HIPAA POLICY
SECTION 1
HIPAA GOVERNANCE
1.1 Purpose
Bloomfield Wellness & Aesthetics ("BWA") is committed to protecting the privacy, confidentiality, integrity, and availability of Protected Health Information ("PHI") in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, applicable Pennsylvania laws, and other federal regulations governing healthcare privacy and security.
This HIPAA Privacy & Security Manual establishes the policies, procedures, and operational standards that all workforce members, contractors, students, volunteers, and Business Associates must follow when handling Protected Health Information.
The objectives of this manual are to:
- Protect the confidentiality of patient information.
- Ensure compliance with federal and Pennsylvania privacy laws.
- Standardize privacy and security practices throughout the organization.
- Reduce the risk of unauthorized access, disclosure, alteration, or destruction of PHI.
- Establish clear accountability for HIPAA compliance.
- Promote a culture of privacy, ethics, and professionalism.
- Support safe, high-quality patient care through secure information management.
Compliance with this manual is mandatory for every member of the Bloomfield Wellness & Aesthetics workforce.
1.2 Scope
This manual applies to all workforce members and any individual acting on behalf of Bloomfield Wellness & Aesthetics, including:
- Physicians
- Pharmacists
- Nurse Practitioners
- Physician Assistants
- Registered Nurses
- Licensed Practical Nurses
- Estheticians
- Medical Assistants
- Laser Technicians
- Medical Receptionists
- Billing Personnel
- Practice Managers
- Administrative Staff
- Students
- Interns
- Volunteers
- Independent Contractors
- Information Technology Personnel
- Consultants
- Temporary Staff
- Business Associates when applicable
It applies to all forms of Protected Health Information, including:
- Electronic PHI (ePHI)
- Paper records
- Verbal communications
- Photographs
- Videos
- Audio recordings
- Emails
- Text messages
- Patient portal communications
- Laboratory reports
- Billing information
- Insurance records
- Appointment schedules
- Telehealth documentation
1.3 Mission Statement
Bloomfield Wellness & Aesthetics recognizes that patient privacy is fundamental to quality healthcare.
Every workforce member is entrusted with sensitive personal and medical information. This trust requires unwavering commitment to confidentiality, ethical conduct, regulatory compliance, and respect for every patient's dignity.
Protecting patient information is not solely a legal obligation—it is a core professional responsibility shared by every member of the organization.
1.4 Organizational HIPAA Compliance Structure
Bloomfield Wellness & Aesthetics has established a formal HIPAA compliance program to oversee all privacy and security activities.
Medical Director
Dr. Domenic Mantella, MD
Responsibilities include:
- Providing clinical oversight.
- Supporting HIPAA compliance initiatives.
- Reviewing clinical privacy issues.
- Participating in compliance investigations when appropriate.
- Supporting corrective action initiatives.
Privacy Officer
Kathryn Confer, PharmD
The Privacy Officer is responsible for:
- Developing privacy policies.
- Maintaining HIPAA documentation.
- Investigating privacy complaints.
- Responding to patient privacy requests.
- Coordinating breach investigations.
- Managing Business Associate Agreements.
- Conducting workforce privacy education.
- Monitoring compliance with the HIPAA Privacy Rule.
- Serving as the primary contact for patient privacy concerns.
HIPAA Security Officer
Kathryn Confer, PharmD
Responsibilities include:
- Conducting annual HIPAA Security Risk Analyses.
- Overseeing technical safeguards.
- Managing cybersecurity initiatives.
- Monitoring access controls.
- Reviewing audit logs.
- Coordinating disaster recovery planning.
- Investigating security incidents.
- Maintaining HIPAA Security Rule compliance.
- Coordinating cybersecurity awareness training.
Compliance Officer
Kathryn Confer, PharmD
Responsibilities include:
- Monitoring regulatory compliance.
- Performing internal audits.
- Coordinating corrective action plans.
- Reviewing federal and Pennsylvania regulatory changes.
- Supervising compliance education.
- Maintaining compliance documentation.
- Reporting significant compliance concerns to leadership.
1.5 Workforce Responsibilities
Every workforce member is personally responsible for protecting Protected Health Information.
Each workforce member shall:
- Access only the information necessary to perform assigned job duties.
- Maintain patient confidentiality at all times.
- Complete HIPAA training before accessing PHI.
- Participate in annual refresher training.
- Report suspected privacy or security incidents immediately.
- Follow all administrative, physical, and technical safeguards.
- Cooperate fully with compliance investigations.
- Protect passwords and authentication credentials.
- Secure workstations before leaving unattended.
- Avoid discussing patient information in public areas.
- Refrain from accessing records without a legitimate business or treatment purpose.
- Immediately report lost devices, phishing attempts, or suspected breaches.
Failure to comply with these responsibilities may result in disciplinary action up to and including termination of employment, reporting to licensing boards, civil penalties, or criminal prosecution, as permitted by law.
SECTION 2
HIPAA DEFINITIONS & PROTECTED HEALTH INFORMATION (PHI)
2.1 Purpose
Understanding HIPAA terminology is essential for consistent compliance throughout Bloomfield Wellness & Aesthetics. Every workforce member must understand what information is protected, when HIPAA applies, and how Protected Health Information (PHI) must be handled.
The definitions contained in this manual are based upon the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA Privacy Rule, the HIPAA Security Rule, the HITECH Act, and applicable federal guidance. When federal or Pennsylvania law changes, these definitions shall be interpreted in accordance with the most current legal requirements.
