Privacy Policy

Privacy of Health Information / Policy and Procedure

1.0 PURPOSE

The purpose of this policy is to provide you with information about the Privacy Policy of Center for Aesthetic Medicine and Human Performance (“Center for Aesthetic Medicine and Human Performance”) regarding its compliance with the privacy and security standards of the Health Information Portability and Accountability Act (“HIPAA”) and to protect the rights of customers concerning the confidentiality of protected health information (“PHI”). Center for Aesthetic Medicine and Human Performance is not a health provider; however, it is a business associate of health providers and therefore must comply with HIPAA.

2.0 POLICY

It is the policy of Center for Aesthetic Medicine and Human Performance that confidential protected health information (“PHI”) maintained by Center for Aesthetic Medicine and Human Performance be secured, maintained and released in accordance with applicable federal and state laws, rules and regulations, including HIPAA. All healthcare personnel who generate, use or otherwise deal with protected health information must uphold the patient’s right to confidentiality. This policy applies to all information resources, whether written, verbal or electronic, and whether individually controlled, shared, stand-alone or networked.

3.0 PROCEDURE: PRIVACY

3.1 Use and Disclosure.

3.1.1 Use. Center for Aesthetic Medicine and Human Performance is permitted to use PHI for its own payment and healthcare operations activities. Center for Aesthetic Medicine and Human Performance is NOT a treatment provider.

3.1.2 Disclosure. Disclosure of PHI is permitted as outlined in SYS-IM-101, SYS-IM-106, and SYS-IM-107. A Center for Aesthetic Medicine and Human Performance entity is permitted to disclose PHI to other health care entities involved in the patient’s care without a specific authorization from the patient.

3.1.3.1 Authorizations. A Center for Aesthetic Medicine and Human Performance entity is permitted to disclose PHI to other entities/individuals only when it has received a specific authorization to disclose the PHI for purposes other than treatment, payment or healthcare operations.

3.1.3.2 Minimum Necessary. The Minimum Necessary standard is not applicable to any PHI disclosures for which Center for Aesthetic Medicine and Human Performance has received an appropriate patient authorization. Center for Aesthetic Medicine and Human Performance is expected to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the disclosure.

3.1.3.2.1 Authorized access to PHI is to be based on the minimum necessary standard, taking into account the classification of the data/information in question, the level of information access authorized for the role/position, and the official role/position of the person.

3.1.3.2.2 Center for Aesthetic Medicine and Human Performance health data/information will be placed into three major classifications: (i) Public – data/information containing directory or other content that is accessible to the public; (ii) Center for Aesthetic Medicine and Human Performance Confidential – data/information containing business-sensitive and/or proprietary content; and (iii) PHI – data/information whose classification requires strict privacy and security guidelines to be followed for the use and disclosure of the applicable information.

3.2 Departmental Policies and Procedures. Policies and/or procedures governing the collection, access, use, transmission, storage and/or destruction of PHI must clearly outline proper conduct for compliance with HIPAA regulations. Departments are responsible for creating, reviewing and maintaining internal policies and procedures regarding uses of PHI within their specific area to ensure privacy, at least annually and whenever new processes are introduced or modified.

3.3 Training. All members of the workforce must attend general education and training regarding privacy and security of PHI.

3.4 Individual Rights. Individual Rights include the following enumerated items. Administrative procedures are required to identify the process for each right.

3.4.1 The right to request restrictions on certain uses and disclosures of PHI. Center for Aesthetic Medicine and Human Performance is not required to agree to the requested restriction. 

3.4.2 The right to receive confidential communications of PHI. 

3.4.3 The right to inspect, copy and request an amendment of PHI. 

3.4.4 The right to receive an accounting of disclosures of PHI.

3.4.4.1 The accounting does not have to include the uses related to treatment, payment, or healthcare operations. 

3.4.4.2 All disclosures of PHI must be listed on the “accounting of disclosure” report. 

3.4.4.3 Disclosure of PHI must be centrally tracked in order to produce a complete “accounting of disclosure” report.

3.5 Business Associates. Business Associates are allowed to create and receive PHI on behalf of Center for Aesthetic Medicine and Human Performance only after Center for Aesthetic Medicine and Human Performance receives satisfactory assurance in the form of a written agreement that the Business Associate will safeguard the PHI. The Business Associate agreement is required to include specified elements outlining compliance with the HIPAA Privacy Standards.

3.6 Other PHI Restrictions and Exceptions. Vendors and Center for Aesthetic Medicine and Human Performance representatives are required to sign and abide by the terms of a confidentiality agreement before access is granted.

