HIPAA POLICY

SECTION 1

HIPAA GOVERNANCE

1.1 Purpose

Bloomfield Wellness & Aesthetics ("BWA") is committed to protecting the privacy, confidentiality, integrity, and availability of Protected Health Information ("PHI") in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, applicable Pennsylvania laws, and other federal regulations governing healthcare privacy and security.

This HIPAA Privacy & Security Manual establishes the policies, procedures, and operational standards that all workforce members, contractors, students, volunteers, and Business Associates must follow when handling Protected Health Information.

The objectives of this manual are to:

  • Protect the confidentiality of patient information.
  • Ensure compliance with federal and Pennsylvania privacy laws.
  • Standardize privacy and security practices throughout the organization.
  • Reduce the risk of unauthorized access, disclosure, alteration, or destruction of PHI.
  • Establish clear accountability for HIPAA compliance.
  • Promote a culture of privacy, ethics, and professionalism.
  • Support safe, high-quality patient care through secure information management.

Compliance with this manual is mandatory for every member of the Bloomfield Wellness & Aesthetics workforce.


1.2 Scope

This manual applies to all workforce members and any individual acting on behalf of Bloomfield Wellness & Aesthetics, including:

  • Physicians
  • Pharmacists
  • Nurse Practitioners
  • Physician Assistants
  • Registered Nurses
  • Licensed Practical Nurses
  • Estheticians
  • Medical Assistants
  • Laser Technicians
  • Medical Receptionists
  • Billing Personnel
  • Practice Managers
  • Administrative Staff
  • Students
  • Interns
  • Volunteers
  • Independent Contractors
  • Information Technology Personnel
  • Consultants
  • Temporary Staff
  • Business Associates when applicable

It applies to all forms of Protected Health Information, including:

  • Electronic PHI (ePHI)
  • Paper records
  • Verbal communications
  • Photographs
  • Videos
  • Audio recordings
  • Emails
  • Text messages
  • Patient portal communications
  • Laboratory reports
  • Billing information
  • Insurance records
  • Appointment schedules
  • Telehealth documentation

1.3 Mission Statement

Bloomfield Wellness & Aesthetics recognizes that patient privacy is fundamental to quality healthcare.

Every workforce member is entrusted with sensitive personal and medical information. This trust requires unwavering commitment to confidentiality, ethical conduct, regulatory compliance, and respect for every patient's dignity.

Protecting patient information is not solely a legal obligation—it is a core professional responsibility shared by every member of the organization.


1.4 Organizational HIPAA Compliance Structure

Bloomfield Wellness & Aesthetics has established a formal HIPAA compliance program to oversee all privacy and security activities.

Medical Director

Dr. Domenic Mantella, MD

Responsibilities include:

  • Providing clinical oversight.
  • Supporting HIPAA compliance initiatives.
  • Reviewing clinical privacy issues.
  • Participating in compliance investigations when appropriate.
  • Supporting corrective action initiatives.

Privacy Officer

Kathryn Confer, PharmD

The Privacy Officer is responsible for:

  • Developing privacy policies.
  • Maintaining HIPAA documentation.
  • Investigating privacy complaints.
  • Responding to patient privacy requests.
  • Coordinating breach investigations.
  • Managing Business Associate Agreements.
  • Conducting workforce privacy education.
  • Monitoring compliance with the HIPAA Privacy Rule.
  • Serving as the primary contact for patient privacy concerns.

HIPAA Security Officer

Kathryn Confer, PharmD

Responsibilities include:

  • Conducting annual HIPAA Security Risk Analyses.
  • Overseeing technical safeguards.
  • Managing cybersecurity initiatives.
  • Monitoring access controls.
  • Reviewing audit logs.
  • Coordinating disaster recovery planning.
  • Investigating security incidents.
  • Maintaining HIPAA Security Rule compliance.
  • Coordinating cybersecurity awareness training.

Compliance Officer

Kathryn Confer, PharmD

Responsibilities include:

  • Monitoring regulatory compliance.
  • Performing internal audits.
  • Coordinating corrective action plans.
  • Reviewing federal and Pennsylvania regulatory changes.
  • Supervising compliance education.
  • Maintaining compliance documentation.
  • Reporting significant compliance concerns to leadership.

1.5 Workforce Responsibilities

Every workforce member is personally responsible for protecting Protected Health Information.

Each workforce member shall:

  • Access only the information necessary to perform assigned job duties.
  • Maintain patient confidentiality at all times.
  • Complete HIPAA training before accessing PHI.
  • Participate in annual refresher training.
  • Report suspected privacy or security incidents immediately.
  • Follow all administrative, physical, and technical safeguards.
  • Cooperate fully with compliance investigations.
  • Protect passwords and authentication credentials.
  • Secure workstations before leaving unattended.
  • Avoid discussing patient information in public areas.
  • Refrain from accessing records without a legitimate business or treatment purpose.
  • Immediately report lost devices, phishing attempts, or suspected breaches.

Failure to comply with these responsibilities may result in disciplinary action up to and including termination of employment, reporting to licensing boards, civil penalties, or criminal prosecution, as permitted by law.

 

SECTION 2

HIPAA DEFINITIONS & PROTECTED HEALTH INFORMATION (PHI)


2.1 Purpose

Understanding HIPAA terminology is essential for consistent compliance throughout Bloomfield Wellness & Aesthetics. Every workforce member must understand what information is protected, when HIPAA applies, and how Protected Health Information (PHI) must be handled.

The definitions contained in this manual are based upon the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA Privacy Rule, the HIPAA Security Rule, the HITECH Act, and applicable federal guidance. When federal or Pennsylvania law changes, these definitions shall be interpreted in accordance with the most current legal requirements.


2.2 What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to:

  • Protect patient privacy.
  • Improve healthcare data security.
  • Standardize electronic healthcare transactions.
  • Reduce healthcare fraud.
  • Provide patients with rights regarding their medical information.
  • Establish national standards for safeguarding health information.

HIPAA applies to Covered Entities and their Business Associates that create, receive, maintain, or transmit Protected Health Information.


2.3 Covered Entity

Bloomfield Wellness & Aesthetics is a Covered Entity under HIPAA to the extent it provides healthcare services and engages in covered electronic transactions.

As a Covered Entity, Bloomfield Wellness & Aesthetics must:

  • Protect Protected Health Information.
  • Limit disclosures.
  • Train workforce members.
  • Maintain written policies.
  • Conduct security risk analyses.
  • Notify patients of certain breaches.
  • Honor patient privacy rights.
  • Enter into Business Associate Agreements when required.

2.4 Business Associate

A Business Associate is any person or organization, other than a member of the workforce, that performs services involving Protected Health Information on behalf of Bloomfield Wellness & Aesthetics.

Examples include:

  • Electronic Health Record vendors
  • Practice Management software providers
  • Medical billing companies
  • Cloud storage providers
  • Cybersecurity consultants
  • Secure shredding vendors
  • IT consultants
  • Collection agencies
  • Attorneys
  • Accountants
  • Telehealth vendors
  • Patient portal providers

Whenever required, a HIPAA-compliant Business Associate Agreement (BAA) must be executed before PHI is shared.


2.5 Protected Health Information (PHI)

Protected Health Information (PHI) is individually identifiable health information maintained or transmitted by Bloomfield Wellness & Aesthetics in any form or medium.

PHI may exist in:

  • Electronic records
  • Paper records
  • Verbal conversations
  • Emails
  • Text messages
  • Clinical photographs
  • Audio recordings
  • Videos
  • Faxes
  • Portable devices
  • Cloud storage

Examples include:

  • Patient name
  • Date of birth
  • Medical diagnoses
  • Laboratory results
  • Procedure notes
  • Clinical photographs
  • Medication history
  • Insurance information
  • Appointment records
  • Billing information
  • Hormone treatment plans
  • Weight management records
  • Laser treatment documentation
  • Functional medicine assessments

PHI remains protected regardless of where it is stored.


2.6 Electronic Protected Health Information (ePHI)

Electronic Protected Health Information (ePHI) refers to Protected Health Information created, stored, transmitted, or received electronically.

Examples include:

  • Electronic medical records
  • Patient portal communications
  • Electronic laboratory reports
  • Electronic prescriptions
  • Cloud-based medical records
  • Secure emails
  • Digital photographs
  • Electronic billing records
  • Telehealth documentation
  • Electronic consent forms

The HIPAA Security Rule applies specifically to ePHI.


2.7 Individually Identifiable Health Information

Health information becomes protected when it identifies an individual or could reasonably be used to identify that individual.

Information may be considered identifiable when it contains:

  • Name
  • Address
  • Telephone number
  • Email address
  • Date of birth
  • Social Security Number
  • Medical Record Number
  • Account Number
  • Insurance Identification Number
  • Driver's License Number
  • Vehicle information
  • Biometric identifiers
  • Full-face photographs
  • Device identifiers
  • Internet Protocol (IP) address when associated with health information
  • Any other unique identifying characteristic

Even partial information may identify a patient when combined with other available information.


2.8 Designated Record Set

A Designated Record Set includes records used by Bloomfield Wellness & Aesthetics to make decisions regarding patients.

Examples include:

  • Medical histories
  • Progress notes
  • Consultation reports
  • Laboratory results
  • Diagnostic reports
  • Medication records
  • Allergy documentation
  • Treatment plans
  • Clinical photographs
  • Billing records
  • Insurance records
  • Appointment histories
  • Electronic communications maintained within the medical record

Patients generally have rights to inspect and obtain copies of information contained within the Designated Record Set.


2.9 Minimum Necessary Standard

Except for certain permitted uses, Bloomfield Wellness & Aesthetics limits the use, access, and disclosure of Protected Health Information to the minimum amount reasonably necessary to accomplish the intended purpose.

Examples include:

Reception staff generally do not require access to:

  • Complete laboratory histories
  • Detailed provider notes
  • Mental health documentation
  • Entire medical records

Billing personnel generally require:

  • Patient demographics
  • Insurance information
  • Procedure codes
  • Diagnosis codes
  • Payment information

Clinical providers generally require broader access to deliver safe patient care.

Role-based access controls support compliance with the Minimum Necessary Standard.


2.10 Workforce

The workforce includes:

  • Employees
  • Physicians
  • Pharmacists
  • Nurse Practitioners
  • Physician Assistants
  • Estheticians
  • Medical Assistants
  • Receptionists
  • Students
  • Volunteers
  • Interns
  • Temporary personnel
  • Individuals under direct control of Bloomfield Wellness & Aesthetics

Every workforce member must comply with HIPAA policies.


2.11 Confidential Information

Confidential information extends beyond Protected Health Information and includes business information not intended for public disclosure.

Examples include:

  • Financial records
  • Employee personnel files
  • Vendor contracts
  • Business plans
  • Compliance investigations
  • Cybersecurity documentation
  • Internal audit reports
  • Credentialing files
  • Quality improvement activities

Confidential information shall be protected from unauthorized disclosure.


2.12 Authorization

An Authorization is a written document signed by the patient (or authorized representative) permitting the use or disclosure of Protected Health Information for purposes not otherwise permitted by HIPAA.

An authorization generally includes:

  • Patient identification
  • Description of information
  • Recipient
  • Purpose
  • Expiration
  • Signature
  • Date

Patients may revoke an authorization prospectively in writing.


2.13 Privacy Incident

A Privacy Incident is any event involving actual or suspected inappropriate access, use, disclosure, or handling of Protected Health Information.

Examples include:

  • Discussing patients in public
  • Viewing records without authorization
  • Sending records to the wrong recipient
  • Leaving records unattended
  • Improper disposal of records
  • Lost paperwork
  • Unauthorized photography

Every suspected privacy incident must be reported immediately.


2.14 Security Incident

A Security Incident involves actual or attempted unauthorized access to electronic systems or electronic Protected Health Information.

Examples include:

  • Phishing attacks
  • Malware infections
  • Ransomware
  • Lost laptops
  • Lost smartphones
  • Password compromise
  • Unauthorized system access
  • Hacking attempts
  • Stolen devices

Security incidents require immediate reporting to the HIPAA Security Officer.


2.15 Breach

A Breach is the acquisition, access, use, or disclosure of unsecured Protected Health Information in a manner not permitted under HIPAA that compromises the security or privacy of the information.

Not every privacy incident constitutes a reportable breach.

Each incident must undergo a documented risk assessment to determine whether notification is required under the HIPAA Breach Notification Rule.


2.16 De-Identified Information

Information is considered de-identified when identifiers have been removed in accordance with HIPAA requirements such that the information cannot reasonably be used to identify an individual.

De-identified information may be used for:

  • Quality improvement
  • Research (where applicable)
  • Statistical reporting
  • Operational analysis
  • Educational purposes

Bloomfield Wellness & Aesthetics will de-identify information only in accordance with applicable legal standards.


2.17 Need-to-Know Principle

The Need-to-Know Principle means workforce members access only the information necessary to perform assigned responsibilities.

Curiosity is never a legitimate reason to access patient records.

Examples of prohibited access include:

  • Reviewing records of family members without authorization.
  • Viewing records of coworkers.
  • Accessing celebrity records out of curiosity.
  • Looking up neighbors or friends.
  • Reviewing your own medical record through internal systems without authorization.

Unauthorized access is grounds for disciplinary action.


2.18 Definition Summary

Every workforce member should remember these fundamental principles:

  • PHI belongs to the patient; Bloomfield Wellness & Aesthetics is entrusted with protecting it.
  • Every access to PHI must have a legitimate treatment, payment, healthcare operations, or other legally permitted purpose.
  • When in doubt, disclose less—not more—and seek guidance from the Privacy Officer or HIPAA Security Officer before acting.

SECTION 3

HIPAA PRIVACY RULE


3.1 Purpose

The HIPAA Privacy Rule establishes national standards governing the use and disclosure of Protected Health Information (PHI). Bloomfield Wellness & Aesthetics is committed to ensuring that every workforce member understands these standards and applies them consistently in daily operations.

The Privacy Rule is intended to:

  • Protect the confidentiality of patient information.
  • Allow appropriate information sharing necessary for quality healthcare.
  • Provide patients with rights regarding their medical information.
  • Establish safeguards to prevent unauthorized disclosure.
  • Promote patient confidence in the healthcare system.

Compliance with the HIPAA Privacy Rule is mandatory for every workforce member, regardless of position or employment status.


3.2 General Privacy Principles

Bloomfield Wellness & Aesthetics follows these core privacy principles:

  • Patients have a right to privacy.
  • PHI shall only be used or disclosed when legally permitted or authorized.
  • Workforce members shall access only the information necessary to perform assigned duties.
  • Patient dignity and confidentiality shall always be respected.
  • Privacy protections apply regardless of whether information is spoken, written, photographed, or stored electronically.

3.3 Permitted Uses and Disclosures Without Patient Authorization

HIPAA permits Bloomfield Wellness & Aesthetics to use or disclose Protected Health Information without obtaining written authorization for certain purposes.

These include:

Treatment

Information may be shared among healthcare providers involved in patient care.

Examples include:

  • Referrals
  • Laboratory orders
  • Consultation requests
  • Prescription management
  • Medication reconciliation
  • Care coordination
  • Emergency treatment

Payment

Information may be used to:

  • Submit insurance claims
  • Verify insurance eligibility
  • Obtain prior authorization
  • Process patient payments
  • Coordinate benefits
  • Conduct billing audits
  • Collect outstanding balances

Healthcare Operations

PHI may be used for:

  • Quality improvement
  • Credentialing
  • Staff education
  • Internal audits
  • Compliance investigations
  • Practice management
  • Risk management
  • Performance improvement
  • Infection prevention
  • Accreditation activities

3.4 Uses Requiring Written Authorization

Unless another HIPAA exception applies, Bloomfield Wellness & Aesthetics will obtain a written authorization before using or disclosing PHI for purposes such as:

  • Marketing communications that require authorization
  • Most disclosures to employers
  • Most disclosures to attorneys when not otherwise required by law
  • Use of patient testimonials
  • Use of patient photographs for advertising
  • Sale of Protected Health Information (which BWA does not engage in)
  • Uses not otherwise permitted under HIPAA

The authorization must include all elements required by HIPAA and may be revoked prospectively by the patient.


