Notice of Privacy Practices Policies and Procedures
14.1 Notice of Privacy Practices
(Effective September 2020)
The following is the Notice of Privacy Practices for Axis Vision Care. This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
14.1.1 WHO WILL FOLLOW THIS NOTICE
This notice describes the practices of Axis Vision Care Doctors/staff and its business associates.
For ease of reference, in the remainder of this Notice, the words “you,” “your,” and “yours” refers to any individual with respect to whom Axis Vision Care receives, creates or maintains Protected Health Information. Axis Vision Care is required by law to take reasonable steps to protect your Protected Health Information from inappropriate use or disclosure.
Your “Protected Health Information” (PHI) is information about your physical or mental health condition, the provision of health care to you, or payment for health care provided to you, but only if the information identifies you or there is a reasonable basis to believe that the information could be used to identify you.
Axis Vision Care is required by law to provide notice to you of the duties and privacy practices with respect to your PHI, and is doing so through this Notice. This Notice describes the different ways in which the Plan uses and discloses PHI. It is not feasible in this Notice to describe in detail all of the specific uses and disclosures the Plan may make of PHI, so this Notice describes all of the categories of uses and disclosures of PHI that the Plan may make and, for most of those categories, gives examples of those uses and disclosures.
Please note that this Notice applies only to your PHI that Axis Vision Care maintains.

14.1.2 OUR PLEDGE REGARDING MEDICAL INFORMATION
We understand that medical information about you and your health is personal.
We are committed to protecting medical information about you. This notice applies to all of the medical records maintained by Axis Vision Care. This notice tells you about the ways in which we may use and disclose medical information about you. It also describes our obligations and your rights regarding the use and disclosure of medical information.
We are required by law to:
•make sure that medical information that identifies you is kept private;
•give you this notice of our legal duties and privacy practices with respect to medical information about you;
•and follow the terms of the notice that are currently in effect.

14.1.3 HOW WE MAY USE AND DISCLOSE MEDICAL INFORMATION YOUR PHI
The following categories describe different ways that we use and disclose medical information. For each category of uses or disclosures, we will explain what we mean and present some examples. These examples are not exhaustive. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.
Please note: In most instances, how information is used and disclosed has not changed. The descriptions reflect how the Health and Welfare Plan has traditionally operated.
For Treatment (as described in applicable regulations):
We may use or disclose medical information about you to facilitate medical treatment (as defined in applicable federal rules) or services by providers. We may disclose medical information about you to providers, including doctors, nurses, technicians, medical students, or other personnel who are involved in taking care of you.
For Payment (as described in applicable regulations)
Axis Vision Care may use or disclose your PHI for payment (as defined in applicable federal rules) activities, including making payment to or collecting payment from third parties, such as health care providers, other health plans and insurances.
Axis Vision Care’s use or disclosure of your PHI for payment purposes may include uses and disclosures for the following purposes, among others.
•Obtaining payments required for co-pays, co-insurances, and deductibles under the Plan
•Determining or fulfilling its responsibility to provide coverage and/or benefits under the Plan, including eligibility determinations and claims adjudication
•Obtaining or providing reimbursement for the provision of health care (including coordination of benefits, subrogation, and determination of cost sharing amounts)
•Claims management, collection activities, obtaining payment under a stop-loss insurance policy, and related health care data processing
•Reviewing health care services to determine medical necessity, coverage under the Plan, appropriateness of care, or justification of charges
•Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services
Axis Vision Care may also disclose your PHI for purposes of assisting other health plans, co-management of care, health care providers, and health care clearinghouses with their payment activities, including activities like those listed above with respect to your care.
Limited Data Set:
Axis Vision Care may disclose a limited data set to a recipient who agrees in writing that the recipient will protect the limited data set against inappropriate use or disclosure. A limited data set is health information about you and/or others that omits your name and Social Security Number and certain other identifying information.
Legally Required:
Axis Vision Care will use or disclose your PHI to the extent required to do so by applicable law. This may include disclosing your PHI in compliance with a court order, or a subpoena or summons. In addition, Axis Vision Care must allow the U.S. Department of Health and Human Services to audit records.
Health or Safety:
When consistent with applicable law and standards of ethical conduct, Axis Vision Care may disclose your PHI if the Practice, in good faith, believes that such disclosure is necessary to prevent or lessen a serious and imminent threat to your health or the health and safety of others.

14.1.4 SPECIAL SITUATIONS
Disclosure to Health Plan (vision or medical insurance) Sponsor:
Information may be disclosed to another health plan for purposes of facilitating claims payments under that plan.
Military and Veterans:
If you are a member of the armed forces, we may release medical information about you as required by military command authorities. We may also release medical information about foreign military personnel to the appropriate foreign military authority.
Workers’ Compensation:
We may release medical information about you for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.
Public Health:
We may disclose medical information about you for public health activities. These activities generally include the following:
•to prevent or control disease, injury or disability;
•to report reactions to medications or problems with products;
•to notify people of recalls of products they may be using;
•to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
•to notify the appropriate government authority if we believe an individual has been the victim of abuse, neglect or domestic violence.
•We will only make this disclosure if you agree or when required or authorized by law.
Emergency Situation:
Axis Vision Care may disclose your PHI to a family member, friend, or other person, for the purpose of helping you with your health care or payment for your health care, if you are in an emergency medical situation and you cannot give your agreement to Axis Vision Care to do this.
Personal Representatives:
Axis Vision Care will disclose your PHI to your personal representatives appointed by you or designated by applicable law (a parent acting for a minor child, or a guardian appointed for an incapacitated adult, for example) to the same extent that Axis Vision Care would disclose that information to you.
Health Oversight Activities:
We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Disputes:
If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a court or administrative order. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
Law Enforcement:
We may release medical information if asked to do so by a law enforcement official:
•in response to a court order, subpoena, warrant, summons or similar process;
•to identify or locate a suspect, fugitive, material witness, or missing person
•about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
•about a death we believe may be the result of criminal conduct; and
•in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
Coroner, Medical Examiner or Funeral Director:
We may release medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death or other duties as authorized by law. We may also release medical information about patients of the hospital to funeral directors as necessary to carry out their duties.
National Security and Intelligence Activities:
We may release medical information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
Inmates:
If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

