POLICY NO. 1: SAFEGUARDS
It is SSHCO’s policy to implement Safeguards to protect the privacy of PHI and to protect against any intentional or unintentional Use or Disclosure of PHI that is not permitted by these HIPAA Policies.
TYPES OF SAFEGUARDS
SSHCO develops and implements Administrative, Technical, and Physical Safeguards to protect the privacy of PHI. These Safeguards protect PHI from intentional and unintentional unauthorized Uses or Disclosures and incidental Uses or Disclosures made pursuant to an otherwise permitted or required Use or Disclosure. SSHCO mitigates, to the extent practicable, any harmful effect that is known to SSHCO of a Use or Disclosure of PHI in violation of these HIPAA Policies or HIPAA. New or additional Safeguards will be implemented, as needed or as required by law, in order to mitigate future harms.
SSHCO determines potential risk areas and notifies members of the Workforce of appropriate Safeguards. Safeguards are set forth elsewhere in these HIPAA Policies and may be communicated to members of the Workforce from time to time by the Privacy or Security Officer(s).
Paper copies of PHI may be created and, if so, will be stored in secure locations on SSHCO’s premises or in secure electronic storage. Access to these secure locations is limited to authorized members of the Workforce. Paper copies of PHI are shredded prior to disposal.
ePHI is safeguarded in accordance with the Security Policies found in these HIPAA Policies. No member of the Workforce will shred or destroy PHI without the prior written approval of the Privacy Officer.
IMPLEMENTATION OF SAFEGUARDS
Workforce members must implement the Safeguards as instructed by the Privacy or Security Officer(s) and may not attempt to circumvent Safeguards. Workforce members will promptly report to their supervisors or managers any attempts to circumvent Safeguards or any actual or potential violation of these HIPAA Policies.
SUBCONTRACTORS
SSHCO requires Subcontractors to safeguard PHI by using methods that are equally stringent as SSHCO’s methods. SSHCO conducts due diligence on its Subcontractors to confirm their Safeguards are appropriate for the risk to and criticality of the PHI to which Subcontractors have access.
POLICY NO. 2: USES AND DISCLOSURES OF PHI
It is SSHCO’s policy to Use and Disclose PHI only in accordance with HIPAA and these HIPAA Policies, its contractual obligations, and as required by law.
CONTRACTUAL OBLIGATIONS
As a Business Associate, SSHCO may only Use and Disclose PHI as permitted or required by its Business Associate Agreements with its Covered Entity-contract counterparties or as required by law. SSHCO enters into Business Associate Agreements and service agreements with Covered Entities to document SSHCO’s permitted Uses and Disclosures of PHI.
Covered Entities are not permitted to authorize SSHCO to Use or Disclose PHI in a manner not permitted by HIPAA, and SSHCO does not Use or Disclose PHI in a manner that would violate HIPAA.
Generally speaking, SSHCO is authorized to Use or Disclose PHI for a Covered Entity’s health care operations purposes, as set forth in an applicable Business Associate Agreement. As a Business Associate, SSHCO does not perform treatment.
SSHCO may Use and Disclose PHI for its proper management and administration, in accordance with an applicable Business Associate Agreement. SSHCO may Use and Disclose PHI to carry out its legal responsibilities, including complying with HHS investigations and assisting Covered Entities in meeting their obligations.
The Privacy Officer is responsible for reviewing all Business Associate Agreements and for informing applicable members of the Workforce of how SSHCO is permitted or required to Use or Disclose PHI. Members of the Workforce must consult with the Privacy Officer before making any other Uses or Disclosures of PHI, including creating data sets, conducting analytics, de-identifying PHI, using PHI for marketing, or selling PHI or de-identified data. See Business Associates and Downstream Subcontractors Policy.
SSHCO notifies its Covered Entity-contract counterparties of any unauthorized Uses and Disclosures of PHI.
SUBCONTRACTORS
SSHCO Discloses PHI to Subcontractors and permits Subcontractors to create, receive, maintain, or transmit PHI on SSHCO’s behalf only if SSHCO receives satisfactory assurances that the Subcontractor will appropriately safeguard the PHI. SSHCO requires the Subcontractors to sign a downstream Business Associate Agreement. See Business Associates and Downstream Subcontractors Policy.
REQUIRED BY LAW
SSHCO discloses PHI to HHS in connection with investigations or to determine SSHCO’s compliance with HIPAA. See Government Investigations Policy. If requested by a Covered Entity-contract counterparty, SSHCO discloses PHI to the Covered Entity, an Individual, or an Individual’s designee to assist the Covered Entity in complying with its HIPAA obligations.
To the extent necessary, Covered Entities are responsible for obtaining consent or authorization from Individuals prior to disclosing an Individual’s PHI to SSHCO. SSHCO does not obtain consent directly from Individuals. SSHCO does not request patient information relating to behavioral health, developmental disabilities, substance use disorders, psychotherapy, or sexually transmitted or other communicable diseases. See also HIPAA Preemption Policy.