3.5 Incidental Disclosures

Despite reasonable safeguards, limited incidental disclosures may occur during normal healthcare operations.

Examples include:

  • Another patient briefly overhearing a name called in the reception area.
  • A visitor seeing a sign-in sheet containing only limited identifying information.
  • Conversations between providers conducted in appropriate clinical settings that are inadvertently overheard.

Incidental disclosures are permissible only when:

  • Reasonable safeguards are in place.
  • The disclosure is unavoidable.
  • The workforce member has otherwise complied with HIPAA.

3.6 Minimum Necessary Standard

Except for disclosures related to treatment or other HIPAA exceptions, workforce members shall disclose only the minimum amount of information necessary to accomplish the intended purpose.

Examples include:

Appropriate:

  • Billing staff accessing diagnosis codes necessary for claim submission.
  • Reception staff confirming appointment times.
  • Providers reviewing complete records before treatment.

Inappropriate:

  • Reviewing unrelated portions of a patient's chart.
  • Printing entire records when only one office note is required.
  • Discussing unnecessary medical details with non-clinical staff.

Department managers are responsible for ensuring workforce access aligns with job responsibilities.


3.7 Patient Directory Information

Bloomfield Wellness & Aesthetics generally does not maintain a public patient directory.

Patient names, appointment information, and treatment details will not be released to callers or visitors without patient permission unless otherwise permitted or required by law.


3.8 Verification Before Disclosure

Before releasing PHI, workforce members shall make reasonable efforts to verify the identity and authority of the requesting individual.

Verification methods may include:

  • Government-issued photo identification.
  • Patient portal authentication.
  • Date of birth and address verification.
  • Written authorization.
  • Legal documentation (e.g., healthcare power of attorney, guardianship).
  • Professional credentials for healthcare providers.

No PHI shall be released when identity or authority cannot be reasonably verified.


3.9 Telephone Communications

When communicating by telephone, workforce members shall:

  • Confirm the identity of the caller.
  • Limit disclosures to the minimum necessary.
  • Avoid discussing PHI in public areas.
  • Verify callback numbers when appropriate.
  • Use professional judgment before leaving voicemail messages.

Voicemail messages should generally include only limited information, such as:

"This is Bloomfield Wellness & Aesthetics calling regarding your appointment. Please contact our office at (412) 999-4306."

Detailed medical information should not be left on voicemail unless the patient has specifically authorized it.


3.10 Reception Area Privacy

Reception staff shall make reasonable efforts to protect patient privacy.

Examples include:

  • Speaking in a low voice when discussing patient information.
  • Positioning computer monitors away from public view.
  • Limiting visible paperwork.
  • Avoiding unnecessary discussion of diagnoses.
  • Calling patients by name only when appropriate.
  • Avoiding discussion of financial matters where others may overhear.

3.11 Waiting Room Practices

Workforce members shall:

  • Avoid discussing confidential medical information within hearing distance of other patients.
  • Use private consultation rooms when discussing sensitive matters.
  • Maintain professional discretion regarding patient identity and reason for visit.

3.12 Conversations in Clinical Areas

Clinical discussions involving PHI should occur only:

  • In treatment rooms.
  • In provider offices.
  • In designated staff areas.
  • Through secure communication systems.

Discussions should never occur in elevators, hallways, parking lots, restaurants, or other public locations where they may be overheard.


3.13 Email Communications

Email containing PHI shall be transmitted only through approved methods consistent with practice policy.

Workforce members shall:

  • Verify recipient addresses before sending.
  • Avoid using personal email accounts for patient care.
  • Use encryption when appropriate.
  • Report misdirected emails immediately.

3.14 Text Messaging

Text messaging containing PHI shall occur only through approved communication methods authorized by Bloomfield Wellness & Aesthetics.

Personal texting of patient information from personal devices is prohibited unless specifically authorized under practice policy and appropriate safeguards are in place.


3.15 Social Media

Workforce members shall never post patient information on social media without a valid written authorization.

Prohibited activities include:

  • Posting clinical photographs.
  • Sharing patient stories that identify individuals.
  • Discussing interesting cases in a manner that could identify a patient.
  • Responding to online comments in a way that confirms an individual is a patient.

Even if a patient publicly identifies themselves as a patient of Bloomfield Wellness & Aesthetics, workforce members shall not confirm the treatment relationship through social media.


3.16 Photography in the Practice

Clinical photographs are considered Protected Health Information when they identify or can reasonably identify a patient.

Photography shall be:

  • Clinically appropriate.
  • Securely stored.
  • Accessed only by authorized personnel.
  • Used only for authorized purposes.

Marketing use requires a separate written authorization.


3.17 Media Requests

All requests from television stations, newspapers, magazines, podcasts, bloggers, influencers, or other media organizations shall be referred to practice leadership.

Workforce members shall not disclose patient information to the media without appropriate authorization or legal authority.


3.18 Privacy Complaints

Patients have the right to file complaints regarding the privacy of their information.

Every complaint shall be:

  • Taken seriously.
  • Documented.
  • Promptly investigated.
  • Reviewed by the Privacy Officer.
  • Resolved in accordance with practice policy.

Retaliation against any patient or workforce member who reports a good-faith privacy concern is strictly prohibited.


3.19 Practical Workforce Examples

Appropriate

Discussing laboratory results privately with the treating provider.

Accessing the chart of a patient you are actively treating.

Confirming an appointment with the patient.

Sending records pursuant to a valid authorization.


Inappropriate

Looking up your neighbor's laboratory results.

Viewing a celebrity's chart out of curiosity.

Discussing patient care in the break room where visitors are present.

Photographing a patient with a personal cellphone.

Taking screenshots of medical records.

Sharing patient stories on personal social media.


3.20 Privacy Rule Summary

Every workforce member should remember these guiding principles:

  • Treat every patient's information as if it were your own.
  • Access only what you need to do your job.
  • When uncertain, ask the Privacy Officer before disclosing information.
  • Protect confidentiality in every conversation, document, and electronic communication.
  • Privacy is not simply a legal requirement—it is fundamental to patient trust and the mission of Bloomfield Wellness & Aesthetics.

SECTION 4

HIPAA SECURITY RULE


4.1 Purpose

The HIPAA Security Rule establishes national standards for protecting Electronic Protected Health Information ("ePHI"). Bloomfield Wellness & Aesthetics is committed to implementing comprehensive administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of all electronic patient information.

The objectives of this Security Rule policy are to:

  • Protect electronic Protected Health Information from unauthorized access.
  • Prevent data loss, alteration, or destruction.
  • Maintain secure access to patient information for authorized users.
  • Reduce cybersecurity risk.
  • Ensure continuity of patient care.
  • Maintain compliance with HIPAA, HITECH, and applicable Pennsylvania laws.

Every workforce member is responsible for complying with the safeguards described in this manual.


4.2 Security Program Objectives

Bloomfield Wellness & Aesthetics' Information Security Program is designed to:

  • Protect patient confidentiality.
  • Preserve data integrity.
  • Maintain system availability.
  • Reduce cybersecurity threats.
  • Ensure regulatory compliance.
  • Promote safe clinical operations.
  • Minimize operational disruptions.
  • Support disaster recovery.
  • Foster workforce security awareness.
  • Continuously improve security practices.

4.3 Security Management Process

Bloomfield Wellness & Aesthetics maintains an ongoing Security Management Process consisting of:

Risk Analysis

We conduct periodic risk analyses to identify potential threats and vulnerabilities affecting electronic Protected Health Information.

Risk analyses evaluate:

  • Hardware
  • Software
  • Mobile devices
  • Cloud systems
  • Third-party vendors
  • Workforce practices
  • Physical security
  • Cybersecurity threats
  • Remote access
  • Business continuity

Risk Management

After risks are identified, Bloomfield Wellness & Aesthetics implements reasonable and appropriate safeguards to reduce those risks.

Examples include:

  • Security updates
  • Policy revisions
  • Workforce education
  • Vendor oversight
  • Multi-factor authentication
  • Encryption
  • Improved access controls
  • Enhanced monitoring

4.4 Assigned Security Responsibility

Bloomfield Wellness & Aesthetics designates a HIPAA Security Officer responsible for implementing and overseeing the Security Rule.

Current Security Officer:

Kathryn Confer, PharmD

Responsibilities include:

  • Conducting security risk analyses
  • Developing security policies
  • Monitoring cybersecurity
  • Investigating security incidents
  • Coordinating breach response
  • Overseeing technical safeguards
  • Maintaining security documentation
  • Coordinating workforce security training

4.5 Workforce Security

Access to electronic Protected Health Information is limited to authorized workforce members.

Prior to receiving system access, workforce members shall:

  • Complete orientation.
  • Complete HIPAA Privacy training.
  • Complete HIPAA Security training.
  • Sign a Confidentiality Agreement.
  • Receive role-based access.
  • Review applicable policies.

When employment or contractual relationships end, system access shall be promptly modified or terminated.


4.6 Information Access Management

Electronic access is granted according to each workforce member's responsibilities.

Examples include:

Providers

Access may include:

  • Complete medical records
  • Laboratory results
  • Imaging reports
  • Medication history
  • Clinical documentation
  • Scheduling
  • Billing summaries as necessary

Nursing and Clinical Staff

Access generally includes:

  • Clinical documentation
  • Medication administration information
  • Laboratory results
  • Treatment plans
  • Appointment information

Reception Staff

Access generally includes:

  • Scheduling
  • Demographics
  • Insurance information
  • Limited billing information

Reception personnel should not routinely access complete provider documentation unless necessary for assigned duties.


Billing Personnel

Access generally includes:

  • Charges
  • Insurance information
  • Procedure codes
  • Diagnosis codes
  • Payment history

IT Personnel

IT personnel receive only the level of access necessary to maintain systems and are expected to avoid accessing patient records unless operationally necessary.


4.7 Security Awareness Training

All workforce members shall participate in ongoing cybersecurity education.

Training topics include:

  • Password security
  • Phishing recognition
  • Malware
  • Ransomware
  • Device security
  • Remote work security
  • Safe internet browsing
  • Email security
  • Social engineering
  • Secure disposal
  • Incident reporting

Training is documented and retained.


4.8 Password Policy

Passwords shall meet current organizational standards.

Passwords shall:

  • Be unique.
  • Not be shared.
  • Not be reused across critical systems.
  • Be kept confidential.
  • Be changed whenever compromise is suspected.

Employees shall never:

  • Write passwords on visible notes.
  • Share passwords with coworkers.
  • Send passwords through unsecured email or text.
  • Allow another individual to log in using their credentials.

4.9 Multi-Factor Authentication (MFA)

Whenever supported, multi-factor authentication shall be enabled for:

  • Electronic Health Records
  • Remote access
  • Cloud services
  • Administrative accounts
  • Email systems
  • Financial applications

Examples of secondary authentication include:

  • Authentication applications
  • Hardware tokens
  • SMS verification (when appropriate)
  • Biometric authentication

4.10 Workstation Security

All workstations capable of accessing ePHI shall be protected through reasonable safeguards.

Employees shall:

  • Lock computers before leaving workstations.
  • Log off at the end of each shift.
  • Position monitors away from public view.
  • Protect printed documents.
  • Avoid leaving records unattended.

Automatic screen-lock functionality should be enabled whenever practical.


4.11 Mobile Device Security

Mobile devices capable of accessing ePHI include:

  • Smartphones
  • Tablets
  • Laptops
  • Portable storage devices

Security requirements include:

  • Device passcodes
  • Encryption where available
  • Automatic locking
  • Remote wipe capability when supported
  • Approved applications
  • Current software updates

Lost or stolen devices must be reported immediately.


4.12 Bring Your Own Device (BYOD)

Personally owned devices may access practice information only when authorized by Bloomfield Wellness & Aesthetics.

Requirements include:

  • Security approval
  • Password protection
  • Current operating system
  • Antivirus protection where appropriate
  • Immediate reporting of loss or theft
  • Compliance with mobile device policies

The practice reserves the right to revoke access to any personal device that does not meet security standards.


4.13 Remote Access

Remote access shall occur only through approved secure methods.

Examples include:

  • Encrypted Virtual Private Network (VPN)
  • Secure cloud applications
  • Multi-factor authentication
  • Approved remote desktop solutions

Public computers should never be used to access electronic Protected Health Information.


4.14 Email Security

Employees shall:

  • Verify recipients before sending messages.
  • Avoid transmitting unnecessary PHI.
  • Use approved email systems.
  • Report suspicious emails immediately.
  • Never open unexpected attachments.
  • Avoid clicking suspicious links.

Email containing PHI should utilize secure transmission methods whenever appropriate.


4.15 Phishing Prevention

Phishing remains one of the leading causes of healthcare data breaches.

Employees should be alert for:

  • Urgent payment requests
  • Unexpected password reset messages
  • Suspicious hyperlinks
  • Unknown attachments
  • Misspelled domains
  • Requests for login credentials
  • Requests to bypass established procedures

If uncertain, employees shall contact the IT department or Security Officer before responding.


4.16 Malware Protection

Practice systems shall utilize commercially reasonable protections against malicious software.

Security measures may include:

  • Antivirus software
  • Endpoint Detection and Response (EDR)
  • Email filtering
  • Web filtering
  • Threat detection
  • Software updates

Employees shall never intentionally disable security software.


4.17 Encryption

Encryption shall be utilized whenever appropriate to protect ePHI.

Encryption may apply to:

  • Laptop computers
  • Mobile devices
  • Cloud storage
  • Portable media
  • Secure messaging
  • Backup systems
  • Electronic transmission

Although encryption significantly reduces risk, workforce members must continue to follow all other privacy and security safeguards.


4.18 Audit Controls

Electronic systems should maintain audit capabilities that record events including:

  • User logins
  • Failed login attempts
  • Record access
  • Record modification
  • Record deletion
  • Administrative changes
  • Export activity
  • Printing activity

Audit logs support investigations, quality improvement, and regulatory compliance.


4.19 Integrity Controls

Bloomfield Wellness & Aesthetics maintains safeguards designed to ensure electronic information is not improperly altered or destroyed.

Examples include:

  • User authentication
  • Version controls where applicable
  • Audit logging
  • Backup procedures
  • System monitoring
  • Controlled editing permissions

Medical records shall accurately reflect the care provided and shall not be altered to conceal errors or misrepresent clinical services.


4.20 Transmission Security

Electronic transmission of ePHI shall occur using secure technologies whenever reasonably available.

Examples include:

  • Secure patient portals
  • Encrypted email
  • Secure electronic prescribing
  • Secure laboratory interfaces
  • Encrypted telehealth platforms
  • Secure electronic fax systems

Transmission methods shall be periodically evaluated as technology evolves.


4.21 Security Rule Summary

Every workforce member plays a critical role in protecting electronic Protected Health Information.

Remember these guiding principles:

  • Lock your workstation whenever unattended.
  • Never share passwords.
  • Verify recipients before sending information.
  • Report suspicious activity immediately.
  • Protect mobile devices.
  • Access only the information necessary to perform your job.
  • When uncertain, contact the HIPAA Security Officer before taking action.

