HIPAA Compliance Policy And Notice Of Privacy Practices
Your Information. Your Rights. Our Responsibilities.
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
In providing excellent customer service, it is sometimes necessary for us to collect health information and share that information with your insurance company. We take our commitment to privacy and security seriously. Attached to this document is the full HIPAA compliance policy of Technology Insurance Associates.
You have the right to:
- Get a copy of your health and claims records in our possession
- Correct your health and claims records by contacting your health care provider
- Request confidential communication
- Get a list of those with whom we’ve shared your information
- Get a copy of this privacy notice
- Choose someone to act for you
- File a complaint if you believe your privacy rights have been violated
You have some choices in the way that we use and share information as we:
- Answer coverage questions from your family and employer
- Market our services and sell your information
Our Uses and Disclosures
We may use and share your information as we:
- Help manage the health care treatment you receive
- Run our organization
- Pay for your health services
- Administer your health plan
- Help with public health and safety issues
- Do research
- Comply with the law
- Respond to organ and tissue donation requests and work with a medical examiner or funeral director
- Address workers’ compensation, law enforcement, and other government requests
- Respond to lawsuits and legal actions
Changes to the Terms of this Notice
We can change the terms of this notice, and the changes will apply to all information we have about you. The new notice will be available upon request and on our web site.
Other Instructions for Notice
Questions can be sent to our General Counsel, Michael Levenson at MLevenson@insureyourcompany.com
HIPAA COMPLIANCE POLICY AND NOTICE OF PRIVACY PRACTICES
I. Policy Statement
Technology Insurance Associates is committed to protecting the security, confidentiality, integrity and availability of its information resources, including protected health information. Protected health information is necessary to the procuring of insurance products, handling of claims, resolution of client issues and general operation of our business. All employees of Technology Insurance Associates share the responsibility of safeguarding protected health information to which they have access.
II. Governing Standards
45CFR 164 et. Seq. governs the requirements applicable to covered entities in the handling of protected health information and the implementation of administrative safeguards. This policy is to be read in conjunction with 45 CFR 164 et. seq. and the practices described herein are applicable to all sections of those codes, even if not specifically referenced. The complete regulations can be found at https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C.
§ 164.308 Administrative safeguards
(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
– This requirement is addressed by performing an initial assessment of current systems in place to determine potential risks and vulnerabilities based upon existing software and employee practices. A review of the methods by which we collect and share data is analyzed and employees are interviewed. Whenever a new protocol, software or practice is implemented, management and/or general counsel shall be advised. Management and/or General Counsel will then assess the risks and vulnerabilities of the new protocol, software or practice and update the HIPAA policy if necessary.
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
– This requirement is addressed by the following security measures to reduce risks and vulnerabilities:
- General Counsel and/or management shall conduct an initial assessment in accordance with §164.308 (a)(1)(ii)(A). This shall involve speaking with employees and management regarding their practices, reviewing federal HIPAA statutes, determining areas where improvement is needed, drafting appropriate policies for all employees to follow, and educating employees on HIPAA policies.
- Whenever a new protocol, software or practice is implemented, management and/or General Counsel shall be advised. Management and/or General Counsel will then assess the risks and vulnerabilities of the new protocol, software or practice and update the HIPAA policy if necessary.
- Access to protected health information shall be restricted to employees granted access by the system administrator. Access shall be given to any employee who may reasonably require it for the performance of their job functions.
- All protected health information is to be stored on a server maintained by Technology Insurance Associates. That server and any backups retained on site are to be kept in the office and not removed unless necessary to avoid damage or loss of the information contained in the Server. The office in which the server is to be kept shall remain locked at all times when not in use.
- Technology Insurance Associates shall take reasonable measures to secure the server, including restricting access to the server, installing security software and not making the server publically accessible. Access to the server shall be restricted to those employees who may reasonably require access for the performance of their job functions.
- All employees shall be advised of the HIPAA policy. Management and/or General Counsel shall be available to answer any employee questions concerning the HIPAA policy.
- Transmitting health information is necessary aspect of our business. Employees shall only transmit health information for the purpose of procuring insurance coverage, addressing questions by clients and covered persons, submitting claims and other tasks necessary for the performance of the employees job function.
- Employees shall not access or distribute health information for any reason unrelated to their job functions.
– Any employee who fails to comply with the security policies and procedures shall be subject to sanctions based upon the severity of the infraction and the resulting implications. This determination shall be made at the discretion of management. Sanctions include but are not limited to:
- Verbal warning
- Written warning
- Education courses
- Monetary fines
- Payment of fines, fees, assessments and penalties assessed against Technology Insurance Associates for non-compliance.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
– At least once per year, management and/or General Counsel shall review the hardware, software, information, data, applications, communications, and people related to the collection and distribution of health information. This shall be accomplished in a manner similar to the initial evaluation.
