HIPAA Policy for Bella Mae Plastic Surgery

1. Introduction

This document outlines the Health Insurance Portability and Accountability Act (HIPAA) policy for Bella Mae Plastic Surgery. This policy is designed to ensure the confidentiality, integrity, and availability of Protected Health Information (PHI) and to comply with all applicable federal and state regulations. All employees, contractors, and agents of Bella Mae Plastic Surgery must adhere to this policy.
2. Definitions

  • PHI (Protected Health Information): Individually identifiable health information transmitted or maintained in any form or medium (electronic, paper, or oral).

  • Covered Entity: Bella Mae Plastic Surgery is a Covered Entity under HIPAA.

  • Business Associate: A person or entity that performs functions or activities on behalf of, or provides services to, a Covered Entity that involves the use or disclosure of individually identifiable health information.

  • Designated Record Set: A group of records maintained by or for a Covered Entity that is: (1) the medical records and billing records about individuals maintained by or for a Covered Entity; (2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) other records that are used, in whole or in part, by or for the Covered Entity to make decisions about individuals.

  • Notice of Privacy Practices (NPP): A document informing patients of their rights concerning their PHI and how Bella Mae Plastic Surgery may use and disclose their PHI.
3. Privacy Rule
3.1 Use and Disclosure of PHI

Bella Mae Plastic Surgery will use and disclose PHI only as permitted or required by the HIPAA Privacy Rule. This includes, but is not limited to:

  • Treatment: Using and disclosing PHI for the provision, coordination, or management of health care and related services.

  • Payment: Using and disclosing PHI to obtain payment for health care services.

  • Healthcare Operations: Using and disclosing PHI for activities such as quality assessment, improvement activities, training programs, and business planning.

  • Patient Authorization: Disclosing PHI when the patient has provided written authorization.

  • Required by Law: Disclosing PHI when required by law (e.g., judicial and administrative proceedings, law enforcement purposes, public health activities).

  • Public Interest and Benefit Activities: Disclosing PHI for public health activities, victims of abuse or neglect, health oversight activities, judicial and administrative proceedings, law enforcement purposes, decedents, organ donation, research, serious threat to health or safety, and workers' compensation.
3.2 Patient Rights

Patients have the following rights concerning their PHI:

  • Right to Access: Patients have the right to inspect and obtain a copy of their PHI in a Designated Record Set.

  • Right to Amend: Patients have the right to request an amendment to their PHI if they believe it is inaccurate or incomplete.

  • Right to an Accounting of Disclosures: Patients have the right to receive an accounting of certain disclosures of their PHI.

  • Right to Request Restrictions: Patients have the right to request restrictions on certain uses and disclosures of their PHI.

  • Right to Request Confidential Communications: Patients have the right to request to receive communications of PHI by alternative means or at alternative locations.

  • Right to a Paper Copy of the NPP: Patients have the right to obtain a paper copy of the Notice of Privacy Practices.

3.3 Notice of Privacy Practices (NPP)

Bella Mae Plastic Surgery will provide a Notice of Privacy Practices to all patients at their first service encounter. The NPP will be posted in a prominent location in the waiting area and will be available on the practice's website.
4. Security Rule
4.1 Administrative Safeguards

Bella Mae Plastic Surgery will implement administrative safeguards to protect PHI, including:
  • Security Management Process: Implementing policies and procedures to prevent, detect, contain, and correct security violations. This includes risk analysis and risk management.

  • Assigned Security Responsibility: Designating a Security Officer responsible for the development and implementation of security policies and procedures.

  • Workforce Security: Implementing policies and procedures to ensure that all workforce members who have access to PHI have appropriate authorization and access levels. This includes authorization and supervision, workforce clearance procedures, and termination procedures.

  • Information Access Management: Implementing policies and procedures for authorizing access to electronic PHI (ePHI).

  • Security Awareness and Training: Providing regular security awareness and training to all workforce members.

  • Security Incident Procedures: Implementing policies and procedures to address security incidents.

  • Contingency Plan: Establishing a plan for responding to emergencies or other occurrences that damage systems containing ePHI.

  • Evaluation: Performing periodic assessments of the effectiveness of security measures.

  • Business Associate Agreements (BAAs): Ensuring that all Business Associates who handle PHI have appropriate BAAs in place.
4.2 Physical Safeguards

Bella Mae Plastic Surgery will implement physical safeguards to protect PHI, including:
  • Facility Access Controls: Implementing policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that authorized access is allowed.

  • Workstation Use: Implementing policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

  • Workstation Security: Implementing physical safeguards for all workstations that access ePHI to restrict access to authorized users.

  • Device and Media Controls: Implementing policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
4.3 Technical Safeguards

Bella Mae Plastic Surgery will implement technical safeguards to protect PHI, including:
  • Access Control: Implementing technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.

  • Audit Controls: Implementing hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

  • Integrity: Implementing policies and procedures to protect ePHI from improper alteration or destruction.

  • Person or Entity Authentication: Implementing procedures to verify that a person or entity seeking access to ePHI is the one claimed.

  • Transmission Security: Implementing technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic network.
5. Breach Notification Rule
In the event of a breach of unsecured PHI, Bella Mae Plastic Surgery will comply with the HIPAA Breach Notification Rule, which requires notification to affected individuals, the Secretary of Health and Human Services (HHS), and in some cases, the media.
6. Training
All workforce members will receive HIPAA training upon hiring and annually thereafter. Training will cover the Privacy Rule, Security Rule, and Breach Notification Rule, as well as the specific policies and procedures of Bella Mae Plastic Surgery.
7. Sanctions for Non-Compliance
Any workforce member who violates this HIPAA policy will be subject to disciplinary action, up to and including termination of employment, in accordance with Bella Mae Plastic Surgery's disciplinary policy. Violations may also result in civil and criminal penalties under HIPAA.
8. Policy Review
This HIPAA policy will be reviewed and updated at least annually, or more frequently as needed, to ensure ongoing compliance with HIPAA regulations and best practices.
9. Contact Information
For questions or concerns regarding this HIPAA policy, please contact:
Privacy Officer/Security Officer: Nanette Evangelista
Title: Office Administrator
Email: nevangelista@bellamaeplasticsurgery.com
Phone: 203-336-9862
Effective Date: November 1st, 2023
Last Reviewed/Revised: October 15th, 2025

© 2024 Bella Mae Plastic Surgery

311 North St, White Plains, NY 10605