Lumin Medical, LLC has adopted this Health Information Security Policy to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (hereinafter “HIPAA”); the Department of Health and Human Services (“DHHS”) security and privacy regulations; other federal and state laws protecting confidentiality of health information, and business associate contracts that we have entered into; and the Joint Commission on Accreditation of Healthcare Organizations accreditation standards, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. In addition, this Report Procedure Policy will assist Lumin Medical, LLC in fulfilling its obligation under the DHHS privacy regulations to mitigate damages caused by breach of individual privacy. All personnel of Lumin Medical, LLC must comply with this policy. Familiarity with the policy and demonstrated competence in the requirements of the policy are an important part of every Lumin Medical, LLC employee’s responsibilities.
This Health Information Security Policy is based on the following assumptions:
• A high level of accuracy and reliability of Lumin Medical, LLC’s health and business data is critical for the services that Lumin Medical, LLC provides to its clients.
• Individually identifiable health information is sensitive and confidential. Such information is protected from improper use and disclosure by HIPAA, its DHHS implementing regulations, other state and federal laws, accreditation requirements, and professional ethics.
• Loss, corruption, inaccuracy, or breach of confidentiality of such data may cause severe harm to the subject of the information, to Lumin Medical, LLC, and to its officers, agents, and employees.
• HIPAA, its implementing regulations, the HITECH Act, and good practice require Lumin Medical, LLC to perform a risk analysis for risks to the integrity and confidentiality of data that we maintain and/or transmit.
• Lumin Medical, LLC’s business operations, clients, client requirements, technology, equipment, and risks thereto, are likely to change over time.
• The Security Rule requires risk analysis defined as an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (“EPHI”) held by the organization.
• The Security Rule requires risk management, the implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). That section requires Lumin Medical, LLC to (1) ensure the confidentiality, integrity, and availability of all EPHI that the covered entity creates, receives, maintains, or transmits; (2) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (3) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and (4) ensure compliance by its workforce.
• The Security Rule requires periodic review of Lumin Medical, LLC’s security measures.
• Although the Privacy Rule, which applies to all protected health information (“PHI”) regardless of form or format, does not specify a requirement for risk analysis of paper PHI or other non-EPHI information, its requirement for appropriate safeguards to protect PHI from misuse strongly implies a duty to perform risk analysis on all PHI.
• It is the policy of Lumin Medical, LLC that all personnel must preserve the integrity and the confidentiality of medical and other sensitive information pertaining to our patients. The purpose of this policy is to ensure that Lumin Medical, LLC and its officers, employees, and agents have the necessary medical and other information to provide the highest quality medical care possible while protecting the confidentiality of that information to the highest degree possible so that patients do not fear to provide information to Lumin Medical, LLC and its officers, employees, and agents for purposes of treatment. To that end, Lumin Medical, LLC and its officers, employees, and agents will do the following:
o Collect and use individual medical information only for the purposes of providing medical services and for supporting the delivery, payment, integrity, and quality of those services. Lumin Medical, LLC and its officers, employees, and agents will not use or supply individual medical information for non-health care uses, such as direct marketing, employment, or credit evaluation purposes other than as authorized by the DHHS regulations in accordance with Lumin Medical, LLC’s Minimum Necessary Policy.
o Collect and use individual medical information only as follows:
▪ To provide proper diagnosis and treatment.
▪ With the individual’s knowledge and consent/authorization.
▪ To receive reimbursement for services provided.
▪ For research and similar purposes designed to improve the quality and to reduce the cost of health care.
▪ As a basis for required reporting of health information.
o Recognize that medical information collected about patients must be accurate, timely, complete, and available when needed. Lumin Medical, LLC and its officers, employees, and agents will do the following:
▪ Use their best efforts to ensure the accuracy, timeliness, and completeness of data and to ensure that authorized personnel can access it when needed.
▪ Complete and authenticate medical records in accordance with the law, medical ethics, and accreditation standards.
▪ Maintain medical records for the retention periods required by law and professional standards as specified in Lumin Medical, LLC’s retention policy.
▪ Not alter or destroy an entry in a record, but rather designate it as an error while leaving the original entry intact and create and maintain a new entry showing the correct data.
▪ Implement reasonable measures to protect the integrity of all data maintained about patients.
o Recognize that patients have a right of privacy. Lumin Medical, LLC and its officers, employees, and agents will respect patients’ individual dignity at all times. Lumin Medical, LLC and its officers, employees, and agents will respect patients’ privacy to the extent consistent with providing the highest quality medical care possible and with the efficient administration of the organization.
o Act as responsible information stewards and treat all individual medical record data and related financial, demographic, and lifestyle information as sensitive and confidential. Consequently, Lumin Medical, LLC and its officers, employees, and agents will do the following:
▪ Treat all individual medical record data and other protected health information (“PHI”) as confidential in accordance with the DHHS privacy regulations, other legal requirements, professional ethics, and accreditation standards.
▪ Only use or disclose the minimum necessary health information to accomplish the particular task for which the information is used or disclosed in accordance with Lumin Medical, LLC’s Minimum Necessary Policy.
▪ Not divulge medical record data unless the patient (or his or her authorized representative) has properly consented to the release or the release is otherwise authorized by the privacy regulations and/or other law, such as communicable disease reporting, child abuse reporting, and the like.
▪ When releasing medical record data, take appropriate steps to prevent unauthorized redisclosures, such as specifying that the recipient may not further disclose the information without patient consent or as authorized by law.
▪ Implement reasonable and appropriate measures to protect the integrity and confidentiality of medical and other information maintained about patients after performing a risk analysis in accordance with Lumin Medical, LLC’s Risk Analysis Policy, and update such security measures when necessary.
▪ Remove patient identifiers when appropriate, such as in statistical reporting and in medical research studies.
▪ Not disclose financial or other patient information except as necessary for billing or other authorized purposes as authorized by the privacy regulations, other laws, and professional standards.
▪ Recognize that some medical information is particularly sensitive, such as HIV/AIDS information, mental health and developmental disability information, alcohol and drug abuse information, and other information about sexually transmitted or communicable diseases, and that disclosure of such information could severely harm patients, such as by causing loss of employment opportunities and insurance coverage, as well as the pain of social stigma. Consequently, Lumin Medical, LLC and its officers, employees, and agents will treat such information with additional confidentiality protections as required by law, professional ethics, and accreditation requirements.
• The Security Officer and the Privacy Officer are responsible for managing HIPAA compliance in accordance with HIPAA, this policy, other relevant policies, and guidance from senior management.
• The Company President will ensure that HIPAA compliance in accordance with this policy is a priority for Lumin Medical, LLC.
All officers, agents, and employees of Lumin Medical, LLC must adhere to this policy, and all supervisors are responsible for enforcing this policy. Lumin Medical, LLC will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions in accordance with Lumin Medical, LLC’s medical information sanction policy and personnel rules and regulations.