CareSync

Januray 2025  
HIPAA Privacy Policy and Procedures   

Noble Telehealth LLC

TABLE OF CONTENTS

1……… Introduction. 1

2……… Definitions. 2

3……… General 3

4……… Privacy Official 4

5……… Safeguards. 6

6……… Workforce Member Training and Sanctions. 8

7……… Complaints to Privacy Official and Inquiries. 110

8……… Use and Disclosure of Protected Health Information. 154

9……… Minimum Necessary. 165

10……. Limited Data Set 17

11……. De-Identification of PHI 210

12……. Authorizations for the Use and Disclosure of PHI 232

13……. Subcontractors. 265

14……. Access to PHI 28

15……. Confidential Communications. 37

16……. Restrictions on Uses and Disclosures of PHI 38

17……. Amendment of Medical Record. 43

18……. Accounting of Disclosures. 521

19……. Breach Notification Policy. 56

20……. Marketing. 67

21……. Sale of PHI 69

22……. Law Enforcement Disclosures. 721

23……. Retention. 75

1.          Introduction

Noble Telehealth LLC (“Noble Telehealth”) is fully committed to protecting the privacy of health information. Noble Telehealth provides services for or on behalf of a Covered Entity and thus is currently regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing privacy regulations (the “Privacy Rule”). To that end, Noble Telehealth has enacted policies and procedures to ensure the confidentiality of individuals’ Protected Health Information and personal information. These policies and procedures guard against the potential for inappropriate use or disclosure of PHI by Noble Telehealth and its subcontractors.

Noble Telehealth has chosen to adopt and implement these policies and procedures to apply to their Workforce Members.

In addition to the adoption of these policies and procedures, Noble Telehealth has also designated John Parks as the Privacy Official. All questions, concerns, complaints, and privacy related matters should be forward to the Privacy Official’s attention. The Privacy Official can be reached at:

John Parks

(877) 399-3371

support@nobletelehealth.com

2.          Definitions

Breach” means the unauthorized access, acquisition, use, or disclosure, of Protected Health Information (“PHI”) in a manner that is not permitted under 45 C.F.R. Part 164, subpart E, which compromises the security or privacy of such information.

“Business Associate” meansan entity such asNoble Telehealth, which has entered into a contract with a Covered Entity or other third party and that provides certain services on behalf of such Covered Entity or third party that require Noble Telehealthto create, receive, maintain, or transmit PHI.

Disclosure” means the sharing of PHI by an individual within Noble Telehealth with a person or entity outside Noble Telehealth.

Electronic Protected Health Information” (“ePHI”) is a subset of Protected Health Information and means PHI that is transmitted by or maintained in any electronic media or form.

Protected Health Information” or “PHI” means any information that is created or received by Business Associate from or on behalf of Covered Entity, whether oral or recorded in any form or medium: (I) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used or disclosed to identify the individual, as further defined in 45 C.F.R. § 160.103.

Required by Law” shall have the same meaning as the phrase “required by law,” which is defined in 45 C.F.R. § 164.103, including federal and state laws and the rules and regulations promulgated by regulators which have jurisdiction over Noble Telehealth including self-regulatory authorities, as defined in federal securities and commodities laws.

Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Subcontractor” means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the Workforce of such Business Associate.

Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under Section 13402(h)(2) of Public Law 111-5.

Workforce Members” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.

All terms not otherwise defined in these policies will have the meaning set forth in 45 C.F.R. § 160.103 and the Privacy Rule.

3.          General

Policy:

Noble Telehealth shall ensure that their use and/or disclosure of PHI is in accordance with applicable law. Before using or disclosing PHI, Noble Telehealth will obtain the appropriate authorization from the individual or will make a determination that an exception to such requirement applies.

The Privacy Rule restricts the use and disclosure of PHI by Covered Entities, and their Business Associates, such as Noble Telehealth, unless specifically authorized by law or by patient authorization. As a Business Associate, Noble Telehealth, will not use or disclose individuals’ PHI except as permitted by the applicable Business Associate Agreement between Covered Entity and Noble Telehealth, the Privacy Rule, and other applicable federal and state confidentiality laws, or as required by law.

Noble Telehealth and its Workforce Members will adhere to these policies and procedures and federal and state law. Noble Telehealth will also require Business Associates to comply with the terms of the applicable Business Associate Agreement(s) and federal and state law.

Appropriate physical, administrative, and technical safeguards will be utilized to protect individuals’ PHI pursuant to these policies and procedures. See Noble Telehealth’s Security Policies and Procedures for specific safeguards related to electronic PHI (“EPHI”).

Procedure:

Noble Telehealth’s obligation is to ensure that information concerning individuals’ health care is kept confidential, except where use or disclosure is permitted and/or required by applicable law. Workforce Members shall be mindful that the obligation to maintain privacy and confidentiality continues after Noble Telehealth is no longer providing services to the Covered Entity or individual. In addition, Workforce Members are required to keep individuals’ information confidential even after Workforce Members are no longer employed or associated with Noble Telehealth.

When Noble Telehealth discloses PHI to a Subcontractor to create, receive, maintain, or transmit PHI on Noble Telehealth’s behalf, Noble Telehealth must enter into a Business Associate Agreement with the Subcontractor requiring the Subcontractor to comply with the terms of such Business Associate Agreement.

Questions regarding this Policy or knowledge of a violation or potential violation of this Policy must be reported directly to the Privacy Official.

If any provisions outlined in these policies and procedures conflict with the terms of a Business Associate Agreement, the terms of the Business Associate Agreement shall control as long as those terms comply with the Privacy Rule and all other applicable law.

Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

4.          Privacy Official

Policy:

Noble Telehealth has designated a Privacy Official responsible for the development and implementation of these policies and procedures, along with other duties that may be set forth in the policies and procedures, including receiving complaints regarding PHI. The Privacy Official’s contact information is as follows: John Parks (877) 399-3371 support@nobletelehealth.com

Procedure:

The Privacy Official will be trained on these policies and procedures within a reasonable time period after being designated as the Privacy Official or after any material change in the Privacy Official’s duties for Noble Telehealth. The training will incorporate the unique specifications and implications of Noble Telehealth’s routine business activities.

The Privacy Official is responsible for:

  • Ensuring appropriate access to PHI, in conjunction with the Security Official.
  • Facilitating the secure management of PHI, in conjunction with the Security Official.
  • Overseeing and monitoring Noble Telehealth’s policies and procedures and maintaining the integrity of the policies and procedures at all times.
  • Arranging appropriate training on these policies and procedures for all existing Workforce Members and new hires.
  • Monitoring the proper use and disclosure of PHI.
  • Ensuring that Noble Telehealth obtains individual authorization for the use or disclosure of PHI when required.
  • Developing and maintaining Business Associate Agreements with Business Associates.
  • Monitoring Noble Telehealth’s compliance with the policies and procedures and applicable Business Associate Agreements.
  • Ensuring that Noble Telehealth has processes in place to facilitate individual rights regarding PHI, to the extent required by the applicable law.
  • Overseeing, along with the Security Official, the investigation and response to security incidents and breaches and other improper uses or disclosures of PHI.
  • Maintaining current knowledge of applicable federal and state laws relating to the privacy of PHI.
  • Cooperating with the Office for Civil Rights, the Centers for Medicare and Medicaid Services, and other oversight agencies regarding the privacy and security of PHI.
  • Managing complaints relating to the privacy of PHI.
  • Overseeing the implementation and enforcement of Noble Telehealth’s sanctions policy related to the Privacy Rule.
  • Maintaining documentation required by the Privacy Rule for a minimum of 6 years, including maintaining these policies and procedures for 6 years from creation or from the date when these policies and procedures are last in effect, whichever is later.
Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

5.          Safeguards

Policy:

Noble Telehealth is required to implement safeguards to protect the privacy of individuals’ PHI. The Privacy Rules permit “incidental” uses or disclosures made in the course of otherwise permissible uses or disclosures. These incidental uses and disclosures are not permitted, however, if Noble Telehealth does not have reasonable safeguards in place to limit the occurrence of incidental uses and disclosures of PHI. For additional safeguards related to electronic PHI, see Noble Telehealth Security Policies and Procedures.

Procedure:

The Privacy Official will coordinate with and support the efforts of the Security Official and other appropriate personnel, as necessary, to review and implement appropriate safeguards for PHI. These safeguards shall be reviewed routinely and the reasonableness of such safeguards shall be determined through engaging in the security risk management process and considering the financial and administrative burdens of particular safeguards.

Reasonable safeguards may include, but are not limited to:

  • Whenever possible, Noble Telehealth and other verbal conversations are conducted in areas where an individual’s PHI cannot be overheard by visitors or unauthorized Workforce Members.
  • When it is unavoidable to discuss PHI in a public area, it is done in a manner that protects the individual’s privacy as much as possible. For example, avoiding speakerphone conversations.
  • Locations that maintain and store PHI are secured in a manner that prevents access by unauthorized individuals. For example, doors are closed or locked when an area is unattended, file cabinets are closed or locked, etc.
  • Printed PHI should not be left unattended, such as on copiers, fax machines, desktops, or printers for an extended period of time. All Workforce Members should protect the privacy of printed materials containing PHI by assuring that such printed materials are properly secured, such as in a locked cabinet, or destroyed as applicable, when leaving a workstation during the workday and at the end of each workday.
  • Workforce Members who must transmit PHI to another Workforce Member(s) should assure that delivery is completed and received by the other Workforce Member(s).
  • When it is necessary to leave voice messages that include individuals’ PHI, such information should be limited to the minimum information necessary.
  • Shred documents containing PHI when no longer needed.
  • Documents containing PHI should not be brought to or printed at a Workforce Member’s home unless necessary for work purposes, in which case the PHI should be destroyed after use. When PHI is taken outside of Noble Telehealth’s facility, it must be transported in a secure manner.
  • When Workforce Members terminate employment, all access to PHI shall be immediately terminated. If the Workforce Member has a key/swipe card or keys to facilities, those items shall be immediately retrieved from the terminated employee.
Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

6.          Workforce Member Training and Sanctions

Policy:

All Workforce Members shall be trained in the appropriate use and disclosure of PHI as set forth in these policies and procedures. Training will be based upon the information necessary and appropriate for the Workforce Members to carry out the functions of their specific position. Workforce Members will be sanctioned for improper use or disclosure of PHI. However, Noble Telehealth shall not engage in intimidating or retaliatory acts for the exercise of certain rights under and/or compliance with the requirements of HIPAA.

Procedure:

The Privacy Official will document all Workforce Member trainings and maintain such documentation for a period of at least 6 years from the date of training. Training should be conducted:

  • Within 30 days following a hire or assignment to Noble Telehealth, for all new Workforce Members; or
  • Within a reasonable period of time following a material change in these policies and procedures, for all Workforce Members whose functions are affected by the change;
  • At the discretion of the Privacy Official; and
  • Annually.

Sanctions:

The Privacy Official is responsible for identifying improper use or disclosure of PHI by a Workforce Member(s) and informing the Human Resources Department and/or Management so that a determination of the severity of Workforce Member sanctions can be made in compliance with this Policy.

