HIPAA Security Policies
The following policies for ReFocus Management Services, LLC, and its affiliated practices(“Organization,”) set forth the reasonable and appropriate security measures the Organization will use to implement the standards and implementation specifications of the Health Insurance Portability and Availability Act (“HIPAA”), Security Standards for the Protection of Electronic Protected Health Information (“HIPAA Security Rule”) (45 Code of Federal Regulations, Part 164, Subpart C).Last Revision Date: 4/28/2022Definitions and Abbreviations Identifiable Health Information: Defined in 45 CFR 160.103 as information that:(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and(i) That identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Information Systems: Integrated set of components for collecting, storing, and processing data and for providing information, knowledge, and digital products. Patient Record: A written account of a patient’s examination and treatment that includes the patient’s medical history and complaints, the healthcare professional’s physical findings, the results of diagnostic tests and procedures, and medications and therapeutic procedures.
Protected Health Information (PHI): Identifiable Health Information that is transmitted by electronic media, maintained in electronic media, transmitted or maintained in any other form or media, excluding information that comes within the paragraphs (1) and (2) of the definition of protected health information 45CFR 160.103.
Electronic Protected Health Information (EPHI): Protected health information that is transmitted by electronic media or maintained in electronic media.
Sensitive Information: Information that may, if combined with other accessible information, reasonably identify an individual’s health information; or information that may be used to compromise administrative, physical, or technical safeguards implemented to protect protected health information. Workforce Members: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.
Assigned Security Responsibility The Organization shall assign an individual to serve as the security officer (the “HIPAA Security Officer”).The HIPAA Security Officer is responsible for maintaining and enforcing the security policies, investigating any suspected violations, responding to workforce questions and complaints, and communicating the policies to the Organization’s workforce members. The HIPAA Security Officer will keep the Organization reasonably informed of matters arising under the policies. The Organization may at times engage business associate(s) to manage or execute procedures necessary to implement these policies, and the HIPAA Security Officer is responsible for ensuring procedures managed or executed by business associate(s) are executed according to the Organization’s security policies.• Standard: Assigned Security Responsibility (45 C.F.R. § 164.308(a)(2))• HIPAA Security Procedures Section(s):o Assigned Security Responsibility Security Management Process The Organization will implement policies and procedures to prevent, detect, contain, and correct security violations. When the security management process is executed or managed by business
associate(s), the HIPAA Security Officer will review and approve the policies and procedures implemented by the business associate(s) to ensure compliance with this section.• Standard: Security Management Process (45 C.F.R. § 164.308(a)(1)(i))• HIPAA Security Procedures Section(s):o Risk Analysis and Management
Risk Analysis The Organization will conduct a risk analysis, an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information annually or when major information systems are implemented, business processes change, or emerging threats warrant a more frequent assessment. When a risk analysis is executed or managed by business associate(s), the HIPAA Security Officer will review and approve the procedures for performing the risk analysis; assess the likelihood, impact, and risk of threats and vulnerabilities presented in the risk analysis; and determine which security measures may be reasonable and appropriate to reduce identified risks.• Risk Analysis (Required) (45 C.F.R. § 164.308(a)(1)(ii)(A))• HIPAA Security Procedures Section(s):o Risk Analysis and Management
Risk Management The Organization will implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule. The HIPAA Security Officer will review reports and associated security measure data provided periodically by workforce members, contractors, or business associate(s) to assess ongoing risks and vulnerabilities. When security measures are implemented or managed by business associate(s), the HIPAA Security Officer will review and approve the procedures for implementing risk management strategies, which include the report(s) and data to be provided to the HIPAA Security Officer.• Risk Management (Required) (45 C.F.R. § 164.308(a)(1)(ii)(B))• HIPAA Security Procedures Section(s):o Risk Analysis and Management
Sanctions Policy The Organization will apply appropriate sanctions against workforce members who fail to comply with its security policies and procedures. The HIPAA Security Officer will manage the investigation into policy violations according to the Organization’s Human Resource (“HR”) policies. Sanctions will be applied to the Organization’s workforce members as appropriate under the HR policies. Sanctions will be applied as appropriate to business associate(s) under the Business Associates section of this policy and agreements in effect at the time of the compliance violation.