Sunlife Healthcare Services
The purpose of this policy is to ensure that Sunrise Healthcare Services ("SHC") complies with
the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the
Health Information Technology for Economic and Clinical Health (HITECH) Act, and any relevant
state and federal laws and regulations. This policy outlines SHC's commitment to protect the
privacy and security of protected health information (PHI), maintain the confidentiality of
medical records, and uphold patients' rights under HIPAA standards.
This policy applies to all SHC employees, contractors, volunteers, and any other individuals or
entities involved in the provision of healthcare services or the operation of SHC facilities.
Protected Health Information (PHI): Any individually identifiable health information that is
transmitted or maintained in any form or medium, including oral, written, or electronic formats.
1. Access to PHI: SHC will limit access to PHI to only those employees, contractors, and
volunteers who need the information to perform their job duties. Access will be granted
based on the minimum necessary standard, which means that individuals will only have
access to the minimum amount of PHI necessary to complete their tasks.
2. Training: All SHC employees, contractors, and volunteers who have access to PHI will
receive regular training on HIPAA regulations and SHC's policies and procedures for
safeguarding PHI.
3. Security Measures: SHC will implement administrative, physical, and technical
safeguards to protect the confidentiality, integrity, and availability of PHI. This includes,
but is not limited to, securing physical records and electronic systems, restricting access
to PHI, and monitoring and regularly reviewing system activity.
4. Breach Notification: In the event of a breach of unsecured PHI, SHC will notify affected
individuals, the U.S. Department of Health and Human Services (HHS), and, when
required, the media, in accordance with HIPAA regulations.
1. Permitted Uses and Disclosures: SHC may use and disclose PHI without the patient's
authorization for the following purposes:
a. Treatment: SHC may use and disclose PHI to provide, coordinate, or manage
healthcare and related services, including consultations and referrals between
healthcare providers.
b. Payment: SHC may use and disclose PHI to obtain payment for healthcare
services provided, including billing, claims management, and collection activities.
c. Healthcare Operations: SHC may use and disclose PHI for activities related to the
operation of SHC, such as quality assessment and improvement, training, accreditation,
and compliance activities.
2. Disclosures Requiring Authorization: Except for the purposes outlined above, SHC will
obtain written authorization from the patient before using or disclosing their PHI.
Patients may revoke their authorization at any time, in writing, except to the extent that
SHC has already taken action in reliance on the authorization.
3. Disclosures Requiring Opportunity to Object: SHC may disclose PHI to family members,
friends, or other individuals involved in the patient's care, or for notification purposes,
provided that the patient has been given the opportunity to object and has not done so.
If the patient is incapacitated or in an emergency situation, SHC may disclose PHI based
on its professional judgment and the best interests of the patient.
4. Disclosures Required by Law: SHC may use or disclose PHI as required by federal, state,
or local laws, including disclosures to public health authorities, law enforcement, or in
response to a court order or subpoena.
5. Disclosures for Special Purposes: SHC may use or disclose PHI for certain special
purposes, such as for research, provided that appropriate safeguards are in place and
the use or disclosure is permitted under HIPAA regulations. Other special purposes may
include disclosures for organ and tissue donation, workers' compensation, or to prevent
a serious threat to public health or safety.
6. Disclosures to Business Associates: SHC may disclose PHI to its business associates, who
provide services on behalf of SHC, such as billing or consulting services. SHC will ensure
that these business associates have signed a Business Associate Agreement and are
committed to protecting the privacy and security of PHI.
7. Minimum Necessary Standard: When using or disclosing PHI, SHC will make reasonable
efforts to limit the use or disclosure to the minimum necessary to accomplish the
intended purpose.
8. De-Identified Information: SHC may use or disclose de-identified health information
that is stripped of all identifiers that would allow the information to be linked to an
individual, in accordance with HIPAA regulations. De-identified information is not
considered PHI and may be used or disclosed without restrictions.
1. Retention and Disposal: SHC will maintain medical records in a secure manner for the
duration required by applicable state and federal laws. After the required retention
period, SHC will securely dispose of medical records in a manner that ensures the
confidentiality of PHI is maintained.
