
Infiniwell.ai Privacy Policy

Privacy 1.0 HIPAA Privacy Program
Organization’s Privacy Officer oversees organization’s compliance with the HIPAA Privacy Rule. The Privacy Officer oversees organization’s efforts to secure and maintain the confidentiality of protected health information (PHI), maintain sensitive organization information, and prevent and detect inappropriate and illegal uses and disclosures of PHI. Employees must be familiar with the Privacy Officer’s job functions, and must contact the Privacy Officer when this Policy requires that they do so.


§164.530 HIPAA Privacy Program

Privacy 2.0 Accounting of Disclosures

Individuals have the right to receive an accounting of disclosures of their protected health information (“PHI”) that have been made by organization to another entity, including disclosures to or by business associates. Individuals can exercise this right by making a written request to organization for an accounting. Organization must properly respond to the request, and send the accounting when appropriate.

45 CFR § 164.528(a) Accounting for Disclosures

 

Privacy 3.0 Business Associates

Organization relies on business associates, which are vendors that handle organization functions that require access to PHI. This policy covers how organization’s workforce determines who is a business associate. The policy then covers the details and requirements of the business associate contract the organization and a business associate must enter into.

 

§ 164.502(e)(1) Disclosures to Business Associates

§ 164.504 Uses and Disclosures: Organizational Requirements

 

Privacy 4.0 Judicial and Administrative Proceedings

Organization must disclose a patient’s PHI when that PHI is sought in a judicial or administrative proceeding. Such proceedings include court proceedings, and proceedings before government agencies, such as the Department of Health and Human Services ("HHS") and the Centers for Medicare and Medicaid Services ("CMS").  Employees will be trained as to how to respond to requests for PHI sought in these proceedings.

 

§164.512(e) Use and Disclosure of PHI for Judicial and Administrative Proceedings

 

Privacy 5.0 Uses and Disclosures for Marketing
Organization may use or disclose PHI for certain marketing purposes. Organization may not use or disclose PHI for marketing activities that are purely commercial. Employees will be trained as to when PHI can be disclosed for marketing activities.

 

§164.508(a)(3) Uses and Disclosures for Which an Authorization is Required: Marketing

 

Privacy 6.0 Minimum Necessary

Under the minimum necessary standard, organization may only use, request, or disclose the PHI that is necessary to fulfill a request or perform a job function. Employees will be trained on this standard so that PHI is used, requested, or disclosed only to the extent that is legally required.


§164.502(b)(1) Minimum Necessary Standard

§164.514(d)(3) Minimum Necessary Disclosures of Protected Health Information

§164.524(a) Access to Protected Health Information

Privacy 7.0 Uses and Disclosures for Which an Authorization is Required
Under certain circumstances, written patient authorization is necessary prior to organization’s use or disclosure of that patient's PHI. Written patient authorization must be validly obtained. This policy describes when written authorization is required, and what constitutes a valid authorization.

 

§164.508 Uses and Disclosures for Which an Authorization is Required

 

Privacy 8.0 Uses and Disclosures, No Authorization Required

Under certain circumstances, organization may use and disclose PHI when neither authorization nor an opportunity for a patient to agree or object is required. This policy informs employees of what those circumstances are, and what steps employees must take to fulfill requests for PHI.

 

§164.501 Uses and Disclosures for Health Care Operations
§164.512 Consent or Authorization Not Required 

 

Privacy 9.0 Uses and Disclosures Requiring Patient Opportunity to Agree or Object

Under some circumstances, organization must provide a patient the opportunity to agree or object to disclosure of PHI. This policy covers how organization responds to such requests made when these circumstances apply. 

 

§164.510 Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object

 

Privacy 10.0 Complaints About Organization
Organization must have a complaint process, under which individuals may make complaints about organization’s compliance with the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, and organization’s policies and procedures related to these rules.

45 CFR 164.530(d) Complaints

Privacy 11.0 Sanctions

Workforce members who violate organization’s privacy policy and procedures are subject to sanctions. Sanctions are disciplinary measures intended to deter future violations. Organization, in deciding upon the appropriate sanction, may review the severity of the violation, the impact of the violation, and the workforce member’s work history. Sanctions imposed should be consistent, and proportional with the severity of the offense.

 

45 CFR 164.530(e) Sanctions

45 CFR 164.530(f) Mitigation


Privacy 12.0 No Retaliation; No Waiver of Rights
Organization shall not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual who exercises his or her rights under the Privacy Rule, including the right to file a complaint about organization’s privacy policies, practices, and procedures. In addition, organization shall not require any person to waive these rights as a condition of the provision of treatment or payment for healthcare.

 

45 CFR 164.530(g) Refraining from Intimidating or Retaliatory Acts

45 CFR 164.530(h) Waiver of Rights


Privacy 13.0 Uses and Disclosures for Treatment, Payment, and Healthcare Operations
Organization is not required to obtain written patient authorization to use or disclose PHI under certain circumstances. When organization uses or discloses PHI for purposes of treatment, payment, or healthcare operations, organization need not obtain such authorization, except for certain exceptions, and when required to do so by state law.

45 CFR 164.506 Treatment, Payment, or Healthcare Operations

Privacy 14.0 Sale of PHI

Organization will not engage in activities constituting the sale of patient PHI, unless prior written patient authorization is obtained. “Sale of PHI” is the indirect or direct receipt of remuneration, including non-financial benefits such as in-kind benefits, in exchange for patient PHI.

 

45 CFR 164.508(a)(4) Sale of PHI

Privacy 15.0 Policy for Disclosures by Whistleblowers and Workforce Member Crime Victims
Workforce members and business associates have the right to disclose PHI if they believe another workforce member or business associate has engaged in conduct that violates the HIPAA regulations, or organization’s policies and procedures related to those regulations. In addition, workforce members who are the victim of a crime may disclose PHI about the suspected perpetrator to law enforcement officials.

 

45 CFR 164.502(j) Disclosures by Whistleblowers and Workforce Member Crime Victims

 
Privacy 16.0 Use or Disclosure of PHI for Specialized Government Functions
Organization may use and disclose PHI without written patient authorization for the following specialized government functions:

 

  • Military and veterans’ activities;

  • National security and intelligence activities;

  • Protective services for the President and others;

  • Medical suitability determinations; and

  • Correctional institutions and other law enforcement custodial situations.

 

45 CFR 164.512(k) Uses and Disclosures for Specialized Government Functions


Privacy 17.0 Limited Data Set and Data Usage Agreements

Organization may share a limited data set, which is a set of PHI with certain identifiers removed, with a requesting party who seeks the PHI disclosure for purposes of research, public health, or healthcare operations. Such disclosure may only be made if the organization obtains a signed, written Data Use Agreement (DUA) from the person or entity to whom the limited data set is to be disclosed.

45 CFR 164.514(e) Limited Data Set and Data Use Agreement
