HIPAA Privacy Policy THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. EMS Management and Consultants, Inc. NOTICE OF PRIVACY PRACTICES EMS Management and Consultants, Inc. is committed to safeguarding the privacy and confidentiality of patients' protected health information (PHI). It is our policy to be in compliance with the requirements of federal and state laws related to protecting the privacy of health information, including the Standards for Privacy of Individually Identifiable Health Information (45 CFR, Parts 160 and 164, commonly called the “HIPAA Final Privacy Rule”). This notice explains how that information may be used and shared with others. It also explains your privacy rights regarding this kind of information. The terms of this notice apply to health information created or received by EMS Management and Consultants, Inc. We are required by law to make sure that medical information that identifies you is kept private; give you this notice of our legal duties and privacy practices with respect to medical information about you; and follow the terms of the notice that is currently in effect. EMS Management and Consultants, Inc. is a covered entity providing billing and collection services. Payment activities may include but is not limited to: determining eligibility or coverage, coordination of benefits, billing and collections, medical necessity or coverage review, utilization review, or disclosing information to collection agencies. EMS Management and Consultants, Inc. will make reasonable efforts so that no more than the “minimum necessary” PHI is used or disclosed. EMS Management and Consultants, Inc. may disclose PHI to Public Health entities for disease control, injury prevention and other epidemiological activities as required by federal, state or local law. EMS Management and Consultants, Inc. may disclose PHI to another covered entity or healthcare provider for payment activities. EMS Management and Consultants, Inc., as a covered entity, is responsible to comply with all HIPAA requirements and under these requirements is permitted to receive reports and information relating to service and treatment of patients. Your medical information may be used and disclosed for the following purposes: Payment: We may use and disclose PHI about you so that the treatment and services you received may be billed and payment may be collected from you, an insurance company, or another third party. For example, we may need to give your health plan information about treatment and services performed so your health plan will pay us or reimburse you for the treatment and services. Required by Law: Medical information about you will be disclosed when required by federal, state or local laws. To Business Associates: Some services are provided by or to EMS Management and Consultants, Inc. through contracts with business associates. Examples include EMS Management and Consultants, Inc. attorneys, consultants, collection agencies, and couriers. We may disclose information about you to our business associate so that they can perform the job we have contracted with them to do. To protect the information that is disclosed, each business associate is required to sign an agreement to appropriately safeguard the information and not to disclose the information unless specifically permitted by law. Your medical information may be released in the following special situations: Military and Veterans: If you are a member of the armed forces, we will release medical information about you as requested by military command authorities if we are required to do so by law, or when we have your written consent. We may also release medical information about foreign military personnel to the appropriate foreign military authority as required by law or with written consent. Workers' Compensation: We may release medical information about you for workers' compensation or similar programs. These programs provide benefits for work-related injuries or illness. We are permitted to disclose this information to the parties involved in the claim without any specific consent, so long as the information is related to a workers' compensation claim. Public Health: We may disclose medical information to public health authorities about you for public health activities. These disclosures generally include the following: •Preventing or controlling disease, injury or disability •Reporting births and deaths •Reporting child abuse or neglect, or abuse of a vulnerable adult •Reporting reactions to medications or problems with products •Notifying people of recalls of products they may be using •Notifying a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition •Reporting to the FDA as permitted or required by law Lawsuits and Disputes: If you are involved in a lawsuit, dispute, or other judicial proceeding, we will disclose medical information about you only in response to a valid subpoena, court order, administrative order, or a grand jury subpoena, or with your written consent. Law Enforcement: We may release medical information if asked to do so by a law enforcement official in response to a valid subpoena, court order, grand jury subpoena, or warrant, or with your written consent. In addition, we are required to report certain types of wounds, such as gunshot wounds and some burns. In most cases, reports will include only the fact of injury, and any additional disclosures would require your consent or a court order. We may also release information to law enforcement that is not a part of the health record (in other words, non-medical information) for the following reasons: •To identify or locate a suspect, fugitive, material witness, or missing person; if you are the victim of a crime, if, under certain limited circumstances, we are unable to obtain your agreement •About a death we believe may be the result of criminal conduct •About criminal conduct at our facility •In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime Coroners, Medical Examiners, and Funeral Directors: We will release medical information to a coroner or medical examiner in the case of certain types of death, and we must disclose health records upon the