2.2 What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to:
- Protect patient privacy.
- Improve healthcare data security.
- Standardize electronic healthcare transactions.
- Reduce healthcare fraud.
- Provide patients with rights regarding their medical information.
- Establish national standards for safeguarding health information.
HIPAA applies to Covered Entities and their Business Associates that create, receive, maintain, or transmit Protected Health Information.
2.3 Covered Entity
Bloomfield Wellness & Aesthetics is a Covered Entity under HIPAA to the extent it provides healthcare services and engages in covered electronic transactions.
As a Covered Entity, Bloomfield Wellness & Aesthetics must:
- Protect Protected Health Information.
- Limit disclosures.
- Train workforce members.
- Maintain written policies.
- Conduct security risk analyses.
- Notify patients of certain breaches.
- Honor patient privacy rights.
- Enter into Business Associate Agreements when required.
2.4 Business Associate
A Business Associate is any person or organization, other than a member of the workforce, that performs services involving Protected Health Information on behalf of Bloomfield Wellness & Aesthetics.
Examples include:
- Electronic Health Record vendors
- Practice Management software providers
- Medical billing companies
- Cloud storage providers
- Cybersecurity consultants
- Secure shredding vendors
- IT consultants
- Collection agencies
- Attorneys
- Accountants
- Telehealth vendors
- Patient portal providers
Whenever required, a HIPAA-compliant Business Associate Agreement (BAA) must be executed before PHI is shared.
2.5 Protected Health Information (PHI)
Protected Health Information (PHI) is individually identifiable health information maintained or transmitted by Bloomfield Wellness & Aesthetics in any form or medium.
PHI may exist in:
- Electronic records
- Paper records
- Verbal conversations
- Emails
- Text messages
- Clinical photographs
- Audio recordings
- Videos
- Faxes
- Portable devices
- Cloud storage
Examples include:
- Patient name
- Date of birth
- Medical diagnoses
- Laboratory results
- Procedure notes
- Clinical photographs
- Medication history
- Insurance information
- Appointment records
- Billing information
- Hormone treatment plans
- Weight management records
- Laser treatment documentation
- Functional medicine assessments
PHI remains protected regardless of where it is stored.
2.6 Electronic Protected Health Information (ePHI)
Electronic Protected Health Information (ePHI) refers to Protected Health Information created, stored, transmitted, or received electronically.
Examples include:
- Electronic medical records
- Patient portal communications
- Electronic laboratory reports
- Electronic prescriptions
- Cloud-based medical records
- Secure emails
- Digital photographs
- Electronic billing records
- Telehealth documentation
- Electronic consent forms
The HIPAA Security Rule applies specifically to ePHI.
2.7 Individually Identifiable Health Information
Health information becomes protected when it identifies an individual or could reasonably be used to identify that individual.
Information may be considered identifiable when it contains:
- Name
- Address
- Telephone number
- Email address
- Date of birth
- Social Security Number
- Medical Record Number
- Account Number
- Insurance Identification Number
- Driver's License Number
- Vehicle information
- Biometric identifiers
- Full-face photographs
- Device identifiers
- Internet Protocol (IP) address when associated with health information
- Any other unique identifying characteristic
Even partial information may identify a patient when combined with other available information.
2.8 Designated Record Set
A Designated Record Set includes records used by Bloomfield Wellness & Aesthetics to make decisions regarding patients.
Examples include:
- Medical histories
- Progress notes
- Consultation reports
- Laboratory results
- Diagnostic reports
- Medication records
- Allergy documentation
- Treatment plans
- Clinical photographs
- Billing records
- Insurance records
- Appointment histories
- Electronic communications maintained within the medical record
Patients generally have rights to inspect and obtain copies of information contained within the Designated Record Set.
2.9 Minimum Necessary Standard
Except for certain permitted uses, Bloomfield Wellness & Aesthetics limits the use, access, and disclosure of Protected Health Information to the minimum amount reasonably necessary to accomplish the intended purpose.
Examples include:
Reception staff generally do not require access to:
- Complete laboratory histories
- Detailed provider notes
- Mental health documentation
- Entire medical records
Billing personnel generally require:
- Patient demographics
- Insurance information
- Procedure codes
- Diagnosis codes
- Payment information
Clinical providers generally require broader access to deliver safe patient care.
Role-based access controls support compliance with the Minimum Necessary Standard.
2.10 Workforce
The workforce includes:
- Employees
- Physicians
- Pharmacists
- Nurse Practitioners
- Physician Assistants
- Estheticians
- Medical Assistants
- Receptionists
- Students
- Volunteers
- Interns
- Temporary personnel
- Individuals under direct control of Bloomfield Wellness & Aesthetics
Every workforce member must comply with HIPAA policies.
2.11 Confidential Information
Confidential information extends beyond Protected Health Information and includes business information not intended for public disclosure.
Examples include:
- Financial records
- Employee personnel files
- Vendor contracts
- Business plans
- Compliance investigations
- Cybersecurity documentation
- Internal audit reports
- Credentialing files
- Quality improvement activities
Confidential information shall be protected from unauthorized disclosure.
2.12 Authorization
An Authorization is a written document signed by the patient (or authorized representative) permitting the use or disclosure of Protected Health Information for purposes not otherwise permitted by HIPAA.
An authorization generally includes:
- Patient identification
- Description of information
- Recipient
- Purpose
- Expiration
- Signature
- Date
Patients may revoke an authorization prospectively in writing.
