decision unless it is for a very specific instance such as the individual requiring emergency medical treatment.
Clineage recognizes that the organization abides by the wishes of individuals if they were to request that the organization’s communications with them are in a particular format or delivered to a location that Clineage believes to be less than secure, in consensus with the clients. It is the policy of Clineage that the organization shall accommodate such requests in consensus with the clients and may condition the participation of the organization by requiring the individual to provide their request in writing, although the organization is not allowed to require an explanation for the basis of their request.
§164.524 Access of individuals to protected health information
It is the policy of Clineage that if a request should be made by an individual or their authorized representative, the organization in consensus with the client shall direct them to their provider with the explanation that Clineage does not maintain their patient record. Clineage also understands that when a request is made for protected health information, providers have the right to exercise certain exemptions of information such as psychotherapy notes, certain laboratory or research results, or some information they believe access would cause harm to the individual or others. All requests shall be handled by the HIPAA Privacy Officer.
§164.526 Amendment of protected health information
Clineage understands that individuals have the right to amend their protected health information when they believe that information is incorrect or incomplete. Clineage also acknowledges that any such amendment is expected to be provided to persons that the individual has identified as needing it and to those persons or entities that the organization knows might rely on the information to the individual’s detriment. Since Clineage is not a provider of medical care, and therefore does not maintain patient medical records, any requests for amendment of PHI by an individual shall be directed back to their provider in consensus with the client.
§164.528 Accounting of disclosures of protected health information
Clineage understands that individuals have a right to an accounting of any disclosures of their protected health information made by the organization or any of the Business Associates. It is the policy of Clineage to maintain an accounting of disclosure as documented in Annexure 2 of this document, in recognition of the numerous opportunities for disclosure.
It is the policy of Clineage that when a request for the accounting of disclosures of PHI is properly made, the organization shall notify the individual(s) of acceptance or denial of their request within 60 days. In case of a denial of request, an explanation shall be provided in writing. If the timing of the request is particularly difficult due to unforeseen circumstances, Clineage in consensus with the Client shall notify the individual(s) in writing of a delay of no more than 30 days and shall not delay beyond that extended period.
§164.530 Administrative requirements
The HIPAA Privacy officer for Clineage: Joshua Horton.
Position within the Company: CEO
Complaints will be directed to: HIPAA Privacy Officer, Joshua Horton
Email: email@example.com
Or may be directed to the following address: Clineage, Inc., 111 S Independence Mall E Suite 500, Philadelphia, PA 19106, United States
Clineage shall train all members of their workforce on these policies and procedures with respect to protected health information as required by this Rule, as necessary and appropriate for the members of the workforce to carry out their functions within the organization at the earliest possible date after the hiring of the workforce member.
Clineage shall have appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information and the policies and procedures documented in this manual are specifically for that purpose.
Clineage shall adopt a progressive Sanction policy. Depending on the severity of the violation, at a first offense, Clineage would attempt to counsel with the employee and determine if additional training might be in order. At a second offense, and again, depending on the severity of the violation, a written report shall be filed in the employee’s personnel file with the possibility of additional disciplinary actions up to and including termination. Multiple offenses would lead to automatic termination depending on the severity of the offense. Any sanction applied shall be documented including the incident that led to the sanctions, the steps taken and the outcome.
It is the policy of Clineage that should the organization become aware of a deviation from the established policies and procedures by either a member of the workforce or by a Business Associate, immediate steps shall be taken to correct the situation and make appropriate changes to the documentation if required.
However, Clineage shall not retaliate against a workforce member or entity for assisting in an investigation or for opposing an act or practice that the person believes in good faith violates the Privacy Rule.
Clineage shall periodically review and update the policies and procedures especially if there are substantial administrative or environmental changes to the operations or in response to changes in the laws governing the privacy and security of Protected Health Information. All the documentation shall be maintained in an electronic format.
§164.532 Transition provisions
Clineage does not have any contracts that were in effect prior to January 25, 2013 and therefore would not have any agreements not under the guidance of the HITECH Act.
Policy Compliance
The HIPAA Privacy Officer along with the HIPAA security officer shall periodically review and update the policies and procedures in case of any operational, legal or environmental changes affecting the organization.
Any non-compliance to the policy and procedures shall attract appropriate sanctions.
The documentation shall be maintained in an electronic format for a period of six (6) years.