Privacy Policy

Bridgeside Telehealth, LLC.

SECTION I: HIPAA STANDARDS & PRIVACY POLICY

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict Bridgeside Telehealth, LLC’s abilities to use and disclose protected health information (PHI).

Protected Health Information. Protected health information means information that is created or received by the Company and relates to the past, present, or future physical or mental health condition of a Patient/Client (“Participant”); the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected health information includes information about persons living or deceased.

Some examples of PHI are:

  • Participant’s medical record number
  • Participant’s demographic information (e.g. address, telephone number)
  • Information doctors, nurses, and other health care providers put in a participant’s medical record.
  • Images of the participant
  • Conversations a provider has about a participant’s care or treatment with nurses and others.
  • Information about a participant in a provider’s computer system or a health insurer’s computer system
  • Billing information about a participant at a clinic
  • Any health information that can lead to the identity of an individual or the contents of the information can be used to make a reasonable assumption as to the identity of the individual

It is the Company’s policy to comply fully with HIPAA’s requirements. To that end, all staff members who have access to PHI must comply with this HIPAA Privacy and Security Plan. For purposes of this plan and the Company’s use and disclosure procedures, the workforce includes individuals who would be considered part of the workforce under HIPAA, such as employees. The term “employee” or “staff member” includes all of these types of workers.

All staff members must comply with all applicable HIPAA privacy and information security policies. If after an investigation you are found to have violated the organization’s HIPAA privacy and information security policies, then you will be subject to disciplinary action up to termination or legal ramifications if the infraction requires it.


SECTION 1: Responsibilities as Covered Entity

  • Privacy Officer

The CEO will be the HIPAA Privacy Officer for Bridgeside Telehealth, LLC. The Privacy Officer will be responsible for the development and implementation of policies and procedures relating to privacy, including but not limited to this Privacy Policy and the Company’s use and disclosure procedures. The Privacy Officer will also serve as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI.

Privacy Officer Contact:

Email: [email protected]

Phone: 817-396-5498

Mail: 2133 Weatherbee, Fort Worth, TX 76110

  • Plan Document

The Plan document includes provisions to describe the permitted and required uses and disclosures of PHI by Bridgeside Telehealth, LLC. Specifically, the Plan document requires Bridgeside Telehealth, LLC to:

  • Not use or further disclose PHI other than as permitted by the Plan documents or as required by law;
  • ensure that any agents or subcontractors to whom it provides PHI received from the Company agree to the same restrictions and conditions that apply to Bridgeside Telehealth, LLC;
  • report to the Privacy Officer any use or disclosure of the information that is inconsistent with the permitted uses or disclosures;
  • make PHI available to Participants, consider their amendments and, upon request, provide them with an accounting of PHI disclosures;

  • Workforce Training

It is the Company’s policy to train all members of its workforce who have access to PHI on its privacy policies and procedures. All staff members receive HIPAA training. Whenever a privacy incident has occurred, the Privacy Officer in collaboration with management will evaluate the occurrence to determine whether additional staff training is in order.

  • Safeguards

The Company has established technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. Technical safeguards include limiting access to information by creating computer firewalls. Additionally, all staff members can only access PHI by using their login information.

Firewalls ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for their job functions, and that they will not further use or disclose PHI in violation of HIPAA’s privacy rules.

Data Storage / Backup / Remote Access

Currently, all data in the local data center is backed up using industry standards with off-site storage of media. Bridgeside Telehealth, LLC currently utilizes technology that allows the IT team to quickly remove, disable, and start staff member access to PHI.

  • Privacy Notice

The Privacy Officer is responsible for developing and maintaining a notice of the Company’s privacy practices that describes:

  • the uses and disclosures of PHI that may be made by the Company;
  • the individual’s rights; and
  • the Company’s legal duties with respect to the PHI.

The privacy notice will inform participants that the Company will have access to PHI. The privacy notice will also provide a description of the Company’s complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice.

The notice of privacy practices will be individually delivered to all participants:

  • on an ongoing basis, at the time of an individual’s enrollment into a Company program or at the time of treatment and consent; and
  • within 60 days after a material change to the notice.