  • The sanction applied will vary depending on: (1) the severity of the violation; (2) whether the violation was intentional or unintentional; (3) whether the violation indicates a pattern or practice of improper access; (4) the type of use or disclosure; and (5) any other appropriate factors.
  • Depending upon the nature and circumstances of the violation, Workforce Member sanctions may include a warning, a suspension, termination of employment, and/or reporting to appropriate agencies.
  • All sanctions will be documented and retained by Noble Telehealth for a period of at least 6 years from the date of discipline or when the discipline was last in effect, whichever is later.

The sanctions do not apply when Workforce Members appropriately exercise their right to:

  • File a privacy-related complaint with the Secretary of the United States Department of Health and Human Services (“HHS”); or
  • Testify, assist, or participate in an investigation, compliance review, proceeding, or hearing as specified under 45 C.F.R. Part 160; or
  • Oppose any act made unlawful by the Privacy Rule, provided the person has a good faith belief that the act opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of the Privacy Rule; or
  • Disclose PHI to (i) an appropriate health oversight agency, public health authority, or health care accreditation organization to report failure to meet professional standards or misconduct, or (ii) an attorney retained by the person for purposes of determining legal options with regard to whistleblower activity, provided the person has a good faith belief that Noble Telehealth or the applicable Covered Entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided potentially endanger patients, workers, or the public.
  • Noble Telehealth encourages all Workforce Members to report any inappropriate use or disclosure of PHI to the Privacy Official.
Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

7.          Complaints to Privacy Official and Inquiries

Policy:

Noble Telehealth shall promote an environment that allows and encourages individuals to make complaints regarding Noble Telehealth’s policies and procedures, uses or disclosures of PHI, and/or other matters related to the privacy of the individual’s PHI. Noble Telehealth will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals or others in accordance with the Privacy Rule.

Procedure:

If an individual states that he or she would like to file a complaint, approved Workforce Members or the Privacy Official should inform the individual that he or she must make the complaint by completing the HIPAA Privacy Complaint Form. (See below).

The Privacy Official or their designated investigator(s) will then investigate and make a determination regarding the validity of the complaint. The Privacy Official will coordinate the investigation until the complaint is resolved. The Privacy Official or designated investigator(s) will carry out an investigation appropriate for the circumstances of the complaint and where appropriate, legal counsel may be consulted. The Privacy Official shall document and maintain all investigations by utilizing the Complaint Investigation Form. (See below).

The Privacy Official and/or their designated investigator(s), management, or any Workforce Member shall not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against any individual for:

  • Filing a privacy-related complaint with the Secretary of the United States Department of Health and Human Services; or
  • Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing as specified under 45 C.F.R. Part 160; or
  • Opposing any act made unlawful by the Privacy Rule, provided the person has a good faith belief that the act opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of the Privacy Rule; or
  • Disclosing PHI to (i) an appropriate health oversight agency, public health authority, or health care accreditation organization to report failure to meet professional standards or misconduct, or (ii) an attorney retained by the person for purposes of determining legal options with regard to whistleblower activity, provided the person has a good faith belief that Noble Telehealth or the applicable Covered Entity client has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided potentially endanger patients, workers, or the public.
Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

HIPAA Privacy
Complaint Form

Individual Name:
Address:Noble Telehealth #:
Name of Person Reporting (if different):
Relationship to individual:Noble Telehealth #:
Address:
Specifics of Report (include date and time of incident, names of persons involved, and nature of complaint):
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

[for internal use only]

Date Received:  Time Received:  Received By 
 
Report Received:  In Person  Phone  Mail (please attach)  E-mail (please attach)

COMPLAINT INVESTIGATION FORM

Individual Name:
Name of Investigator(s):
Date of Complaint:(attach completed individual Complaint Form)
Facility Location:
Persons Interviewed (include date/time and attach written statements):
Documents Reviewed (attach copies):
Summary and Conclusions of Investigation (attach additional pages if necessary):
Recommended Mitigation Steps (to the extent practicable):
Indicate whether the incident is a Breach of Unsecured PHI:
Corrective Action Taken: (include action taken and date of action):
 
 
 
 
    
Investigator Signature Date 
    
Investigator Signature Date 
    
Privacy Official Signature Date 

8.          Use and Disclosure of Protected Health Information

Policy:

Under HIPAA, PHI may not be used or disclosed without patient authorization, unless a specific exception applies under either state or federal law. All Workforce Members who use or disclose PHI are required to understand and abide by the policies and procedures and applicable federal and state laws. Except with respect to uses or disclosures that require an authorization or that are otherwise prohibited (for example, by more restrictive state laws), Workforce Members may use and disclose PHI as permitted by the Business Associate Agreement with a Covered Entity.

Procedure:

It is the responsibility of Noble Telehealth and all Workforce Members to determine if a proposed use or disclosure is in compliance with these policies and procedures, applicable federal and state law, and any applicable Business Associate Agreement. It is expected that many of the uses and disclosures of PHI that Workforce Members will encounter will fall under disclosures made for Treatment, Payment, or Health Care Operations. These exceptions to the authorization requirement cover the majority of uses and disclosures that are necessary for day to day healthcare operations. However, applicable state law may be more restrictive.

If a proposed use or disclosure does not fit within the Treatment, Payment, or Health Care Operations exceptions, the proposed use or disclosure must fit within another exception under HIPAA and state law, taking into account the preemption analysis. If the proposed use or disclosure does not fit within an exception under HIPAA or applicable state law, or does not comply with the terms of the applicable Business Associate Agreement, the PHI may not be used or disclosed without the individual’s written authorization, and in the case of a Business Associate Agreement, without Covered Entity’s approval.

In the event of Noble Telehealth’s discovery of a use or disclosure of PHI that is inconsistent with the terms of an applicable Business Associate Agreement, Noble Telehealthshall notify the applicable Covered Entity in accordance with the applicable Business Associate Agreement, the Breach Notification Policy (if applicable), and the Security Policies and Procedures applicable to Noble Telehealth (if applicable).

When in doubt all Workforce Members should contact the Privacy Official to understand their obligations with respect to using and disclosing PHI.

  •  
Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

9.          Minimum Necessary

Policy:

Noble Telehealth shall use, disclose, and request only the minimum amount of PHI necessary to accomplish the specific purpose of the use, disclosure, or request. Until the effective date of further guidance or regulations issued on the meaning of “Minimum Necessary,” Noble Telehealth will request, use, and disclose, to the extent practicable, only PHI in the form of a Limited Data Set (See 10. Limited Data Set) or, if needed, the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request.

Procedure:

  • For routine and reoccurring disclosures of PHI, Noble Telehealth will limit access to Workforce Members requiring access to PHI for their job duties. Access to PHI shall be limited through reasonable administrative, technical, and physical safeguards established by the Privacy Official.
  • Non-routine disclosures of PHI will be reviewed on an individual basis, taking into consideration one or more of the following criteria as applicable: specificity of the request; purpose/importance of the request; likelihood of re-disclosure; and any other factors determined to be relevant. These criteria will be applied as a general set of guidelines recognizing that the context of each such requested disclosure will vary.
  • Noble Telehealth, when disclosing PHI, shall be responsible for determining what constitutes the Minimum Necessary to accomplish the intended purposes of such disclosures. Workforce Members may reasonably rely on the representations by a requesting party that the PHI requested complies with the Minimum Necessary standard.

Exceptions:

The requirements of the “Minimum Necessary standard” do not apply to:

  • Disclosures to or requests by a health care provider for treatment purposes;
  • Uses and disclosures made to the patient or their authorized personal representative;
  • Uses and disclosures made pursuant to an authorization from a person in interest;
  • Disclosures made to the Secretary of the U.S. Department of Health and Human Service for enforcement or during an investigation of compliance with the Privacy Rule;
  • Uses or disclosures required by law; and
  • Uses or disclosures required for compliance with HIPAA.
Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

10.     Limited Data Set

Policy:

Noble Telehealth may disclose a Limited Data Set to an outside party without a patient’s authorization only if (a) the disclosure is for purposes of research, public health, or health care operations, (b) Noble Telehealth obtains satisfactory assurances, in the form of a HIPAA-compliant data use agreement, that the Limited Data Set recipient will only use or disclose the PHI for limited purposes, and (c) if permitted under the associated Business Associate Agreement.

A Limited Data Set is a subset of PHI from which the following direct, or “facial,” identifiers of the individual, or of relatives, employers, or household members of the individual, have been removed:

  • Names
  • Postal address information, other than town or city, State, and zip code
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health-plan beneficiary numbers
  • Account numbers
  • Certificate and license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifies including fingerprints and voice prints
  • Full-face photographic images and any comparable image
  • Any other unique identifying number, characteristic, or code

The Limited Data Set may contain the following data elements: town, city, state, and zip code; date of birth; date of death; and admission or discharge dates. A Limited Data Set is not de-identified information and is therefore still PHI and subject to the requirements of the Privacy Rule.

Procedure:

Creation of Limited Data Set:

Only Covered Entity, Workforce Members, or a Business Associate of Noble Telehealth may create a Limited Data Set. If a Subcontractor creates a Limited Data Set, there must be a Business Associate Agreement in place.

Data Use Agreement:

Noble Telehealth may use or disclose a Limited Data Set, as defined above, for purposes of research, public health, or health care operations only if Noble Telehealth obtains a Data Use Agreement (“DUA”) from the person/entity to whom the Limited Data Set is to be disclosed, and such disclosure is consistent with the associated Business Associate Agreement. A DUA must be entered into before there is any use or disclosure of a limited data set to an outside party. A DUA must:

  • Establish the permitted uses and disclosures of such information by the Limited Data Set recipient. The DUA may not authorize the Limited Data Set recipient to use or further disclose the information in a manner that would violate the Privacy Rule, if done by a Covered Entity;
  • Establish who is permitted to use or receive the Limited Data Set; and
  • Provide that the Limited Data Set recipient will:
  • Not use or further disclose the information other than as permitted by the DUA or as otherwise required by law;
  • Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the DUA;
  • Report to the Covered Entity any use or disclosure of the information not provided for by the DUA of which it becomes aware;
  • Ensure that any agents to whom it provides the Limited Data Set agree to the same restrictions and conditions that apply to the Limited Data Set recipient with respect to such information; and
  • Not identify the information or contact the individuals.

Noncompliance by Limited Data Set Recipient:

If at any time Noble Telehealth becomes aware that a recipient of a Limited Data Set has undertaken a pattern of activity or practice that constitutes a material breach or violation of the DUA, then Noble Telehealth must take reasonable steps to cure the breach or end the violation. If the breach cannot be cured or the violation ended, then Noble Telehealth must cease all disclosures of the Limited Data Set to the recipient and report the problem to the Covered Entity.

All Workforce Members are required to report to the Privacy Official any suspected violations of Data Use Agreements.

Minimum Necessary and Accounting for Disclosures:

The minimum necessary and accounting for disclosures rules do not apply to PHI disclosed as part of a Limited Data Set.

Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

11.     De-Identification of PHI

Policy:

The Privacy Rule does not apply to de-identified health information. PHI may be de-identified by Noble Telehealth, provided the applicable Covered Entity permits such a use of PHI in an agreement or Business Associate Agreement.