4.0 PROCEDURE: SECURITY

4.1 General. General provisions for security of PHI must meet and satisfy HIPAA regulations to assure that appropriate administrative procedures are in place to govern record processing, technical measures and physical access.

4.1.1 Media Controls. Media controls of information systems/applications containing PHI must require data backups, access control, accountability, and data storage and disposal.

4.1.2 Record Processing. Record processing must include integrity checks and other controls necessary to ensure the privacy and security of PHI.

4.1.3 Physical Access. Physical access controls are required to limit access to areas containing PHI including use of door locks, cardkeys, and/or other means of restricting physical access.

4.1.4 Workstations/Work Areas. All workstations and/or work areas must be secured against accidental and unauthorized use/disclosure of PHI, including through the use of screen security, workstation placement, etc.

4.2 Reporting Requirements/Sanctions. Confirmed or suspected breaches of privacy regarding PHI must be promptly reported to Corporate Compliance and/or a department head.

4.2.1 Investigation. Confirmed and/or suspected breaches will be tracked and investigated and, when necessary, follow-up action will be implemented.

4.2.2 Sanctions. Wrongful disclosure and/or use of PHI may result in immediate disciplinary action up to and including termination of employment, and/or legal action.

5.0 PROCEDURE: DESIGNATED PRIVACY OFFICER

Center for Aesthetic Medicine and Human Performance has appointed a Privacy Officer who has primary responsibility for ensuring system-wide compliance with HIPAA privacy regulations. The Privacy Officer is also the Corporate Compliance Officer. The Center for Aesthetic Medicine and Human Performance Corporate Compliance and Privacy Officer can be reached at legal@Center for Aesthetic Medicine and Human Performance.com. The responsibilities of the Privacy Officer include, but are not limited to: (i) development and implementation of the policies and procedures of the entity; (ii) oversight of issues in conformance with privacy legislation; (iii) establishment of a process for receiving, documenting, tracking, investigating and taking action on complaints concerning privacy policies and procedures, and maintaining records of all complaints and their disposition; (iv) serving as a consultant to Internal Audit, Legal Services and Applications Systems Managers; (v) oversight of training for employees, volunteers, medical and professional staff, contractors, business associates and other appropriate third parties; (vi) provision of privacy training seminars, as needed; (vii) promotion of activities to foster information privacy awareness within Center for Aesthetic Medicine and Human Performance; and (viii) assistance with the development of Business Associate Agreements, as well as other pertinent policies and procedures.

5.1 Complaint Process. Complaints of alleged privacy violations can be received through multiple channels: in person, in writing or by telephone. Upon receipt of a complaint, the Privacy Officer will take the following actions, as necessary:

5.1.1 Document the complaint received, including in the documentation a brief description of and/or the basis for the complaint. 

5.1.2 Conduct an initial review to determine whether the complaint involves a suspected privacy violation. 

5.1.2.1 If it does not, the Privacy Officer will contact the complainant and refer them to the appropriate person for resolution of the complaint. 

5.1.2.2 If it does involve a suspected privacy violation, the Privacy Officer will investigate the complaint and/or forward a copy of the complaint to appropriate personnel for investigation and reporting back to the Privacy Officer. Such investigation may include conducting reviews, contacting employees, workforce members or business associates, and working with other Center for Aesthetic Medicine and Human Performance resources as needed.

5.1.3 If the Privacy Officer determines that PHI was wrongfully used or disclosed by an employee, he/she will consult with the Center for Aesthetic Medicine and Human Performance Human Resources department and together, they will determine what sanctions, if any, will be imposed against the employee who committed the violation. 

5.1.4 If the PHI that was wrongfully used or disclosed is created or maintained by a business associate of Center for Aesthetic Medicine and Human Performance, the Privacy Officer will: 

5.1.4.1 Notify the business associate of the results of the investigation and any required action on the part of the business associate. 

5.1.4.2 If the results of the investigation are that the business associate misused or improperly disclosed a patient’s PHI, prepare a recommendation for Center for Aesthetic Medicine and Human Performance Legal Counsel as to whether the business associate relationship between the business associate and Center for Aesthetic Medicine and Human Performance should continue. Document the resolution of the complaint.

5.1.5 Document the resolution of the complaint.

5.1.6 Contact the complainant to inform them of the resolution of the complaint. 

5.1.7 Document the communication with the complainant.

5.2 Record Retention. The complaint form and any documentation related to the complaint and the resolution thereof shall be retained for six (6) years.