14.1.5 YOUR RIGHTS REGARDING MEDICAL INFORMATION ABOUT YOU
You have the following rights regarding medical information we maintain about you:
Authorization to Use or Disclose Your PHI:
Except as stated above, Axis Vision Care will not use or disclose your PHI unless it first receives written authorization from you. If you authorize Axis Vision Care to use or disclose your PHI, you may revoke that authorization in writing at any time, by sending notice of your revocation to the contact person named at the end of this Notice. To the extent that Axis Vision Care has taken action in reliance on your authorization (entered into an agreement to provide your PHI to a third party, for example) you cannot revoke your authorization.
Axis Vision Care May Contact You:
Axis Vision Care may contact you for various reasons, usually in connection with claims and payments and usually by mail or phone calls.
You should note that Axis Vision Care may contact you about treatment alternatives or other health- related benefits and services that may be of interest to you.
Right to Access Your PHI:
You have a right to access your PHI such as: payment, claims adjudication and case management records, or in other records used by Axis Vision Care to make decisions about you, in order to inspect it and obtain a copy of it. Your request for access to this PHI should be made in writing to the Privacy Officer. The Plan may deny your request for access, for example, if you request information compiled in anticipation of a legal proceeding. If access is denied, you will be provided with a written notice of the denial, a description of how you may exercise any review rights you might have, and a description of how you may complain to the Privacy Officer or the Secretary of Health and Human Services. If you request a copy of your PHI, Axis Vision Care may charge a reasonable fee for copying and, if applicable, postage associated with your request.
Right to Amend
You have a right to request amendments to your PHI in Axis Vision Care’s records if you believe that medical information we have about you is inaccurate or incomplete. You have the right to request an amendment for as long as the information is kept on record for ten (10) years by Axis Vision Care.
To request an amendment, your request must be made in writing and submitted to the Privacy Officer. In addition, you must provide a reason that supports your request.
We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:
•is not part of the medical information kept by or for the Health and Welfare Plan;
•was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
•is not part of the information which you would be permitted to inspect and copy; or is accurate and complete.
If Axis Vision Care denies your request for an amendment to your PHI, it will notify you of its decision in writing, providing the basis for the denial, information about how you can include information on your requested amendment in the Plan’s records, and a description of how you may complain to Plan or the Secretary of Health and Human Services.
Right to an Accounting of Disclosures
You have the right to receive an accounting of certain disclosures made of your health information. Most of the disclosures that Axis Vision Care makes of your PHI are not subject to this accounting requirement because routine disclosures (those related to payment of your claims, for example) generally are excluded from this requirement. To request an accounting of disclosures of your PHI, you must submit your request in writing to the Privacy Officer. Your request must state a time period which may not be longer than dates prior to 2010. Your request should indicate in what form you want the accounting to be provided (for example on paper or electronically). The first list you request within a 12-month period will be free. If you request more than one accounting within a 12-month period, Axis Vision Care mayl charge a reasonable, cost- based fee for each subsequent accounting. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
Personal Representatives: You may exercise your rights through a personal representative. Your personal representative will be require to produce evidence of his/her authority to act on your behalf before that person will be given access to your PHI or allowed to take any action for you. Axis Vision Care retains discretion to deny a personal representative access to your PHI to the extent permissible under applicable law.
Right to Request Restrictions on Certain Uses and Disclosures:
You may request Axis Vision Care to restrict the uses and disclosures it makes of your PHI. Axis Vision Care is not required to agree to a requested restriction, but if it does agree to your requested restriction, Axis Vision Care is bound by that agreement, unless the information is needed in an emergency situation. There are some restrictions, however, that are not permitted even with Axis Vision Care’s agreement. To request a restriction, please submit your written request to the Privacy Officer. In the request please specify: (1) what information you want to restrict; (2) whether you want to limit Axis Vision Care’s use of that information, its disclosure of that information, or both; and (3) to whom you want the limits to apply (a particular physician, for example). We are not required to agree to your request. Axis Vision Care will notify you if it agrees to a requested restriction on how your PHI is used or disclosed. You should not assume that Axis Vision Care has accepted a requested restriction until Axis Vision Care confirms its agreement to that restriction in writing.
Right to Request Confidential Communications:
If you feel that disclosure of your PHI could endanger you, Axis Vision Care will accommodate a reasonable request to communicate with you by alternative means or at alternative locations. For example, you might request Axis Vision Care to communicate with you only at a particular address. If you wish to request confidential communications, you must make your request in writing to the Privacy Officer. You do not need to state the specific reason that you feel disclosure of your PHI might endanger you in making the request, but you do need to state whether that is the case. Your request also must specify how or where you wish to be contacted. Axis Vision Care will notify you if it agrees to your request for confidential communication. You should not assume that Axis Vision Care has accepted your request until Axis Vision Care confirms its agreement to that request in writing. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
Right to a Paper Copy of This Notice
You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.
To obtain a paper copy of this notice, contact the Privacy Officer.
Notice of Breach
You have the right to be notified if there is a breach – compromise to the security of privacy of your health information – due to your health information being unsecured. Axis Vision Care and/or its business associates will notify you with 60 days of discovery of a breach.

14.1.6 CHANGES TO THIS NOTICE
Axis Vision Care is required to abide by the terms of this Notice until it is replaced. Axis Vision Care may change its privacy practices at any time and, if any such change requires a change to the terms of this Notice, Axis Vision Care will revise and re-distribute this Notice. Accordingly, Axis Vision Care can change the terms of this Notice at any time. Axis Vision Care has the right to make any such change effective for all of your PHI that it creates, receives or maintains, even if Axis Vision Care received or created that PHI before the effective date of the change. We will post a copy of the current notice on the benefits website. The notice will contain on the first page, the effective date.

14.1.7 COMPLAINTS
Any complaints to Axis Vision Care should be made in writing to the contact person named at the end of this Notice. Axis Vision Care encourages you to express any concerns you may have regarding the privacy of your information. You will not be retaliated against in any way for filing a complaint.
If you believe your privacy rights have been violated, you have the right to express complaints to the Privacy Officer and to the Secretary of the Department of Health and Human Services. Any complaints should be made in writing to the Privacy Officer. Axis Vision Care encourages you to express any concerns you may have regarding the privacy of your information. You will not be retaliated against in any way for filing a complaint.

To file a formal complaint:
VII – Kansas City (Iowa, Kansas, Missouri, Nebraska)
Frank Campbell, Regional Manager
Office for Civil Rights
U.S. Department of Health & Human Services
601 East 12th Street – Room 353
Kansas City, MO 64106
Voice Phone (800)368-1019
Fax (816)426-3686
TDD (800)537-7697
[email protected]
The complaint form may be found at www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaint.pdf.
You will not be penalized in any way for filing a complaint.
Contact Information:
Axis Vision Care has designated the individual listed below as its contact person for all issues regarding Axis Vision Care’s privacy practices and your privacy rights. If you have any questions about this notice, please contact the Privacy Officer:
Beth Gutierrez
Axis Vision Care
221 N. 2nd Ave
Washington, IA 52353
[email protected]
Phone (319)653-4558 Fax (319)653-2574

14.1.8 OTHER USES OF MEDICAL INFORMATION
Other uses and disclosures of medical information not covered by this notice or the other applicable laws will be made only with your written permission. If you provide us permission to use or disclose medical information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose medical information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided to you.

14.2 HIPAA Privacy Policies and Procedures Overview
14.2.1 POLICY STATEMENT
HIPAA requires covered entities to have policies and procedures reflecting HIPAA’s privacy mandates. Axis Vision Care, as a covered entity, has developed administrative policies and procedures reflecting the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations.

14.2.2 POLICY INTERPRETATION AND IMPLEMENTATION
HIPAA Policies and ProceduresHIPAA requires covered entities to have policies and procedures to ensure compliance with HIPAA’s regulations. Axis Vision Care is a “covered entity” under HIPAA. Consequently, Axis Vision Care is responsible for the research, development, implementation, monitoring and maintenance of Axis Vision Care’s HIPAA privacy policies and procedures.

Revisions to HIPAA PoliciesAxis Vision Care’s HIPAA privacy policies and procedures may be revised at any time, in order to comply or enhance compliance with HIPAA.

Distribution of Revisions to HIPAA PoliciesAny revisions to Axis Vision Care’s HIPAA’s privacy policies and procedures will be distributed to individual’s family members, representatives, employees, business associates, etc., within five (5) working days of the release of such revisions.

Policy InquiriesInquiries relative to HIPAA policies and procedures should be directed to the HIPAA Privacy Officer.

Specific Policies and ProceduresAxis Vision Care’s specific policies and procedures have been created in order to satisfy HIPAA’s requirements.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for a period of ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. If you have a question or concern about your HIPAA rights contact the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319) 653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.3 HIPAA Privacy Policy – Hands Off
14.3.1 POLICY STATEMENT
Axis Vision Care, a “covered entity” for purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has developed this HIPAA Privacy Policy in order to comply with the requirements under the HIPAA privacy regulations and guidelines. Axis Vision Care intends to maintain a “hands-off” approach to medical information associated with or generated by the Practice. Axis Vision Care shall conduct its business in accordance with this HIPAA Privacy Policy.

14.3.2 POLICY INTERPRETATION AND IMPLEMENTATION
Protected Health Information (PHI)Neither Axis Vision Care (nor any member of the Axis Vision Care workforce) shall create or receive protected health information (PHI) other than specifically described below.
Axis vision Care does not create, maintain or receive PHI except for:
•Patient account information;
•Summary of health information; and
•Periodic review or use of E H R related material, notice of payments and/or denials from insurances.
•Record sharing for continuation of care
•Referrals.

Summary Health InformationSummary health information is information that summarizes the claims history, expenses, descriptions of services received and/or billed for.

Restrictions on Intimidating or Retaliatory ActsAxis Vision Care shall refrain from intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against individuals for:
•Exercising their HIPAA privacy rights;
•Filing a complaint;
•Participating in an investigation; or
•Opposing any improper practice under HIPAA.
If such an action should occur by one of Axis Vision Care’s employees, the action shall not be attributed to the Practice unless the employee was acting in a capacity on behalf of Axis Vision Care as a covered entity.

No Waiver RequiredAxis Vision Care shall not require an individual to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility. If such an action should occur by one of Axis Vision Care’s employees, the action shall not be attributed to the Practice unless the employee was acting in a capacity on behalf of Axis Vision Care as a covered entity.

Periodic ReviewPeriodically, Axis Vision Care will review its operating practices to ensure they are in compliance with this HIPAA Privacy Policy.

ViolationsViolations of this policy will be subject to discipline.