Maintaining strong security practices protects our patients, our workforce, and the mission of Bloomfield Wellness & Aesthetics while ensuring compliance with federal and Pennsylvania law.

SECTION 5

HIPAA ADMINISTRATIVE SAFEGUARDS

HIPAA Security Rule: Administrative Safeguards (45 CFR §164.308)


5.1 Purpose

Administrative Safeguards are the policies, procedures, and management practices that direct how Bloomfield Wellness & Aesthetics protects Electronic Protected Health Information ("ePHI").

These safeguards establish the organizational framework necessary to ensure that all workforce members understand their responsibilities and consistently apply appropriate privacy and security measures.

Bloomfield Wellness & Aesthetics maintains Administrative Safeguards that are reasonable, appropriate, and scalable based on the size, complexity, services, and operational needs of the practice.


5.2 Administrative Safeguard Objectives

The objectives of our Administrative Safeguards are to:

  • Protect patient confidentiality.
  • Reduce cybersecurity risk.
  • Ensure compliance with HIPAA.
  • Promote workforce accountability.
  • Establish consistent security procedures.
  • Prepare the organization for emergencies.
  • Reduce human error.
  • Detect inappropriate access.
  • Respond rapidly to security incidents.
  • Continuously improve our compliance program.

5.3 Security Management Process

Bloomfield Wellness & Aesthetics maintains an ongoing Security Management Process consisting of:

A. Risk Analysis

A formal Security Risk Analysis shall be performed:

  • Prior to implementation of new technology
  • At least annually
  • Following major operational changes
  • Following significant security incidents
  • Whenever new threats emerge

The Risk Analysis evaluates:

  • Electronic Health Records
  • Patient Portal
  • Practice Management Software
  • Cloud Storage
  • Email Systems
  • Mobile Devices
  • Wireless Networks
  • Firewalls
  • Third-Party Vendors
  • Medical Equipment connected to networks
  • Telehealth Platforms
  • Payment Systems

Each identified risk shall receive:

  • Likelihood rating
  • Impact rating
  • Overall risk score
  • Recommended mitigation
  • Assigned responsible individual
  • Target completion date

B. Risk Management

Once risks are identified, Bloomfield Wellness & Aesthetics shall implement corrective actions appropriate to the level of risk.

Examples include:

  • Software upgrades
  • Enhanced encryption
  • Multi-factor authentication
  • Password changes
  • Additional employee training
  • Vendor remediation
  • Hardware replacement
  • Policy revisions
  • Additional monitoring

Risk mitigation efforts shall be documented.


5.4 Sanction Policy

Bloomfield Wellness & Aesthetics maintains a zero-tolerance approach toward intentional HIPAA violations.

Violations are evaluated based upon:

  • Intent
  • Severity
  • Harm caused
  • Previous violations
  • Corrective actions taken

Possible sanctions include:

Level I

Minor accidental violations

Examples:

  • Leaving workstation unlocked
  • Failure to shred documents
  • Discussing PHI too loudly

Possible Actions:

  • Coaching
  • Retraining
  • Verbal counseling

Level II

Moderate violations

Examples:

  • Accessing records without clinical need
  • Sharing passwords
  • Improper emailing of PHI

Possible Actions:

  • Written warning
  • Mandatory retraining
  • Suspension of system access
  • Performance improvement plan

Level III

Serious violations

Examples:

  • Intentional snooping
  • Downloading medical records
  • Unauthorized photography
  • Posting PHI online
  • Theft of information
  • Sale of patient information

Possible Actions:

  • Immediate suspension
  • Termination
  • Reporting to licensing boards
  • Civil penalties
  • Criminal referral when appropriate

5.5 Information System Activity Review

Bloomfield Wellness & Aesthetics shall periodically review:

  • Audit logs
  • Login reports
  • Failed login attempts
  • Access reports
  • Export reports
  • Printing activity
  • Remote access logs
  • Administrative account activity

Monitoring may be conducted:

  • Daily for critical alerts
  • Weekly for selected systems
  • Monthly for routine audits
  • Following reported incidents

Abnormal activity shall be investigated promptly.


5.6 Assigned Security Responsibility

The HIPAA Security Officer is responsible for implementing and maintaining the Security Rule.

Primary responsibilities include:

  • Security Risk Analysis
  • Policy development
  • Incident investigations
  • Cybersecurity oversight
  • Workforce training
  • Vendor security oversight
  • Annual program evaluation
  • OCR investigation support
  • Security documentation

Current Security Officer:

Kathryn Confer, PharmD


5.7 Workforce Security

Access to ePHI shall be managed throughout the workforce lifecycle.

Before Employment

Where appropriate:

  • Background screening
  • License verification
  • Credential verification
  • Confidentiality Agreement
  • HIPAA Orientation

During Employment

Employees shall:

  • Maintain confidentiality
  • Complete annual HIPAA training
  • Report incidents immediately
  • Protect passwords
  • Follow security policies
  • Maintain professional conduct

Upon Separation

Immediately upon termination or resignation:

  • Disable user accounts
  • Recover keys
  • Recover badges
  • Recover laptops
  • Recover mobile devices
  • Recover access cards
  • Remove remote access
  • Disable email access
  • Recover practice-owned media

The Security Officer or designee shall document completion.


5.8 Information Access Management

Role-based access shall be assigned according to job responsibilities.

Examples include:

Clinical Providers

Access:

  • Complete medical records
  • Laboratory results
  • Imaging
  • Prescriptions
  • Clinical documentation

Medical Assistants

Access:

  • Assigned patient schedules
  • Clinical documentation
  • Orders
  • Medication history

Reception

Access:

  • Scheduling
  • Registration
  • Demographics
  • Insurance

Billing

Access:

  • Financial records
  • Charges
  • Insurance
  • Claims

IT Personnel

Access only as operationally necessary.


5.9 Security Awareness Program

Bloomfield Wellness & Aesthetics maintains an ongoing Security Awareness Program.

Topics include:

  • HIPAA
  • Passwords
  • Email security
  • Social engineering
  • Phishing
  • Malware
  • Ransomware
  • Mobile device security
  • Internet safety
  • Physical security
  • Remote work
  • AI and emerging technologies
  • Data privacy

Security reminders shall be distributed periodically.


5.10 Workforce Clearance Procedures

Prior to receiving access to systems containing ePHI, workforce members shall:

  • Complete orientation
  • Complete HIPAA Privacy training
  • Complete HIPAA Security training
  • Review applicable policies
  • Receive supervisor approval
  • Receive Security Officer approval when appropriate

No employee shall receive unrestricted access upon hire.


5.11 Password Management

Bloomfield Wellness & Aesthetics shall maintain formal password procedures.

Passwords shall never be:

  • Shared
  • Written on sticky notes
  • Stored in browsers without authorization
  • Sent through unsecured email
  • Reused after compromise

Employees shall immediately change passwords if compromise is suspected.


5.12 Contingency Planning

Bloomfield Wellness & Aesthetics maintains contingency plans to ensure continuity of operations.

The Contingency Plan addresses:

  • Fire
  • Flood
  • Power outage
  • Cyberattack
  • Ransomware
  • Tornado
  • Severe weather
  • Hardware failure
  • Software failure
  • Internet outage
  • Building evacuation

Patient care remains the highest operational priority during emergencies.


5.13 Data Backup Plan

Critical systems shall be backed up according to operational requirements.

Backup objectives include:

  • Recovery of medical records
  • Restoration of scheduling
  • Billing continuity
  • Clinical documentation recovery
  • Regulatory compliance

Backups shall be protected using appropriate physical and technical safeguards.


5.14 Disaster Recovery Plan

The Disaster Recovery Plan identifies procedures for restoring systems after catastrophic events.

Recovery priorities:

Priority 1

  • Electronic Health Record
  • Scheduling
  • Clinical communications

Priority 2

  • Billing
  • Financial systems

Priority 3

  • Administrative systems
  • Archived information

Testing of recovery procedures should occur periodically.


5.15 Emergency Mode Operation Plan

During emergencies, Bloomfield Wellness & Aesthetics shall continue critical healthcare operations whenever safely possible.

Examples include:

  • Emergency patient treatment
  • Access to essential records
  • Medication management
  • Laboratory coordination
  • Provider communications

Emergency procedures shall prioritize patient safety while protecting PHI.


5.16 Evaluation

The HIPAA Security Program shall be evaluated:

  • Annually
  • Following major technology implementations
  • Following significant security incidents
  • Following OCR guidance updates
  • Following significant regulatory changes

Evaluations assess:

  • Policy effectiveness
  • Workforce compliance
  • Technical safeguards
  • Vendor performance
  • Cybersecurity posture
  • Documentation quality

Corrective actions shall be documented and tracked to completion.


5.17 Business Associate Oversight

Administrative Safeguards extend to third-party vendors.

Bloomfield Wellness & Aesthetics shall:

  • Maintain current Business Associate Agreements
  • Evaluate vendor security
  • Monitor significant vendor incidents
  • Review contractual responsibilities
  • Document corrective actions when necessary

High-risk vendors may undergo additional review before implementation.


5.18 Documentation Requirements

The following documentation shall be maintained as part of the HIPAA Administrative Safeguards Program:

  • HIPAA Policies
  • Security Risk Analyses
  • Training Records
  • Incident Reports
  • Breach Investigations
  • Sanction Documentation
  • Audit Reports
  • Business Associate Agreements
  • Contingency Planning Documents
  • Disaster Recovery Testing
  • Annual Evaluations
  • Corrective Action Plans

Documentation shall be retained in accordance with applicable federal and Pennsylvania record retention requirements.


5.19 Administrative Safeguards Summary

Administrative Safeguards provide the management framework supporting Bloomfield Wellness & Aesthetics' HIPAA compliance program.

Every workforce member contributes to security by:

  • Following policies.
  • Protecting passwords.
  • Reporting suspicious activity.
  • Completing required training.
  • Using sound professional judgment.
  • Maintaining patient confidentiality.

Strong Administrative Safeguards reduce risk, strengthen patient trust, and support the mission of Bloomfield Wellness & Aesthetics to provide exceptional, secure, and compliant healthcare services.

SECTION 6

HIPAA PHYSICAL SAFEGUARDS

HIPAA Security Rule – Physical Safeguards (45 CFR §164.310)


6.1 Purpose

Physical Safeguards are the physical measures, policies, procedures, and environmental controls implemented by Bloomfield Wellness & Aesthetics to protect facilities, equipment, workstations, and media that contain Electronic Protected Health Information ("ePHI") or other confidential patient information.

The objectives of this policy are to:

  • Prevent unauthorized physical access to Protected Health Information.
  • Protect electronic systems from theft, damage, or misuse.
  • Safeguard patients, workforce members, and visitors.
  • Maintain secure operations during routine business and emergencies.
  • Ensure compliance with the HIPAA Security Rule.

Every workforce member shares responsibility for maintaining the physical security of the practice.


6.2 Scope

This policy applies to:

  • Clinical treatment rooms
  • Reception areas
  • Provider offices
  • Administrative offices
  • Medical records storage areas
  • Medication storage areas
  • Laboratory specimen collection areas
  • Staff workstations
  • Server equipment
  • Network equipment
  • Portable electronic devices
  • Practice-owned vehicles transporting records or equipment
  • Any location where Bloomfield Wellness & Aesthetics stores or accesses Protected Health Information

6.3 Facility Access Controls

Bloomfield Wellness & Aesthetics maintains reasonable physical security measures to protect facilities containing PHI and ePHI.

Examples include:

  • Controlled building access
  • Locked exterior doors when the office is closed
  • Alarm systems
  • Security cameras in appropriate non-clinical areas
  • Exterior lighting
  • Restricted employee-only areas
  • Secure locking mechanisms
  • Controlled key distribution

Only authorized individuals may access restricted areas.


6.4 Restricted Areas

The following areas shall be restricted to authorized personnel:

  • Provider offices
  • Medication storage
  • Supply rooms containing confidential records
  • IT/network equipment locations
  • Records storage areas
  • Administrative offices containing confidential files
  • Billing offices
  • Human Resources records
  • Compliance records
  • Credentialing files

Patients and visitors shall not enter restricted areas unless escorted by an authorized workforce member.


6.5 Key and Access Control Management

Physical keys, access cards, key fobs, keypad codes, and electronic credentials shall be managed securely.

Requirements include:

  • Issuing credentials only to authorized personnel.
  • Maintaining an access log where appropriate.
  • Promptly recovering credentials upon separation from employment.
  • Immediately reporting lost or stolen keys or badges.
  • Changing access codes when security is compromised.

Duplicate keys shall not be made without authorization from practice leadership.


6.6 Visitor Management

Visitors include:

  • Vendors
  • Delivery personnel
  • Maintenance personnel
  • Consultants
  • Contractors
  • Surveyors
  • Inspectors
  • Guests

Visitors entering non-public areas should:

  • Check in at reception.
  • Be escorted when appropriate.
  • Wear visitor identification if utilized by the practice.
  • Limit access to the specific area necessary for their visit.

Visitors shall not have unsupervised access to Protected Health Information unless authorized by law or contract.


6.7 Workforce Identification

Workforce members should wear identification badges while on duty when required by practice policy.

Identification badges should include:

  • Employee name
  • Position or title
  • Practice identification

Employees shall not allow unauthorized individuals to enter restricted areas by "tailgating" or sharing access credentials.


6.8 Reception Area Security

Reception areas shall be arranged to protect patient confidentiality.

Reasonable safeguards include:

  • Positioning computer monitors away from public view.
  • Using privacy screens where appropriate.
  • Limiting visible paperwork.
  • Keeping sign-in procedures compliant with HIPAA.
  • Avoiding unnecessary discussion of diagnoses or treatment.
  • Promptly securing completed registration forms.

Reception staff shall exercise discretion when speaking with patients.


6.9 Waiting Room Privacy

Reasonable efforts shall be made to minimize unnecessary disclosure of patient information in waiting areas.

Examples include:

  • Calling patients by first name and last initial when appropriate.
  • Avoiding announcements of diagnoses or procedures.
  • Using private consultation rooms for sensitive conversations.
  • Maintaining appropriate distance between workstations and seating areas.

6.10 Clinical Treatment Rooms

Treatment rooms shall be maintained to protect patient privacy.

Requirements include:

  • Closing doors or curtains during examinations and procedures.
  • Securing paper documentation when not in use.
  • Logging off electronic systems when rooms are unattended.
  • Properly storing medications and supplies.
  • Preventing unauthorized photography or recording.

Only individuals necessary for patient care should be present unless the patient requests otherwise.


6.11 Workstation Use Policy

Workstations include:

  • Desktop computers
  • Laptops
  • Tablets
  • Thin clients
  • Mobile carts
  • Documentation stations

Workstations shall be used solely for authorized business purposes.

Employees shall:

  • Log in using their own credentials.
  • Lock screens whenever leaving the workstation.
  • Log off at the end of the workday.
  • Protect patient information from public view.
  • Avoid storing PHI locally unless authorized.

6.12 Workstation Positioning

Computer monitors shall be positioned to reduce the risk of unauthorized viewing.

Examples include:

  • Facing away from waiting rooms.
  • Facing away from public hallways.
  • Using privacy filters where appropriate.
  • Avoiding placement near windows visible to the public.

Whenever possible, confidential conversations should occur away from active computer screens.


6.13 Clean Desk Policy

At the conclusion of each workday, and whenever practical during business hours, workforce members shall secure confidential materials.

Employees shall:

  • File patient records.
  • Lock confidential documents in cabinets or drawers.
  • Remove sticky notes containing passwords or patient information.
  • Shred unnecessary documents.
  • Secure portable media.
  • Remove prescription pads from public view.
  • Lock medication cabinets.

