MetaMed RESEARCH, INC.
POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE
MetaMed Research, Inc. (“MetaMed Research”) is committed to protecting the privacy and confidentiality of its clients. Consequently, MetaMed Research intends to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (as modified by the Health Information Technology for Economic and Clinical Health Act) and its implementing regulations at 45 C.F.R. Parts 160 and 164 (together, “HIPAA”) and applicable New York law and regulations.
II. Physical Security
Each health care record maintained by MetaMed Research in physical form will be kept appropriately secured in a locked location when not in use by MetaMed Research personnel.
Each electronic health care record maintained by MetaMed Research shall be kept in a secure environment and protected by appropriate electronic safeguards. Specifically:
- As a general rule, the secure MetaMed Research shared drive is to be used to store any documents containing protected health information (“PHI”).
- PHI may be stored on the personal computers of MetaMed Research personnel, but only in exceptional circumstances (e.g., when the shared drive is unavailable), on a temporary basis and only if the PHI is protected by a password. Passwords are individual-specific and are not to be shared by or be accessible to more than one individual.
- Any document containing PHI sent via electronic mail must be secured by a password. The recipient of the PHI must receive this password by separate communication from the MetaMed Research personnel transmitting the PHI.
- MetaMed Research personnel must ensure that PHI cannot be accessed by another user of their personal computer.
Electronic transmission devices, including computers, fax machines and other electronic equipment over which PHI may be received, transmitted or stored are to be maintained in secure sites and/or away from public access. Computer screens containing protected health information are to be inaccessible to public view. Computers that store PHI are to be secured before being left unattended.
Special care is to be taken in securing laptop computers because of their easy portability and the frequency with which they are targeted by thieves. Anytime a MetaMed Research employee or contractor travels with a laptop containing PHI, it is the MetaMed Research employee’s/contractor’s responsibility to properly secure the laptop against unauthorized use or theft when the laptop is not in the personal possession of the employee or contractor.
Health information may only be accessed by authorized MetaMed Research personnel. It is the responsibility of each MetaMed Research employee and contractor to identify those persons or classes of persons who are authorized to access, use or disclose health information and specifically to identify the health information to which they may have access.
An employee’s, contractor’s or vendor’s physical access to controlled areas and user accounts that provide access to PHI are to be revoked (a) upon termination, or (b) when such access is no longer required.
The unauthorized access to or unauthorized use or disclosure of PHI may subject the responsible employee or contractor to disciplinary action up to and including termination of employment or contract.
All MetaMed Research employees or contractors who may use, disclose or have access to identifiable health information contained in any health record must, as a condition of continued employment or contract period, complete a training program that outlines employee/contractor responsibility under HIPAA and MetaMed Research’s business associate agreements.
Paper documents containing PHI must be shredded or otherwise destroyed so as to make them unreadable before they are disposed of.
III. Use and Disclosure of PHI
It is the policy of MetaMed Research that an individual’s PHI may be used by MetaMed Research only as authorized in the business associate agreement between MetaMed Research and the covered entity with whom it is working.
MetaMed Research may also use and disclose an individual’s health information without prior permission or authorization where the health information has been sufficiently “de-identified” so that it no longer reveals the identity of the individual(s), where it is part of a “limited data set,” or for other uses allowable by law.
Access to health information maintained by MetaMed Research is limited to those who have a valid business or medical need for the information or otherwise have a right to know the information.
MetaMed Research personnel must follow any/all restrictions on contacting clients that have been made known to MetaMed Research.
IV. Designation of Privacy and Security Officers
In order to implement this policy and oversee MetaMed Research’s compliance with federal and State privacy laws and regulations, MetaMed Research shall designate a Privacy Officer and a Security Officer.
V. Assessment and Periodic Review of Compliance with HIPAA Privacy and Security Rules
MetaMed Research shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI. Such assessment shall be periodically revisited on at least an annual basis to ensure compliance with HIPAA and State law and regulations. MetaMed Research shall implement security measures sufficient to reduce the risks and vulnerabilities identified by these periodic risk assessments.