Privacy Protections
New Hope CORPS HIPAA Privacy Policy
Review Date: April 29, 2024
I. Designation of Privacy and Contact Officials
Definition
- Protected Health Information (PHI): Any individually identifiable information relating to a person’s health or that of a person’s healthcare provider that could be used to identify the person.
In compliance with 45 CFR 164.530(a)(1)(i), New Hope CORPS has designated the following member of its staff as the agency's Privacy Officer, responsible for the development and implementation of HIPAA policies and procedures. Furthermore, New Hope CORPS has designated her as the Contact Person available to receive complaints and to provide information about our Notice of Privacy Practices, in accordance with 45 CFR 164.530(a)(1)(ii):
Maritza Carvajal, MCAP, BHCMS, FM
Director of QA/HR
New Hope CORPS, Inc.
1020 N Krome Avenue
Homestead, FL 33030
II. Training and Documentation
New Hope CORPS shall ensure that all members of its staff receive training on the HIPAA Privacy Rule as specified by 45 CFR 164.530(b). New members shall receive training within a reasonable period of joining our workforce. Additionally, any changes to policies or procedures will be communicated and training provided in a timely manner. Documentation of such training is maintained in accordance with organizational policies and federal regulations.
III. Complaint Process
In line with 45 CFR 164.530(d)(1), New Hope CORPS has established the following process for individuals to lodge complaints concerning our privacy practices or our compliance with these practices. All complaints and their dispositions are documented as mandated by 45 CFR 164.530(d)(2).
Procedure for Handling Privacy Complaints at New Hope CORPS
Objective:
To establish a standardized procedure for handling complaints related to privacy practices at New Hope CORPS, in compliance with 45 CFR 164.530(d)(1) and 45 CFR 164.530(d)(2).
Scope:
This procedure applies to all complaints received concerning the privacy practices of New Hope CORPS or its compliance with these practices.
Procedure:
- Receiving Complaints:
  - Complaints may be submitted by individuals via email, postal mail, telephone, or in person.
  - All complaints must be directed to the designated Privacy Officer at New Hope CORPS.
- Logging Complaints:
  - Upon receipt, the Privacy Officer logs each complaint in the Privacy Complaint Register. The register includes the date received, the nature of the complaint, and the contact information of the complainant.
  - The Privacy Officer assigns a unique identifier to each complaint for tracking purposes.
  - The Privacy Officer notifies all parties involved, including affected individuals, funding sources, and the licensing body.
- Acknowledgement of Complaints:
  - The Privacy Officer acknowledges receipt of the complaint to the complainant within five business days, providing the complainant with the assigned complaint number and an overview of the complaint process.
- Investigation:
  - The Privacy Officer investigates the complaint, gathering relevant information and documentation. This may involve interviewing staff members, reviewing privacy policies, and other relevant actions.
  - The investigation should be thorough and impartial, aiming to conclude within 30 days of receipt of the complaint.
- Resolution and Response:
  - Upon completing the investigation, the Privacy Officer determines the appropriate course of action and documents the decision.
  - The complainant is informed of the outcome of the investigation and any actions taken or to be taken. This communication should occur no later than five business days after the conclusion of the investigation.
- Documentation:
  - Detailed records of each complaint, the investigation process, and the resolution are maintained as required by 45 CFR 164.530(d)(2).
  - All documentation is kept secure and confidential, accessible only to authorized personnel.
- Review and Improvement:
  - The Privacy Officer periodically reviews all lodged complaints and their dispositions to identify patterns or recurring issues that may require changes in privacy practices or additional staff training.
  - Recommendations for improvements are submitted to the management team for consideration.
Documentation Retention:
- All records related to privacy complaints and their resolutions are retained for a minimum of seven years from the date of their creation or the date when they were last in effect, whichever is later.
Training:
- All staff members are trained on this complaint handling procedure as part of their initial onboarding and receive annual refresher training to ensure they understand their roles and responsibilities concerning privacy practices.
This procedure ensures that New Hope CORPS remains compliant with HIPAA regulations, respecting the privacy and security of all personal information and handling any concerns promptly and effectively.