Noble Telehealth meets the de-identification standard if it has removed all of the required identifiers and if Noble Telehealth has no actual knowledge that the information could be used to identify a patient. Noble Telehealthmay not share any de-identified data without the authorization of the associated Business Associate Agreement.

Procedure:

Noble Telehealth will convert patient PHI into a format that does not identify the patient (de-identify) when:

  • PHI is used or shared for purposes other than treatment, payment, or health care operations, or
  • Information is used or shared without patient authorization.

Noble Telehealth will de-identify the PHI by one of the following methods:

a.            Elimination of all identifiers:
i.              Names.
ii.             All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if the geographic area contains more than 20,000 people. If less than 20,000 people are found to be in this area based on the first three digits of the zip code, the code must be changed to 000.
iii.            All elements of dates (except year) for date directly related to a patient including birth date, admission date, discharge date, date of death: and all ages over 90 and al elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
iv.           Telephone numbers.
v.             Fax numbers.
vi.           Electronic mail address.
vii.          Social security numbers.
viii.         Medical Record numbers.
ix.           Health plan beneficiary numbers.
x.             Account numbers.
xi.           Certificate/license numbers.
xii.          Vehicle identifiers and serial numbers, including license plate numbers.
xiii.         Device identifiers and serial numbers.
xiv.         Web Universal Resource Locators (URLs).
xv.          Internet Protocol (IP) address numbers.
xvi.         Biometric identifiers, including finger and voiceprints.
xvii.        Full face photographic images and any comparable images.
xviii.       Any other unique identifying number, characteristic, or code.

In addition to removing the above identifiers, Noble Telehealth must not have actual knowledge that the information could be used alone or in combination with other information to identify a patient who is a subject of the information.

b.            Statistical De-Identification: A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable applies such principles and determines that the risk is very small that the information could be used to identify the patient. The methods and the results of the analysis must be documented.
Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

12.     Authorizations for the Use and Disclosure of PHI

Policy:

In accordance with the Privacy Rule, and in accordance with the associated Business Associate Agreement, when PHI is to be used or disclosed for purposes other than Treatment, Payment, or Health Care Operations or another permitted purpose under HIPAA, Noble Telehealth will use and disclose it only pursuant to a valid, written authorization. Use or disclosure pursuant to an authorization will be consistent with the terms of such authorization.

Procedure:

Exceptions to Authorization Requirements:

If consistent with any associated Business Associate Agreement, PHI may be disclosed without an authorization if the disclosure is:

  • Requested by the patient or its personal representative (authorization is not required);
  • For the purpose of Treatment;
  • For the purpose of Payment activities, or the Payment activities of the entity receiving the PHI;
  • For the purpose of Health Care Operations;
  • In limited circumstances, for the Health Care Operations of another Covered Entity, if the other Covered Entity has or had a relationship with the patient;
  • To the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the Privacy Rule; or
  • Required by other state or federal law.

Use or Disclosure Pursuant to an Authorization:

  • PHI may never be used or disclosed in the absence of a valid written authorization if the use or disclosure is:
  • Of Psychotherapy Notes as defined by the Privacy Rule, except if the disclosure is to carry out the following Treatment, Payment, or Health Care Operations:
  • Use is by the originator of the Psychotherapy Notes for Treatment;
  • Use or disclosure by Noble Telehealth for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
  • Use or disclosure by Noble Telehealth to defend itself in a legal action or other proceeding brought by the individual;
  • For the purpose of Marketing; and
  • The sale of PHI.
  • If the use or disclosure requires a written authorization, Noble Telehealth shall not use or disclose the PHI unless the request for disclosure is accompanied by a valid authorization.
  • If the request for disclosure is not accompanied by a valid written authorization, Noble Telehealth shall notify the requestor that it is unable to provide the PHI requested.
  • If the request for disclosure is accompanied by a written authorization, Noble Telehealth will review the authorization to ensure that it is valid.
  • If the authorization is lacking a required element or does not otherwise satisfy the HIPAA requirements, Noble Telehealth will notify the requestor, in writing, of the deficiencies in the authorization. No PHI will be disclosed unless and until a valid authorization is received.
  • If the authorization is valid, Noble Telehealth will disclose the requested PHI to the requester. Only the PHI specified in the authorization will be disclosed.
  • Each authorization shall be filed in the patient’s medical record.

Preparing an Authorization for Use or Disclosure:

  • When Noble Telehealth is using or disclosing PHI and an authorization is required for the use or disclosure, Noble Telehealth will not use or disclose the PHI without a valid written authorization from the patient or the patient’s personal representative.
  • The authorization must contain all required elements of a valid HIPAA authorization and must be signed and dated by the patient or the patient’s personal representative before the PHI is used or disclosed.
  • Noble Telehealth may not condition the provision of treatment on the receipt of an authorization unless it is providing research-related treatment or health care that is solely for the purpose of creating PHI for disclosure to a third party (i.e., performing an independent medical examination at the request of an insurer or other third party).
  • An authorization may not be combined with any other document unless one of the following exceptions applies:
  • Authorizations to use or disclose PHI for a research study may be combined with any other type of written permission for the same research study, including a consent to participate in such research; or
  • Authorizations to use or disclose psychotherapy notes may only be combined with another authorization related to psychotherapy notes.

Revocation of Authorization:

A patient may revoke his or her authorization at any time. The authorization may only be revoked in writing. Upon receipt of a written revocation, Noble Telehealth may no longer use or disclose a patient’s PHI pursuant to the authorization. Each revocation will be filed in the patient’s medical record and/or Designated Record Set.

Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

13.     Subcontractors

Policy:

Noble Telehealth contracts with various outside persons and entities to perform functions or provide services on its behalf that may involve the disclosure of PHI to, or the creation, receipt, maintenance, or transmission of PHI by, the outside person or entity. These outside persons or entities are Noble Telehealth Subcontractors. The policy of Noble Telehealth is to obtain written assurances from Subcontractors that they will appropriately safeguard any PHI they create or receive on Noble Telehealth’s behalf. Such written assurances must be in place before Noble Telehealth discloses PHI to the Subcontractor. In entering such agreements, Noble Telehealthwill adhere to the Business Associate Agreements between it and Covered Entities.

Procedure:

1.            Noble Telehealth will follow established procedures regarding contract review, revision, and approval to assure that any contract is in compliance with state and federal law.

2.            For each contract, Noble Telehealth must determine whether a Business Associate Agreement or Subcontractor Business Associate Agreement is necessary.

3.            Business Associate Provisions. Prior to disclosing any PHI to a Subcontractor, Noble Telehealth will obtain satisfactory assurances from the Subcontractor that the Subcontractor will appropriately safeguard the PHI it creates, receives, maintains, or transmits on behalf of Noble Telehealth, in the form of a written agreement that provides that the Subcontractor will:

a.            Not use or disclose PHI other than as permitted or required by the agreement with Noble Telehealth or as required by law;
b.            Use appropriate safeguards to prevent use or disclosure of the PHI other than as provided by the agreement with Noble Telehealth and use administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI;
c.             Report to Noble Telehealth any access, use, or disclosure of the information not provided for by its contract and any security incident of which it becomes aware; and following the discovery of any breach of unsecured PHI, notify Noble Telehealth of such breach;
d.            Ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Subcontractor agree in writing to the same restrictions and conditions that apply to the Subcontractor with respect to such information and implement reasonable and appropriate safeguards to protect the PHI;
e.            Make available to Noble Telehealth the information necessary for Noble Telehealth to comply with an individual’s right to access to PHI; and if Subcontractor maintains an electronic health record, provide such information in electronic format to enable Noble Telehealth to fulfill its obligations and those of its contracts under the HITECH Act;
f.              Make PHI available for amendment and amend the patient records as necessary;
g.            Make available the information required to provide an accounting of disclosures;
h.            Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with the Privacy Rule;
i.              At termination of the contract, if feasible, return or destroy all PHI that the Subcontractor still maintains in any form and retain no copies of such information, or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible;
j.              To the extent the Subcontractor is to carry out Noble Telehealth’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of such obligations; and
k.             To the extent Noble Telehealth is subject to a Business Associate Agreement with a Covered Entity or another Business Associate, a Business Associate Agreement with a Subcontractor must be similar or the same as the terms of the Business Associate Agreement for that certain PHI.

4.            Noble Telehealth shall make reasonable attempts to utilize its own template Business Associate Agreements. It is acceptable for Noble Telehealth to negotiate terms of a Business Associate Agreement with an applicable Covered Entity or Subcontractor.

5.            If the Subcontractor refuses to sign the Business Associate Agreement, the Privacy Rule prohibits Noble Telehealth from disclosing any PHI to the Subcontractor or permitting the Subcontractor to create, receive, maintain, or transmit PHI on Noble Telehealth’s behalf. If the Subcontractor requires access to PHI in order to perform the function or service on behalf of Noble Telehealth, Noble Telehealth shall not contract with the Subcontractor.

6.            Noble Telehealth shall maintain the original signed Business Associate Agreement and any contract addenda containing Subcontractor language.

7.            The information disclosed to the Subcontractor must be restricted to the minimum amount necessary to enable the Subcontractor to perform the function or provide the services for which Noble Telehealth has contracted with the Subcontractor.

8.            Notice of Termination of a Contract with a Subcontractor. Noble Telehealth shall notify the Privacy Official when issuing or receiving a notice of contract termination involving a Subcontractor. Noble Telehealth will coordinate with the Subcontractor regarding the Subcontractor’s obligations to return or destroy all PHI or, if return or destruction is not feasible, to extend the protections of the Subcontractor requirements to the PHI and to limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible. The contract and contract addendum must be retained for 6 years after the contract was last in effect.

Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

14.     Access to PHI

Policy:

Generally, all individuals have a right to access his or her PHI maintained in a Designated Record Set. As a Business Associate, Noble Telehealth agrees, to the extent PHI is maintained in a Designated Record Set on behalf of a Covered Entity, to make PHI in a Designated Record Set available for access and copying. Noble Telehealth will promptly notify the applicable Covered Entity of the request for access. A Covered Entity may make a reasonable request that Noble Telehealth fulfill requests on behalf of a Covered Entity, or such fulfillment may be required by an agreement with the Covered Entity. While exceptions exist to a patient’s right to access their PHI, Noble Telehealth will respond to every request for access in accordance with the requirements of the Privacy Rule.

Procedure:

Informing Covered Entity:

a.            All requests from an individual to access their PHI should be directed to the Privacy Official, who shall notify the Covered Entity. Upon a reasonable request by the Covered Entity, or as required by contract, Noble Telehealth will respond to the individual in accordance with this policy.

Right of Access:

a.            Noble Telehealth shall ensure that their practices conform to HIPAA and an applicable Covered Entity’s Notice of Privacy Practices in order to inform patients of their right to access their PHI.
b.            A “designated record set” is defined as follows:
i.              Medical, billing, and payment records maintained by Noble Telehealth;
ii.             Insurance information, including enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
iii.            Records Noble Telehealth uses, in whole or in part, to make decisions about individuals (e.g., clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes). These records include those that are used to make decisions about any individuals, even if they have not been used to make decisions about the particular individual requesting access.