– Whenever a new protocol, software or practice is implemented, management and/or General Counsel shall be advised. Management and/or General Counsel will then assess the risks and vulnerabilities of the new protocol, software or practice and update the HIPAA policy if necessary.
– Any employee who suspects a breach of data shall immediately notify management and/or General Counsel.
– If a security breach is suspected or confirmed, a security incident report shall be created. This report shall be reviewed by management and/or General Counsel and adjustments to the HIPAA policy shall be made, if necessary.
– The names of all employees with the authority to access health data shall be made available to management and/or General Counsel upon request by management and/or General Counsel.
(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.
– The security official responsible for the development and implementation of the policies and procedures required by this subpart is the individual occupying the role of General Counsel. If there is no such individual or if General Counsel is unable to fulfill this duty, then the obligation shall fall to the Vice President of Operations.
(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4)of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
– Management, their sole discretion, shall determine the employees who may reasonably require access to health data for the performance of their job function.
– Access to health information shall only be available via the computer of an authorized user and via the general server.
– Access to the general server shall be restricted to only those employees who may reasonably require access to the general server for the performance of their job functions.
– All employees shall be instructed not to access the computer of any other employee unless necessary for the performance of a job function. Any employee who refuses to acknowledge this policy and agree to not access the computer of any other employee shall be subject to sanction, as expressed in 45 CFR 308 (a)(1)(ii)(C).
– Security software is installed on all computers to help protect against data breach.
– All employees are responsible for the security of their own computers. Employees must not allow others to use their computers or access health information for non-work related purposes.
– Computers are to be used in accordance with the company’s computer and internet policy.
– Only users who are specifically authorized are permitted to access the main server.
(ii) Implementation specifications:
(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
– The procedure for the authorization and supervision of workforce members who work with electronic protected health information is as follows:
- Management shall determine which employees shall have access to health information. The basis of determination shall be whether the employee may reasonably require access to health information for the performance of their job functions.
- All health information is to be stored on the private server. The server is only to be accessible by the Managing Director, General Counsel, VP of Operations or other employees who may reasonably require access for the performance of their job functions.
- The private service shall only be accessed for the purposes of carrying out employment functions, for maintaining the integrity of the server and for backing up the server.
– The procedure to determine that the access of a workforce member to electronic information is appropriate is as follows:
- Management shall make a determination whether access to electronic information is appropriate based upon whether the employee may reasonably require access for the performance of their job functions.
- Management shall make such determination for each individual employee. Factors to be considered are the employee’s role in the company, the employee’s receipt of the HIPAA policy, their agreeing to the HIPAA policy and discussions with General Counsel (if warranted).
(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
– If the employment of a workforce member ends, their access to protected health information shall be terminated within 24 hours. This will include revoking their authority to access server data on any computer, revoking remote access to the server and prohibiting the former workforce member from using any computer within the office.
(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
(ii) Implementation specifications:
- Isolating health care clearinghouse functions (Required).If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
– Management shall make a determination whether access to electronic information is appropriate based upon whether the employee may reasonably require access for the performance of their job functions.
– Access to protected electronic health information shall be done through the employee’s individual computer which has established access to the main server. It may also be done via remote access to the main server.
(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity‘s or the business associate‘s access authorization policies, establish, document, review, and modify a user‘s right of access to a workstation, transaction, program, or process.
– A user’s right of access to a workstation, transaction program or process shall be established upon their hiring or implementation of this policy, whichever comes later. The modification of that right shall be reviewed when the user’s need changes. The documentation of a user’s right to access to access a workstation, transaction program or practice shall be reflected in the privileges granted by the system administrator.
(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
– Security awareness and training shall be conducted by General Counsel to all employees. Periodic updates to training and awareness updates shall be provided as needed, as determined by General Counsel.
(ii) Implementation specifications. Implement:
(A) Security reminders (Addressable). Periodic security updates.
– Periodic security updates shall be provided to all employees as needed.
(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
– The system administrator shall install security software on all computers and servers where protected health information is accessible.
(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
– The system administrator shall monitor log in attempts and report suspicious activity to management and/or General Counsel. Suspicious activity may include multiple incorrect login attempts, login attempts from unexpected locations, attempts to use credentials from a former employee and other activity which would indicate unauthorized attempts to access protected data.
(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.
– All passwords are to be maintained by the individual user and kept private. In the event of a data breach, all passwords are to be changed.
