
HIPAA Privacy, Security, and Breach Notification Policy

Lifespan Health
Effective Date: 8/1/2025

1. Purpose

This policy establishes Lifespan Health’s commitment to safeguarding the privacy, security, and integrity of Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and applicable state privacy laws.

2. Scope

This policy applies to all members of the Lifespan Health workforce, including employees, contractors, interns, volunteers, and business associates, who create, receive, maintain, transmit, or otherwise access PHI in any form (oral, paper, or electronic).

3. Definitions

  • Protected Health Information (PHI): Individually identifiable health information, in any form, that relates to a patient’s past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare services.

  • Electronic PHI (ePHI): PHI that is transmitted or maintained in electronic form.

  • Workforce: All employees, medical staff, volunteers, trainees, contractors, and others under the direct control of Lifespan Health, whether or not they are paid.

  • Business Associate: Any person or entity that performs services for Lifespan Health involving access to PHI and that is not part of our workforce.

  • Minimum Necessary Standard: The principle that access to PHI is limited to the least amount of information necessary to perform a specific job function.

4. Policy Statement

Lifespan Health will:

  1. Safeguard PHI in compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.

  2. Limit PHI use and disclosure to the minimum necessary for treatment, payment, and healthcare operations (TPO), unless authorized by the patient or required by law.

  3. Provide patient rights regarding access, amendments, and accounting of disclosures.

  4. Implement physical, administrative, and technical safeguards to protect ePHI from unauthorized access, alteration, deletion, or transmission.

  5. Train all workforce members in HIPAA compliance and privacy practices.

  6. Report and mitigate breaches of unsecured PHI in accordance with federal and state requirements.

5. Privacy Rule Compliance

5.1 Permitted Uses and Disclosures

Lifespan Health may use or disclose PHI without patient authorization for:

  • Treatment: Coordination or management of healthcare and related services.

  • Payment: Activities to obtain reimbursement for care provided.

  • Healthcare Operations: Quality assessment, training, credentialing, and administrative functions.

Other disclosures without authorization include those:

  • Required by law.

  • For public health activities.

  • For abuse, neglect, or domestic violence reporting.

  • For judicial or administrative proceedings.

  • For law enforcement purposes.

  • For organ/tissue donation.

  • For research (with applicable safeguards).

  • To avert serious threats to health or safety.

  • For workers’ compensation claims.

5.2 Patient Authorization

Any use or disclosure of PHI not described above requires a valid, written patient authorization.

5.3 Minimum Necessary

All workforce members must make reasonable efforts to limit PHI use, disclosure, or request to the minimum necessary to accomplish the intended purpose.

6. Patient Rights

Patients have the right to:

  1. Access their PHI.

  2. Request amendments to their PHI.

  3. Receive an accounting of certain disclosures.

  4. Request restrictions on uses and disclosures.

  5. Request confidential communications by alternative means or locations.

  6. Receive a Notice of Privacy Practices (NPP) describing their rights and Lifespan Health’s practices.

7. Security Rule Compliance

7.1 Administrative Safeguards

  • Assign a HIPAA Privacy Officer and HIPAA Security Officer.

  • Conduct regular risk assessments for PHI/ePHI security.

  • Implement security awareness training for all staff.

  • Establish workforce sanctions for HIPAA violations.

7.2 Physical Safeguards

  • Restrict physical access to PHI storage areas.

  • Secure workstations and mobile devices containing ePHI.

  • Dispose of PHI securely (shredding, secure deletion).

7.3 Technical Safeguards

  • Implement access controls (unique user IDs, passwords, role-based access).

  • Enable audit controls to record system activity.

  • Use encryption for ePHI in transit and at rest.

  • Maintain automatic log-off for devices with ePHI access.

8. Breach Notification Rule

8.1 Breach Definition

A breach is any acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by HIPAA that compromises the security or privacy of the PHI.

8.2 Breach Response

If a breach is suspected:

  1. Notify the HIPAA Privacy Officer immediately.

  2. Investigate to determine the nature and extent of the breach.

  3. Assess the risk using the factors outlined in 45 CFR §164.402.

  4. If confirmed, notify affected individuals without unreasonable delay, and no later than 60 calendar days after discovery.

  5. Notify the Secretary of HHS and, when applicable, prominent media outlets if more than 500 residents of a state/jurisdiction are affected.

9. Workforce Responsibilities

  • Access PHI only as necessary for assigned job duties.

  • Never share passwords or login credentials.

  • Report any suspected HIPAA violations or security incidents immediately.

  • Complete required HIPAA training upon hire and annually.

10. Sanctions

Workforce members who fail to comply with this policy may face:

  • Verbal or written warnings.

  • Suspension or termination.

  • Civil and/or criminal penalties as permitted under HIPAA.

11. Documentation & Retention

Lifespan Health will maintain HIPAA-related policies, procedures, training records, and breach documentation for at least six years from the date of creation or last effective date.

12. Policy Review

This policy will be reviewed annually and updated as necessary to remain compliant with applicable laws and regulations.

Lifespan Health

1342 Colorado Ave South

St Louis Park, MN 55416

P: (952) 546-5322

F: (763) 210-6820

Email: lifespancim@gmail.com