No confidential documents shall remain unattended in public or shared areas.


6.14 Paper Record Security

Paper medical records remain Protected Health Information.

Paper records shall be:

  • Stored in secure locations.
  • Accessible only to authorized personnel.
  • Protected from water, fire, theft, and unauthorized viewing.
  • Transported securely.
  • Never left unattended in patient-accessible areas.

Records removed from secure storage shall be returned promptly.


6.15 Medical Record Storage

Archived medical records shall be stored in secure locations with protections including:

  • Controlled access
  • Locked storage
  • Environmental protections
  • Fire protection where feasible
  • Organized indexing
  • Inventory tracking

Only authorized personnel may retrieve archived records.


6.16 Portable Device Security

Portable devices capable of storing or accessing PHI include:

  • Laptops
  • Tablets
  • Smartphones
  • External hard drives
  • USB storage devices

Whenever possible, these devices shall:

  • Be encrypted.
  • Require authentication.
  • Remain under workforce control.
  • Be secured during transportation.
  • Never be left unattended in public places or visible inside vehicles.

Loss or theft shall be reported immediately.


6.17 Server and Network Equipment

Network infrastructure supporting ePHI shall be protected through reasonable physical safeguards.

Examples include:

  • Locked equipment rooms
  • Restricted access
  • Environmental controls
  • Cable management
  • Uninterruptible Power Supplies (UPS)
  • Surge protection
  • Fire suppression systems where appropriate

Only authorized personnel may service network equipment.


6.18 Environmental Controls

Bloomfield Wellness & Aesthetics shall implement reasonable measures to protect equipment from environmental hazards.

Considerations include:

  • Fire
  • Smoke
  • Water damage
  • Excessive heat
  • Humidity
  • Dust
  • Electrical surges
  • Power outages

Critical equipment should be protected whenever practical.


6.19 Equipment Inventory

The practice shall maintain an inventory of technology assets capable of storing or accessing ePHI.

Examples include:

  • Desktop computers
  • Laptops
  • Tablets
  • Smartphones
  • Network switches
  • Servers
  • Backup devices
  • Firewalls
  • Printers with storage capability
  • Multifunction copiers

Inventory records should include assignment, location, and disposition when equipment is retired.


6.20 Media Controls

Electronic media containing ePHI shall be managed throughout its lifecycle.

Procedures include:

  • Receipt
  • Inventory
  • Secure storage
  • Transportation
  • Reuse
  • Disposal
  • Destruction

No electronic media shall be discarded until patient information has been securely removed.


6.21 Equipment Disposal

Before disposal, sale, recycling, donation, or return of equipment, Bloomfield Wellness & Aesthetics shall ensure that all Protected Health Information has been securely removed.

Approved methods may include:

  • Cryptographic erasure
  • Secure overwriting
  • Physical destruction of storage media
  • Certified destruction vendors

Documentation of disposal should be maintained.


6.22 Transportation of PHI

Whenever records or devices containing PHI are transported outside the practice:

  • Records shall remain under the control of authorized personnel.
  • Documents shall be placed in closed containers or locked cases.
  • Devices shall be password protected and encrypted where appropriate.
  • Records shall never be left unattended in vehicles unless absolutely necessary and secured from view.

6.23 Emergency Physical Security

During emergencies, workforce members shall prioritize:

  1. Patient safety.
  2. Workforce safety.
  3. Protection of medications.
  4. Protection of medical records.
  5. Protection of technology.
  6. Secure shutdown of equipment when feasible.
  7. Restricting unauthorized access to the facility.

Emergency response procedures are coordinated with the practice's Emergency Operations Plan.


6.24 Physical Safeguards Summary

Physical Safeguards are a critical component of HIPAA compliance. Every workforce member contributes by:

  • Securing workstations.
  • Protecting paper records.
  • Safeguarding portable devices.
  • Escorting visitors appropriately.
  • Maintaining a clean desk.
  • Reporting lost keys, badges, or devices immediately.
  • Remaining alert to suspicious activity.

Strong physical security protects patient information, supports clinical operations, and reinforces Bloomfield Wellness & Aesthetics' commitment to privacy, professionalism, and regulatory compliance.

SECTION 7

HIPAA TECHNICAL SAFEGUARDS

HIPAA Security Rule – Technical Safeguards (45 CFR §164.312)


7.1 Purpose

Technical Safeguards are the technology-based controls used by Bloomfield Wellness & Aesthetics to protect Electronic Protected Health Information ("ePHI") from unauthorized access, alteration, disclosure, or destruction.

These safeguards work together with Administrative and Physical Safeguards to create a comprehensive information security program that protects patient information while allowing authorized workforce members timely access to information necessary for patient care.


7.2 Objectives

Bloomfield Wellness & Aesthetics implements Technical Safeguards to:

  • Protect patient confidentiality.
  • Ensure only authorized users access ePHI.
  • Prevent unauthorized disclosure.
  • Detect inappropriate activity.
  • Maintain accurate medical records.
  • Protect against cyber threats.
  • Maintain availability of clinical systems.
  • Support disaster recovery.
  • Comply with HIPAA Security Rule requirements.

7.3 Unique User Identification

Every workforce member shall receive an individual user account.

Shared usernames are prohibited.

Each account shall be uniquely assigned to one authorized individual to ensure accountability.

Individual user accounts allow the practice to:

  • Track access
  • Audit activity
  • Investigate incidents
  • Limit permissions
  • Support regulatory compliance

Employees shall never:

  • Share usernames
  • Use another employee's login
  • Permit another person to document under their credentials

7.4 Authentication Standards

Bloomfield Wellness & Aesthetics shall implement reasonable methods to verify the identity of users before granting access to systems containing ePHI.

Authentication methods may include:

  • Username and password
  • Multi-factor authentication (MFA)
  • Authentication applications
  • Biometric verification
  • Hardware security keys
  • Smart cards
  • Single Sign-On (SSO) integrated with approved identity providers

Authentication requirements may vary depending upon system sensitivity.


7.5 Role-Based Access Control (RBAC)

Electronic access shall be assigned according to workforce responsibilities.

Examples include:

Physicians and Advanced Practice Providers

May access:

  • Complete medical records
  • Orders
  • Laboratory results
  • Imaging
  • Medication history
  • Billing summaries when appropriate

Pharmacists

May access:

  • Medication histories
  • Prescription information
  • Relevant diagnoses
  • Laboratory information necessary for medication management
  • Allergy documentation
  • Clinical documentation supporting pharmaceutical care

Nursing and Clinical Staff

May access:

  • Assigned patient records
  • Orders
  • Medication administration information
  • Clinical documentation

Estheticians

May access only information necessary to perform aesthetic services, including:

  • Consultation forms
  • Skin assessments
  • Procedure documentation
  • Consent forms
  • Clinical photographs
  • Relevant medical history affecting treatment

Estheticians shall not access unrelated portions of the patient's medical record.


Reception

Access limited to:

  • Scheduling
  • Registration
  • Insurance
  • Demographics
  • Limited billing information

Billing Staff

Access limited to:

  • Claims
  • Charges
  • Insurance
  • Financial information
  • Diagnosis and procedure codes necessary for billing

7.6 Automatic Logoff

Systems containing ePHI should automatically terminate inactive sessions after an appropriate period of inactivity.

Automatic logoff helps prevent unauthorized access when workstations are left unattended.

Employees shall still manually lock workstations whenever leaving their work area.


7.7 Emergency Access Procedure

Bloomfield Wellness & Aesthetics maintains procedures allowing authorized access to ePHI during emergencies.

Emergency access procedures shall ensure:

  • Continuity of patient care
  • Appropriate documentation
  • Limited use
  • Prompt review following the emergency

Emergency access credentials shall be tightly controlled and used only when necessary.


7.8 Encryption Standards

Electronic Protected Health Information shall be encrypted whenever reasonable and appropriate.

Encryption should be utilized for:

  • Laptop computers
  • Mobile devices
  • Portable media
  • Cloud storage
  • Backup systems
  • Secure messaging
  • Email containing PHI
  • Telehealth communications
  • File transfers

Encryption technologies should align with current industry standards and organizational policies.


7.9 Transmission Security

Bloomfield Wellness & Aesthetics protects ePHI during transmission through reasonable safeguards.

Approved transmission methods may include:

  • Secure patient portals
  • Encrypted email
  • Secure electronic prescribing
  • Secure laboratory interfaces
  • Encrypted telehealth platforms
  • Secure file transfer solutions
  • Approved electronic fax services

Unencrypted transmission of PHI should occur only when specifically authorized, operationally necessary, and permitted by applicable policy.


7.10 Audit Controls

Electronic systems shall maintain audit capabilities recording activities including:

  • User logins
  • Failed login attempts
  • Record viewing
  • Record modification
  • Record deletion
  • Printing
  • Data exports
  • Administrative changes
  • Password changes
  • Privilege modifications

Audit logs provide accountability and assist with:

  • Compliance monitoring
  • Security investigations
  • Breach investigations
  • Internal audits
  • OCR investigations

7.11 Audit Log Review

Audit logs shall be reviewed periodically.

Examples include:

Routine Reviews

  • Random employee access
  • Administrative accounts
  • High-profile patient records
  • Bulk exports
  • Failed logins

Targeted Reviews

  • Following patient complaints
  • Following suspected snooping
  • Following employee termination
  • Following cybersecurity alerts

Documented investigations shall be maintained.


7.12 Integrity Controls

Bloomfield Wellness & Aesthetics maintains safeguards designed to ensure electronic information remains complete, accurate, and trustworthy.

Examples include:

  • Controlled editing permissions
  • Version tracking where available
  • Authentication controls
  • Database protections
  • Audit logging
  • Secure backups
  • Antivirus protections

Medical documentation shall never be altered to conceal errors or misrepresent services provided.


7.13 Endpoint Protection

Practice-owned computers shall utilize commercially reasonable endpoint security measures, including when appropriate:

  • Antivirus software
  • Endpoint Detection and Response (EDR)
  • Anti-malware protection
  • Device encryption
  • Firewall protection
  • Automatic updates
  • Threat monitoring

Security software shall not be disabled without authorization.


7.14 Network Security

Bloomfield Wellness & Aesthetics maintains reasonable network security measures, including:

  • Firewalls
  • Secure wireless networks
  • Network segmentation where appropriate
  • Intrusion detection and/or prevention systems
  • Secure DNS services
  • Network monitoring
  • VPN access for approved remote users

Guest wireless networks, if provided, shall remain separate from internal clinical systems.


7.15 Cloud Security

Cloud services used by Bloomfield Wellness & Aesthetics shall be evaluated before implementation.

Considerations include:

  • HIPAA compliance
  • Business Associate Agreement availability
  • Encryption
  • Access controls
  • Data backup
  • Disaster recovery
  • Vendor reputation
  • Security certifications where applicable

Only approved cloud services may store ePHI.


7.16 Artificial Intelligence (AI) Systems

Artificial intelligence tools may improve efficiency but also introduce privacy and security risks.

Workforce members shall not enter Protected Health Information into public AI platforms unless:

  • The platform has been formally approved by Bloomfield Wellness & Aesthetics.
  • Appropriate contractual and privacy protections are in place.
  • A Business Associate Agreement is executed when required.
  • Use complies with organizational AI governance policies.

Examples of prohibited activity include:

  • Copying patient charts into public AI tools.
  • Uploading laboratory reports to consumer AI applications.
  • Entering identifiable patient information into public chatbots.
  • Using AI-generated clinical documentation without provider review.

Any AI-assisted documentation remains the responsibility of the treating provider and must be reviewed for accuracy before becoming part of the medical record.


7.17 Electronic Signatures

Electronic signatures shall comply with applicable legal and regulatory requirements.

Electronic signatures shall:

  • Identify the signing individual.
  • Be attributable to one authorized user.
  • Be protected from unauthorized use.
  • Be maintained within the medical record.

Signing another individual's documentation is strictly prohibited.


7.18 Data Loss Prevention

Bloomfield Wellness & Aesthetics employs reasonable safeguards to reduce the risk of unauthorized disclosure or loss of information.

Examples include:

  • Controlled exports
  • Printing restrictions where appropriate
  • Secure file sharing
  • Email monitoring
  • Access restrictions
  • Encryption
  • Workforce education

7.19 Security Monitoring

Technology systems may be monitored to identify:

  • Malware
  • Ransomware
  • Unauthorized access
  • Data exfiltration
  • Credential theft
  • Privilege escalation
  • Suspicious downloads
  • Network anomalies

Alerts shall be investigated promptly by authorized personnel.


7.20 Technical Safeguards Summary

Technical Safeguards provide the technology foundation supporting HIPAA compliance at Bloomfield Wellness & Aesthetics.

Every workforce member shall:

  • Use only assigned credentials.
  • Protect passwords.
  • Lock devices when unattended.
  • Report suspicious activity immediately.
  • Use only approved software and cloud services.
  • Never enter PHI into unapproved AI platforms.
  • Follow all security policies and procedures.

Strong Technical Safeguards reduce cybersecurity risk, support patient safety, and help ensure that Bloomfield Wellness & Aesthetics maintains the highest standards of privacy, security, and regulatory compliance.

SECTION 8

WORKFORCE CONFIDENTIALITY & EMPLOYEE HIPAA STANDARDS


8.1 Purpose

Every workforce member at Bloomfield Wellness & Aesthetics is entrusted with confidential patient information. Protecting that information is both a legal obligation and a professional responsibility.

This policy establishes the confidentiality standards expected of every employee, provider, contractor, student, volunteer, temporary worker, and any individual acting on behalf of Bloomfield Wellness & Aesthetics.

Confidentiality is a condition of employment and continued access to Protected Health Information (PHI).


8.2 Scope

This policy applies to every member of the Bloomfield Wellness & Aesthetics workforce, including:

  • Physicians
  • Pharmacists
  • Nurse Practitioners
  • Physician Assistants
  • Registered Nurses
  • Licensed Practical Nurses
  • Medical Assistants
  • Estheticians
  • Laser Technicians
  • Receptionists
  • Billing Personnel
  • Administrative Staff
  • Students
  • Interns
  • Volunteers
  • Independent Contractors
  • Temporary Employees
  • Consultants
  • IT Personnel

Confidentiality obligations continue after employment or contractual relationships end.


8.3 Confidentiality Expectations

Every workforce member shall:

  • Maintain strict patient confidentiality.
  • Access only information necessary to perform assigned duties.
  • Protect passwords and authentication credentials.
  • Secure workstations whenever unattended.
  • Report suspected HIPAA violations immediately.
  • Protect paper and electronic records.
  • Maintain professionalism in all communications.
  • Follow all Bloomfield Wellness & Aesthetics privacy and security policies.

8.4 Workforce Confidentiality Agreement

Prior to receiving access to PHI, every workforce member shall:

  • Complete HIPAA Orientation.
  • Complete HIPAA Privacy Training.
  • Complete HIPAA Security Training.
  • Review applicable policies.
  • Sign the Workforce Confidentiality Agreement.

The signed agreement shall be maintained in the employee's personnel file.


8.5 Need-to-Know Standard

Protected Health Information may only be accessed when required to perform assigned responsibilities.

Examples of appropriate access include:

Reviewing records of patients assigned to your care.

Scheduling appointments.

Processing insurance claims.

Performing medication reconciliation.

Reviewing laboratory results necessary for treatment.

Examples of inappropriate access include:

Looking up family members.

Viewing your own medical record through the internal EHR.

Accessing a coworker's chart.

Looking up neighbors.

Reviewing celebrity records.

