**HIPAA Policy**
**1. Introduction**
1.1. This HIPAA (Health Insurance Portability and Accountability Act) Policy outlines the procedures and guidelines to ensure the confidentiality, integrity, and security of Protected Health Information (PHI) within our aesthetic injection and wellness practice.
**2. Definitions**
2.1. Protected Health Information (PHI): Any individually identifiable health information, including demographic data, medical history, test results, insurance information, and other information that relates to the past, present, or future physical or mental health or condition of an individual and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
2.2. Covered Entity: Our aesthetic injection and wellness practice, including all employees, contractors, and affiliated entities who have access to PHI.
**3. Privacy Officer**
3.1. We designate Austin Steppey as the Privacy Officer responsible for overseeing HIPAA compliance within our practice.
3.2. The Privacy Officer is responsible for:
- Developing and implementing HIPAA policies and procedures.
- Conducting staff training on HIPAA regulations and privacy practices.
- Responding to privacy inquiries and complaints.
- Ensuring compliance with HIPAA requirements for PHI handling, storage, and transmission.
**4. Use and Disclosure of PHI**
4.1. PHI may only be used or disclosed as permitted by HIPAA regulations, as authorized by the patient, or as required by law.
4.2. Patients must provide written authorization for the release of PHI, except in cases where disclosure is required for treatment, payment, or healthcare operations.
4.3. PHI may be disclosed to other healthcare providers involved in the patient's treatment, payment, or healthcare operations, with the patient's consent.
4.4. PHI may be disclosed for public health activities, law enforcement purposes, and other limited circumstances as permitted by HIPAA regulations.
**5. Safeguarding PHI**
5.1. All employees must adhere to strict confidentiality standards when handling PHI, whether in electronic, paper, or verbal form.
5.2. PHI must be stored securely and accessible only to authorized personnel on a need-to-know basis.
5.3. Electronic PHI (ePHI) must be encrypted and protected with strong passwords to prevent unauthorized access.
5.4. Physical safeguards, such as locked file cabinets and restricted access to work areas, must be implemented to protect paper PHI from unauthorized access.
**6. Patient Rights**
6.1. Patients have the right to access their own PHI and request amendments to inaccuracies, as permitted by HIPAA regulations.
6.2. Patients have the right to request restrictions on the use or disclosure of their PHI, although the practice reserves the right to deny unreasonable requests.
6.3. Patients have the right to receive an accounting of disclosures of their PHI made by the practice, except for disclosures made for treatment, payment, or healthcare operations.
**7. Training and Education**
7.1. All employees, including new hires and contractors, must receive HIPAA training upon hire and periodically thereafter to ensure awareness of privacy and security policies and procedures.
7.2. Training sessions will cover topics such as patient privacy rights, handling of PHI, security awareness, and breach reporting procedures.
**8. Breach Notification**
8.1. In the event of a breach of unsecured PHI, the Privacy Officer must promptly investigate and assess the breach to determine the extent and potential harm to affected individuals.
8.2. If a breach poses a significant risk of harm to individuals, the practice will notify affected individuals, the Department of Health and Human Services (HHS), and other required entities in accordance with HIPAA breach notification requirements.
**9. Enforcement**
9.1. Violations of this HIPAA Policy may result in disciplinary action, up to and including termination of employment or contractual relationship.
9.2. Employees who become aware of potential HIPAA violations must report them to the Privacy Officer for investigation and resolution.
**10. Policy Review and Updates**
10.1. This HIPAA Policy will be reviewed annually and updated as needed to ensure compliance with changes in HIPAA regulations, business operations, or security threats.
10.2. Employees will be notified of any updates or changes to the HIPAA Policy and provided with appropriate training and education.
**11. Conclusion**
11.1. Compliance with HIPAA regulations is essential to maintaining patient trust and confidentiality within our aesthetic injection and wellness practice. All employees are expected to adhere to the provisions outlined in this HIPAA Policy to protect the privacy and security of PHI and uphold the highest standards of ethical conduct in patient care.
______________________________
STEPPEY AESTHETICS AND WELLNESS
Date: 06/10/2024