14.4 HIPAA Privacy Officer
14.4.1 POLICY STATEMENT
A HIPAA Privacy Officer has been designated by our office to be responsible for the development and implementation of HIPAA policies and procedures.

14.4.2 POLICY INTERPRETATION AND IMPLEMENTATION
Appointment of HIPAA Privacy OfficerAxis vision Care has designated Beth Gutierrez, as the HIPAA Privacy Officer.

Privacy Officer’s Responsibilities
The HIPAA Privacy Officer’s responsibilities include:
•Assisting management in the development, implementation, and updating of all HIPAA policies and procedures;
•Performing periodic privacy risk assessments;
•Development of security procedures and guidelines for the protection of Axis Vision Care’s information systems;
•Assisting management in the assigning of passwords and user identification codes for access to protected health information (PHI) by authorized users;
•Receiving complaints concerning the compliance with established policies and procedures;
•Maintaining a privacy complaint disposition log;
•Assisting in obtaining “use and disclosure of PHI” authorizations;
•Assisting in the development of training materials and training to ensure that relevant staff are well trained in matters relating to the use and disclosure of protected health information (PHI);
•Providing staff, individuals, business associates, government agencies, etc., with information relative to Axis Vision Care’s HIPAA policies and procedures.

DelegationThe Privacy Officer may delegate certain job functions to be performed by other individuals; however, the ultimate responsibility for compliance with HIPAA remains with HR and Privacy Officer.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for a period of ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.5 Notice of Privacy Practices
14.5.1 POLICY STATEMENT
Each individual that is the subject of Protected Health Information (PHI) must receive a Notice of Privacy Practices (NPP) describing (1) the uses and disclosures of his/her PHI that may be made by or on behalf Axis Vision Care, (2) the individual’s rights, and (3) Axis Vision Care’s legal duties with respect to the individual’s PHI.

14.5.2 POLICY INTERPRETATION AND IMPLEMENTATION
Issue of NPPIndividuals receiving care at Axis Vision Care (POA’s & Guarantors) will be provided with a copy of the Health Plan’s NPP;

Content of NPPNPPs must be prepared in easy to read language and contain, as a minimum, the following elements:
•A statement indicating how medical information about the individual may be used and disclosed and how the individual can obtain access to such information;
•A description, including at least one example, of the types of uses and disclosures that Axis Vision Care is permitted to make for purposes of treatment, payment and healthcare operations, with sufficient detail to place an individual on notice of the uses and disclosures permitted or required;
•A description of each of the other purposes for which the Axis Vision Care is permitted or required to use or disclose PHI without the individual’s consent or authorization, with sufficient detail to place an individual on notice of the uses and disclosures permitted or required;
•A statement that other uses or disclosures will be made only with the individual’s written authorization, and that the authorization may be revoked in accordance with the policy on authorization;
•A statement of the individual’s rights with respect to his/her PHI, and a brief description of how the individual may exercise those rights, including:
•The right to request restrictions on certain uses/disclosures of PHI, and the fact that Axis Vision Care does not have to agree to such restrictions;
•The right to receive confidential communications of PHI;
•The right to inspect and copy PHI;
•The right to amend PHI;
•The right to receive an accounting of disclosures of PHI; and
•The right to receive a paper copy of the privacy notice.
•A statement of Axis Vision Care’s duties with respect to PHI, including statements:
•Axis Vision Care is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices;
•Axis Vision Care is required to abide by the terms of its current effective privacy notice; and
•Axis Vision Care reserves the right to change the terms of the notice and make a new notice provision effective for all PHI maintained, along with a description of how Axis Vision Care will provide individuals with the revised notice
•A statement that individuals may complain to the Health Plan and to the Secretary of the U.S. Department of Health and Human Services about privacy rights violations, including a brief statement about how a complaint may be filed and an assurance that the individual will not be retaliated against for filing a complaint;
•The name, or title, and telephone number of Axis Vision Care’s HIPAA Privacy Officer to contact for further information;
•The name, telephone number and address of the person designated by Axis Vision Care to receive complaints regarding the Health Plan’s privacy practices; and
•The effective date of the NPP, which may not be earlier than the date printed or published.

Distribution of NPP•Axis Vision Care will distribute the NPPs at the times specified below:
•On Axis Vision Care’s initial compliance date;
•New Patients at check in.
•Within 60 days of a material revision of the NPP to individuals affected by changes.
•The signed NPP does not term. Only with a written request, death, a change in POA and/or a change in Guarantor will a new agreement be issued to replace the previously signed NPP.

Posting of NPPA copy of the NPP will be posted on the web page Axis Vision Care. The HIPAA Privacy Officer is responsible for prompt distribution of changes to the privacy notice.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline

14.6 Use or Disclosure of Protected Health Information (PHI)
14.6.1 POLICY STATEMENT
In order for Axis Vision Care to use or disclose (including obtaining) protected health information (PHI), the use or disclosure must either (1) fall under the enumerated uses and disclosures allowed without an individual authorization, or (2) Axis Vision Care must obtain an individual authorization.

14.6.2 POLICY INTERPRETATION AND IMPLEMENTATION
Use and Disclosure not Requiring an Individual AuthorizationPHI may only be used or disclosed without an individual authorization for treatment, payment, or health care operations (TPO). These purposes include:
Axis Vision Care may use or disclose PHI for its own treatment, payment, or health care operations;
Axis Vision Care may disclose PHI to another covered entity for the payment activities of that entity;
Axis Vision Care may disclose PHI to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the PHI, the PHI pertains to such relationship, and the disclosure is:
•For health care operations regarding conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives, and related functions that do not include treatment, reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, credentialing activities; or
•For the purpose of health care fraud and abuse detection or compliance.
Nothing in this paragraph 1, prevents Axis Vision Care from obtaining an individual authorization for use and disclosure of PHI for TPO purposes.

Use and Disclosure Requiring an Individual AuthorizationAn individual authorization is required for any use or disclosure of PHI that is not allowed without the individual authorization. This includes, but is not limited to:
•Psychotherapy notes;
•Marketing, except if the communication is in the form of:
•Face-to-face communication made by Axis Vision Care to an individual; or
•A promotional gift of nominal value provided by Axis Vision Care.

Definition of PHIProtected Health Information (PHI) means individually identifiable information relating to the past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.

Definition of TPOTreatment, Payment and Health Care Operations (TPO) includes all of the following:
Treatment means the provision, coordination, or management of health care and related services, consultation between providers relating to an individual or referral of an individual to another provider for health care.
Payment means activities undertaken to obtain or provide reimbursement for health care, including determinations of eligibility or coverage, billing, collection activities, medical necessity determinations and utilization review.
Health Care Operations includes functions such as quality assessment and improvement activities, reviewing competence or qualifications of health care professionals, conducting or arranging for medical review, legal services, and auditing functions, business planning and development, and general business and administrative activities.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319) 653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.7 Minimum Necessary Standard
14.7.1 POLICY STATEMENT
Whenever practical/feasible, Axis Vision Care will make reasonable efforts to limit use and disclosure of protected health information (PHI) to the minimum necessary to accomplish the appropriate intended purpose.

14.7.2 POLICY INTERPRETATION AND IMPLEMENTATION
Minimum Necessary StandardWhen using, disclosing or requesting PHI, Axis Vision Care shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose.

Access to PHIAxis Vision Care requires relevant staff to have access only to the minimum necessary PHI required by their job functions.
It is the responsibility of the HIPAA Privacy Officer to limit the access of relevant staff to only the minimum necessary PHI required by their job function. The HIPAA Privacy Officer may delegate certain job functions to be performed by other individuals; however, the ultimate responsibility for compliance with HIPAA remains with the HIPAA Privacy Officer and HR.

Where Minimum Necessary Standard Does Not ApplyLimiting use, disclosure or request of PHI to the minimum necessary does NOT apply in the following situations:
•Disclosures or requests by a health care provider for treatment;
•Uses or disclosures made to the individual or requested and authorized by the individual;
•Disclosures made to the Secretary of Health and Human Services (HHS) or to the Office of Civil Rights (OCR);
•Uses or disclosures required by law; and/or
•Uses or disclosures required for compliance with the Privacy Rule.

