HIPAA Privacy Policy [US]


Company Name:

Effective Date:

Policy Owner:

Approved By:

HIPAA Privacy Officer:

1. Purpose & Scope

1.1 This policy establishes the Organization's comprehensive framework for complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), the HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E), the HIPAA Security Rule (45 CFR Part 164, Subpart C), and the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D). The policy governs the permissible use, disclosure, and safeguarding of Protected Health Information in all forms, whether electronic, paper, or oral, and establishes the Organization's obligations as a Covered Entity or Business Associate under HIPAA.

1.2 This policy applies to all workforce members of the Organization, as defined under HIPAA, including full-time and part-time employees, contractors, consultants, volunteers, trainees, and any other individual whose conduct is under the direct control of the Organization, who create, receive, maintain, access, or transmit Protected Health Information in the course of their duties. The policy also governs the Organization's relationships with Business Associates, subcontractors, and any third party that performs functions or activities involving the use or disclosure of PHI on behalf of the Organization. This policy shall be applied in conjunction with the Organization's HIPAA Security Policy, Breach Notification Policy, and all applicable Business Associate Agreements.

1.3 The Organization shall designate a HIPAA Privacy Officer who shall be responsible for the development, implementation, maintenance, and enforcement of this policy and all related privacy policies and procedures required by the HIPAA Privacy Rule. The Privacy Officer shall serve as the Organization's primary point of contact for all HIPAA privacy matters, including the processing of individual rights requests, the investigation of privacy complaints, the coordination of breach notification activities, and liaison with the U.S. Department of Health and Human Services Office for Civil Rights. The Privacy Officer shall report to the Chief Compliance Officer or the Chief Executive Officer on the Organization's HIPAA compliance posture, privacy incident trends, and training completion rates on at least a quarterly basis.

2. Use & Disclosure of Protected Health Information

2.1 The Organization shall use or disclose Protected Health Information only as permitted or required by the HIPAA Privacy Rule (45 CFR 164.502 and 164.512). Without obtaining individual authorisation, the Organization may use or disclose PHI for Treatment purposes, including the provision, coordination, and management of health care and related services; Payment purposes, including billing, claims management, and eligibility determinations; and Health Care Operations, including quality assessment, compliance activities, training, and business planning. All uses and disclosures for Treatment, Payment, and Health Care Operations shall comply with the minimum necessary standard, which requires that the Organization make reasonable efforts to limit PHI to the minimum amount necessary to accomplish the intended purpose, except where the minimum necessary standard does not apply, such as disclosures to the individual or disclosures required by law.

2.2 Uses and disclosures of PHI that do not fall within the Treatment, Payment, or Health Care Operations categories, and that are not otherwise permitted without authorisation under the HIPAA Privacy Rule, shall require a valid written authorisation from the individual. Authorisations must contain all elements specified in 45 CFR 164.508, including a description of the information to be used or disclosed, the persons authorised to make the disclosure and receive the information, the purpose of the disclosure, an expiration date or event, and the individual's signature and date. Authorisation is specifically required for uses and disclosures of psychotherapy notes, uses of PHI for marketing purposes, and sales of PHI, as defined under the HITECH Act. The Organization shall not condition treatment, payment, enrolment, or eligibility on the provision of an authorisation, except in the limited circumstances specified in the Privacy Rule. Individuals shall be informed of their right to revoke an authorisation in writing at any time.

2.3 The Organization shall apply the minimum necessary standard to all uses, disclosures, and requests for Protected Health Information, ensuring that workforce members access, use, and disclose only the minimum amount of PHI reasonably necessary to accomplish the intended purpose. The Organization shall implement role-based access policies that define the categories of PHI to which each workforce role requires access and the conditions under which access is appropriate. For routine and recurring disclosures, the Organization shall establish standard protocols that limit the PHI disclosed to the minimum necessary for the stated purpose. For non-routine disclosures, the Privacy Officer or a designated reviewer shall evaluate each request individually to determine the minimum necessary information. The minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment purposes, disclosures to the individual who is the subject of the information, uses or disclosures pursuant to a valid authorisation, disclosures to the Secretary of HHS for compliance investigation purposes, uses or disclosures required by law, and uses or disclosures required for HIPAA compliance.

