HIPAA Compliance Policy

Effective Date: January 1, 2021

1. Application

This policy applies to all employees, contractors, and vendors while doing business with RXTRAIL and others who have access to Protected Health Information (“PHI”) in connection with RXTRAIL’s business associate activities.

2. Policy

RXTRAIL is committed to protecting the security, confidentiality, integrity, availability, and privacy of its information resources including PHI. PHI is an asset and shall be managed to ensure its security, confidentiality, integrity, availability, and privacy are maintained and use is for authorized purposes. All employees and contractors of RXTRAIL share the responsibility for safeguarding PHI to which they have access.

When performing commercial activities in support of RXTRAIL products and services (the “Business Associated Activities”), RXTRAIL may engage in certain activities which may require it to receive, store, process, transmit, create, or access and use PHI which may trigger compliance with the provision applicable to business associates under the Health Insurance Portability and Accountability Act (“HIPAA”). This policy and the HIPAA Policies adopted hereunder are intended to support the mission of RXTRAIL and to facilitate Business Associate Activities that are important to RXTRAIL by:

  • Ensuring compliance with legal requirements imposed by HIPAA and RXTRAIL’s contractual obligations.
  • Providing for the establishment of HIPAA Policies that set forth, among other things, the required technical, physical, and administrative safeguards to maintain the security, confidentiality, integrity, availability, and privacy of electronic PHI.
  • Setting forth the roles and responsibilities necessary for RXTRAIL to meet its obligations with respect to business associate activities and PHI.

3. Definitions

Business Associate Activities: Activities performed by RXTRAIL for or on behalf of a covered entity or an organized health care arrangement through which RXTRAIL receives, stores, processes, transmits, creates, or accesses and uses PHI for a function or activity regulated by HIPAA, as part of the RXTRAIL’s services.

HIPAA: The Administrative Simplification Section of the Health Insurance Portability and Accountability Act of 1996, as codified at 42 U.S.C. 1320d through d-9, and the requirements of any applicable regulations promulgated thereunder, and Title XIII of the American Recovery & Reinvestment Act of 2009 (the “HITECH Act”), as well as all the pertinent current and future regulations issued by the Department of Health and Human Services thereunder.

HIPAA Policies: The policies, procedures, rules, and/or guidelines, including information security and data privacy policies and procedures, adopted by RXTRAIL pursuant to this policy.

HIPAA Security Rule: The Federal Security Regulations promulgated under HIPAA and set forth in 45 CFR Part 164.

Protected Health Information (“PHI”): Any individually identifiable health information created or received by a health care provider. Health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse that related to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, which is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Individually identifiable health information is health information, including demographic information collected from an individual that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI excludes employment records held by a covered entity in its role as employer.

4. Roles and Responsibilities

Policy Adoption

RXTRAIL shall, in cooperation with relevant stakeholders, develop and adopt necessary and appropriate HIPAA Policies, which will include, among other things, the technical, physical, and administrative safeguards required to ensure the confidentiality, integrity, and availability of electronic PHI and protect electronic PHI against reasonably anticipated threats or hazards and unauthorized uses or disclosures. All relevant RXTRAIL stakeholders shall cooperate with RXTRAIL in the development and implementation of the HIPAA Policies.

The RXTRAIL information security and data privacy policies are a component of the HIPAA Policies and implement controls which support HIPAA compliance.

HIPAA Security Officer

The HIPAA Security Officer shall have the responsibilities set forth in this Policy. The HIPAA Security Officer, in consultation with relevant stakeholders, is responsible for oversight of RXTRAIL’s HIPAA Compliance Program and may create, modify or revise the HIPAA Policies, and procedures as necessary to incorporate changes to HIPAA or the HIPAA Security Rule or to improve compliance. In addition, the HIPAA Security Officer is responsible for reviewing and approving or disapproving proposed projects or activities that may require RXTRAIL to receive, store, process, transmit, create or access and use PHI. The HIPAA Security Officer, in consultation with the project sponsor and other relevant stakeholders, is responsible for determining whether a proposed project includes Business Associate Activities and, where necessary, implementing a business associate agreement and monitoring compliance with its terms.

The HIPAA Security Officer is: Scott Taylor, Chief Security Officer, Staylor@RxTrail.org

5. Implementation

Data Protection

All HIPAA and PHI data will be accessible on a strict need-to-know basis. HIPAA and PHI data is to be kept confidential and must be protected and safeguarded from unauthorized access, modification and disclosure.

  • Storage and Transmission: HIPAA and PHI must be encrypted, with strong cryptography, whenever stored on or transmitted by RXTRAIL systems.
  • Disposal: Paper records must be securely shredded prior to disposal. Electronic media must be securely wiped, sanitized or physically destroyed prior to disposal or reuse.
  • Awareness Training: Relevant personnel will receive appropriate training on their information security and data privacy responsibilities with regard to HIPAA and the handling of PHI.

​Breach Notification

Notification of any reportable unauthorized use or disclosure of HIPAA protected information will be sent to affected parties in accordance with the HIPAA Breach Notification Rule, 45 CFR 164.400-414.

​All employees and contractors of RXTRAIL are responsible for understanding RXTRAIL’s HIPAA Policies and procedures, including Information Security Policies, and complying with their respective obligations thereunder.

6. Enforcement

The Chief Security Officer and CEO are responsible for the enforcement of this policy. Employees who may have questions should contact Tim Kerr or Scott Taylor as appropriate.

Disciplinary Action

Failure to comply with any provision of this policy may result in disciplinary action, including, but not limited to, termination.

Reporting

All suspected violations or potential violations of this policy, no matter how seemingly insignificant, must promptly be reported either to recipient(s) or policy violation reports to RXTRAIL’s HIPAA Security Officer or CEO immediately.

As long as a report is made honestly and in good faith, RXTRAIL will take no adverse action against any person based on the making of such a report. Failure to report known or suspected wrongdoing of which you have knowledge may subject you to disciplinary action up to and including termination of employment.