The Company will also provide notice of availability of the privacy notice at least once every three years.

  • Complaints

The Privacy Officer will be the Company’s contact person for receiving complaints. The Privacy Officer is responsible for creating a process for individuals to lodge complaints about the Company’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint form shall be provided to any participant upon request.

  • Sanctions for Violations of Privacy Policy

Sanctions for using or disclosing PHI in violation of this HIPAA Privacy Plan will be imposed in accordance up to and including termination.

  • Mitigation of Inadvertent Disclosures of Protected Health Information

Bridgeside Telehealth, LLC shall mitigate, to the extent possible, any harmful effects that become known to it because of a use or disclosure of a Participant’s PHI in violation of the policies and procedures set forth in this Plan. As a result, if an employee becomes aware of a disclosure of protected health information, either by a staff member of the Company or an outside consultant/contractor that is not in compliance with this Policy, immediately contact the Privacy Officer so that the appropriate steps to mitigate the harm to the participant can be taken.

  • Documentation

The Company’s privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.

If a change in law impacts the privacy notice, the privacy policy must promptly be revised and made available. Such change is effective only with respect to PHI created or received after the effective date of the notice.

Bridgeside Telehealth, LLC shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual’s privacy rights.

The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form.

  • Electronic Health Records

Electronic Health Records must comply with HIPAA and other state and federal laws. Unlike paper records, electronic health records can be encrypted – using technology that makes them unreadable to anyone other than an authorized user – and security access parameters are set so that only authorized individuals can view them. Further, EHRs offer the added security of an electronic tracking system that provides an accounting history of when records have been accessed and who accessed them. Currently Bridgeside Telehealth, LLC contracts with Dr Chrono EMR.

  • Access Authorization

Bridgeside Telehealth, LLC will grant staff members access to PHI based on their job functions and responsibilities.

The Privacy Officer, in collaboration with IT and senior management, is responsible for determining which individuals require access to PHI and what level of access they require, through discussions with the individual’s manager and/or department head.

SECTION 2: USE AND DISCLOSURE OF PHI

  • Use and Disclosure Defined

The Company will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:

  • Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Company, or by a Business Associate of the Company.
  • Disclosure. For information that is protected health information, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within Bridgeside Telehealth, LLC with a business need to know PHI.

  • Disclosures of PHI Pursuant to an Authorization

PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

  • Permissive Disclosures of PHI: for Legal and Public Policy Purposes

PHI may be disclosed in the following situations without a participant’s authorization, when specific requirements are satisfied. The Company’s use and disclosure procedures describe specific requirements that must be met before these types of disclosures may be made. Permitted are disclosures:

  • about victims of abuse, neglect, or domestic violence;
  • for judicial and administrative proceedings;
  • for law enforcement purposes;
  • for public health activities;
  • for health oversight activities;
  • about decedents;
  • for cadaver organ, eye, or tissue donation purposes;
  • for certain limited research purposes;
  • to avert a serious threat to health or safety;
  • for specialized government functions; and
  • that relate to workers’ compensation programs.

  • Complying With the “Minimum-Necessary” Standard

HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure.

The “minimum-necessary” standard does not apply to any of the following:

  • uses or disclosures made to the individual;
  • uses or disclosures made pursuant to a valid authorization;
  • disclosures made to the Department of Labor;
  • uses or disclosures required by law; and
  • uses or disclosures required to comply with HIPAA.

Minimum Necessary When Disclosing PHI. For making disclosures of PHI to any business associate or providers, or for internal/external auditing purposes, only the minimum necessary amount of information will be disclosed.

All other disclosures must be reviewed on an individual basis with the Privacy Officer to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

Minimum Necessary When Requesting PHI. For making requests for disclosure of PHI from business associates, providers, or participants for purposes of claims payment/adjudication or internal/external auditing purposes, only the minimum necessary amount of information will be requested.