Disclosures of PHI by
Health PlanFrom time to time relevant staff of Axis Vision Care will be asked to disclose PHI to other Covered Entities, regulatory agencies, law enforcement authorities and others. Many of these disclosures are permitted or required by law and do not require authorization of the individual. Others may require authorization of the individual whose PHI is to be disclosed. Except for those instances identified previously, Axis Vision Care will apply the minimum necessary standard to all disclosures.
Relevant staff of Axis Vision Care may treat a request for a disclosure as being for the minimum necessary PHI when the request is:
•A permitted disclosure to a public official who states that the disclosure is the minimum necessary;
•From another Covered Entity;
•From a professional who is a member of Axis Vision Care or is a Business Associate of Axis Vision Care he/she states that the information is the minimum necessary needed; and
•For research purposes when the required documentation is provided.

Requests for PHI
by Health PlanRelevant staff of Axis Vision Care must limit requests made by them for PHI to that which is reasonably necessary to accomplish the purpose of the request.

Entire Medical RecordAxis Vision Care will not use, disclose or request an entire medical record unless the entire medical record is specifically justified as reasonably necessary. Unjustified use, disclosure or request of an entire medical record will be considered a violation of this policy. The only exception regarding the entire medical record is when the information is provided to persons involved in the treatment of the individual.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for a period of ten (10) years. Such retention may be in printed or electronic format, or both.

HIPAA Privacy OfficerThe HIPAA Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The HIPAA Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the HIPAA Privacy Officer during regular business office hours Monday through Friday, except holidays at (319)653-4558.

14.8 Individuals’ Rights to Access and Copy PHI
14.8.1 POLICY STATEMENT
Individuals have the right to access and copy their own protected health information (PHI) maintained/retained by Axis Vision Care in their designated record set (DRS).

14.8.2 POLICY INTERPRETATION AND IMPLEMENTATION
Definition of DRSA group of records maintained by Axis Vision Care that are:
Medical records and billing records about individuals maintained by or for Axis Vision Care;
The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for Axis Vision Care; or
Used by or for Axis Vision Care to make decisions about individuals.
The term “record” as used above means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Axis Vision Care.

Individual’s Right to Access and Copy PHIAn individual generally has a right to access and copy his/her PHI maintained in the DRS .

Written RequestRequest for inspection and copying of PHI must be submitted to the HIPAA Privacy Officer in writing.

Time Frame for Retrieval of Requested PHIInsofar as practical, the individual should allow at least thirty (30) days for Axis Vision Care to obtain requested information. Should an extension be necessary, the individual will be notified of such request. In no case may the extension exceed thirty (30) days.

Denial of AccessShould the individual be denied access to requested records, a written notice must be provided to the individual indicating such denial and the reason(s) for the denial.

Service FeesThe following charge(s) may be assessed for copying services:
•10 pages or less all fees are waived
•11 pages or more ($5 fee may be applied to the account to help cover the cost of shipping/postage and/or for time and labor)

ExceptionsIndividuals may be denied access to (1) psychotherapy notes, and (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Denial of Access Without Right of ReviewDenial of access without a right of review may occur:
Where information was compiled in anticipation of litigation;
Where care was provided under the direction of a correctional institution and provision of access would jeopardize health, safety, or rehabilitation; and
Where information was collected in the course of research that includes treatment of the individual and the individual agreed to a suspension of the right of access during the research period.

Denial in Accordance with Other Applicable LawAccess may also be denied in accordance with other applicable law.

Denial of Access With Right of ReviewDenial of access with a right of review may occur:
•Where access is determined by a licensed professional to be likely to endanger life or safety of the individual or another person; and
•Where access is required by the individual’s representative and a licensed professional determines that such access is reasonably likely to cause substantial harm.

Individual’s Right to Review by Another Licensed ProfessionalIf the basis for denial of access gives the individual a right to review, the individual has the right to have the denial reviewed by a licensed professional who did not participate in the original denial decision. Such review will be completed within thirty (30) days of such request. Axis Vision Care will provide the individual with a notice of the reviewer’s decision and will comply with the determination to either provide the requested information or deny access to such requested information.

Time Frame for Facility to Act Upon Individual’s Request for AccessAxis Vision Care will act upon an individual’s request for access to his/her DRS no later than thirty (30) days after receipt of such request, unless the time period is extended as described below:
If the information to be accessed is not maintained or accessible on premises, Axis Vision Care will act upon such request within sixty (60) days of receipt of such request.
If Axis Vision Care is unable to act on the request within the applicable thirty (30) or sixty (60) day period, Axis Vision Care may extend the time for response by thirty (30) days, provided that the individual is given a written notice of the reason(s) for the delay and the date by which a responsive action will be taken.

Denial of Access Notice
Axis Vision Care will provide a timely, written denial of access to the individual when such denials occur. Denial notices will be written in easy-to-read language and will include, as a minimum, the following information:
•The basis for the denial of access;
•Any right of review (as applicable);
•How to file a complaint with Axis Vision Care;
•The name and telephone number of the person to whom the complaint may be filed; and
•The address of the U.S. Secretary of Health and Human Services.

Access to Requested InformationTo the extent practical, the individual will be given access to any information requested after excluding the information for which Axis Vision Care has grounds for denying access.

Access to Information Maintained Off PremisesShould the information for which access has been requested be maintained off premises or Axis Vision Care does not maintain/retain such information, but knows where the information is located, Axis Vision Care will either (a) notify the individual where to direct his/her request for access, or (b) otherwise make arrangements for the individual to access such information.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for a period of ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.9 Individuals’ Rights to Amend PHI
14.9.1 POLICY STATEMENT
An individual may amend his/her protected health information (PHI).

14.9.2 POLICY INTERPRETATION AND IMPLEMENTATION
Amendment of PHI
An individual may amend his/her PHI except as outlined below:
•The originator of the record is no longer available;
•The information the individual wishes to amend was not created by Axis Vision Care;
•The information is not part of the health information record;
•The information contained in the record is accurate and complete; and/or
•The amended information would not be available as provided by current law.

Written Amendment RequestAll requests for amendments to PHI must be submitted to the HIPAA Privacy Officer in writing.

Time Frame for Acting Upon a Request for AmendmentsAxis Vision Care will act upon the individual’s request for an amendment no later than sixty (60) days after receipt of such request. Should Axis Vision Care be unable to act upon the request within the sixty (60) day period, the individual will be provided with a written notice of the reasons for the delay and the date by which Axis Vision Care will complete such action. In no case will such extension extend beyond thirty (30) days.

Acceptance of Amendment
When Axis Vision Care accepts the amendment, in whole or in part, Axis Vision Care will:
•Make the requested amendment(s) to the PHI or record that is subject to the amendment(s) or provide a link to the location of such amendment(s);
•Inform the individual that the amendment(s) are accepted and have been made;
•Notify persons/entities authorized by the individual that such amendments have been made and provide copies of such amendments as requested; and
•Notify business associates that such amendments have been made and provide copies of such amendments to business associates as requested.

Denial of Amendment Requests
Should Axis Vision Care deny a requested amendment, in whole or in part, Axis Vision Care will:
•Notify the individual in writing of the denial to make an amendment to his/her PHI. Such denial will include the following information:
•The reason(s) for the denial;
•Information relative to how the individual may submit a written statement disagreeing with the denial;
•Information relative to how the individual may request that the amendment and the denial become part of the individual’s permanent records; and
•Information relative to how the individual may file a complaint with the HIPAA Privacy Officer or to the U.S. Secretary of Health and Human Services.
•Include on all notices to the individual the name, title, and telephone number of the contact person or office designated to receive complaints.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for a period of ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.10 Accounting of Disclosures of PHI
14.10.1 POLICY STATEMENT
Individuals have the right to receive an accounting of disclosures of protected health information (PHI) made by Axis Vision Care.

14.10.2 POLICY INTERPRETATION AND IMPLEMENTATION
Request for an Accounting of Disclosures of PHI

An individual or his/her representative may request an accounting of disclosures of his/her PHI made by Axis Vision Care during a specified time period of up to ten (10) years prior to the date of the request of an accounting. Disclosures must be tracked by Axis Vision Care for purposes of an accounting except the following disclosures:
•To carry out treatment, payment or healthcare operations (TPO) as permitted under current law;
•To the individual about his/her own PHI;
•To persons involved in the individual’s care;
•For national security purposes;
•Pursuant to the individual’s authorization;
•To federal/health department officials as permitted under current law; and
•Those disclosures that occurred prior to the ten years of record retention.

Time Frame of Accounting ReportsOther than the exceptions noted above, the accounting record must include disclosures of PHI that occurred during the ten (10) years (or shorter time period as is specified in the request) prior to the date of such request, including disclosures made by or to any of Axis Vision Care’s business associates.

