Protected Health Information (PHI) and HIPAA Compliance
DeKalb Medical takes the privacy and security of its patients and
their protected health information (“PHI”) very seriously. DeKalb
Medical expects its contractors, vendors, suppliers and members of the
media to exhibit the same commitment to maintaining the privacy and
security of its patients’ PHI.
DeKalb Medical has developed a comprehensive set of policies and
procedures relating to the use and disclosure of PHI. A full discussion
of those policies and procedures is beyond the scope of this document;
however, the following is a highlight of those policies.
- DeKalb Medical defines protected health information to mean “any
health information relating to (i) past, present, or future physical or
mental health or condition of an individual; (ii) the provision of
health care to an individual; (iii) the past, present, or future payment
for the provision of health care to an individual; or (iv) information
(data elements) which can be used to identify the individual.”
- DeKalb Medical only uses and discloses PHI in the most
appropriate fashion, defined by the limitations of job function and
“need to know”. DeKalb Medical limits access to PHI to the “minimum
necessary” to achieve the intended purpose regarding the use or
disclosure of PHI.
- DeKalb Medical has implemented measures to secure PHI in all formats (including paper and electronic).
- DeKalb Medical has identified the specific uses and disclosures
of PHI that do not require a patient’s consent/authorization or an
opportunity to object to a use or disclosure.
- DeKalb Medical communicates its privacy policies to its patients
and has established processes for gaining patient consent and
authorization related to the use and disclosure of PHI, and provides
notification of the organization’s planned uses and disclosures.
- DeKalb Medical will not ask patients to waive their right to
complain about privacy violations, nor will patients be denied access to
care/treatment based on a privacy complaint.
- DeKalb Medical will mitigate, to the extent practicable, any
harmful effect of a use or disclosure of PHI in violation of its privacy
and security policies.
- At a minimum, DeKalb Medical will maintain, in written or
electronic form, policies and procedures, written communications, and
documentation of any required action, activity or designation that
supports compliance with HIPAA regulations, for six (6) years from the
date of its creation or the date when it last was in effect, whichever
- DeKalb Medical does not condone and will not allow any
retaliatory acts toward any individual, including but not limited to,
patients and the organization staff for reporting any violation of the
organization’s privacy policies or a breach of the organization’s
All partners of DeKalb Medical, including its contractors, vendors
and suppliers, are responsible for (i) complying with these policies and
procedures (non-compliance may result in disciplinary action up to and
including discharge, or termination of contract) and (ii) taking an active
role in enforcing privacy policies and reporting suspected violations
without fear of retaliation. If preferred, the Compliance Hotline may be
used for reporting suspected violations and breaches anonymously.