HIPAA Policy

HIPAA Statement

At CR Health & Wellness, privacy is a core clinical competency. Our program aligns with the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules and reflects guidance from the HHS Office for Civil Rights (OCR). Policies are reviewed and updated annually. We run an enterprise risk analysis every year and reassess after significant changes to systems or operations. The analysis documents systems, data flows, and vulnerabilities; scores each risk; and assigns an owner. Each mitigation task carries a deadline and the evidence required to close it.

All workforce members complete role-based HIPAA training at onboarding and annually. We test comprehension and track completion, and sanctions apply for repeated noncompliance. Leaders receive additional privacy accountability training. Access to ePHI follows least-privilege principles: each user has unique credentials, multi-factor authentication is enforced where feasible, sessions automatically log off after inactivity, and access is revoked immediately when a user is terminated.

We maintain detailed audit logs that capture the user, time, and activity for each access to ePHI. Alerts surface anomalous access behavior, and our Privacy Officer reviews exceptions weekly. Findings drive corrective actions and coaching. Technical safeguards protect PHI at all times: data at rest is encrypted with AES-256 and data in transit uses TLS 1.3. We deploy endpoint protection and patch management, and our intrusion detection program aligns with NIST guidance. Physical safeguards protect facilities and devices: suites use badge access and monitoring, devices are locked when unattended, media is securely wiped or destroyed before disposal or reuse, and visitors are escorted and logged.

Vendors that create, receive, maintain, or transmit PHI on our behalf sign Business Associate Agreements, and we assess their controls annually. Subcontractors must meet equivalent safeguards. Data sharing follows the minimum necessary standard. De-identification uses the Expert Determination method when appropriate.

We maintain an Incident Response Plan. Alerts are typically investigated within twenty-four hours, root causes are identified and addressed, and required notifications follow the statutory timelines (for breaches of unsecured PHI, without unreasonable delay and no later than 60 days after discovery). Documentation supports each response step.

Patients may exercise their privacy rights at any time; requests generally receive a response within thirty days. Our Notice of Privacy Practices explains these rights and is available online and onsite. Contact our Privacy Officer with questions.

© 2025 CR Health & Wellness | Site by: 321RUSS