HIPAA policy

This policy ensures compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its associated regulations. It sets the limits on medDARE AI SRL’s use and disclosure of protected health information (PHI).

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA permits researchers to access and use PHI for research only under the conditions the Privacy Rule specifies, for example with the individual’s authorization or under a waiver approved by an Institutional Review Board or privacy board.

PHI includes but is not limited to:

  • Participant’s medical record number
  • Participant’s images or video data
  • Participant’s demographic details (e.g., address, telephone number)
  • Entries made by doctors, nurses, and other healthcare providers in a participant’s medical record
  • Information stored about a participant in a provider’s or health insurer’s computer system
  • Any health information that could potentially identify an individual or allow reasonable inference of the individual’s identity based on the information’s content.

The Company is committed to full compliance with HIPAA requirements. As a result, all staff members and contractors with access to PHI are obligated to comply with this HIPAA Compliance Policy. For the purposes of this policy and the Company’s procedures regarding the use and disclosure of PHI, the term “workforce” includes employees, medical interns, doctors, subcontractors, and others whose work is directly controlled by medDARE AI SRL, whether or not they receive compensation from the Company.

medDARE AI SRL may change this Policy at any time without notice. All workforce members must comply with all applicable HIPAA privacy and information security policies. A workforce member who, after investigation, is found to have violated the organization’s HIPAA privacy and information security policies will be subject to disciplinary action up to and including termination, and may face legal consequences.

 
Responsibilities
I. HIPAA Privacy Officer

The Company’s Data Protection Officer serves as the HIPAA Privacy Officer for medDARE AI SRL. The HIPAA Privacy Officer is responsible for the development and implementation of policies and procedures relating to privacy, including but not limited to this Policy and the Company’s use and disclosure procedures.

The HIPAA Privacy Officer also serves as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI. The HIPAA Privacy Officer can be reached at dpo@meddare.com.

II. Incident Response

In the event that a security incident results in a wrongful disclosure of PHI, the HIPAA Privacy Officer, in conjunction with the Incident Response Team, will take appropriate actions to contain the incident and prevent further inappropriate disclosures. Legal may be consulted as part of the review team to assist in the review and investigation of privacy incidents when required. If the HIPAA Privacy Officer and the Incident Response Team cannot resolve the incident, the HIPAA Privacy Officer shall involve anyone determined to be necessary to assist in its resolution. If participants and/or clients need to be notified of lost or stolen PHI, the HIPAA Privacy Officer will send PHI Theft/Loss Disclosure Letters to all potentially affected individuals and/or entities, within the time limit the HIPAA Breach Notification Rule sets (without unreasonable delay and no later than 60 calendar days after discovery of the breach).

III. Workforce Training

It is the Company’s policy to train all members of its workforce who have access to PHI on its privacy policies and procedures. All staff members receive HIPAA training. Whenever a privacy incident has occurred, the HIPAA Privacy Officer in collaboration with management will evaluate the occurrence to determine whether additional staff training is in order.

IV. Safeguards

The Company has established technical and physical safeguards to prevent PHI from being used or disclosed, intentionally or unintentionally, in violation of HIPAA’s requirements. Staff members may access PHI only with their own individual credentials; shared or borrowed logins are not permitted, so that every access to PHI is attributable to one person. The Company’s access policy ensures that only authorized employees have access to PHI, that they have access to only the minimum amount of PHI necessary for their job functions and/or contract fulfillment, and that they do not further use or disclose PHI in violation of HIPAA’s privacy rules.

Data Storage / Backup / Remote Access

All data in the cloud data center is backed up following industry-standard practice, with backup media stored off site. Backup copies contain PHI and are subject to the same access restrictions as the production data. medDARE AI SRL uses tooling that allows the IT team to promptly grant, disable, and revoke staff member access to PHI, so that access can be removed as soon as a role changes or a workforce member leaves.

V. Complaints

The HIPAA Privacy Officer is the Company’s contact person for receiving complaints. The HIPAA Privacy Officer is responsible for creating a process for individuals and/or entities to lodge complaints about the Company’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint form shall be provided to any participant upon request.

VI. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy

No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA. No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.

VII. Documentation

The Company’s privacy policies and procedures shall be documented and retained for at least six years from the date of their creation or the date they were last in effect, whichever is later. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations).

Any changes to policies or procedures must be promptly documented. The documentation of any policies and procedures, actions, activities and designations may be maintained in either written or electronic form.

VIII. Electronic Health Records

Electronic Health Records created or lawfully obtained by the Company during the provision of Services to its Clients must comply with HIPAA and other applicable laws, just as paper records do. Unlike paper records, electronic health records can be encrypted, using technology that makes them unreadable to anyone other than an authorized user, and access controls can be configured so that only authorized individuals can view them.

IX. Access Authorization

medDARE AI SRL grants users access to PHI based on their job functions and responsibilities. The HIPAA Privacy Officer, in collaboration with IT and senior management, is responsible for determining which individuals and/or contractors require access to PHI and what level of access they require, through discussions with the individual’s manager and/or department head.

Use and Disclosure of PHI
I. Access to PHI Is Limited to Certain Employees

Staff who perform functions on behalf of the Company that involve PHI will have access to PHI as determined by their department, job description and/or individual contract, and as granted by IT. Employees with access may use and disclose PHI as permitted under HIPAA, but the PHI used or disclosed must be limited to the minimum amount necessary to perform the job function.

II. Disclosures of PHI

PHI may be disclosed for any purpose pursuant to an authorization that satisfies all of HIPAA’s requirements for a valid authorization and that has been signed by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the authorization itself, with HIPAA, and with this Policy.

III. Complying With the “Minimum-Necessary” Standard

HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure.

For disclosures of PHI to business associates or providers, and for internal or external auditing purposes, only the minimum necessary amount of information will be disclosed. All other disclosures must be reviewed on an individual basis with the HIPAA Privacy Officer to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

IV. Disclosures of PHI to Business Associates

With the approval of the HIPAA Privacy Officer and in compliance with HIPAA, the Company may disclose PHI to its business associates and allow them to create or receive PHI on its behalf. Before doing so, the Company must first obtain satisfactory written assurances from the business associate, in the form of a business associate agreement, that it will appropriately safeguard the information.

A business associate is an entity that:

  • performs or assists in performing a Company function or activity involving the use and disclosure of protected health information (including claims processing or administration, data analysis, underwriting, etc.);
  • provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.

V. Disclosures of De-Identified Information

The Company may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: by expert determination, in which a qualified expert applying accepted statistical and scientific principles documents that the risk of re-identification is very small, or by the safe harbor method, in which the 18 specific identifiers listed below are removed and the Company has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.

The 18 identifiers are:

  • Names
  • Geographic subdivisions smaller than a state, including street address, city, county, precinct and ZIP code; the initial three digits of a ZIP code may be retained only where the area sharing those three digits contains more than 20,000 people
  • All elements of dates (except year) directly related to an individual, including dates of admission, discharge, birth and death; for persons over 89 years old, the age and any date elements (including year) that indicate that age may not be used, except that they may be aggregated into a single category of “age 90 or older”
  • Telephone numbers
  • FAX numbers
  • Electronic mail addresses
  • Social Security Number
  • Medical Record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • Internet protocol addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photos, and comparable images
  • Any unique identifying number, characteristic or code
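As an added example (not medDARE AI SRL’s code), the Python below applies the safe harbor removal described above to a constructed patient record and then scans the result for identifier-shaped text that might survive in free-text notes. It goes slightly beyond the list: it implements the over-89 age rule, the three-digit ZIP rule, and a residual check on the output. The field names, the sample record, the as-of date and the set of low-population ZIP prefixes are all assumptions made for the demonstration.

```python
"""Safe harbor de-identification of a constructed patient record.

Added example, not medDARE AI SRL's code. Field names, the sample record
and the low-population ZIP prefix set are assumptions for the demonstration.
"""
import re
from datetime import date

# Constructed sample record: every value below is made up.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "phone": "555-123-4567",
    "birth_date": "1930-06-15",
    "admission_date": "2023-11-02",
    "discharge_date": "2023-11-09",
    "zip": "03601",
    "state": "NH",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Follow-up call to 555-123-4567 on 2023-11-20; see https://portal.example.com/p/77",
}

# Fields holding direct identifiers from the safe harbor list; dropped outright.
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_plate", "device_serial",
    "url", "ip_address", "biometric_id", "photo_ref",
}
# Date fields reduced to the year (safe harbor keeps only the year of a date).
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}

# Identifier-shaped strings that tend to survive inside free text.
FREE_TEXT_PATTERNS = {
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


def year_only(iso_date):
    """Strip month and day; the year alone is permitted under safe harbor."""
    return date.fromisoformat(iso_date).year


def age_bucket(birth_iso, as_of):
    """Ages over 89 collapse into a single '90+' category and the birth year is
    suppressed too, since a birth year implying age over 89 is identifying."""
    birth = date.fromisoformat(birth_iso)
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    if age > 89:
        return {"age": "90+", "birth_year": None}
    return {"age": age, "birth_year": birth.year}


def zip3(zip_code, small_prefixes):
    """Keep the first three ZIP digits only where that prefix covers more than
    20,000 people; prefixes below that threshold (caller-supplied) become '000'."""
    prefix = zip_code[:3]
    return "000" if prefix in small_prefixes else prefix


def scrub_free_text(text):
    """Reduce full dates to their year and redact other identifier-shaped tokens."""
    text = FREE_TEXT_PATTERNS["full_date"].sub(lambda m: m.group(0)[:4], text)
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        if kind != "full_date":
            text = pattern.sub(f"[{kind} removed]", text)
    return text


def safe_harbor(record, as_of, small_zip_prefixes):
    """Return a de-identified copy of record; the original is left untouched."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "birth_date":
            out.update(age_bucket(value, as_of))
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = year_only(value)
        elif key == "zip":
            out["zip3"] = zip3(value, small_zip_prefixes)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)  # free text is scrubbed, never trusted
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """List (field, kind) pairs where identifier-shaped text is still present.
    Run this on the output; an empty list is required before release."""
    return [(key, kind) for key, value in record.items() if isinstance(value, str)
            for kind, pattern in FREE_TEXT_PATTERNS.items() if pattern.search(value)]


def demo():
    """Run the pass on the constructed record, assuming ZIP prefix 036 is low-population."""
    clean = safe_harbor(SAMPLE_RECORD, date(2024, 1, 1), {"036"})
    return clean, residual_identifiers(clean)


if __name__ == "__main__":
    clean, residual = demo()
    print(clean)
    print("residual identifiers:", residual)
```

The regex scan is a floor, not a guarantee: free text can carry names, employer details or rare diagnoses that no pattern catches, which is why the safe harbor method also requires that the Company has no actual knowledge the remaining data could identify the individual, and why a reviewer still reads the notes before release.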

VI. PHI Breach Reporting

The purpose of this section is to address the Company’s privacy requirements for reporting, documenting, and investigating a known or suspected action or adverse event resulting from unauthorized use or disclosure of individually identifiable health information.

A privacy breach is an adverse event or action that is unplanned, unusual, and unwanted that happens as a result of non-compliance with the privacy policies and procedures of the Company. A privacy breach must pertain to the unauthorized use or disclosure of health information, including ‘accidental disclosures’ such as misdirected e-mails or faxes.

The HIPAA Privacy Officer shall immediately investigate and attempt to resolve all reported suspected privacy breaches. Staff members are required to verbally report to their supervisor any event or circumstance that is believed to be an inappropriate use or disclosure of a participant’s PHI. If the supervisor is unavailable, the staff member must notify the HIPAA Privacy Officer directly within 24 hours of the incident. If the supervisor determines that further review is required, the supervisor and staff member will consult with the HIPAA Privacy Officer to determine whether the suspected incident warrants further investigation. In all cases an Incident Report must be completed and submitted to the appropriate reviewer.

The HIPAA Privacy Officer will document all privacy incidents and the corrective actions taken. Documentation shall include a description of the corrective actions, or an explanation of why corrective actions are not needed, and any mitigation undertaken for each specific privacy incident. All documentation of a privacy breach shall be maintained by the HIPAA Privacy Officer and retained for at least six years from the date of the investigation.

If you have a question about our HIPAA practices or want to report an incident, please contact our HIPAA Privacy Officer at dpo@meddare.com.