Viewing records out of curiosity.

Curiosity is never a legitimate business purpose.


8.6 Conversations Regarding Patients

Patient information should be discussed only with individuals directly involved in patient care or healthcare operations.

Workforce members shall avoid discussing patients:

  • In hallways
  • Elevators
  • Waiting rooms
  • Break rooms when visitors are present
  • Restaurants
  • Parking lots
  • Public transportation
  • Social gatherings

Whenever possible, clinical discussions should occur in private treatment rooms or secure offices.


8.7 Telephone Communications

Before discussing Protected Health Information by telephone, employees shall:

  • Verify the caller's identity.
  • Verify authority to receive information.
  • Limit disclosures to the minimum necessary.
  • Use discretion when leaving voicemail messages.

Detailed diagnoses or laboratory results should not be left on voicemail unless specifically authorized by the patient.


8.8 Social Media Policy

Social media presents significant privacy risks.

Employees shall never:

  • Post patient photographs without authorization.
  • Discuss patient cases online.
  • Share screenshots of medical records.
  • Confirm that an individual is a patient.
  • Respond to online reviews by disclosing PHI.
  • Post workplace photographs showing patient information.
  • Record videos in clinical areas where PHI is visible.

Even if a patient publicly identifies themselves as a patient of Bloomfield Wellness & Aesthetics, employees shall not acknowledge or confirm that relationship.


8.9 Photography and Video Recording

Personal photography or video recording within the practice is prohibited unless specifically authorized.

Employees shall never:

  • Photograph patient records.
  • Photograph computer screens.
  • Photograph prescriptions.
  • Photograph laboratory reports.
  • Photograph clinical procedures using personal devices.
  • Record patient interactions.

Clinical photography shall occur only using approved practice equipment and in accordance with the Clinical Photography Policy.


8.10 Personal Cell Phone Use

Personal devices shall not be used to:

  • Store patient information.
  • Photograph medical records.
  • Text PHI through personal messaging applications.
  • Email PHI using personal email accounts.
  • Record clinical conversations.

If personal devices are authorized under the Bring Your Own Device (BYOD) policy, they must comply with all applicable security requirements.


8.11 Computer Security Responsibilities

Employees shall:

  • Log in using only assigned credentials.
  • Lock workstations when leaving.
  • Log off at the end of each shift.
  • Never disable security software.
  • Avoid installing unauthorized software.
  • Protect passwords.
  • Report suspicious computer activity immediately.

8.12 Email and Messaging Standards

Electronic communications containing PHI shall:

  • Be sent only through approved systems.
  • Be addressed carefully to avoid misdirected messages.
  • Include only the minimum necessary information.
  • Be encrypted when appropriate.

Employees shall never forward patient information to personal email accounts.


8.13 Printed Documents

Printed PHI shall be:

  • Retrieved promptly from printers.
  • Stored securely.
  • Shredded when no longer needed.
  • Protected from unauthorized viewing.

Documents containing PHI shall never be left:

  • On reception counters.
  • In conference rooms.
  • On desks overnight.
  • In unlocked vehicles.
  • In public areas.

8.14 Visitors

Employees shall remain alert for unauthorized visitors.

Visitors shall not be permitted to:

  • View medical records.
  • Access computer systems.
  • Enter restricted clinical areas without authorization.
  • Handle confidential documents.

Visitors requiring access shall be escorted whenever appropriate.


8.15 Remote Work

Employees approved for remote work shall:

  • Maintain private work environments.
  • Protect computer screens from family members or visitors.
  • Use approved secure internet connections.
  • Avoid printing patient information at home unless authorized.
  • Secure all equipment when not in use.

Remote work does not reduce HIPAA responsibilities.


8.16 Professional Conduct

Employees are expected to demonstrate professionalism by:

  • Speaking respectfully about patients.
  • Avoiding gossip.
  • Maintaining discretion.
  • Protecting confidential information.
  • Reporting concerns promptly.
  • Supporting coworkers in maintaining compliance.

Patient trust is strengthened through professional behavior.


8.17 Reporting Privacy Concerns

Employees who observe potential HIPAA violations shall report concerns immediately to:

  • Supervisor
  • Privacy Officer
  • HIPAA Security Officer
  • Compliance Officer

Examples requiring reporting include:

  • Unauthorized record access.
  • Lost paperwork.
  • Lost devices.
  • Suspicious emails.
  • Misdirected faxes.
  • Password sharing.
  • Improper photography.
  • Inappropriate conversations.

Employees are protected from retaliation for reporting concerns in good faith.


8.18 Workforce Sanctions

Violations of confidentiality standards may result in disciplinary action.

Depending upon severity, sanctions may include:

  • Verbal counseling
  • Written warning
  • Mandatory retraining
  • Suspension
  • Termination
  • Reporting to licensing boards
  • Civil penalties
  • Criminal prosecution where applicable

Every incident shall be evaluated individually and documented.


8.20 Annual Workforce Acknowledgment

Every workforce member shall annually acknowledge that they:

  • Have read this HIPAA Manual.
  • Understand their confidentiality obligations.
  • Completed required HIPAA training.
  • Understand the sanctions for non-compliance.
  • Agree to protect patient privacy.
  • Will report suspected violations immediately.
  • Understand that confidentiality obligations continue after employment ends.

Documentation of the acknowledgment shall be maintained in the employee's personnel file.


Protecting patient confidentiality is not only a legal requirement; it is a core value of Bloomfield Wellness & Aesthetics and an essential part of providing ethical, patient-centered care.

SECTION 9

HIPAA RISK ANALYSIS & RISK MANAGEMENT PROGRAM

HIPAA Security Rule – Risk Analysis & Risk Management (45 CFR §164.308(a)(1))


9.1 Purpose

The HIPAA Security Rule requires Covered Entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Electronic Protected Health Information ("ePHI").

Bloomfield Wellness & Aesthetics maintains a formal Risk Analysis and Risk Management Program designed to:

  • Identify threats to ePHI.
  • Evaluate vulnerabilities.
  • Measure organizational risk.
  • Implement safeguards.
  • Reduce the likelihood of security incidents.
  • Support continuous improvement.
  • Demonstrate compliance with HIPAA and the HITECH Act.

The Risk Analysis is not a one-time activity. It is a continuous process integrated into the organization's compliance and cybersecurity programs.


9.2 Policy Statement

Bloomfield Wellness & Aesthetics shall conduct and document a comprehensive Security Risk Analysis:

  • At least annually.
  • Before implementing significant new technology.
  • After major operational changes.
  • Following mergers or acquisitions.
  • Following significant cybersecurity incidents.
  • Whenever new threats materially affect the organization's risk profile.

All findings shall be documented and retained in accordance with organizational record retention policies.


9.3 Scope of the Risk Analysis

The Security Risk Analysis encompasses all systems, processes, and environments that create, receive, maintain, or transmit ePHI.

This includes:

  • Electronic Health Record (EHR) systems
  • Practice Management Software
  • Billing platforms
  • Scheduling systems
  • Patient portals
  • Telehealth platforms
  • Laboratory interfaces
  • Electronic prescribing systems
  • Payment processing systems
  • Email systems
  • Cloud storage solutions
  • Network infrastructure
  • Wireless networks
  • Desktop computers
  • Laptop computers
  • Tablets
  • Smartphones
  • Backup systems
  • Medical devices connected to the network
  • Portable storage media
  • Third-party hosted applications

The analysis also considers workforce practices and physical environments that affect the security of ePHI.


9.4 Risk Analysis Team

The Risk Analysis shall be coordinated by the HIPAA Security Officer with input from individuals possessing appropriate operational and technical knowledge.

The team may include:

  • HIPAA Security Officer
  • Privacy Officer
  • Compliance Officer
  • Medical Director
  • Practice Administrator
  • Information Technology personnel
  • Department Managers
  • Outside cybersecurity consultants (when appropriate)

Participation shall be documented.


9.5 Asset Inventory

An accurate inventory of information assets shall be maintained.

Examples include:

Hardware

  • Desktop computers
  • Laptops
  • Tablets
  • Smartphones
  • Servers
  • Firewalls
  • Switches
  • Routers
  • Wireless access points
  • Backup devices
  • Multifunction printers

Software

  • Electronic Health Record
  • Practice Management System
  • Billing Software
  • Telehealth Platform
  • Secure Messaging System
  • Antivirus Software
  • Backup Software
  • Productivity Applications
  • Remote Access Software

Information Assets

  • Patient medical records
  • Clinical photographs
  • Billing information
  • Employee records
  • Vendor contracts
  • Compliance documentation
  • Business Associate Agreements

Each asset should be assigned an owner responsible for oversight.


9.6 Threat Identification

Bloomfield Wellness & Aesthetics evaluates threats that could compromise the confidentiality, integrity, or availability of ePHI.

Examples include:

Human Threats

  • Unauthorized access
  • Employee negligence
  • Insider misuse
  • Password sharing
  • Social engineering
  • Theft
  • Fraud
  • Improper disposal
  • Accidental disclosure

Technical Threats

  • Malware
  • Ransomware
  • Viruses
  • Phishing
  • Credential theft
  • Denial-of-service attacks
  • Data corruption
  • Software vulnerabilities
  • System failures

Environmental Threats

  • Fire
  • Flood
  • Tornado
  • Severe weather
  • Water damage
  • Power failure
  • HVAC failure
  • Earthquake
  • Civil disturbance

Operational Threats

  • Vendor failure
  • Internet outage
  • Cloud service interruption
  • Supply chain disruption
  • Staffing shortages
  • Equipment failure

9.7 Vulnerability Assessment

After identifying threats, Bloomfield Wellness & Aesthetics evaluates vulnerabilities that could allow those threats to occur.

Examples include:

  • Weak passwords
  • Lack of encryption
  • Unsupported software
  • Unpatched systems
  • Poor physical security
  • Inadequate employee training
  • Shared accounts
  • Improper workstation placement
  • Inadequate backup procedures
  • Insufficient vendor oversight
  • Lack of multi-factor authentication
  • Incomplete audit logging

Each vulnerability shall be documented.


9.8 Risk Rating Methodology

Each identified risk shall receive ratings for:

Likelihood

1 – Rare

2 – Unlikely

3 – Possible

4 – Likely

5 – Almost Certain


Impact

1 – Negligible

2 – Minor

3 – Moderate

4 – Major

5 – Catastrophic


Overall Risk Score

Risk Score = Likelihood × Impact

Score

Risk Level

Required Action

1–5

Low

Monitor and review

6–10

Moderate

Correct as resources permit

11–15

High

Prompt corrective action

16–25

Critical

Immediate mitigation required

High and Critical risks shall be prioritized by leadership.


9.9 Sample Risk Register

Asset

Threat

Vulnerability

Likelihood

Impact

Risk Score

Mitigation

EHR System

Ransomware

Unpatched workstation

4

5

20

Patch systems, EDR, MFA

Patient Portal

Credential Theft

Weak passwords

3

4

12

MFA, password policy

Laptop

Theft

No encryption

2

5

10

Full disk encryption

Reception PC

Unauthorized viewing

Monitor visible to public

3

2

6

Reposition monitor, privacy screen

The Risk Register shall be reviewed and updated throughout the year.


9.10 Risk Management Plan

Following completion of the Risk Analysis, Bloomfield Wellness & Aesthetics shall develop a written Risk Management Plan.

Each action item shall include:

  • Risk identified
  • Recommended safeguard
  • Responsible individual
  • Priority level
  • Budget (if applicable)
  • Target completion date
  • Completion status
  • Verification of implementation

Leadership shall monitor progress until corrective actions are completed.


9.11 Security Risk Assessment Documentation

The annual Security Risk Assessment shall include:

  • Executive Summary
  • Scope
  • Methodology
  • Asset Inventory
  • Threat Assessment
  • Vulnerability Assessment
  • Risk Ratings
  • Existing Safeguards
  • Recommended Improvements
  • Risk Management Plan
  • Leadership Approval
  • Review Date

Documentation shall be retained as part of the HIPAA compliance program.


9.12 Ongoing Risk Monitoring

Risk management is continuous.

Bloomfield Wellness & Aesthetics shall monitor:

  • New cybersecurity threats
  • OCR guidance
  • Software vulnerabilities
  • Vendor security alerts
  • Device lifecycle status
  • Regulatory updates
  • Internal audit findings
  • Incident reports
  • Workforce feedback

New risks shall be incorporated into the Risk Register as appropriate.


9.13 Change Management

Whenever significant changes occur, the Security Officer shall evaluate whether the change introduces new risks.

Examples include:

  • New Electronic Health Record
  • New cloud vendor
  • Office expansion
  • New telehealth platform
  • New AI documentation software
  • Network redesign
  • Acquisition of another practice
  • Significant staffing changes

Risk assessments shall be updated before or shortly after implementation.


9.14 Leadership Review

The completed Risk Analysis and Risk Management Plan shall be reviewed by practice leadership.

The review shall include:

  • Outstanding high-risk items
  • Completed mitigation activities
  • Budget needs
  • Workforce training needs
  • Vendor risks
  • Cybersecurity priorities
  • Recommendations for continuous improvement

Leadership approval shall be documented.


9.15 Annual Risk Analysis Checklist

At a minimum, Bloomfield Wellness & Aesthetics shall verify completion of the following each year:

Asset inventory updated

Vendor inventory reviewed

Business Associate Agreements reviewed

Threat assessment completed

Vulnerability assessment completed

Risk Register updated

High-risk items prioritized

Risk Management Plan approved

Workforce training completed

Disaster Recovery Plan reviewed

Incident Response Plan reviewed

Security policies reviewed

Leadership approval documented


9.16 Continuous Improvement

The objective of the Risk Analysis Program is not merely compliance—it is continual improvement.

Bloomfield Wellness & Aesthetics is committed to:

  • Reducing organizational risk.
  • Strengthening cybersecurity.
  • Protecting patient privacy.
  • Enhancing workforce awareness.
  • Investing in secure technologies.
  • Monitoring emerging threats.
  • Adapting to changes in healthcare and information technology.

The Risk Analysis Program shall evolve as new technologies, regulations, and risks emerge.


9.17 Risk Analysis Summary

A comprehensive Security Risk Analysis is the cornerstone of the HIPAA Security Rule and one of the most important compliance activities performed by Bloomfield Wellness & Aesthetics.

By identifying threats, evaluating vulnerabilities, prioritizing risks, and implementing appropriate safeguards, the practice protects patient information while supporting safe, effective, and compliant healthcare delivery.

The Risk Analysis Program demonstrates Bloomfield Wellness & Aesthetics' commitment to proactive risk management, regulatory compliance, and continuous improvement in information security.

SECTION 11

PATIENT RIGHTS & RELEASE OF INFORMATION (ROI)

HIPAA Privacy Rule – Patient Rights & Disclosure Procedures


11.1 Purpose

Bloomfield Wellness & Aesthetics recognizes that patients have important legal rights regarding access to their Protected Health Information ("PHI"). This policy establishes standardized procedures for responding to requests for access, copies, disclosures, amendments, restrictions, and other requests involving medical records.

These procedures are intended to:

  • Protect patient privacy.
  • Ensure compliance with HIPAA and applicable Pennsylvania law.
  • Provide timely access to health information.
  • Standardize Release of Information (ROI) practices.
  • Maintain complete documentation of disclosures.

11.2 Policy Statement

Bloomfield Wellness & Aesthetics shall respond to all requests for access to Protected Health Information in accordance with applicable federal and Pennsylvania law.

No workforce member shall release Protected Health Information unless:

  • The disclosure is permitted by HIPAA;
  • A valid written authorization has been obtained, when required;
  • The requestor's identity and authority have been verified; and
  • The disclosure has been appropriately documented when required.

