TEAM Companies HIPAA Policy


Policy Statement

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), is a federal law intended to strengthen the privacy and security of individuals' health information. HIPAA applies to "covered entities," as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 ("HIPAA Rules"). HIPAA covered entities include health plans, health plan clearinghouses, and health care providers that transmit health information electronically in certain types of transactions.

Legal entities that conduct both HIPAA-covered and non-covered functions may designate themselves as hybrid entities for HIPAA compliance purposes. Some components within TEAM Professional Services, Inc., TPS Alert, LLC, and/or TEAM Background, LLC (collectively, the “TEAM Companies”) perform activities or functions that may, from time to time, bring them within the definition of a covered entity for HIPAA purposes. Each of the TEAM Companies therefore chooses to invoke hybrid entity status and must designate and document as its "health care components" those components within the TEAM Companies that would meet the definition of a covered entity if they were a single legal entity.

Although the TEAM Companies are responsible for HIPAA oversight, compliance, and enforcement requirements, as applicable, the HIPAA Rules apply only to the TEAM Companies’ designated health care components.

This statement of the TEAM Companies’ Health Information Privacy Policies & Procedures specifically addresses the requirements of 45 C.F.R. Sections 164.103 and 164.105, which involve organizational requirements for hybrid entities under HIPAA, among other issues.

Required Safeguards

The TEAM Companies shall ensure that its health care components comply with the HIPAA Rules, as applicable. In particular, the TEAM Companies shall ensure that:

  1. Any health care components do not disclose protected health information to another component of the TEAM Companies in a manner that would be prohibited under the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E) if the health care component and other component were separate legal entities;
  2. Its health care components protect electronic protected health information regarding another component of the TEAM Companies to the same extent that they would be required to protect this information under the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) if the health care components and other component were separate legal entities; and
  3. If a person performs duties as a workforce member for both the TEAM Companies’ health care components and non-health care component in the same capacity, the person does not use or disclose protected health information created or received in the course of (or incident to) the person's work for the health care component in a way that is prohibited under the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E).

The TEAM Companies shall comply with HIPAA's requirements concerning compliance and enforcement (45 C.F.R. Part 160, Subpart C).

The TEAM Companies shall comply with requirements under the HIPAA Privacy Rule and Security Rule regarding implementation of compliance policies and procedures (45 C.F.R. §§ 164.316(a) and 164.530(i)), including the safeguards addressed in this Section 2.

The TEAM Companies shall ensure compliance with requirements under the HIPAA Privacy Rule and Security Rule regarding business associate arrangements and other organizational requirements (45 C.F.R. §§ 164.314 and 164.504).

Employee Health Records

Through their respective human resources offices, each of the TEAM Companies maintains employee health records in its capacity as an employer. Employee health records are expressly excluded from the definition of protected health information under the HIPAA regulations, and the TEAM Companies’ human resources offices are not one of the TEAM Companies’ designated health care components.

Recordkeeping Requirement

Each of the TEAM Companies shall retain documentation evidencing its health care component designation for at least six years from the date of a decision to remove a component's designation as a health care component. Otherwise, the TEAM Companies shall retain documentation evidencing health care component designations indefinitely.

HIPAA Privacy and Security Officer

The TEAM Companies have appointed Tammy Person as the TEAM Companies’ HIPAA Privacy and Security Officer for their health care components. For any questions regarding the TEAM Companies’ compliance with the HIPAA Rules and their implementing regulations concerning the health care components, please contact the HIPAA Privacy and Security Officer.

Consequences of Failing to Follow Policy

An individual who fails to comply with the TEAM Companies’ Health Information Privacy Policies & Procedures may be subject to sanctions, up to and including disciplinary action, suspension, employment termination, dismissal from the TEAM Companies, or legal action.

