HIPAA Compliance Policy

Purpose

To ensure OPEN MRI of Camden complies with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, protecting the privacy and security of Protected Health Information (PHI) for patients undergoing MRI, CT, and X-ray services.

Scope

This policy applies to all employees, contractors, volunteers, and business associates of OPEN MRI of Camden who handle PHI, including patient records, imaging results, and billing information.

    Definitions

    • Protected Health Information (PHI): Any individually identifiable health information, in any form (electronic, paper, or oral), related to a patient’s health condition, treatment, or payment.
    • Business Associate: A person or entity performing functions involving PHI on behalf of OPEN MRI of Camden (e.g., billing services, IT vendors).
    • Minimum Necessary Standard: The least amount of PHI needed to accomplish a specific purpose.

    Policy

    1. Privacy Rule Compliance

    1.1 Patient Rights

    • Notice of Privacy Practices (NPP): All patients will receive a clear, written NPP explaining how their PHI is used, disclosed, and protected. The NPP will be provided at the first visit and available upon request.
    • Access to Records: Patients have the right to access, inspect, and obtain copies of their PHI within 30 days of a written request, subject to limited exceptions.
    • Amendments: Patients may request amendments to their PHI. Requests will be reviewed and responded to within 60 days.
    • Accounting of Disclosures: Patients may request an accounting of non-routine PHI disclosures made in the past six years.
    • Restrictions and Confidential Communications: Patients may request restrictions on PHI use or disclosure and specify alternative communication methods (e.g., email or phone).

    1.2 Use and Disclosure of PHI

    • Permitted Uses: PHI may be used or disclosed for treatment, payment, and healthcare operations (TPO) without patient authorization.
    • Authorizations: Written patient authorization is required for non-TPO disclosures, except as permitted by law (e.g., public health reporting).
    • Minimum Necessary Standard: Employees will access, use, or disclose only the minimum PHI necessary for their role.
    • De-identification: PHI will be de-identified when possible to protect patient privacy for non-TPO purposes.

    2. Security Rule Compliance

    2.1 Administrative Safeguards

    • HIPAA Privacy Officer: A designated Privacy Officer, who also serves as the security official the Security Rule requires, will oversee HIPAA compliance, conduct risk assessments, and handle complaints.
    • Training: All employees will receive annual HIPAA training on privacy and security practices, with documentation of completion.
    • Risk Assessments: Regular risk assessments will identify risks to the confidentiality, integrity, and availability of PHI in electronic and physical systems, and the resulting findings will be remediated and documented.

    2.2 Physical Safeguards

    • Facility Access Controls: Access to areas containing PHI (e.g., imaging equipment, servers, and records) will be restricted to authorized personnel via keycards or keypad codes.
    • Workstation Security: Computers and imaging devices will be secured with passwords, automatic logoff, and encryption.
    • Document Security: Paper records will be stored in locked cabinets and shredded when no longer needed.

    2.3 Technical Safeguards

    • Access Controls: Electronic PHI (ePHI) systems will use unique user IDs and strong passwords to restrict access.
    • Encryption: ePHI will be encrypted during storage and transmission (e.g., when sharing imaging results with referring physicians).
    • Audit Trails: Systems will log access and modifications to ePHI for monitoring and auditing.
    • Data Backup and Recovery: ePHI will be backed up regularly, with disaster recovery plans to ensure data integrity and availability.

    3. Business Associate Agreements

    • All business associates (e.g., IT vendors, billing services) will sign Business Associate Agreements (BAAs) to ensure HIPAA compliance.
    • OPEN MRI of Camden will monitor business associates for compliance and terminate agreements if violations occur.

    4. Breach Notification

    In the event of a PHI breach, the Privacy Officer will:

    • Assess whether the incident is a reportable breach (including the probability that PHI was compromised) and, if so, notify affected patients without unreasonable delay and no later than 60 calendar days after discovery.
    • Report to the Department of Health and Human Services (HHS): breaches affecting 500 or more individuals will be reported no later than 60 days after discovery; smaller breaches will be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
    • Notify prominent media outlets serving the affected area when a breach involves more than 500 residents of a state or jurisdiction, as required by law.
    • Take mitigation steps to limit harm from the breach and prevent recurrence.

    5. Employee Responsibilities

    Employees must:

    • Complete HIPAA training annually.
    • Report suspected breaches or violations to the Privacy Officer immediately.
    • Follow all policies regarding PHI access, use, and disclosure.

    Violations may result in disciplinary action, up to and including termination.

    6. Policy Enforcement

    • The Privacy Officer will conduct regular audits to ensure compliance.
    • Non-compliance by employees or business associates will result in corrective action, retraining, or termination of contracts.

    7. Documentation and Recordkeeping

    • All HIPAA-related policies, training records, risk assessments, and breach notifications will be documented and retained for six years.

    Contact

    For questions or to report a violation, contact the HIPAA Privacy Officer at OPEN MRI of Camden.

    Review and Updates

    This policy will be reviewed annually or as required by changes in HIPAA regulations to ensure ongoing compliance.