Content of Accounting of Disclosures Record

The content of the written accounting of disclosures record must contain, at a minimum, the following information:
•Date of the disclosure;
•Name of the entity or individual who received the PHI;
•The address of the person receiving the
PHI (if known);
•A brief description of the PHI disclosed; and
•A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or in lieu thereof, a copy of the individual’s authorization or the request for the disclosure.

Multiple DisclosuresIf, during the time period for the accounting, multiple disclosures have been made to the same entity or individual for a single purpose, or pursuant to a single authorization, the accounting may provide the information as set forth in paragraph 3 above for the first disclosure, and then summarize the frequency of number of disclosures made during the accounting period and the date of the last disclosure during the accounting period.

Time Frame for Providing Accounting of Disclosure Data

An individual’s request for an accounting of PHI disclosures must be provided to the individual or representative within sixty (60) days of such request. If unable to provide the accounting within the sixty (60) day time frame, a one-time thirty (30) day extension may be provided if:
•The individual is notified in writing of the delay;
•The notice includes the reason(s) why the delay is necessary; and
•The notice includes the date by which the accounting will be provided.

LogAxis Vision Care will keep a log of all disclosures, as required by paragraph 1 above, which will include all necessary information.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for a period of ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.11 Restrictions on Use or Disclosure of PHI Requested by Individual
14.11.1 POLICY STATEMENT
Individuals have the right to request restrictions on uses and disclosures of protected health information (PHI) relative to treatment, payment, or health care operations (TPO).

14.11.2 POLICY INTERPRETATION AND IMPLEMENTATION
Request for Restriction on use or Disclosure of PHIA request for restriction of use or disclosure of information must be submitted in writing to the HIPAA Privacy Officer. Such request must specify the type of information to be included in the restriction and to whom the restriction applies. Axis Vision Care may develop a form for this purpose.

Upon receipt of an individual’s request that a restriction be placed on the use or disclosure of PHI, the HIPAA Privacy Officer will:
•Determine the reasonableness of the request based on the administrative capability of the Health Plan to comply with such request;
•Identify the means and location the individual wishes the information to be communicated; and
•Notify the individual whether or not Axis Vision Care agrees to the restriction within sixty (60) days of the date of such request unless an extension is necessary. Such extension will not exceed thirty (30) days.

Exceptions to RestrictionsShould Axis Vision Care agree to the restriction, Axis Vision Care and its business associates will honor such request except when:
•The restriction is terminated by Axis Vision Care or the individual, and/or
•There is an emergency treatment situation.
The Privacy Officer will be responsible for notifying any impacted business associates.

Emergency TreatmentWhen emergency treatment is necessary, the provider of the treatment may not use or disclose PHI or information which a restriction has been placed, except for what is necessary to provide appropriate emergency care for the individual. The emergency health treatment provider may not further disclose the restricted information beyond what is needed for the emergency treatment.

Termination of a RestrictionAxis Vision Care may terminate a restriction:
•When the individual requests the termination; and/or
•When Axis Vision Care informs the individual of the termination.

Termination NoticesTermination notices must be in writing and must indicate the effective date such termination and the reason(s) for such termination.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319) 653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.12 Restrictions on Confidential Communications Requested by Individual
14.12.1 POLICY STATEMENT
Individuals have the right to request an alternate means of communication of the individual’s protected health information (PHI) from Axis Vision Care to the individual. The restrictions apply only to communications to the individual by Axis Vision Care or communications that would otherwise go to the subscriber of the policy under which the individual has coverage. The effect of this is to ensure a family member who is not the subscriber can receive communications of PHI at the individual’s workplace or other alternate address or phone number, so that other family members are unaware of the information.

14.12.2 POLICY INTERPRETATION AND IMPLEMENTATION
Request for Confidential CommunicationsA request for confidential communications must be submitted in writing to the HIPAA Privacy Officer. Such request must specify the type of information to be covered by the confidential communication’s restriction, and to whom the restriction applies, the alternate address or other method of contact requested, and how payment will be handled (if applicable). Axis Vision Care may require evidence that if the information is disclosed other than the manner requested it could endanger the individual.

Consideration of RequestUpon receipt of an individual’s written request for confidential communications of PHI, the HIPAA Privacy Officer will:
•Determine the reasonableness of the request based on the administrative capability of the Practice to comply with such request;
•The determination of reasonableness will not include an evaluation of the merits of the individual’s reason for making the request;
•Identify the alternate means by and/or location to which the individual requests the information to be communicated and how payment will be handled; and
•Notify the individual whether or not Axis Vision Care agrees to the request within sixty (60) days of the date such request was received unless an extension is necessary. Such extension shall not exceed thirty (30) days.

Exceptions to confidential communicationsShould Axis Vision Care agree to the confidential communications, Axis Vision Care and its business associates will honor such request except when the confidential communication request is terminated by the Axis Vision Care or the individual. The Privacy Officer will be responsible for notifying any impacted business associate.

Termination of confidential communicationsAxis Vision Care may terminate confidential communications:
•When the individual requests the termination; and/or
•When Axis Vision Care informs the individual of the termination.

Termination NoticesTermination notices must be in writing and must indicate the date such termination is to become effective and the reason(s) for such termination. The termination notice must be provided before the effective date of the termination notice. A copy of the termination notice must be filed in the individual’s records maintained for HIPAA purposes.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for a period of ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.13 Privacy Complaint Procedure
14.13.1 POLICY STATEMENT
Individuals, family members, employees, the general public, or business associates have the right to file complaints regarding Axis Vision Cares policies, procedures, or practices relative to the access, use, or disclosure of protected health information (PHI).

14.13.2 POLICY INTERPRETATION AND IMPLEMENTATION
Designation of Person to Receive ComplaintsThe HIPAA Privacy Officer has been designated as the individual responsible for receiving, processing, and investigating all privacy related complaints. The Privacy Officer may in turn designate employees in particular areas to assist.

Filing of Privacy ComplaintsAny individual, representative, family member, employee, business associate, visitor, or the general public may file a grievance or complaint regarding Axis Vision Care’s privacy practices (e.g., denial of access to PHI, amendment of health records, problems with business associates, privacy act/ policy violations, etc.) without fear or reprisal or retaliation in any form.

Submitted ComplaintsComplaints should be submitted to the HIPAA Privacy Officer in writing.

Investigation ProcessThe HIPAA Privacy Officer or his/her designee will begin an investigation into allegations within five (5) working days of the receipt of the complaint.

Results of InvestigationA written report of the findings of the investigation will be provided to the individual filing the complaint within thirty (30) days of receiving such complaint unless an extension is necessary to complete the investigation. Such extension may not exceed thirty (30) days.

Dissatisfaction of Investigation/ResolutionShould the individual not be satisfied with the result of the investigation, or the recommended resolution(s), he/she may file a complaint with the Secretary of Health and Human Services (HHS).

Filing Complaints with the Secretary of HHSComplaints may be filed directly with the Secretary of HHS. Such complaints must be in writing, identify the Health Plan, and must describe the violation. Complaints must be filed within one-hundred eighty (180) days of the complainant learning of the alleged violation or should have been aware of the alleged violation.

Address of Secretary of HHSThe address of the Secretary of HHS is located in the Notice of Privacy Practices (NPP) and/or made available to individuals. Persons may also obtain the address from the HIPAA Privacy Officer.

Retention of Complaints LogThe HIPAA Privacy Officer or his/her designee will maintain a log of all complaints received. Copies of all complaints, their disposition and resolutions, and our complaint log will be maintained for ten (10) years from the date such complaint was received.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.14 Authorization for Use or Disclosure of PHI
14.14.1 POLICY STATEMENT
All uses and disclosures of protected health information (PHI) beyond those otherwise permitted by current HIPAA law, and not otherwise prohibited under another applicable law, require a signed authorization. In addition, Axis Vision Care may obtain a signed authorization in situations where it is not required, but Axis Vision Care chooses to obtain the authorization.

14.14.2 POLICY INTERPRETATION AND IMPLEMENTATION
Responsibility For Obtaining AuthorizationsThe HIPAA Privacy Officer or his/her designee will be responsible for obtaining authorizations when use or disclosure of protected health information is necessary.

Provision of Treatment, Payment, or EligibilityThe provision of treatment, payment, or eligibility for benefits may not be conditioned on the individual’s provision of an authorization for the use or disclosure of PHI.

