Effective Date: March 2025

  • Purpose

    This policy ensures compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its associated regulations to protect the privacy and security of patients’ protected health information (PHI) within Mercy Throne Behavioral Health Institute LLC.

  • Scope

    This policy applies to all employees, contractors, and business associates who have access to or process PHI within Mercy Throne Behavioral Health Institute LLC.

  • Policy Statements

    1. Privacy and Confidentiality
      • PHI will only be used or disclosed as permitted under HIPAA regulations.
      • Access to PHI is restricted to authorized personnel who require it to perform their job duties.
      • Patients have the right to access, amend, and receive an accounting of disclosures of their PHI.
    2. Security Measures
      • Administrative, physical, and technical safeguards will be implemented to protect PHI against unauthorized access, use, or disclosure.
      • All electronic PHI (ePHI) will be secured using encryption, secure passwords, and firewall protection.
      • Employees will be required to use unique login credentials and will be prohibited from sharing access.
    3. Employee Training
      • All employees must complete HIPAA training upon hiring and annually thereafter.
      • Training will cover the handling, storage, and disclosure of PHI, as well as reporting procedures for potential breaches.
    4. Data Breach and Incident Response
      • Any unauthorized use or disclosure of PHI must be reported immediately to the Compliance Officer.
      • The company will investigate potential breaches and notify affected individuals, regulatory agencies, and business partners as required by law.
    5. Business Associate Agreements (BAAs)
      • All third-party vendors or partners handling PHI must sign a Business Associate Agreement (BAA) ensuring compliance with HIPAA regulations.
      • Business Associates must implement appropriate safeguards to protect PHI and report breaches promptly.
    6. Patient Rights
      • Patients may request restrictions on how their PHI is used or disclosed.
      • Patients have the right to file complaints regarding HIPAA violations without fear of retaliation.
    7. Retention and Disposal
      • PHI will be retained for the period required by law and securely disposed of when no longer needed.
      • Shredding, secure deletion, and other approved methods will be used for PHI disposal.
  • Enforcement and Compliance

    • Violations of this policy may result in disciplinary action, including termination and legal consequences.
    • The Compliance Officer is responsible for ensuring adherence to HIPAA regulations and addressing compliance concerns.
  • For any questions regarding this policy or HIPAA compliance, contact the Compliance Officer at 908-378-8838.