General Privacy Policy

1. Limited Data Set

A Limited Data Set is PHI that excludes direct identifiers of the individual or of relatives, employers, or household members of the individual. A Limited Data Set excludes all of the following:

• Names
• Address information, other than town or city, state, and zip code
• Telephone numbers
• Fax numbers
• E-mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images

2. PHI Beyond a Limited Data Set

If it is not practical to limit the information to a Limited Data Set, PHI beyond a Limited Data Set may be used, disclosed, or requested, as long as the PHI is limited to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

3. Exceptions to Minimum Necessary Standard

The minimum necessary standard does not apply to:

• Disclosures to or requests by healthcare providers for treatment
• Disclosures to the individual who is the subject of the information
• Uses or disclosures made in compliance with an authorization by the individual
• Disclosures to the Department of Health and Human Services
• Uses or disclosures required by law

4. Application of Minimum Necessary Standard

The minimum necessary standard does apply to:

• Employees who access PHI in the performance of their duties
• Requests for PHI from other organizations governed by HIPAA
• Disclosures that occur on a recurring basis
• Uses or disclosures of PHI that fall outside the scope of section “C” above

5. Requests for Entire Medical Record

Unless a specific justification is given, requests for an entire medical record should not be granted.

6. Reliance on Judgment of Requesting Party

You can rely on the judgment of the party requesting the disclosure to limit the amount of PHI to the minimum necessary when the request is made by:

• A public official
• Another organization governed by HIPAA
• A professional who is a workforce member or business associate of an organization governed by HIPAA and is seeking the information to provide services for that organization
• A researcher with appropriate documentation from an institutional review board or privacy board

7. Non-Routine Disclosures

Disclosures made on a non-routine basis are reviewed individually to determine that the disclosure or the request is the minimum necessary to accomplish the purpose of the disclosure.

8. Verification of Identity

PHI may be used to verify an individual’s identity.

Financial Remuneration

Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.

OpenLoop can only use PHI for marketing purposes if OpenLoop obtains an individual’s authorization. The individual must authorize these marketing communications before they occur.

OpenLoop may not receive any financial remuneration in exchange for any PHI of an individual unless OpenLoop obtains an authorization from the individual which indicates that the individual’s PHI can be exchanged for remuneration to the OpenLoop from the entity receiving the PHI.

A. Exceptions

• When the purpose of the exchange is for public health purposes pursuant to 45 CFR 164.512(b) or 45 CFR 164.514(e)
• When the purpose of the exchange is for research purposes pursuant to 45 CFR 164.512(i) or 164.512(e), where the only remuneration received by OpenLoop is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes
• When the purpose of the exchange is for treatment and payment purposes pursuant to 45 CFR 164.506(a)
• Where the purpose of the exchange is for the sale, transfer, merger, or consolidation of all or part of OpenLoop and for related due diligence and pursuant to 45 CFR 164.506(a)
• Where the exchange is to or by a business associate for activities that the business associate undertakes on behalf of OpenLoop, pursuant to 45 CFR 164.502(e) and 164.504(e), and the only remuneration provided is by OpenLoop to the business associate for the performance of such activities
• Where the exchange is to an individual when requested under 45 CFR 164.524 or 164.528
• Where the exchange is required by law as permitted under 45 CFR 164.512(a)
• Where the exchange is for any other purpose permitted by and in accordance with the applicable requirements of Subpart E of Part 164 of Title 45 of the Code of Regulations, where the only remuneration received by OpenLoop is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law

Evaluation and Authorization

Any communication that could be construed as being marketing will be evaluated by the Privacy Officer prior to the communication being sent. Legal counsel may also evaluate these communications.

If it is determined that the communication falls within the definition of marketing, a patient’s authorization will be obtained as required by 45 CFR 164.508.

No PHI may be provided to any third party in exchange for financial remuneration unless one of the exceptions listed above in Section D is applicable.

Procedure

An individual who believes his/her privacy rights have been violated may file a complaint with the Privacy Officer of OpenLoop or with the United States Secretary of the Department of Health and Human Services. Furthermore, all members of the workforce who believe that any HIPAA policies have been violated shall report such suspected violations to the Privacy Officer.

A. Investigation of Complaints

The Privacy Officer shall investigate all complaints in a timely manner. The investigation may include reviewing documents and conducting interviews of relevant witnesses. At the conclusion of the investigation, the Privacy Officer will prepare a written report which states the findings of the investigation and if there was a violation, any plan to address the violation. The Privacy Officer will then communicate that information in writing to the complaining party.

B. Documentation of Complaints

The Privacy Officer will maintain a log documenting the results of the investigation and resolution of all complaints.