2.13 Privacy Incident
A Privacy Incident is any event involving actual or suspected inappropriate access, use, disclosure, or handling of Protected Health Information.
Examples include:
- Discussing patients in public
- Viewing records without authorization
- Sending records to the wrong recipient
- Leaving records unattended
- Improper disposal of records
- Lost paperwork
- Unauthorized photography
Every suspected privacy incident must be reported immediately.
2.14 Security Incident
A Security Incident involves actual or attempted unauthorized access to electronic systems or electronic Protected Health Information.
Examples include:
- Phishing attacks
- Malware infections
- Ransomware
- Lost laptops
- Lost smartphones
- Password compromise
- Unauthorized system access
- Hacking attempts
- Stolen devices
Security incidents require immediate reporting to the HIPAA Security Officer.
2.15 Breach
A Breach is the acquisition, access, use, or disclosure of unsecured Protected Health Information in a manner not permitted under HIPAA that compromises the security or privacy of the information.
Not every privacy incident constitutes a reportable breach.
Each incident must undergo a documented risk assessment to determine whether notification is required under the HIPAA Breach Notification Rule.
2.16 De-Identified Information
Information is considered de-identified when identifiers have been removed in accordance with HIPAA requirements such that the information cannot reasonably be used to identify an individual.
De-identified information may be used for:
- Quality improvement
- Research (where applicable)
- Statistical reporting
- Operational analysis
- Educational purposes
Bloomfield Wellness & Aesthetics will de-identify information only in accordance with applicable legal standards.
2.17 Need-to-Know Principle
The Need-to-Know Principle means workforce members access only the information necessary to perform assigned responsibilities.
Curiosity is never a legitimate reason to access patient records.
Examples of prohibited access include:
- Reviewing records of family members without authorization.
- Viewing records of coworkers.
- Accessing celebrity records out of curiosity.
- Looking up neighbors or friends.
- Reviewing your own medical record through internal systems without authorization.
Unauthorized access is grounds for disciplinary action.
2.18 Definition Summary
Every workforce member should remember these fundamental principles:
- PHI belongs to the patient; Bloomfield Wellness & Aesthetics is entrusted with protecting it.
- Every access to PHI must have a legitimate treatment, payment, healthcare operations, or other legally permitted purpose.
- When in doubt, disclose less—not more—and seek guidance from the Privacy Officer or HIPAA Security Officer before acting.
SECTION 3
HIPAA PRIVACY RULE
3.1 Purpose
The HIPAA Privacy Rule establishes national standards governing the use and disclosure of Protected Health Information (PHI). Bloomfield Wellness & Aesthetics is committed to ensuring that every workforce member understands these standards and applies them consistently in daily operations.
The Privacy Rule is intended to:
- Protect the confidentiality of patient information.
- Allow appropriate information sharing necessary for quality healthcare.
- Provide patients with rights regarding their medical information.
- Establish safeguards to prevent unauthorized disclosure.
- Promote patient confidence in the healthcare system.
Compliance with the HIPAA Privacy Rule is mandatory for every workforce member, regardless of position or employment status.
3.2 General Privacy Principles
Bloomfield Wellness & Aesthetics follows these core privacy principles:
- Patients have a right to privacy.
- PHI shall only be used or disclosed when legally permitted or authorized.
- Workforce members shall access only the information necessary to perform assigned duties.
- Patient dignity and confidentiality shall always be respected.
- Privacy protections apply regardless of whether information is spoken, written, photographed, or stored electronically.
3.3 Permitted Uses and Disclosures Without Patient Authorization
HIPAA permits Bloomfield Wellness & Aesthetics to use or disclose Protected Health Information without obtaining written authorization for certain purposes.
These include:
Treatment
Information may be shared among healthcare providers involved in patient care.
Examples include:
- Referrals
- Laboratory orders
- Consultation requests
- Prescription management
- Medication reconciliation
- Care coordination
- Emergency treatment
Payment
Information may be used to:
- Submit insurance claims
- Verify insurance eligibility
- Obtain prior authorization
- Process patient payments
- Coordinate benefits
- Conduct billing audits
- Collect outstanding balances
Healthcare Operations
PHI may be used for:
- Quality improvement
- Credentialing
- Staff education
- Internal audits
- Compliance investigations
- Practice management
- Risk management
- Performance improvement
- Infection prevention
- Accreditation activities
3.4 Uses Requiring Written Authorization
Unless another HIPAA exception applies, Bloomfield Wellness & Aesthetics will obtain a written authorization before using or disclosing PHI for purposes such as:
- Marketing communications that require authorization
- Most disclosures to employers
- Most disclosures to attorneys when not otherwise required by law
- Use of patient testimonials
- Use of patient photographs for advertising
- Sale of Protected Health Information (which BWA does not engage in)
- Uses not otherwise permitted under HIPAA
The authorization must include all elements required by HIPAA and may be revoked prospectively by the patient.
3.5 Incidental Disclosures
Despite reasonable safeguards, limited incidental disclosures may occur during normal healthcare operations.
Examples include:
- Another patient briefly overhearing a name called in the reception area.
- A visitor seeing a sign-in sheet containing only limited identifying information.
- Conversations between providers conducted in appropriate clinical settings that are inadvertently overheard.
Incidental disclosures are permissible only when:
- Reasonable safeguards are in place.
- The disclosure is unavoidable.
- The workforce member has otherwise complied with HIPAA.