2.4 The Organization shall maintain an accounting of disclosures of PHI as required by 45 CFR 164.528. The accounting shall include all disclosures of PHI made during the six years preceding the date of the accounting request, excluding disclosures for Treatment, Payment, or Health Care Operations, disclosures made pursuant to a valid authorisation, disclosures to the individual, disclosures for the Organization's facility directory, disclosures for national security or intelligence purposes, and disclosures to correctional institutions or law enforcement officials. For each reportable disclosure, the accounting shall record the date of the disclosure, the name and address of the entity or person who received the PHI, a brief description of the PHI disclosed, and the purpose of the disclosure or a copy of the request. The Organization shall respond to accounting requests within 60 days and shall provide the first accounting in any 12-month period at no charge to the individual.

3. Individual Rights

3.1 The Organization shall provide individuals with a Notice of Privacy Practices, as required by 45 CFR 164.520, that describes how the Organization may use and disclose the individual's PHI, the individual's rights with respect to their PHI, the Organization's legal duties to protect PHI, the Organization's contact information for privacy inquiries and complaints, and the effective date of the notice. The Notice shall be provided to each individual no later than the date of the first service delivery, and shall be made available on the Organization's website. The Organization shall make a good faith effort to obtain a written acknowledgement of receipt from each individual. The Notice shall be updated whenever there is a material change to the Organization's privacy practices, and the revised Notice shall be made available and, where required, distributed to affected individuals.

3.2 Individuals have the right to access, inspect, and obtain a copy of their PHI maintained in a designated record set, as provided by 45 CFR 164.524. The Organization shall act on access requests within 30 days of receipt, with one 30-day extension permitted upon written notice to the individual stating the reasons for the delay and the expected completion date. PHI shall be provided in the form and format requested by the individual, if readily producible in that form, or in a readable alternative format agreed upon by the Organization and the individual. The Organization may charge a reasonable, cost-based fee that covers the cost of copying, postage, and preparation of an explanation or summary if the individual has agreed to such a summary. The Organization may deny access only in the limited circumstances specified in the Privacy Rule, including psychotherapy notes and information compiled for legal proceedings, and shall inform the individual of their right to have the denial reviewed by a licensed health care professional designated by the Organization.

3.3 In addition to the right of access, individuals are afforded the following rights under the HIPAA Privacy Rule, which the Organization shall honour in accordance with the applicable regulatory provisions: the right to request an amendment to their PHI in a designated record set under 45 CFR 164.526, which the Organization shall act upon within 60 days; the right to request restrictions on certain uses and disclosures of their PHI under 45 CFR 164.522, which the Organization may accept or decline except where the restriction relates to a disclosure to a health plan for payment or health care operations purposes and the PHI pertains solely to a service for which the individual has paid in full out of pocket; the right to request to receive communications of PHI by alternative means or at alternative locations under 45 CFR 164.522; and the right to file a complaint with the Organization's Privacy Officer or with the Secretary of HHS if the individual believes their privacy rights have been violated. The Organization shall not retaliate against any individual for exercising their rights under this policy or the HIPAA Privacy Rule.

4. Safeguards & Business Associates

4.1 The Organization shall implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect PHI in all forms against reasonably anticipated threats, hazards, and impermissible uses or disclosures, as required by the HIPAA Security Rule (45 CFR 164.306) and the HIPAA Privacy Rule (45 CFR 164.530(c)). Administrative safeguards shall include workforce training, access management procedures, security incident response procedures, and contingency planning. Physical safeguards shall include facility access controls, workstation use policies, and device and media controls. Technical safeguards shall include access controls, audit controls, integrity controls, and transmission security measures including encryption of electronic PHI in transit and at rest. The Organization's safeguard implementation shall be informed by a comprehensive risk analysis conducted in accordance with NIST SP 800-30 and updated at least annually or following significant changes to the Organization's information systems or operating environment.

