Protected Health Information (PHI) and HIPAA Compliance
DeKalb Medical takes the privacy and security of its patients and their protected health information (“PHI”) very seriously. DeKalb Medical expects its contractors, vendors, suppliers and members of the media to exhibit the same commitment to maintaining the privacy and security of its patients’ PHI.
DeKalb Medical has developed a comprehensive set of policies and procedures relating to the use and disclosure of PHI. A full discussion of those policies and procedures is beyond the scope of this document; however, the following highlights those policies.
- DeKalb Medical defines protected health information to mean “any health information relating to (i) past, present, or future physical or mental health or condition of an individual; (ii) the provision of health care to an individual; (iii) the past, present, or future payment for the provision of health care to an individual; or (iv) information (data elements) which can be used to identify the individual.”
- DeKalb Medical only uses and discloses PHI in the most appropriate fashion, defined by the limitations of job function and “need to know”. DeKalb Medical limits access to PHI to the “minimum necessary” to achieve the intended purpose regarding the use or disclosure of PHI.
- DeKalb Medical has implemented measures to secure PHI in all formats (including paper and electronic).
- DeKalb Medical has identified the specific uses and disclosures of PHI that do not require a patient’s consent/authorization or an opportunity to object to a use or disclosure.
- DeKalb Medical communicates its privacy policies to its patients and has established processes for gaining patient consent and authorization related to the use and disclosure of PHI, and provides notification of the organization’s planned uses and disclosures.
- DeKalb Medical will not ask patients to waive their right to complain about privacy violations, nor will patients be denied access to care/treatment based on a privacy complaint.
- DeKalb Medical will mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI in violation of its privacy and security policies.
- At a minimum, DeKalb Medical will maintain, in written or electronic form, policies and procedures, written communications, and documentation of any required action, activity or designation that supports compliance with HIPAA regulations, for six (6) years from the date of its creation or the date when it was last in effect, whichever is later.
- DeKalb Medical does not condone and will not allow any retaliatory acts toward any individual, including, but not limited to, patients and the organization’s staff, for reporting any violation of the organization’s privacy policies or a breach of the organization’s security infrastructure.
All partners of DeKalb Medical, including its contractors, vendors and suppliers, are responsible for (i) complying with these policies and procedures (non-compliance may result in disciplinary action up to and including discharge, or termination of contract), and (ii) taking an active role in enforcing privacy policies and reporting suspected violations without fear of retaliation. If preferred, the Compliance Hotline may be used to report suspected violations and breaches anonymously.