3.6 Minimum Necessary Standard
Except for disclosures related to treatment or other HIPAA exceptions, workforce members shall disclose only the minimum amount of information necessary to accomplish the intended purpose.
Examples include:
Appropriate:
- Billing staff accessing diagnosis codes necessary for claim submission.
- Reception staff confirming appointment times.
- Providers reviewing complete records before treatment.
Inappropriate:
- Reviewing unrelated portions of a patient's chart.
- Printing entire records when only one office note is required.
- Discussing unnecessary medical details with non-clinical staff.
Department managers are responsible for ensuring workforce access aligns with job responsibilities.
3.7 Patient Directory Information
Bloomfield Wellness & Aesthetics generally does not maintain a public patient directory.
Patient names, appointment information, and treatment details will not be released to callers or visitors without patient permission unless otherwise permitted or required by law.
3.8 Verification Before Disclosure
Before releasing PHI, workforce members shall make reasonable efforts to verify the identity and authority of the requesting individual.
Verification methods may include:
- Government-issued photo identification.
- Patient portal authentication.
- Date of birth and address verification.
- Written authorization.
- Legal documentation (e.g., healthcare power of attorney, guardianship).
- Professional credentials for healthcare providers.
No PHI shall be released when identity or authority cannot be reasonably verified.
3.9 Telephone Communications
When communicating by telephone, workforce members shall:
- Confirm the identity of the caller.
- Limit disclosures to the minimum necessary.
- Avoid discussing PHI in public areas.
- Verify callback numbers when appropriate.
- Use professional judgment before leaving voicemail messages.
Voicemail messages should generally include only limited information, such as:
"This is Bloomfield Wellness & Aesthetics calling regarding your appointment. Please contact our office at (412) 999-4306."
Detailed medical information should not be left on voicemail unless the patient has specifically authorized it.
3.10 Reception Area Privacy
Reception staff shall make reasonable efforts to protect patient privacy.
Examples include:
- Speaking in a low voice when discussing patient information.
- Positioning computer monitors away from public view.
- Limiting visible paperwork.
- Avoiding unnecessary discussion of diagnoses.
- Calling patients by name only when appropriate.
- Avoiding discussion of financial matters where others may overhear.
3.11 Waiting Room Practices
Workforce members shall:
- Avoid discussing confidential medical information within hearing distance of other patients.
- Use private consultation rooms when discussing sensitive matters.
- Maintain professional discretion regarding patient identity and reason for visit.
3.12 Conversations in Clinical Areas
Clinical discussions involving PHI should occur only:
- In treatment rooms.
- In provider offices.
- In designated staff areas.
- Through secure communication systems.
Discussions should never occur in elevators, hallways, parking lots, restaurants, or other public locations where they may be overheard.
3.13 Email Communications
Email containing PHI shall be transmitted only through approved methods consistent with practice policy.
Workforce members shall:
- Verify recipient addresses before sending.
- Avoid using personal email accounts for patient care.
- Use encryption when appropriate.
- Report misdirected emails immediately.
3.14 Text Messaging
Text messaging containing PHI shall occur only through approved communication methods authorized by Bloomfield Wellness & Aesthetics.
Personal texting of patient information from personal devices is prohibited unless specifically authorized under practice policy and appropriate safeguards are in place.
3.15 Social Media
Workforce members shall never post patient information on social media without a valid written authorization.
Prohibited activities include:
- Posting clinical photographs.
- Sharing patient stories that identify individuals.
- Discussing interesting cases in a manner that could identify a patient.
- Responding to online comments in a way that confirms an individual is a patient.
Even if a patient publicly identifies themselves as a patient of Bloomfield Wellness & Aesthetics, workforce members shall not confirm the treatment relationship through social media.
3.16 Photography in the Practice
Clinical photographs are considered Protected Health Information when they identify or can reasonably identify a patient.
Photography shall be:
- Clinically appropriate.
- Securely stored.
- Accessed only by authorized personnel.
- Used only for authorized purposes.
Marketing use requires a separate written authorization.
3.17 Media Requests
All requests from television stations, newspapers, magazines, podcasts, bloggers, influencers, or other media organizations shall be referred to practice leadership.
Workforce members shall not disclose patient information to the media without appropriate authorization or legal authority.
3.18 Privacy Complaints
Patients have the right to file complaints regarding the privacy of their information.
Every complaint shall be:
- Taken seriously.
- Documented.
- Promptly investigated.
- Reviewed by the Privacy Officer.
- Resolved in accordance with practice policy.
Retaliation against any patient or workforce member who reports a good-faith privacy concern is strictly prohibited.
3.19 Practical Workforce Examples
Appropriate
✓ Discussing laboratory results privately with the treating provider.
✓ Accessing the chart of a patient you are actively treating.
✓ Confirming an appointment with the patient.
✓ Sending records pursuant to a valid authorization.
Inappropriate
✗ Looking up your neighbor's laboratory results.
✗ Viewing a celebrity's chart out of curiosity.
✗ Discussing patient care in the break room where visitors are present.
✗ Photographing a patient with a personal cellphone.
✗ Taking screenshots of medical records.
✗ Sharing patient stories on personal social media.
3.20 Privacy Rule Summary
Every workforce member should remember these guiding principles:
- Treat every patient's information as if it were your own.
- Access only what you need to do your job.
- When uncertain, ask the Privacy Officer before disclosing information.
- Protect confidentiality in every conversation, document, and electronic communication.