IV. Non-Intimidation and Non-Retaliation
New Hope CORPS refrains from any acts of intimidation or retaliation against individuals exercising their rights under HIPAA, as stated in 45 CFR 164.530(g).
V. Non-Waiver of Rights
New Hope CORPS does not require individuals to waive their rights under HIPAA as a condition of treatment or benefits eligibility, adhering to the stipulations of 45 CFR 164.530(h).
VI. Amendments to PHI
In accordance with 45 CFR 164.526(a)(1), New Hope CORPS has created the following procedures to amend protected health information as requested or agreed upon.
Procedure:
- Request for Amendment:
  - Individuals wishing to request an amendment to their PHI must submit their request in writing to the Privacy Officer. The request must clearly identify the information to be amended and the basis for the amendment.
  - A standard form for requesting amendments will be provided to individuals upon request and is also available on the New Hope CORPS website.
- Receipt and Logging of Requests:
  - The Privacy Officer logs each request upon receipt, recording the date received, the nature of the request, and the requester's contact information.
  - The requester is provided with an acknowledgment of receipt within five business days.
- Review of Request:
  - The Privacy Officer reviews the request to determine if the amendment is warranted under the HIPAA guidelines, which typically include reasons such as the information being inaccurate or incomplete.
  - The Privacy Officer may consult with relevant healthcare providers or the person who originally recorded the information, if necessary, to assess the validity of the request.
- Decision and Notification:
  - The decision to amend or deny the request must be made no later than 60 days after receipt of the request. If additional time is needed, the requester may be notified of the delay and the reasons for it, and the decision period may be extended by no more than 30 additional days.
  - If the amendment is approved, New Hope CORPS will make the appropriate amendment to the PHI and inform the requester that the changes have been made.
  - If the request is denied, the requester will be informed in writing of the decision and the reasons for the denial, along with their rights to submit a written disagreement and to have the request and denial, along with any statement of disagreement, appended to their PHI.
- Implementation of Amendments:
  - If an amendment is made, New Hope CORPS will make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified by the individual as needing the amended information, and to persons, including business associates, who might have relied on, or could foreseeably rely on, the information to the detriment of the individual.
  - All amendments will be documented in the individual's health records, including the date of amendment and a link or reference to the original information.
- Documentation and Record-Keeping:
  - Documentation of all requests, communications, decisions, and actions related to amendments of PHI will be maintained by the Privacy Officer for at least seven years from the date of its creation or the date when it was last in effect, whichever is later.
  - These records will be maintained in a manner that preserves their confidentiality and security.
This procedure ensures that New Hope CORPS remains compliant with the HIPAA regulations concerning the amendment of PHI, respecting the rights of individuals to correct their health information and ensuring the accuracy and integrity of the records maintained by New Hope CORPS.
VII. Accounting of Disclosures
New Hope CORPS maintains records and provides accounting of disclosures of protected health information as required by 45 CFR 164.528.
VIII. Safeguarding PHI
New Hope CORPS follows the Administrative Safeguards set forth in 45 CFR 164.308 to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).
IX. Business Associate Agreements
Appropriate assurances are obtained from business associates and subcontractors who handle ePHI on behalf of New Hope CORPS, fulfilling the requirements of 45 CFR 164.308(b)(1) and (b)(2), as well as the relevant sections of the HITECH Act.
X. Sanctions Policy
Pursuant to 45 CFR 164.308(a)(1)(ii)(C) and 164.530(e)(1), New Hope CORPS has a sanctions policy to address non-compliance with HIPAA policies by workforce members or business associates.
Procedure for Implementing Sanctions for HIPAA Non-Compliance at New Hope CORPS
Objective:
To outline a clear and enforceable sanctions policy at New Hope CORPS for addressing non-compliance with HIPAA policies by workforce members or business associates, in accordance with 45 CFR 164.308(a)(1)(ii)(C) and 164.530(e)(1).
