Medical Office Technologies, Inc. (“MOT”) takes privacy seriously. We share a commitment with our clients to protect the privacy and security of the Protected Health Information (PHI) that we use, maintain or disclose subject to the terms of a Business Associate Agreement.
This Policy is provided to help you better understand how we at MOT use, disclose, and protect PHI.
Use and Disclosure of PHI
We will use or access PHI to provide the services for which we are contracted. We may use PHI for our management, administration and legal obligations to the extent such use of PHI is permitted or required by law. In the event that PHI must be disclosed to a subcontractor or agent, we will ensure that the subcontractor or agent has implemented the appropriate safeguards to protect the privacy and security of PHI. We will also obtain an agreement to ensure that the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under the BA Agreement with respect to PHI. We may also use PHI to report violations of law to appropriate federal and state authorities.
We use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in the BA Agreement. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic Protected Health Information that we create, receive, maintain, or transmit on behalf of a Covered Entity. Such safeguards include:
- Maintaining appropriate workforce clearance procedures
- Training for our workforce to assure complete understanding and compliance with our privacy and security policies
- Making use of appropriate encryption when transmitting PHI over the Internet
- Utilizing appropriate storage, backup, and disposal procedures to protect PHI
- Utilizing appropriate authentication and access controls to safeguard PHI
- Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents
- Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed
In the event of a possible breach, we will notify the Covered Entity(s) in a timely manner, including, where possible, a list of affected patients. We will investigate and mitigate, to the extent practicable, any harmful effect resulting from the breach. Such mitigation will include:
- Reporting any use or disclosure of PHI not provided for by the BA Agreement and any security incident of which we become aware to the Covered Entity
- Documenting such disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA
Access and Amendment to PHI
We will honor Covered Entity requests to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.
Upon request, we will make our internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, a Covered Entity available to the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BA Agreement and HIPAA regulations.