request of the coroner or medical examiner. This may be necessary, for example, to identify you or determine the cause of death. We may also release the fact of death and certain demographic information about you to funeral directors as necessary to carry out their duties. Other disclosures from your health record will require the consent of a surviving spouse, parent, a person appointed by you in writing, or your legally authorized representative. National Security and Intelligence Activities: We will release medical information about you to authorized federal officials for intelligence, counter-intelligence, and other national security activities only as required by law or with your written consent. Protective Services for the President and Others: We will disclose medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons, or foreign heads of state, or conduct special investigations only as required by law or with your written consent. Correctional Institution: If you are an inmate of a correctional institution or under the custody of a law enforcement official, we will release medical information about you to the correctional institution or law enforcement official only as required by law or with your written consent. Right to an Accounting of Disclosures: You have the right to request an “accounting of disclosures.” This is a list of the disclosures we made of medical information about you. This list will not include disclosures for treatment, payment, and health care operations; disclosures that you have authorized or that have been made to you; disclosures for facility directories; disclosures for national security or intelligence purposes; disclosures to correctional institutions or law enforcement with custody of you; disclosures that took place before April 14, 2003; and certain other disclosures. To request this list of disclosures, you must submit your request in writing to EMS Management and Consultants, Inc., HIPAA Privacy Officer. Your request must state a time period for which you would like the accounting. The accounting period may not go back further than six years from the date of the request, and it may not include dates before April 14, 2003 . You may receive one free accounting in any 12-month period. We may charge you for additional requests. Right to a Paper Copy of This Notice: You have the right to receive a paper copy of this notice. You may print a copy of this notice from our website, www.emsbilling.info Changes to This Notice The effective date of this notice is April 14, 2003. We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for medical information we already have about you, as well as any information we receive in the future. If the terms of this notice are changed, EMS Management and Consultants, Inc. will post the revised notice on our web site and in designated locations at EMS Management and Consultants, Inc. Other Uses of Medical Information Except as described above, EMS Management and Consultants, Inc. will not use or disclose your protected health information without a specific written authorization from you. If you provide us with this written authorization to use or disclose medical information about you, you may revoke that authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose medical information about you for the reasons covered by your written authorization, except to the extent we have already relied on your authorization. We are unable to take back any disclosures we have already made with your permission, and we are required to retain our records of the care that was provided to you. Complaints If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with EMS Management and Consultants, Inc., you must submit your request in writing to our HIPAA Privacy Officer at the address below. You will not be penalized for filing a complaint. Attention: HIPAA Privacy Officer EMS Management and Consultants, Inc. 2540 Empire Drive Winston-Salem, NC 27103 Email: [email protected] Phone: 336-766-4448 Fax: 336-740-9791 HIPAA Security Standards for the Protection of Electronic Protected Health Information (ePHI) THIS NOTICE DESCRIBES HOW ELECTRONIC MEDICAL INFORMATION ABOUT YOU IS PROTECTED TO ENSURE THAT ONLY THOSE WHO SHOULD HAVE ACCESS TO EPHI WILL HAVE ACCESS TO IT WITH REGARDS TO APPROPRIATE ADMINISTRATIVE, PHYSICAL AND TECHNICAL SAFEGUARDS. PLEASE REVIEW IT CAREFULLY. EMS Management and Consultants, Inc. NOTICE OF SECURITY STANDARDS PRACTICES EMS Management and Consultants, Inc. is committed to safeguarding the privacy and confidentiality of patients' electronic protected health information (ePHI). It is our policy to be in compliance with the requirements of federal and state laws related to protecting electronic health information, including the Security Standards for the Protection of Electronic Protected Health Information. (45 CFR, Parts 160 and 164, Subparts A and C, commonly called the “Security Rule”). This notice explains how ePHI that is provided to us, maintained by us, and shared with others by us is safeguarded to protect the confidentiality, integrity and availability of the data while in an electronic format. We are required by law to make sure that ePHI that identifies you is kept private, complete, and assessable with reasonable administrative, physical, and technical safeguards. EMS Management and Consultants, Inc. is a covered entity providing billing and collection services. We will use appropriate security measures that will prohibit against inappropriate use or disclosure, improper altercation or destruction, and establish recovery processes that will ensure ePHI is available when needed. Administrative Safeguards – Section 164.308 Security Management Processes •Assess, analyze, and manage the risk of concepts and practices •Employ security measures sufficient to reduce risk •Uphold a sanction policy against workforce members who fail to comply with security policies •Conduct procedures to regularly review records of information systems activities Assigned Security Responsibility •Identify the security official who is responsible for the development of the policies and procedures Workforce Security •Establish procedures for the