Scope:
This procedure applies to all workforce members, including employees, volunteers, trainees, and other persons whose conduct, in the performance of work for New Hope CORPS, is under the direct control of New Hope CORPS, whether or not they are paid by the organization. It also extends to business associates if stipulated in the respective business associate agreements.
Procedure:
- Identification of Non-Compliance:
  - Non-compliance can be identified through routine audits, compliance reviews, incident reporting systems, or during investigations of reported breaches.
  - All identified cases of non-compliance must be reported immediately to the designated Privacy Officer.
- Initial Assessment:
  - The Privacy Officer conducts a preliminary assessment to determine the severity of the non-compliance.
  - If the non-compliance involves a business associate, the Privacy Officer will review the terms of the business associate agreement to determine the appropriate response.
- Investigation:
  - A formal investigation is initiated if the initial assessment indicates potential serious non-compliance.
  - The investigation will gather all relevant facts, including interviewing witnesses, reviewing relevant documents, and other necessary actions.
  - The investigation must be impartial and thorough, aiming to conclude within an established timeframe, typically no longer than 30 days from initiation.
- Decision on Sanctions:
  - Based on the investigation findings, the Privacy Officer, in consultation with Human Resources and legal counsel if necessary, determines the appropriate sanction(s).
  - Sanctions may range from written warnings to termination of employment or contract, depending on the severity of the violation.
  - Factors considered in determining sanctions include the nature and extent of the harm resulting from the violation, the history of previous violations by the individual or entity, and whether the violation was intentional or unintentional.
- Implementation of Sanctions:
  - Sanctions are promptly implemented according to the decision.
  - In cases involving business associates, actions may include modification of the contract terms, suspension of services, or termination of the agreement, as stipulated in the business associate agreement.
- Notification and Documentation:
  - The individual or entity subject to sanctions will be notified in writing of the decision and the reasons for the sanctions.
  - All decisions and actions related to sanctions will be documented, including the rationale for the level of sanction applied. These documents will be retained for a minimum of six years from the date of the sanction implementation.
- Appeal Process:
  - The sanctioned party has the right to appeal the decision. The appeal must be submitted in writing to the Privacy Officer within 15 days of receiving the sanction notification.
  - The appeal will be reviewed by a panel composed of the Privacy Officer, a representative from Human Resources, and another senior management member not involved in the initial decision.
  - The decision of the appeal panel is final and will be communicated to the appellant within 30 days of the appeal submission.
- Training and Awareness:
  - All workforce members and relevant business associates are trained on this sanctions policy as part of their initial training and through annual refresher courses.
  - This training emphasizes the importance of compliance with HIPAA regulations and the consequences of non-compliance.
This procedure ensures that New Hope CORPS maintains a robust compliance environment that addresses and corrects HIPAA non-compliance effectively, thereby protecting the privacy and security of all protected health information handled by the organization.
XI. Security Management
New Hope CORPS has appointed a Security Official responsible for the development and implementation of the policies and procedures required by 45 CFR Part 164, Subpart C. The appointed Security Official is:
James Doughterty, BA
Director of Operations
New Hope CORPS
1020 N Krome Avenue
Homestead, Florida 33030
Tel 786-243-1003 Ext 217
XII. Risk Analysis and Management
Consistent with 45 CFR 164.308(a)(1)(ii)(A) and (B), New Hope CORPS conducts thorough risk analyses and implements security measures to mitigate identified risks as outlined in its plan.
XIII. Facility and Technical Safeguards
New Hope CORPS implements Physical and Technical Safeguards as per 45 CFR 164.310 and 164.312 to protect ePHI.
XIV. Notice of Privacy Practices
New Hope CORPS provides a Notice of Privacy Practices that meets the content requirements of 45 CFR 164.520(b) and is made available to individuals per 45 CFR 164.520(c).
XV. Amendments to the Policy
New Hope CORPS reserves the right to amend this policy and will provide individuals with a revised notice.
Contact Information for Privacy Concerns:
Privacy Official: Maritza Carvajal
Tel 786-243-1003 Ext 223
Email: mcarvajal@newhopecorp.org
XVI. Individual Rights
New Hope CORPS acknowledges and upholds individual rights under HIPAA, including but not limited to:
- The right to request restrictions on uses and disclosures of PHI (45 CFR 164.520(b)(1)(iv)(A)).
