Overview - This policy is intended to relay the importance of security and protecting patient information and cardholder data.
Purpose - To establish The Livingston Clinic's policy for the secure handling of patient information and sensitive cardholder data (including but not limited to magnetic stripe data, Primary Account Numbers [PANs], expiration date, and service code).
Scope - This policy applies to all employees and systems of The Livingston Clinic.
Policies to Protect Patient Information
The responsibility of assuring compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will be assigned to the Privacy/Security Officer.
The Office Manager is the designated HIPAA Officer for The Livingston Clinic and has authority to establish, implement, and enforce these policies and procedures for the security and privacy of our patients' protected health information (PHI).
* Risk Assessment
- The HIPAA Officer is responsible for conducting the annual HIPAA privacy and security risk assessment and training.
- Additional risk assessments may be necessary (1) each time new software or hardware is acquired and placed in service; (2) when a new service or procedure is initiated; (3) when there is a significant change in an existing service or procedure; or (4) when there is a change or addition to the physical layout of our office.
- The HIPAA Officer will periodically, but at least quarterly, review the DHHS’s HIPAA website to determine whether there have been any changes in the HIPAA rules and regulations and whether any changes or modifications to this policy and procedure are necessary due to changes in HIPAA rules, regulations, or regulatory interpretations.
* Policy regarding physical access to building
- Employees access the office via the front door. The main entrance is locked after hours and is unlocked each morning 15 minutes prior to our start time. The back door remains locked and is accessed only via key. Employees or service personnel may gain entrance through the employee entrance by knocking on the door or calling the front desk and asking to be let in.
* Policy regarding confidentiality of all forms of PHI
All PHI, regardless of its form, mechanism of transmission, or storage, is to be kept confidential. Only individuals with a business need to know are allowed to view, read, or discuss any part of a patient’s PHI. During initial new-hire orientation and at annual HIPAA training, employees are reminded that any viewing, reading, or discussion of PHI that is not for business purposes is prohibited. An employee who violates this confidentiality policy will be subject to sanctions up to and including immediate termination. All employees are required to verify in writing that they have read and will comply with our policy regarding confidentiality of all forms of PHI.
* Policy regarding security of electronic PHI (e-PHI)
- Employees whose job functions require access to our computer system will be given a secure, unique password to access the system. Passwords to the office computers may not be changed by individual employees. Individual passwords for access to third-party websites may be individually updated as required by the site without management authorization.
- Access will be immediately terminated for employees who leave our employment.
- All PHI transmitted to third parties will be transmitted on secured lines. The security of transmission lines will be verified via contract with the third party responsible for transmitting our patients’ PHI.
- No digitally stored PHI shall leave this facility without being first encrypted; this includes laptops, flash drive devices, CDs, and e-mail.
* Patient request for accounting of all disclosures made by The Livingston Clinic
- Patients have a right to request an accounting of all disclosures of their PHI. The information should be provided within 7-10 business days.
* Patient request for restriction of PHI paid for “out of pocket”
- Patients who pay for a procedure, test, or service out of pocket (fully paid for by the patient with no reimbursement or additional payment by a third party) have a right to have all information regarding such procedure/test held confidentially and not released to third parties. To exercise this right the patient must (1) pay for the test/procedure and (2) make known their desire to have information regarding the procedure/test held in confidence and not released to third parties. Any employee who receives such a request must immediately make a visible note in the patient’s file. HIPAA allows for the release of restricted PHI (1) in compliance with a subpoena; (2) in compliance with a statutory reporting requirement; or (3) upon receiving an unrestricted, HIPAA-compliant authorization for release of medical records from the patient, the patient’s legal representative, or the executor of a deceased patient’s estate.
* Policy regarding charges for e-copies of medical records
- The Privacy Rule permits reasonable, cost-based fees for paper copies.
* HIPAA Incident/Breach Investigation and Sanction Policy
Any incident in which the privacy/security of a patient’s PHI may have been compromised will be immediately reported to the Office Manager who will begin an investigation of the incident and take appropriate action up to and including immediate termination.
* Document Retention Policy
- All HIPAA documentation such as policy and procedures, risk assessment, incident investigation, breach notification, and training records will be maintained for at least six years.
Policies to Protect and Manage Cardholder Data
The importance of protecting cardholder data is paramount. Allowing data theft or destruction, inadvertently sharing confidential information, infecting system networks with viruses, misuse of company resources, allowing the theft of company property, and allowing the compromise of private or confidential company or client information are all very real examples of what might result from a security compromise.
* Sending unencrypted Primary Account Numbers by end-user messaging technologies (e.g., email, instant messaging, and chat) is strictly prohibited. If a PAN must be sent by end-user messaging, only email is allowed and the PAN will be encrypted using WinZip. The WinZip password will be communicated to the end user by means other than end-user messaging (phone or fax is allowed).
* Access to system components and cardholder data is limited to only those authorized individuals whose job requires such access or who have a need to know. This authority is granted by senior management and reviewed annually.
* All paper that contains cardholder data is to be identified and physically secured in a locked drawer. No electronic cardholder data will ever be stored.
* Strict control is to be maintained over the internal or external distribution of any kind of media that contains cardholder data.
- Media is classified and clearly marked as confidential.
- Media is sent by secured courier or other delivery method that can be accurately tracked.
* Management approval is to be obtained prior to moving any and all media containing cardholder data from a secured area.
* Strict control must be maintained over the storage and accessibility of media that contains cardholder data.
* Media containing cardholder data is to be destroyed when it is no longer needed for business or legal reasons.
- Paper materials are to be shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
- The general rule is that media containing cardholder data will be destroyed when over 180 days old. Exceptions to the rule must be approved by senior management.
* Policy Maintenance and Employee/Contractor Awareness
- Review of this policy will be conducted on an annual basis or as changes to the environment occur.
- Usage of employee-facing technologies such as remote access, wireless, electronic media, internet, and PDAs will adhere to the following:
~ No unauthorized equipment can be brought in or set up in The Livingston Clinic. This includes, but is not limited to modems, computers, or wireless devices.
~ Wireless devices must be set up securely by establishing secure accounts/passwords, disabling SSID broadcasts, and using the highest available encryption for the device.
* One or more employees will be designated with security responsibility.
- A written agreement that includes an acknowledgment that the service provider is responsible for the security of the cardholder data it possesses is required from each service provider.
* Due diligence is to be performed prior to the engagement of Service Providers.