Exceptions to the Right of Access:

A patient’s right of access does not apply to the following records and information:

a.            Psychotherapy notes;
b.            Information that is compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and
c.             PHI that is not part of the designated record set.

Procedure for Requesting Access:

A patient (or his or her personal representative) must make a request for access in writing. The request must be documented on an Access to Protected Health Information form or in the notes of the patient’s medical record.

Procedure for Responding to Access Requests:

a.            Upon receipt of a request to access, inspect, and/or obtain a copy of PHI from an individual, Noble Telehealth shall notify the applicable Covered Entity.
b.            Upon reasonable request by the Covered Entity or where required by the Privacy Rule, Noble Telehealth will allow an individual to access, inspect, and/or obtain a copy of his or her PHI maintained by Noble Telehealth in a timely and professional manner. Noble Telehealth shall work with the individual (and, if necessary, the Covered Entity) to determine the time, manner, and place for the Individual to access his/her PHI.
c.             Requests for access to PHI will be managed by Noble Telehealth’s Privacy Official.

Procedure for Providing Access:

Noble Telehealth will work with the Covered Entity to provide the patient or the Covered Entity with access to the PHI in the form or format requested, if readily producible in that form and format.

a.            If the PHI is not readily available in the requested format, Noble Telehealth will provide it in readable hard copy form or other form and format as agreed to by Noble Telehealth and the individual.
b.            Requests for Electronic Access to Electronically Stored PHI. If an individual specifically requests electronic access to PHI that is maintained electronically, Noble Telehealth will provide the individual with access to the information in the requested electronic form and format. If the PHI is not readily producible in electronic form and format, then Noble Telehealth will provide it in an agreed upon alternative, readable electronic format. If the individual refuses to accept any of the electronic formats that are readily producible, then Noble Telehealth may provide the individual with a readable hard copy of the PHI.
c.             Requests for Paper Copies of Electronically Stored PHI. If an individual requests a paper copy of PHI maintained electronically, Noble Telehealth will provide the individual with the paper copy requested.
d.            Requests for Electronic Access of PHI Maintained Only in Hard Copy. If an individual requests an electronic copy of PHI maintained only on paper, then Noble Telehealth will provide the individual with an electronic copy, provided the paper record can be readily scanned into electronic format. If the paper record is not readily producible in electronic format, then Noble Telehealth will produce it in a readable alternative electronic format or in hard copy format as agreed to by Noble Telehealth and the individual.

Noble Telehealth may charge a reasonable cost-based fee for the copies provided. The fee may include only the cost of:

  1. the labor associated with copying the PHI, whether in paper or electronic form;
    1. supplies for creating the paper copy or electronic media (e.g., CD or USB drive);
      1. postage, when the individual requests that the copy, or the summary or explanation, be mailed; and
        1. preparation of an explanation or summary of the PHI.

The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by state law. Noble Telehealth may not charge any costs for copies provided if prohibited by state law.

ACCESS TO PROTECTED HEALTH INFORMATION

 Date Received:  Initials of Privacy Official: 
 
Patient to complete the following information
Date:Requestor Name:
Patient Name:Medical Record Number:
Address:
REQUEST:
I hereby request that Noble Telehealth provide me with access to my Protected Health Information as checked below. (Check all that apply):
 
 The entire medical record (all information)
  
 Minimum Data Set
  
 Business Office File
  
 Nursing documentation/Progress Notes
  
 Physician and Professional Consult Progress Notes
  
 Diagnostic reports (lab, x-ray, etc.)
  
 History and physical
  
 Medication and treatment records
  
 Rehabilitative and restorative therapy documentation
  
 Other (Describe as specifically as possible:
  
I request access to my health information as indicated above covering the dates ______________________ through ____________________________. (Please fill in dates).
 
Type of Access Requested
 
 Inspection of requested information at Noble Telehealth.
  
 Copies of requested information maintained by Noble Telehealth.
  
   
Signature of Patient or Personal Representative Date
  
  
Print Name 
  
  

Personal Representative’s Title (e.g., Guardian, Executor of Estate, Health Care Power of Attorney

ACCESS TO PROTECTED HEALTH INFORMATION – page 2

Noble Telehealth to complete the following information

Request for access or copy is            _____ Accepted         _____ Denied

If denied, check the reasons for denial:

☐         PHI is not part of the patient’s Designated Record Set

☐         Federal law forbids making the requested information available to the patient for inspection (e.g., CLIA or Privacy Act of 1974)

☐         The requested information is psychotherapy notes

☐         The requested information has been compiled for legal proceeding

☐         The requested information was obtained under promise of confidentiality and access would be reasonably likely to reveal the source of the information

☐         The requested information is temporarily unavailable because the individual is a research participant

☐         Licensed health care provider has determined that access to the requested information would result in physical harm to the individual or others

☐         Licensed health care provider has determined that the requested information identifies a third person who may be physically, emotionally, or psychologically harmed if access to the information is granted

☐         Licensed health care provider has determined that access to the requested information by the patient’s personal representative could result in harm to the individual

☐         We are acting under the direction of a correctional institution and letting the inmate access or obtain a copy of the requested information would jeopardize the health, safety, security, custody, or rehabilitation of another person at the correctional institution

☐         The requested information is not maintained by Noble Telehealth

RIGHT TO REVIEW:

☐         Yes

☐         No – Contact the Privacy Official with any questions.

You have a right to file a complaint with Noble Telehealth and may do so by contacting Noble Telehealth’s Privacy Official at: ____________________________ (877) 399-3371.

You also have the right to file a complaint with the Secretary of the U.S. Department of Health and Human Services. Contact Noble Telehealth’s Privacy Official for additional information.

   
Signature of Privacy Official Date
  
Print name 

If your request to copy the requested information has been granted, you will be charged a reasonable fee for photocopying and mailing.

NOTIFICATION OF TIME EXTENSION

Patient Name:  Medical Record No: 

TYPE OF REQUEST:

☐         Request for Access to PHI

☐         Request to Amend PHI

☐         Request for an Accounting of Disclosures

Date of original request: ___________________________

Original Due Date: ________________________________

Request to Access: 30 days from receipt of request.

Request for Amendment or Accounting: No more than 60 days from receipt of request.

Revised Due Date (may not be more than 30 days from original due date): __________________

Reason that extension of time to respond is needed:

 
 
 
 

A copy of this Notice of Time Extension has been provided to the patient or the patient’s personal representative.

   
Signature of Privacy Official Date
   
  
Print Name 

[DATE]

[INDIVIDUAL/PATIENT NAME]

[ADDRESS]

[CITY, STATE ZIP]

Re:      Request for Review of Access Denial

Dear [Patient]:

We have considered your request for review of the denial of access to your health information. We reaffirm our denial of your request for the following reason(s):

[DESCRIBE REASONS HERE]

You may file a complaint with Noble Telehealth by contacting our Privacy Official at John Parks (877) 399-3371 support@nobletelehealth.com. You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services. Please contact the Privacy Official for further information.

Very truly yours,

[SIGNATURE]

[PRINTED NAME AND TITLE]

Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

15.     Confidential Communications

Policy:

Individuals have the right to request that Covered Entities and Noble Telehealth communicate with them through alternative means or alternative locations, and Noble Telehealth shall comply with the agreed upon confidential communication at the request of the Covered Entity. Noble Telehealth may also accommodate reasonable requests made by individuals to receive confidential communications of their PHI.

Procedure:

Requests to Communicate Via Alternate Means or at Alternate Locations:

If a Covered Entity notifies Noble Telehealth that it has agreed to accommodate an individual’s request for a confidential communication, Noble Telehealth will comply with this request.

For an individual to request a specific means for confidential communications of PHI directly from Noble Telehealth, an individual must send a written request to Noble Telehealth’s Privacy Official at John Parks (877) 399-3371 support@nobletelehealth.com. The request should describe the means by which the individual wishes to receive communications (e.g., telephone, mail) and the location at which the individual wishes to receive communications (e.g., home, office). Noble Telehealth will determine if/how it can accommodate the request as well as any conditions that may apply to Noble Telehealth’s provision of a reasonable accommodation. Among other things, Noble Telehealth may consider:

  • Requesting that the individual to pay for any additional costs incurred in provide the accommodation, and/or
  • Requesting that the individual specify a different alternate means of communication or a different alternate location to which communications will be directed.

Documenting Requests:

Noble Telehealth will maintain documentation of the request for confidential communications and how that request was accommodated.

Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

16.     Restrictions on Uses and Disclosures of PHI

Policy:

If a Covered Entity informs Noble Telehealth that it has agreed to an individual’s request to restrict certain uses and disclosures of PHI, Noble Telehealth will comply with the terms of such restriction.

If permitted by the applicable BAA,Noble Telehealth will consider an individual’s requests for restrictions, however, it has no obligation, except in the limited circumstances described below, to agree to any such request, nor must it cite a reason for refusing to agree to any such request. Noble Telehealth will determine whether to honor the requested restriction with the concurrence of the Covered Entity.

Noble Telehealth recognizes that individuals have a right to request that Covered Entities set restrictions on the use and disclosure of their PHI in the following circumstances:

  • To carry out treatment, payment, or health care operations;
  • To the individual’s family member, other relative, close personal friend, or any other persons who might otherwise receive disclosures of Protected Health Information where directly relevant to such person’s involvement with the individual’s health care or to payment related to the individual’s health care;
  • To notify, or assist in the notification of (including identifying or locating), an individual’s family member, personal representative, or other person responsible for the individual’s health care, about the individual’s location, general condition, or death;
  • To make reasonable determinations regarding limited uses and disclosures when the individual is not present;
  • To public or private entities authorized to assist in disaster relief efforts, in order to notify or assist in the notification of (including identifying or locating), an individual’s family member, personal representative or other person responsible for the individual’s health care, about the individual’s location, general condition or death.

Procedure:

Request for Restriction:

The Privacy Official shall manage requests for restrictions. All documentation associated with this request will be placed in the individual’s medical record.

Response to Request: Noble Telehealth must accommodate a request for restriction on disclosure if the disclosure (1) is to a health plan for purposes of carrying out payment or health care operations, (2) pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full, and (c) is not otherwise required by law.

  • Restriction Not Accepted. If Noble Telehealth and Covered Entity deny the request for restriction, the Privacy Official will notify the individual in writing of its denial.
  • Restriction Accepted. If Noble Telehealth and Covered Entity agree to the requested restriction, it will notify the patient in writing when a request for restriction is accepted. Noble Telehealth must abide by the accepted restriction with the following exceptions:
  • Noble Telehealth may use the restricted PHI, or may disclose such information to a health care provider if the individual is in need of emergency treatment, and the restricted PHI is needed to provide emergency treatment. In this case, Noble Telehealth will release the information, but ask the emergency treatment provider not to further use or disclose the individual’s PHI.
  • Noble Telehealth may disclose the information to the individual who requested the restriction.
  • Noble Telehealth may use and disclose the restricted PHI when statutorily required to use and disclose the information under the Privacy Rule.
  • Any agreed-to restriction should be maintained in the individual’s medical record and a copy should be provided to all relevant individuals who are or may be responsible for implementing the restriction. Noble Telehealth will notify separately any business associates to which the restriction may apply.

