1. Privacy Officer and Contact Person  
   Nancy Atman will be the Privacy Officer for the Company. The Privacy Officer will be responsible for the development and implementation of policies and procedures relating to privacy, including but not limited to this Privacy Policy and the Company's more detailed use and disclosure procedures. The Privacy Officer will also serve as the contact person for those who have questions, concerns or complaints about the privacy of their PHI.
2. Workforce Training
   The Company's policy is to train those employees who have access to PHI on its privacy policies and procedures. The Privacy Officer will develop training schedules and programs so that all workforce members receive the training necessary and appropriate to permit them to carry out their functions which may involve PHI.
3. Technical and Physical Safeguards
   The Company will establish appropriate technical (if and when PHI is stored electronically) and phys ical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA's requirements. Technical safeguards include limiting access to information by creating computer firewalls if and when PHI is stored electronically. Physical safeguards include locking doors or filing cabinets where PHI is stored.
4. Privacy Notice
   The Privacy Officer is responsible for developing and maintaining a notice of the Company's privacy practices that describes:
   
   
   • the uses and disclosures of PHI that may be made by the Company;
   • the individual's rights; and
   • the Company's legal duties with respect to the PHI.
   The notice of privacy practices will be made available to others upon written request.
5. Complaints
   The Privacy Officer, Nancy Atman, will be the Company's contact person for receiving complaints. The Privacy Officer is responsible for creating a process for individuals to lodge complaints about the Company's privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any employee or other individual upon request.
6. Sanctions for Violations of Privacy Policy>
   Sanctions for using or disclosing PHI in violation of this HIPAA Privacy Policy will be imposed in accordance with the Company's employment discipline policies and practices, up to and including termination.
7. Mitigation of Inadvertent Disclosures of Protected Health Information
   The Company shall mitigate, to the extent possible, any harmf ul effects that become known to it of a use or disclosure of an individual's PHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee or anyone else becomes aware of a disclosure of PHI, either by an employee o f the Company or an outside consultant/contractor that is not in compliance with this Policy, that employee or anyone else should immediately contact the Privacy Officer so that the appropriate steps to mitigate harm can be taken.
8. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
   No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

   No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment, or eligibility for any benefit or any other product or service provided by the Company.

9. Documentation
   The Company's privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirem ents, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.

   If a change in law impacts the privacy notice, the privacy policy must promptly be revised and made available. Such change is effective only with respect to PHI created or received after the effective date of the notice. The Company shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual's privacy rights. The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form.

Policies on Use and Disclosure of PHI

1. Use and Disclosure Defined
   The Company will use and disclose PHI only as permitted under HIPAA. The terms "use" and "disclosure" are defined as follows:
   
   
   • Use. The sharing, employment, application, utilization, examination or analysis of individually identifiable health information by any employee or by a Business Associate (defined below) gained in connection with transacting the Company's business.
   • Disclosure. For information that is protected health information, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons necessary for the transaction of the Company's business.
2. Access to PHI is Limited to Certain Employees
   In addition to those with access to PHI in the course of conducting Company business, the following employees ("employees with access") have access to all PHI:
   
   
   • President
   • CFO
   • Vice President of IT and Project Management
   • Secretary
   • HR Manager
   • HR Assistants and Associates
   • Privacy Officer
   
   These employ ees, and their designees, may use and disclose PHI for the proper transacting of the Company's business. The enumerated individuals with access may not disclose PHI to employees (other than to other employees with proper access) unless an authorization is in place or the disclosure otherwise is in compliance with this Policy. Employees who have access to PHI must comply with this Policy.
3. Permitted Uses and Disclosures
   PHI of individuals may be disclosed for all proper purposes in transacting Compan y business which are consistent with HIPAA and this Policy.
4. Mandatory Disclosures of PHI: to Individual and DHHS
   PHI must be disclosed as required by HIPAA where the disclosure is made to the U.S. Department of Health and Human Services for purposes of enforcing of HIPAA.
5. Permissive Disclosures of PHI: for Legal and Public Policy Purposes
   PHI may be disclosed in certain circumstances, including the following circumstances without prior authorization, when specific requirements are satisfied, inc luding prior approval of the Company's Privacy Officer. Permitted disclosures are:



1. about victims of abuse, neglect, or domestic violence, if:
   
   
   • the individual agrees with the disclosure; or
   • the disclosure is expressly authorized by statute or regula tion and the disclosure prevents harm to the individual (or other victim) or the individual is incapacitated and unable to agree and information will not be used against the individual and is necessary for an imminent enforcement activity. In this case, t he individual must be promptly informed of the disclosure unless this would place the individual at risk or if the informing would involve a personal representative who is believed to be responsible for the abuse, neglect, or violence.
2. for judicial and administrative proceedings in response to:
   