Content of AuthorizationEach authorization for the use or disclosure of an individual’s PHI will be written in easy to read language and will include, at a minimum, the following information:
•A specific and meaningful description of the information to be used or disclosed;
•The name or identification of the person or class of person(s) authorized to make the use or disclosure;
•The name or identification of the person or class of person(s) to whom the requested use or disclosure may be made;
•An expiration date, condition or event that relates to the individual or the purpose of the use or disclosure; the authorization shall state that it will expire after ninety (90) days unless the individual has opted for a shorter or longer time. An individual may specify a longer period of time for the duration of the authorization only if the person:
•Is part of an approved research study and has given authorization for a longer period of time; or
•Is expected to continue receiving services beyond ninety (90) days and has given authorization for a longer period of time, which may be up to one calendar year.
•A statement of the individual’s right to revoke the authorization in writing, and exceptions to the right to revoke, together with a description of how the individual may revoke the authorization. Upon written notice of revocation, further ruse or disclosure of PHI shall cease immediately except to the extent that the facility, program or individual has acted in reliance upon the authorization or to the extent that use or disclosure is otherwise permitted or required by law; (See policy entitled Revocation of an Authorization.)
•A statement that the information may only be re -released with the written authorization of the individual, except as required by law;
•The dated signature of the individual; and
•If the authorization is signed by a personal representation of the individual, a description of the representative’s authority to act on behalf of the individual.

Request FormAxis Vision Care may develop a standard form for authorizing use and disclosure of PHI. If the Health Plan develops a form, the form must be used for all authorizations.

Requests to Use or Disclose PHI for Own PurposesIf the authorization is requested by Axis Vision Care for its own use or disclosure of the PHI it maintains, for purposes outside of treatment, payment or health care operations (TPO), health care oversight or public health activities, the following elements are required in addition to those specified in paragraph 2 above:
•Except in circumstances where it is allowed, a statement that treatment, payment and eligibility for benefits will not be conditioned upon the individual’s provision of an authorization;
•A description of each purpose of the requested use or disclosure;
•A statement that the individual may refuse to sign the authorization;
•If applicable, a statement that the use or disclosure will result in direct or indirect remuneration for a third party; and
•A copy of the signed authorization provided to the individual.

Requests for PHI from OthersIf the authorization is requested for disclosures of PHI by others, the following elements are required in addition to those specified in paragraph 3 above:
•A description of each purpose of the requested disclosure;
•Except in circumstances where it is allowed, a statement that treatment, payment and eligibility for benefits will not be conditioned upon the individual’s provision of an authorization;
•A statement that the individual may refuse to sign the authorization; and
•A copy of the signed authorization provided to the individual.

Use or Disclosure of PHI for ResearchUse or disclosure of PHI created for research generally requires an authorization unless such use or disclosure is permitted by law. Such authorization must include the basic elements specified in paragraphs 3 and 4 above, as well as the following information:
•A description of the extent to which PHI will be used to carry out treatment, payment or health care operations (TPO);
•A description of any PHI that will not be used or disclosed for purposes otherwise permitted, provided that the limitation may not preclude disclosures required by law or to avert serious threat to health or safety; and
•References to any privacy notice expected to be given to the individual, which must include statements that the terms outlined in the privacy notice are binding.
•The authorization for the use and disclosure of PHI created for research may be combined in the same document with the consent to participate in research, or the privacy notice.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays at (319) 653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.15 Revocation of an Authorization
14.15.1 POLICY STATEMENT
Individuals have the right to revoke the authorization to access, release, use or disclose their protected health information (PHI) at any time. ( Also see: Authorization for Use or Disclosure of PHI.)

14.15.2 POLICY INTERPRETATION AND IMPLEMENTATION
Revocation RequestAll requests for revocation of an individual’s authorization to access, release, use, or disclose PHI must be submitted to the HIPAA Privacy Officer in writing. The revocation must be specific enough to permit identification of the authorization that is being revoked. Axis Vision Care may develop a form for this purpose. Oral requests will not be honored.

Notification of Personnel of a RevocationUpon receipt of a written revocation, the HIPAA Privacy Officer will notify personnel (including impacted business associates) that a revocation has been received and that no further information may be released as specified in the authorization, with the exception that personnel may, as a result of relying on the authorization:
Exceptions to RevocationComplete the task it started (e.g., billings for services already provided); or,
Submit findings from an independent medical examiner to the person/entity requesting it.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.18 Business Associates and Business Associate Agreements
14.18.1 POLICY STATEMENT
Axis Vision Care may disclose protected health information (PHI) to business associates, or allow business associates to create or receive protected health information (PHI), provided the business associate executives sign a written agreement to appropriately safeguard such PHI.

14.18.2 POLICY INTERPRETATION AND IMPLEMENTATION
Definition of Business AssociateA business associate means a person or entity who is not an employee or workforce member of Axis Vision Care; who performs or assists in the performance of a function or activity on behalf of the Practice that involves the use or disclosure of PHI; or provides legal, actuarial, accounting, consulting, data compilation, management, administrative, accreditation, or financial services.

Definition of Employee/Workforce MemberAn employee/workforce member, for the purposes of this policy, means any employee, trainee, volunteer, or any other person(s) whose conduct, in the performance of work for Axis Vision Care, is under the direct control/supervision of the Axis Vision Care, regardless of payment source.

Identification of Business AssociatesIt is Axis Vision Cares obligation to ensure that all of Axis Vision Care’s business associates have a written valid business associate agreement.

Content of Business Associate Agreements
The business associate agreement between Axis Vision Care and the business associate establishes permitted and required uses or disclosure of PHI. Pursuant to the agreement the business associate must agree to at least:
•Not use or disclosure PHI;
•Develop safeguards to prevent unauthorized use or disclosure of information;
•Promptly report unauthorized access, use or disclosure of information to the HIPAA Privacy Officer;
•Require any subcontractors to adhere to the same requirements as outlined in the agreement between the Axis Vision Care and business associate;
•Make information available for access by the individual or his/her representative as permitted by law;
•Allow individuals to amend medical information and incorporate such amendments as part of the PHI;
•Develop a process that allows for an accounting of uses and disclosures of information in accordance with current law;
•Make its internal practices. books and records relating to its receipt or creation of PHI available to the Office of the U.S. Secretary of Health and Human Services for purposes of determining the Health Plan’s compliance with HIPAA regulations;
•Develop a process for returning or destroying all PHI upon termination of the business associate agreement; and
•Develop a process for continuing the full protection of PHI for as long as the business associate retains any PHI.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about your HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.20 Retention of PHI Documentation
14.20.1 POLICY STATEMENT
Axis Vision Care shall maintain all protected health information (PHI) documentation for ten (10) years from the date of its creation, or the date on which the document was last in effect, whichever is later.

14.20.2 POLICY INTERPRETATION AND IMPLEMENTATION
Retention of PHI DocumentsCertain documents classified as “privacy related documents” must be maintained for ten (10) years from the date of creation, or the date on which the document was last in effect, whichever is later:

Privacy Related Documents”Privacy related documents” include:
•Documentation that identifies the:
•Name, telephone number and address of Axis Vision Care’s HIPAA Privacy Officer;
•Name, title, telephone number and address of the individual responsible for receiving complaints;
•Name, title, telephone number and address of the individual responsible for obtaining and processing access, use, and disclosure of PHI requests;
•Name, title, telephone number and address of the individual responsible for receiving and processing amendment of PHI requests;
•Attempts to obtain consent when consent could not be obtained and the reason(s) why such consent could not be obtained;
Method by which PHI will be de-identified;
•Sanctions imposed against Axis Vision Care employees, business associates, or others who violate Axis Vision Care’s policy/HIPAA regulations;
•All signed authorizations, consents, and agreed to restrictions;
•Copies of all notices of privacy practices (NPPs) including any revisions to such NPPs;
•Accounting of disclosures logs;
•Any privacy complaints received and their dispositions; and
•Copies of all HIPAA related policies and procedures.

Adding/Deleting DocumentationDocuments may be added or deleted from the above listing as may become necessary by law or as may be established by the practice or policy.

Identifying/Storage of PHI DocumentsThe HIPAA Privacy Officer is responsible for identification and storage of privacy related records, electronic files, etc., for purposes of complying with this policy.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.22 HIPAA Privacy Training Program
14.22.1 POLICY STATEMENT
Axis Vision Care must train all relevant members of its workforce on HIPAA policies and procedures, as necessary and appropriate for the members of the workforce to carry out their function within the practice.

