Purpose of Policy: To ensure that all H3-Hope, Health and Healing, LLC, Business Associates agree to abide by the HIPAA Privacy, Security, and Breach Notification Rules.
Definitions:
Business Associate: A "business associate" is generally a person or entity who "creates, receives, maintains, or transmits" protected health information (PHI) in the course of performing services on behalf of the covered entity (e.g., contracted employees, consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; and malpractice insurers). With very limited exceptions, a subcontractor or other entity that creates, receives, maintains, or transmits PHI on behalf of a business associate is also a business associate.
Breach: A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
• The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the protected health information or to whom the disclosure was made;
• Whether the protected health information was actually acquired or viewed; and
• The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.
There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or at an organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Reporting of Breaches:
Health and Human Services (HHS), also known as the “Secretary”: If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.) The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by clicking on the link below and completing all of the fields of the breach notification form.
Civil Penalties: Mandatory for Willful Neglect. The Office for Civil Rights (“OCR”) is required to impose HIPAA penalties if the business associate acted with willful neglect, i.e., with “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA requirements.
Tiered Penalty Structure: Penalty in the event that the business associate:
• Did not know and, by exercising reasonable diligence, would not have known of the violation: $100 to $50,000 per violation; up to $1,500,000 per identical violation per year.
• Committed a violation due to reasonable cause and not willful neglect: $1,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
• Committed a violation due to willful neglect, but the violation is corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of $10,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
• Committed a violation due to willful neglect, and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of not less than $50,000 per violation; up to $1,500,000 per identical violation per year.
Example: A single action may result in multiple violations. The loss of a laptop containing records of 500 individuals may constitute 500 violations.
If the Business Associate does not act with willful neglect and corrects the violation within 30 days, the OCR may not impose any penalty; timely correction is an affirmative defense.
Business Associates are responsible for any HIPAA violations, and a violation may be a crime. Federal law prohibits any individual from improperly obtaining or disclosing PHI from a covered entity without authorization; violations may result in the following criminal penalties:
• Knowingly obtaining or disclosing PHI without authorization: up to a $50,000 fine and one year in prison
• If done under false pretenses: up to a $100,000 fine and five years in prison
• If done with intent to sell, transfer, or use the PHI for commercial advantage, personal gain or malicious harm: up to a $250,000 fine and ten years in prison
Policy:
From here on, the Business Associates are defined as any individual entering into a Business Agreement Contract with H3-Hope, Health and Healing, LLC. H3-Hope, Health and Healing, LLC will be defined as the covered entity from here forward, where stated. Health and Human Services (HHS) will be known as the Secretary.
o Covered entities and their business associates may not use, access, or disclose PHI without the individual’s valid, HIPAA-compliant authorization, unless the use or disclosure fits within an exception.
o HIPAA contains exceptions that allow disclosures of PHI to the extent another law requires disclosures or for certain public safety and government functions, including: reporting of abuse and neglect, responding to government investigations, or disclosures to avoid a serious and imminent threat to the individual; however, before making disclosures for such purposes, the business associate should consult with the covered entity.
o Even where disclosure is allowed, business associates must generally limit their requests for, use of, or disclosure of PHI to the minimum necessary for the intended purpose.
o Perform a Security Rule risk analysis. Unlike with the Privacy Rule, business associates are directly obligated to comply with the Security Rule.
o Business associates must conduct and document a risk analysis of their computer and other information systems to identify potential security risks and respond accordingly.
o Business associates must implement Security Rule safeguards, which include the specific administrative, technical and physical safeguards required by the Security Rule.
o Business associates must notify the covered entity, in a timely manner, of any reported security incidents and breaches that pose a threat to or violation of PHI.
o Business associates must report breaches of unsecured PHI to the covered entity immediately upon recognition of the breach, so the covered entity may investigate the risk level of the breach and follow the reporting procedures per the HHS guidelines.
o The business associate must report uses or disclosures that violate the business associate agreement with the covered entity, which would presumably include uses or disclosures in violation of HIPAA even if not reportable under the breach notification rules.
o H3-Hope, Health and Healing, LLC must then follow HHS HIPAA procedures by reporting the breach to the affected individual(s), HHS, and, in certain cases, the media.
o If a breach of unsecured protected health information affects fewer than 500 individuals, the covered entity must notify HHS of the breach within 60 days of the end of the calendar year in which the breach was discovered.
o The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by clicking on the link below and completing all of the fields of the breach notification form.
o Business associates must report “security incidents,” a term defined to include the “attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in a PHI system.”
o The covered entity will conduct a thorough investigation into any PHI violation and will follow the guidelines for reporting any HIPAA/PHI violations as required.
o The covered entity reserves the right, based upon the HIPAA violation and the outcome of the investigation and HHS findings, to immediately terminate the business associate’s contract.
o Failure to report a known breach would likely constitute willful neglect, thereby subjecting the covered entity or business associate to the mandatory civil penalties.
Subcontracting on behalf of Business Associates:
• Business associate will not use subcontractors or other entities to provide any services for the covered entity involving PHI.
• The business associate must disclose to the owner of H3-Hope, Health and Healing, LLC and execute business associate agreements with the subcontractors, which agreements must contain the terms required by the regulations.
• The subcontractor becomes a business associate subject to HIPAA.
• The subcontractor agreement cannot authorize the subcontractor to do anything that the business associate could not do under the original business associate agreement with the covered entity.
• Thus, business associate obligations are passed downstream to subcontractors, who must comply with the privacy rules.
Release of Client File/Documentation:
• Clients reserve the right to their documentation or to request letters on their behalf; however, a release must be signed, dated and noted with what documents they are requesting.
• The client will fill out a form requesting the documents they need and sign a release before the covered entity acts on the request (front desk staff for file copies, or the therapist for letters on the client’s behalf).
• The covered entity reserves the right to take up to 48 business hours to complete the request and will call the client or give a date the documents will be ready for pick up.
• The clients of the covered entity will be able to pick up their documents with a valid picture ID at the time the documents are ready.
• The front desk staff will collect the money for the documents, whether for a copy of the client’s file or for documents the therapist has created.
H3-Hope, Health and Healing, LLC
Business Associate Contract and HIPAA Training Protocol
CEO
• Reviews the Business Associate Contract with the new contractor and gives an overview of HIPAA and PHI via the HIPAA Compliance Information Sheet.
Business Associate
• Signs the business associate agreement contract and the HIPAA Compliance Information Sheet.
• Follows all HIPAA and PHI guidelines.
• Reports any HIPAA violation immediately to the CEO/Rights Officer.
Rights Officer
• Investigates what has been violated. (With respect to an impermissible use or disclosure, a covered entity should maintain documentation that all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required: (1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or (2) the application of any other exceptions to the definition of “breach.”)
• Follows up with Health and Human Services (HHS), the client and/or the media as necessary, based upon the guidelines for HIPAA violations.
• Fills out the HHS form for breaches affecting fewer than 500 individuals at: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
• Terminates the contract with the business associate, if necessary.
• Makes necessary changes in the security of PHI and trains staff on any new changes in protocols.