C. Submitting Complaints

Complaints may be submitted to the Privacy Officer via U.S. mail, fax, or e-mail:

Mail: 317 6th Ave Ste 400 Des Moines, IA 50309

E-mail: reports@openloophealth.com

D. Filing Complaints with the OCR

Individuals who wish to file a complaint with the Secretary of the Department of Health and Human Services must send their complaint to the Office of Civil Rights (OCR) headquarters:

Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F HHH Bldg., Washington, D.C. 20201

No person filing a complaint or providing information relevant to the investigation with the Privacy Officer or the OCR will be subject to retaliation or intimidation.

Procedure - A. Authorization Requirements

A patient’s authorization is required in all of the following situations:

• Prior to enrollment in a health plan, if necessary for determining eligibility
• For the use and disclosure of psychotherapy notes (with specific exceptions)
• For disclosures to an employer for use in employment related determinations
• For research purposes unrelated to the patient’s treatment
• For marketing
• For the sale of protected health information
• For any situation in which a third party requests records or OpenLoop plans to disclose PHI and such disclosure is not permitted under policies for which an authorization is not required.

Procedure

OpenLoop may use and disclose PHI without a patient authorization in all of the situations listed below. If you receive a request to release PHI outside of the organization and you are not typically involved in releasing such information, you must contact the Privacy Officer before any PHI can be released.

A. Treatment, Payment, and Health Care Operations

In accordance with the Policy on Uses and Disclosures for Treatment, Payment, and Health Care Operations.

B. Required by Law

When the use or disclosure is required by law and is limited to the relevant requirements of such law.

C. Disclosures for Public Health Activities

• To a public health authority that is authorized by law to collect, receive, or report such information.
• To a public health authority authorized by law to receive reports of child abuse or neglect.
• To a person subject to the authority of the FDA (for adverse events, tracking, recalls, etc.).
• To a person who may have been exposed to or may be at risk of contracting or spreading a communicable disease.
• To an employer about an individual who is a member of the employer’s workforce (under specific conditions regarding work-related illness/injury or medical surveillance).
• To a school, about an individual who is a student or prospective student (limited to proof of immunization).

D. Disclosures about Victims of Abuse, Neglect or Domestic Violence

PHI about an individual who is believed to be a victim of abuse, neglect, or domestic violence may be disclosed to a governmental authority, including a social or protective services agency, if required by law, if the individual agrees, or if necessary to prevent serious harm.

E. Uses and Disclosures for Health Oversight Activities

PHI may be disclosed to a health oversight agency for oversight activities authorized by law including audits, inspections, licensure, or disciplinary actions.

F. Disclosures for Law Enforcement Purposes

• In response to a court order, warrant, subpoena, or summons.
• To identify or locate a suspect, fugitive, material witness, or missing person (limited information).
• About an individual who is a victim or suspected victim of a crime.
• About an individual who has died if there is suspicion that the death is the result of criminal conduct.
• If there is a good faith belief that the information is evidence of criminal conduct that occurred on OpenLoop’s premises.
• In response to a medical emergency to alert law enforcement of a crime.

G. Uses and Disclosures about Decedents

• To coroners, medical examiners, and funeral directors.
• To a family member, other relative, or close personal friend involved in the deceased’s care or payment, unless inconsistent with prior expressed preference.

H. Uses and Disclosures for Cadaveric Organ, Eye or Tissue Donation Purposes

To an organ procurement organization to facilitate organ, eye or tissue donation and transplantation.

I. Uses and Disclosures for Research Purposes

In accordance with 45 C.F.R. 164.512(i).

J. Uses and Disclosures to Avert a Serious Threat to Health or Safety

If there is a good faith belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, or to identify/apprehend an individual who admitted to a violent crime.

K. Uses and Disclosures for Specialized Government Functions

• Military and veterans activities.
• National security and intelligence activities.
• Protective services for the President or foreign heads of state.
• Correctional institutions or law enforcement officials having custody of an inmate.

L. Disclosures for Workers’ Compensation

To the extent necessary to comply with laws relating to workers’ compensation.

Procedure

OpenLoop must notify an individual if their unsecured PHI was accessed, used, or disclosed in a way not allowed under the HIPAA privacy rule, unless OpenLoop can demonstrate a low probability that the PHI has been compromised.

B. Definitions

Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA privacy rule, which compromises the security or privacy of the PHI.

Unsecured PHI means PHI that has not been rendered unusable, unreadable, or indecipherable to persons who are not authorized to access it, by encryption.

C. Reporting of Suspected Breach

Any member of the workforce or agent of OpenLoop who discovers a potential Breach shall report it to the Privacy Officer.