5.3 No Retaliation. Center for Aesthetic Medicine and Human Performance will not intimidate, threaten, coerce, discriminate against, penalize, or take other retaliatory action against a patient who exercises his/her rights under HIPAA or against anyone who participates in a process governed by the HIPAA Privacy Regulations.

5.4 OCR Process. If the patient wants to file his/her complaint with the Secretary of HHS, he/she should be directed to and follow the steps provided on the Office for Civil Rights website (www.hhs.gov/ocr/hipaa).

6.0 SCOPE

This policy applies to all organizations and personnel within Center for Aesthetic Medicine and Human Performance. 

7.0 Definitions and Terms

7.1 Business Associate – is defined as an individual or entity (other than a member of the Center for Aesthetic Medicine and Human Performance workforce) that performs or assists Center for Aesthetic Medicine and Human Performance in the performance of a function or activity involving the use or disclosure of individually identifiable health information, and may include, but is not limited to, consultants, accountants, lawyers, transcriptionists, third-party billing companies, and accreditation services.

7.2 Covered Entity (CE) – is defined as a healthcare provider, health plan, or clearinghouse.

7.3 Designated Record Set – is defined as information used by a CE to make decisions about individuals. For providers, the designated record set includes medical records and billing records. For health plans, the designated record set includes enrollment records, payment records, claims adjudication records, and case management records.

7.4 De-Identified Information – is defined as healthcare information that has been stripped of information that would identify an individual and with respect to which there is no reasonable basis to believe it can be used to identify an individual. An alternative method of de-identification is permitted to entities with appropriate statistical experience and expertise that can certify that the chance of re-identification of the data is low. De-identified data can be used and disclosed freely. Covered entities are encouraged to create de-identified health information by removing, encoding, encrypting, or otherwise concealing potential identifiers.

7.5 Disclosure – is defined as the release, transfer, provision of access to, or divulging in any other manner of information outside the covered entity holding the information.

7.6 Healthcare Operations – includes any of the following activities: quality assessment and improvement activities, competence and performance reviews, training, accreditation, certification, licensing, credentialing and other related activities, underwriting and other insurance related activities, medical review, legal services, auditing functions including fraud and abuse detection and compliance programs, business planning and development, business management and general administration activities.

7.7 Individually Identifiable Health Information (Protected Health Information) – is defined as any information, including demographic information collected from an individual, that (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

7.8 Privacy Standards – means the final privacy standards issued by the Department of Health and Human Services, as amended from time to time.

7.9 Protected Health Information – is defined as individually identifiable health information that is transmitted electronically, maintained electronically or transmitted or maintained in any other form or medium and includes:

- Names – of the individual, relatives, employers or household members of the individual;
- Geographic identifiers – subdivisions smaller than a state, including street address(es), city, county, and precinct;
- Zip code – at any level other than the initial 3 digits (e.g., 731XX-XXXX). Geographical areas of 20,000 or fewer people must be reported as 000;
- All date elements (year is permitted except in reference to patients over age 89) – birth date, admission date, discharge date, and date of death. All ages over 89, including year, are considered personal identifiers (such ages and elements may be represented in aggregated reporting as the single category “age 90 or older”);
- Personal numbers – telephone numbers, fax numbers, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, credit card numbers;
- Web identifiers – electronic mail addresses, Web Universal Resource Locators (URLs), and Internet Protocol (IP) address numbers;
- Biometric identifiers – including finger, iris and voice prints;
- Full-face photographic images and any comparable images;
- Any other unique identifying number, characteristic or code.

7.10 Use – is defined as sharing, employment, application, utilization, examination or analysis of individually identifiable information within the entity that maintains the information.

7.11 Workforce – is defined to include employees, volunteers, trainees and other persons under the direct control of an entity.

8.0 International Data Transfer

For residents of the EEA or Switzerland, please note that the personal data we obtain from or about you may be transferred, processed and stored outside of the EEA or Switzerland for the purposes described in this Privacy Policy, including in the United States of America. We take the privacy of our users seriously and therefore take steps to safeguard your information, including ensuring an adequate level of data protection in accordance with E.U. standards. These include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information between our group companies, which require all group companies to protect personal information they process from the EEA in accordance with European Union data protection laws. We have implemented similar appropriate safeguards with our third-party service providers and partners, and further details can be provided upon request.

9.0 Contact

We do not disclose your personal information to third parties for the purpose of directly marketing their goods or services to you unless you first agree to such disclosure. If you have any questions regarding this policy, or would like to change your preferences, you may contact us at the following email: info@camhplv.com