1. Notice of Privacy Practices

This Notice Describes How Medical Information About You May Be Used And Disclosed And How You Can Get Access To This Information. Please Review It Carefully.

This HIPAA Policy outlines the policies and procedures of AC Health (the “Company” and/or “AdviceCoach”) for ensuring compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) when processing Protected Health Information (“PHI”) on behalf of its customers (“Covered Entities”).

2. Applicability

This policy applies to all Company employees, contractors, and subcontractors who access, process, or store PHI on behalf of Covered Entities.

3. Definitions

  • Business Associate: A person or entity that performs certain functions or activities on behalf of a Covered Entity that involve the use or disclosure of PHI.
  • Covered Entity: A health plan, healthcare provider, or healthcare clearinghouse that transmits health information in electronic form.
  • Protected Health Information (PHI): Individually identifiable health information that is transmitted by electronic means in connection with transactions related to healthcare.

4. Responsibilities

4.1. Company Responsibilities:

  • Implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI.
  • Enter into Business Associate Agreements (“BAAs”) with all Covered Entities.
  • Provide training to employees, contractors, and subcontractors on HIPAA requirements and Company policies.
  • Report HIPAA breaches to Covered Entities promptly.
  • Comply with all applicable HIPAA regulations and guidance.

4.2. Covered Entity Responsibilities:

  • Clearly identify PHI to the Company.
  • Provide the Company with written instructions for the handling of PHI.
  • Report any suspected HIPAA violations to the Company promptly.

5. Administrative Safeguards

  • Access controls: Implement access controls to ensure that only authorized personnel have access to PHI.
  • User authentication: Implement user authentication procedures to verify the identity of individuals who access PHI.
  • Activity logs: Maintain records of all access to and modifications of PHI.
  • Data security policies: Develop and implement data security policies and procedures.
  • Security awareness and training: Provide training to employees, contractors, and subcontractors on HIPAA requirements and Company policies.

6. Physical Safeguards

  • Secure facilities: Maintain physical security measures to protect PHI from unauthorized access, use, or disclosure.
  • Secure equipment: Implement safeguards to protect equipment containing PHI from unauthorized access.

7. Technical Safeguards

  • Encryption: Encrypt all PHI at rest and in transit.
  • Data integrity: Implement measures to ensure the integrity of PHI.
  • Backups and disaster recovery: Maintain backups of PHI and have a disaster recovery plan in place.
  • Access Audit: A log will be kept of all access to AC Health systems and data.

8. Data Disclosure

  • Treatment, Payment, and Healthcare Operations: Sharing PHI with the Covered Entity (CE) to fulfill its healthcare functions, such as treatment, billing, or care coordination.
  • Business Associates: Disclosing PHI to other Business Associates (BAs) who assist the CE in performing its tasks, as outlined in a Business Associate Agreement (BAA).
  • Healthcare Oversight: Sharing PHI with government agencies for healthcare fraud and abuse investigations, or quality improvement activities.
  • Court Orders and Law Enforcement: Disclosing PHI in response to a valid court order or subpoena, or to report emergencies or crimes.

9. Business Associate Agreements

The Company will enter into BAAs with all Covered Entities before processing any PHI. BAAs will address the following topics:

  • The permitted uses and disclosures of PHI.
  • The security measures that the Company will implement to protect PHI.
  • The reporting of HIPAA breaches.

10. Reporting HIPAA Breaches

The Company will report all HIPAA breaches to Covered Entities promptly, no later than 60 days after discovery. The report will include the following information:

  • The date and time of the breach.
  • The nature and extent of the breach.
  • The affected individuals.
  • The steps taken to mitigate the breach.

11. Training

The Company will provide training to all employees, contractors, and subcontractors on HIPAA requirements and Company policies. The training will be conducted on a regular basis and will be tailored to the specific roles and responsibilities of each individual.

12. Compliance Monitoring

The Company will conduct periodic audits to assess its compliance with HIPAA requirements. The results of these audits will be used to identify and address any deficiencies.

13. Disciplinary Action

The Company will take disciplinary action against any employee, contractor, or subcontractor who violates HIPAA requirements or Company policies.

14. Policy Review and Updates

This policy will be reviewed and updated periodically to reflect changes in HIPAA regulations or Company practices.

15. Access and Requesting Copies of Your Data

  • You have the right to access and request copies of your PHI that we hold. This includes any information related to your health, treatment, or payment for healthcare services that we collect or process through our platform.
  • To request a copy of your data, please submit a written request to the address found below. We will respond to your request within 60 days.

    DPO – AC Health
    15 Hampton Drive
    Woodbridge, CT 06525
  • In your request, please be as specific as possible about the type of information you wish to access. This will help us locate and provide the information to you efficiently.

16. Contact Information

For questions or concerns regarding this policy, please contact us via email: DPO@ac-health.com