Terminating the Restriction:

  • Termination with the individual’s agreement: Noble Telehealth upon the concurrence of the Covered Entity, may terminate the accepted restriction if the patient agrees to the termination in writing; or the patient agrees to the termination verbally and the verbal agreement is documented. The Privacy Official will notify the appropriate individuals and business associates of the termination of the restriction. The Privacy Official will document the individual’s agreement to the termination of the restriction and maintain the documentation in the individual’s record. Termination of a restriction with the individual’s agreement is effective for all PHI created or received by Noble Telehealth.
  • Termination without the individual’s agreement: Noble Telehealth, upon the concurrence of the Covered Entity, may terminate the restriction without the individual’s agreement if it informs the patient that the restriction is being terminated. Such termination is only effective with respect to PHI created or received after Noble Telehealth has informed the individual that it is terminating the restriction. Noble Telehealth must continue to abide by the restriction with respect to any PHI created or received before it informed the individual of the termination of the restriction. Any termination of an agreement to a restriction by Noble Telehealth should be made and confirmed in writing.

REQUEST TO RESTRICT USE AND DISCLOSURE
OF PROTECTED HEALTH INFORMATION

Patient Name: ________________________Medical Record No: ________________________

Address: ____________________________________________________________________

☐         Your request is granted. Per your request we will limit the use or disclosure of PHI as follows: (check applicable box(es)):

☐         Required Restriction: We are required to agree to restrict disclosures of PHI to a health plan when the PHI is solely related to health care items or services for which the individual (or a person, other than a health plan, on the individual’s behalf) has paid us in full, and the disclosure is for purposes of carrying out payment or health care operations.

☐         Use or Disclosure for Treatment: ________________________________
__________________________________________________________
__________________________________________________________

☐         Use or Disclosure for Payment: _________________________________
__________________________________________________________
__________________________________________________________

☐         Use or Disclosure for Health Care Operations: ______________________
__________________________________________________________
__________________________________________________________

☐         Disclosure to family members, relatives, close personal friends or others identified by individual: ____________________________________
__________________________________________________________
__________________________________________________________

☐         This request will apply to only the following PHI: _________________
__________________________________________________________
__________________________________________________________

☐         This request will expire: _____________________________ (insert date)

Despite the agreed upon restrictions, we may use or disclose PHI as necessary for emergency treatment of the individual. In an emergency circumstance we will ask the health care provider not further use or disclose the information.

Except for the Required Restrictions, our agreement to the above restrictions may be terminated by the individual or us at any time, but any such termination will only apply to uses or disclosures occurring after the termination of the restriction. We may terminate Required Restrictions only if the individual requests the termination in writing or the individual orally agrees to the termination, and the oral agreement is documented.

☐         Your request is denied. Your request is denied for the following reason (state the basis for the denial): _________________________________
__________________________________________________________
__________________________________________________________

Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

17.     Amendment of Medical Record

Policy:

Noble Telehealth recognizes an individual’s right to request that a Covered Entity amend his or her PHI maintained in the Designated Record Set for as long as the PHI is maintained. Unless otherwise stated in the applicable Business Associate Agreement, the policy of Noble Telehealth is to respond to an individual’s request for amendment of PHI in accordance with the Privacy Rule and in conjunction with the Covered Entity. This policy contains the procedures for approving an amendment, denying an amendment, and making an amendment at the request of the covered entity.

Procedure:

Procedure for Making Request:

Requests for amendment must be made in writing on the Amendment of Protected Health Information form. Requests for amendment will not be evaluated until the request form is completed and signed by the patient or the patient’s personal representative.

Evaluating and Responding to the Request for Amendment:

  • Noble Telehealthshall notify Covered Entity of the request for amendment. At the reasonable request of Covered Entity, Noble Telehealth may handle such request.
  • Noble Telehealth will make a determination to accept or deny the amendment after the appropriate staff, if needed.
  • Noble Telehealth shall act on the request for amendment no later than 60 days after receipt of the request.
  • If the amendment is accepted, Noble Telehealth shall make the amendment and inform the individual within 60 days of the written request.
  • If the amendment is denied, Noble Telehealth shall notify individual in writing of the denial within 60 days of the written request.
  • If Noble Telehealth is unable to act on the request for amendment within 60 days of receipt of the request, it may have one extension of no more than 30 days. Noble Telehealth will notify the individual in writing of the extension, the reason for the extension and the date by which action will be taken.

Acceptance of Request for Amendment:

  • If Noble Telehealth accepts the requested amendment, in whole or in part, it will take the following steps:
  • Noble Telehealth will place a copy of the amendment in the individual’s medical record or provide a reference to the location of the amendment within the body of the medical record.
  • Noble Telehealth will notify the relevant persons with whom the amendment needs to be shared, as identified by the individual on the original Amendment of PHI form.
  • Noble Telehealth shall identify, and make reasonable efforts to inform and provide the amendment within a reasonable time to, other persons, including Covered Entity and Business Associates, who have the PHI and who may have relied on, or could foreseeably rely on, such information to the detriment of the individual.
  • Noble Telehealth will inform the individual of the amendment, and will obtain the individual’s agreement to notify such other persons or organizations of the amendment.

Denial of Request for Amendment:

  • Noble Telehealth may deny the request for amendment in whole or in part if:
  • The PHI was not created by Noble Telehealth. An exception may be granted if the patient provides a reasonable basis to believe that the creator of the PHI is no longer available to act on the requested amendment and it is apparent that the amendment is warranted;
  • The PHI is not part of the Designated Record Set;
  • The PHI would not be available for inspection under the Privacy Rule; or
  • The PHI that is subject to the request is accurate and complete.
  • If Noble Telehealth, in consultation with the appropriate staff, determines that the request for amendment is denied in whole or in part, Noble Telehealth will provide the individual with a timely amendment denial letter. The denial shall be written in plain language and shall contain:
  • The basis for the denial;
  • A statement that the individual has a right to submit a written statement disagreeing with the denial and an explanation of how the individual may file such statement;
  • A statement that, if the individual does not submit a statement of disagreement, the patient may request that Noble Telehealth include the individual’s request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment;
  • A description of how the individual may file a complaint with Noble Telehealth or to the Secretary of the U.S. Department of Health and Human Services. The description must include the name or title and telephone number of the contact person for complaints.

Written Statement of Disagreement: If an amendment request is denied, the Individual may submit a written statement of disagreement. If the individual submits a written statement of disagreement, Noble Telehealth may prepare a written rebuttal to the statement. Noble Telehealth shall provide a copy of the written rebuttal to the individual who submitted the statement.

  • The following documentation must be appended (or otherwise linked) to the PHI that is the subject of the disputed amendment:
  • The individual’s Amendment of PHI form;
  • Noble Telehealth amendment denial letter;
  • The individual’s statement of disagreement, if any; and
  • Noble Telehealth written rebuttal, if any.

Future Disclosures of PHI that is the Subject of the Disputed Amendment:

  • If the individual submitted a statement of disagreement, Noble Telehealth will disclose all information listed above or an accurate summary of such information with all future disclosures of the PHI to which the disagreement relates.
  • If the individual did not submit a statement of disagreement, and if the individual has requested that Noble Telehealth provide the Amendment of PHI form and the amendment denial letter with any future disclosures, Noble Telehealth shall include these documents (or an accurate summary of that information) with all future disclosures of the PHI to which the disagreement relates.

Actions on Notices of Amendment:

  • If another Covered Entity notifies Noble Telehealth of an amendment to PHI it maintains, the Noble Telehealth shall make the amendment to the individual’s Designated Record Set.
  • Amendments to the Designated Record Set shall be filed with that portion of the PHI to be amended.
  • Amendments that cannot be physically placed near the original PHI will be filed in an appropriate location.
  • If it is not possible to file the amendment(s) with that portion of the PHI to be amended, a reference to the amendment and its location will be added near the original information location.
  • If the actual amendment is not in an easily recognized location near the original information, the reference should indicate where it could be found.

REQUEST FOR CORRECTION/AMENDMENT OF
PROTECTED HEALTH INFORMATION

Individual Name:  Date of Birth: 
 
Address: 
 
Date of Entry to be Corrected/Amended: 
 
Information to be Corrected/Amended: 
 
 
 
Please explain how the entry is incorrect or incomplete and describe what you believe the entry should state in order to be more accurate or complete.
 
 
 
 
 

If you agree, Noble Telehealth will make a reasonable effort to provide the amendment to other persons who Noble Telehealth knows received the information in the past and who may have relied, or are likely to rely, on such information in a manner that may be detrimental to your health care.

☐         I agree to allow Noble Telehealth to release any amended information to individuals or entities as described above.

Would you like this amendment sent to anyone else who received the information in the past?

☐         Yes

☐         No

If yes, please specify the name and address of the organization(s) or individual(s):

 
 
 
 
   
Signature of Patient or Personal Representative Date

RESPONSE TO REQUEST FOR CORRECTION/AMENDMENT OF
PROTECTED HEALTH INFORMATION

Individual Name:  Date of Birth: 
 
Address: 
 
Date Request Received:  

Amendment has been

☐         Accepted

☐         Denied

If denied, check reason for denial:

☐         PHI is not part of the individual’s designated record set

☐         Record is not available to the patient for inspection

☐         Noble Telehealth did not create record

☐         Record is accurate and complete

Comments:

 
 
 
 
   
Signature of Patient or Personal Representative Date

SAMPLE AMENDMENT ACCEPTANCE LETTER

[DATE]

[INDIVIDUAL NAME]

[ADDRESS]

[CITY, STATE, ZIP CODE]

Dear [INDIVIDUAL]:

Your request to amend your Protected Health Information (see attached form) has been approved. We will notify the individuals and/or organizations that you identified in the original amendment request.

Very truly yours,

[AUTHOR SIGNATURE]

[PRINTED NAME AND TITLE]

SAMPLE AMENDMENT ACCEPTANCE WITH CONSENT TO NOTIFY LETTER

[DATE]

[INDIVIDUAL NAME]

[ADDRESS]

[CITY, STATE, ZIP CODE]

Dear [INDIVIDUAL]:

Your request to amend your Protected Health Information (see attached form) has been approved. We will notify the individuals and/or organizations that you identified in the original amendment request.

In addition, we have identified the following individuals and/or organizations that received your Protected Health Information. We are not permitted to notify these individuals and/or organizations without your written agreement. If you would like us to notify the individuals and/or organizations listed below, you must sign, date, and return this statement to us.

 
 
 
 
Very truly yours,
[AUTHOR SIGNATURE] [PRINTED NAME AND TITLE]
 

I hereby request and consent to the notification of the above-identified persons and/or organizations who have previously received my Protected Health Information regarding the approval of my request for amendment.