14.22.2 POLICY INTERPRETATION AND IMPLEMENTATION
HIPAA Training ProgramTo ensure the confidentiality of individual’s protected health information (PHI), HIPAA training (HIPAA Training) shall be provided for all relevant employees of Axis Vision Care who have responsibilities involving the use/disclosure of PHI, and other workforce members as deemed necessary within the sole discretion of the Privacy Officer. It is HR’s and the Privacy Officer’s responsibility to oversee such HIPAA Training.

Workforce MembersAn employee/workforce member, for the purposes of this policy, means any employee, trainee, volunteer, or any other person(s) whose conduct, in the performance of work for Axis Vision Care, is under the direct control/supervision of Axis Vision Care, regardless of payment source.

Content of HIPAA Training Program
The HIPAA Training shall include, but is not limited to:
•An overview of the HIPAA privacy regulations relative to the identification and protection of PHI.
•A review of the Health Plan’s HIPAA policies and procedures;
•Permissible uses and disclosures of PHI;
•Application of the Health Plan’s HIPAA policies and procedures to employee’s job responsibilities;
•The identity and location of Axis Vision Care’s HIPAA Privacy Officer;
•The requirement that all employees report any potential violations of Axis Vision Care’s policies and procedures or the HIPAA regulations, whether caused by a workforce member or a service provider, to the Privacy Officer; and
•Other information relative to the protection and security of PHI.

Newly Hired Employees/
Business AssociatesBefore being allowed access to PHI, all newly hired employees, and employees new to a position requiring access to PHI, shall be required to get Hipaa training and certified.

Acknowledgment of Training AttendanceAxis Vision Care will be required to have proof of certification and/or acknowledgment that the new employee has completed HIPAA Training before being allowed access to PHI.

Attendance RecordsHR and the HIPAA Privacy Officer shall maintain a record of all personnel who attend HIPAA Training. Such records shall be maintained in accordance with the Document Retention Policy .

Annual TrainingUpdated training shall take place at least every two years. Should a change in the training program or security systems occur before an annual training session occurs, impacted employees shall receive interim training materials or abbreviated instructions.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.26 Personal Representative
14.26.1 POLICY STATEMENT
Axis Vision Care must treat a personal representative the same as it would the individual who is the subject of the protected health information (PHI), unless one of the exceptions applies. In general, a personal representative is someone who is recognized under state law as a personal representative (e.g., parent/guardian, power of attorney, executor of estate).

14.26.2 POLICY INTERPRETATION AND IMPLEMENTATION
Rights of Personal RepresentativeThe personal representative must be treated the same as the individual, except as specified below:

Restrictions on Personal Representative

•If Axis Vision Care reasonably believes that the individual has been or may be subjected to domestic violence, abuse, or neglect by the person seeking to be treated as a personal representative, or that treating the person as the personal representative could endanger the individual.
•If Axis Vision Care, in the exercise of professional judgment, decides that treating the person as the individual’s personal representative would not be in the individual’s best interest.
•If a parent is the personal representative of a minor child, but disclosure to the parent is prohibited under state law.
•If a minor child consented to the treatment, no other consent was required, and the minor has not requested the person be treated as the minor’s personal representative.
•If a minor child may lawfully obtain treatment without the consent of a parent and consent was lawfully obtained.
•If the parent has agreed to a confidential relationship between the minor and the physician with respect to that treatment.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.27 Coordination with Other Laws
14.27.1 POLICY STATEMENT
In addition to being subject to HIPAA, Axis Vision Care also be subject to other state and federal laws regarding medical information and privacy. Axis Vision Care intends to comply with all applicable state and federal laws. However if there is a conflict between the laws, Axis Vision Care will resolve the conflict according to this Coordination with Other Laws policy.

14.27.2 POLICY INTERPRETATION AND IMPLEMENTATION
FloorThe HIPAA regulations are the floor above which other laws may create more narrow restrictions. No law, whether federal or state, may allow less restriction than HIPAA.

Apply Both LawsIf a potential conflict exists, Axis Vision Care shall attempt to find a way to comply with both laws. For example, if one law permits disclosure, but HIPAA does not, Axis Vision Care could obtain an individual authorization and succeed in complying with both laws.

Follow the Law that Requires Use or DisclosureIf another federal law requires disclosure or use of PHI that HIPAA prohibits, Axis Vision Care may use or disclose the PHI in accordance with the other federal law. This is not a violation of HIPAA. HIPAA’s privacy rules allow the Practice to use or disclose PHI as required by other federal laws.

Follow the More Specific LawIf there is a very specific law regarding use or disclosure of PHI that is in conflict with HIPAA, the more specific law should be followed. For example, if HIPAA allows an individual a right to access test results, but a specific federal law prohibits that type of disclosure, the specific law should be followed.

State Law PreemptionHIPAA provides for preemption of state laws that are less restrictive than HIPAA. However, HIPAA does not preempt state laws that are more restrictive. If Axis Vision Care encounters a conflict between HIPAA and a state law, Axis Vision Care should follow the more restrictive law.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.28 Disclosures to Plan Sponsor
14.28.1 POLICY STATEMENT
Axis Vision Care may not disclose protected health information (PHI) to the plan sponsor except in specific situations recognized by HIPAA.

14.28.2 POLICY INTERPRETATION AND IMPLEMENTATION
Definition of Plan SponsorThe term “plan sponsor” means (i) the employer in the case of an employee benefit plan established or maintained by a single employer, (ii) the employee organization in the case of a plan established or maintained by an employee organization, or (iii) in the case of a plan established or maintained by two or more employers or jointly by one or more employers and one or more employee organizations, the association, committee, joint board of trustees, or other similar group of representatives of the parties who establish or maintain the plan. For example: 401K, AFLAC, and Blue Cross.

Permitted Disclosure to Plan Sponsor for Settlor FunctionsSummary health information may be disclosed to the plan sponsor for:
Obtaining premium bids for providing health insurance coverage under the Health Plan; and
Modifying, amending or terminating the Health Plan.

Summary Health InformationSummary health information is information that summarizes the claims history, expenses, or types of claims by individuals for whom the Plan Sponsor has provided health benefits under the Health Plan.

Permitted Disclosure to Plan Sponsor for Plan Administration FunctionsTo the extent described in the plan documents and notice of privacy practices, Axis Vision Care may disclose PHI to the plan sponsor necessary to perform plan administration activities such as:
•Quality assurance;
•Claims processing;
•Auditing; and
•Monitoring and managing carve-out plans like Blue Cross for medical coverage, 401k for retirement. AFLAC for accidental.

Enrollment FunctionsThese restrictions do not affect the plan sponsor’s ability to perform enrollment functions on behalf of its employees.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for a period of at least ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.29 Duty to Mitigate
14.29.1 POLICY STATEMENT
Axis Vision Care will mitigate, to the extent practicable, any harmful effect that is known to Axis Vision Care of a use or disclosure of protected health information (PHI) in violation of its policies and procedures by the Practice or its business associates.

14.29.2 POLICY INTERPRETATION AND IMPLEMENTATION
Mitigation Actions

When a violation of Axis Vision Care’s policies and procedures are brought to the attention of Management, the following action will be taken:
•The Privacy Officer will be notified and will start an immediate investigation into the violation;
•Axis Vision Care will identify the extent of the breach and will take reasonable steps to mitigate or correct the violation;
•Axis Vision Care will document the steps taken to mitigate.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.30 Discipline Policy
14.30.1 POLICY STATEMENT
HIPAA requires that Axis Vision Care discipline individuals subject to, but who fail to, comply with HIPAA’s requirements as reflected in the policies and procedures of the Practice. The purpose of this Discipline Policy is to establish guidelines for the disciplinary processes.

14.30.2 POLICY INTERPRETATION AND IMPLEMENTATION
Discipline PolicyA failure to comply by an individual subject to Axis Vision Care’s policies and procedures, or with the provisions of HIPAA, will be addressed in a timely manner. Specific disciplinary actions to be taken will be determined by the severity of the infraction.

Discipline ProcedureComplaints or allegations against an individual will be discussed with the individual in question by the Privacy Officer and HR, if deemed appropriate, will be investigated by the Privacy Officer and HR.
In general, a known or intentional infraction of Axis Vision Care’s policies and procedures, or of HIPAA’s provisions, will result in:
•First offense: Oral counseling by the Privacy Officer and HR, and written documentation in the individual’s file.
•Second offense: Oral counseling by the Privacy Officer and HR, and a written warning.
•Third offense: Discipline up to and including probation, suspension or termination of employment.