All other requests must be reviewed on an individual basis with the Privacy Officer to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

  • Disclosures of PHI to Business Associates

With the approval of the Privacy Officer and in compliance with HIPAA, employees may disclose PHI to the Company’s business associates and allow the Company’s business associates to create or receive PHI on its behalf. However, prior to doing so, the Company must first obtain assurances from the business associate that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a “business associate,” employees must contact the Privacy Officer and verify that a business associate contract is in place.

  • Disclosures of De-Identified Information

The Company may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.

There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis or by removing 18 specific identifiers.

18 specific elements listed below – relating to the participant, employee, relatives, or employer – must be removed, and you must ascertain there is no other available information that could be used alone or in combination to identify an individual.

  1. Names
  2. Geographic subdivisions smaller than a state
  3. All elements of dates (except year) related to an individual – including dates of admission, discharge, birth, and death – and for persons >89 y.o., the year of birth cannot be used.
  4. Telephone numbers
  5. FAX numbers
  6. Electronic mail addresses
  7. Social Security Number
  8. Medical Record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet protocol addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photos, and comparable images
  18. Any unique identifying number, characteristic, or code

A person with appropriate expertise must determine that the risk is very small that the information could be used alone or in combination with other reasonably available information by an anticipated recipient to identify the individual. And this person must document the methods and justification for this determination.

The following safeguards are required of all employees when working from a non-Bridgeside Telehealth, LLC site:

  • When outside the facility, only work on health information in a secure private environment.
  • Keep the information with you at all times while in transit.
  • Do not permit others to have access to the information.
  • Never email participant information.
  • Don’t save participant information to your home computer.
  • Do not print records of any type.
  • Do not record login information on or near the computer.
  • Return all information the next business day or as soon as required.

SECTION 3: PARTICIPANT INDIVIDUAL RIGHTS

  • Access to Protected Health Information and Requests for Amendment

HIPAA gives participants the right to access and obtain copies of their PHI that the Company or its business associates maintain. HIPAA also provides that participants may request to have their PHI amended. The Company will provide access to PHI and it will consider requests for amendment that are submitted in writing by participants.

  • Accounting

An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to accounting extends to disclosures made in the last six years, other than disclosures:

  • to carry out treatment, payment, or health care operations;
  • to individuals about their own PHI;
  • incident to an otherwise permitted use or disclosure or pursuant to an authorization;
  • for purposes of creation of a facility directory or to persons involved in the participant’s care or other notification purposes;
  • as part of a limited data set; or
  • for other national security or law enforcement purposes.

The Company shall respond to an accounting request within 60 days. If the Company is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.

The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).

The first accounting in any 12-month period shall be provided free of charge. The Privacy Officer may impose reasonable production and mailing costs for subsequent accountings. The Privacy Officer is responsible for responding to a request for Accounting.

Requests for Restrictions on Uses and Disclosures of Protected Health Information

A participant may request restrictions on the use and disclosure of the participant’s PHI. It is the Company’s policy to attempt to honor such requests if, in the sole discretion of the Company, the requests are reasonable. The Privacy Officer is charged with responsibility for processing requests for restrictions.

  • When a Participant Requests a Copy of his/her Record

A participant can request a copy of his/her medical record by completing a Request for Accessing/Inspecting/Copying Health Information form and submitting it to the Department that maintains the information being requested. The Department in collaboration with the Privacy Officer must process and respond to the request.

Participants can receive this form from Patient Services or by going directly to the department that maintains their records.

  • Acceptable Methods of Verification of Identity for Release of Personal Health Information (PHI):

When the Requestor is the Participant

The Company will take reasonable steps and exercise professional judgment to verify the identity of the individual making a request for access to his/her own PHI.

  1. If the request is made over the telephone, verification will be accomplished by requesting identifying information such as social security number, birth date, and medical record number and confirming that this information matches what is in the participant’s record. Or, verification will occur through a callback process using phone numbers documented in the participant record to validate the caller’s identity.

  2. If the request is made in writing, verification will be accomplished by requesting a photocopy of photo identification. If a photocopy of the ID is not available, the signature on the written request must be compared with the signature in the participant record. In addition, Bridgeside Telehealth, LLC will need to verify the validity of the written request by contacting the participant by telephone.