NOTICE OF UNAUTHORIZED USES AND DISCLOSURES
SSHCO investigates and, if required, notifies its Covered Entity-contract counterparties and other applicable Persons when it discovers unauthorized Uses and Disclosures of PHI. See also the Breach Notification Policy.
DE-IDENTIFICATION OF PHI
SSHCO creates de-identified data from PHI only if permitted by a Business Associate Agreement. PHI that has been de-identified in accordance with HIPAA is no longer PHI.
POLICY NO. 3: MINIMUM NECESSARY
It is SSHCO’s policy to limit Uses and Disclosures of PHI to the minimum amount of PHI necessary to accomplish the intended purpose of the Use or Disclosure.
MINIMUM NECESSARY AND EXCEPTIONS
SSHCO limits its Use or Disclosure of PHI to the minimum amount of PHI necessary to accomplish the intended purpose of the Use or Disclosure. Uses or Disclosures to an Individual, pursuant to a valid HIPAA authorization, required by law, or required for compliance with HIPAA are not subject to the minimum necessary requirement.
REQUESTS OF COVERED ENTITY-CUSTOMERS
When entering into arrangements with Covered Entity-contract counterparties, SSHCO does not request more than the minimum amount of PHI necessary to accomplish the intended purpose of the Use or Disclosure. For routine arrangements with Covered Entity-contract counterparties, SSHCO determines the minimum amount necessary and, if requested by the Covered Entity, represents that the information requested is the minimum necessary for the stated purpose.
If a member of the Workforce wishes to make a non-standard request for PHI from a Covered Entity-contract counterparty, the member of the Workforce must work with the Privacy Officer to limit the request to the information reasonably necessary to accomplish the purpose. The Privacy Officer will consider at least the following criteria:
- The purpose of the Disclosure
- Whether less PHI may be Disclosed to accomplish the same purpose
- Whether de-identified information may be Disclosed to accomplish the same purpose.
The Privacy Officer will document the determination and communicate it to the relevant member of the Workforce or the Covered Entity-contract counterparty, as applicable.
USES OF PHI
SSHCO reviews its Uses of PHI to confirm that the PHI is the minimum necessary to accomplish the intended purposes. SSHCO implements Safeguards to limit unnecessary Access to PHI. SSHCO documents which members of the Workforce need Access to PHI to carry out their duties, the categories or types of PHI that such members of the Workforce require, and any limitations on their Access. SSHCO documents this information and informs relevant members of the Workforce of these requirements and limitations.
DISCLOSURES OF PHI
SSHCO documents any Disclosures of PHI that it makes on a routine basis and limits the PHI Disclosed to the amount reasonably necessary to achieve the purpose of the Disclosure. SSHCO documents these Disclosures and the PHI necessary and informs relevant members of the Workforce of these requirements.
If a member of the Workforce wishes to make a non-routine Disclosure of PHI, the member of the Workforce must work with the Privacy Officer to limit the PHI to the information reasonably necessary to accomplish the purpose.
The Privacy Officer will consider at least the following criteria:
- The purpose of the Disclosure
- Whether less PHI may be Disclosed to accomplish the same purpose
- Whether de-identified information may be Disclosed to accomplish the same purpose.
The Privacy Officer will document the determination and communicate it to the relevant member of the Workforce or the recipient of the PHI, as applicable.
MARKETING, FUNDRAISING, AND PROHIBITION ON SALE OF PHI
It is SSHCO’s policy to refrain from Using or Disclosing PHI for marketing, fundraising, or remuneration purposes, except when a special agreement is documented in writing.
MARKETING AND FUNDRAISING
SSHCO refrains from Using or Disclosing an Individual’s PHI for marketing or fundraising purposes, unless SSHCO and the applicable Covered Entity-contract counterparty agree otherwise in a Business Associate Agreement.
If a member of the Workforce wishes to Use or Disclose PHI for marketing or fundraising purposes, the member of the Workforce must contact the Privacy Officer. The Privacy Officer may prohibit the marketing or fundraising activity, or the Privacy Officer may choose to request permission to Use or Disclose the PHI for marketing or fundraising purposes from the applicable Covered Entity. If the Covered Entity and SSHCO agree that the activity is permissible, the Covered Entity will be responsible for obtaining a valid HIPAA authorization from the Individual to permit the marketing activity. SSHCO and the Covered Entity will document the arrangement in writing.
All members of the Workforce understand that Covered Entities cannot require Individuals to grant an authorization and that requesting authorization from an Individual for marketing or fundraising purposes is an extraordinary ask. Any request to Use or Disclose PHI for marketing or fundraising purposes is likely to be denied.
SALE OF PHI
SSHCO refrains from directly or indirectly requesting, receiving, or paying any remuneration in exchange for PHI.
Remuneration can consist of the exchange of money (such as cash or checks) and other forms of non-financial payment (such as bartering). The prohibition on the sale of PHI does not apply to services that SSHCO undertakes on behalf of its Covered Entity-contract counterparties where the only remuneration provided is by the Covered Entity to SSHCO for the performance of such services.