11.3 Patient Rights

Patients have the right to:

  • Inspect their medical records.
  • Obtain copies of records.
  • Request amendments.
  • Request restrictions.
  • Request confidential communications.
  • Receive an accounting of certain disclosures.
  • Receive a Notice of Privacy Practices.
  • Receive notification of certain breaches.
  • File privacy complaints without retaliation.

All workforce members shall respect and facilitate these rights.


11.4 Requests for Medical Records

Patients may request access to their records by:

  • Completing the Bloomfield Wellness & Aesthetics Medical Record Request Form.
  • Submitting a written request.
  • Using the secure patient portal when available.
  • Through another method permitted by applicable law.

Whenever possible, requests should be in writing.


11.5 Identity Verification

Prior to releasing records, workforce members shall verify the identity of the requestor.

Acceptable verification methods include:

In Person

  • Government-issued photo identification.
  • Existing patient known to staff.
  • Other reliable identification approved by the Privacy Officer.

By Mail

  • Signed written request.
  • Matching demographic information.
  • Notarized request when appropriate.

Electronic Requests

  • Secure patient portal authentication.
  • Secure electronic signature.
  • Other approved identity verification methods.

Telephone Requests

Telephone requests for complete medical records shall generally not be honored unless identity can be reasonably verified and applicable policy permits.


11.6 Authorized Representatives

Protected Health Information may be released to an authorized representative after appropriate verification.

Examples include:

  • Parent of an unemancipated minor (subject to applicable law).
  • Court-appointed guardian.
  • Healthcare Power of Attorney.
  • Executor or personal representative of a deceased patient, when authorized by law.
  • Individual authorized through a valid HIPAA Authorization.

Supporting legal documentation shall be reviewed before disclosure when applicable.


11.7 Medical Record Formats

Patients may request records in:

  • Paper format.
  • Electronic PDF.
  • Secure patient portal.
  • Encrypted electronic media when feasible.
  • Other electronic formats that are readily producible.

If the requested format is not readily available, Bloomfield Wellness & Aesthetics will work with the patient to provide an acceptable alternative.


11.8 Timeframes for Response

Bloomfield Wellness & Aesthetics shall respond to requests within the timeframes required by HIPAA and applicable law.

If additional time is permitted and necessary, the patient shall receive written notice explaining:

  • The reason for the delay.
  • The expected completion date.
  • Contact information for questions.

Requests shall be processed as promptly as practical.


11.9 Fees for Copies

Bloomfield Wellness & Aesthetics may charge only fees permitted by applicable federal and Pennsylvania law.

Permissible fees may include:

  • Labor for copying.
  • Electronic media (e.g., USB drive, CD) when requested.
  • Postage, if records are mailed.
  • Supplies used to create the copy.

Patients shall be informed of any applicable fees before records are released.


11.10 Requests for Amendment

Patients who believe their medical record contains inaccurate or incomplete information may submit a written Request for Amendment.

The request should include:

  • The specific information to be amended.
  • The reason for the request.
  • Supporting documentation, if available.

Bloomfield Wellness & Aesthetics shall review the request and respond in accordance with HIPAA.

If the request is denied, the patient shall be informed of:

  • The reason for the denial.
  • The right to submit a Statement of Disagreement.
  • The right to file a complaint.

11.11 Requests for Restriction

Patients may request restrictions on the use or disclosure of PHI.

Examples include requests to:

  • Restrict disclosure to family members.
  • Restrict disclosure to health plans when services are paid entirely out-of-pocket, where required by HIPAA.
  • Restrict communications regarding specific services.

All requests shall be reviewed by the Privacy Officer or designee.

Approved restrictions shall be documented in the medical record.


11.12 Confidential Communications

Patients may request that Bloomfield Wellness & Aesthetics communicate using alternative methods or locations.

Examples include:

  • Mobile phone only.
  • Work address.
  • Secure patient portal only.
  • Email.
  • No voicemail messages.
  • Mail to an alternate address.

Reasonable requests shall be accommodated whenever feasible.


11.13 Accounting of Disclosures

Patients may request an accounting of certain disclosures of their PHI.

The accounting generally excludes disclosures for:

  • Treatment.
  • Payment.
  • Healthcare Operations.
  • Disclosures authorized by the patient.
  • Certain other disclosures excluded under HIPAA.

The accounting shall include:

  • Date of disclosure.
  • Recipient.
  • Description of information disclosed.
  • Purpose of the disclosure.

11.14 Requests from Attorneys

Requests from attorneys shall be carefully reviewed.

Records may be released only when supported by:

  • A valid HIPAA Authorization.
  • A court order.
  • A subpoena that satisfies applicable legal requirements.
  • Other legal authority permitting disclosure.

Legal counsel may be consulted before responding.


11.15 Subpoenas

Upon receipt of a subpoena, Bloomfield Wellness & Aesthetics shall determine:

  • Whether it is signed by a judge or magistrate.
  • Whether patient authorization accompanies the subpoena.
  • Whether notice requirements have been satisfied.
  • Whether objections have been filed.
  • Whether legal counsel should be consulted.

Employees shall not release records solely because a subpoena has been received without following applicable legal procedures.


11.16 Law Enforcement Requests

Requests from law enforcement shall be reviewed carefully.

Permitted disclosures may occur only when authorized by:

  • HIPAA.
  • Federal law.
  • Pennsylvania law.
  • Court order.
  • Search warrant.
  • Applicable legal process.

Whenever practical, the Privacy Officer or legal counsel shall review such requests before records are released.


11.17 Employer Requests

Protected Health Information shall not be released to employers without:

  • A valid HIPAA Authorization signed by the patient; or
  • Another legal basis permitting disclosure.

Workforce members shall not assume an employer is entitled to medical information merely because the employer referred the patient.


11.18 Insurance Requests

Insurance companies may receive information necessary for payment and healthcare operations as permitted by HIPAA.

Only the minimum necessary information shall be disclosed.

Additional information beyond that necessary for payment may require patient authorization unless another legal basis applies.


11.19 Workers' Compensation

Disclosures relating to workers' compensation claims shall comply with:

  • HIPAA.
  • Pennsylvania Workers' Compensation requirements.
  • Applicable court orders or administrative requirements.

Only information necessary to satisfy the applicable legal requirements shall be disclosed.


11.20 Deceased Patients

Protected Health Information of deceased individuals remains protected under HIPAA for the period specified by applicable law.

Disclosures may be made to:

  • Personal representatives.
  • Executors.
  • Individuals authorized by law.
  • Others as permitted by HIPAA.

Documentation of authority shall be obtained before releasing records.


11.21 Minors

Parents or legal guardians generally have rights regarding the medical information of unemancipated minors, subject to exceptions under federal and Pennsylvania law.

Examples of exceptions may include situations involving:

  • Minor consent laws.
  • Court orders.
  • Emancipation.
  • Other legal restrictions.

Questions involving minors shall be referred to the Privacy Officer when uncertainty exists.


11.22 Documentation of Disclosures

When required, Bloomfield Wellness & Aesthetics shall document:

  • Date of disclosure.
  • Recipient.
  • Purpose.
  • Information disclosed.
  • Authorizing documentation.
  • Workforce member completing the disclosure.

Documentation shall be maintained in accordance with organizational record retention policies.


11.23 Release of Information Quality Assurance

Periodic audits of Release of Information activities shall evaluate:

  • Timeliness.
  • Identity verification.
  • Documentation.
  • Appropriate authorization.
  • Fee compliance.
  • Minimum Necessary compliance.
  • Accuracy of released information.

Deficiencies shall result in corrective action and additional workforce education when appropriate.


11.24 Practical Release of Information Scenarios

Scenario 1

A patient's spouse requests copies of laboratory results.

Action: Do not release records unless the spouse has legal authority or a valid HIPAA authorization.


Scenario 2

An attorney faxes a subpoena requesting the complete medical record.

Action: Forward the subpoena to the Privacy Officer or legal counsel for review before releasing any information.


Scenario 3

A patient requests an electronic copy of their records through the secure patient portal.

Action: Verify identity through the portal and provide the records in the requested electronic format if readily producible.


Scenario 4

An employer requests documentation regarding an employee's cosmetic procedure.

Action: Decline the request unless a valid authorization or other legal authority permits the disclosure.


Scenario 5

A patient paid entirely out-of-pocket for a service and requests that information not be submitted to their health plan.

Action: Document the request and, when required by HIPAA, honor the restriction.


11.25 Release of Information Summary

The Release of Information process protects one of the patient's most fundamental rights—the right to control access to personal health information.

Every workforce member shall remember:

  • Verify identity before releasing information.
  • Release only the minimum necessary information.
  • Obtain authorization whenever required.
  • Document disclosures appropriately.
  • Consult the Privacy Officer whenever uncertainty exists.

Consistent application of these principles helps ensure compliance with HIPAA while preserving the trust that patients place in Bloomfield Wellness & Aesthetics.

SECTION 12

BUSINESS ASSOCIATE MANAGEMENT PROGRAM

HIPAA Privacy Rule • HIPAA Security Rule • 45 CFR §§164.502, 164.504 & 164.308(b)


12.1 Purpose

Bloomfield Wellness & Aesthetics ("BWA") frequently engages third-party vendors to perform services that support patient care, practice operations, information technology, billing, and other administrative functions.

When those vendors create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of the practice, they are considered Business Associates under HIPAA.

This policy establishes procedures for:

  • Identifying Business Associates
  • Evaluating vendor security
  • Executing Business Associate Agreements (BAAs)
  • Monitoring vendor compliance
  • Responding to vendor security incidents
  • Maintaining documentation

Proper Business Associate management is a critical component of Bloomfield Wellness & Aesthetics' HIPAA Compliance Program.


12.2 Policy Statement

Bloomfield Wellness & Aesthetics shall not disclose Protected Health Information to any Business Associate unless:

  • The disclosure is permitted by HIPAA;
  • A valid Business Associate Agreement is in effect when required;
  • Appropriate due diligence has been completed;
  • The vendor maintains reasonable administrative, physical, and technical safeguards.

Every department is responsible for notifying the Privacy Officer before engaging a vendor that may access PHI.


12.3 Definition of a Business Associate

A Business Associate is a person or organization, other than a member of the workforce, that performs functions or services involving PHI on behalf of Bloomfield Wellness & Aesthetics.

Examples include organizations that:

  • Store PHI
  • Process billing
  • Host cloud applications
  • Maintain computer systems
  • Provide cybersecurity services
  • Destroy confidential records
  • Provide telehealth software
  • Manage patient communications
  • Analyze healthcare data
  • Perform transcription services

12.4 Examples of Business Associates

Examples commonly used by Bloomfield Wellness & Aesthetics include:

Clinical Vendors

  • Electronic Health Record vendors
  • Practice Management software providers
  • Telehealth vendors
  • Laboratory interface vendors
  • Electronic prescribing platforms
  • Clinical imaging storage vendors

Information Technology Vendors

  • Managed IT service providers
  • Cybersecurity companies
  • Cloud hosting providers
  • Data backup providers
  • Email encryption providers
  • Firewall management vendors
  • Network monitoring vendors

Administrative Vendors

  • Medical billing companies
  • Revenue cycle vendors
  • Collection agencies
  • Payment processors
  • CPA firms with PHI access
  • Attorneys representing the practice
  • Accreditation consultants

Operational Vendors

  • Secure document destruction companies
  • Off-site records storage vendors
  • Software implementation consultants
  • HIPAA compliance consultants
  • Secure fax providers

12.5 Vendors That Are Generally NOT Business Associates

Some vendors do not become Business Associates simply because they provide services.

Examples may include:

  • Office supply companies
  • Furniture vendors
  • Janitorial companies without access to PHI
  • Utility companies
  • General contractors
  • Internet providers
  • Courier services transporting sealed packages without accessing PHI

If uncertainty exists, the Privacy Officer shall determine whether a Business Associate Agreement is required.


12.6 Vendor Risk Classification

Bloomfield Wellness & Aesthetics classifies vendors according to the level of PHI exposure.

Low Risk

Examples:

  • Secure shredding vendors
  • Office equipment maintenance
  • Consultants with no routine PHI access

Moderate Risk

Examples:

  • Medical billing companies
  • Accounting firms
  • Collection agencies

High Risk

Examples:

  • EHR vendors
  • Cloud hosting providers
  • Telehealth platforms
  • Patient portal providers
  • IT managed service providers
  • Backup vendors

Higher-risk vendors require increased due diligence and monitoring.


12.7 Vendor Due Diligence

Before contracting with a Business Associate, Bloomfield Wellness & Aesthetics shall evaluate the vendor's privacy and security program.

Evaluation may include:

  • HIPAA compliance documentation
  • Security questionnaires
  • Cybersecurity policies
  • Data encryption practices
  • Multi-factor authentication
  • Disaster recovery capabilities
  • Incident response plans
  • Cyber liability insurance
  • Independent security certifications
  • References and reputation

The extent of due diligence should correspond to the level of risk presented by the vendor.


12.8 Business Associate Agreement (BAA)

A Business Associate Agreement shall be executed before PHI is disclosed whenever required by HIPAA.

The BAA should address:

  • Permitted uses of PHI
  • Required safeguards
  • Reporting of breaches and security incidents
  • Subcontractor responsibilities
  • Return or destruction of PHI upon termination
  • Compliance with HIPAA
  • Access for audits when appropriate
  • Termination for material breach

Executed BAAs shall be maintained by the Privacy Officer or designee.


12.9 Minimum Security Expectations

Business Associates are expected to implement reasonable safeguards including, where appropriate:

Administrative Safeguards

  • HIPAA policies
  • Workforce training
  • Risk analyses
  • Confidentiality agreements
  • Incident response plans

Technical Safeguards

  • Encryption
  • Access controls
  • Multi-factor authentication
  • Audit logging
  • Endpoint protection
  • Secure backups

Physical Safeguards

  • Facility security
  • Visitor controls
  • Secure workstations
  • Media protection
  • Equipment disposal procedures

12.10 Vendor Access Controls

Business Associates shall receive access only to the information necessary to perform contracted services.

Examples include:

  • Limited user accounts
  • Role-based permissions
  • Time-limited access
  • VPN access when appropriate
  • Logging of remote access
  • Immediate termination of access when services end

The Minimum Necessary Standard applies to Business Associates.


12.11 Subcontractors

Business Associates shall ensure that any subcontractor with access to PHI agrees to comply with HIPAA and implement appropriate safeguards.

The original Business Associate remains responsible for ensuring downstream compliance.


12.12 Security Incident Reporting

Business Associates shall notify Bloomfield Wellness & Aesthetics without unreasonable delay after discovering:

  • Privacy incidents
  • Security incidents
  • Suspected breaches
  • Ransomware
  • Malware
  • Unauthorized access
  • Lost devices
  • Credential compromise
  • Other events involving PHI

Notification shall include all information reasonably available at the time.


12.13 Vendor Monitoring

Business Associate relationships shall be monitored throughout the duration of the contract.

Monitoring activities may include:

  • Annual security questionnaires
  • Review of breach notifications
  • Contract reviews
  • Business Associate Agreement review
  • Cybersecurity updates
  • Performance reviews
  • Incident history
  • Compliance certifications

High-risk vendors may require more frequent reviews.


12.14 Vendor Termination

Upon termination of services, Bloomfield Wellness & Aesthetics shall ensure, as appropriate:

  • Return of PHI
  • Secure destruction of PHI
  • Written certification of destruction when required
  • Deactivation of user accounts
  • Return of practice-owned equipment
  • Revocation of remote access
  • Removal from vendor inventory

Termination activities shall be documented.


