Materna Healthcare (“the Organization”) is committed to protecting the privacy, confidentiality, integrity, and availability of Protected Health Information (PHI) as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and its implementing regulations (Privacy Rule, Security Rule, Breach Notification Rule, and related regulations).
All workforce members, contractors, and business associates of Materna Healthcare must comply with this HIPAA Policy and associated procedures. The Organization will implement administrative, physical, and technical safeguards to reasonably and appropriately protect PHI, limit uses and disclosures to the minimum necessary, and ensure compliance with individual rights, breach notification, and oversight requirements.
This policy applies to all forms of PHI held or transmitted by Materna Healthcare including electronic (ePHI), paper, and oral communications. It applies to all workforce members, including employees, contractors, interns, volunteers, and third parties who have access to PHI.
PHI (Protected Health Information): Individually identifiable health information relating to the past, present, or future physical or mental health condition, treatment, or payment, which identifies an individual or for which there is a reasonable basis to believe it can be used to identify the individual.
ePHI: PHI in electronic form.
Minimum Necessary: When using, disclosing, or requesting PHI, only the minimum amount necessary to accomplish the intended purpose should be accessed or disclosed.
Covered Entity / Business Associate: Materna Healthcare (if it transmits electronic health transactions) is a covered entity. Any external vendor, contractor, or partner that creates, receives, maintains, or transmits PHI on behalf of Materna Healthcare is a Business Associate.
Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Organization, is under its direct control, whether or not they are paid.
The Organization designates a Privacy Officer responsible for development, implementation, monitoring, and enforcement of privacy policies and procedures. The Privacy Officer acts as the primary contact for patients or individuals with questions about privacy rights and PHI.
A Security Officer is designated to oversee the implementation and maintenance of the technical and physical safeguards for ePHI. The Security Officer is responsible for risk assessments, oversight of security controls, incident response, and ongoing compliance monitoring.
Before engaging any Business Associate that will handle PHI, Materna Healthcare must execute a Business Associate Agreement (BAA) to ensure that the Business Associate will safeguard PHI in compliance with HIPAA rules. The Privacy Officer and Security Officer must review and monitor Business Associate compliance and require BAAs with downstream subcontractors.
Uses or disclosures of PHI not permitted or required by law require a valid written authorization from the individual, specifying (among other things) the PHI to be used or disclosed, the recipient, the purpose, the expiration date or event, and the individual’s right to revoke the authorization.
When using, disclosing, or requesting PHI, only the minimum amount of information necessary for the purpose should be accessed or disclosed, unless otherwise required by law or regulation.
Materna Healthcare must provide a Notice of Privacy Practices that describes how PHI may be used and disclosed, the individual’s rights, and the covered entity’s duties. The notice must be posted prominently, made available on the website, and furnished to patients upon first encounter.
When possible, Materna Healthcare should de-identify PHI or use a “limited data set” (with a data use agreement) to minimize risk.
Regular audits, monitoring, and logging of system access, modifications, and security events must be conducted to detect unauthorized access or unusual activity.
All workforce members must receive initial and ongoing HIPAA training, covering privacy, security, breach response, and updates in regulation. Training records must be retained for six years.
Violations of this HIPAA Policy may result in disciplinary actions up to termination. Sanctions will be applied consistently and documented.
The Organization must maintain HIPAA-related records (risk assessments, training, incidents) for at least six years, including version control and review logs.
This policy shall be reviewed annually or when there are regulatory or operational changes. Revisions must be approved by leadership and communicated to all staff.
The Privacy Officer and Security Officer will lead implementation, coordinate with departments, and perform audits. Management must provide adequate resources for compliance.