HIPAA Privacy Policy

Sunlife Healthcare Services

I. Purpose

The purpose of this policy is to ensure that Sunrise Healthcare Services ("SHC") complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and any relevant state and federal laws and regulations. This policy outlines SHC's commitment to protect the privacy and security of protected health information (PHI), maintain the confidentiality of medical records, and uphold patients' rights under HIPAA standards.

II. Scope

This policy applies to all SHC employees, contractors, volunteers, and any other individuals or entities involved in the provision of healthcare services or the operation of SHC facilities.

III. Definitions

Protected Health Information (PHI): Any individually identifiable health information that is transmitted or maintained in any form or medium, including oral, written, or electronic formats.

IV. Privacy and Security of Protected Health Information (PHI)

1. Access to PHI: SHC will limit access to PHI to only those employees, contractors, and volunteers who need the information to perform their job duties. Access will be granted based on the minimum necessary standard, which means that individuals will only have access to the minimum amount of PHI necessary to complete their tasks.

2. Training: All SHC employees, contractors, and volunteers who have access to PHI will receive regular training on HIPAA regulations and SHC's policies and procedures for safeguarding PHI.

3. Security Measures: SHC will implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. This includes, but is not limited to, securing physical records and electronic systems, restricting access to PHI, and monitoring and regularly reviewing system activity.

4. Breach Notification: In the event of a breach of unsecured PHI, SHC will notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, when required, the media, in accordance with HIPAA regulations.

V. Use and Disclosure of Protected Health Information (PHI)

1. Permitted Uses and Disclosures: SHC may use and disclose PHI without the patient's authorization for the following purposes:

a. Treatment: SHC may use and disclose PHI to provide, coordinate, or manage healthcare and related services, including consultations and referrals between healthcare providers.

b. Payment: SHC may use and disclose PHI to obtain payment for healthcare services provided, including billing, claims management, and collection activities.

c. Healthcare Operations: SHC may use and disclose PHI for activities related to the operation of SHC, such as quality assessment and improvement, training, accreditation, and compliance activities.

2. Disclosures Requiring Authorization: Except for the purposes outlined above, SHC will obtain written authorization from the patient before using or disclosing their PHI. Patients may revoke their authorization at any time, in writing, except to the extent that SHC has already taken action in reliance on the authorization.

3. Disclosures Requiring Opportunity to Object: SHC may disclose PHI to family members, friends, or other individuals involved in the patient's care, or for notification purposes, provided that the patient has been given the opportunity to object and has not done so. If the patient is incapacitated or in an emergency situation, SHC may disclose PHI based on its professional judgment and the best interests of the patient.

4. Disclosures Required by Law: SHC may use or disclose PHI as required by federal, state, or local laws, including disclosures to public health authorities, law enforcement, or in response to a court order or subpoena.

5. Disclosures for Special Purposes: SHC may use or disclose PHI for certain special purposes, such as for research, provided that appropriate safeguards are in place and the use or disclosure is permitted under HIPAA regulations. Other special purposes may include disclosures for organ and tissue donation, workers' compensation, or to prevent a serious threat to public health or safety.

6. Disclosures to Business Associates: SHC may disclose PHI to its business associates, who provide services on behalf of SHC, such as billing or consulting services. SHC will ensure that these business associates have signed a Business Associate Agreement and are committed to protecting the privacy and security of PHI.

7. Minimum Necessary Standard: When using or disclosing PHI, SHC will make reasonable efforts to limit the use or disclosure to the minimum necessary to accomplish the intended purpose.

8. De-Identified Information: SHC may use or disclose de-identified health information that is stripped of all identifiers that would allow the information to be linked to an individual, in accordance with HIPAA regulations. De-identified information is not considered PHI and may be used or disclosed without restrictions.

VI. Medical Records

1. Retention and Disposal: SHC will maintain medical records in a secure manner for the duration required by applicable state and federal laws. After the required retention period, SHC will securely dispose of medical records in a manner that ensures the confidentiality of PHI is maintained.

2. Requests for Access and Amendment: Patients have the right to access their medical records and request amendments to correct inaccurate or incomplete information. SHC will respond to these requests in a timely manner and in accordance with HIPAA regulations.