2. Requests for Access and Amendment: Patients have the right to access their medical
records and request amendments to correct inaccurate or incomplete information. SHC
will respond to these requests in a timely manner and in accordance with HIPAA
regulations.
1. Notice of Privacy Practices: SHC will provide all patients with a Notice of Privacy
Practices, which outlines how their PHI may be used and disclosed, their rights under
HIPAA, and SHC's legal responsibilities for protecting their PHI.
2. Restriction Requests: Patients have the right to request restrictions on the use and
disclosure of their PHI. SHC will evaluate these requests on a case-by-case basis and
comply with the restrictions when required by law.
3. Confidential Communications: Patients have the right to request that SHC
communicate with them about their healthcare in a specific way or at a specific
location, such as only contacting them at work or via email. SHC will accommodate
reasonable requests.
4. Accounting of Disclosures: Patients have the right to request an accounting of
disclosures of their PHI made by SHC in the past six years, except for disclosures made
for treatment, payment, healthcare operations, or as authorized by the patient. SHC will
provide this accounting within 60 days of receiving the request.
1. SHC will regularly review and update this policy to ensure continued compliance with
HIPAA standards. SHC will investigate and address any potential violations of this policy
or HIPAA regulations promptly. Violations may result in disciplinary action, up to and
including termination of employment or contractual relationships.
1. Legal Compliance: SHC is required by federal and state laws, including HIPAA, to
maintain the privacy and security of PHI, ensure the confidentiality of medical records,
and uphold patients' rights. SHC is also subject to other federal and state privacy laws
and regulations that may impose additional requirements.
2. Notice of Privacy Practices: As required by law, SHC will provide patients with a Notice
of Privacy Practices that explains how their PHI may be used and disclosed, their rights
under HIPAA, and SHC's legal duties and responsibilities for protecting their PHI.
3. Changes to Privacy Practices: SHC is required to abide by the terms of the current
Notice of Privacy Practices. If SHC needs to make material changes to its privacy
practices, it will revise the Notice of Privacy Practices and distribute the updated notice
to affected individuals in a timely manner, as required by law.
4. Reporting and Responding to Violations: SHC is legally obligated to report and respond
to any potential violations of this policy or HIPAA regulations promptly. Violations may
result in disciplinary action, up to and including termination of employment or
contractual relationships, and may also lead to civil or criminal penalties under
applicable laws.
5. Retaliation and Intimidation Prohibited: SHC is required by law to refrain from retaliating against or intimidating any individual who exercises their rights, files a complaint, or reports a violation of this policy or HIPAA regulations in good faith.
6. Cooperation with Regulatory Authorities: SHC will cooperate with the U.S. Department of Health and Human Services (HHS) and other regulatory authorities in the investigation and resolution of privacy and security complaints or concerns, and will comply with any corrective actions or penalties imposed by such authorities.
7. Documentation and Record Retention: SHC is required to maintain documentation of its privacy and security policies, procedures, and activities, as well as documentation related to patients' rights and the use and disclosure of PHI, for a minimum of six years, or as otherwise required by law.
By adhering to these legal duties and responsibilities, Sunrise Healthcare Services is committed to maintaining the privacy of patients' protected health information and ensuring compliance with all applicable laws and regulations.
Employees, contractors, volunteers, patients, and other individuals who believe there has been
a violation of this policy or HIPAA regulations should report their concerns to Sunrise’s Privacy
Officer. Reports can be made anonymously, and Sunrise Healthcare will not retaliate against any
individual for reporting a concern in good faith.
SHC has designated a Privacy Officer who is responsible for the development and
implementation of policies and procedures to comply with HIPAA regulations, as well as
handling any privacy-related complaints and concerns.
The Privacy Officer can be contacted at:
Privacy Officer
Sunrise Healthcare Services
Address: 322 North Shore Drive Suite Pittsburgh, PA 15212
Phone: 724-340-8456
Email: [email protected]
SHC reserves the right to amend this policy at any time. Any changes to this policy will be
communicated to affected individuals in a timely manner, as required by law.
This policy is effective as of May 1st, 2024.