4.2 The Organization shall identify all Business Associates, as defined under HIPAA and the HITECH Act, that create, receive, maintain, or transmit PHI on behalf of the Organization or provide services involving the use or disclosure of PHI. Before sharing PHI with any Business Associate, the Organization shall execute a HIPAA-compliant Business Associate Agreement that contains all required provisions of 45 CFR 164.504(e), including the permitted and required uses and disclosures of PHI, the requirement for appropriate safeguards, the obligation to report breaches and security incidents, the requirement to ensure that subcontractors agree to the same restrictions, the availability of PHI for access requests and amendments, and the return or destruction of PHI upon termination. The Privacy Officer shall maintain a register of all active Business Associate Agreements and shall review each BAA at least annually and upon renewal to ensure continued compliance with HIPAA requirements and the HITECH Act's expanded Business Associate provisions.

4.3 All workforce members who handle or have access to PHI shall receive comprehensive HIPAA privacy and security training within 30 days of commencing their role and annually thereafter, as required by 45 CFR 164.530(b). Training shall cover the provisions of this policy and the Organization's HIPAA compliance program, permissible and impermissible uses and disclosures of PHI, the minimum necessary standard and its application, individual rights under the Privacy Rule, administrative, physical, and technical safeguard requirements, breach identification, reporting, and notification procedures, the Organization's sanctions policy for privacy and security violations, and the individual's right to file complaints without retaliation. Additional role-specific training shall be provided to workforce members with specialised PHI handling responsibilities, including the Privacy Officer, Security Officer, and personnel involved in health information management. Training completion shall be documented and records shall be retained for a minimum of 6 years.

5. Breach Notification & Enforcement

5.1 The Organization shall investigate all suspected breaches of unsecured PHI in accordance with 45 CFR 164.402 and the four-factor risk assessment to determine whether there is a low probability that PHI has been compromised. Where a breach is confirmed, the Organization shall provide notification to each affected individual without unreasonable delay and no later than 60 calendar days from the date of discovery; notification to the Secretary of HHS concurrently with individual notification for breaches affecting 500 or more individuals, or annually for breaches affecting fewer than 500 individuals; and notification to prominent media outlets serving the affected individuals' state or jurisdiction for breaches affecting 500 or more residents of that state or jurisdiction. Breach notifications shall contain the elements specified in 45 CFR 164.404(c), including a description of the breach, the types of information involved, steps individuals should take to protect themselves, the Organization's mitigation actions, and contact procedures for further information.

5.2 All workforce members shall report any suspected or confirmed breach of PHI, privacy incident, or security incident involving PHI to the HIPAA Privacy Officer or through the Organization's designated incident reporting channel immediately upon discovery, and in no case later than 24 hours after becoming aware of the incident. Reports shall include the date and time of the incident, the nature and scope of the PHI involved, the individuals affected or potentially affected, and the circumstances of the incident. The Privacy Officer shall initiate an investigation within 24 hours of receiving a report and shall coordinate with the Security Officer, Legal Counsel, and senior management as appropriate. Failure to report a known or suspected breach constitutes a violation of this policy and shall result in sanctions as defined in the Organization's HIPAA sanctions policy. The Organization strictly prohibits retaliation against any workforce member who reports a suspected breach in good faith.

5.3 The Organization shall apply sanctions against any workforce member who violates this policy, the HIPAA Privacy Rule, the HIPAA Security Rule, or the Organization's HIPAA policies and procedures, as required by 45 CFR 164.530(e). Sanctions shall be proportionate to the nature, severity, and wilfulness of the violation and may include mandatory retraining and probationary monitoring, formal written warning, suspension of access to PHI and related systems, suspension from employment, termination of employment, and, where applicable, reporting to professional licensing boards or law enforcement. Violations that constitute wilful neglect of HIPAA requirements may subject the Organization to civil monetary penalties of up to $2,067,813 per violation category per calendar year, as adjusted for inflation by HHS. The Privacy Officer shall document all sanctions applied and shall review the Organization's sanctions log annually to identify trends and systemic issues.