- Privacy is not simply a legal requirement—it is fundamental to patient trust and the mission of Bloomfield Wellness & Aesthetics.
SECTION 4
HIPAA SECURITY RULE
4.1 Purpose
The HIPAA Security Rule establishes national standards for protecting Electronic Protected Health Information ("ePHI"). Bloomfield Wellness & Aesthetics is committed to implementing comprehensive administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of all electronic patient information.
The objectives of this Security Rule policy are to:
- Protect electronic Protected Health Information from unauthorized access.
- Prevent data loss, alteration, or destruction.
- Maintain secure access to patient information for authorized users.
- Reduce cybersecurity risk.
- Ensure continuity of patient care.
- Maintain compliance with HIPAA, HITECH, and applicable Pennsylvania laws.
Every workforce member is responsible for complying with the safeguards described in this manual.
4.2 Security Program Objectives
Bloomfield Wellness & Aesthetics' Information Security Program is designed to:
- Protect patient confidentiality.
- Preserve data integrity.
- Maintain system availability.
- Reduce cybersecurity threats.
- Ensure regulatory compliance.
- Promote safe clinical operations.
- Minimize operational disruptions.
- Support disaster recovery.
- Foster workforce security awareness.
- Continuously improve security practices.
4.3 Security Management Process
Bloomfield Wellness & Aesthetics maintains an ongoing Security Management Process consisting of:
Risk Analysis
We conduct periodic risk analyses to identify potential threats and vulnerabilities affecting electronic Protected Health Information.
Risk analyses evaluate:
- Hardware
- Software
- Mobile devices
- Cloud systems
- Third-party vendors
- Workforce practices
- Physical security
- Cybersecurity threats
- Remote access
- Business continuity
Risk Management
After risks are identified, Bloomfield Wellness & Aesthetics implements reasonable and appropriate safeguards to reduce those risks.
Examples include:
- Security updates
- Policy revisions
- Workforce education
- Vendor oversight
- Multi-factor authentication
- Encryption
- Improved access controls
- Enhanced monitoring
4.4 Assigned Security Responsibility
Bloomfield Wellness & Aesthetics designates a HIPAA Security Officer responsible for implementing and overseeing the Security Rule.
Current Security Officer:
Kathryn Confer, PharmD
Responsibilities include:
- Conducting security risk analyses
- Developing security policies
- Monitoring cybersecurity
- Investigating security incidents
- Coordinating breach response
- Overseeing technical safeguards
- Maintaining security documentation
- Coordinating workforce security training
4.5 Workforce Security
Access to electronic Protected Health Information is limited to authorized workforce members.
Prior to receiving system access, workforce members shall:
- Complete orientation.
- Complete HIPAA Privacy training.
- Complete HIPAA Security training.
- Sign a Confidentiality Agreement.
- Receive role-based access.
- Review applicable policies.
When employment or contractual relationships end, system access shall be promptly modified or terminated.
4.6 Information Access Management
Electronic access is granted according to each workforce member's responsibilities.
Examples include:
Providers
Access may include:
- Complete medical records
- Laboratory results
- Imaging reports
- Medication history
- Clinical documentation
- Scheduling
- Billing summaries as necessary
Nursing and Clinical Staff
Access generally includes:
- Clinical documentation
- Medication administration information
- Laboratory results
- Treatment plans
- Appointment information
Reception Staff
Access generally includes:
- Scheduling
- Demographics
- Insurance information
- Limited billing information
Reception personnel should not routinely access complete provider documentation unless necessary for assigned duties.
Billing Personnel
Access generally includes:
- Charges
- Insurance information
- Procedure codes
- Diagnosis codes
- Payment history
IT Personnel
IT personnel receive only the level of access necessary to maintain systems and are expected to avoid accessing patient records unless operationally necessary.
4.7 Security Awareness Training
All workforce members shall participate in ongoing cybersecurity education.
Training topics include:
- Password security
- Phishing recognition
- Malware
- Ransomware
- Device security
- Remote work security
- Safe internet browsing
- Email security
- Social engineering
- Secure disposal
- Incident reporting
Training is documented and retained.
4.8 Password Policy
Passwords shall meet current organizational standards.
Passwords shall:
- Be unique.
- Not be shared.
- Not be reused across critical systems.
- Be kept confidential.
- Be changed whenever compromise is suspected.
Employees shall never:
- Write passwords on visible notes.
- Share passwords with coworkers.
- Send passwords through unsecured email or text.
- Allow another individual to log in using their credentials.
4.9 Multi-Factor Authentication (MFA)
Whenever supported, multi-factor authentication shall be enabled for:
- Electronic Health Records
- Remote access
- Cloud services
- Administrative accounts
- Email systems
- Financial applications
Examples of secondary authentication include:
- Authentication applications
- Hardware tokens
- SMS verification (when appropriate)
- Biometric authentication
4.10 Workstation Security
All workstations capable of accessing ePHI shall be protected through reasonable safeguards.
Employees shall:
- Lock computers before leaving workstations.
- Log off at the end of each shift.
- Position monitors away from public view.
- Protect printed documents.
- Avoid leaving records unattended.
Automatic screen-lock functionality should be enabled whenever practical.
4.11 Mobile Device Security
Mobile devices capable of accessing ePHI include:
- Smartphones
- Tablets
- Laptops
- Portable storage devices
Security requirements include:
- Device passcodes
- Encryption where available
- Automatic locking
- Remote wipe capability when supported
- Approved applications
- Current software updates
Lost or stolen devices must be reported immediately.