 
Signature of Patient or Personal RepresentativeDate
 
Print Name

NOTIFICATION OF AMENDMENT LETTER

[DATE]

[Name of individual/Organization to Receive Notification of Amendment]

[ADDRESS]

[CITY, STATE, ZIP CODE]

Re:      [individual]
Approval of Amendment of Protected Health Information

Dear [RECIPIENT]:

We have agreed to a request from the above-referenced individual to amend his/her Protected Health Information as outlined on the attached form entitled “Amendment of Protected Health Information.”

In compliance with the Privacy Rule (45 CFR §164.526—Amendment of Protected Health Information), we are providing you with proper notification of this approved amendment.

Thank you.

Very truly yours,

[AUTHOR SIGNATURE]

[PRINTED NAME AND TITLE]

AMENDMENT DENIAL LETTER

[DATE]

[INDIVIDUAL NAME]

[ADDRESS]

[CITY, STATE, ZIP CODE]

RE:      Request to Amend Protected Health Information

Dear [individual]:

Your request to amend your Protected Health Information (see attached form) has been denied for the following reason(s):

 
 
 
 
 
 
 

You have the right to submit a written statement disagreeing with the denial. If you choose to do so, submit your statement to John Parks (877) 399-3371 support@nobletelehealth.com.

If you do not submit a statement of disagreement, you may request that Noble Telehealth include your request for amendment and the denial in any future disclosures of your Protected Health Information.

You may file a complaint by contacting Noble Telehealth at (877) 399-3371. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services.

Please contact Noble Telehealth for contact information.

Very truly yours,

[SIGNATURE]

[PRINTED NAME AND TITLE]

Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

18.     Accounting of Disclosures

Policy:

Subject to certain exceptions, Noble Telehealth must account for all known disclosures of a patient’s PHI outside Noble Telehealth. Each patient and Covered Entity may request and receive an accounting of trackable disclosures of PHI made by Noble Telehealth. Noble Telehealth will provide such an accounting, in accordance with the Privacy Rule, when requested by a patient or a patient’s personal representative.

Procedure:

1.            Disclosures for Which an Accounting is not Required. An accounting is not required for disclosures:

a.            Made to carry out treatment, payment, or healthcare operations*;
b.            To the patient or the patient’s personal representative;
c.             That are incidental to a use or disclosure otherwise permitted or required by HIPAA;
d.            Made to persons involved in a patient’s care or as part of an inpatient directory;
e.            Pursuant to an authorization for release of information signed by the patient or patient’s personal representative;
f.              For national security or intelligence purposes;
g.            To correctional institutions or law enforcement officials under certain circumstances;
h.            Made as part of a limited data set, when the recipient has executed a data use agreement;
i.              For research, public health, or certain health care operations purposes; or
j.              That occurred prior to April 14, 2003.
  • * The HITECH Act requires that disclosures through an electronic health record for purposes of treatment, payment, or health care operations in the prior 3 years be included in the disclosure accounting.

2.            Disclosures for Which an Accounting is Required. An accounting is required if the disclosure is made without an authorization and is:

a.            In response to a subpoena or other judicial or administrative proceeding if not accompanied by a patient authorization;
b.            For public health activities, including reports of vital events, public health surveillance, and investigations; communicable disease; adult and child abuse, neglect, or domestic violence; information associated with an FDA-regulated product or activity; and disclosures to an employer to conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether the individual has a work-related illness or injury (and in addition, the employer needs such information to comply with federal or state law, and notice has been given to the individual at the time care is provided or there is a notice at the work site;
c.             For health oversight activities or law enforcement purposes unless the health oversight or law enforcement agency has provided an official statement to temporarily suspend the individual’s right to receive an accounting for a specified period of time during which such an accounting would impede the agency’s activities;
d.            To coroners, medical examiners, funeral directors, and for cadaveric organ donation purposes;
e.            To avert a serious threat to health or safety and for specialized government functions except national security and intelligence activities and correctional institutions or other law enforcement custodial situations;
f.              For workers’ compensation purposes pertaining to treatment of potential work-related injuries;
g.            For research purposes on decedents;
h.            For research purposes if a waiver of authorization has been obtained from an IRB;
i.              In error as a result of a misdirected fax, e-mail, postal mail, etc.;
j.              By a Business Associate who has notified Noble Telehealth of the disclosure event; and
k.             Any other disclosures not excluded above.

3.            Temporary Suspension of Right to an Accounting. Noble Telehealth must temporarily suspend an individual’s right to receive an accounting of disclosures to a health oversight agency or law enforcement official for the time specified by such agency or official, if such agency or official provides Noble Telehealth with a written statement that such an accounting to the individual would be reasonably likely to impede the agency’s activities and specifying the time for which such a suspension is required.

a.            If the agency or official statement is made orally, the Noble Telehealth must: (i) document the statement, including the identity of the agency or official making the statement; (ii) temporarily suspend the individual’s right to an accounting of disclosures subject to the statement; and (iii) limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement is submitted during that time.

4.            Procedure for Tracking Disclosures. Noble Telehealth must log disclosures as they occur in the Accounting of Disclosures Log. The Log is filed in the patient’s paper or electronic medical record.

5.            Procedure for Making and Responding to Requests for an Accounting of Disclosures

Covered Entity:

A Covered Entity may request an accounting in accordance with the applicable Business Associate Agreement and the Privacy Rule. Privacy Official or their designee shall be promptly notified and will be responsible for handling such request.

Patient or Patient Personal Representative:

a.            A patient or patient’s personal representative must request an accounting by completing and submitting a Request for an Accounting of Disclosures of PHI form.
b.            Noble Telehealth’s Privacy Official will review and process the request.
c.             Noble Telehealth will provide a written accounting using an Accounting of Disclosures Log no later than 60 days after receipt. If Noble Telehealth is unable to meet the 60-day time frame, Noble Telehealth may extend the time once by no more than 30 days as long as the individual is provided with a written statement of the reasons for the delay and the date by which Noble Telehealth will provide the accounting.
d.            The accounting will include disclosures during the period specified by the patient or personal representative in the request. The specified period may be up to 6 years prior to the date of the request. Disclosures made on or before April 13, 2003, will not be included in the accounting.
e.            Noble Telehealth will include known disclosures made by its Business Associates, if aware of any such disclosures required to be included in an accounting.
f.              For each disclosure, the accounting will include:
i.              Date the request for disclosure was received;
ii.             Name of entity requesting disclosure and, if known, the address of such person or entity;
iii.            A brief description of the PHI that was disclosed; and
iv.           A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.

6.            Multiple Disclosures to HHS. If, during the relevant accounting period, multiple disclosures of the patient’s PHI have been made to HHS for the purpose of determining Noble Telehealth’s compliance with the Privacy Rule or to the same person or entity for a single purpose, and the purpose of the disclosure is any one of the following, then the Accounting for Disclosures Log may provide: (1) for the first such disclosure, the date of the disclosure, the name and address of the organization or person to whom the disclosure was made, a brief description of the PHI disclosed and the purpose of the disclosure, and (2) the frequency, periodicity or number of additional disclosures made during the accounting period.

7.            Research Purposes Involving 50 or More individuals. For disclosures of PHI for research purposes in a project consisting of 50 or more individuals, the accounting may provide:

a.            Name of protocol or other research activity;
b.            Description and purpose of research, criteria for selecting particular records;
c.             Brief description of the type of PHI disclosed;
d.            Date or period of time during which disclosure(s) occurred, including date of last disclosure during accounting period;
e.            Name, address, telephone number of entity that sponsored the research and of the researcher to whom the information was disclosed; and
f.              Statement that PHI of the patient may or may not have been disclosed for a particular protocol or the research activity.

8.            Noble Telehealth will provide the first accounting to a patient or personal representative within a 12-month period without charge. However, Noble Telehealth may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same party within the 12-month period, provided Noble Telehealth has informed the requesting party of the charges in advance, giving the party the opportunity to withdraw or modify the request.

9.            Noble Telehealth must document and retain for 6 years from the date of the accounting:

a.            The information required to be included in the accounting, and
b.            The written accounting provided to the requesting party.

REQUEST FOR AN ACCOUNTING OF DISCLOSURES
OF PROTECTED HEALTH INFORMATION

Patient’s Name: _______________________________________________________________

I would like an accounting of disclosures of my Protected Health Information (PHI) made from: ____________________________________________________________________________

I understand that the first accounting in any 12 month period will be provided without charge.

I understand that Noble Telehealth may impose a reasonable, cost-based fee for each subsequent request for an accounting made within the 12 month period, provided Noble Telehealth provides advance notice of the fee and an opportunity to withdraw or modify the request for a subsequent accounting.

I understand that the accounting will be provided to me within 60 days unless I am notified in writing that an extension of up to 30 days is needed.

I understand that, by law, Noble Telehealth is not required to account for disclosures that occurred prior to April 13, 2003.

I understand that, by law, Noble Telehealth is not required to account for disclosures that were:

  • Made to me;
  • Necessary to carry out treatment, payment, and health care operations;
  • Pursuant to a signed authorization by me or my personal representative;
  • For Noble Telehealth’s directory or to persons involved in the patient’s care or other notification purposes;
  • For national security or intelligence purposes; or
  • To a correctional institution or law enforcement official.
 
Signature of Patient or Personal Representative Date
 
Signature of Privacy Official Date
Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

19.     Breach Notification Policy

Policy:

This Policy applies only when there is a breach of a patient’s PHI. A breach occurs when there has been an acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of the information.

Under HIPAA and for purposes of this Policy, a breach does not include:

  • An unintentional acquisition, access, or use of PHI by a Workforce Member or other person acting under the authority of the Noble Telehealth or Noble Telehealth’s Business Associate or Subcontractor, if the acquisition, access, or use was made in good faith and within the scope of the Workforce Member’s authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.
  • An inadvertent disclosure by a person who is authorized to access PHI at Noble Telehealth or Noble Telehealth’s Business Associate or Subcontractor to another person authorized to access PHI at Noble Telehealth or Noble Telehealth’s Business Associate or Subcontractor, or organized healthcare arrangement in which Noble Telehealth participates, and information received as a result of such a disclosure is not further used or disclosed in a manner not permitted by the Privacy Rule.
  • Disclosure of PHI where Noble Telehealth or Noble Telehealth’s Business Associate or Subcontractor has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

A breach is presumed to have occurred if there is an unauthorized access, acquisition, use, or disclosure of unsecured PHI, unless Noble Telehealth can demonstrate a low probability that the information was compromised. This determination must be based on a risk assessment of certain factors described in this Policy.

In the event a breach has occurred, Noble Telehealth must notify the Covered Entity in compliance with the applicable Business Associate Agreement. In addition, Noble Telehealth must notify the applicable Covered Entity of any Security Incident or use or disclosure in violation of the Business Associate Agreement, regardless of whether it is a breach.