- The right to receive confidential communications (45 CFR 164.520(b)(1)(iv)(B)).
- The right to inspect and copy PHI (45 CFR 164.520(b)(1)(iv)(C)).
- The right to amend PHI (45 CFR 164.520(b)(1)(iv)(D)).
- The right to receive an accounting of disclosures (45 CFR 164.520(b)(1)(iv)(E)).
XVII. Notice of Privacy Practices
New Hope CORPS’s Notice of Privacy Practices:
- Is written in plain language (45 CFR 164.520(b)(1)).
- Includes all required elements as listed in the CFR and as pertains to New Hope CORPS.
- Is available upon request and prominently posted and available at service delivery sites (45 CFR 164.520(c)(2)(iii)(A) and (B)).
XVIII. Changes to Privacy Practices
New Hope CORPS reserves the right to change its privacy practices as stated in the notice (45 CFR 164.520(b)(1)(v)(C)).
XIX. Filing Complaints
Individuals may file complaints directly with New Hope CORPS or with the Secretary of the U.S. Department of Health and Human Services if they believe their privacy rights have been violated. New Hope CORPS will not retaliate against anyone for filing a complaint (45 CFR 164.520(b)(1)(vi)).
XX. Contact Information for Filing Complaints
For further information or to file a complaint, please contact:
Privacy Official: Maritza Carvajal
1020 N Krome Avenue
Homestead, FL 33030
Tel 786-243-1003 Ext 223
Email: mcarvajal@newhopecorp.org
XXI. Effective Date and Notice
New Hope CORPS will alert individuals to any policy changes and provide them with the updated policy as required (45 CFR 164.520(b)(1)(viii)).
XXII. Documentation and Record Retention
New Hope CORPS will maintain all records related to its HIPAA compliance efforts, including training documentation, complaint records, and updates to policies and procedures. All documentation will be retained for the time period required by law, which is typically six years from the date of its creation or the date when it was last in effect, whichever is later (45 CFR 164.530(j)).
XXIII. Data Breach Procedures
In accordance with 45 CFR 164.410 and Section 3.b.(ii) of the Business Associate Agreement, New Hope CORPS has implemented the following policies and procedures for reporting any unauthorized use or disclosure of PHI. In case of a breach, New Hope CORPS will notify affected individuals, the Secretary of Health and Human Services, the licensing body, funding sources, and potentially the media, in a manner consistent with the law and without unreasonable delay.
These Data Breach Policies and Procedures are established to comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations, particularly 45 CFR 164.410, the Business Associate Agreement with SFBHN, and Standard Contract ME225-XX-37. They outline the steps New Hope will take to identify, report, and mitigate potential or actual breaches of protected health information (PHI).
Definitions
- Breach: The unauthorized acquisition, access, use, or disclosure of PHI.
- Potential Breach: An event that poses a risk of unauthorized access to PHI.
Identifying a Breach
New Hope shall implement these procedures to detect and investigate potential or actual breaches of PHI. This may include:
- Regular security risk assessments.
- Monitoring system activity logs.
- Employee training to identify and report suspicious activity.
- Receiving reports from individuals suspecting a breach.
Reporting a Breach
In the event of a suspected or confirmed breach, New Hope will take the following actions:
- Internal Notification:
  - Immediately notify internal personnel, including the Security Officer, Privacy Officer, and relevant managers.
  - Initiate an investigation to determine the nature and scope of the breach.
- Reporting to SFBHN:
  - Notify the SFBHN Security Officer, Privacy Officer, and Contract Manager within four (4) business days of determining a potential or actual breach.
  - The notification will include details of the breach, including the date, affected individuals (if known), and the steps New Hope is taking to mitigate the breach.
- Notification to the Department of Health and Human Services (HHS):
  - New Hope will follow the Department of Health and Human Services (HHS) guidelines to determine if notification to HHS is required.
