HIPAA-BA PHI SECURITY PROGRAM

PREFACE

Whereas Immediate Credit Recovery (ICR) performs services for “covered entities” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), its relationship to “covered entities” is that of a “business associate.” While Immediate Credit Recovery is not directly subject to the requirements of HIPAA, as a business associate of covered entities, ICR may be contractually required to safeguard protected health information (PHI) in the same manner as a covered entity is required to do so. Accordingly, the purpose of this program (HIPAA-BA PHI Security Program) is to provide basic documentation of ICR’s efforts to ensure that any PHI which is provided to it by any covered entity is appropriately protected and used only in accordance with appropriate activities as an authorized business associate of a covered entity.

PHI SECURITY COORDINATOR

In order to ensure compliance with this program, a “Security Coordinator” shall be appointed to oversee and help direct security policy. Wendy Bianco is hereby designated “Security Coordinator.”

PROTECTED HEALTH INFORMATION

HIPAA broadly defines protected health information (PHI) as individually identifiable health information (IIHI) created or received by a covered entity which is transmitted by electronic media, maintained in electronic media or maintained in any other form or medium. All covered entities may only use PHI for treatment, payment and healthcare operations (TPO) purposes. Covered entities who engage business associates to collect payment must take reasonable efforts to ensure that the BA maintains the privacy of PHI. PHI may include:

Name
Address
Telephone and fax numbers
Social Security number
E-mail address
Name of employer
Date of birth
Account number
Health plan and health plan identification numbers
License number
Vehicle serial/license plate number
Web address
Credit and debit card numbers
Medical record numbers
Medical records
Biometric identifiers (finger or voice prints)
Date of death
Any other unique identifier or code

USE AND DISCLOSURE OF PHI

ICR as a BA receives PHI from covered entities (CE). ICR shall only use and disclose PHI in an appropriate manner. Thus ICR will not disclose PHI in a manner inconsistent with any CE’s obligations under HIPAA. It is the policy of this company to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.

PHI may be used in ordinary activity involving treatment, payment and healthcare operations (TPO). Any activity involving PHI not coming under ordinary activity involving TPO would most likely constitute “disclosure.”

Disclosure without written authorization for any purpose other than TPO is an inappropriate use, excluding limited situations such as emergencies and national priorities under defined circumstances. ICR will not disclose PHI to any person or entity without prior written authorization from the person who is the subject of the PHI or their personal representative. This policy on disclosure applies to both written and oral communications involving PHI. Communication with a person or the authorized representative (i.e. parent of a minor) of the subject of the PHI shall not constitute disclosure.

SECURITY OF PHI

REASONABLY FORESEEABLE SECURITY RISKS AND SAFEGUARDS

Whereas this office receives and uses PHI, it is necessary to identify risks to the confidentiality and integrity of such information from both internal and external standpoints as well as to provide safeguards against such risks.

INTERNAL RISKS

For the purposes of this policy “internal risks” shall be defined as those risks which can result in an employee or office member misusing, misappropriating, or breaching the integrity of consumer and client information.

Whereas certain employees and office members have access to confidential information including but not limited to a debtor’s Social Security number, credit reports, bank account numbers, debit and credit card information, health and health insurance information, debt information and other personal financial and employment records, risk exists that such information may be negligently used or used for improper and illegal purposes.

Such risks include:

1> Personnel with access to health, health insurance, treatment or other medical information negligently and/or intentionally mishandling, processing or disclosing said information.

2> Personnel with access to credit and debit card information negligently handling or processing said information, misappropriating said information for personal use or sale, or otherwise intentionally misusing said information.

3> Personnel with access to bank account information negligently handling or processing said information, misappropriating said information for personal use or sale, or otherwise intentionally misusing said information.

4> Personnel with access to Social Security numbers negligently handling or processing said information, misappropriating said information for personal use or sale, or otherwise intentionally misusing said information.

5> Personnel with access to debt information improperly altering said information to either increase or decrease said debt, or otherwise misusing said debt information for improper purposes.

6> Careless handling of nonpublic information, in that there is a risk of said information not being properly filed or discarded such that it may inadvertently end up in public view.

INTERNAL SAFEGUARDS

1> Beginning in the interview process, informing all prospective employees, office members and independent contractors that this company’s business involves the handling of confidential nonpublic information which must be used only for proper purposes.

2> Upon hiring or contracting with an individual or entity, informing them of the importance of safeguarding the above confidential information and ensuring that they understand the importance and necessity of maintaining the confidentiality and integrity of such information. Assurance may be based upon company training and education or the person’s prior experience, including having employees acknowledge and sign appropriate confidentiality agreements.

A section on such safeguards has been incorporated into ICR’s confidentiality agreement. In order to further protect against said internal risks, a section on PHI has been created and incorporated into ICR’s intense training program for all personnel, both new and existing. If it appears that a person’s understanding of what nonpublic information is and how to handle it is not sufficient, that person shall not be allowed access to said information until the supervisor of such person is satisfied that they have received sufficient training and have reached an appropriate level of understanding to handle the information they will have access to.

3> Including in the training of personnel the appropriate amount of education regarding the proper use to which they may put such information and the knowledge to use such information properly.

4> Limiting the personnel who can access and use confidential information to those who must necessarily see and use said information in their employment or business capacity. Further limiting access to “on premises access,” excluding key employees who may need to access information from off site.

5> Limiting the personnel who process financial transactions and interact with other financial institutions.