Procedure:

1.            Reporting an Unauthorized Access, Use, or Disclosure of PHI.

a.            Any Workforce Member who learns that a potential breach of PHI may have occurred must immediately notify his or her supervisor and/or Noble Telehealth’s Privacy Official. If the potential breach relates to electronic information, the Workforce Member must also notify Noble Telehealth’s Security Official.
b.            The report of a potential breach should include the following information, to the extent available:
i.              A brief description of what happened, including the date of the potential breach and the date the suspected breach was discovered;
ii.             Who used the PHI without appropriate permission or authorization and/or to whom the information was disclosed without permission or authorization;
iii.            A description of the types of and amount of unsecured PHI involved in the breach;
iv.           Whether the PHI was secured by encryption, destruction, or other means;
v.             Whether any intermediate steps were taken to mitigate an impermissible use or disclosure;
vi.           Whether the PHI that was disclosed was returned prior to being accessed for an improper purpose; and
vii.          If the PHI was provided to Noble Telehealth under a Business Associate Agreement.
c.             Failure to report a suspected breach to the Noble Telehealth may result in disciplinary action against employees, subcontractors, interns, or volunteers.

2.            Investigating Potential Breaches of PHI. Noble Telehealth must promptly investigate any security and/or privacy incident to determine whether there has been a breach of PHI. In making this determination, Noble Telehealth shall consider the following:

a.            Whether the unauthorized or impermissible acquisition, access, use, or disclosure involved PHI.
b.            Whether Noble Telehealth can demonstrate, based on the following factors, a low probability that the PHI has been compromised:
i.              The nature and extent of the information involved;
ii.             The unauthorized person who used or received the information;
iii.            Whether the information was actually acquired or viewed; and
iv.           The extent to which the risk to the information has been mitigated.
c.             Noble Telehealth must document the investigation and reasonable conclusions, including all facts relevant to the risk assessment. Documentation of findings and final actions from the investigation should be maintained as a part of Noble Telehealth’s Privacy records and retained for 6 years.
d.            If it is determined that a HIPAA violation has occurred, Noble Telehealth must determine what disciplinary actions should be taken. The disciplinary action report documenting the violation should be placed in the staff’s personnel file.

3.            Breach Notification Procedures to Covered Entity. If Noble Telehealth determines that a breach of unsecured PHI has occurred, Noble Telehealth shall notify Covered Entity in accordance with the applicable Business Associate Agreement. If the applicable Business Associate Agreement does not specify a time, Noble Telehealth shall provide the notification required without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

A Breach shall be treated as discovered by Noble Telehealth as of the first day on which such Breach is known to Noble Telehealth, or, by exercising reasonable diligence, would have been known to Noble Telehealth. Noble Telehealth shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any Workforce Member, other than the person committing the breach (determined in accordance with the federal common law of agency).

a.            Content of Notification to Covered Entity. When Noble Telehealth provides the applicable Covered Entity with notification of the breach, the notification shall include, to the extent possible, the following information:
i.              The identification of each Individual whose unsecured PHI has been, or is reasonably believed by Noble Telehealth to have been, accessed, acquired, used, or disclosed during the breach.
ii.             A brief description of the breach, including the date of the breach and the date it was discovered, if known.
iii.            The type of unsecured PHI involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
iv.           Any steps the individual should take to protect themselves from potential harm resulting from the breach.
v.             A description of Noble Telehealth’s investigation of the breach and Noble Telehealth’s efforts to mitigate resulting harm, if any, and to protect against further breaches.
vi.           Any other information required by the applicable Business Associate Agreement.

If any of this information is not available at the time Noble Telehealth notifies the Covered Entity of the Breach, Noble Telehealth shall provide the information to the Covered Entity as soon as the information becomes available.

b.            Documentation of Breaches and Risk Assessments. Regardless of the number of patients affected, Noble Telehealth shall maintain a process to record or log all breaches of unsecured PHI, risk assessments, and associated notifications. The following information should be collected/logged for each breach:
i.              A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of individuals affected, if known.
ii.             A description of the types of unsecured PHI that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, etc.).
iii.            A description of the action taken with regard to notification of Covered Entities (and individuals, the United States Department of Health and Human Services, and/or media, if applicable) regarding the breach.
iv.           Steps taken to mitigate the breach and prevent future occurrences.

In addition, Noble Telehealth shall create and maintain a record of the investigation of all potential breaches as well as the outcome of risk assessments. The risk assessment and the investigation record/incident report should be cross referenced so that should HHS require more information, it is easy to locate and provide

4.            Breach Notification Procedures for Others: If Noble Telehealth and Covered Entity determine that a breach of unsecured PHI has occurred and that Noble Telehealth will provide notification to affected individuals, HHS, and/or the media (as applicable), Noble Telehealth shall notifythe affected individual(s), HHS, and the media (if required) in accordance with this Policy and the requirements of HIPAA’s breach notification rules. Any notice provided pursuant to this Policy must be approved and directed by Noble Telehealth’s Privacy Official. No other personnel may, absent express authorization of the Noble Telehealth’s Privacy Official, provide the notice required by this Policy.

a.            Notice to individuals. When a breach of PHI has occurred, Noble Telehealth shall notify the affected individual(s) without unreasonable delay and in no case later than 60 days after the breach is discovered.
i.              Contents of Notice. The notice must be in writing and written in plain language, and must include, to the extent possible:
  • A brief description of the incident (e.g., the date of the breach and the date it was discovered);
    • A description of the types of information involved (e.g., whether the breach involved names, social security numbers, birthdates, addresses, diagnoses, etc.);
      • Any steps the affected individual(s) should take to protect him or herself from potential harm resulting from the breach;
      • A brief description of what Noble Telehealth is doing to investigate, mitigate, and protect against further harm or breaches; and
      • Contact information for Noble Telehealth (or business associate, as applicable) (e.g., toll-free telephone number, e-mail address, website, or postal address).
ii.             Method of Notification. Noble Telehealth shall notify the affected individual by first class mail to the individual’s last known address. Notice may be sent via e-mail if the patient has agreed to accept notification via electronic means.
iii.            Substitute Notice. If Noble Telehealth has insufficient or out-of-date contact information that precludes written notification to the individual, Noble Telehealth shall provide a substitute form of notice that is reasonably calculated to reach the individual.
  • Fewer than 10 individuals: Where there is insufficient or out-of-date contact information for fewer than 10 individuals, substitute notice may be provided by an alternative form of written notice, telephone, or other means.
    • 10 or More individuals: Where there is insufficient or out-of-date contact information for 10 or more individuals, substitute notice shall:
      • Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
        • Include a toll-free Noble Telehealth number that remains active for at least 90 days where an individual can learn whether the individual’s unsecured protected health information may be included in the breach.
iv.           Urgent Situations. In any case deemed by Noble Telehealth to require urgency because of possible imminent misuse of unsecured PHI, Noble Telehealth may provide information to individuals by telephone or other means, as appropriate, in addition to the required written notice.
v.             Deceased individuals. If Noble Telehealth has the address of the next of kin or personal representative of the deceased individual, it may provide written notification by first-class mail to either the next of kin or personal representative.
b.            Notice to HHS. If Noble Telehealth determines that a breach of protected health information has occurred, Noble Telehealth shall also notify HHS of the breach as follows:
i.              500 or More Affected individuals. For breaches of unsecured PHI involving 500 or more individuals, Noble Telehealth must notify HHS of the breach contemporaneously with the notice to the individuals and in the manner specified on the HHS website.
ii.             Fewer than 500 Affected individuals. For breaches of unsecured protected health information involving fewer than 500 individuals, Noble Telehealth may report the breach immediately to HHS in the manner specified on the HHS website. If the Privacy Official does not immediately report the breach to HHS, they shall maintain a log or other documentation of such breach and, not later than 60 days after the end of each calendar year, provide the notification to HHS in the manner specified on the HHS website.
c.             Notice to Media. For a breach of unsecured protected health information involving more than 500 residents of a particular state or jurisdiction, Noble Telehealth shall, following the discovery of the breach, notify prominent media outlets serving the state or jurisdiction. The notification must be made without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. The notification must contain the information required for individual notices as described in Section 4.a.i above.

5.            No Retaliation. Noble Telehealth maintains an open-door policy regarding compliance with HIPAA. Workforce Members are encouraged to speak with the Privacy/Security Official or other appropriate individual regarding any concerns they may have with Noble Telehealth HIPAA compliance program or initiatives designed to maintain and enhance privacy and security controls. Neither Noble Telehealth nor anyone affiliated with Noble Telehealth may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for exercising any right established by, or for participating in any process provided for by, these policies or the law, including:

a.            Filing a complaint with Noble Telehealth;
b.            Filing a complaint with governmental authorities;
c.             Assisting or participating in an investigation or compliance review by Noble Telehealth or its agents;
d.            Testifying in a proceeding or hearing by governmental authorities under HIPAA; or
e.            Opposing any act or practice made unlawful by HIPAA, provided the individual has a good faith belief that the practice opposed is unlawful and the manner of opposition is reasonable and does not involve an impermissible disclosure of PHI.

Any individual who believes that a form of retaliation or intimidation is occurring or has occurred should report the incident to Noble Telehealth. Noble Telehealth should treat such a report as a complaint and investigate it accordingly.

HIPAA PRIVACY BREACH LOG

Date of BreachDate of DiscoveryDescription of Incident# of individuals AffectedNotifications Made (method, media used, dates, etc.)Notes

This log will be submitted to the Secretary of the Department of Health and Human Services within 60 days after the year end. Refer to http://www.hhs.gov for how to submit this breach notification.

HIPAA BREACH ANALYSIS TOOL

Name of person completing form: _________________________________________________

Date incident occurred: _____/___/_____                 Date incident discovered: _____/___/_____

Brief description of incident (including number of individuals affected): ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

1.            Was protected health information (“PHI”) involved? (PHI is any individually identifiable information, including demographic information, that is created or received by a healthcare provider and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual).

____ Yes (continue to Question 2)

____ No (no breach reporting required under HIPAA)

Describe the information involved:

____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

2.            Was the PHI unsecured? (“Unsecured” PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified in HHS guidance, which can be found at

www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.)

____ Yes (continue to Question 3)

____ No (no breach reporting required under HIPAA)

Describe the PHI (e.g., whether it was verbal/oral, paper, or electronic; if electronic, whether it was encrypted, password-protected, etc.)

____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

3.            Was the PHI acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule? (A violation of the “minimum necessary” standard is not permitted by the Privacy Rule. On the other hand, a use or disclosure of PHI that is incident to an otherwise permissible use or disclosure and that occurs despite reasonable safeguards and proper minimum necessary procedures is not a violation of the Privacy Rule. You may wish to consult legal counsel to determine if the acquisition, access, use, or disclosure was permitted by the Privacy Rule).

____ Yes (continue to Question 4)

____ No (no breach reporting required under HIPAA)

Describe who acquired, accessed, used, and/or disclosed the PHI; whether the person(s) was authorized or unauthorized; and how the PHI was acquired, accessed, used, or disclosed: ____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

4.            Does an exception apply? (Check any that applies)

☐         Exception A – A breach does not include any unintentional acquisition, access, or use of PHI by a Workforce Member, or person acting under the authority of a covered entity or business associate, if it: was made in good faith; and as within the course and scope of authority; and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.

☐         Exception B – A breach does not include an inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received is not further used or disclosed in a manner not permitted by the Privacy Rule.

☐         Exception C – A breach does not include disclosure of PHI where the covered entity or business associate has a good faith belief that the unauthorized person who received it would not reasonably have been able to retain the information. These incidents would not constitute reportable breaches.