5.4 This policy shall be reviewed comprehensively at least once every 12 months by the HIPAA Privacy Officer, in consultation with the Security Officer, Legal Counsel, the Compliance department, and relevant operational leaders. Reviews shall assess the policy's continued compliance with the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and applicable state health information privacy laws, as well as any new guidance issued by the HHS Office for Civil Rights. The policy shall be updated to reflect changes in HIPAA regulations, HHS enforcement trends, the Organization's operations and service offerings, Business Associate relationships, and findings from risk analyses, audits, and breach investigations. In accordance with HIPAA's documentation requirements under 45 CFR 164.530(j), this policy, all revisions, and all records of actions, activities, and designations required by the policy shall be retained for a minimum of 6 years from the date of creation or the date when the policy was last in effect, whichever is later.

What Is a HIPAA Privacy Policy?

A HIPAA privacy policy is a formal document that establishes an organization's framework for complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), and the HIPAA Privacy Rule (45 CFR Part 164, Subpart E). It governs how the organization uses, discloses, and safeguards Protected Health Information (PHI) in all forms.

HIPAA applies to Covered Entities — health plans, health care clearinghouses, and health care providers that transmit health information electronically — and to their Business Associates who handle PHI on their behalf. The HITECH Act expanded HIPAA's scope, making Business Associates directly liable for compliance and strengthening breach notification requirements and enforcement penalties.

The HIPAA Privacy Rule establishes national standards for the protection of individually identifiable health information. It requires Covered Entities to implement administrative, physical, and technical safeguards, to provide individuals with rights over their health information, to limit uses and disclosures to the minimum necessary, and to enter into Business Associate Agreements with all entities that handle PHI on their behalf.

Why Your Organization Needs a HIPAA Privacy Policy

A formal HIPAA privacy policy is not optional for organizations that handle Protected Health Information — it is a legal requirement under federal law. The HIPAA Privacy Rule (45 CFR 164.530) requires Covered Entities to develop and implement written privacy policies and procedures, train their workforce on those policies, designate a Privacy Officer, and maintain documentation for a minimum of six years.

The penalties for HIPAA non-compliance are substantial and increasing. The HHS Office for Civil Rights has imposed penalties ranging from thousands to millions of dollars for Privacy Rule violations. Under the HITECH Act's tiered penalty structure, penalties for violations due to wilful neglect can reach up to $2,067,813 per violation category per calendar year. State attorneys general also have authority to bring civil actions for HIPAA violations on behalf of state residents.

Beyond penalties, HIPAA violations result in significant reputational damage. Breaches affecting 500 or more individuals are posted on the HHS Breach Portal, commonly known as the Wall of Shame, where they remain publicly visible. The resulting media coverage and loss of patient trust can have lasting effects on the organization's reputation and patient relationships.

A comprehensive HIPAA privacy policy also protects the organization's workforce. Clear policies and procedures reduce the likelihood that employees will inadvertently violate HIPAA through improper disclosures, and they provide the training and guidance necessary for workforce members to fulfil their compliance obligations confidently.

Key Components of a HIPAA Privacy Policy

A HIPAA-compliant privacy policy must address five key areas mandated by the Privacy Rule and the HITECH Act.

The first area is Use and Disclosure Standards. This defines the permitted and required uses and disclosures of PHI, including the Treatment, Payment, and Health Care Operations categories that do not require individual authorisation, the circumstances that require a valid written authorisation, and the minimum necessary standard that limits PHI to the least amount needed.

The second area is Individual Rights. This implements the rights that HIPAA grants to individuals over their health information, including the right to access and obtain copies of their PHI, the right to request amendments, the right to an accounting of disclosures, the right to request restrictions, and the right to request confidential communications.

The third area is Safeguards. This addresses the administrative, physical, and technical safeguards required by the HIPAA Security Rule and the Privacy Rule's administrative requirements, including workforce training, access management, and risk analysis.

The fourth area is Business Associate Management. This defines the organization's process for identifying Business Associates, executing Business Associate Agreements, and monitoring Business Associate compliance.

The fifth area is Breach Notification and Enforcement. This implements the HIPAA Breach Notification Rule's requirements for notifying individuals, HHS, and media when unsecured PHI is breached, and defines the organization's sanctions policy for workforce members who violate the policy.