   
   • an order of a court or administrative tribunal (disclosure must be limited to PHI expressly authorized by the order); and
   • a subpoena, discovery request, or other lawful process, not accompanied by a court order or administrative tribunal, upon receipt of assurances that the individual has been given notice of the request, or that the party seeking the information has made reasonable efforts to receive a qualified protective order.
3. for law enforcement purposes, if:
   
   
   • pursuant to a process and as otherwise required by law, but only if the information sought is relevant and material, the request is specific and limited to amounts reasonably necessary, and it is not possible to use de - identified information;
   • information requested is limited information to identify or locate a suspect, fugitive, material witness, or missing person;
   • information about a suspected victim of a crime (1) if the individual agrees to disclosure, or (2) without agreement from the individual, if the information is not to be used against the victim, if need for information is urgent, and if disclosure is in the best interest of the individual;
   • information about a deceased individual upon suspicion that the individual's death resulted from criminal conduct; or
   • information that constitutes evidence of criminal conduct that occurred on the Company's premises.
4. to a coroner or medical examiner about decedents, for the purpose of identifying a deceased person, determining the cause of death, or other duties as authorized by law;
5. that relate to workers' compensation programs, to the extent necessary to comply with laws relating to workers' compensation or other similar programs; and
6. for other legal or public policy purposes authorized by the HIPAA Privacy Regulations, 45 C.F.R. § 164.512.
6. Complying With the "Minimum-Necessary" Standard
   Minimum Necessary When Disclosing and Requesting PHI. For making disclosures or requests for PHI to any party for any purpose, information must be the minimum necessary to accomplish the purpose of the disclosure.

   The "minimum-necessary" standard does not apply to any of the following:
   
   

   • uses or disclosures made to the individual;
   • uses or disclosures made pursuant to a valid authorization;
   • disclosures made to the Department of Labor;
   • uses or disclosures required by law; and
   • uses or disclosures required to comply with HIPAA.
7. Disclosures of PHI to Business Associates
   Employees with access may disclose PHI to the Company's business associates and allow the Company's business associates to create or receive PHI on its behalf. However, prior to doing so, the Company must first obtain assurances from the business associate that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a "business associate," employees with access must contact the Privacy Officer and verify that a business associate contract is in place.

   Business Associate is an entity that:
   
   

   • performs or assists in performing function or activity involving the use and disclosure of protected health information (including claims processing or administration, data analysis, underwriting, etc.); or
   • provides legal, accounting, actuarial, consulting, d ata aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.
8. Disclosures of De-Identified Information
   The Company may freely use and disclose de -identified information. De -identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de -identified: either by professional statistical analysis, or by removing 18 specific identifiers specified in 45 C.F.R. § 164.514.
9. Requests for Disclosure of PHI From Spouses, Family Members, and Friends
   The Company will not disclose PHI to family and friends of any individual except as required or permitted by HIPAA. Generally, an authorization is required before another party, including spouse, family member, or friend, will be able to access PHI.

   If the request for disclosure of an individual's PHI is from a spouse, family member, or personal friend of an individual, and the spouse, family member, or personal friend is either (1) the parent of the individual and the individual is a minor child; or (2) the personal representative of the individual, then the PHI may be released by following the procedure below for "Verification of Identity of Those Requesting Protected Health Information."

   All other requests from spouses, family members, and friends must be authorized by the individual whose PHI is involved pursuant to the procedures for "Disclosures Pursuant to Individual Authorization."

10. Verification of Identity of Those Requesting Protected Health Information
    The identity of individuals who request access to PHI will be verified. The authority of any person requesting access to PHI will be verified if the identity or authority of such person is not known.

    Request Made by Individual. When an individual requests access to his or her own PHI, the individual must present a valid driver's license, passport, or other photo identification issued by a government agency, which will be copied and filed with the individual's designate d record set.

    Request Made by Parent Seeking PHI of Minor Child. When an individual parent requests access to the PHI of the parent's minor child, the person's relationship with the child will be verified, and the same identification procedure will be followed as for an individual request.

    Request Made by Personal Representative. When a personal representative requests access to an individual's PHI, a valid power of attorney will be copied and filed with the individual's designated record set.

    Request Made by Public Official. If a public official requests access to PHI, and if the request is for one of the purposes set forth above in "Mandatory Disclosures of PHI," or "Permissive Disclosures of PHI," the following steps will be followed to verify the official's identity and authority:




• An agency identification badge, other official credentials, or other proof of government status will be copied and filed with the individual's designated record set.
• If the request is in writing, it will be verified t hat the request is on the appropriate government letterhead.
• If the request is by a person purporting to act on behalf of a public official, a written statement on appropriate government letterhead will be requested stating that the person is acting under the government's authority, or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.
• A written statement of the legal authority under which the information is requested or, if a written statement would be impracticable, an oral statement of such legal authority will also be required. If the individual's request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal, contact the Company's President.

::ODMA\PCDOCS\GRR\812829\3