Protected Health Information

The TEAM Companies may receive Protected Health Information (“PHI”) in connection with certain of the medical and diagnostic testing and reporting services that the TEAM Companies are currently or in the future may provide.It is the intention of the TEAM Companies to ensure the confidentiality and integrity of all PHI in its possession, as required by HIPAA.Our office must not use or disclose PHI, except as these Health Information Privacy Policies & Procedures permit or require.

In some cases we must have proper, written Authorization from the patient (or the patient's personal representative) before we use or disclose a patient's PHI.

Our office will use the Authorization form. We will always act in strict accordance with an Authorization. In certain situations, in accordance with the provisions of HIPAA, our office retains the right to condition testing on the patient’s execution of a valid Authorization.A patient may revoke an authorization at any time by written notice. Our office will not rely on an Authorization we know has been revoked.

Our office will use or disclose PHI as permitted by a valid Authorization we receive from another healthcare provider.Our office may rely on that covered entity to have requested only the minimum necessary protected PHI. Therefore, our office will not make our own "minimum necessary" determination, unless we know that the Authorization is incomplete, contains false information, has been revoked, or has expired.

Permitted Without Acknowledgement, Authorization or Oral Agreement

Our office may use or disclose a patient's PHI in certain situations, without Authorization or oral agreement. In our office, these disclosures are not likely to be frequent.

  1. Verification of Identity — Our office will always verify the identity of any patient, and the identity and authority of any patient's personal representative, government or law enforcement official, or other person, unknown to us, who requests PHI before we will disclose the PHI to that person.

Our office will obtain appropriate identification and, if the person is not the patient, evidence of authority. Examples of appropriate identification include photographic identification card, government identification card or badge, and appropriate document on government letterhead. Our office will document the incident and how we responded.

  1. Uses or Disclosures Permitted under this Section 8 — The situations in which our office is permitted to use or disclose PHI in accordance with the procedures set out in this Section 8 are listed below.
    • Our office may disclose a patient's PHI to that patient on request.
    • Our office may disclose to a patient's personal representative PHI relevant to the representative capacity. We will not disclose to a personal representative we reasonably believe may be abusive to a patient any PHI we reasonably believe may promote or further such abuse.
    • Our office will not use or disclose a patient's PHI for fundraising purposes without the patient's Authorization.
    • Our office will not use or disclose PHI for marketing without a patient's Authorization unless the marketing is in the form of a promotional gift of nominal value that we provide, or face-to-face communications between us and the patient.
    • Our office may use or disclose PHI in the following types of situations, provided procedures specified in the Privacy Rules are followed:
      • For public health activities;
      • To health oversight agencies;
      • To coroners, medical examiners, and funeral directors;
      • To employers regarding work-related illness or injury;
      • To the military;
      • To federal officials for lawful intelligence, counterintelligence, and national security activities;
      • To correctional institutions regarding inmates;
      • In response to subpoenas and other lawful judicial processes;
      • To law enforcement officials;
      • To report abuse, neglect, or domestic violence;
      • As required by law;
      • As part of research projects; and
      • As authorized by state worker's compensation laws.

Required Disclosures

Our office will disclose PHI to a patient (or to the patient's personal representative) to the extent that the patient has a right of access to the PHI (see Section 12); and to the U.S. Department of Health and Human Services (HHS) on request for complaint investigation or compliance review.

Our office will use the disclosure log to document each disclosure we make to HHS.

Minimum Necessary

Our office will make reasonable efforts to disclose, or request of another covered entity, only the minimum necessary PHI to accomplish the intended purpose.

There is no minimum necessary requirement for: disclosures to or requests by one another in our office or by a healthcare provider for treatment; permitted or required disclosures to, or for disclosures requested and authorized by, a patient; disclosures to HHS for compliance reviews or complaint investigations; disclosures required by law; or uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules.