VIII. When the Requestor is the Participant’s Legally Authorized Representative

Verification of identity will be accomplished by asking for a valid photo identification (such as a driver’s license) if the request is made in person. Once identity is established, authority in such situations may be determined by confirming the person is named in the medical record or the participant’s profile as the participant’s legally authorized representative. Or, if there is no person listed in the medical record as the participant’s legally authorized representative, the authority may be established by the person presenting an original of a valid power of attorney for health care or a copy of a court order appointing the person guardian of the participant and a valid photo I.D. A copy of the I.D. and legal notice must be attached to the request and placed in the participant’s record.

IX. Other Methods

The Company may use any other method of verification that, in the Company’s discretion, is reasonably calculated to verify the identity of the person making the request. Some acceptable means of verification include, but are not limited to:

  1. Requesting to see a photo ID
  2. Requesting a copy of a power of attorney
  3. Confirming personal information with the requestor such as date of birth, policy number, or social security number
  4. Questioning a child’s caretaker to establish a relationship with the child
  5. Calling the requestor back through a main organization switchboard rather than a direct number

Summary Guidelines for Safeguarding the Privacy of Health Information

These are guidelines centered on how to safeguard health information and ensure confidentiality when using normal business communications, such as conversations, telephone, faxes, mail, and electronic mail. Wherever practical, the material containing Protected Health Information (PHI) should be labeled as confidential on the document, diskette, CD, or other medium. PHI maintained electronically should be password-protected in all media.

Also, when using and disclosing PHI, you must take reasonable measures to ensure the information is protected. Below are simple safeguarding tasks that should be used when communicating in a work environment that necessitates access to and use and disclosure of PHI. Remember to limit your communications of PHI to the minimum necessary for the intended purpose. Restrict your communications to those who have a valid “need to know” the information. If you have questions about these safeguards and how to protect PHI communications, please discuss them with your supervisor.

Oral Conversations – in-person

  • Discuss the participant’s PHI in private. Use an office with a door whenever possible or leave areas where others can overhear.
  • Be aware of those around you and lower your voice when discussing participants’ health information.
  • If possible, point out health information on paper or on-screen non-verbally when discussing participants’ health information.

Oral Conversations – telephone

  • Follow the above guidelines for “Oral Conversations – in-person”.
  • Don’t use names; instead say, “I have a question about a client.”
  • Never give PHI over the phone when talking to unknown callers but call back and verify information.
  • Never leave PHI on voice messages; instead, leave a message requesting a return call to discuss a participant giving only your name and phone number.
  • Do not discuss PHI over unencrypted cellular or portable (wireless) phones or in an emergency, as the transmissions can be intercepted.

Fax

  • Put fax machines in a safe location, not out in the open or in a public area with high traffic or easy access and visibility.
  • Use a cover sheet clearly identifying the intended recipient and include your name and contact information on the cover sheet.
  • Include a confidentiality statement on the cover sheet of faxes that contain PHI.
  • Do not include or reference PHI on the cover sheet.
  • Confirm the fax number is correct before sending.
  • Send a fax containing participant health information only when the authorized recipient is there to receive it whenever possible.
  • Verify that the fax was received by the authorized recipient; check the transmission report to ensure the correct number was reached and when necessary contact the authorized recipient to confirm receipt.
  • Deliver received faxes to the recipient as soon as possible. Do not leave faxes unattended at the fax machine.

Email

  • Do not include PHI in the subject line or the body of the email.
  • Transmit PHI only in a password-protected attachment (MS Word and MS Excel provide password protection).
  • Include a confidentiality statement on emails that contain any PHI in email attachments.
  • Do not send attachment passwords in the same email as the attachment.
  • Include your contact information (name and phone number minimum) as part of the email.
  • Set email-sending options to request an automatic return receipt from your recipient(s).
  • Request that email recipients call to discuss specific participant data.
  • Do not store emails or email attachments with PHI on your hard drive but copy and store them to a secure server. Delete the email and the attachments when they are no longer needed.

Courier and Regular Mail

  • Use sealed secured envelopes to send PHI.
  • Verify that the authorized person has received the package.
  • Deliver all mail promptly to the recipient.
  • Mailboxes must be in safe areas and not located in public or high-traffic areas.

