  1. Purpose
    NCG Medical is committed to protecting the privacy and confidentiality of all individuals’ health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. This policy is intended to inform employees of their responsibility to comply with HIPAA regulations to safeguard protected health information (PHI) and to ensure the company’s compliance with federal privacy and security requirements.

  2. Scope
    This policy applies to all employees, contractors, interns, volunteers, and any other individuals with access to PHI or involved in activities requiring the use of PHI within NCG Medical.

  3. HIPAA Compliance Overview
    HIPAA is a federal law that sets standards for protecting sensitive patient information from being disclosed without the patient’s consent or knowledge. The law includes the following key components:

    • Privacy Rule: Regulates the use and disclosure of PHI.
    • Security Rule: Establishes standards to safeguard electronic PHI (ePHI).
    • Breach Notification Rule: Requires notification to affected individuals and the Department of Health and Human Services (HHS) in the event of a breach.
    • Enforcement Rule: Details penalties for non-compliance.

  4. Employee Responsibilities
    All employees are required to:

    • Understand HIPAA Requirements: Employees must familiarize themselves with HIPAA’s key provisions and how they apply to their roles.
    • Safeguard PHI: Employees must take reasonable steps to protect the confidentiality of all PHI, including physical and electronic forms. This includes ensuring that PHI is not disclosed to unauthorized individuals, that it is stored securely, and that it is disposed of properly.
    • Limit Access to PHI: Employees should only access PHI that is necessary to perform their job duties. Accessing or attempting to access PHI without a valid reason is strictly prohibited.
    • Report Violations: Employees must promptly report any suspected HIPAA violations, data breaches, or security incidents to the HIPAA Privacy Officer or their supervisor. Failure to report may result in disciplinary action.
    • Maintain Confidentiality: Employees must not discuss, share, or disclose PHI outside the scope of their work responsibilities. This includes discussions in non-secure environments (e.g., public spaces, social media, etc.).

  5. Protected Health Information (PHI)
    PHI includes any information, whether oral or recorded in any form or medium, that:

    • Relates to an individual’s physical or mental health condition, the provision of health care, or the payment for health care.
    • Identifies or can be used to identify an individual.

  6. Disciplinary Action for Non-Compliance
    Non-compliance with HIPAA regulations or this policy may result in disciplinary action, up to and including termination of employment, depending on the severity of the violation. Violations may also subject employees to civil and criminal penalties as outlined by HIPAA and related laws.

  7. Training and Awareness
    All employees will receive HIPAA training upon hire and on an ongoing basis as required by company policy and applicable law. Employees are required to complete these training sessions in a timely manner and demonstrate a basic understanding of HIPAA regulations.

  8. Use and Disclosure of PHI

    • Authorized Use: Employees are only permitted to use and disclose PHI for purposes directly related to their job duties, including treatment, payment, or healthcare operations as defined under HIPAA.
    • Prohibited Use: Employees are prohibited from using or disclosing PHI for personal purposes, or for any purpose not expressly authorized by HIPAA.

  9. Security of Electronic PHI (ePHI)
    Employees must take appropriate precautions to secure ePHI, including but not limited to:

    • Using strong passwords and secure methods of authentication.
    • Ensuring that devices containing ePHI are encrypted or otherwise protected.
    • Not leaving devices with ePHI unattended or accessible to unauthorized individuals.

  10. Acknowledgment of Receipt and Understanding
    All employees must acknowledge that they have received, read, and understand this policy. A signed acknowledgment form will be maintained in each employee’s personnel file.

Policy No. 526