HIPAA

RSX Hospital | HIPAA Compliance Manual (45 CFR)

COMPREHENSIVE
HIPAA COMPLIANCE MANUAL

Health Insurance Portability and Accountability Act, 1996

COVERED ENTITY:
RSX HOSPITAL
REGULATORY AUTHORITY:
US DEPT OF HEALTH & HUMAN SERVICES (HHS)
APPLICABLE REGULATIONS:
45 CFR PARTS 160, 162, 164
DOCUMENT VOLUME:
MASTER FILE (29,000 WORDS EQUIVALENT)

45 CFR PART 160

PART I: GENERAL PROVISIONS

§ 160.103 Definitions

For the purpose of this Manual and all operations within RSX Hospital, the following definitions, derived from the Code of Federal Regulations, apply strictly:
Protected Health Information (PHI)

Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA).

Covered Entity

RSX Hospital, a healthcare provider that transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Business Associate

A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

45 CFR PART 164 SUBPART E

PART II: THE PRIVACY RULE

§ 164.502 Uses and Disclosures

RSX Hospital is permitted to use or disclose PHI strictly for:
  • Treatment (T): The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
  • Payment (P): Activities undertaken by RSX Hospital to obtain or provide reimbursement for the provision of health care. This includes billing, claims management, collection activities, and utilization review.
  • Health Care Operations (O): Activities related to RSX Hospital’s core functions, including quality assessment, competency assurance, medical reviews, audits, and business planning.

45 CFR § 164.508

PART III: AUTHORIZATIONS & RIGHTS

§ 164.520 Notice of Privacy Practices (NPP)

An individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information.
RSX Hospital Mandate: The NPP is provided to every patient upon their first service delivery, posted prominently on the website, and displayed in physical facilities.

§ 164.524 Access of Individuals to PHI

Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.
TIMELINE REQUIREMENT: RSX Hospital must act on a request for access no later than 30 days after receipt of the request.

45 CFR PART 164 SUBPART C

PART IV: THE SECURITY RULE

RSX Hospital adopts the NIST Cybersecurity Framework to ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI) created, received, maintained, or transmitted.

§ 164.306 Security Standards

RSX Hospital shall:
1. Ensures the confidentiality, integrity, and availability of all ePHI.
2. Protects against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protects against any reasonably anticipated uses or disclosures of such information that are not permitted.
4. Ensures compliance by its workforce.

45 CFR § 164.308

PART V: ADMINISTRATIVE SAFEGUARDS

Security Management Process

  • Risk Analysis: RSX conducts an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
  • Risk Management: Implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Sanction Policy: RSX applies appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
  • Information System Activity Review: Regularly reviews records of information system activity, such as audit logs, access reports, and security incident tracking reports.

45 CFR § 164.310 & § 164.312

PART VI: PHYSICAL & TECHNICAL SAFEGUARDS

Physical Safeguards

  • Facility Access Controls: Biometric scanners and keycard logs for server rooms.
  • Workstation Use: Privacy screens and auto-lock policies after 3 minutes of inactivity.
  • Device & Media Controls: Protocols for the disposal and re-use of electronic media (e.g., hard-drive degaussing).

Technical Safeguards

  • Access Control: Unique user identification and emergency access procedures.
  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit.
  • Audit Controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems.
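The Information System Activity Review in Part V and the Access Control and Audit Controls bullets above are stated as policy. The following added Python example, which is not part of the RSX Hospital manual, shows one concrete shape such a review can take over a constructed audit log: it flags entries that do not carry a unique user identification, every use of the emergency access procedure (so that it can be reviewed), bulk actions outside business hours, and users touching an unusually large number of distinct patients. The log format, the user roster, the business-hours window and the volume threshold are all assumptions made for the example.

```python
"""Minimal information system activity review over a constructed audit log.

Added example, not RSX Hospital code. The pipe-separated log layout, the
roster of authorized unique user IDs, the business-hours window and the
distinct-patient threshold are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, time

# Assumed roster of unique user IDs (the § 164.312 "unique user identification"
# control). Any ID not listed here is either unknown or a shared login.
AUTHORIZED_USERS = {
    "jdoe": "physician",
    "mlee": "billing",
    "rnurse": "nurse",
    "oncall1": "physician",
}

# Assumed review parameters.
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # local time, inclusive start, exclusive end
BULK_ACTIONS = {"EXPORT", "PRINT"}            # actions that move PHI off the system
MAX_DISTINCT_PATIENTS_PER_USER = 5            # per review window (one day here)

# Constructed sample log. Layout (assumed): timestamp|user_id|action|patient_id|workstation
SAMPLE_LOG = """\
2024-03-04T09:12:41|jdoe|VIEW|P-1001|WS-ER-03
2024-03-04T09:15:02|jdoe|VIEW|P-1002|WS-ER-03
2024-03-04T09:16:10|shared_desk|VIEW|P-1003|WS-ER-07
2024-03-04T23:40:55|mlee|EXPORT|P-1001|WS-ADMIN-01
2024-03-04T02:05:13|oncall1|BREAKGLASS|P-1004|WS-ICU-02
2024-03-04T11:00:00|rnurse|VIEW|P-2001|WS-WARD-01
2024-03-04T11:03:00|rnurse|VIEW|P-2002|WS-WARD-01
2024-03-04T11:06:00|rnurse|VIEW|P-2003|WS-WARD-01
2024-03-04T11:09:00|rnurse|VIEW|P-2004|WS-WARD-01
2024-03-04T11:12:00|rnurse|VIEW|P-2005|WS-WARD-01
2024-03-04T11:15:00|rnurse|VIEW|P-2006|WS-WARD-01
2024-03-04T14:30:00|mlee|EXPORT|P-1002|WS-ADMIN-01
"""


def parse_line(line):
    """Split one audit record into a dict; raises ValueError on a malformed line."""
    ts, user, action, patient, workstation = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "patient": patient,
        "workstation": workstation,
    }


def review_activity(log_text):
    """Return a list of (finding_type, line_number, user_id) tuples.

    Per-line findings carry the 1-based line number of the triggering record;
    aggregate findings (HIGH_VOLUME) carry None because they span many lines.
    """
    findings = []
    patients_by_user = defaultdict(set)
    start, end = BUSINESS_HOURS

    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        ev = parse_line(raw)

        # Unique user identification: shared or unknown IDs defeat attribution.
        if ev["user"] not in AUTHORIZED_USERS:
            findings.append(("UNKNOWN_OR_SHARED_ID", lineno, ev["user"]))

        # Emergency access procedure: every use is reviewed, not presumed wrong.
        if ev["action"] == "BREAKGLASS":
            findings.append(("EMERGENCY_ACCESS", lineno, ev["user"]))

        # Bulk movement of PHI outside business hours (assumed rule).
        if ev["action"] in BULK_ACTIONS and not (start <= ev["ts"].time() < end):
            findings.append(("AFTER_HOURS_BULK", lineno, ev["user"]))

        patients_by_user[ev["user"]].add(ev["patient"])

    # Volume check across the whole window: many distinct patients per user.
    for user, patients in sorted(patients_by_user.items()):
        if len(patients) > MAX_DISTINCT_PATIENTS_PER_USER:
            findings.append(("HIGH_VOLUME", None, user))

    return findings


if __name__ == "__main__":
    for kind, lineno, user in review_activity(SAMPLE_LOG):
        where = f"line {lineno}" if lineno is not None else "aggregate"
        print(f"{kind:22} {where:10} user={user}")
```

The findings are inputs to the review, not verdicts: a break-glass event or a high-volume nurse may be entirely legitimate, and the point of the Information System Activity Review is that a named reviewer looks at each flagged record and documents the outcome. Thresholds such as the 5-patient limit would in practice be derived from the risk analysis rather than fixed in code.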

45 CFR PART 164 SUBPART D

PART VII: BREACH NOTIFICATION

PRESUMPTION OF BREACH

An acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E is presumed to be a breach unless RSX Hospital demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.

§ 164.404 Notification to Individuals

RSX Hospital shall notify an affected individual of a breach of unsecured protected health information without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.

§ 164.408 Notification to the Secretary (HHS)

For breaches involving 500 or more individuals, RSX Hospital shall notify the Secretary of HHS contemporaneously with the notice to the individual.

HIPAA COMPLIANCE OFFICER

Any inquiries regarding this manual, violations of privacy, or requests for PHI access must be directed to the designated official.

Legal@rsxhospital.in

RSX HOSPITAL | OFFICE OF GENERAL COUNSEL
USA HEADQUARTERS

[END OF DOCUMENT: RSX-HIPAA-MASTER-VOL-1]