12.15 Vendor Breach Response

If a Business Associate experiences a security incident involving Bloomfield Wellness & Aesthetics patient information:

The practice shall:

  1. Activate the Incident Response Team.
  2. Review the Business Associate Agreement.
  3. Determine the scope of the incident.
  4. Conduct a HIPAA Breach Risk Assessment.
  5. Coordinate required notifications.
  6. Evaluate corrective actions.
  7. Determine whether continued vendor use is appropriate.

The Privacy Officer shall coordinate communications with the vendor.


12.16 Vendor Inventory

Bloomfield Wellness & Aesthetics shall maintain a current Business Associate Inventory including:

  • Vendor name
  • Service provided
  • Contract effective date
  • Contract expiration date
  • Business Associate Agreement status
  • Risk classification
  • Primary contact
  • Last security review
  • Next review date

The inventory shall be reviewed at least annually.


12.17 Annual Business Associate Review Checklist

The Privacy Officer shall verify annually that:

Vendor inventory updated

Business Associate Agreements current

Security questionnaires completed (as applicable)

High-risk vendors reviewed

Vendor incidents evaluated

Cybersecurity concerns addressed

Contract renewals reviewed

Access permissions verified

Terminated vendors removed

Documentation retained


12.18 Practical Scenarios

Scenario 1

A new telehealth vendor is selected.

Required Actions:

  • Complete vendor security review.
  • Execute a Business Associate Agreement.
  • Verify encryption and HIPAA compliance.
  • Obtain leadership approval before implementation.

Scenario 2

An IT consultant requests unrestricted access to the Electronic Health Record.

Required Actions:

Provide only the minimum level of access necessary, document the access, and ensure a Business Associate Agreement is in place.


Scenario 3

A cloud storage vendor reports suspicious activity affecting stored patient files.

Required Actions:

Immediately notify the Privacy Officer and Security Officer, activate the Incident Response Plan, evaluate whether a reportable breach occurred, and coordinate all required regulatory and patient notifications.


12.19 Business Associate Program Summary

Business Associates are an extension of Bloomfield Wellness & Aesthetics' privacy and security responsibilities.

Every department shall:

  • Identify vendors with PHI access.
  • Notify the Privacy Officer before engagement.
  • Ensure appropriate contracts are executed.
  • Monitor vendor performance.
  • Report vendor security concerns immediately.

Effective Business Associate management protects patient information, reduces organizational risk, and supports Bloomfield Wellness & Aesthetics' commitment to regulatory compliance and excellence in patient care.

SECTION 13

HIPAA WORKFORCE TRAINING & COMPETENCY PROGRAM

HIPAA Privacy Rule • HIPAA Security Rule • HITECH Act


13.1 Purpose

Bloomfield Wellness & Aesthetics recognizes that workforce education is one of the most effective safeguards against privacy violations, cybersecurity incidents, and regulatory non-compliance.

This Workforce Training & Competency Program establishes standardized education requirements for all workforce members who create, receive, maintain, access, or transmit Protected Health Information (PHI) or Electronic Protected Health Information (ePHI).

The objectives of this program are to:

  • Ensure compliance with HIPAA and applicable Pennsylvania law.
  • Promote a culture of privacy and security.
  • Reduce human error.
  • Improve cybersecurity awareness.
  • Standardize workforce expectations.
  • Maintain documentation required during regulatory inspections.

Training is mandatory for every workforce member regardless of position.


13.2 Scope

This policy applies to:

  • Medical Director
  • Physicians
  • Pharmacists
  • Nurse Practitioners
  • Physician Assistants
  • Registered Nurses
  • Licensed Practical Nurses
  • Medical Assistants
  • Estheticians
  • Laser Technicians
  • Medical Receptionists
  • Billing Specialists
  • Practice Managers
  • Administrative Personnel
  • Students
  • Interns
  • Volunteers
  • Temporary Staff
  • Contractors with access to PHI
  • Information Technology Personnel

No workforce member may access PHI until required onboarding training has been completed.


13.3 Training Requirements

HIPAA training shall occur:

  • Before workforce members receive access to PHI.
  • During new employee orientation.
  • Annually thereafter.
  • Whenever significant policy changes occur.
  • Following major security incidents.
  • Following identified compliance deficiencies.
  • When new technologies affecting PHI are implemented.

Additional department-specific education may be assigned as needed.


13.4 New Employee HIPAA Orientation

Every new workforce member shall complete HIPAA Orientation before beginning independent job duties.

Orientation includes:

Privacy

  • HIPAA overview
  • Patient rights
  • Protected Health Information
  • Minimum Necessary Standard
  • Confidentiality expectations
  • Release of Information procedures
  • Notice of Privacy Practices

Security

  • Password management
  • Multi-factor authentication
  • Email security
  • Device security
  • Remote access
  • Workstation security
  • Encryption
  • Clean desk policy

Cybersecurity

  • Phishing recognition
  • Social engineering
  • Ransomware awareness
  • Malware prevention
  • Safe web browsing
  • Secure file sharing
  • AI and cybersecurity risks

Practice Policies

  • Incident reporting
  • Business Associate awareness
  • Photography policy
  • Social media policy
  • Bring Your Own Device (BYOD)
  • Visitor management
  • Sanction policy

Completion shall be documented before system access is granted.


13.5 Annual HIPAA Refresher Training

All workforce members shall complete annual refresher education.

Topics include:

  • HIPAA Privacy Rule updates
  • HIPAA Security Rule updates
  • OCR enforcement trends
  • Recent cybersecurity threats
  • Organizational policy updates
  • Recent privacy incidents (de-identified)
  • Lessons learned
  • Workforce responsibilities
  • Documentation standards
  • AI usage guidance
  • Security awareness

Training content shall be updated annually.


13.6 Role-Based Training

Additional education shall be tailored to job responsibilities.

Providers

Training emphasizes:

  • Documentation
  • Clinical photography
  • Telehealth
  • Electronic prescribing
  • Medical record amendments
  • Release of Information

Estheticians & Laser Technicians

Training emphasizes:

  • Clinical photography
  • Cosmetic consultation documentation
  • Before-and-after image management
  • Marketing authorization
  • Photography consent
  • Device documentation
  • Cosmetic procedure records

Reception

Training emphasizes:

  • Identity verification
  • Appointment privacy
  • Waiting room confidentiality
  • Telephone procedures
  • Scheduling
  • Confidential communications

Billing

Training emphasizes:

  • Minimum Necessary Standard
  • Insurance disclosures
  • Payment information
  • Workers' compensation
  • Collection agencies
  • Financial confidentiality

Information Technology

Training emphasizes:

  • Network security
  • Access management
  • Audit logs
  • Encryption
  • Disaster recovery
  • Incident response
  • Business Associate oversight

13.7 Security Awareness Education

Throughout the year, Bloomfield Wellness & Aesthetics shall provide ongoing security awareness education.

Examples include:

  • Monthly cybersecurity reminders
  • Phishing awareness bulletins
  • Password tips
  • Emerging scam alerts
  • AI security guidance
  • Vendor security alerts
  • Security newsletters
  • Lunch-and-learn sessions

Security awareness shall remain an ongoing process rather than a once-per-year activity.


13.8 Phishing Simulation Program

To improve cybersecurity awareness, Bloomfield Wellness & Aesthetics may periodically conduct phishing simulations.

Objectives include:

  • Evaluating workforce awareness
  • Reinforcing training
  • Identifying education needs
  • Measuring organizational improvement

Employees who interact with simulated phishing emails may receive additional coaching rather than punitive discipline, unless repeated failures or intentional misconduct warrant corrective action.


13.9 Competency Evaluation

Training effectiveness shall be evaluated through one or more methods:

  • Written examinations
  • Online quizzes
  • Practical demonstrations
  • Scenario-based discussions
  • Observation
  • Skills validation
  • Department manager evaluations

Employees demonstrating deficiencies shall complete remedial education.


13.10 Competency Standards

Bloomfield Wellness & Aesthetics recommends a minimum passing score of 80% on annual HIPAA competency assessments.

Employees who do not achieve the required score shall:

  • Review educational materials.
  • Complete additional training.
  • Retake the assessment.
  • Demonstrate competency before the training cycle is considered complete.

13.11 Documentation of Training

The following shall be documented:

  • Employee name
  • Training title
  • Date completed
  • Instructor (if applicable)
  • Method of training
  • Competency score
  • Employee acknowledgment
  • Manager verification

Training records shall be retained in accordance with organizational record retention requirements.


13.12 Workforce Acknowledgment

Following training, each workforce member shall acknowledge that they understand:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • Confidentiality requirements
  • Security responsibilities
  • Incident reporting procedures
  • Sanction policy
  • Organizational privacy expectations

Signed acknowledgments shall be maintained in personnel files.


13.13 Manager Responsibilities

Department managers are responsible for:

  • Ensuring staff complete required training.
  • Monitoring compliance.
  • Reinforcing privacy expectations.
  • Identifying additional educational needs.
  • Reporting deficiencies.
  • Supporting corrective action plans.

Managers shall model appropriate HIPAA compliance behaviors.


13.14 Remedial Training

Additional education shall be provided when:

  • Privacy violations occur.
  • Security incidents occur.
  • Documentation deficiencies are identified.
  • Audit findings indicate non-compliance.
  • New regulations are issued.
  • New technology is implemented.

Remedial education shall be documented.


13.15 Continuing Education

Bloomfield Wellness & Aesthetics encourages workforce members to participate in continuing education related to:

  • HIPAA
  • Cybersecurity
  • Information privacy
  • Healthcare compliance
  • Medical documentation
  • Artificial intelligence in healthcare
  • Risk management
  • Fraud prevention

Continuing education supports professional development and organizational excellence.


13.16 Annual Training Checklist

Each year the Privacy Officer or designee shall verify completion of:

HIPAA Privacy Training

HIPAA Security Training

Cybersecurity Awareness

Phishing Education

Password Security Review

Incident Reporting Review

Social Media Policy Review

Photography Policy Review

AI Usage Policy Review

Competency Examination

Employee Acknowledgment

Documentation Filed


13.17 Sample Annual Competency Questions

Examples of questions that may be included in annual assessments:

  1. What does PHI stand for?
  2. What should you do if you receive a suspicious email requesting your password?
  3. May you access the medical record of a family member without a business need?
  4. What is the Minimum Necessary Standard?
  5. When should a suspected HIPAA violation be reported?
  6. Is a clinical photograph considered PHI?
  7. What should you do before releasing medical records to an attorney?
  8. What is the first action if your laptop containing PHI is stolen?
  9. May patient information be entered into an unapproved public AI platform?
  10. Who serves as Bloomfield Wellness & Aesthetics' Privacy Officer?

13.18 Training Program Summary

Education is one of the strongest defenses against privacy violations and cybersecurity incidents.

Every workforce member is expected to:

  • Complete required training.
  • Maintain competency.
  • Stay informed of policy updates.
  • Report concerns immediately.
  • Apply privacy and security principles in daily practice.
  • Protect patient information with professionalism and integrity.

Bloomfield Wellness & Aesthetics is committed to fostering a knowledgeable workforce that understands both the legal requirements and ethical importance of safeguarding patient information. Continuous education strengthens compliance, supports patient trust, and reinforces the organization's commitment to excellence in healthcare.

SECTION 14

MEDICAL RECORD DOCUMENTATION STANDARDS & DOCUMENTATION INTEGRITY


14.1 Purpose

The medical record is a legal, clinical, and business document that supports patient care, communication among healthcare providers, quality improvement, billing, regulatory compliance, and risk management.

Bloomfield Wellness & Aesthetics is committed to maintaining complete, accurate, timely, and professional medical records that meet or exceed the requirements of:

  • HIPAA
  • HITECH Act
  • Pennsylvania law
  • CMS documentation standards
  • Commercial payer requirements
  • Accepted standards of medical practice
  • Professional licensing board requirements

Every workforce member responsible for documentation shall comply with this policy.


14.2 Policy Statement

Every medical record shall accurately reflect:

  • The patient's condition
  • Clinical findings
  • Assessment
  • Clinical decision-making
  • Treatment rendered
  • Patient education
  • Informed consent
  • Follow-up recommendations
  • Provider authentication

Medical documentation shall be completed promptly and shall never be altered to conceal an error or misrepresent services provided.


14.3 Purpose of the Medical Record

The medical record serves multiple purposes, including:

Clinical Care

  • Continuity of care
  • Provider communication
  • Treatment planning
  • Medication management
  • Follow-up care

Legal Documentation

  • Evidence of services rendered
  • Professional accountability
  • Regulatory compliance
  • Risk management
  • Defense in legal proceedings

Financial Documentation

  • Coding support
  • Billing
  • Insurance claims
  • Medical necessity documentation
  • Prior authorizations

Quality Improvement

  • Clinical audits
  • Performance improvement
  • Accreditation
  • Outcomes analysis
  • Patient safety initiatives

14.4 Documentation Principles

Every entry shall be:

  • Accurate
  • Objective
  • Complete
  • Legible
  • Timely
  • Organized
  • Professional
  • Clinically relevant
  • Authenticated
  • Consistent

Documentation should reflect what actually occurred—not what was intended to occur.


14.5 Required Patient Demographics

The medical record should include, as appropriate:

  • Full legal name
  • Date of birth
  • Address
  • Telephone number(s)
  • Email address
  • Emergency contact
  • Primary care provider
  • Insurance information
  • Preferred pharmacy
  • Preferred language
  • Communication preferences
  • Allergies
  • Medication list

Demographic information should be reviewed and updated at least annually or whenever changes are identified.


14.6 Clinical Documentation Requirements

Each clinical encounter shall include documentation appropriate to the services provided.

Typical components include:

  • Chief complaint
  • History of present illness
  • Relevant past medical history
  • Medication review
  • Allergy review
  • Review of systems (when applicable)
  • Physical examination
  • Skin assessment (for aesthetic visits)
  • Clinical photographs (when indicated)
  • Assessment
  • Diagnosis
  • Treatment plan
  • Patient education
  • Follow-up instructions
  • Provider signature

14.7 Aesthetic Medicine Documentation

Because Bloomfield Wellness & Aesthetics provides aesthetic and wellness services, documentation shall also include, when applicable:

  • Cosmetic consultation
  • Patient goals
  • Expectations discussed
  • Contraindications reviewed
  • Skin type assessment
  • Fitzpatrick Skin Type
  • Glogau Classification (if applicable)
  • Treatment areas
  • Device settings
  • Laser parameters
  • Energy settings
  • Pulse duration
  • Spot size
  • Cooling method
  • Product lot numbers
  • Injection sites
  • Injection quantities
  • Needle/cannula size
  • Treatment tolerance
  • Immediate response
  • Post-treatment instructions
  • Follow-up plan

Detailed documentation supports patient safety and continuity of care.


14.8 Wellness & Functional Medicine Documentation

For hormone optimization, weight management, and functional medicine services, documentation should include, as applicable:

  • Comprehensive health history
  • Lifestyle assessment
  • Nutritional assessment
  • Sleep evaluation
  • Exercise history
  • Stress assessment
  • Hormone symptoms
  • Functional medicine review
  • Laboratory interpretation
  • Clinical reasoning
  • Personalized treatment recommendations
  • Supplement recommendations
  • Medication changes
  • Follow-up laboratory schedule
  • Patient education

14.9 SOAP Documentation Standard

Bloomfield Wellness & Aesthetics utilizes the SOAP format whenever appropriate.

