The purpose of this policy is to ensure that WBK Healthcare Services (“WBK”) complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and any relevant state and federal laws and regulations. This policy outlines WBK’s commitment to protect the privacy and security of protected health information (PHI), maintain the confidentiality of medical records, and uphold patients’ rights under HIPAA standards.
This policy applies to all WBK employees, contractors, volunteers, and any other individuals or entities involved in the provision of healthcare services or the operation of WBK facilities.
Protected Health Information (PHI): Any individually identifiable health information that is transmitted or maintained in any form or medium, including oral, written, or electronic formats.
- Privacy and Security of Protected Health Information (PHI)
- Access to PHI: WBK will limit access to PHI to only those employees, contractors, and volunteers who need the information to perform their job duties. Access will be granted based on the minimum necessary standard, which means that individuals will only have access to the minimum amount of PHI necessary to complete their tasks.
- Training: All WBK employees, contractors, and volunteers who have access to PHI will receive regular training on HIPAA regulations and WBK’s policies and procedures for safeguarding PHI.
- Security Measures: WBK will implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. This includes, but is not limited to, securing physical records and electronic systems, restricting access to PHI, and monitoring and regularly reviewing system activity.
- Breach Notification: In the event of a breach of unsecured PHI, WBK will notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, when required, the media, in accordance with HIPAA regulations.
- Use and Disclosure of Protected Health Information (PHI)
- Permitted Uses and Disclosures: WBK may use and disclose PHI without the patient’s authorization for the following purposes:
a. Treatment: WBK may use and disclose PHI to provide, coordinate, or manage healthcare and related services, including consultations and referrals between healthcare providers.
b. Payment: WBK may use and disclose PHI to obtain payment for healthcare services provided, including billing, claims management, and collection activities.
c. Healthcare Operations: WBK may use and disclose PHI for activities related to the operation of WBK, such as quality assessment and improvement, training, accreditation, and compliance activities.
- Disclosures Requiring Authorization: Except for the purposes outlined above, WBK will obtain written authorization from the patient before using or disclosing their PHI. Patients may revoke their authorization at any time, in writing, except to the extent that WBK has already taken action in reliance on the authorization.
- Disclosures Requiring Opportunity to Object: WBK may disclose PHI to family members, friends, or other individuals involved in the patient’s care, or for notification purposes, provided that the patient has been given the opportunity to object and has not done so. If the patient is incapacitated or in an emergency situation, WBK may disclose PHI based on its professional judgment and the best interests of the patient.
- Disclosures Required by Law: WBK may use or disclose PHI as required by federal, state, or local laws, including disclosures to public health authorities, law enforcement, or in response to a court order or subpoena.
- Disclosures for Special Purposes: WBK may use or disclose PHI for certain special purposes, such as for research, provided that appropriate safeguards are in place and the use or disclosure is permitted under HIPAA regulations. Other special purposes may include disclosures for organ and tissue donation, workers’ compensation, or to prevent a serious threat to public health or safety.
- Disclosures to Business Associates: WBK may disclose PHI to its business associates, who provide services on behalf of WBK, such as billing or consulting services. WBK will ensure that these business associates have signed a Business Associate Agreement and are committed to protecting the privacy and security of PHI.
- Minimum Necessary Standard: When using or disclosing PHI, WBK will make reasonable efforts to limit the use or disclosure to the minimum necessary to accomplish the intended purpose.
- De-Identified Information: WBK may use or disclose de-identified health information that is stripped of all identifiers that would allow the information to be linked to an individual, in accordance with HIPAA regulations. De-identified information is not considered PHI and may be used or disclosed without restrictions.
- Medical Records
- Retention and Disposal: WBK will maintain medical records in a secure manner for the duration required by applicable state and federal laws. After the required retention period, WBK will securely dispose of medical records in a manner that ensures the confidentiality of PHI is maintained.
- Requests for Access and Amendment: Patients have the right to access their medical records and request amendments to correct inaccurate or incomplete information. WBK will respond to these requests in a timely manner and in accordance with HIPAA regulations.
