Summary of Privacy Practices
This summary of our privacy practices contains a condensed version of our Notice of Privacy Practices. Our full-length Notice is available at the front desk upon request.
Date of Last Revision: December 17, 2009
Effective Date: Immediately
We understand that your medical information is personal to you, and we are committed to protecting the information about you. As our patient, we create medical records about your health, our care for you, and the services and/or items we provide to you as our patient. By law, we are required to make sure that your protected health information is kept private.
How will we use or disclose your information? Here are a few examples (for more detail please refer to the Notice of Privacy Practices that follows this summary):
- For medical treatment
- To obtain payment for our services
- For appointment and patient recall reminders
If you believe your privacy rights have been violated, you may file a complaint with the Practice or with the Secretary of the Department of Health and Human Services. To file a complaint with the Practice, contact our administrator. All complaints must be submitted in writing. You will not be penalized for filing a complaint.
You have certain rights regarding the information we maintain about you. These rights include:
- The right to inspect and copy
- The right to request restrictions
- The right to amend
- The right to a paper copy of this notice
- The right to an accounting of disclosures
- The right to request confidential communications
For more information about these rights please see the detailed Notice of Privacy Practices that is available by asking a receptionist.
HIPAA SECURITY POLICIES AND PROCEDURES
on health care data residing in computers and electronically transmitted
SECURITY POLICIES
Introduction
This document outlines the Matossian Eye Associates (MEA) practice policies, procedures, and standards of conduct designed to ensure our compliance with applicable federal laws and regulations. Failure to abide by the rules, policies and procedures or behavior in violation of any HIPAA law, regulation or rule may result in disciplinary action, as outlined in the Personnel Policy Manual.
Willful failure by any employee to comply with these policies and procedures will result in employment dismissal.
Compliance Mission Statement
MEA strives at all times to maintain the highest degree of integrity in its interactions with patients and the delivery of quality health care. The practice and its employees will at all times strive to maintain compliance with all laws, rules, regulations, and requirements affecting the practice of medicine and the handling of patient information. Protecting the security of an individual’s electronic protected health information (“e-PHI”) is a critical concern to this practice, and to the trust our patients offer in our treatment of their medical issues.
Expectation of Privacy
The practice periodically reviews logins and audits its systems for securing e-PHI and PHI. No employee should have any expectation of privacy in any material stored in, sent from, or retrieved from or to any workstation. Thus, only information that furthers the mission of the practice should be downloaded from the Internet (see the practice Internet and E-mail policy in the Personnel Policy Manual). Likewise, there should never be any retrieval or transmission of any e-PHI, except as specifically authorized by practice policies.
Administrative Safeguards
The practice has implemented administrative policies and procedures to prevent, detect, contain, and correct security violations. These policies and procedures are described in the following sections.
1. Security Management Process
- Risk Analysis
The practice periodically conducts assessments of the potential risks and vulnerabilities of the confidentiality, integrity, and availability of e-PHI held in its computer system including both on-site attacks and Internet attacks. When the Security Officer believes any risks exist, the Security Officer addresses each risk. The practice has security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule as detailed in this document. Such measures include fire alarms, sprinkler protection, firewalls, anti-virus software and server operating system updates. Only authorized personnel may access certain levels of the computer system. Unauthorized or malicious access may be subject to legal action or employment sanctions as set forth herein.
- Risk Management
As part of its risk management procedure, the practice tracks authorized and unauthorized access to any part of the computer system. In addition, the practice’s computer system is designed to automate proper access for certain personnel and deny access to all unauthorized personnel.
- Sanction Policy
The practice will apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures. Unauthorized access by workforce members may result in removal from the premises, termination of employment and legal action.
- Information System Activity Review and Login Monitoring
The practice regularly reviews system information activity. The Security Officer periodically reviews various files contained on practice computers and observes employee conduct for inappropriate access.
2. Assigned Security Responsibility
MEA has appointed a Security Officer to oversee the security of the practice’s information and technology systems. The Security Officer will serve until the practice’s Board of Directors replaces him/her or until such time as he/she resigns from the position. While there is a specific job description for the Security Officer, generally he/she is charged with the following responsibilities:
• Oversee and monitor implementation of the Security components of the HIPAA Compliance Plan;
• Prepare and present reports to the Board of Directors of the practice on practice compliance;
• Develop and implement a training program focusing on the security components of the HIPAA Compliance Program, and ensure that training materials are appropriate for all practice employees;
• Ensure that independent contractors who furnish information services to the practice are aware of the requirements of the practice’s HIPAA Compliance Plan;
• Coordinate security compliance efforts within the practice and establish methods such as periodic audits, both to improve the practice’s efficiency and quality of services and to reduce the practice’s vulnerability to security abuse;
• Revise the HIPAA Compliance Program periodically, in light of changes in the needs of the practice or changes in the law of government and private payor plans;
• Develop mechanisms to receive and investigate reports of non-compliance and monitor subsequent corrective action and/or compliance;
• Develop policies and procedures that encourage employees to report non-compliance without fear of retaliation.
