HIPAA Disclaimer

Your Health Information, Safeguarded

1. Purpose and Policy Statement

1.1 Purpose

Materna Healthcare (“the Organization”) is committed to protecting the privacy, confidentiality, integrity, and availability of Protected Health Information (PHI) as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and its implementing regulations (Privacy Rule, Security Rule, Breach Notification Rule, and related regulations).

1.2 Policy Statement

All workforce members, contractors, and business associates of Materna Healthcare must comply with this HIPAA Policy and associated procedures. The Organization will implement administrative, physical, and technical safeguards to reasonably and appropriately protect PHI, limit uses and disclosures to the minimum necessary, and ensure compliance with individual rights, breach notification, and oversight requirements.

2. Scope and Definitions

2.1 Scope

This policy applies to all forms of PHI held or transmitted by Materna Healthcare, including electronic (ePHI), paper, and oral communications. It applies to all workforce members, including employees, contractors, interns, volunteers, and third parties who have access to PHI.

2.2 Definitions

PHI (Protected Health Information): Individually identifiable health information relating to the past, present, or future physical or mental health condition, treatment, or payment, which identifies an individual or for which there is a reasonable basis to believe it can be used to identify the individual.

ePHI: PHI in electronic form.

Minimum Necessary: When using, disclosing, or requesting PHI, only the minimum amount necessary to accomplish the intended purpose should be accessed or disclosed.

Covered Entity / Business Associate: Materna Healthcare (if it transmits electronic health transactions) is a covered entity. Any external vendor, contractor, or partner that creates, receives, maintains, or transmits PHI on behalf of Materna Healthcare is a Business Associate.

Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Organization, is under its direct control, whether or not they are paid.

3. Roles and Responsibilities

3.1 Privacy Officer

The Organization designates a Privacy Officer responsible for development, implementation, monitoring, and enforcement of privacy policies and procedures. The Privacy Officer acts as the primary contact for patients or individuals with questions about privacy rights and PHI.

3.2 Security Officer

A Security Officer is designated to oversee the implementation and maintenance of the technical and physical safeguards for ePHI. The Security Officer is responsible for risk assessments, oversight of security controls, incident response, and ongoing compliance monitoring.

3.3 Workforce

  • Receive training on HIPAA privacy and security policies and procedures
  • Comply with rules of access, usage, and disclosure of PHI
  • Report suspected breaches, security incidents, or policy violations
  • Acknowledge understanding and agree to adhere to these policies

3.4 Business Associates

Before engaging any Business Associate that will handle PHI, Materna Healthcare must execute a Business Associate Agreement (BAA) to ensure they will safeguard PHI in compliance with HIPAA rules. The Privacy Officer and Security Officer must review and monitor Business Associate compliance and require BAAs with downstream subcontractors.

4. Privacy Safeguards and Use/Disclosure of PHI

4.1 Permitted Uses and Disclosures without Authorization

  • For treatment, payment, and healthcare operations (TPO)
  • To the individual
  • Incident to an otherwise permitted use or disclosure
  • For public health activities
  • For reporting abuse or neglect as required by law
  • For judicial or administrative proceedings
  • For law enforcement purposes
  • For research, with appropriate safeguards
  • To avert a serious threat to health or safety

4.2 Authorization Required

Uses or disclosures of PHI not permitted or required by law require a valid written authorization from the individual, specifying (among other things) what PHI is to be used or disclosed, to whom, the purpose, the expiration date or event, and the individual's right to revoke the authorization.

4.3 Minimum Necessary Standard

When using, disclosing, or requesting PHI, only the minimum amount of information necessary for the purpose should be accessed or disclosed, unless otherwise required by law or regulation.

4.4 Individual Rights

  • Right to access: Individuals may inspect or obtain a copy of their PHI (with limited exceptions)
  • Right to amendment: Individuals may request corrections or amendments to their PHI
  • Right to an accounting of disclosures
  • Right to request restrictions on uses/disclosures of PHI
  • Right to request alternative communication
  • Right to receive a paper copy of the Notice of Privacy Practices

4.5 Notice of Privacy Practices (NPP)

Materna Healthcare must provide a Notice of Privacy Practices that describes how PHI may be used and disclosed, the individual’s rights, and the covered entity’s duties. The notice must be posted prominently, made available on the website, and furnished to patients upon first encounter.

4.6 De-identification and Limited Data Sets

When possible, Materna Healthcare should de-identify PHI or use a “limited data set” (with a data use agreement) to minimize risk.

5. Security Safeguards (ePHI)

5.1 Administrative Safeguards

  • Conduct risk analyses and implement management plans
  • Perform workforce training on security and HIPAA
  • Implement access management and contingency plans
  • Maintain incident response and reporting procedures

5.2 Physical Safeguards

  • Facility access controls and visitor management
  • Workstation security and device/media disposal
  • Secure disposal of paper PHI and hardware

5.3 Technical Safeguards

  • Access controls and user authentication
  • Encryption of ePHI in transit and at rest
  • Audit and integrity controls
  • Transmission security (TLS/SSL, VPN)

5.4 Monitoring and Auditing

Regular audits, monitoring, and logging of system access, modifications, and security events must be conducted to detect unauthorized access or unusual activity.

6. Breach Notification and Incident Management

  • All suspected breaches must be reported immediately
  • Security Officer investigates and mitigates risks
  • Notify affected individuals and HHS per HIPAA timelines
  • Maintain documentation for all incidents

7. Training and Awareness

All workforce members must receive initial and ongoing HIPAA training, covering privacy, security, breach response, and updates in regulation. Training records must be retained for six years.

8. Sanctions and Compliance

Violations of this HIPAA Policy may result in disciplinary actions up to termination. Sanctions will be applied consistently and documented.

9. Documentation and Recordkeeping

Maintain HIPAA-related records (risk assessments, training, incidents) for at least six years, including version control and review logs.

10. Policy Review and Updates

This policy shall be reviewed annually or when there are regulatory or operational changes. Revisions must be approved by leadership and communicated to all staff.

11. Implementation and Compliance

The Privacy Officer and Security Officer will lead implementation, coordinate with departments, and perform audits. Management must provide adequate resources for compliance.