Subjective

Patient-reported symptoms

Chief complaint

History

Goals

Review of systems


Objective

Vital signs

Physical findings

Laboratory results

Imaging

Clinical photographs

Device measurements

Body composition analysis


Assessment

Diagnosis

Differential diagnosis

Clinical interpretation

Medical necessity

Progress toward treatment goals


Plan

Treatment

Medication

Procedures

Patient education

Follow-up

Laboratory orders

Lifestyle recommendations

Referrals


14.10 Timeliness of Documentation

Clinical documentation should be completed as soon as reasonably practical following the patient encounter.

Documentation delays increase the risk of:

  • Inaccuracies
  • Billing errors
  • Patient safety concerns
  • Regulatory deficiencies

Providers should avoid unnecessary delays in completing records.


14.11 Late Entries

Occasionally additional information becomes available after documentation has been completed.

Late entries shall:

  • Be clearly identified as late entries.
  • Include the current date and time.
  • Explain why the information is being added.
  • Never appear to have been entered on the original service date.

Late entries shall never be used to falsify documentation.


14.12 Addenda

Addenda may be used to supplement previously completed documentation.

Appropriate reasons include:

  • Additional laboratory information
  • Clarification
  • Additional patient history
  • Additional recommendations
  • Newly received consultation reports

The original documentation shall remain intact.


14.13 Corrections

Errors shall be corrected without obscuring the original documentation.

Electronic systems generally maintain audit trails documenting:

  • Original entry
  • Correction
  • Date
  • Time
  • Author

Paper records shall never be altered using correction fluid or methods that make the original entry unreadable.


14.14 Copy and Paste / Copy Forward

Copying previous documentation may improve efficiency but presents risks.

When using copy-forward functionality:

  • Information shall be reviewed for accuracy.
  • Outdated information shall be removed.
  • Physical examination findings shall reflect the current encounter.
  • Medication lists shall be verified.
  • Diagnoses shall be reviewed.

Providers remain fully responsible for all documentation regardless of how it was created.


14.15 Electronic Signatures

Electronic signatures shall:

  • Identify the author.
  • Be unique to the provider.
  • Be protected from unauthorized use.
  • Accurately reflect authorship.

Signing documentation completed by another individual without proper review is prohibited.


14.16 Clinical Photography Documentation

Clinical photographs shall include documentation of:

  • Date obtained
  • Body area
  • Clinical purpose
  • Patient consent
  • Device used (if applicable)
  • Secure storage location

Clinical photographs become part of the medical record when used for treatment documentation.


14.17 Informed Consent Documentation

The medical record shall document informed consent discussions, including:

  • Nature of the procedure
  • Risks
  • Benefits
  • Alternatives
  • Expected recovery
  • Opportunity for questions
  • Patient understanding
  • Patient agreement

Signed consent forms shall be maintained in the medical record.


14.18 Medication Documentation

Medication documentation should include:

  • Medication name
  • Strength
  • Dose
  • Route
  • Frequency
  • Indication
  • Start date
  • Discontinuation date when applicable
  • Allergies
  • Adverse reactions

Medication reconciliation shall be performed as appropriate.


14.19 Laboratory Documentation

Laboratory documentation shall include:

  • Tests ordered
  • Clinical indication
  • Results
  • Provider interpretation
  • Patient notification
  • Follow-up plan
  • Repeat testing schedule

Abnormal findings shall receive appropriate follow-up.


14.20 Documentation of Patient Education

Patient education shall be documented whenever education is provided.

Examples include:

  • Procedure preparation
  • Medication instructions
  • Hormone therapy counseling
  • Laser aftercare
  • Chemical peel aftercare
  • Microneedling instructions
  • Weight management counseling
  • Lifestyle recommendations
  • Nutritional counseling
  • Follow-up recommendations

Documentation should include the patient's understanding when appropriate.


14.21 Prohibited Documentation Practices

The following practices are strictly prohibited:

  • Falsifying documentation.
  • Backdating records.
  • Altering records to conceal errors.
  • Creating records for services not performed.
  • Signing another individual's documentation.
  • Copying documentation without review.
  • Recording inaccurate times.
  • Fabricating clinical findings.

Violations may result in disciplinary action, reporting to licensing boards, civil penalties, or criminal prosecution.


14.22 Documentation Audits

Bloomfield Wellness & Aesthetics conducts periodic documentation audits evaluating:

  • Completeness
  • Timeliness
  • Accuracy
  • Legibility
  • Medical necessity
  • Coding support
  • Informed consent documentation
  • Authentication
  • Compliance with organizational policies

Audit findings shall be communicated to providers, and corrective education shall be provided when indicated.


14.23 Documentation Integrity Summary

Every medical record represents both the care provided and the professionalism of Bloomfield Wellness & Aesthetics.

Workforce members shall remember:

  • Document promptly.
  • Document accurately.
  • Document objectively.
  • Never alter records improperly.
  • Authenticate every entry.
  • If it wasn't documented, it may be difficult to demonstrate that it occurred.

High-quality documentation supports patient safety, continuity of care, regulatory compliance, reimbursement accuracy, and legal defensibility while reinforcing Bloomfield Wellness & Aesthetics' commitment to clinical excellence and ethical healthcare practice.

SECTION 15

HIPAA AUDITING, MONITORING & INTERNAL COMPLIANCE PROGRAM

HIPAA Privacy Rule • HIPAA Security Rule • Internal Compliance Standards


15.1 Purpose

Bloomfield Wellness & Aesthetics ("BWA") maintains an active HIPAA Auditing, Monitoring, and Internal Compliance Program to ensure continuous compliance with federal and Pennsylvania privacy and security requirements.

The purpose of this program is to:

  • Detect privacy violations before they become reportable breaches.
  • Identify security vulnerabilities.
  • Monitor workforce compliance.
  • Improve documentation quality.
  • Evaluate effectiveness of HIPAA policies.
  • Strengthen cybersecurity.
  • Reduce organizational risk.
  • Promote continuous quality improvement.

Auditing is intended to improve compliance—not merely identify deficiencies.


15.2 Policy Statement

Bloomfield Wellness & Aesthetics shall perform ongoing monitoring and periodic audits of its privacy, security, documentation, and workforce compliance activities.

Audits may be:

  • Scheduled
  • Random
  • Risk-based
  • Triggered by complaints
  • Triggered by security incidents
  • Triggered by abnormal system activity
  • Conducted following regulatory updates

Audit findings shall be documented, reviewed by leadership, and addressed through corrective action when necessary.


15.3 Compliance Program Goals

The Internal Compliance Program is designed to:

  • Protect patient privacy.
  • Improve workforce accountability.
  • Detect inappropriate record access.
  • Identify documentation deficiencies.
  • Verify policy compliance.
  • Evaluate technical safeguards.
  • Improve patient safety.
  • Maintain regulatory readiness.
  • Support continuous education.
  • Demonstrate due diligence.

15.4 Audit Authority

The following individuals may participate in HIPAA audits:

  • Privacy Officer
  • HIPAA Security Officer
  • Compliance Officer
  • Medical Director
  • Practice Administrator
  • Department Managers
  • Information Technology personnel
  • Outside HIPAA consultants
  • Legal counsel when appropriate

Audit responsibilities shall be documented.


15.5 Types of Audits

Bloomfield Wellness & Aesthetics conducts multiple categories of compliance audits.

These include:

Privacy Audits

  • Release of Information
  • Authorizations
  • Confidential communications
  • Patient rights
  • Notice of Privacy Practices
  • Disclosure documentation

Security Audits

  • Password compliance
  • Multi-factor authentication
  • Workstation security
  • Device encryption
  • Remote access
  • Firewall review
  • Endpoint protection
  • Network monitoring

Documentation Audits

  • SOAP documentation
  • Medical necessity
  • Procedure documentation
  • Clinical photography
  • Informed consent
  • Signatures
  • Timeliness
  • Coding support

Workforce Audits

  • HIPAA training
  • Confidentiality agreements
  • Annual acknowledgments
  • Policy compliance
  • Role-based access

Vendor Audits

  • Business Associate Agreements
  • Security questionnaires
  • Vendor incidents
  • Contract reviews
  • Access permissions

15.6 Electronic Health Record Access Audits

Bloomfield Wellness & Aesthetics shall periodically review Electronic Health Record (EHR) access logs.

Audit objectives include identifying:

  • Unauthorized access.
  • Curiosity access.
  • Excessive record viewing.
  • Access after employment termination.
  • Access outside assigned responsibilities.
  • Access during unusual hours.
  • Bulk record exports.
  • Suspicious login activity.

Any irregular activity shall be investigated promptly.


15.7 High-Profile Patient Monitoring

Certain medical records may require enhanced monitoring.

Examples include:

  • Employees
  • Providers
  • Public officials
  • Celebrities
  • Local media personalities
  • Litigation-related patients
  • Patients requesting heightened privacy protections

Additional audit logging may be performed for these records.

Selection for monitoring shall never be based on discrimination or inappropriate considerations.


15.8 User Access Reviews

At least annually, and more frequently when appropriate, user access shall be reviewed to verify:

  • Current employment status.
  • Appropriate department assignment.
  • Role-based permissions.
  • Administrative privileges.
  • Temporary access expiration.
  • Remote access authorization.

Inactive or unnecessary accounts shall be disabled promptly.


15.9 Documentation Audits

Documentation reviews shall evaluate:

  • Completeness
  • Accuracy
  • Timeliness
  • Authentication
  • Medical necessity
  • Procedure documentation
  • Clinical photographs
  • Treatment plans
  • Follow-up documentation
  • Patient education
  • Coding support

Audit results shall be shared with providers and managers.


15.10 Workstation Audits

Periodic observations may evaluate:

  • Locked workstations
  • Visible PHI
  • Password security
  • Clean desk compliance
  • Printer security
  • Monitor placement
  • Badge usage
  • Visitor management

Immediate corrective coaching may occur when deficiencies are observed.


15.11 Security Audits

Technical security audits may evaluate:

  • Firewall configuration
  • Endpoint protection
  • Antivirus status
  • Software updates
  • Encryption status
  • Wireless security
  • VPN access
  • Multi-factor authentication
  • Backup completion
  • Failed login attempts

Information Technology personnel shall document corrective actions.


15.12 Physical Security Audits

Facility inspections may include:

  • Door security
  • Lock functionality
  • Alarm systems
  • Visitor controls
  • Records storage
  • Medication storage
  • Server room security
  • Emergency exits
  • Camera placement (where applicable)
  • Environmental protections

Deficiencies shall be corrected promptly.


15.13 Release of Information Audits

The Privacy Officer shall periodically review Release of Information activities.

Audit items include:

  • Identity verification
  • Valid authorizations
  • Documentation of disclosures
  • Timeliness
  • Minimum Necessary compliance
  • Appropriate fees
  • Patient requests
  • Restriction requests

15.14 Business Associate Audits

High-risk Business Associates may undergo periodic review.

Examples include:

  • Business Associate Agreement status
  • Cybersecurity posture
  • Security incidents
  • Breach history
  • Access controls
  • Insurance coverage
  • Contract compliance

Documentation shall be retained.


15.15 Audit Frequency

Unless operational needs require more frequent review, Bloomfield Wellness & Aesthetics recommends the following schedule:

Audit Type

Recommended Frequency

EHR Access Logs

Monthly

User Access Review

Quarterly

Documentation Audit

Quarterly

Workstation Audit

Quarterly

Security Audit

Quarterly

Business Associate Review

Annually

Risk Analysis

Annually

HIPAA Training

Annually

Disaster Recovery Test

Annually

Policy Review

Annually

Leadership may increase audit frequency based on identified risks.


15.16 Corrective Action Plans

When audit deficiencies are identified, a written Corrective Action Plan (CAP) shall be developed.

Each CAP shall include:

  • Deficiency identified
  • Root cause
  • Recommended corrective action
  • Responsible individual
  • Due date
  • Completion date
  • Verification of effectiveness

Corrective actions shall be monitored until completed.


15.17 Compliance Reporting

Audit findings shall be summarized for leadership.

Reports may include:

  • Number of audits completed
  • Significant findings
  • Trends
  • Repeat deficiencies
  • Incident summaries
  • Corrective action status
  • Training needs
  • Vendor concerns
  • Recommendations

Reports should support strategic compliance planning.


15.18 OCR Audit Readiness

Bloomfield Wellness & Aesthetics shall maintain documentation demonstrating HIPAA compliance in the event of an investigation or audit by the U.S. Department of Health & Human Services Office for Civil Rights (OCR).

Documentation includes:

  • HIPAA Policies
  • Risk Analysis
  • Risk Management Plan
  • Workforce Training Records
  • Business Associate Agreements
  • Incident Reports
  • Breach Investigations
  • Audit Reports
  • Corrective Action Plans
  • Patient Complaint Files
  • Policy Review Documentation

Records shall be organized and readily retrievable.


15.19 Annual HIPAA Compliance Calendar

The Privacy Officer or designee shall maintain an annual compliance calendar.

Recommended activities include:

January

  • Review HIPAA policies
  • Update compliance calendar

February

  • Business Associate inventory review

March

  • Workforce access review

April

  • Documentation audit

May

  • Security awareness campaign

June

  • Workstation audit

July

  • HIPAA refresher training

August

  • Risk Register update

September

  • Security Risk Analysis

October

  • Disaster Recovery and Contingency Plan testing

November

  • Release of Information audit

December

  • Leadership compliance review
  • Corrective Action Plan follow-up
  • Annual program evaluation

This schedule may be adjusted based on operational priorities or regulatory developments.


15.20 Continuous Quality Improvement

Audit findings shall be incorporated into Bloomfield Wellness & Aesthetics' Quality Improvement Program.

Improvement activities may include:

  • Policy revisions
  • Additional workforce education
  • Technology enhancements
  • Vendor remediation
  • Workflow redesign
  • Additional monitoring
  • Cybersecurity improvements

Continuous improvement strengthens both patient care and regulatory compliance.


15.21 Practical Audit Scenarios

Scenario 1

An EHR audit identifies that an employee accessed the chart of a family member without a treatment-related reason.

Required Actions:

  • Initiate an investigation.
  • Interview the employee.
  • Review audit logs.
  • Determine whether PHI was improperly disclosed.
  • Apply the Sanction Policy if appropriate.
  • Document findings and corrective actions.

Scenario 2

A quarterly documentation audit finds repeated missing informed consent forms for cosmetic laser procedures.

Required Actions:

  • Notify the Medical Director and Practice Manager.
  • Educate affected providers.
  • Implement a corrective action plan.
  • Re-audit within 30–60 days to verify compliance.

Scenario 3

A workstation audit reveals multiple computers left unlocked during lunch breaks.

Required Actions:

  • Provide immediate coaching.
  • Reinforce workstation security expectations.
  • Consider additional security awareness training.
  • Increase spot-check audits until compliance improves.

Scenario 4

A Business Associate experiences a cybersecurity incident affecting cloud-hosted patient information.

Required Actions:

  • Review the Business Associate Agreement.
  • Activate the Incident Response Plan.
  • Conduct a HIPAA Breach Risk Assessment.
  • Determine notification obligations.
  • Document all findings and corrective actions.

15.22 HIPAA Auditing & Monitoring Summary

Routine auditing and monitoring are essential components of an effective HIPAA compliance program.

Every workforce member should understand that audits are conducted to:

  • Protect patients.
  • Improve organizational performance.
  • Strengthen privacy and security.
  • Identify opportunities for education.
  • Demonstrate regulatory compliance.
  • Foster a culture of accountability and continuous improvement.

Through ongoing monitoring, timely corrective action, and leadership oversight, Bloomfield Wellness & Aesthetics reinforces its commitment to safeguarding Protected Health Information and maintaining the highest standards of ethical, secure, and patient-centered care.