The Law Offices of Owen Hathaway, LLC (OHLaw) takes privacy very seriously. We share a commitment with our clients, who include consumers, business owners, nonprofit organizations, professionals, and several different types of health care organizations subject to HIPAA Rules and Regulations, to protect the privacy and confidentiality of personally identifiable information (PII) that we obtain.
This Policy is provided to help you better understand how we at OHLaw use, disclose, and protect PII in accordance with the terms of Business Associate Agreements.
At all times, our treatment of PII remains subject to the strictest confidentiality as required under Rule 1.6 of the Colorado Rules of Professional Conduct. We will never disclose personally identifiable information in violation of that rule.
Business Associate Agreement (BA Agreement). A Business Associate Agreement is a formal written contract between OHLaw and a HIPAA Covered Entity or Business Associate that requires OHLaw to comply with specific requirements related to protected health information (PHI).
Covered Entity. A Covered Entity is a health plan, health care provider, or health care clearinghouse that must comply with the HIPAA Privacy Rule.
General Data Protection Regulation (GDPR). GDPR is a data privacy rule enacted by the European Union concerning the personal data of people in the EU. You can learn more at these links: EUGDPR.org and Wikipedia’s page.
Personally Identifiable Information (PII). PII includes all information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
Protected Health Information (PHI). PHI includes all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information is any information that can be used to identify an individual and that was created, used, or disclosed in (a) the course of providing a health care service such as diagnosis or treatment, or (b) in relation to the payment for the provision of health care services.
Use and Disclosure of PII
We will only use PII we collect in the following ways:
- to deliver the services our clients have engaged us to provide
- to communicate with our clients and prospective clients about the services we provide
- to secure payment for our services
- to disclose PII to third parties with the permission of the information owner
Statement on GDPR
All of our services involve solving problems using the United States legal system. We do not offer any services that would be useful to anyone outside the U.S., and we decline to represent any person who is in the E.U. We therefore take the position that GDPR does not apply to our business.
Use and Disclosure of PHI
We may use PHI for our management, administration, data aggregation and legal obligations to the extent such use of PHI is permitted or required by a BA Agreement and not prohibited by law. We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of fulfilling our service obligations to Covered Entities, if such use or disclosure of PHI is permitted or required by the BA Agreement and would not violate the Privacy Rule.
In the event that PHI must be disclosed to a subcontractor or agent, we will ensure that the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under the BA Agreement with respect to PHI, including the implementation of reasonable and appropriate safeguards.
We may also use PHI to report violations of law to appropriate federal and state authorities.
We use appropriate safeguards to prevent unauthorized use or disclosure of PII, including the safeguards provided for in the various BA Agreements. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PII that we create, receive, maintain, or transmit. Such safeguards include:
- Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
- Providing appropriate training for our staff to assure that our staff complies with our security policies;
- Making use of appropriate encryption when transmitting PII over the Internet;
- Utilizing appropriate storage, backup, disposal and reuse procedures to protect PII;
- Utilizing appropriate authentication and access controls to safeguard PII;
- Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
- Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PII we hold is available when needed.
Mitigation of Harm
In the event of a use or disclosure of PII that is in violation of this policy, the requirements of a BA Agreement, or other law, we will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:
- Reporting any inappropriate use or disclosure of PII and any security incident of which we become aware to the appropriate people or entities; and
- To the extent permitted by the Colorado Rules of Professional Conduct, documenting such disclosures of PII and information related to such disclosures to enable our clients to respond to a request for an accounting of disclosure of PII.
Access to PHI
Where necessary, we will make available to our clients the information necessary for a Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.
Upon request, we will make our internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by OHLaw on behalf of, a Covered Entity available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BA Agreement and HIPAA regulations.