– Passwords must be kept confidential and not shared with anyone outside Technology Insurance Associates
(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.
(ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
– When a security incident is made known, the system administrator shall, to the extent reasonably possible, prevent further access to protected information. This shall be accomplished by whatever means are best suited to accomplish this task, as determined by the system administrator at the time. Potential actions include restricting access to the server, taking the server off line, restricting access to company computers, running security software, attempting to recover breached data or any other method(s) which may help mitigate the harmful effects of a security incident made known to Technology Insurance Associates.
(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
(ii) Implementation specifications:
(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
– The main server shall be regularly backed up in at least 1 separate hard drive to protect against system failure, fire, vandalism, disaster, etc.
(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
– Upon notification of an emergency, the system administrator shall, as soon as is safely practicable, assess the server for damage and functionality.
– If damage or impeded functionality is recognized, the system administrator shall attempt to restore the server.
– If the system administrator is unable to restore the server, the system administrator shall contact outside IT professionals in an attempt to recover compromised date.
(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
– In an emergency, the particular actions taken will depend upon the severity of the emergency and the ability to access the network. The procedure is subject to change based on the specific emergency at hand, but may include:
- Communicating remotely
- Technology Insurance Associates maintains the @Insureyourcompany.com email address through Gmail.com. Access is available anywhere that Gmail.com can be utilized. Business operations shall continue, to the extent possible, utilizing the web-based Gmail.com platform.
- Remote access to servers
- Technology Insurance Associates has in place the ability to access each desktop remotely via Logmein.com. If physical access to the building is restricted, business operations shall continue, to the extent possible, remotely via this service.
- Recovery of physical servers
- As soon as is practicable after an emergency, the physical servers shall be assessed and evaluated for functionality. If necessary, attempts will be made to repair and restore the server.
(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
– At least once per year, the contingency plan delineated in this section shall be tested and reevaluated. Revisions shall be made if necessary.
(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity‘s or business associate‘s security policies and procedures meet the requirements of this subpart.
(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity‘s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
– Protected health information shall only be disclosed as necessary for the purpose of obtaining insurance coverage, answers questions on behalf of insured individuals and policy holders and processing claims.
(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.
(3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).
– If protected health information is to be disclosed for a purpose other than as necessary for the purpose of obtaining insurance coverage, answers questions on behalf of insured individuals and policy holders and processing claims, a business associate agreement shall be executed in accordance with 45 CFR 314.
§ 164.310 Physical safeguards.
(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
(2) Implementation specifications:
(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
– Data stored on the server shall be backed up regularly.
– In the event of an emergency, data shall be available remotely via logmein.com, so long as the server remains online.
– In the event the server is not online, the system administrator shall take measure to restore the service to functioning status as soon as practicable after notification.
- The server on which protected health information is stored shall be housed in the executive offices. The office shall remain locked at all times when unoccupied.
(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person‘s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
- This shall be accomplished vis-à-vis the other provisions of this policy.
- Visitors shall be escorted by employees at all times when in an area where protected health information is accessable.
(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
– Records of repairs and modifications to the physical components of the facility shall be maintained by managements.
(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
– Functions performed at workstations are to be consistent with the employee’s job functions. Employees shall not download any software or install any device which may result in the improper transmission of protected health information.
– No employee shall allow any other person to access their computer
– The front door to any office where a computer capable of accessing protected health information is located shall be locked when not occupied.
– No employee shall share their personal passwords with anyone other than the system administrator.
(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
– Hardware and electronic media that contain electronic protected health information shall not be removed from the facility unless it is necessary to do so for a business function or to preserve the integrity of the hardware or electronic media.
– Any electronic media containing protected health information that is removed from the facility shall be returned to the facility immediately upon completion of the task for which is was removed, or as soon as is practicable, whichever is later.
– Movement of Hardware and electronic media that contain electronic protected health information, if necessary, shall only be done by the system administrator and his/her designee(s).
(2) Implementation specifications:
– If electronic protected health information and/or the hardware of electronic media needs to be disposed of, it shall be done so securely.
– Electronic protected health information that is to be deleted shall be permanently deleted from all individual computers on which a copy is saved as well as from the main server.
– Hardware, if and when it requires disposal, shall be done by the system administrator in a manner that renders any protected health information inaccessible.
- If any electronic media is to be reused, the system administrator shall ensure that any protected health information present in the electronic media is permanently deleted or otherwise inaccessible before reuse.
- The system administrator shall keep track of the movement of hardware and electronic media.
(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
- Whenever possible, the administrator shall ensure that all electronic protected health information has been backed prior to the movement of equipment.
Michael S. Levenson
Effective Date: August 18, 2016