____ Yes (no breach reporting required under HIPAA)

____ No (Continue to Question 5)

5.            Risk Assessment. An acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule is presumed to be a breach and must be reported unless the organization can demonstrate a low probability that the PHI has been compromised. This determination must be based on a risk assessment of least the following 4 factors:

Factor 1 – Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. (Consider whether sensitive financial information, e.g., credit card numbers or social security numbers, was involved, or whether sensitive clinical information was involved, e.g., information related to mental health or sexually transmitted diseases, as well as the amount of detailed clinical information involved, e.g., diagnosis, medication, medical history, test results, etc. Consider whether the PHI could be used in a manner adverse to the patient or to further the unauthorized recipient’s own interests).

Describe the PHI involved, including the types of identifiers and the likelihood of re-identification

____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

☐         Supports reporting

☐         Does not support reporting

Factor 2 – The unauthorized recipient or user of the PHI. This factor must be considered even if the impermissible acquisition, use, or disclosure was purely internal. Consider whether the unauthorized person is also a covered entity subject to HIPAA requirements or a government employee or other person required to comply with other privacy laws.

Describe who used or received the PHI and whether s/he has any legal or ethical obligation to protect the PHI

____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

☐         Supports reporting

☐         Does not support reporting

Factor 3 – Whether the PHI was actually acquired or viewed (if ePHI is involved, this may require a forensic analysis of the computer or device to determine if the information was accessed, viewed, acquired, transferred, or otherwise compromised).

Describe whether the PHI was actually acquired or viewed

____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

☐         Supports reporting

☐         Does not support reporting

Factor 4 – The extent to which the risk to the PHI has been mitigated (e.g., did you obtain satisfactory assurances from the recipient, in the form of a confidentiality agreement or similar means, that he or she will not further use or disclose, or has completely returned or has or will completely destroy, the PHI?).

Describe the mitigation steps taken

____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

☐         Supports reporting

☐         Does not support reporting

Factor 5 – Any other relevant factors (indicate “none” if appropriate) _____________________

____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

☐         Supports reporting

☐         Does not support reporting

Based on the above factors, is there a low probability that the PHI has been compromised?

____ Yes (no breach reporting required under HIPAA)

____ No (breach reporting is required under HIPAA)

Signature of person completing this form: ___________________________________________

Title: __________________________________________

Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

20.     Marketing

Policy:

Subject to certain defined exceptions, marketing communications utilizing PHI require a prior written authorization from the patient, may only be made for the benefit of the Covered Entity, and may only occur as permitted by the applicable Business Associate Agreement.

Procedure:

1.            Marketing.

a.            The Privacy Rule defines marketing as a communication and/or disclosure of PHI that encourages an individual to use or purchase a product or service, except under the following conditions assuming Covered Entity and Noble Telehealth do not receive financial remuneration in exchange for making the communications:
i.              Communications made directly by Noble Telehealth on behalf of a Covered Entity to describe a health related product or service the Covered Entity provides.
ii.             Communications made for treatment of the individual.
iii.            Communications for case management or care coordination for the individual.
iv.           Communications to direct or recommend alternative treatments, therapies, and health care providers or settings of care.
v.             Face to face communications made by a Noble Telehealth representative, on behalf of Covered Entity to an individual.
vi.           Promotional gifts of nominal value (defined in policy; for example, less than $25 each gift not to exceed $100.00 per annum) provided by Noble Telehealthon behalf of Covered Entity.
b.            A valid written authorization must be obtained prior to using or disclosing PHI for purposes that meet the HIPAA definition of marketing and do not qualify for any of the exceptions listed above.
c.             If direct or indirect remuneration to Covered Entity from a third party is involved, the authorization must state the nature of such third party remuneration.
d.            In the event a planned marketing activity involves payment to Noble Telehealth (e.g., cash, referral, gifts, etc.), anti-kickback, inducement, self-referral, and general fraud and abuse statutes and regulations may apply. These shall be considered and approved prior to implementation of the marketing activity. Noble Telehealth will assure that any marketing activity is in compliance with such laws and regulations.
Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

21.     Sale of PHI

Policy:

Noble Telehealth is prohibited from selling PHI unless a valid authorization from the individual to whom the PHI belongs is obtained and as allowed by the applicable Business Associate Agreement. All authorizations obtained for the sale of PHI shall specifically state that disclosure will result in remuneration to Noble Telehealth.

Procedure:

Noble Telehealth may not sell PHI, except pursuant to a valid authorization that specifically states that the disclosure will result in remuneration to Noble Telehealth, and as permitted by the applicable Business Associate Agreement.

The “sale of PHI” means disclosure of PHI by Noble Telehealth where Noble Telehealth directly or indirectly receives remuneration from, or on behalf of, the recipient of the PHI in exchange for the PHI. However, “sale of PHI” does not include a disclosure of PHI for the following purposes:

  • For public health purposes pursuant to 45 C.F.R. § 164.512(b) or § 164.514(e);
  • For research purposes, where the only remuneration received by Noble Telehealth is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes;
  • For treatment and payment purposes;
  • For the sale, transfer, merger, or consolidation of all or part of Noble Telehealth and for related due diligence;
  • To or by Noble Telehealth for activities that Noble Telehealth undertakes on behalf of Covered Entity, or by Subcontractor on behalf of Noble Telehealth, pursuant to §§ 164.502(e) and 164.504(e), and the only remuneration provided is by Covered Entity to Noble Telehealth, or by Noble Telehealth to the subcontractor, if applicable, for the performance of such activities;
  • To an individual, when the individual requests access to the individual’s PHI or an accounting of disclosures;
  • For disclosures required by law; and
  • For any other purpose permitted by and in accordance with the Privacy Rule, where the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law.

If you are uncertain whether a planned disclosure constitutes the “sale of PHI,” consult the Privacy Official for further guidance.

Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

22.     Law Enforcement Disclosures

Policy:

Noble Telehealth may use or disclose PHI to the extent that such use or disclosure is required by law and complies with and is limited to the relevant requirements of such law or to the extent such use or disclosure is permitted under the Privacy Regulations and the applicable Business Associate Agreement.

Procedure:

1.            Disclosures Required by Law. If there is a specific law that requires the disclosure of PHI to a law enforcement official, then Noble Telehealth may disclose the PHI without the individual’s authorization.

2.            Disclosures Pursuant to Legal Process. Noble Telehealth may disclose PHI in response to a court order, court-ordered warrant, subpoena, or summons issued by a judicial officer; a grand jury subpoena; or an administrative request, such as an administrative subpoena or summons, a civil or authorized investigative demand or similar process authorized under law if: (a) the information sought is relevant and material to a legitimate law enforcement inquiry; (b) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is being sought; and (c) de-identified information could not reasonably be used.

3.            Disclosures to Law Enforcement for Purposes of Identification and Location. If a disclosure of PHI is not required by law as described above, but a law enforcement official has requested the disclosure of the PHI solely for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, then, with the agreement of the Covered Entity, Noble Telehealth may disclose only the following: (a) name and address; (b) date and place of birth; (c) Social Security number; (d) type of injury; (e) ABO blood type and rh factor; (f) date and time of treatment; (g) date and time of death, if applicable; and (h) a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars and tattoos. Noble Telehealth may not disclose for identification or location purposes any PHI related to an individual’s DNA, DNA analysis, dental records or typing, samples or analysis of body fluids or tissue. Any disclosure for these purposes must also be in accordance with the requirements of any applicable state law.

4.            Disclosures to Law Enforcement Regarding Victims of a Crime. If a disclosure is not required by a particular law, but a law enforcement official has requested disclosure of PHI about an individual who is thought to be a victim of a crime (other than child abuse; or abuse, neglect or domestic violence concerning adults who are not elder persons or disabled adults; or abuse or neglect of an elder person or disabled adult), then, with the agreement of the Covered Entity, Noble Telehealth may make the requested disclosure if the individual agrees to the disclosure. If Noble Telehealth is unable to obtain the individual’s agreement because the individual is incapacitated or because of other emergency circumstances, Noble Telehealth may disclose the PHI if, in the exercise of its professional judgment, it determines that the disclosure is in the best interest of the individual, and the law enforcement official requesting the disclosure represents that (1) the information is needed to determine whether there has been a violation of law by a person other than the victim, and the information requested is not intended to be used against the victim; and (2) immediate law enforcement activities that depend upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree.

5.            Disclosures to Law Enforcement Initiated by Noble Telehealth

a.            Disclosures Regarding Decedents. Noble Telehealth may initiate a disclosure to a law enforcement official of PHI of an individual who has died if Noble Telehealth suspects that the individual’s death was the result of criminal conduct, and if the disclosure is necessary for purposes of alerting the law enforcement official to this suspicion.
b.            Disclosure Regarding Crime on Premises. Noble Telehealth may initiate a disclosure of PHI to a law enforcement official that Noble Telehealth believes in good faith constitutes evidence of criminal conduct that occurred on Noble Telehealth’s premises.
c.             Disclosures for Purposes of Reporting of Criminal Conduct in Emergencies. If a healthcare provider who is part of Noble Telehealth provides emergency health care in response to a medical emergency, that healthcare provider may initiate disclosure of PHI regarding the medical emergency to law enforcement officials if the disclosure is necessary to alert law enforcement to: (a) the commission and nature of a crime; (b) the location of such crime or of the victim(s) of the crime; and (c) the identity, description and location of the perpetrator of the crime. Such disclosures may not be made with regard to an emergency that occurs on Noble Telehealth’s premises. Such disclosures may not be made with regard to emergency medical care given to an individual who Noble Telehealth believes requires this care as a result of abuse, neglect, or domestic violence.

6.            Verification. Noble Telehealth shall verify the identity of any law enforcement official to whom a permitted disclosure is made pursuant to this policy.

7.            Minimum Necessary. If Noble Telehealth is permitted to make a disclosure of PHI as described above, Noble Telehealth may disclose only the information specified for the particular situation. If no specific information is specified for a particular situation, then Noble Telehealth may disclose only the minimum necessary PHI to accomplish the purpose of the disclosure. Noble Telehealth should coordinate with the Covered Entity with regard to all law enforcement disclosures.

8.            Accounting for Disclosures. Noble Telehealth must keep a record of any disclosures made to law enforcement pursuant to this policy. This information shall be available to any individual who is the subject of such a disclosure and who requests an accounting of such a disclosure. Records regarding disclosures to law enforcement must be kept for at least 6 years after the date of the disclosure.

Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members

23.     Retention

Policy:

  • Documentation required to be created by HIPAA (e.g., HIPAA Privacy Policies and Procedures, Business Associate Agreements, Subcontractor Business Associate Agreements, and documentation required to provide individuals with their privacy rights) will be retained for a minimum of 6 years from the date of its creation or the date when it was last in effect, whichever is later.
  • If state laws and regulations require a greater retention time period, the greater will be followed.
Policy InformationRelated Policies
Date Adopted: 03/10/2022Last Date Revised: 01/08/2025List Related Policies (Required if related policies exist)
Author/Contact: Privacy OfficialPolicy Number:
This Policy Applies To: All Workforce Members