Under the HIPAA Privacy Rule, ACS is considered a Business Associate. This ACS HIPAA Compliance Statement is intended to inform our customers, most of whom are Covered Entities under HIPAA, that we are aware of their HIPAA requirements, understand the sensitivities and the seriousness associated with keeping patient healthcare data private and secure, and will do our part to help ensure that their patient data is kept confidential.
We have instituted policies and procedures to ensure that such data is kept confidential, including but not limited to the following:
Administrative Safeguards (HIPAA 164.308).
- Implementing a security management program including a risk analysis, a risk management plan, a sanction policy, an information system activity review, and evaluation
- Designating the security responsibilities of creating, maintaining, and training regarding our HIPAA policies and procedures to a HIPAA Security Officer
- Ensuring that all workforce members have appropriate access to Protected Health Information on a minimum necessary and need to know basis
- Training workforce members on an annual basis of security issues, HIPAA rules, and ACS Policies regarding such
- Executing a security incident program including response and reporting
- Annually reviewing procedures for a contingency plan including data backup, disaster recovery, and emergency mode operation
- Maintaining Business Associate Agreements with our providers considered Covered Entities and with our own Business Associates in the event that confidential information will be disclosed
Physical Safeguards (HIPAA 164.310).
- ACS facilities and its data center are physically secure and limited in access
- Access to the buildings, data processing, and data center may be independently controlled via keypad PIN and/or card access at each level, preventing walk-up intrusion, especially after hours
- Specific workstation usage and security measures are in place
- Policies are also in place to guard against equipment disposal and reuse which may inadvertently compromise sensitive information
- Archive and backup tapes are encrypted and stored in a secured location in a fireproof safe
Technical Safeguards (HIPAA 164.312).
- Requiring unique user identifications, automatic logoff, encryption where it is deemed necessary and appropriate
- Having audit controls in place
- Verifying backups
- Entity authentication programs, including increasing measures to provide better data integrity and encryption
- Not using or disclosing any PHI except in the course of meeting our contractual obligations or as required by law
- Rights of an individual to request restriction of uses and disclosures of their PHI
- Affording access of individuals to copies of their PHI and for the individual to amend their PHI when applicable
- Complying with the Accounting of Disclosures standard
Breach Notification Rule:
- Report any breach “the acquisition, access use, or disclosure of protected health information in a manner not permitted under HIPAA which compromises the security or privacy of the protected health information” of which we become aware to the Covered Entity
- Comply with all breach notification requirements set forth in the Business Associate Agreement
HIPAA TRANSACTION CODE SET RULE:
- HIPAA compliant EDI transactions are used when applicable
- HIPAA compliant Code Sets are used when applicable
This HIPAA Compliance Statement is not intended to take the place of a Business Associate Agreement. If a Covered Entity does not have a BAA of its own we will provide one for them. If required by the Covered Entity we will make the necessary changes to our BAA to ensure our HIPAA compliance meets their needs.
As necessary, we will adjust our policies to adhere to our clients’ needs and to adjust to any changes in the HIPAA rules. If you have any questions concerning our HIPAA compliance policies, please contact ACS’s Privacy & Security Officer and Certified HIPAA Professional,
Jaime Gagnon at email@example.com or 337-706-1557.
If you believe that your (or someone else’s) health information privacy rights have been violated or another violation of the Privacy Rule was committed, please feel free to fill out this complaint form so that it can be further investigated: COMPLAINT FORM
You may return the form to the HIPAA Privacy & Security Officer at firstname.lastname@example.org or mail it to Jaime Gagnon/HIPAA Privacy & Security Officer/324 Dulles Drive/Lafayette, LA 70506.