VII. Patient Rights

1. Notice of Privacy Practices: SHC will provide all patients with a Notice of Privacy Practices, which outlines how their PHI may be used and disclosed, their rights under HIPAA, and SHC's legal responsibilities for protecting their PHI.

2. Restriction Requests: Patients have the right to request restrictions on the use and disclosure of their PHI. SHC will evaluate these requests on a case-by-case basis and comply with the restrictions when required by law.

3. Confidential Communications: Patients have the right to request that SHC communicates with them about their healthcare in a specific way or at a specific location, such as only contacting them at work or via email. SHC will accommodate reasonable requests.

4. Accounting of Disclosures: Patients have the right to request an accounting of disclosures of their PHI made by SHC in the past six years, except for disclosures made for treatment, payment, healthcare operations, or as authorized by the patient. SHC will provide this accounting within 60 days of receiving the request.

VIII. Enforcement and Compliance

1. SHC will regularly review and update this policy to ensure continued compliance with HIPAA standards. SHC will investigate and address any potential violations of this policy or HIPAA regulations promptly. Violations may result in disciplinary action, up to and including termination of employment or contractual relationships.

IX. SHC's Legal Duties and Responsibilities

1. Legal Compliance: SHC is required by federal and state laws, including HIPAA, to maintain the privacy and security of PHI, ensure the confidentiality of medical records, and uphold patients' rights. SHC is also subject to other federal and state privacy laws and regulations that may impose additional requirements.

2. Notice of Privacy Practices: As required by law, SHC will provide patients with a Notice of Privacy Practices that explains how their PHI may be used and disclosed, their rights under HIPAA, and SHC's legal duties and responsibilities for protecting their PHI.

3. Changes to Privacy Practices: SHC is required to abide by the terms of the current Notice of Privacy Practices. If SHC needs to make material changes to its privacy practices, it will revise the Notice of Privacy Practices and distribute the updated notice to affected individuals in a timely manner, as required by law.

4. Reporting and Responding to Violations: SHC is legally obligated to report and respond to any potential violations of this policy or HIPAA regulations promptly. Violations may result in disciplinary action, up to and including termination of employment or contractual relationships, and may also lead to civil or criminal penalties under applicable laws.

5. Retaliation and Intimidation Prohibited: SHC is required by law to refrain from retaliating against or intimidating any individual who exercises their rights, files a complaint, or reports a violation of this policy or HIPAA regulations in good faith.

6. Cooperation with Regulatory Authorities: SHC will cooperate with the U.S. Department of Health and Human Services (HHS) and other regulatory authorities in the investigation and resolution of privacy and security complaints or concerns, and will comply with any corrective actions or penalties imposed by such authorities.

7. Documentation and Record Retention: SHC is required to maintain documentation of its privacy and security policies, procedures, and activities, as well as documentation related to patients' rights and the use and disclosure of PHI, for a minimum of six years, or as otherwise required by law.

By adhering to these legal duties and responsibilities, Sunrise Healthcare Services is committed to maintaining the privacy of patients' protected health information and ensuring compliance with all applicable laws and regulations.

X. Reporting Concerns

Employees, contractors, volunteers, patients, and other individuals who believe there has been a violation of this policy or HIPAA regulations should report their concerns to Sunrise’s Privacy Officer. Reports can be made anonymously, and Sunrise Healthcare will not retaliate against any individual for reporting a concern in good faith.

IX. Privacy Officer

SHC has designated a Privacy Officer who is responsible for the development and implementation of policies and procedures to comply with HIPAA regulations, as well as handling any privacy-related complaints and concerns.

The Privacy Officer can be contacted at:

Privacy Officer

Sunrise Healthcare Services

Address: 322 North Shore Drive Suite Pittsburgh, PA 15212

Phone: 724-340-8456

Email: [email protected]

XI. Amendments to this Policy

SHC reserves the right to amend this policy at any time. Any changes to this policy will be communicated to affected individuals in a timely manner, as required by law.

XII. Effective Date

This policy is effective as of May 1st, 2024.

Copyright © 2024 Sunrise Healthcare, Inc. All rights reserved.