Last updated: June 01, 2025
This HIPAA Compliance Policy establishes CareAligns, Inc.'s commitment to protecting Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.
2.1 Protected Health Information (PHI)
Individually identifiable health information that is transmitted or maintained in any form or medium by CareAligns.
2.2 Covered Entity
Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
2.3 Business Associate
CareAligns, when performing services for Covered Entities that involve access to PHI.
3.1 Business Associate Status
When CareAligns provides services to healthcare providers (Covered Entities), we function as a Business Associate and comply with all applicable HIPAA requirements.
3.2 Direct Service Provider
When providing services directly to individuals, CareAligns may not be subject to HIPAA but voluntarily adopts HIPAA-level protections for all personal health information.
4.1 Minimum Necessary Standard
CareAligns accesses, uses, and discloses only the minimum amount of PHI necessary to accomplish the intended purpose.
4.2 Administrative Safeguards
• Designated Privacy Officer responsible for HIPAA compliance
• Workforce training on PHI protection requirements
• Access controls limiting PHI access to authorized personnel
• Incident response procedures for potential breaches
4.3 Physical Safeguards
• Secure facilities with controlled access
• Workstation security controls
• Device and media controls for PHI storage
4.4 Technical Safeguards
• Access controls with unique user identification
• Audit logs of PHI access and modifications
• Integrity controls ensuring PHI is not improperly altered
• Transmission security for electronic PHI
5.1 Treatment Coordination
PHI may be used and disclosed to facilitate treatment coordination between healthcare providers.
5.2 With Individual Authorization
PHI may be disclosed with valid written authorization from the individual.
5.3 Required by Law
PHI may be disclosed when required by federal, state, or local law.
6.1 Right to Access
Individuals have the right to access their PHI maintained by CareAligns.
6.2 Right to Amendment
Individuals may request amendments to their PHI.
6.3 Right to Restriction
Individuals may request restrictions on the use or disclosure of their PHI.
6.4 Right to Confidential Communications
Individuals may request communications of PHI by alternative means or at alternative locations.
6.5 Right to Accounting
Individuals may request an accounting of disclosures of their PHI.
7.1 Breach Identification
CareAligns maintains procedures to identify potential breaches of PHI.
7.2 Breach Assessment
All potential breaches are assessed to determine if notification is required under HIPAA.
7.3 Notification Requirements
• Individuals: Within 60 days of discovery
• Covered Entities: Without unreasonable delay, but no later than 60 days
• HHS: Within 60 days of discovery (for breaches affecting 500+ individuals)
All CareAligns workforce members with access to PHI receive training on:
• HIPAA requirements and CareAligns policies
• PHI protection procedures
• Incident reporting requirements
• Individual rights under HIPAA
9.1 Regular Audits
CareAligns conducts regular audits of PHI access and use.
9.2 Risk Assessments
Annual risk assessments identify potential vulnerabilities in PHI protection.
9.3 Corrective Actions
Appropriate corrective actions are implemented for any identified compliance issues.
If you have any questions about these Terms of Service, please contact us using the information provided below.
HIPAA Compliance Officer: Chet Khay
Email: hello@carealigns.com
Address: 159 E Huntington Dr., Suite 9, Arcadia, CA 91006
Phone: 844-441-2221