D. Investigation of Suspected Breach

The Privacy Officer shall review the circumstances to determine if an exception applies or if there is a low probability of compromise.

E. Breach Notification to Individuals

Written notice will be sent without unreasonable delay, but no later than 60 days after discovery. Notice will include a description of the breach, types of PHI involved, steps to protect oneself, and steps OpenLoop is taking.

F. Breach Notification by Publication

If a Breach involves 500 or more residents of the same state or jurisdiction, OpenLoop should notify prominent media outlets.

G. Breach Notice to HHS

Immediate Notice: If a Breach involves 500 or more individuals, notify HHS at the same time notice is given to individuals.

Annual Notice: For fewer than 500 individuals, maintain a log and report to HHS no later than 60 days after the end of the calendar year.

H. Documentation

OpenLoop shall maintain all documentation related to investigations of suspected and actual breaches for at least six (6) years.

Procedure - A. Confidential Communications

Individuals have the right to request confidential communications of their PHI. All reasonable requests must be accommodated.

• Mailing or telephoning regarding appointment reminders.
• Mailing bills or statements of payments due.
• Sending test results.
• Prescription refill reminders.

A. Right to Accounting

An individual has the right to receive an accounting of disclosures of PHI in the six years prior to the date on which the accounting is requested, subject to specific exceptions.

B. Limited Data Set

Defines a Limited Data Set as PHI excluding direct identifiers.

C. Suspension of Right to Receive Accounting

An individual’s right to receive an accounting may be temporarily suspended by a health oversight agency or law enforcement official.

D. Content of the Accounting

• Date of the disclosure.
• Description of information disclosed.
• Name of party who received the PHI and, if known, the address of such party.
• A brief statement of the purpose of the disclosure.

E. Accounting for Research Disclosures

Specific provisions apply for research disclosures involving fifty or more individuals.

F. Responding to a Request for Disclosure

The requesting party will receive the accounting in writing from the Privacy Officer within 60 days. The first accounting in any 12-month period is free.

H. Contact Information for Accounting Requests

All requests by individuals for an accounting of disclosures of PHI must be directed to the Privacy Officer at:

Desireé Peoples, Privacy Officer

515-612-9839

317 6th Ave Ste 400, Des Moines, IA 50309

reports@openloophealth.com

Procedure

Requests for amendments must be submitted in writing to the Privacy Officer. OpenLoop will respond within 60 days.

C. Accepting an Amendment

If accepted, OpenLoop will make the amendments, inform the individual, and notify relevant authorized people and business associates.

D. Denials of Amendments

A request may be denied if the PHI was not created by OpenLoop, is not part of a Designated Record Set, is not available for inspection, or is accurate and complete.

Procedure

OpenLoop shall provide a form for individuals who request access to PHI. The request shall be submitted and processed by the Privacy Officer.

B. Exceptions to the Right of Access

• Psychotherapy notes.
• Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

E. Allowing Access to PHI

If accepted, the individual must be provided with the access requested. A summary may be provided if agreed upon. Electronic copies must be provided if readily producible.

F. Response to Request

OpenLoop must respond no later than thirty (30) days after receipt of the request.

Procedure

• A person who has the authority under the law to act on behalf of the deceased individual or for their estate will be treated as the decedent’s personal representative.
• Disclosures of PHI to medical examiners, coroners, and funeral directors are allowed.
• Disclosure requests from a health provider for treating a surviving relative are allowed.
• Disclosure requests from a public health authority are allowed.
• Disclosure requests from a researcher must include certification of necessity and death.
• Disclosure of PHI may be made regarding an individual after 50 years following death.
• PHI of a deceased may be disclosed to a family member or friend involved in care/payment, unless inconsistent with prior expressed preference.

Procedure

• A person who has the authority under the law to act on behalf of the deceased individual or for their estate will be treated as the decedent’s personal representative.
• Disclosures of PHI to medical examiners, coroners, and funeral directors are allowed.
• Disclosure requests from a health provider for treating a surviving relative are allowed.
• Disclosure requests from a public health authority are allowed.
• Disclosure requests from a researcher must include certification of necessity and death.
• Disclosure of PHI may be made regarding an individual after 50 years following death.
• PHI of a deceased may be disclosed to a family member or friend involved in care/payment, unless inconsistent with prior expressed preference.

A. Definitions

Health care operations means activities such as quality assessment, reviewing competence, underwriting, legal/auditing functions, business planning, and general administrative activities.

Payment means activities to obtain premiums, determine responsibility for coverage, and obtain or provide reimbursement.

Treatment means the provision, coordination, or management of health care and related services.