4.12 Bring Your Own Device (BYOD)
Personally owned devices may access practice information only when authorized by Bloomfield Wellness & Aesthetics.
Requirements include:
- Security approval
- Password protection
- Current operating system
- Antivirus protection where appropriate
- Immediate reporting of loss or theft
- Compliance with mobile device policies
The practice reserves the right to revoke access to any personal device that does not meet security standards.
4.13 Remote Access
Remote access shall occur only through approved secure methods.
Examples include:
- Encrypted Virtual Private Network (VPN)
- Secure cloud applications
- Multi-factor authentication
- Approved remote desktop solutions
Public computers should never be used to access electronic Protected Health Information.
4.14 Email Security
Employees shall:
- Verify recipients before sending messages.
- Avoid transmitting unnecessary PHI.
- Use approved email systems.
- Report suspicious emails immediately.
- Never open unexpected attachments.
- Avoid clicking suspicious links.
Email containing PHI should utilize secure transmission methods whenever appropriate.
4.15 Phishing Prevention
Phishing remains one of the leading causes of healthcare data breaches.
Employees should be alert for:
- Urgent payment requests
- Unexpected password reset messages
- Suspicious hyperlinks
- Unknown attachments
- Misspelled domains
- Requests for login credentials
- Requests to bypass established procedures
If uncertain, employees shall contact the IT department or Security Officer before responding.
4.16 Malware Protection
Practice systems shall utilize commercially reasonable protections against malicious software.
Security measures may include:
- Antivirus software
- Endpoint Detection and Response (EDR)
- Email filtering
- Web filtering
- Threat detection
- Software updates
Employees shall never intentionally disable security software.
4.17 Encryption
Encryption shall be utilized whenever appropriate to protect ePHI.
Encryption may apply to:
- Laptop computers
- Mobile devices
- Cloud storage
- Portable media
- Secure messaging
- Backup systems
- Electronic transmission
Although encryption significantly reduces risk, workforce members must continue to follow all other privacy and security safeguards.
4.18 Audit Controls
Electronic systems should maintain audit capabilities that record events including:
- User logins
- Failed login attempts
- Record access
- Record modification
- Record deletion
- Administrative changes
- Export activity
- Printing activity
Audit logs support investigations, quality improvement, and regulatory compliance.
4.19 Integrity Controls
Bloomfield Wellness & Aesthetics maintains safeguards designed to ensure electronic information is not improperly altered or destroyed.
Examples include:
- User authentication
- Version controls where applicable
- Audit logging
- Backup procedures
- System monitoring
- Controlled editing permissions
Medical records shall accurately reflect the care provided and shall not be altered to conceal errors or misrepresent clinical services.
4.20 Transmission Security
Electronic transmission of ePHI shall occur using secure technologies whenever reasonably available.
Examples include:
- Secure patient portals
- Encrypted email
- Secure electronic prescribing
- Secure laboratory interfaces
- Encrypted telehealth platforms
- Secure electronic fax systems
Transmission methods shall be periodically evaluated as technology evolves.
4.21 Security Rule Summary
Every workforce member plays a critical role in protecting electronic Protected Health Information.
Remember these guiding principles:
- Lock your workstation whenever unattended.
- Never share passwords.
- Verify recipients before sending information.
- Report suspicious activity immediately.
- Protect mobile devices.
- Access only the information necessary to perform your job.
- When uncertain, contact the HIPAA Security Officer before taking action.
Maintaining strong security practices protects our patients, our workforce, and the mission of Bloomfield Wellness & Aesthetics while ensuring compliance with federal and Pennsylvania law.
SECTION 5
HIPAA ADMINISTRATIVE SAFEGUARDS
HIPAA Security Rule: Administrative Safeguards (45 CFR §164.308)
5.1 Purpose
Administrative Safeguards are the policies, procedures, and management practices that direct how Bloomfield Wellness & Aesthetics protects Electronic Protected Health Information ("ePHI").
These safeguards establish the organizational framework necessary to ensure that all workforce members understand their responsibilities and consistently apply appropriate privacy and security measures.
Bloomfield Wellness & Aesthetics maintains Administrative Safeguards that are reasonable, appropriate, and scalable based on the size, complexity, services, and operational needs of the practice.
5.2 Administrative Safeguard Objectives
The objectives of our Administrative Safeguards are to:
- Protect patient confidentiality.
- Reduce cybersecurity risk.
- Ensure compliance with HIPAA.
- Promote workforce accountability.
- Establish consistent security procedures.
- Prepare the organization for emergencies.
- Reduce human error.
- Detect inappropriate access.
- Respond rapidly to security incidents.
- Continuously improve our compliance program.
5.3 Security Management Process
Bloomfield Wellness & Aesthetics maintains an ongoing Security Management Process consisting of:
A. Risk Analysis
A formal Security Risk Analysis shall be performed:
- Prior to implementation of new technology
- At least annually
- Following major operational changes
- Following significant security incidents
- Whenever new threats emerge
The Risk Analysis evaluates:
- Electronic Health Records
- Patient Portal
- Practice Management Software
- Cloud Storage
- Email Systems
- Mobile Devices
- Wireless Networks
- Firewalls
- Third-Party Vendors
- Medical Equipment connected to networks
- Telehealth Platforms
- Payment Systems
Each identified risk shall receive:
- Likelihood rating
- Impact rating
- Overall risk score
- Recommended mitigation
- Assigned responsible individual
- Target completion date
B. Risk Management
Once risks are identified, Bloomfield Wellness & Aesthetics shall implement corrective actions appropriate to the level of risk.
