HIPAA Policy

This Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Policy (“Policy”) establishes the standards and procedures adopted by [Company Name] (“Covered Entity” or “Organization”) to ensure compliance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and all applicable implementing regulations.

The purpose of this Policy is to safeguard the confidentiality, integrity, and availability of Protected Health Information (“PHI”) and Electronic Protected Health Information (“ePHI”), and to ensure that all workforce members adhere to federal and state privacy and security obligations.

This Policy applies to:

• All employees, officers, directors, contractors, volunteers, and agents (“Workforce Members”)
• All systems, devices, and environments that create, receive, maintain, or transmit PHI/ePHI
• All business processes involving patient information, including intake, billing, transportation, documentation, and communications

• Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, including demographic data, medical history, treatment information, and billing records.
• Electronic PHI (ePHI): PHI that is created, stored, transmitted, or received electronically.
• Minimum Necessary Standard: The requirement to limit PHI use, disclosure, and access to the minimum necessary to accomplish the intended purpose.
• Business Associate: A third party that performs functions involving PHI on behalf of the Organization.
• Security Incident: Any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information.

The Organization may use and disclose PHI without patient authorization only for:

• Treatment
• Payment
• Healthcare Operations

All other uses or disclosures require a valid, written authorization from the individual, unless otherwise permitted or required by law.

Workforce Members shall:

• Access only the PHI necessary to perform assigned duties
• Avoid unnecessary disclosure of patient information
• Utilize role-based access controls

Patients are entitled to:

• Access and obtain copies of their PHI
• Request amendments to inaccurate records
• Request restrictions on disclosures
• Receive an accounting of disclosures
• Request confidential communications

Requests must be processed within regulatory timeframes (generally 30 days).

The Organization shall:

• Maintain and distribute a Notice of Privacy Practices
• Clearly outline patient rights and organizational obligations
• Make the notice available upon request and on the company website (if applicable)

The Organization shall implement:

• A designated Security Officer
• Workforce training and awareness programs
• Risk analysis and risk management procedures
• Sanction policies for non-compliance
• Contingency planning (data backup, disaster recovery, emergency mode operations)

Measures include:

• Controlled facility access
• Secure workstation usage
• Device and media controls (disposal, reuse, accountability)
• Restricted access to areas where PHI is stored

The Organization shall enforce:

• Unique user identification and authentication
• Role-based access controls
• Encryption of ePHI in transit and at rest (where applicable)
• Audit controls and system activity monitoring
• Automatic logoff mechanisms
• Integrity controls to prevent unauthorized alteration

A breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy.

In the event of a breach:

• Affected individuals must be notified without unreasonable delay, and no later than 60 days
• The U.S. Department of Health & Human Services (HHS) must be notified
• Media notification is required for breaches affecting more than 500 individuals

A breach risk assessment must evaluate:

• Nature and extent of PHI involved
• Unauthorized person who accessed PHI
• Whether PHI was actually acquired or viewed
• Extent to which risk has been mitigated

The Organization shall:

• Execute Business Associate Agreements (BAAs) with all vendors handling PHI
• Ensure Business Associates comply with HIPAA Security Rule requirements
• Monitor and document third-party compliance

All Workforce Members must:

• Complete HIPAA training upon hire
• Participate in periodic refresher training
• Acknowledge understanding of privacy obligations

Violations of this Policy may result in:

• Disciplinary action up to and including termination
• Civil and/or criminal penalties under applicable law

The Organization shall:

• Retain PHI in accordance with federal and state regulations
• Securely dispose of PHI using approved methods (shredding, secure deletion, etc.)
• Maintain records of disposal activities where applicable

All suspected or confirmed security incidents must be:

• Reported immediately to the Privacy or Security Officer
• Investigated promptly
• Documented thoroughly
• Mitigated to prevent recurrence

This Policy shall be:

• Reviewed annually or upon regulatory changes
• Updated as necessary to maintain compliance
• Distributed to all Workforce Members

All Workforce Members must acknowledge receipt and understanding of this Policy and agree to comply with all provisions herein.

For questions or concerns about this Privacy Policy, please contact us at:

• Phone: 215.500.3070
• Email: dynamicambulance@gmail.com
• Address: 140 Tomlinson Road, Unit B, Huntingdon Valley, PA 19006