  • Routine or Recurring Requests or Disclosures — Our office will follow the policies and procedures that we adopt to limit our routine or recurring requests for or disclosures of PHI to the minimum reasonably necessary for the purpose.
  • Non-Routine or Non-Recurring Requests or Disclosures — No non-routine or nonrecurring request for or disclosure of PHI will be made until it has been reviewed on a patient-by-patient basis against our criteria to ensure that only the minimum necessary PHI for the purpose is requested or disclosed.
  • Others' Requests — Our office will rely, if reasonable for the situation, on a request to disclose PHI being for the minimum necessary, if the requester is: (a) a covered entity; (b) a professional (including an attorney or accountant) who provides professional services to our practice, either as a member of our workforce or as our Business Associate, and who represents that the requested information is the minimum necessary; (c) a public official who represents that the information requested is the minimum necessary; or (d) a researcher presenting appropriate documentation or making appropriate representations that the research satisfies the applicable requirements of the Privacy Rules.
  • Entire Record — Our office will not use, disclose, or request an entire record, except as permitted in these Policies & Procedures or standard protocols that we adopt reflecting situations when it is necessary.
  • Minimum Necessary Workforce Use — Our office will use only the minimum necessary PHI needed to perform our duties.

Business Associates

Our office will obtain satisfactory assurance in the form of a written contract that our Business Associates will appropriately safeguard and limit their use and disclosure of the PHI we disclose to them.

These Business Associate requirements are not applicable to our disclosures to a healthcare provider for treatment purposes. The Business Associate Contract Terms document contains the terms that federal law requires be included in each Business Associate contract.

  • Breach Notification — If our office learns that a Business Associate has materially breached or violated its Business Associate Contract with us, we will take prompt, reasonable steps to see that the breach or violation is cured.

If the Business Associate does not promptly and effectively cure the breach or violation, we will terminate our contract with the Business Associate, or if contract termination is not feasible, report the Business Associate's breach or violation to the U.S. Department of Health and Human Services (HHS).

In the case of a breach of unsecured protected health information, whether by our office or a Business Associate, the patient shall be notified as required by law.In some circumstances our Business Associate may provide the notification. We may also provide notification by other methods as appropriate.

Patients' Rights

Our office will honor the rights of patients regarding their PHI.

  • Access — A patient has the right to inspect and copy his or her health information, with limited exceptions.To access his or her medical information, a patient must submit a written request detailing what information he or she wants access to, whether the patient wants to inspect it or get a copy of it, and if the patient wants a copy, his or her preferred form and format.We will provide copies in the patient's requested form and format if it is readily producible, or we will provide the patient with an alternative format the patient finds acceptable, or if we cannot agree and we maintain the record in an electronic format, the patient's choice of a readable electronic or hardcopy format. We will also send a copy to any other person the patient designates in writing. We will charge a reasonable fee which covers our costs for labor, supplies, postage, and if requested and agreed to in advance, the cost of preparing an explanation or summary. We may deny a patient's request under limited circumstances.If we deny a person's request to access his or her child's records or the records of an incapacitated adult the requesting party is representing because we believe allowing access would be reasonably likely to cause substantial harm to the patient, the requesting party will have a right to appeal our decision.
  • Amendment — A patient has a right to request that we amend his or her health information which the patient believes is incorrect or incomplete.The patient must make a request to amend in writing, and include the reasons he or she believes the information is inaccurate or incomplete.We are not required to change a patient's health information, and will provide the patient with information about this office's denial and how the patient can disagree with the denial.We may deny a request if we do not have the information, if we did not create the information (unless the person or entity that created the information is no longer available to make the amendment), if the person making the request would not be permitted to inspect or copy the information at issue, or if the information is accurate and complete as is.If we deny the request, the patient or requesting party may submit a written statement of his or her disagreement with that decision, and we may, in turn, prepare a written rebuttal. All information related to any request to amend will be maintained and disclosed in conjunction with any subsequent disclosure of the disputed information.
  • Disclosure Accounting — A patient has a right to receive an accounting of disclosures of the patient's health information made by this office, except that this office does not have to account for the disclosures provided to the patient or pursuant to the patient's written authorization, or as described in the paragraphs concerning treatment, payment, health care operations, notification and communication with family and specialized government functions of the Notice of Privacy Practices or disclosures for purposes of research or public health which exclude direct patient identifiers, or which are incident to a use or disclosure otherwise permitted or authorized by law, or the disclosures to a health oversight agency or law enforcement official to the extent this medical practice has received notice from that agency or official that providing this accounting would be reasonably likely to impede their activities.
  • Restriction on Use or Disclosure — The patient has the right to request restrictions on certain uses and disclosures of his or her health information by a written request specifying what information he or she wants to limit, and what limitations on our use or disclosure of that information the patient wishes to have imposed. We reserve the right to accept or reject any other request and will notify the patient of our decision.
  • Alternative Communications — Patients have the right to request us to use alternative means or alternative locations when communicating PHI to them. Our office will accommodate a patient's request for such alternative communications if the request is reasonable and in writing. Our office will inform the patient of our decision to accommodate or deny such a request. If we agree to such a request, we will inform our Business Associates of the agreement and provide them with the information necessary to comply with the agreement.
  • Applicability — Our office will be aware of and respect these patients' rights regarding their PHI, even though in most situations’ patients are unlikely to exercise them.