Inter-Office Mail

  • Put PHI in closed inter-office envelopes. As an added precaution, put PHI in a sealed envelope inside the inter-office envelope.
  • Identify the recipient by name and verify the mail center address.
  • Distribute inter-office mail promptly to recipients. Do not leave unattended in mailboxes.
  • Where practical, use lockable containers (e.g. attachés) to transmit correspondence that contains participant PHI.

Computer Workstations

  • Use password-protected screen savers, turn off the computer, or log out of the network when not at your desk.
  • Position screens so they are not visible to others.
  • Secure workstations and laptops with passwords.
  • Change passwords on a regular basis.
  • Do not leave laptop or work-related participant PHI visible or unsecured in a car, home office, or in any public area.
  • Ensure that all PHI used outside work premises is protected using appropriate measures such as locked desks, and file cabinets.
  • Never remove original copies of PHI from the agency without your supervisor’s approval for specific purposes.
  • Store files that contain PHI on a secure server, not on your workstation hard drive.

Disposal of PHI

  • Shred all hard copies containing PHI when the copies are no longer needed.
  • Place hardcopies to be recycled in locked recycle bins if available.
  • Delete all soft copy files containing PHI from your computer and the server when the information is no longer needed within the record retention requirements.
  • Destroy all disks, CDs, etc., that contain PHI before disposing of them.
  • Do not reuse disks, or CDs that contain PHI without sanitizing them first.
  • Contact IT before transporting or transferring equipment for proper procedures to move equipment and to sanitize hard drives and other media.
  • Return the PHI to the sender, if this requirement is stipulated in any contractual agreements.

Work Areas

  • Do not leave PHI (files, records, Rolodex, reports) exposed, open, or unattended in public areas, conference rooms, mailboxes, wall trays, etc.
  • Store all PHI securely in locked file cabinets, desk drawers, offices, or suites when you are not in your work area.

THIS IS A SUMMARY OF OUR NOTICE OF PRIVACY PRACTICES, WHICH DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

Our pledge to protect your privacy:

Bridgeside Telehealth, LLC is committed to protecting the privacy of your medical information. Your care and treatment is recorded in a medical record. So that we can best meet your medical needs, we share your medical record with the providers involved in your care. We share your information only to the extent necessary to collect payment for the services we provide, to conduct our business operations, and to comply with the laws that govern health care. We will not use or disclose your information for any other purpose without your permission.

Participant Rights – You have the following rights regarding your medical information:

  • to request to inspect and obtain a copy of your medical records, subject to certain limited exceptions;
  • to request to add an addendum to or correct your medical record;
  • to request an accounting of Bridgeside Telehealth, LLC’s disclosures of your medical information;
  • to request restrictions on certain uses or disclosures of your medical information;
  • to request that we communicate with you in a certain way or at a certain location;
  • and to receive a copy of the full version of our Notice of Privacy Practices.

We may use and disclose medical information about you for the following purposes:

  • to provide you with medical treatment and services;
  • to bill and receive payment for the treatment and services you receive;
  • for functions necessary to run Bridgeside Telehealth, LLC, and assure that our participants receive quality care;
  • to provide basic contact information (no medical information is provided) to our development office for purposes of fundraising for Bridgeside Telehealth, LLC;
  • to support our standing as a federally qualified health center;
  • and as required or permitted by law.

There are additional situations where we may disclose medical information about you without your authorization, such as:

  • for workers’ compensation or similar programs;
  • for public health activities (e.g., reporting abuse or reactions to medications);
  • to a health oversight agency, such as the Texas Department of Health Services;
  • in response to a court or administrative order, subpoena, warrant, or similar process;
  • to law enforcement officials in certain limited circumstances;
  • to a coroner, medical examiner, or funeral director; and
  • to organizations that handle organ, eye, or tissue procurement or transplantation.

Our Notice may be revised or updated from time to time. Please see our full Notice of Privacy Practices for a more detailed description of our privacy practices, your rights regarding your medical information, and pertinent contact information.