6> Limiting the personnel who can adjust debt information. Adjusting debt information for this purpose means changing rates, fees and amounts owed. It does not include applying payments received on a debt.

7> Maintaining a zero tolerance for intentional and fraudulent misuse of confidential information.

8> Periodically monitoring personnel to ensure compliance.

9> Maintaining good accounting practices and addressing any abnormal or suspicious activity promptly.

10> Requiring employees to adhere to written company policy and procedure.

11> Instructing employees to make sure physical records are properly stored and out of public view and maintaining a secure office environment during off hours, including shredding sensitive documents which are no longer needed and slated for destruction. In accordance with such instructions, every ICR staff member has been provided with a separate disposal container for use at their workstation, and additional large containers have been placed in strategic locations throughout the office, including by copiers, fax machines and in the mail room. ICR has an existing contract with a shredding company which does the shredding on premises, and documentation of the process is stored and secured accordingly.

12> The information systems officer shall maintain current electronic and computer security, including firewalls, encryption and password security, as present standards and prudence dictate.

EXTERNAL RISKS

For the purposes of this policy “external risks” shall be defined as those risks which can result in confidential nonpublic information being accessed by an improper outside source, which could cause improper disclosure, misuse or misappropriation of, or a breach of the integrity of, consumer and client information.

Whereas this company receives, maintains and appropriately discloses hard copy records, electronic records, computer records and other records of confidential information including but not limited to a debtor’s Social Security number, credit reports, bank account numbers, debit and credit card information, health and health insurance information, debt information and other personal financial and employment records, risk exists that such information may be accessed by an improper outside source and negligently used and/or used for improper and illegal purposes.

Such risks include:

1> Improper physical storage, transmittal, and disposal of nonpublic information.

2> Improper outside access to electronic, network, or computer information systems containing nonpublic information.

3> Improper transmittal of electronic or computer information.

EXTERNAL SAFEGUARDS

1> Except when in use, physical records of nonpublic information shall be kept out of plain view, meaning in files, folders or an office to which the public does not have access. Further, when nonpublic records are to be discarded they should be shredded or otherwise properly destroyed. In accordance with such policy, every ICR staff member has been provided with a separate disposal container for use at their workstation, and additional large containers have been placed in strategic locations throughout the office, including by copiers, fax machines and in the mail room. ICR has an existing contract with a shredding company which does the shredding on premises, and documentation of the process is stored and secured accordingly.

2> Proper care should be used in sending and receiving information, including making sure addresses and numbers are correct and fax cover sheets are used. Likewise, proper care should be used in ensuring nonpublic information is not visible to outside agencies.

3> Only key and necessary employees shall have access to computer and network systems from off premises.

a. Proper outside agencies, such as clients, who have access to nonpublic information shall have their access limited to what they may rightfully see, and appropriate electronic security shall be maintained.

b. The information systems officer shall maintain current electronic and computer security, including firewalls, encryption and password security, as present standards and prudence dictate.

c. Continuous monitoring of computer and network systems shall be performed to ensure no breach has occurred.

AUTHORIZATIONS FOR DISCLOSURE

When an individual who is the subject of PHI requests that PHI be disclosed for a purpose other than TPO, ICR shall not disclose PHI without prior written authorization from the person. For an authorization to be valid and accepted for use, it must be signed and must contain a meaningful and specific description of the information to be used or disclosed, the name of the person or entity to whom the disclosure may be made, the purpose for the disclosure, an expiration date if one exists, and any other restrictions the individual desires to place on the disclosure. The authorization must also include a statement that the person understands they have the right to revoke said authorization prospectively. If the authorization is to be signed by a personal representative, said authorization must be accompanied by a description of the representative’s authority to act and, where appropriate, proof of said authority.

RIGHT OF ACCESS TO PHI

Individuals have the right to access their own PHI, excluding psychotherapy notes and other limited exclusions. Requests may be oral or in writing; if ICR requires requests to be in writing, it shall inform individuals who make oral requests that their request must be in writing. ICR shall respond to requests in accordance with HIPAA’s requirements.

DOCUMENTATION

ICR shall document all disclosures of PHI not made in the ordinary use of TPO as well as any individual’s requests for access to their own PHI. Written authorizations shall be kept in either hard copy form or electronic form for no less than six years in accordance with HIPAA.

ADAPTABLE IMPLEMENTATION

Whereas ICR services the accounts of multiple covered entities which may have different PHI procedures for use, disclosure and PHI access, ICR shall, upon written request or in compliance with its BA contract, adapt its practices to conform with any such requests from a CE, so long as the request remains within the bounds of HIPAA.

HIPAA-BA TRAINING

It is the policy of ICR to provide HIPAA-BA training to all members of its workforce, agents and contractors as necessary and appropriate to carry out their functions. Training shall be documented. Records demonstrating that employees have received training shall be maintained for six years.

EVALUATION AND ADJUSTMENT OF HIPAA-BA SECURITY PROGRAM

Information security is an ongoing process which should be evaluated and adjusted as needed. This program ought to be evaluated no fewer than four times per year and adjusted as necessary. Evaluation shall consist of the PHI Security Coordinator discussing the state of the program with management and the information technology officer and maintaining and/or adjusting policy as is deemed prudent. Upon the discovery of any significant breach, the cause of the breach shall be corrected as soon as reasonably possible, and adjustments to policy shall always be made if the breach was a result of a problem with the policy.

Date of Implementation: 06-01-03
Date of Last Review: 01-01-05
Policy or Procedure Updated: NO