Intentional MisuseIn general, intentional misuse or abuse of PHI will result in:
•First offense: Oral counseling by the Privacy Officer HR, and written documentation in the individual’s file.
•Second offense: Oral counseling by Privacy Officer and HR, and a written warning.
•Third offense: Discipline up to and including probation, suspension or termination of employment.
Notwithstanding items 3 and 4, the Privacy Officer and HR retains discretion to deviate based on the particular facts and circumstances. Each infraction will be handled on an individual basis to ensure that disciplinary actions are appropriate.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (319)653-4558.

14.31 Computer Terminals and Workstations
14.31.1 POLICY STATEMENT
Computer terminals and workstations will be positioned/shielded to ensure that protected health information (PHI) is protected from public view, view by those without a need to know whether inadvertent or otherwise, or unauthorized access.

14.31.2 POLICY INTERPRETATION AND IMPLEMENTATION
Positioning/Shielding Workstation/TerminalsInsofar as practical/feasible, computer terminals/workstations shall be positioned or shielded so that screens are not visible to the public and/or to unauthorized staff.

Access LimitationsOnly authorized users are granted access to individual and Axis Vision Care information provided through the Practice Management System. Such access is limited to specific, denied, documented and approved applications and level of access rights.

Leaving Workstations or Terminals UnattendedA user may not leave his/her workstation or terminal unattended for long periods of time (e.g., breaks, lunch, meetings, etc.) unless the terminal screen is cleared and the user is logged off. Each user must log off at the end of his/her work shift.

Clearing Terminal ScreensA user must clear the terminal screen if the workstation or terminal is left briefly unattended.

Securing Hard Copy DataAll hard copy printed information must be positioned in such a manner that it cannot be viewed or read by the public and/or unauthorized staff. Such data must be placed in designated secure areas upon leaving the work area and at the end of the work shift.

Sharing/Piggyback of Password/User ID CodeA user may not (1) share or disclose his/her password or ID code with other staff members or other non-staff members, or (2) allow staff members or other non-staff members access privileges (e.g., piggyback access) while the user is logged onto the information system used by the Health Plan.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy OfficerThe Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the HIPAA Privacy Officer during regular business office hours Monday through Friday, except holidays at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.32 Electronic Mail System (E-Mail) Security
14.32.1 POLICY STATEMENT
Axis Vision Care utilizes electronic mail (E-Mail) in transmitting individual and Practice information. Established security measures must be followed by all personnel who have the authority to access, use, or transmit protected health information (PHI) electronically.

14.32.2 POLICY INTERPRETATION AND IMPLEMENTATION
Application of PoliciesThis policy applies to all usage of e-mail systems related to the Practice; whether or not the e-mail is originated from or is received into the computer or network system used by Axis Vision Care employees. Such policies apply to all authorized users including employees, business associates, staff or consultants.

Definition of Authorized UserFor the purposes of this policy, an “authorized user” is defined as any person who (1) has been assigned a password and user ID code and (2) has the authority to read, enter, or update information created or transmitted by an Axis Vision Care employee.

Personal Use or E-Mail and Internet Systems

Users have the responsibility and obligation to use e-mail and internet systems appropriate, effectively, and efficiently. Incidental personal use is permissible if:
•Personal use is limited to meal and break times;
•It does not interfere with the normal business use of such services;
•It does not interfere with the work productivity of the user or other employees; and
•Passwords and user ID codes are not shared with others.

Improper Use of Health Plan’s
E-Mail or Internet Services

Improper use of e-mail and internet services is strictly prohibited. Examples of such improper use include, but are not limited to:
•Sending/forwarding harassing, insulting, defamatory, obscene, offending or threatening messages;
•Gambling, surfing or downloading pornography;
•Downloading or sending confidential individual or PHI without proper authorization;
•Copying or transmission of any document, software or other information protected by copyright and/or patent law, without proper authorization;
•Transmission of highly sensitive or confidential information (e.g., HIV status, mental illness, chemical dependency, workers’ compensation claims, etc.);
•Obtaining access to files or communication of others without proper authorization;
•Attempting unauthorized access to individual or Axis Vision Care data;
•Attempting to breach any security measure on any of Axis Vision Care’s electronic communication system(s);
•Attempting to intercept any electronic communication transmission without proper authorization;
•Misrepresenting, obscuring, suppressing, or replacing an authorized user’s identity;
•Using e-mail addresses for marketing purposes without permission from the recipient(s);
•Using e-mail system for solicitation of funds, political messages, or any other illegal activities; and/or
•Releasing of passwords and user ID codes

Ownership of E-Mail MessagesMessages whether originated or received into Axis Vision Care’s e-mail system are considered to be the property of the Practice and, therefore, are subject to the review and monitoring of the HIPAA Privacy Officer HR. Axis Vision Care reserves the right to access employee e-mail (whether present or not) for the purposes of ensuring the protection of individual/Health Plan information.

Inadvertent Access to E-MailDuring routine maintenance, upgrades, problem resolution, etc. information systems technician(s) may inadvertently access user e-mail communications. Such staff, when carrying out their assignments, will not intentionally read or disclose content of e-mail unless such data is found to be in violation of the HIPAA Policies and Procedures.

Protection of InformationUsers of the e-mail system must ensure that all information forwarded, distributed, or printed is protected according to the HIPAA Policies and Procedures.

Maintaining/Archiving E-Mail MessagesE-mail messages may not be maintained or archived for more than thirty (30) days, unless otherwise approved by the HIPAA Privacy Officer.

Record RetentionA copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

HIPAA Privacy OfficerThe HIPAA Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The HIPAA Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. If you have a question or concern about your HIPAA rights contact the HIPAA Privacy Officer during regular business office hours Monday through Friday, except holidays at (319)653-4558.

ViolationsViolations of this policy will be subject to discipline.

14.33 Facsimile Machine Security
14.33.1 POLICY STATEMENT
Axis Vision Care Doctors and employees utilizes facsimile (fax) machines to transmit data from one location to another on a routine basis. The Practice will provide physical and procedural safeguards to minimize the possibility of unauthorized observation or access to protected health information (PHI) during the transmission or receipt of data via a facsimile machine. This policy outlines the required elements for a secure location of a facsimile machine. The procedure establishes guidelines for how the Practice will reasonably safeguard the transmission and receipt of PHI via a facsimile machine to limit incidental or accidental use or disclosure of PHI.

14.33.2 POLICY INTERPRETATION AND IMPLEMENTATION
Secure Location – Fax machines used to transmit or receive PHI shall be placed in secure locations.

Pre-Programmed Numbers – Frequently used destination numbers will be pre-programmed into fax machines and tested before being used to transmit PHI. Each fax machine will display a key that identifies the destination for each pre-programmed fax number.

Non Pre-Programmed Numbers – When PHI is faxed to a destination number that is not pre-programmed, the fax machine operator will double-check the accuracy of the number in the machine’s display before sending the fax.

Cover Letter – All fax messages will include a standard cover sheet, developed by the Privacy Officer, with the following (or substantially similar) statement:
Confidentiality Statement: The documents accompanying this transmission contain confidential health information that is legally privileged. This information is intended only for the use of the individuals or entities listed above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents.

Transmittal Sheets – Transmittal sheets will be checked immediately after each transmission of PHI, to assure that the information was sent to the correct number.

Misdirected Faxes – If PHI has been sent to the wrong fax number, the sender must immediately send a second fax to the number that was contacted in error, reiterating the confidentiality message, and asking the recipient to telephone the sender immediately to arrange proper disposition of the information. Any instance of transmitting PHI to the wrong destination number must be reported to the Privacy Officer immediately. The report must include the date, time, the wrong number, the correct number, the intended recipient, the identity of the member, and a brief description of the information that was transmitted in error. Transmission of PHI by fax to a wrong number must be included in an accounting of disclosures of PHI.

Received Faxes – Prior to distribution of a received fax message, the fax message must be reviewed to make sure that all pages that belong to that fax message have been received and are together, and pages that belong to other fax messages are not included. The cover sheet received with the message, if any, will be placed on top of the message.

Record Retention – A copy of all HIPAA covered information and any revisions shall be maintained for ten (10) years. Such retention may be in printed or electronic format, or both.

Privacy Officer – The Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays at (319)653-4558.

Violations – Violations of this policy will be subject to discipline.