Examples include:
- Software upgrades
- Enhanced encryption
- Multi-factor authentication
- Password changes
- Additional employee training
- Vendor remediation
- Hardware replacement
- Policy revisions
- Additional monitoring
Risk mitigation efforts shall be documented.
5.4 Sanction Policy
Bloomfield Wellness & Aesthetics maintains a zero-tolerance approach toward intentional HIPAA violations.
Violations are evaluated based upon:
- Intent
- Severity
- Harm caused
- Previous violations
- Corrective actions taken
Possible sanctions include:
Level I
Minor accidental violations
Examples:
- Leaving workstation unlocked
- Failure to shred documents
- Discussing PHI too loudly
Possible Actions:
- Coaching
- Retraining
- Verbal counseling
Level II
Moderate violations
Examples:
- Accessing records without clinical need
- Sharing passwords
- Improper emailing of PHI
Possible Actions:
- Written warning
- Mandatory retraining
- Suspension of system access
- Performance improvement plan
Level III
Serious violations
Examples:
- Intentional snooping
- Downloading medical records
- Unauthorized photography
- Posting PHI online
- Theft of information
- Sale of patient information
Possible Actions:
- Immediate suspension
- Termination
- Reporting to licensing boards
- Civil penalties
- Criminal referral when appropriate
5.5 Information System Activity Review
Bloomfield Wellness & Aesthetics shall periodically review:
- Audit logs
- Login reports
- Failed login attempts
- Access reports
- Export reports
- Printing activity
- Remote access logs
- Administrative account activity
Monitoring may be conducted:
- Daily for critical alerts
- Weekly for selected systems
- Monthly for routine audits
- Following reported incidents
Abnormal activity shall be investigated promptly.
5.6 Assigned Security Responsibility
The HIPAA Security Officer is responsible for implementing and maintaining the Security Rule.
Primary responsibilities include:
- Security Risk Analysis
- Policy development
- Incident investigations
- Cybersecurity oversight
- Workforce training
- Vendor security oversight
- Annual program evaluation
- OCR investigation support
- Security documentation
Current Security Officer:
Kathryn Confer, PharmD
5.7 Workforce Security
Access to ePHI shall be managed throughout the workforce lifecycle.
Before Employment
Where appropriate:
- Background screening
- License verification
- Credential verification
- Confidentiality Agreement
- HIPAA Orientation
During Employment
Employees shall:
- Maintain confidentiality
- Complete annual HIPAA training
- Report incidents immediately
- Protect passwords
- Follow security policies
- Maintain professional conduct
Upon Separation
Immediately upon termination or resignation:
- Disable user accounts
- Recover keys
- Recover badges
- Recover laptops
- Recover mobile devices
- Recover access cards
- Remove remote access
- Disable email access
- Recover practice-owned media
The Security Officer or designee shall document completion.
5.8 Information Access Management
Role-based access shall be assigned according to job responsibilities.
Examples include:
Clinical Providers
Access:
- Complete medical records
- Laboratory results
- Imaging
- Prescriptions
- Clinical documentation
Medical Assistants
Access:
- Assigned patient schedules
- Clinical documentation
- Orders
- Medication history
Reception
Access:
- Scheduling
- Registration
- Demographics
- Insurance
Billing
Access:
- Financial records
- Charges
- Insurance
- Claims
IT Personnel
Access only as operationally necessary.
5.9 Security Awareness Program
Bloomfield Wellness & Aesthetics maintains an ongoing Security Awareness Program.
Topics include:
- HIPAA
- Passwords
- Email security
- Social engineering
- Phishing
- Malware
- Ransomware
- Mobile device security
- Internet safety
- Physical security
- Remote work
- AI and emerging technologies
- Data privacy
Security reminders shall be distributed periodically.
5.10 Workforce Clearance Procedures
Prior to receiving access to systems containing ePHI, workforce members shall:
- Complete orientation
- Complete HIPAA Privacy training
- Complete HIPAA Security training
- Review applicable policies
- Receive supervisor approval
- Receive Security Officer approval when appropriate
No employee shall receive unrestricted access upon hire.
5.11 Password Management
Bloomfield Wellness & Aesthetics shall maintain formal password procedures.
Passwords shall never be:
- Shared
- Written on sticky notes
- Stored in browsers without authorization
- Sent through unsecured email
- Reused after compromise
Employees shall immediately change passwords if compromise is suspected.
5.12 Contingency Planning
Bloomfield Wellness & Aesthetics maintains contingency plans to ensure continuity of operations.
The Contingency Plan addresses:
- Fire
- Flood
- Power outage
- Cyberattack
- Ransomware
- Tornado
- Severe weather
- Hardware failure
- Software failure
- Internet outage
- Building evacuation
Patient care remains the highest operational priority during emergencies.
5.13 Data Backup Plan
Critical systems shall be backed up according to operational requirements.
Backup objectives include:
- Recovery of medical records
- Restoration of scheduling
- Billing continuity
- Clinical documentation recovery
- Regulatory compliance
Backups shall be protected using appropriate physical and technical safeguards.
5.14 Disaster Recovery Plan
The Disaster Recovery Plan identifies procedures for restoring systems after catastrophic events.
