Timothy Groth MD PC Protected Health Information (PHI) Privacy and Security Policy
Effective Date: 1/1/2023
Reviewed and Approved by: Timothy Groth, CEO
1. Purpose
The purpose of this policy is to outline the guidelines and procedures for the protection and privacy of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and other applicable laws. This policy ensures that PHI is handled securely, is accessed only by authorized individuals, and is disclosed in accordance with the law.
2. Scope
This policy applies to all employees, contractors, volunteers, and business associates of Timothy Groth MD PC who may access, use, or disclose PHI in the course of their duties. This policy covers both paper-based and electronic PHI.
3. Definitions
- Protected Health Information (PHI): Any individually identifiable health information that is created, received, maintained, or transmitted by Timothy Groth MD PC. This includes information related to the individual’s physical or mental health, healthcare services, and payment for healthcare services.
- Electronic Protected Health Information (ePHI): PHI that is created, received, maintained, or transmitted in electronic form.
- Business Associate: A third party that performs certain functions or activities on behalf of, or provides services to, the organization that involve access to PHI.
- Workforce: Employees, volunteers, trainees, and other persons whose work is under the direct control of the organization, regardless of whether they are paid.
4. Access to PHI
- Authorized Access: Only authorized individuals within the organization are permitted to access PHI. Access will be granted based on the minimum necessary standard, ensuring that employees can access only the PHI necessary to perform their job functions.
5. Use and Disclosure of PHI
- Permitted Uses: PHI may be used and disclosed for purposes of treatment, payment, and healthcare operations as permitted by HIPAA.
- Other Uses/Disclosures: Any use or disclosure of PHI not specifically authorized by HIPAA must have the patient's written consent or authorization. This includes uses for research, marketing, or fundraising.
- Family/Friends: PHI may be shared with a patient's family or friends, but only if the patient has agreed or the disclosure is otherwise permitted by law.
6. Security of PHI
- Physical Security: All paper-based PHI will be stored in a locked and secure environment, and access will be restricted to authorized personnel. Physical security measures will also apply to workstations and devices that store or access PHI.
- Technical Security: ePHI will be encrypted both in transit and at rest. Access to electronic records will be protected by strong passwords and multi-factor authentication where appropriate. All staff are required to log out of all password-protected systems at the end of their shift. No ePHI should be saved to any computer or electronic device.
7. Employee Training and Awareness
- Training Requirements: All employees, contractors, and other members of the workforce will receive training on PHI privacy and security upon hire, and at regular intervals thereafter. Training will cover:
  - The importance of PHI protection
  - The requirements of HIPAA and other relevant laws
  - How to handle PHI securely
  - What to do in the event of a suspected breach
- Ongoing Education: Employees will receive refresher training as needed to stay current with evolving privacy and security practices.
8. Breach Notification
- Definition of Breach: A breach occurs when there is an unauthorized access, use, or disclosure of PHI that compromises the security or privacy of the information.
- Breach Reporting: In the event of a breach involving PHI, the workforce must immediately report the incident to the Director of Operations.
- Breach Notification: If a breach is confirmed, affected individuals will be notified within 60 days, as required by HIPAA. In cases where a breach involves 500 or more individuals, the breach will also be reported to the U.S. Department of Health and Human Services (HHS) and the media as required by HIPAA.
9. Safeguards for PHI
- Data Encryption: All electronic communications containing PHI, including email and file transfers, will be encrypted to prevent unauthorized access.
- Access Controls: Access to PHI will be limited by role and function. Employees will be required to use unique logins and strong passwords to access systems containing PHI. The use of multi-factor authentication is encouraged where appropriate.
10. Business Associates
- Business Associate Agreements (BAAs): The organization will enter into written agreement