authorization and/or supervision of workforce members •Demonstrate that the access of a workforce member is appropriate •Properly remove access when employment ends or is no longer deemed appropriate Information Access Management •Ensure proper protection from unauthorized access from other parts of our organization •Grant appropriate access to ePHI through access to a workstation, transaction, program, or process •Review authorization policies for a user’s right of access to a workstation, transaction, program, or process Security Awareness and Training •Conduct security awareness and training programs for all members of our company •Guard against and detect malicious software programs •Monitoring log-in attempts and guard against intrusions •Engage in creating, changing, and safeguarding passwords Security Incident Procedures •Identify and respond to suspected or known security incidents •Report and document security incidents and their outcomes Contingency Plan •Respond to emergency or other occurrences that damage systems that contain ePHI •Conduct a data backup plan that will create and maintain retrievable exact copies of ePHI •Participate in and implement procedures to avoid and recovery data in the event of a disaster •Engage in procedures that will enable continuation of critical business processes for protection of ePHI while in the operation of emergency mode •Participate in periodic testing and revision of backup, continuation, and recovery plans •Continue to assess the relative criticality of specific applications and data in support of contingency plan components Evaluation •Periodically review and maintain reasonable and appropriate security measures to comply with the Security Rule Business Associate Contracts and Other Arrangements •When we must enter into a contract or other arrangement with persons or businesses that meet the definition of business associate we will appropriately safeguard ePHI by obtaining assurance that the business associate will meet applicable requirements through a written contract Physical Safeguards – Section 164.310 Facility Access Controls •Safeguard and limit physical access of our ePHI and the facilities in which they are housed •Allow facility access in support of data and system restoration in the event of disaster recovery •Secure all facilities against unauthorized access •Validate a person’s access to facilities based on their roles and functions •Document repairs and modifications to the physical components of the facilities which are related to security Workstation Use •Engage in proper functions to be preformed, the manner in which the functions are to be preformed and the physical attributes surrounding the workstations Workstation Security •Workstation use and accessibility will be restricted to authorized users only Device and Media Control •Secure and govern the receipt and removal of hardware and electronic media that contain ePHI Technical Safeguards – Section 164.312 Access Control •Allow access on systems that contain ePHI to only those persons or software programs that have been granted access •Track and identify user by name and/or number when accessing information systems •Document procedures for obtaining necessary ePHI during an emergency •Electronically terminate all person or software session after a predetermined time of inactivity •Employ methods to encrypt and decrypt ePHI when necessary •Record and examine activity in information systems that contain ePHI Integrity •Protect ePHI from improper alteration and destruction •Automatically check for data integrity with check sum verifications or digital signatures Person or Entity Authentication •Verify that person or entity seeking access is authentication by proper identification Transmission Security •Guard against unauthorized access to ePHI that is being transmitted over electronic communication networks •Secure ePHI to ensure that it is not improperly modified through proper communication protocols •Implement technologies to encrypt ePHI Organization Requirements – Section 164.314 Business Associates Contracts or Other Arrangements •Ensure that any business associates will provide safeguards to protect ePHI and ensure that the associate agrees to implement reasonable protection of ePHI Policies and Procedures and Documentation Requirements – Section 164.316 •Policies and Procedures will reflect the mission and culture of our organization thereby enabling our company to use current standard business practices for policy development and implementation Documentation •We will maintain the policies and procedures in written form and if action, activity or assessment is required to be documented we will maintain a written record of that Time Limit •We will retain this document for six years from the date of its creation or the date when it last was in effect, whichever is later Availability •This document is available to those persons responsible for implementing the procedures to which the document pertains Updates •We will review this documentation periodically and update it as needed, in response to environment and operational changes affecting the security of the ePHI. Right to a Paper Copy of This Notice: You have the right to receive a paper copy of this notice. You may print a copy of this notice from our website, www.emsbilling.info Changes to This Notice The effective date of this notice is April 20, 2005. We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for medical information we already have about you, as well as any information we receive in the future. If the terms of this notice are changed, EMS Management and Consultants, Inc. will post the revised notice on our web site and in designated locations at EMS Management and Consultants, Inc. Complaints If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with EMS Management and Consultants, Inc., you must submit your request in writing to our HIPAA Security Officer at the address below. You will not be penalized for filing a complaint. Attention: HIPAA Security Officer EMS Management and Consultants, Inc. 2540 Empire Drive Winston-Salem, NC 27103 Email: [email protected] Phone: 336-766-4448 Fax: 336-740-9791