HIPAA Policies & Procedures

For all Chiropractic Works Staff

Last Updated: Mar 03, 2026

Introduction

Purpose
To define the technical controls and security configurations users and administrators are required to implement to ensure the integrity and availability of the data environment at CHIROPRACTIC WORKS PC, 21790 Coolidge Highway, Oak Park, MI 48237 (hereinafter referred to as the "Company" or "Business"). It serves as a central policy document with which all workforce members must be familiar, and defines actions and prohibitions that all users must follow.

Scope
The policy requirements and restrictions defined in this Information Security Policy (also known as the HIPAA Policies and Procedures documents) shall apply to network infrastructures, databases, external media, encryption, hard copy reports, films, slides, models, wireless, telecommunication, conversations, and any other methods used to convey knowledge and ideas across all hardware, software, and data transmission mechanisms. This definition includes equipment connected to any Company domain or VLAN, either hardwired or wireless, and includes all stand-alone equipment deployed by the Company at its office location(s) or at remote locations.

Privacy Officer
The Company has established a privacy official / security official (hereinafter "privacy officer" or "PO") as required by HIPAA. This privacy officer will oversee all ongoing activities related to the development, implementation, and maintenance of the Company's privacy policies in accordance with applicable federal and state laws.

Workforce Responsibilities

Purpose
The first line of defense in data security is the individual user; therefore, workforce members are responsible for the security of all data which may come to them in whatever format.

Responsibilities
Workforce members and contractors are held to the following responsibilities. This list is not all-inclusive; other responsibilities are referenced elsewhere within policies and procedures.

Challenge unrecognized persons
If you see an unrecognized person in a restricted location, you should challenge them as to their right to be there. Any challenged person who does not respond appropriately should be immediately reported to supervisory staff.

Workstation configuration
Make sure the work environment is configured in a manner that inhibits non-employees from incidentally viewing another person's ePHI on workstations. Workstations may refer to desktop computers, laptops, printers, copiers, tablets, smartphones, monitors, and others.

Clear desk, clear screen
When leaving your workstation or a room, either for a short time or at the end of the day, ensure all protected health information, both in digital and physical format, and assets (e.g., notebooks, cellphones, tablets, etc.) are not left unprotected.

Unattended computers
Unattended computers should be locked by the user when leaving the work area, and configured to automatically lock when inactive for more than 10 minutes. Workforce members are not allowed to override this setting.

Resource Security
Any person authorized to access an information resource is responsible for the day-to-day, hands-on security of that resource.

Retention of ownership
All software programs and documentation generated or provided by employees, consultants, or contractors for the benefit of the Company are the property of the Company unless covered by a contractual agreement. Nothing contained herein applies to software purchased by employees at their own expense.

Prohibited Activities
Personnel are strictly prohibited from the following activities. This list is not all-inclusive; other prohibited activities are referenced elsewhere within policies and procedures.

Crashing
Deliberately crashing an information system. Users may not realize they caused a system crash; however, repeated crashes by the same user may be viewed as a deliberate act.

Break in / Bypass
Attempting to break into an information resource or to bypass a security feature.

Code injection
Introducing, or attempting to introduce, computer viruses, Trojan horses, or other malicious code into an information system. Exception: Authorized support personnel, or others authorized by the Company privacy officer, may test the resiliency of a system. Such personnel may test for susceptibility to hardware or software failure, security against hacker attacks, and system infection.

Browsing
The willful, unauthorized access or inspection of confidential or sensitive information to which you have not been approved on a "need to know" basis.

Personal software
Software may not be installed on Company computers without prior approval by the Company.

Software use
Violating or attempting to violate the terms of use or license agreement of any software product.

System use
Engaging in any activity for any purpose that is illegal or contrary to the policies, procedures, or business interests of the Company.

Electronic Communication
All electronic communication systems and all messages generated on or handled by Company-owned equipment, or Company messages generated on approved personal equipment, are considered the property of the Company, not the property of individual users. Electronic communications include, but are not limited to, telephones, email, voice mail, instant messaging, Internet, fax, personal computers, and servers.

Incidental personal use
Company provided resources are intended for business purposes only; therefore, incidental personal use is not permitted.

Monitoring
The Company is responsible for servicing and protecting the Company's equipment, networks, data, and resource availability. Therefore, it may be necessary to monitor electronic communications from time to time. For example, electronic communications may be monitored to test IT resources, troubleshoot technical problems, or detect patterns of abuse or illegal activity.

The Company reserves the right to review any employee's files or electronic communications to the extent necessary to ensure all electronic media and services are used in compliance with applicable laws and regulations as well as Company policies.

Employees should structure all electronic communication with recognition the content could be monitored, and that any electronic communication could be forwarded, intercepted, printed or stored by others.

Internet access
The Internet access provided by the Company should not be used for entertainment, such as listening to music, viewing sports highlights, games, or movies. While seemingly trivial, company-wide use of these non-Company sites consumes a large amount of Internet bandwidth.

Users must understand that individual Internet usage may be monitored, and if an employee is found to be spending an excessive amount of time or consuming large amounts of bandwidth for personal use, disciplinary action will be taken.

Internet considerations
Special precautions are required to block Internet access to Company information resources not intended for public access, and to protect confidential Company information when it is to be transmitted over the Internet. The following security and administration issues shall govern Internet usage.

  • Approval shall be obtained before an Internet, or other external network connection, is established.

  • Approval shall be obtained before Company information (including notices, memoranda, documentation and software) is made available on any Internet-accessible computer (e.g. web or ftp server) or device.

  • Approval shall be obtained before users install or download any software (applications, screen savers, etc.).

  • Confidential or sensitive data (including credit card numbers, logon passwords, and other parameters used to access goods or services) shall be encrypted before being transmitted through the Internet.

Report Security Incidents
Company employees and contractors must report perceived security incidents to the privacy officer as soon as they are discovered. Each incident will be analyzed to determine whether changes to the existing security structure are necessary. All reported incidents are investigated and logged, and any remedial action is indicated.

Transfer of Sensitive/Confidential Information
When confidential or sensitive information from one individual is received by another individual, the receiving individual shall maintain the information in accordance with the conditions imposed by the providing individual.

Transferring Software and Files between Home and Work
Personal software shall not be used on Company computers or networks. If a need for specific software exists, submit a request to your supervisor. Users shall not use Company-purchased software on home or other non-Company computers or equipment.

Company proprietary data shall not be placed on any computer that is not the property of the Company without supervisor consent. In the event a supervisor receives a request to transfer Company data to a non-Company computer system, the supervisor shall notify the privacy officer or appropriate personnel of the intentions and the need for such a transfer of data.

Protected Health Information (PHI)
It's your responsibility to protect all "individually identifiable health information" held or transmitted by the Company or its business associates, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

What information must be protected?
Any information that relates to...

  • The individual's past, present or future physical or mental health or condition;

  • The provision of health care to the individual; or

  • The past, present, or future payment for the provision of health care to the individual; ...

And that...

  • Identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.

Individual identifiers include:

  • Names

  • Addresses

  • Geographic subdivisions smaller than a state

  • All elements of dates directly related to the individual (Dates of birth, marriage, death, etc.)

  • Telephone numbers

  • Facsimile numbers

  • Driver's license numbers

  • Electronic mail addresses

  • Social security numbers

  • Medical record numbers

  • Health plan beneficiary numbers

  • Account numbers, certificate/license numbers

  • Vehicle identifiers and serial numbers

  • Device identifiers and serial numbers

  • Web universal resource locators (URLs)

  • Internet protocol (IP) address

  • Biometric identifiers

  • Full face photographic images and any comparable images

Basically, when any identifier listed above is combined with information related to the provision of health care, it becomes PHI and must be protected!

De-identified health information
De-identification is the removal of specified identifiers of the individual and of the individual's relatives, household members, and employers, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.

There are no restrictions on the use or disclosure of de-identified health information because de-identified health information neither identifies nor provides a reasonable basis to identify an individual.
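As an added example that is not part of the Company's policy documents, the following Python scrubber applies the identifier list and the de-identification rule above to a constructed chart note: it detects the identifiers that have a fixed machine-readable shape (SSN, phone, email, URL, IP address, dates, medical record number), replaces them, and then checks the result against values the practice actually knows, which is the "no actual knowledge" condition. Names, addresses, biometrics and photographs are assumed to need separate review; all sample values are fictitious.

```python
import re

# Constructed sample chart note for the demonstration; every value in it is fictitious.
SAMPLE_NOTE = (
    "Patient Jane Doe, DOB 04/12/1981, MRN 00987654, phone (248) 555-0142, "
    "email jane.doe@example.com, SSN 123-45-6789, seen 2026-02-14 for low back pain. "
    "Portal: https://portal.example.com/p/8812 from IP 192.168.4.17."
)

# Patterns for the identifiers in the policy's list that have a fixed machine-readable
# shape. Names, street addresses, biometrics and photographs have no such shape and
# are assumed here to need a separate review (see residual_identifiers below).
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "URL": re.compile(r"\bhttps?://\S+"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "DATE": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "MRN": re.compile(r"\bMRN\s*\d{6,}\b", re.IGNORECASE),
}


def find_identifiers(text):
    """Return (kind, value) pairs for every identifier found, in document order."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((match.start(), kind, match.group(0)))
    hits.sort()
    return [(kind, value) for _, kind, value in hits]


def de_identify(text):
    """Replace each detected identifier with a bracketed placeholder naming its kind."""
    scrubbed = text
    for kind, pattern in PATTERNS.items():
        scrubbed = pattern.sub(f"[{kind}]", scrubbed)
    return scrubbed


def residual_identifiers(text, known_values):
    """Values the practice actually knows (e.g. from the chart) that survive scrubbing.

    The de-identification standard is met only when there is no actual knowledge
    that the remaining information could identify the individual, so a non-empty
    result means the text is still PHI and must not be released.
    """
    lowered = text.lower()
    return [value for value in known_values if value.lower() in lowered]


if __name__ == "__main__":
    for kind, value in find_identifiers(SAMPLE_NOTE):
        print(f"{kind:6} {value}")
    scrubbed_note = de_identify(SAMPLE_NOTE)
    print(scrubbed_note)
    # Constructed list of chart values the practice knows for this patient.
    known = ["Jane Doe", "jane.doe@example.com"]
    print("still identifying:", residual_identifiers(scrubbed_note, known))
```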

Social Media

Purpose

While social media can be a great community outreach and marketing tool, workforce members must follow strict policies and procedures to reduce the risk of privacy violations when using social media platforms.

What Is Allowed?

Posts containing patient protected health information (PHI) must be approved by the privacy officer, or other designated person, and can only be posted to the Company's official social media accounts.

With written authorization

The Company may post PHI after obtaining the patient's written authorization; however, both the information disclosed and uses of that information must be limited to only what the patient authorized. For example, if a patient's written authorization states "daily headaches" the post cannot say "severe daily headaches" because the authorization does not mention severity. Nor can the post be shared on Twitter or the Company's website if the patient only authorized its use on Facebook.

Without written authorization

In the absence of written authorization the Company must remove all information that has the potential to personally identify an individual. Removing a name may not be enough because other bits of information can be used to identify people. For example, "43 y.o. female with daily migraines" might personally identify someone, especially within a small community. It would be better to say "adult female with frequent migraines" because fewer details are present.

Grouped data

Posting about trends using grouped data instead of individual data can also be helpful when the Company lacks patient authorization. For example, "75% reduction in migraine frequency among female patients" communicates results without exposing individual identifying information.

What Is Not Allowed?

Without written patient authorization the activities below are strictly prohibited by all workforce members.

Posting images or videos

Common examples include: patient appreciation day photos, Halloween costume contest photos, or raffle winner pictures.

Posting details

Even small and seemingly insignificant details could be used to identify a patient or their family members.

Online discussions

Entering into online discussions with patients or prospective patients.

Gossip

Gossip of any kind reflects badly on the Company.

Googling patients

Not only can googling patients or viewing their social media profiles be misleading and inaccurate, it can also be, or can be perceived as, voyeuristic by professional licensing boards.

Independently posting

Posting anything about a patient on one's own personal social media accounts.

Responding to Online Reviews or Questions

Any response to an online review or comment cannot identify a patient in any way, even if the reviewer shared his or her name and health information.

Good review

Thank you for your kind words. It is our policy to provide a quality service.

Thank you for your review. Our policy is to make office visits efficient.

Bad review

Our privacy policy prevents us from publicly refuting social media posts. For people interested in our office, please make an informed decision by seeking information from a variety of sources. Please call our office if you have questions or concerns.

Important health matters must be discussed offline. Please call our office so we can help.

Question

We can certainly answer your question. Please call our office.

Please submit questions on our website and we'll be happy to respond!

Social Media Marketing

The Company can utilize online marketing but may not provide PHI to the marketing platform or agency, nor allow the marketing platform or agency to generate PHI on the Company's behalf, without first entering into a business associate agreement (BAA) with the marketing platform or agency.

Sanction Policy

Purpose
To ensure appropriate sanctions will be applied to workforce members who violate the requirements of HIPAA, the Company's security policies and directives, and/or any other state or federal regulatory requirements.

Policy
It is the policy of the Company that all workforce members must protect the confidentiality, integrity, and availability of sensitive information at all times. The Company will impose sanctions (disciplinary action), as described below, against any individual who accesses, uses, or discloses sensitive information without proper authorization, or who violates the Company's information security and privacy policies or state or federal confidentiality laws or regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Definitions
Workforce member
Employees, volunteers, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. This includes full- and part-time employees, affiliates, associates, volunteers, and staff from third-party entities who provide service to the covered entity.

Sensitive information

  • Protected Health Information (PHI): Individually identifiable health information in any form or media, whether electronic, paper, or oral.

  • Electronic Protected Health Information (ePHI): PHI that is in electronic format.

  • Personnel files: Any information related to the hiring or employment of any individual who is or was employed by the Company.

  • Payroll data: Any information related to the compensation of an individual during employment with the Company.

  • Financial/accounting records: Any records related to accounting or financial statements of the Company.

  • Other information that is confidential: Any other information sensitive in nature or considered to be confidential.

Availability
Refers to data or information being accessible and usable upon demand by an authorized person.

Confidentiality
Refers to data or information NOT being made available or disclosed to unauthorized persons or processes.

Integrity
Refers to data or information that has NOT been altered or destroyed in an unauthorized manner.

Violations
Listed below are the types of violations that require sanctions to be applied. They are stated at levels 1, 2, and 3 depending on the seriousness of the violation.

Level 1 violations

  • Disclosing sensitive information to unauthorized persons

  • Discussing sensitive information in a public area or in an area where the public could overhear the conversation

  • Accessing information you do not need to know to do your job

  • Sharing computer access codes (username or password)

  • Leaving a computer unattended while sensitive information is accessible from it

  • Copying or changing sensitive information without authorization

  • Failing or refusing to cooperate with the privacy officer or authorized designee

Level 2 violations

  • Second occurrence of any Level 1 offense (does not have to be the same offense)

  • Unauthorized use or disclosure of sensitive information

  • Transmitting sensitive information without a legitimate business reason or purpose

  • Posting sensitive information on social media or any public forum

  • Using another person's computer access code (username or password)

  • Failing or refusing to comply with a remediation resolution or recommendation

Level 3 violations

  • Third occurrence of any Level 1 offense (does not have to be the same offense)

  • Second occurrence of any Level 2 offense (does not have to be the same offense)

  • Obtaining sensitive information under false pretenses

  • Using or disclosing sensitive information for commercial advantage, personal gain, or malicious harm

Recommended Disciplinary Actions
In the event a workforce member violates the Company's privacy and security policies or violates the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or related state laws governing the protection of sensitive and patient identifiable information, the following recommended disciplinary actions will apply.

Discipline for level 1 violation

  • Verbal or written reprimand

  • Retraining on privacy/security awareness

  • Retraining on the Company's privacy and security policies

  • Retraining on the proper use of internal or required forms

Discipline for level 2 violation

  • Letter of reprimand or suspension

  • Retraining on privacy/security awareness

  • Retraining on the Company's privacy and security policies

  • Retraining on the proper use of internal or required forms

Discipline for level 3 violation

  • Termination of employment or contract

  • Civil penalties as provided under HIPAA or other applicable Federal/State/Local law

  • Criminal penalties as provided under HIPAA or other applicable Federal/State/Local law

The recommended disciplinary actions are identified in order to provide guidance in policy enforcement and are not meant to be all-inclusive. When appropriate, progressive disciplinary action steps shall be followed allowing the employee to correct the behavior which caused the disciplinary action. However, depending on the severity of the violation, any single act may result in disciplinary action up to and including termination of employment or contract with the Company.

Identification & Authentication

Purpose

A good access control system identifies each user to prevent unauthorized users from entering or using information resources.

Access Control Policy

Information resources are protected by the use of access control systems, both internal (e.g., passwords, biometric (fingerprint), encryption, access control lists, constrained user interfaces) and external (e.g., port protection devices, firewalls, host-based authentication, etc.).

Users may be added to information systems only upon approval of personnel responsible for adding the employee to the network, and in a manner that ensures access is granted on a "need to know" basis.

Logon IDs

Users shall be responsible for the use and misuse of their individual logon ID.

For systems with locking capability, the logon system shall be locked after 8 unsuccessful logon attempts.

Passwords

All passwords are restricted by the policy below.

Passwords must be

  • A minimum of 12 characters in length (the longer the better)

  • Unique (don't reuse old passwords)

  • Masked or hidden on screens that can be viewed by others

  • Promptly changed if suspected of having been disclosed, or if directed by the privacy officer

Passwords must not be

  • Easily guessed (don't use dictionary words, names, initials, birthdays, or phone numbers)

  • Reused on multiple devices or software applications

  • Shared, written down on paper, or posted at a workstation

  • Printed or included in reports or logs
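As an added example that is not part of the Company's policy, the following Python check applies the password rules above to a candidate password: the 12-character minimum, the prohibition on dictionary words, names, initials, birthdays and phone numbers, and the ban on reusing an old password. The word list, the user record and the salt are constructed for the demonstration.

```python
import hashlib
import re
from datetime import date

MIN_LENGTH = 12  # policy: a minimum of 12 characters

# Constructed dictionary; a deployment would load a real word list (plus the Company's
# own vocabulary, such as its name and street) instead of these few words.
DICTIONARY_WORDS = {"password", "welcome", "chiropractic", "summer", "letmein", "oakpark"}

# Constructed record standing in for the user's HR profile; nothing here is real.
USER_PROFILE = {
    "name": "Dana Whitfield",
    "initials": "DW",
    "birthday": date(1984, 7, 23),
    "phone": "248-555-0199",
    "salt": b"constructed-demo-salt",   # a real system uses a random per-user salt
    "previous_password_hashes": set(),  # history kept as hashes, never plaintext
}


def _hash(password, profile):
    """Slow salted hash so the reuse history does not store passwords in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), profile["salt"], 100_000).hex()


def _forbidden_digit_forms(profile):
    """Digit strings derived from the birthday and phone number that must not appear."""
    b = profile["birthday"]
    forms = {b.strftime("%m%d%Y"), b.strftime("%m%d%y"), b.strftime("%Y%m%d"),
             b.strftime("%d%m%Y"), str(b.year)}
    phone_digits = re.sub(r"\D", "", profile["phone"])
    forms.add(phone_digits)        # full number
    forms.add(phone_digits[-7:])   # local number without area code
    return forms


def check_password(candidate, profile, dictionary=DICTIONARY_WORDS):
    """Return the list of policy violations; an empty list means the password is acceptable.

    The rule against reusing one password across devices and applications cannot be
    verified on a single system and is not checked here.
    """
    violations = []
    lowered = candidate.lower()
    digits_only = re.sub(r"\D", "", candidate)

    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Dictionary words: any listed word of four or more letters found inside the password.
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            violations.append(f"contains dictionary word '{word}'")

    # Names and initials taken from the user's own record.
    for part in profile["name"].lower().split():
        if part in lowered:
            violations.append(f"contains name '{part}'")
    if lowered.startswith(profile["initials"].lower()):
        violations.append("begins with the user's initials")

    # Birthday and phone number in any of the usual digit layouts.
    for form in _forbidden_digit_forms(profile):
        if form in digits_only:
            violations.append(f"contains birthday or phone digits '{form}'")

    # Reuse: compare against the hashes of the user's previous passwords.
    if _hash(candidate, profile) in profile["previous_password_hashes"]:
        violations.append("reuses a previous password")
    return violations


def record_password(candidate, profile):
    """Accept a password that passes the policy and add its hash to the reuse history."""
    violations = check_password(candidate, profile)
    if not violations:
        profile["previous_password_hashes"].add(_hash(candidate, profile))
    return violations


if __name__ == "__main__":
    for pw in ("Welcome2026!!", "dana1984summer", "correct-horse-battery-staple-42"):
        print(pw, "->", check_password(pw, USER_PROFILE) or "OK")
```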

Password managers

Using a password manager is encouraged because these tools increase the likelihood users will choose very strong passwords.

Biometrics

Biometrics (e.g., face ID, fingerprint scan) shall be used only as part of multi-factor authentication together with a physical authenticator (something you have, e.g., a mobile phone).

An authenticated protected channel between the biometric sensor and the verifier shall be established. For example, it is acceptable to use a fingerprint to auto-populate a password that then grants access to a software program. In this scenario, the password is the "authenticated protected channel" between you and the software program, and the biometric is simply acting as a physical authenticator for access to your password manager.

Master lists

The Company will protect the confidentiality of the documentation containing access control records (the master list of authorized users and passwords). Lock-and-key access control is sufficient if the documentation is in written form. If the documentation is in electronic form, it must be kept behind encryption and password or other authentication controls (e.g., biometric fingerprint). These methods reduce the risk that unauthorized users can access password files and compromise the access controls already in place.

User Login Entitlement Reviews

No less than annually, the privacy officer shall facilitate entitlement reviews to ensure all employees have the appropriate roles, access, and software necessary to perform their job functions effectively while being limited to the minimum necessary data to facilitate HIPAA compliance and protect patient data.

Termination of User Logon Account

Upon termination of an employee, whether voluntary or involuntary, the privacy officer shall be responsible for ensuring that all keys, ID badges, and other access devices, as well as Company equipment and property, are returned to the Company, and that the employee's user accounts are made inactive before the employee leaves the Company on their final day of employment.

No less than annually, the privacy officer shall review active user accounts for both network and application access, including access to electronic health record (EHR) and practice management (PM) software. If any active user accounts are found for employees no longer employed by the Company, the privacy officer will immediately take necessary steps to deactivate the account.

Remote Work

Purpose

To establish policies for employees and contractors who work permanently or occasionally outside of the Company office environment - from home, on temporary travel, or connecting to the Company network or cloud software from a remote location.

General Requirements

Telecommuting can be an advantage for users and the organization, but it presents new risks because each remote work environment becomes an extension of the Company's network, which increases the danger of spreading malware. Therefore, remote workers are required to follow all corporate, security, confidentiality, and HR policies that are applicable to other employees and contractors.

Required Equipment

Workforce approved for telecommuting must understand the Company may not provide all equipment necessary to ensure proper protection of information.

Remote use of Company assets

  • Only computer hardware owned by and installed by the Company is permitted to be connected to or installed on Company equipment.

  • Only software approved for use by the Company may be installed on Company equipment.

  • Personal computers supplied by the Company are to be used solely for business purposes.

  • Modifications or configuration changes are not permitted on computers supplied by the Company for home use.

Remote use of personal assets

  • Permission to use a personal device may be granted on a per device basis.

  • Understand the Company is required to document information about permissible devices.

  • Workforce shall notify the privacy officer of any modifications or configuration changes to permissible devices.

Hardware Security Protections

Virus protection

Virus protection software (antivirus) is installed on all Company computers and is set to update daily. This update is critical to the security of all data and must be allowed to complete. Disabling a virus scanner is grounds for termination.

VPN

The Company may require the use of a virtual private network (VPN).

Firewall use

The Company may require the use of a firewall (device or software). Disabling a required firewall is grounds for termination.

Lock screen

Always lock the screen before walking away from a workstation. The data on the screen may be protected by HIPAA or may contain confidential information. Be sure the automatic lock feature has been set to lock after no more than 5 minutes of inactivity.

Data Security Protections

Password use

The use of a strong password and changing it regularly is even more critical in the remote work environment. Refer to the Identification & Authentication policy for password management responsibilities.

Multi-factor authentication

Remote access to information shall utilize, when possible, multi-factor authentication solutions to strengthen access controls.

Data backup

Backup procedures have been established by the Company; do not create your own. If you have external media for backup that is not encrypted, contact the appropriate Company personnel for assistance. Protect external media by keeping it in your possession when traveling.

Transferring data to the Company

Transferring data to the Company requires a secure HTTPS connection to help ensure the confidentiality and integrity of the data being transmitted. Do not circumvent established procedures, nor create your own method, when transferring data.

External system access

If you require access to an external system contact the privacy officer or appropriate personnel for assistance in establishing a secure method of access.

Email

Do not send any individually identifiable information via email unless you are using a compliant email service with which the Company has a business associate agreement.

Non-Company networks

Extreme care must be taken when connecting Company equipment to a non-Company network (home, hotel, etc.). The Company has no ability to monitor or control the security procedures on non-Company networks.

Protect data in your possession

View or access only the information you have a need to see to complete your work assignment. Regularly review the data you have stored to ensure the amount of patient level data is kept at a minimum and old data is eliminated as soon as possible. Store electronic data only in encrypted work spaces.

Hard copy reports or work papers

Never leave paper records around your work area. Lock all paper records in a file cabinet at night or when you leave your work area.

Data entry when in a public location

Do not perform work tasks that require the use of sensitive Company or patient-level information when you are in a public area, e.g., coffee shops, airports, airplanes, or hotel lobbies. Computer screens can easily be viewed from beside or behind you.

Sending data outside the Company

All external transfers of data must be associated with an official contract, non-disclosure agreement, or appropriate business associate agreement. Do not give or transfer any patient-level information to anyone outside the Company without the approval of your supervisor.

Disposal of Paper or Electronic Media

Shredding

All paper containing sensitive information which is no longer needed must be destroyed before being disposed. For example, shred documents before throwing in trash. All employees working from home, or other non-Company work environment, MUST have direct access to a shredder.

Disposal of electronic media

All external media must be sanitized or destroyed in accordance with HIPAA-compliant procedures. Consult with the privacy officer before disposal of electronic media.

Transportable Media

Purpose

To outline procedures for utilizing transportable media.

Use of Transportable Media

Transportable media (SD cards, DVDs, CD-ROMs, USB key devices, etc.) are small by design and easily lost. Rules governing the use of transportable media include:

  1. No sensitive data should ever be stored on transportable media unless the data is maintained in an encrypted format.

  2. All USB keys used to store Company data must be issued by the Privacy Officer or appropriate personnel and either be encrypted or kept securely stored (locked).

  3. The use of a personal USB key is strictly prohibited.

  4. Users must never connect their transportable media to a workstation that is not issued or approved by the Company. Non-Company workstations and laptops may not have the same security protection standards required by the Company; therefore, malware could potentially be transferred from the non-Company device to the media and then back to a Company workstation. Example: Do not copy a work spreadsheet to your USB key and take it home to work on your home PC.

  5. Before any sensitive data may be transferred to transportable media, the media must be sent to the privacy officer or appropriate personnel to ensure appropriate encryption is used. Copy sensitive data only to the encrypted space on the media.

  6. Report all loss of transportable media to your supervisor immediately.

  7. Transportable media no longer in use must be returned to the Privacy Officer or appropriate personnel.

  8. When an employee leaves the Company, all transportable media in their possession must be returned to the privacy officer or appropriate personnel.

Network Connectivity

Purpose

To outline the procedures for direct linking with an outside computer or network.

Direct Link

If a user has a specific need to link with an outside computer or network through a direct link, approval must be obtained from the privacy officer or other appropriate Company personnel, who will ensure adequate security measures are in place.

Direct link telecommunication equipment

Certain direct link connections may require a dedicated or leased phone line. Telecommunication equipment and services covered by this policy include, but are not limited to, the following:

  • phone lines

  • fax lines

  • phone headsets

  • software-based phones installed on workstations

  • conference calling contracts

  • cellular phones

  • call routing software

  • call reporting software

  • phone system administration equipment

  • T1/Network lines

  • long distance lines

  • 800 lines

  • telephone equipment

Third Party

The security of Company systems can be jeopardized from third party locations. When there is a need to connect to a third party location, a risk analysis should be conducted. The risk analysis should consider the type of access required, the value of the information, the security measures employed by the third party, and the implications for the security of Company systems. The privacy officer or appropriate personnel should be involved in the process, design and approval.

Emphasis on security in third party contracts

Access to Company computer systems or corporate networks should not be granted until a review of the following concerns has been made and appropriate restrictions or covenants have been included in a statement of work ("SOW") with the party requesting access.

  • A risk assessment of the additional liabilities that will attach to each of the parties to the agreement.

  • The right to audit contractual responsibilities should be included in the agreement or SOW.

  • Arrangements for reporting and investigating security incidents must be included in the agreement in order to meet the covenants of the HIPAA Business Associate Agreement.

  • A description of each service to be made available.

  • Each service, access, account, and/or permission made available should only be the minimum necessary for the third party to perform their contractual obligations.

  • A detailed list of users that have access to Company computer systems must be maintained and auditable.

  • If required under the contract, permission should be sought to screen authorized users.

  • Dates and times when the service is to be available should be agreed upon in advance.

  • Procedures regarding protection of information resources should be agreed upon in advance and a method of audit and enforcement implemented and approved by both parties.

  • The right to monitor and revoke user activity should be included in each agreement.

  • Language on restrictions on copying and disclosing information should be included in all agreements.

  • Responsibilities regarding hardware and software installation and maintenance should be understood and agreed upon in advance.

  • Measures to ensure the return or destruction of programs and information at the end of the contract should be written into the agreement.

  • If physical protection measures are necessary because of contract stipulations, these should be included in the agreement.

  • A formal method to grant access to, and authorize, the users who will access the data collected under the agreement should be established before any users are granted access.

  • Mechanisms should be in place to ensure that security measures are being followed by all parties to the agreement.

  • Because annual confidentiality training is required under the HIPAA regulation, a formal procedure should be established to ensure that training takes place and to determine who must attend training, who will administer it, and what its content will be.

  • A detailed list of the security measures which will be undertaken by all parties to the agreement should be published in advance of the agreement.

Firewalls

Authority from the privacy officer or appropriate personnel must be received before any employee or contractor is granted access to a Company router or firewall.

Wireless Protocol

Purpose

To outline the procedures for acquiring wireless access privileges and utilizing wireless access.

Wireless Approval

In order to be granted the ability to utilize the wireless network interface on your Company computer, laptop or mobile device you will be required to gain the approval of the privacy officer or other appropriate personnel.

Software Requirements

The following is a list of minimum software requirements for any Company device that is granted the privilege to use wireless access:

  1. Up-to-date operating system with firewall enabled

  2. Up-to-date web browser version

  3. Antivirus software

  4. Full disk encryption

  5. Appropriate VPN client, if applicable

Malicious Code

Purpose

To prevent, detect, and remove viruses and other malware from Company computers.

Antivirus Software Installation

Antivirus software must be installed on all Company computers and servers. Virus update engines and data files are monitored by appropriate administrative staff responsible for keeping all antivirus software programs up to date. When available, antivirus software must be configured to update automatically.

Reporting Software Malfunctions

Users should inform the appropriate Company personnel when software does not appear to be functioning correctly. The malfunction, whether accidental or deliberate, may pose an information security risk. If a computer virus infection is suspected, these steps should be taken immediately:

  1. Stop using the computer.

  2. Do not carry out any commands, including commands to <Save> data.

  3. Do not close any of the computer's windows or programs.

  4. Do not turn off the computer or peripheral devices.

  5. If possible, physically disconnect the computer from networks to which it is attached.

  6. Write down any unusual behavior of the computer (screen messages, unexpected disk access, unusual responses to commands) and the time when they were first noticed.

  7. Write down any changes in hardware, software, or software use that preceded the malfunction.

  8. Do not attempt to remove a suspected virus!

  9. Inform appropriate personnel as soon as possible.

Appropriate personnel should monitor the resolution of the malfunction or incident, and report results to Company manager/owner with recommendations on action steps to avert future occurrences.

New Software Distribution

Although shareware and freeware (software) can often be useful sources of work-related programs, the use or acquisition of such software must be approved by the privacy officer or appropriate personnel, and special precautions must be taken before it is installed on Company computers and networks. These precautions include determining the software does not, because of faulty design, "misbehave" and interfere with or damage Company hardware, software, or data, and the software does not contain viruses, either originating within the software design or acquired in the process of distribution. Therefore, all new software will be scanned for viruses before installation. This includes shrink-wrapped software procured directly from commercial sources as well as shareware and freeware obtained from the Internet, on disks (CD-ROM and custom-developed software), or on flash drives (thumb drives).

All data and program files that have been electronically transmitted to a Company computer or network from another location must be scanned for viruses immediately after being received. Contact appropriate Company personnel for instructions on scanning files for viruses.

Every CD-ROM, DVD and USB device is a potential source for a computer virus. Therefore, these devices must be scanned for virus infection prior to copying information to a Company computer or network.

Computers shall never be "booted" from a CD-ROM, DVD or USB device received from an outside source. Users shall always remove any CD-ROM, DVD or USB device from the computer when not in use, so that these devices are not in the computer when the machine is powered on; this prevents infection by a "boot" virus.

Encryption

Purpose

Encryption provides immense value for protecting ePHI from unauthorized access, modification, and destruction when it is stored or transmitted. If justified by risk analysis or risk management, sensitive data and files shall be encrypted in storage or before being transmitted through networks.

Definitions

Encryption

The translation of data into a secret code. Encryption is the most effective way to achieve data security. Unencrypted data is called plain text; encrypted data is referred to as cipher text.

Encryption key

Specifies the particular transformation of plain text into cipher text, or vice versa during decryption. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.

Authentication and Encryption Certificates on Email Systems

Any user desiring to transfer secure email with a specific identified external user may request to exchange public keys with the external user by contacting the privacy officer or appropriate personnel. Once verified, the certificate is installed on each recipient workstation, and the two may safely exchange secure email.

File Transfer Protocol (FTP)

Files may be transferred to secure FTP sites through the use of appropriate security precautions. Requests for any FTP transfers should be directed to the privacy officer or appropriate personnel.

Secure Sockets Layer (SSL) Web Interface

Software systems may be hosted in the "cloud" only if access is via SSL/TLS encryption link (e.g., HTTPS website).

Records Retention & Destruction

Purpose

To achieve a complete and accurate accounting of all relevant records within the Company, and to establish the conditions and time periods for which paper based and electronic health information and records will be stored, retained, and destroyed after they are no longer active for patient care or business purposes.

Retention

The Company shall maintain records in compliance with applicable governmental and regulatory requirements. Unless otherwise stipulated, retention schedules apply to all records. Records will only be discarded when the maximum specified retention period has expired, and the record is approved for destruction by the record owner.

Record retention

Documentation relating to health information, uses and disclosures, authorization forms, business reseller contracts, notices of information, responses to a patient who wants to amend or correct their information, patient statements of disagreement, and complaint records are to be maintained as follows:

7 years, but 10 years for records relating to auto accidents.

Non-record retention

Non-record documentation is maintained for as long as administratively needed. Non-records should be discarded when the business use has terminated. For example, when an employee's personal notes have been transferred to a record, the notes are no longer useful and should be discarded. The Company's compliance or privacy officer should be consulted should document determination (record vs. non-record) be needed.

Email/Text communication retention

Email/Text messages between clinicians, between patients and clinicians, and documents transmitted by email/text may be considered records. If an email/text message is considered a record based on its content, the retention period for that message would be the same for similar content in any other format. The originator of the email/text message (or the recipient of a message if the sender is an outside organization) is the person responsible for retaining the message if that message is considered a record. Users must save messages in a manner consistent with departmental procedures for retaining other information of similar content.

Permanent records

Records that cannot be destroyed include records of matters in litigation or records with a permanent retention period. In the event of a lawsuit or government investigation, applicable records can only be destroyed after the time frame set forth by the lawsuit or investigation.

Destruction

Records that have satisfied their legal, fiscal, administrative, and archival requirements may be destroyed in accordance with this policy.

Paper ("hard copy") destruction

Records must be destroyed in a manner that ensures the confidentiality of the records and renders the information unrecognizable. Approved destruction methods include:

  • Shredding

  • Burning

  • Pulping

  • Pulverizing

Media destruction

Electronic storage media (CD-ROMS, DVDs, tapes, USB thumb drives, etc.) and computer hardware (laptops, tablets, smartphones, desktops, servers, copiers, etc.) containing confidential or sensitive information may only be disposed of by these approved destruction methods:

  • Shredding

  • Burning

  • Degaussing (electro-magnetic fields to erase data)

  • Zeroization (a process of writing repeated sequences of ones and zeros over the information)

  • Any other approach that renders the media "unusable or inaccessible"

Procedure:

  1. It is the responsibility of each employee to identify media which should be destroyed and to utilize this policy in its destruction.

  2. External media or computer hardware should never be thrown in the trash.

  3. When no longer needed, all forms of external media and hardware are to be sent to the privacy officer or appropriate personnel for proper disposal.

  4. All ePHI is to be removed from equipment and media before you remove the equipment or media from your facility for offsite maintenance or disposal.

  5. The media will be secured until appropriate destruction methods are used.

  6. Use of a certified digital media destruction service may be required when the effectiveness of in-house destruction is uncertain.

Hardware disposal

It must be assumed computer hardware is likely to contain electronic protected health information ("ePHI") or other sensitive information.

Equipment to be disposed of must be wiped of all data, and all settings and configurations will be reset to factory defaults. No other settings, configurations, software installation or options will be made. Asset tags and any other identifying logos or markings will be removed.

Data Integrity

Purpose

To protect the Company's ePHI from improper alteration or destruction.

Policy

The Company shall implement and maintain appropriate electronic mechanisms to corroborate ePHI has not been altered or destroyed in an unauthorized manner.

Procedure

  1. To the fullest extent possible, the Company shall utilize applications with built-in intelligence that automatically checks for human errors (spell check is a simple example).

  2. The Company shall acquire, if determined to be appropriate, network-based and host-based intrusion detection systems. The privacy officer shall be responsible for installing, maintaining, and updating such systems.

  3. The Company shall prevent transmission errors as data passes from one computer to another.

  4. The Company will check for possible duplication of data in its computer systems to prevent poor data integration between different computer systems.

  5. To prevent programming or software bugs, the Company will update its systems when IT vendors release fixes to address known bugs or problems.

  6. The Company will use encryption, if determined to be appropriate, to preserve the integrity of data.

  7. To prevent damage to a battery or hard drive, computer devices should avoid hot environments. For example, laptop computers should not be left in automobiles during summer months.

Information System Activity Review

Purpose

To implement procedural mechanisms for conducting a review of activity in information systems containing electronic protected health information (ePHI).

Policy

The Company is committed to routinely auditing users' activities in order to continually assess potential risks and vulnerabilities to ePHI in its possession. As such, the Company shall conduct on a regular basis an internal review of records of system activity to minimize security violations.

Procedure

  1. Activity reviews shall be conducted annually at a minimum, and if the Company has reason to suspect wrongdoing.

  2. The privacy officer shall adopt a report to capture the reviewer's name, date of the review, and the review's findings.

  3. In conducting a review, the privacy officer or designated reviewer shall examine audit logs for security-significant events related to:

    • Logins — Scan successful and unsuccessful login attempts. Identify multiple failed login attempts, account lockouts, and unauthorized access.

    • File accesses — Scan successful and unsuccessful file access attempts. Identify multiple failed access attempts, unauthorized access, and unauthorized file creation, modification, or deletion.

    • Security incidents — Examine records from security devices or system audit logs for events that constitute system compromises, unsuccessful compromise attempts, malicious logic (e.g., viruses, worms), denial of service, or scanning/probing incidents.

    • User Accounts — Review user accounts within all systems to ensure users who no longer have a business need for information systems no longer have access, and make sure valid users access information appropriately, e.g., they aren't accessing records they shouldn't be.

  4. All security-significant findings shall be recorded using the report referred to in 2.

  5. Security-significant findings shall initiate a security incident, where an incident response (e.g., additional investigation, employee training and/or discipline, program adjustments, modifications to safeguards) can be determined and managed.

  6. The privacy officer shall be responsible for maintaining system activity review reports.
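As an added example (not part of the policy document), the following Python script performs the log review described in item 3 over constructed audit-log lines: it counts failed logins and lockouts per account, flags a success that follows a run of failures, lists denied file accesses, and checks active logins against a constructed roster of current workforce members. The log format, the sample lines, the roster and the three-failure threshold are all assumptions made for this example.

```python
"""Audit-log review for the security-significant events the procedure names:
repeated failed logins, lockouts, a success following a run of failures,
denied file accesses and activity by accounts with no current business need.
Log format, sample lines and roster are all constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed line format: "<timestamp> <EVENT> user=<account> src=<host> [path=<file>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|LOCKOUT|FILE_DENIED)"
    r" user=(?P<user>\S+) src=(?P<src>\S+)(?: path=(?P<path>\S+))?$"
)

# Constructed sample: a normal user, an account logged into after repeated failures,
# a locked-out account, and an account belonging to someone who has left the Company.
SAMPLE_LOG = """\
2026-03-02T08:01:10 LOGIN_OK user=jsmith src=ws-01
2026-03-02T08:02:00 LOGIN_FAIL user=rjones src=ws-07
2026-03-02T08:02:09 LOGIN_FAIL user=rjones src=ws-07
2026-03-02T08:02:17 LOGIN_FAIL user=rjones src=ws-07
2026-03-02T08:02:31 LOGIN_OK user=rjones src=ws-07
2026-03-02T08:03:02 FILE_DENIED user=rjones src=ws-07 path=/ehr/billing/export.csv
2026-03-02T08:03:20 FILE_DENIED user=rjones src=ws-07 path=/ehr/charts/all
2026-03-02T08:10:00 LOGIN_FAIL user=mlee src=ws-03
2026-03-02T08:10:05 LOGIN_FAIL user=mlee src=ws-03
2026-03-02T08:10:11 LOGIN_FAIL user=mlee src=ws-03
2026-03-02T08:10:16 LOGIN_FAIL user=mlee src=ws-03
2026-03-02T08:10:16 LOCKOUT user=mlee src=ws-03
2026-03-02T22:15:40 LOGIN_OK user=tbrown src=ws-02
this line is not in the expected format
"""

ACTIVE_WORKFORCE = {"jsmith", "rjones", "mlee"}   # constructed roster; tbrown has left
FAIL_THRESHOLD = 3   # assumption: this many failures in the review period is a finding


@dataclass
class AccountActivity:
    failed_logins: int = 0
    lockouts: int = 0
    successful_logins: int = 0
    success_after_failures: int = 0   # successes that ended a run of >= FAIL_THRESHOLD failures
    denied_paths: list = field(default_factory=list)
    streak: int = 0                   # current run of consecutive failures


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate activity per account; lines that fail to parse are counted, not dropped."""
    per_user = defaultdict(AccountActivity)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += bool(line.strip())
            continue
        acct, ev = per_user[rec["user"]], rec["event"]
        if ev == "LOGIN_FAIL":
            acct.failed_logins += 1
            acct.streak += 1
        elif ev == "LOCKOUT":
            acct.lockouts += 1
        elif ev == "LOGIN_OK":
            acct.successful_logins += 1
            if acct.streak >= FAIL_THRESHOLD:
                acct.success_after_failures += 1
            acct.streak = 0
        elif ev == "FILE_DENIED":
            acct.denied_paths.append(rec["path"])
    return dict(per_user), unparsed


def findings(per_user, active_workforce=ACTIVE_WORKFORCE):
    """Turn the per-account summary into the findings the reviewer records in the report."""
    out = []
    for user in sorted(per_user):
        a = per_user[user]
        if a.failed_logins >= FAIL_THRESHOLD:
            out.append(f"{user}: {a.failed_logins} failed logins")
        if a.lockouts:
            out.append(f"{user}: account locked out {a.lockouts} time(s)")
        if a.success_after_failures:
            out.append(f"{user}: successful login after repeated failures; confirm with account holder")
        if a.denied_paths:
            out.append(f"{user}: {len(a.denied_paths)} denied file accesses")
        if user not in active_workforce and a.successful_logins:
            out.append(f"{user}: login by an account with no current business need")
    return out


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG.splitlines())
    print("\n".join("FINDING: " + f for f in findings(summary)))
    print(f"{skipped} line(s) could not be parsed; review them by hand")
```

Each finding string maps to one bullet of item 3 and can be copied into the review report referred to in item 2.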

Security Management Process

Purpose

To ensure the Company regularly conducts a risk analysis and performs follow-up risk management procedures. Both risk analysis and risk management are critical to a covered entity's Security Rule compliance efforts and form the foundation upon which an entity's security activities are built.

Risk Analysis

Company shall conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI annually, or as necessary in light of changes to the Company and technological advancements. The privacy officer shall be responsible for coordinating risk analysis activities and shall identify appropriate persons within the organization to assist with the process.

Procedure

  1. Verify the accuracy of data for each workforce member and business associate.

  2. Verify the information systems inventory of hardware (e.g., network devices, workstations, printers, scanners, mobile devices) and software (e.g., operating systems, applications, interfaces).

    • Describe the data associated with each media inventory item.

    • Determine whether the data is created by the organization or received from a third party. If data is received from a third party, identify the party and the purpose and manner of receipt.

    • Determine whether the data is maintained within the organization only or transmitted to third parties. If data is transmitted to a third party, identify the party and the purpose and manner of transmission.

    • Determine if the media is critical to support decision making regarding patient treatment.

    • Prioritize the media relative to patient care or business needs.

    • For each application identified, identify the various security controls currently in place.

  3. Identify potential threats and vulnerabilities to the confidentiality, availability and integrity of the ePHI created, received, maintained, or transmitted by the Company. The potential for a threat to trigger or exploit a specific vulnerability creates risk. Therefore, identification of threats and vulnerabilities is central to determining the level of risk. Consider the following:

    • Environmental threats: e.g., earthquakes, storms, fire and smoke damage, power outage, utility problems.

    • Human threats:

      • Accidental acts, e.g., input errors and omissions, failure to update or upgrade software, weak password management

      • Inappropriate activities, e.g., inappropriate conduct, abuse of privileges or rights, PHI disclosures on social media

      • Illegal operations and intentional attacks, e.g., eavesdropping, snooping, theft, tampering

      • External attacks, e.g., malicious hacking, virus introduction

    • A vulnerability is a flaw or weakness in security policies and procedures, design, implementation, or controls that could be accidentally triggered or intentionally exploited, resulting in unauthorized access to ePHI, modification of ePHI, or denial of service.

  4. Analyze both technical and non-technical security measures (safeguards) currently implemented to minimize or eliminate risks to ePHI.

  5. Determine a risk score for each identified threat and vulnerability combination.

    • Assign likelihood level, i.e., probability of a security incident involving identified threat-vulnerability combinations given the safeguards currently in place. Likelihood levels include:

      • Rare (1): insignificant chance of occurrence (once every 15+ years)

      • Not Likely (2): minimal chance of occurrence (once every 10 years)

      • Likely (3): modest chance of occurrence (once every 3 years)

      • Very Likely (4): probable chance of occurrence (once every year)

      • Certain (5): almost certain chance of occurrence (once every month)

    • Assign impact level, i.e., if the threat was to exploit the vulnerability, how bad would this be for your Company. Impact levels include:

      • Insignificant Impact (1): a single or just a handful of medical records lost or compromised

      • Low Impact (2): moderate number of medical records lost or compromised

      • Medium Impact (3): significant number of medical records lost or compromised

      • High Impact (4): large number of medical records (500+) lost or compromised

      • Devastating Impact (5): very large number of medical records (500+) lost or compromised

    • Multiply the likelihood level and impact level to determine a risk score. Those risks with a higher risk score require more immediate attention.

  6. Identify security safeguards that can be used to reduce risk to a reasonable and appropriate level.

Risk Management

Company shall implement security safeguards sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The Privacy Officer shall be responsible for coordinating Company's risk management activities and shall identify appropriate persons within the organization to assist with the process.

Procedure

  1. Identify and document appropriate security safeguards (measures), focusing on those vulnerabilities with high risk scores, as well as safeguards required by the Security Rule.

  2. Develop and document an implementation strategy for both critical and non-critical security safeguards.

    • Determine costs of such safeguards.

    • Determine risk response (accept, avoid, mitigate, transfer).

    • Assign timeline for implementation.

    • Assign responsibility for implementation to appropriate person(s).

    • Make necessary adjustments based on implementation experiences.

    • Document completion dates.

  3. Evaluate effectiveness of safeguards following implementation and make appropriate adjustments.

    • The privacy officer shall be responsible for identifying appropriate times to conduct follow-up evaluations, but should consider the following events:

      • Changes in HIPAA regulations.

      • New federal, state, or local laws affecting the security of ePHI.

      • Changes in technology, environmental processes, or business processes that may affect policies or procedures.

      • Occurrence of a serious security incident.

  4. Follow-up evaluations shall include the following:

    • Interviews to assess employee compliance.

    • After-hours walk-through inspections to assess physical security, password protection (password not hidden under keyboard), and workstation sessions (employees logged out).

    • Review of latest security policies and procedures for correctness and completeness.

    • Inspection and analysis of training, incident, and media logs for compliance.

    • Analysis to assess adequacy of controls within the network, operating systems and applications.

  5. As appropriate, the Company shall engage outside vendors to evaluate existing physical and technical security measures and make recommendations for improvement.

Breach Notification Procedures

Purpose

To outline notification requirements of a breach of protected information under the Privacy Act or unsecured protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Scope

Applies to all employees, volunteers, and other individuals working under contractual agreements with the Company. This data breach was shared with the office manager, and ChiroTouch was also informed about it. They said they were not aware of it.

Definitions

Personal Information

A combination of data elements which could uniquely identify an individual.

Personally Identifiable Information (PII)

A combination of an individual's name and one or more of the following: Social Security Number, driver's license or state ID, account numbers, credit card numbers, debit card numbers, personal code, security code, password, personal ID number, photograph, fingerprint, or other information which could be used to identify an individual.

Individually Identifiable Health Information (IIHI)

PII which includes information related to the past, present or future condition, treatment, payment or provision of health care.

Protected Health Information (PHI)

Individually identifiable health information except for education records covered by FERPA and employment records.

Private Information

Information protected by the Privacy Act, Personally Identifiable Information, Personal Information and Protected Health Information collectively.

Privacy Act Breach

Unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information protected by the Privacy Act. This information includes, but is not limited to, Social Security Numbers, government-issued ID numbers, financial account numbers, or other information posing a risk of identity theft.

HIPAA Breach

Unauthorized acquisition, access, use, or disclosure of unsecured PHI.

State Breach

Unauthorized acquisition or reasonable belief of unauthorized acquisition of Personal Information that compromises the security, confidentiality, or integrity of the Personal Information.

Procedure

Reporting a Possible Breach

Any employee who becomes aware of a possible breach involving Private Information must immediately inform their supervisor/manager upon discovery or before the end of their shift if other duties interfere. However, in no case should notification occur later than twenty-four (24) hours after discovery.

  • The supervisor/manager will verify the circumstances of the possible breach and inform the privacy officer within twenty-four (24) hours of the initial report.

  • You may call the privacy officer directly.

  • Provide the privacy officer with as much detail as possible.

  • Be responsive to requests for additional information from the privacy officer.

  • Be aware that the privacy officer has an obligation to follow up on any reasonable belief that Private Information has been compromised.

The privacy officer will notify Company leadership as appropriate by taking into consideration the seriousness and scope of the breach.

Containing the Breach

The privacy officer will work with department(s) to immediately contain or limit the scope and effect of the breach. Examples include, but are not limited to:

  • Stopping the unauthorized breach

  • Recovering the records

  • Shutting down the system that was breached

  • Mitigating the breach

  • Correcting weaknesses in security practices

  • Notifying the appropriate authorities including the local Police Department if the breach involves, or may involve, any criminal activity

Investigating and Evaluating the Risks Associated with the Breach

To determine what other steps are immediately necessary, the privacy officer in collaboration with the Company's Legal Counsel and affected department(s) and administration, will investigate the circumstances of the breach to determine root cause(s), evaluate risks, and develop a resolution plan.

In determining whether or not individuals affected by the breach shall be notified, consider the following:

  • Contractual obligations

  • Legal obligations — the Company's Legal Counsel should complete a separate legal assessment of the potential breach and provide the results of the assessment to the privacy officer and the rest of the breach response team

  • Risk of identity theft or fraud because of the type of information lost such as social security number, banking information, identification numbers

  • Risk of physical harm if the loss puts an individual at risk of stalking or harassment

  • Risk of hurt, humiliation, or damage to reputation when the information includes medical or disciplinary records

  • Number of individuals affected

Notice to Individuals

If required by law, affected individuals must be notified without reasonable delay, but in no case later than sixty (60) calendar days after discovery, unless instructed otherwise by law enforcement or other applicable state or local laws.

The privacy officer will work with the Company's Legal Counsel and appropriate leadership to decide the best approach for notification, determine what may be required by law, and to draft any notification that is to be distributed. Notices must be in plain language and include basic information, including:

  • What happened

  • Types of PHI involved

  • Steps individuals should take

  • Steps the Company is taking

  • Contact Information

Notices should be sent by first-class mail or, if the individual agrees, by electronic mail. If insufficient or out-of-date contact information is available, then a substitute notice is required as specified below.

If law enforcement authorities have been contacted, those authorities will assist in determining whether notification may be delayed in order not to impede a criminal investigation.

Indirect notification such as media, website information, or posted notices will generally occur only where direct notification could cause further harm, or contact information is lacking.

If a breach affects five-hundred (500) or more individuals, or contact information is insufficient, the Company will notify a prominent media outlet that is appropriate for the size of the location with affected individuals, and notice will be provided in the form of a press release.

Notice to the Secretary

Notice to Health and Human Services (HHS) is required (unless the Company's Legal Counsel determines HIPAA notification is not required).

If a breach involves five-hundred (500) or more individuals, regardless of location, notice must be submitted to HHS at the same time notices to individuals are issued. If a breach involves fewer than five-hundred (500) individuals, the Company will be required to keep track of all breaches and to notify HHS within sixty (60) days after the end of the calendar year.

Business Associate Notification

Business associates must notify the Company if they incur or discover a breach of unsecured PHI. Notices must be provided without reasonable delay and in no case later than sixty (60) days after discovery of the breach. Business associates must cooperate with the Company in investigating and mitigating the breach.

Prevention

The privacy officer will assist the responsible department to put into effect adequate safeguards against further breaches. Procedures will be reviewed and updated to reflect the lessons learned from the investigation and regularly thereafter. The resulting plan will also include audit recommendations, if appropriate.


Compliance and Enforcement

All managers and supervisors are responsible for enforcing these procedures. Employees who violate these procedures are subject to discipline up to and including termination in accordance with the Company's Sanction Policy.

Security Awareness & Training

Purpose

To establish a security awareness and training program for all workforce members.


Procedure

All workforce members shall receive appropriate training on the Company's security policies and procedures. Such training shall be provided to all new workforce members upon hire and shall be repeated annually.

  1. Attendance or participation in such training shall be mandatory for all workforce members.

  2. The privacy officer shall document all training dates, topics, and attendance.

  3. The privacy officer shall be responsible for the development and/or delivery of ongoing security training in response to environmental and operational changes impacting the security of ePHI, e.g., addition of new hardware or increased threats.

Security reminders

  1. The privacy officer shall generate and distribute routine security reminders to all workforce members on a regular basis. Such reminders may be distributed through formal training, email, discussions during staff meetings, newsletters or articles, posted notices, etc.

  2. The privacy officer shall document all periodic security reminders.

  3. The privacy officer shall distribute special notices to all workforce members providing urgent updates, such as new threats, hazards, vulnerabilities, or countermeasures.

Protection from malicious code

As part of the aforementioned Security Training Program, the Privacy Officer shall provide training concerning the prevention, detection, containment, and eradication of malicious software. Such training shall include the following:

  1. Guidance on suspicious email attachments, email from unfamiliar senders, and phishing email.

  2. The importance of updating anti-virus software and how to check a workstation or other device to determine if virus protection is current.

  3. Instructions to never download files from unknown or suspicious sources.

  4. The importance of backing up critical data on a regular basis and storing the data in a safe place.

  5. What to do if malicious software is detected (e.g., stop using the device, disconnect it from the network, and report the incident to the privacy officer immediately).

Password management

As part of the aforementioned Security Training Program, the privacy officer shall provide training concerning password management (see Logon IDs and Passwords section within the Identification & Authentication policy).

Data Backup Plan

Purpose

To establish policies and procedures to ensure data availability after an emergency event or other occurrence (e.g., fire, vandalism, system failure, natural disaster) damages systems containing ePHI.


Data Backup Procedure

The Company, under the direction of the privacy officer, shall implement a data backup procedure to create and maintain retrievable exact copies of ePHI.

ChiroTouch backs up and maintains all clinical, scheduling, and billing data on an ongoing basis, per the Company's service agreement with that vendor. Insurance claims data is backed up and maintained by TriZetto. Because these vendors hold ePHI on the Company's behalf, their backup and retention obligations are governed by the Company's business associate agreement and service agreement with each of them.


Monitor Backups

When the data backup plan includes local hard drive backups, the privacy officer shall monitor storage and removal of backups and ensure all applicable access controls are enforced.


Test Backups

When the data backup plan includes local hard drive backups, the privacy officer shall test backup procedures on an annual basis by restoring a backup and confirming that exact copies of ePHI can be retrieved and made available. To the extent such testing indicates a need for improvement in backup procedures, the privacy officer shall identify and implement such improvements in a timely manner.
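A restore test is only meaningful if "exact copies" is checked mechanically rather than by eyeballing a file listing. The following Python script is an added example, not part of the Company's policy or any vendor's tooling: it builds a SHA-256 manifest of the source directory at backup time, then compares a restored copy against that manifest and reports files that are missing, altered, or unexpected. The directory names and sample files are constructed for the demonstration; in practice the manifest would be generated from the live ePHI folder and stored alongside the backup.

```python
"""Verify that a restored local backup is an exact copy of the source.

Added example (not the Company's own procedure). Assumes a local hard drive
backup that can be restored into a directory; all paths and files below are
constructed for the demonstration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored directory against the manifest taken at backup time.

    Returns the three discrepancy classes a restore test must surface:
    files absent from the restore, files whose contents changed, and files
    present that were never backed up.
    """
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "mismatched": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore_is_exact(result: dict[str, list[str]]) -> bool:
    """True only when every discrepancy list is empty."""
    return not any(result.values())


def demo() -> tuple[bool, dict[str, list[str]]]:
    """Constructed scenario: a faithful restore passes; a damaged one is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "notes").mkdir(parents=True)
        # Constructed sample data; no real PHI.
        (src / "notes" / "visit_0001.txt").write_text("constructed progress note\n")
        (src / "schedule.csv").write_text("date,patient_id\n2026-03-03,P-001\n")
        manifest = build_manifest(src)

        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)
        good_ok = restore_is_exact(verify_restore(manifest, good))

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "schedule.csv").write_text("date,patient_id\n")  # truncated on restore
        (bad / "notes" / "visit_0001.txt").unlink()             # lost during restore
        bad_result = verify_restore(manifest, bad)
        return good_ok, bad_result


if __name__ == "__main__":
    ok, problems = demo()
    print("faithful restore exact:", ok)
    print("damaged restore discrepancies:", problems)
```

Keep the manifest file itself under the same access controls as the backup media, and record each annual test (date, manifest hash, result) with the privacy officer's other backup documentation.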


Backup Files Prior to Equipment Movement

When information stored on equipment or media does not currently have a backup, the privacy officer will ensure a responsible workforce member creates a backup of the files before the equipment or media is moved, to prevent loss of ePHI.

Emergency Operations Plan

Purpose

Establish and implement policies and procedures for responding to an emergency or other occurrence (e.g., fire, vandalism, system failure, natural disaster, planned or unexpected outage) during which systems are either damaged or made unavailable.

Establish and implement policies and procedures to restore systems and recover data in a timely manner after an emergency or outage.


Preparedness

Establish an emergency response team responsible for the following:

  • Determining the impact of a disaster and/or system unavailability on Company's operations.

  • Identifying and implementing appropriate "workarounds" during such time information systems are unavailable.

  • Securing the site and providing ongoing physical security, in the event of a disaster.

  • Taking such steps as are necessary to restore operations and retrieve lost data.

In anticipation of system downtime the office manager, or other designated person, is responsible for maintaining an adequate stock of paper forms and documents needed to continue Company operations in the event information systems are unavailable.

The patient schedule for the next day will be printed the previous day and kept at the front desk.


Emergency Operations

The privacy officer shall notify management as soon as practical in the event of planned downtime or an unexpected outage of software systems.

The office manager will retrieve the printed patient schedule and stock of paper forms needed to record clinical, registration, and financial interactions with patients.

If phones are operational, any contact with patients shall be recorded using the relevant paper forms and transferred to clinical staff for triage if needed.

Check-in staff should verify the patient's name, date of birth, phone number, address, and insurance information as available, and should schedule and record all changes on a paper day-bill. If the patient is a walk-in or new patient and demographic information is not available, check-in staff should have the patient complete paper registration forms and place them in a temporary chart. If a copay amount was available on the schedule, or is listed on the patient's insurance card, the check-in person should collect it as appropriate.

The out folder is placed on the treatment room door, with the patient's name facing inward, to notify staff that the patient is ready.

After the clinical portion of the visit is complete staff shall direct the patient to check-out and complete relevant encounter forms (diagnosis, charges, and desired return appointment date/time).

All encounter forms shall be kept for loading into software systems later.


Emergency Recovery

The following recovery procedures transition the Company back to "normal" operations when emergency conditions no longer exist.

Paper progress notes should be transferred into the electronic record by scanning or keying them directly into the relevant software applications; billing and insurance information should be updated as necessary, and the appropriate diagnoses and charges entered.

Faxes will be evaluated by staff for urgency. Items requiring review by a provider will be placed on the provider's desk.

Scheduling telephone calls should be returned.

Once a backup of all newly entered data from the above procedures has been verified, the relevant paper forms should be securely destroyed (e.g., shredded), since they contain PHI.