  - If HHS notification is required, New Hope will notify the SFBHN Privacy Officer and Contract Manager within twenty-four (24) hours of receiving notification from HHS.
- Notification to Affected Individuals:
  - If the breach affects a significant number of individuals (as defined by HHS regulations), New Hope will provide written notification to the affected individuals within thirty (30) days of determining the breach.
  - The notification will explain the nature of the breach, the affected information, steps individuals can take to protect themselves, and contact information for New Hope.
Mitigation Procedures
New Hope will take steps to mitigate any potential harm caused by a breach. This may include:
- Resetting passwords or access codes.
- Offering credit monitoring or identity theft protection services to affected individuals.
- Implementing additional security measures to prevent future breaches.
Subcontractor Requirements
New Hope will require all subcontractors to comply with these Data Breach Policies and Procedures. This will be achieved through contractual agreements that require subcontractors to:
- Implement procedures to identify and report breaches.
- Notify New Hope of any breaches involving New Hope data.
- Cooperate with New Hope’s breach response efforts.
Training
New Hope will provide regular training to all employees on HIPAA regulations and these Data Breach Policies and Procedures. The training will emphasize the importance of protecting PHI and how to identify and report potential breaches.
Review and Updates
New Hope will periodically review and update these Data Breach Policies and Procedures to ensure they remain compliant with HIPAA regulations and best practices.
Recordkeeping
New Hope will maintain records of all breaches, including the nature of the breach, the affected individuals, the actions taken to mitigate the breach, and any communications with SFBHN or HHS.
By implementing these Data Breach Policies and Procedures, New Hope is committed to protecting the privacy and security of PHI. We will take all necessary steps to identify, report, and mitigate any potential or actual breaches of PHI.
XXIV. Mitigation of Harm
In the event of a use or disclosure of PHI in violation of this policy, New Hope CORPS will mitigate, to the extent practicable, any harmful effect that is known. This includes taking immediate corrective actions to prevent further unauthorized use or disclosure and addressing any harmful consequences that may have occurred as a result of the breach (Business Associate Agreement, Amendment 3, Section 3.d.).
XXV. Privacy Policy Notice Distribution
New Hope CORPS shall provide the Notice of Privacy Practices to all individuals at the first service delivery and upon request. The notice will also be posted on the New Hope CORPS website to ensure accessibility (45 CFR 164.520(c)(2)(iii)(A) and (B)).
XXVI. Updates to Privacy Policy
New Hope CORPS acknowledges its duty to maintain up-to-date privacy policies. If New Hope CORPS decides to revise its privacy practices, the changes will be effective for all PHI that it maintains. Individuals will be informed of any significant changes to the policies through a revised notice that will be made available upon request and on the New Hope CORPS website (45 CFR 164.520(b)(1)(v)(C)).
XXVII. Policy Availability and Acknowledgment
A copy of this policy and any subsequent revisions shall be available to all members of the workforce, individuals receiving services, and other stakeholders as applicable. Acknowledgment of receipt of this policy will be documented for each individual served upon the first service delivery or enrollment.
XXVIII. Oversight and Enforcement
New Hope CORPS’s Privacy Officer is responsible for ongoing oversight and enforcement of the HIPAA Privacy Policy. This includes periodic risk assessments, monitoring compliance with the privacy practices, and ensuring that any privacy issues are resolved in accordance with the established procedures.
XXIX. Relations with Business Associates
New Hope CORPS ensures that all business associates who handle PHI on behalf of the organization agree to the same restrictions and conditions that apply to the organization regarding such information, as stipulated in 45 CFR 164.504(e) and the HITECH Act.
XXX. Governing Law
This HIPAA Privacy Policy shall be governed by and construed in accordance with federal HIPAA standards, state privacy laws, and any other applicable regulations. Should any conflict arise between state and federal laws, the law that provides the greater protection for PHI will be followed.
New Hope CORPS is committed to upholding the privacy and security of PHI and to adhering to the requirements set forth by HIPAA and the HITECH Act. This policy will be reviewed annually or upon the enactment of significant regulatory changes, and training will be provided to all members of the workforce to ensure continued compliance.