How to Implement This HIPAA Privacy Policy

Implementing this HIPAA privacy policy requires a structured approach that addresses regulatory requirements while integrating with your organization's operational workflows.

Step one: designate the Privacy Officer and Security Officer. Appoint individuals to serve as the HIPAA Privacy Officer and Security Officer, as required by the Privacy Rule and Security Rule respectively. These roles may be held by the same individual in smaller organizations but must be formally designated with documented responsibilities.

Step two: conduct a risk analysis. Perform a comprehensive risk analysis aligned with NIST SP 800-30 to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. The risk analysis is a foundational requirement of the HIPAA Security Rule and informs the selection of appropriate safeguards.

Step three: inventory Business Associate relationships. Identify all Business Associates who create, receive, maintain, or transmit PHI on behalf of the organization. Execute or update Business Associate Agreements that contain all provisions required by 45 CFR 164.504(e), including the expanded provisions mandated by the HITECH Act.

Step four: develop and deploy training. Implement a HIPAA training program that covers permissible uses and disclosures, individual rights, the minimum necessary standard, breach identification and reporting, and the organization's sanctions policy. Train all workforce members within 30 days of hire and annually thereafter.

Step five: implement the Notice of Privacy Practices. Draft, review with legal counsel, and distribute the organization's Notice of Privacy Practices to all individuals. Post the Notice on the organization's website and make it available at the point of service. Obtain written acknowledgements where required.

Frequently Asked Questions

What is Protected Health Information (PHI)?

Protected Health Information is individually identifiable health information created, received, maintained, or transmitted by a Covered Entity or Business Associate. It includes information that relates to an individual's past, present, or future physical or mental health condition, the provision of health care, or payment for health care, and that identifies or could reasonably identify the individual.

When can PHI be disclosed without patient authorisation?

PHI may be disclosed without authorisation for Treatment, Payment, and Health Care Operations purposes, subject to the minimum necessary standard. Additional permitted disclosures without authorisation include disclosures required by law, for public health activities, to avert a serious threat, for judicial proceedings, and for certain law enforcement purposes, as specified in 45 CFR 164.512.

What is the minimum necessary standard?

The minimum necessary standard requires the organization to make reasonable efforts to limit PHI used, disclosed, or requested to the minimum amount necessary to accomplish the intended purpose. It applies to most uses and disclosures but does not apply to disclosures for treatment, to the individual, pursuant to authorisation, to HHS, or as required by law.

What rights do individuals have over their PHI?

Under HIPAA, individuals have the right to access and obtain copies of their PHI, to request amendments, to receive an accounting of disclosures, to request restrictions on uses and disclosures, to request confidential communications, and to file complaints with the organization or HHS. The organization must respond to access requests within 30 days.

What is a Business Associate Agreement?

A Business Associate Agreement is a contract required by HIPAA between a Covered Entity and a Business Associate that establishes the permitted uses and disclosures of PHI, requires appropriate safeguards, mandates breach reporting, and addresses the return or destruction of PHI upon termination. The HITECH Act expanded BAA requirements to include subcontractors.

What are the penalties for HIPAA violations?

HIPAA penalties are tiered based on the level of culpability. Penalties range from $137 per violation for unknowing violations to up to $2,067,813 per violation category per year for wilful neglect that is not corrected. Criminal penalties may also apply, including fines and imprisonment for knowing violations.

What are the breach notification requirements?

When a breach of unsecured PHI is confirmed, the organization must notify affected individuals within 60 days of discovery, the Secretary of HHS concurrently for breaches affecting 500 or more individuals, and prominent media outlets for breaches affecting 500 or more residents of a state. Breaches affecting fewer than 500 individuals are reported to HHS annually.

How long must HIPAA records be retained?

HIPAA requires that the privacy policy, all revisions, and all records of actions, activities, and designations required by the policy be retained for a minimum of 6 years from the date of creation or the date when the policy was last in effect, whichever is later. This includes training records, Business Associate Agreements, and complaint documentation.
Written by Adithyan RK
Fact checked by Surya N
Published on: 3 Mar 2026