VII. Patient Rights
- Notice of Privacy Practices: WBK will provide all patients with a Notice of Privacy Practices, which outlines how their PHI may be used and disclosed, their rights under HIPAA, and WBK’s legal responsibilities for protecting their PHI.
- Restriction Requests: Patients have the right to request restrictions on the use and disclosure of their PHI. WBK will evaluate these requests on a case-by-case basis and comply with the restrictions when required by law.
- Confidential Communications: Patients have the right to request that WBK communicate with them about their healthcare in a specific way or at a specific location, such as only contacting them at work or via email. WBK will accommodate reasonable requests.
- Accounting of Disclosures: Patients have the right to request an accounting of disclosures of their PHI made by WBK in the past six years, except for disclosures made for treatment, payment, healthcare operations, or as authorized by the patient. WBK will provide this accounting within 60 days of receiving the request.
VIII. Enforcement and Compliance
WBK will regularly review and update this policy to ensure continued compliance with HIPAA standards. WBK will investigate and address any potential violations of this policy or HIPAA regulations promptly. Violations may result in disciplinary action, up to and including termination of employment or contractual relationships.
- WBK’s Legal Duties and Responsibilities
- Legal Compliance: WBK is required by federal and state laws, including HIPAA, to maintain the privacy and security of PHI, ensure the confidentiality of medical records, and uphold patients’ rights. WBK is also subject to other federal and state privacy laws and regulations that may impose additional requirements.
- Notice of Privacy Practices: As required by law, WBK will provide patients with a Notice of Privacy Practices that explains how their PHI may be used and disclosed, their rights under HIPAA, and WBK’s legal duties and responsibilities for protecting their PHI.
- Changes to Privacy Practices: WBK is required to abide by the terms of the current Notice of Privacy Practices. If WBK needs to make material changes to its privacy practices, it will revise the Notice of Privacy Practices and distribute the updated notice to affected individuals in a timely manner, as required by law.
- Reporting and Responding to Violations: WBK is legally obligated to report and respond to any potential violations of this policy or HIPAA regulations promptly. Violations may result in disciplinary action, up to and including termination of employment or contractual relationships, and may also lead to civil or criminal penalties under applicable laws.
- Retaliation and Intimidation Prohibited: WBK is required by law to refrain from retaliating against or intimidating any individual who exercises their rights, files a complaint, or reports a violation of this policy or HIPAA regulations in good faith.
- Cooperation with Regulatory Authorities: WBK will cooperate with the U.S. Department of Health and Human Services (HHS) and other regulatory authorities in the investigation and resolution of privacy and security complaints or concerns, and will comply with any corrective actions or penalties imposed by such authorities.
- Documentation and Record Retention: WBK is required to maintain documentation of its privacy and security policies, procedures, and activities, as well as documentation related to patients’ rights and the use and disclosure of PHI, for a minimum of six years, or as otherwise required by law.
By adhering to these legal duties and responsibilities, WBK Healthcare Services is committed to maintaining the privacy of patients’ protected health information and ensuring compliance with all applicable laws and regulations.
- Reporting Concerns
Employees, contractors, volunteers, patients, and other individuals who believe there has been a violation of this policy or HIPAA regulations should report their concerns to WBK’s Privacy Officer. Reports can be made anonymously, and WBK will not retaliate against any individual for reporting a concern in good faith.
- Privacy Officer
WBK has designated a Privacy Officer who is responsible for the development and implementation of policies and procedures to comply with HIPAA regulations, as well as handling any privacy-related complaints and concerns. The Privacy Officer can be contacted at:
WBK Healthcare Services
Address: 114 Werner St Bridgeville PA 15017
- Amendments to this Policy
WBK reserves the right to amend this policy at any time. Any changes to this policy will be communicated to affected individuals in a timely manner, as required by law.
XII. Effective Date
This policy is effective as of April 6th, 2023.