The Health Insurance Portability and Accountability Act (HIPAA) mandated that the Department of Health and Human Services create federal regulations to set standards for the use, disclosure, safeguarding, tracking and disposal of Protected Health Information (PHI). In order to assure adherence to those regulations Metro Medical Billing, Inc. has adopted the following policies and procedures.

B. Privacy Rules Summary

1. Identify what information and entities are covered
2. Define which health information may be used and disclosed with and without the patients consent
3. Requires providing written notice to the patient describing the covered entity’s privacy policies
4. Requires a good faith effort to secure the patient signature on the privacy rights notice
5. Authorizes patients to request a restricted use and disclosure of certain health information
6. Gives patients the rights to review their health records
7. Requires covered entities to track and log certain disclosures of health information
8. Requires the appointment of a privacy officer
9. Requires covered entities to establish written agreement with their business associates
10. Mandates reasonable safeguards for the handling of patients records
11. Allows the states to adopt and enforce privacy rules if they are more stringent that federal rules

B. Uses of PHI - With patient authorization. PHI may also be used for any purpose authorized in writing in advance by the patient. If Metro Medical Billing, Inc. intends to use the PHI for any purpose other that described in above, a written authorization, signed by the patient is required. The authorization must identify all uses to which Metro Medical Billing Inc. intends or expects the PHI may be used and for whom the PHI may be disclosed. A signed copy of the authorization will be kept in the patient medical record.

1. Refusal to sign - use of PHI. If the patient declines to sign the authorization form, Metro Medical Billing Inc. is nevertheless permitted to make disclosures of PHI consistent with the privacy policy. 2. Refusal to sign - documented. If the patient declines to sign an authorization form, that refusal to sign will be noted on the form and a copy of the form will be placed in the patients file. If a patient declines to sign an authorization, the PHI can only be used for limited purposes described above.

1. Uses. It is Metro Medical Billing Inc. policy that a signed authorization must be obtained before any PHI is used for any purpose other than that permitted by the privacy regulations. 2. Conditional Authorizations. Metro Medical Billing Inc. will not require a patient to sign any authorization as a condition of health care billing.

C. Authorizations - Reliance on Third Parties. If a third party provides Metro Medical Billing Inc. any PHI for the purposes other than permitted in The privacy rule, Metro Medical Billing, Inc. shall require that third party to Provide it with a current valid authorization signed by the patient which expressly permit’s the intended use of the PHI.

1. Disclosure to Third Parties. No Employee is permitted to disclose PHI to any third party unless such disclosures are required in order to carry out the employee’s job and only in accordance with these policies.

C. Electronic PHI (EPHI overview- see the full policy covering EPHI)

1. Storage. Access to all PHI created or stored in electronic format, shall be protected by commercially appropriate anti-hacker and anti-virus software. The data shall be backed up per Metro Medical Billing Inc. policy and stored in a secure off site location. All archived PHI shall be maintained at a site with appropriate security to prevent unauthorized access.
2. Access. All PHI access shall be exclusively through the use of Pre-assigned controls solely to authorized employees. Temporary access may be granted to consultants and others as deemed necessary. Unique passwords will be given and then removed after completion of assigned work.

1. Storage of all PHI shall be in locked file cabinets or locked Rooms which are secured to prevent access by unauthorized Access.

F. Destruction and Disposal. When Metro Medical Billing Inc. no longer requires PHI in whatever form, it shall be returned to the appropriate party as may be called for in a written agreement. Otherwise, all PHI whether paper or electronic or copies shall be destroyed in a commercially reasonable fashion designed to assure that it cannot be read or accessed.

B. Accounting For Disclosures. Metro Medical Billing Inc shall maintain a written record of all disclosures of PHI using a disclosure log, (except for those described in the privacy policy, permitted incidental disclosures and disclosures made in accordance with a valid ’Business Associate Agreement’)

1. Reporting Disclosures to patients. By regulation, each patient is permitted a single accounting of PHI disclosures once a year. All accountings to patient shall be made in writing and only if the request is received in writing and signed by the patient.

B. Patient Request. Patients have a right to request their PHI be corrected. However, Metro Medical Billing Inc. is required to make corrections requested by a patient only if the request is necessary to correct a material error in the PHI.

1. In Writing. Any patient request to change PHI shall be in writing, signed and dated by the patient and must state with clarity the reason for the reason for the requested changed. If Metro Medical Billing Inc. declines to make the requested change, the patient will be informed of the decision and the reason for the action.
2. Decisions. Any decision to approve or refuse a patient's request shall be made to the security officer. The patient shall also be advised that Metro Medical Billing Inc. reserves the right to inform all third parties to whom the inaccurate PHI was previously provided.

B. Metro Medical Billing Inc. Policy. Under some circumstances, Metro Medical Billing Inc. can be held liable for the actions of its employees which violate the privacy rules. Metro Medical Billing Inc. has therefore established specific internal discipline for employees.

A. Employees - Non Disclosure. A violation of an internal policy or procedure which does not result in a prohibited use or disclosure of PHI. First Offense - Letter of reprimand. Second Offense - punishment up to but not including termination. Third Offense - Termination

B. Disclosure. A violation of an internal policy or procedure which does result in a disclosure of PHI:
Negligent disclosure - first offense: up to suspension
Second offense: Termination
Reckless or intentional disclosure - First offense: up to and including
Termination. Second offense: Termination
Disclosure for profit. First offense: Termination
Disclosure that results in embarrassment or ridicule to the patient or
Was intended to have such a result - First offense: Termination
Disclosure to the Media with the intent or expectation that it would Be published - First offense: Termination.