3. Workforce Security
- Authorization, Supervision, Clearance Procedure
The Security Officer determines which workforce members appropriately have access to e-PHI. All employees who are allowed access to e-PHI are assigned a specific level of access, so that some people may be permitted greater access to e-PHI than others. Likewise, the Security Officer may assign passwords to individuals. Those passwords are to be used only by the individual to whom they are assigned and only during office hours. No one may share a login or a password with any other person. Passwords and logins should be committed to memory and not written down in any discoverable location.
Information should not be shared with workforce members who do not need access to e-PHI, or who otherwise cannot obtain such access because they are not intended to have such access.
- Termination Procedures
When an individual’s employment with the practice ends for any reason, that employee’s access to e-PHI and the facility is terminated by removing his or her user ID from the practice computers and seeking the return of any other means of physical access (keys, ID numbers, etc.). In addition, the employee is required to turn in any other relevant property.
4. Information Access Management/Isolating Healthcare Clearinghouse Function
MEA currently does not perform any healthcare clearinghouse functions. However, in the future, if the practice does perform clearinghouse functions, a procedure will be developed to ensure data security, reliability, and integrity. In addition, the practice requires any clearinghouse it works with to be HIPAA compliant.
5. Security Awareness and Training
- Security Reminders
MEA will conduct periodic security awareness training with two goals:
- All employees will receive training on how to perform their jobs in compliance with the security policies of the practice and any applicable regulations; and
- Each employee will understand that HIPAA security compliance is a condition of continued employment.
- Protection From Malicious Software
The MEA computers have anti-virus software installed. Updates to that software are periodically installed when available. No employee may at any time download any non-practice related material from the Internet. All employees are required to review the email and Internet use section in the Personnel Policy Manual.
6. Security Incident Procedures, Response, and Reporting
The Security Officer notes any security issues he/she is aware of in the practice’s incident log, and addresses them on a case-by-case basis. Each employee will be contacted directly and individually if a problem arises. The steps for responding to potential security violations are: isolate the problem, report the incident, log the incident, and correct the issue (if possible).
7. Contingency, Data Backup, Disaster Recovery, Emergency Mode Operations, Testing and Revisions
MEA periodically backs up its computer systems, and the backup is taken each night to a safe, off-site location. In addition, MEA's patient database is automatically backed up to an off-site server facility. If an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) damages the practice operational systems, hardware or software that contain e-PHI, the Security Officer (or designated representative) shall take the backup copy along with any other necessary data to a reliable computer and operate the system from that location, if feasible. Otherwise, existing equipment would be repaired or replaced on-site.
8. Evaluation
The Security Officer (or designated representative) performs a periodic (usually quarterly) technical and non-technical evaluation of the procedures in this document, or any time there are significant environmental or operational changes affecting the security of e-PHI. The practice’s policy is to review all facets of data security, integrity, reliability and system functionality during such review.
Physical Safeguards
MEA has implemented physical safeguard related policies and procedures to prevent, detect, contain, and correct security violations. These policies and procedures are described in the following sections.
- Facility Access Controls
Computers, to the greatest extent possible, are kept in private, secure locations. The building is secure from unauthorized access, and the office premises are securely locked at the end of the day. Access to the building after hours requires a unique access card. Cards are distributed on a need-only basis.
- Workstation Use
Workstations are to be used exclusively for practice operations. You may not send email or use instant messaging without the prior approval of the Security Officer. Consult the email and Internet policy in the Personnel Policy Manual for additional information. In addition, the practice has implemented security rights and policies within the computer infrastructure to protect against malicious attempts on the system.
- Workstation Security
Workstation access is restricted to authorized users only. Only those personnel who require access to those systems are authorized to use them. In addition, monitors are positioned so they are turned away from unauthorized users, including patients. All workstations are located in secure areas. If you have access to a workstation, you must use a screen saver that is activated when your station becomes idle.
- Device and Media Controls
The Security Officer (or designated representative) oversees the movement, receipt, and removal of all hardware and electronic media on an as-needed basis. The Security Officer also oversees the final disposition of any hardware or electronic media, and erases disks and other media as needed upon disposal or in preparation for re-use. In addition, the Security Officer (or designated representative) creates a retrievable, exact copy of e-PHI, when needed, before movement of equipment.
Technical Safeguards
Our practice has implemented procedural mechanisms that record and examine activity in information systems that contain or use e-PHI. These mechanisms include failed login reports and account activity reports.
- Access Control
Each employee is assigned a unique name and/or number for identifying and tracking user identities. You must keep your ID secure and you must not share it with anyone. Each employee shall have his or her own user ID. User IDs shall be unique to the individual, not to the job function.
- Audit Controls
The practice has computer server mechanisms that record activity in information systems.
- Integrity
The practice has implemented procedures to protect e-PHI from improper alteration or destruction, to corroborate that e-PHI has not been altered or destroyed in an unauthorized manner, and to verify that a person or entity seeking access to e-PHI is the one claimed.
- Person or Entity Authentication
As outlined above, the practice has measures, via login authorization, to verify that anyone trying to access e-PHI is the person he/she claims to be. Therefore, it is of utmost importance that you do not share your access codes with anyone.
- Transmission Security
The practice utilizes software that ensures that transmissions of e-PHI are secure. You must not transmit e-PHI (via email or otherwise) unless you are directed to do so by your supervisor.