Staff Training and Management, Complaint Procedures, Data Safeguards, Administrative Practices

  • Staff Training and Management
    • Training — Our office will train all members of our workforce whose work involves or is related to the TEAM Companies’ Health Information Privacy Policies & Procedures, as necessary and appropriate for them to carry out their functions. After the date of enactment of these Health Information Privacy Policies & Procedures, our office will train each new staff member meeting this description within a reasonable time after the member starts. We will also retrain each staff member whose functions are affected either by a material change in our Privacy Policies and Procedures or in the member's job functions, within a reasonable time after the change. Workforce members shall be requested to sign an acknowledgment that they have received and read a copy of these Policies and Procedures.
    • Discipline and Mitigation — Our office will develop, document, disseminate, and implement appropriate discipline policies for staff members who violate the TEAM Companies’ Health Information Privacy Policies & Procedures, or other applicable federal or state privacy law. Staff members who violate the TEAM Companies’ Health Information Privacy Policies & Procedures or other applicable federal or state privacy law will be subject to disciplinary action, possibly up to and including termination of employment.
    • Complaints — Our office will implement procedures for patients to complain about our compliance with the TEAM Companies’ Health Information Privacy Policies & Procedures. We will also implement procedures to investigate and resolve such complaints. The Complaint form can be used by the patient to lodge the complaint. Each complaint received must be referred to management immediately for investigation and resolution. We will not retaliate against any patient or workforce member who files a Complaint in good faith.
    • Data Safeguards — Our office will “add to” and strengthen these Privacy Policies & Procedures with such additional data security policies and procedures as are needed to have reasonable and appropriate administrative, technical, and physical safeguards in place to ensure the integrity and confidentiality of the PHI we maintain. Our office will take reasonable steps to limit incidental uses and disclosures of PHI made according to an otherwise permitted or required use or disclosure.
    • Documentation and Record Retention — Our office will maintain in written or electronic form all documentation required by the Privacy Rules for six years from the date of creation or when the document was last in effect, whichever is greater.

State Law Compliance

Our office will comply with the privacy laws of the State of Oklahoma to the extent such laws provide greater protections or rights to patients than the TEAM Companies’ Health Information Privacy Policies & Procedures. Further, new employees of the TEAM Companies will become familiar with Oklahoma's privacy laws.

HHS Enforcement

Our office will give the U.S. Department of Health and Human Services (HHS) access to our facilities, books, records, accounts, and other information sources (including individually identifiable health information without patient authorization or notice) during normal business hours (or at other times without notice if HHS presents appropriate lawful administrative or judicial process).

We will cooperate with any compliance review or complaint investigation by HHS, while preserving the rights of our practice.

This document was last updated on March 20, 2024.