B. Disclosures

OpenLoop may use or disclose PHI for its own treatment, payment, or health care operations.

PHI may be disclosed for the treatment activities of another health care provider.

PHI may be disclosed to another entity for payment activities.

PHI may be disclosed to another entity for health care operations if both have a relationship with the individual.

Procedure

• OpenLoop may disclose to a family member, other relative, or any other person identified by the individual, the PHI directly relevant to such person’s involvement with the individual’s care or payment.
• OpenLoop may use or disclose PHI to notify a family member or personal representative of the individual’s location, general condition, or death.
• If the individual is present, OpenLoop may disclose if it obtains agreement, provides opportunity to object, or reasonably infers no objection.
• If the individual is not present or incapacitated, OpenLoop may determine if disclosure is in the best interest of the individual.
• OpenLoop may use or disclose PHI to a disaster relief entity.
• If an individual is deceased, OpenLoop may disclose PHI to involved family/friends unless inconsistent with prior preference.

Procedure

• PHI in paper records, film or hard copy materials must be shredded, burned, pulped, or pulverized. Redaction is prohibited.
• Electronic media must be disposed of in accordance with OpenLoop’s Security Policy.
• All workforce members must follow this disposal policy at all times.

Procedure

• If any member of the workforce receives notice that the Secretary is requesting information, they shall immediately notify the Privacy Official and Security Official.
• Officials ensure compliance with requests.
• Workforce shall cooperate fully and in a timely manner.
• OpenLoop will permit access by the Secretary during normal business hours (or anytime in exigent circumstances).
• If information is held by another agency who refuses to furnish it, OpenLoop must certify efforts made to obtain it.

Procedure

A. PHI in paper records, film, or hard copy materials must be shredded, burned, pulped, or pulverized so that the PHI is rendered unreadable and otherwise cannot be reconstructed.

Electronic media (discs, phones, thumb drives, hard drives, and copy machines) and all other ePHI must be disposed of in accordance with OpenLoop’s Security Policy on Disposal of ePHI.

All workforce members must follow this disposal policy at all times.

Procedure

A. If any member of the workforce of OpenLoop receives notice in any form that the Secretary is requesting information or documents from OpenLoop, the member shall immediately notify OpenLoop’s Privacy Official and Security Official.

The OpenLoop Privacy Official and Security Officials shall be in charge of ensuring that OpenLoop and all employees comply with the requests of the Secretary.

OpenLoop and all members of OpenLoop’s workforce shall cooperate fully and in a timely manner with the Secretary during the investigation.

OpenLoop will permit access by the Secretary during normal business hours to OpenLoop’s facilities, books, records, accounts, and other sources of information, including protected health information (PHI).

If any information required of OpenLoop during an investigation is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, OpenLoop must so certify and set forth what efforts OpenLoop has made to obtain the information.

Procedure

A. OpenLoop may de-identify PHI via statistical methods determined by a qualified person, or by removing specific identifiers (Safe Harbor method).

B. Identifiers to be removed include names, geographic subdivisions smaller than a State (with zip code exceptions), dates directly related to an individual (except year), telephone/fax numbers, emails, SSNs, medical record numbers, and more.

C. OpenLoop may assign a code to allow re-identification provided the code is not derived from the individual's information and the mechanism is not disclosed.

Procedure

• OpenLoop may use or disclose demographic information, dates of health care, department of service, treating physician, outcome information, and health insurance status for fundraising without authorization.
• OpenLoop must include a statement in the Notice of Privacy Practices regarding fundraising and the right to opt out.
• Fundraising communications must include a clear description of how to opt out.
• OpenLoop must ensure individuals who opt out are not sent further communications.
• OpenLoop may not condition treatment or payment on the choice to opt out.

Procedure

• Access to PHI is granted only to workforce members who need it to perform job functions (Minimum Necessary Policy).
• Paper documents containing PHI must be secured in a locked cabinet when not in use.
• Fax machines receiving PHI must be in secure locations.
• Faxes containing PHI must contain a confidentiality statement.
• Mailed PHI must use a tracking service and be sealed.
• Phone discussions of PHI should occur in private areas.
• Offices containing PHI must be locked after hours.
• Visitors must check in and be escorted.
• Workforce members are prohibited from removing paper PHI from the office.
• Paper PHI must be disposed of via shredding/burning (not regular trash).
• Workforce members must comply with Security policies regarding electronic PHI (passwords, logging off, etc.).

Exceptions

Requests for an exception to this Policy must be submitted to the IT Manager for approval.

Violation and Enforcement

Any known violations of this policy should be reported to the IT Manager. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.