Recovery priorities:
Priority 1
- Electronic Health Record
- Scheduling
- Clinical communications
Priority 2
- Billing
- Financial systems
Priority 3
- Administrative systems
- Archived information
Testing of recovery procedures should occur periodically.
5.15 Emergency Mode Operation Plan
During emergencies, Bloomfield Wellness & Aesthetics shall continue critical healthcare operations whenever safely possible.
Examples include:
- Emergency patient treatment
- Access to essential records
- Medication management
- Laboratory coordination
- Provider communications
Emergency procedures shall prioritize patient safety while protecting PHI.
5.16 Evaluation
The HIPAA Security Program shall be evaluated:
- Annually
- Following major technology implementations
- Following significant security incidents
- Following OCR guidance updates
- Following significant regulatory changes
Evaluations assess:
- Policy effectiveness
- Workforce compliance
- Technical safeguards
- Vendor performance
- Cybersecurity posture
- Documentation quality
Corrective actions shall be documented and tracked to completion.
5.17 Business Associate Oversight
Administrative Safeguards extend to third-party vendors.
Bloomfield Wellness & Aesthetics shall:
- Maintain current Business Associate Agreements
- Evaluate vendor security
- Monitor significant vendor incidents
- Review contractual responsibilities
- Document corrective actions when necessary
High-risk vendors may undergo additional review before implementation.
5.18 Documentation Requirements
The following documentation shall be maintained as part of the HIPAA Administrative Safeguards Program:
- HIPAA Policies
- Security Risk Analyses
- Training Records
- Incident Reports
- Breach Investigations
- Sanction Documentation
- Audit Reports
- Business Associate Agreements
- Contingency Planning Documents
- Disaster Recovery Testing
- Annual Evaluations
- Corrective Action Plans
Documentation shall be retained in accordance with applicable federal and Pennsylvania record retention requirements.
5.19 Administrative Safeguards Summary
Administrative Safeguards provide the management framework supporting Bloomfield Wellness & Aesthetics' HIPAA compliance program.
Every workforce member contributes to security by:
- Following policies.
- Protecting passwords.
- Reporting suspicious activity.
- Completing required training.
- Using sound professional judgment.
- Maintaining patient confidentiality.
Strong Administrative Safeguards reduce risk, strengthen patient trust, and support the mission of Bloomfield Wellness & Aesthetics to provide exceptional, secure, and compliant healthcare services.
SECTION 6
HIPAA PHYSICAL SAFEGUARDS
HIPAA Security Rule – Physical Safeguards (45 CFR §164.310)
6.1 Purpose
Physical Safeguards are the physical measures, policies, procedures, and environmental controls implemented by Bloomfield Wellness & Aesthetics to protect facilities, equipment, workstations, and media that contain Electronic Protected Health Information ("ePHI") or other confidential patient information.
The objectives of this policy are to:
- Prevent unauthorized physical access to Protected Health Information.
- Protect electronic systems from theft, damage, or misuse.
- Safeguard patients, workforce members, and visitors.
- Maintain secure operations during routine business and emergencies.
- Ensure compliance with the HIPAA Security Rule.
Every workforce member shares responsibility for maintaining the physical security of the practice.
6.2 Scope
This policy applies to:
- Clinical treatment rooms
- Reception areas
- Provider offices
- Administrative offices
- Medical records storage areas
- Medication storage areas
- Laboratory specimen collection areas
- Staff workstations
- Server equipment
- Network equipment
- Portable electronic devices
- Practice-owned vehicles transporting records or equipment
- Any location where Bloomfield Wellness & Aesthetics stores or accesses Protected Health Information
6.3 Facility Access Controls
Bloomfield Wellness & Aesthetics maintains reasonable physical security measures to protect facilities containing PHI and ePHI.
Examples include:
- Controlled building access
- Locked exterior doors when the office is closed
- Alarm systems
- Security cameras in appropriate non-clinical areas
- Exterior lighting
- Restricted employee-only areas
- Secure locking mechanisms
- Controlled key distribution
Only authorized individuals may access restricted areas.
6.4 Restricted Areas
The following areas shall be restricted to authorized personnel:
- Provider offices
- Medication storage
- Supply rooms containing confidential records
- IT/network equipment locations
- Records storage areas
- Administrative offices containing confidential files
- Billing offices
- Human Resources records
- Compliance records
- Credentialing files
Patients and visitors shall not enter restricted areas unless escorted by an authorized workforce member.
6.5 Key and Access Control Management
Physical keys, access cards, key fobs, keypad codes, and electronic credentials shall be managed securely.
Requirements include:
- Issuing credentials only to authorized personnel.
- Maintaining an access log where appropriate.
- Promptly recovering credentials upon separation from employment.
- Immediately reporting lost or stolen keys or badges.
- Changing access codes when security is compromised.
Duplicate keys shall not be made without authorization from practice leadership.
6.6 Visitor Management
Visitors include:
- Vendors
- Delivery personnel
- Maintenance personnel
- Consultants
- Contractors
- Surveyors
- Inspectors
- Guests
Visitors entering non-public areas should:
- Check in at reception.
- Be escorted when appropriate.
- Wear visitor identification if utilized by the practice.
- Limit access to the specific area necessary for their visit.
Visitors shall not have unsupervised access to Protected Health Information unless authorized by law or contract.
6.7 Workforce Identification
Workforce members should wear identification badges while on duty when required by practice policy.
Identification badges should include:
- Employee name
- Position or title
- Practice identification
Employees shall not allow unauthorized individuals to enter restricted areas by "tailgating" or sharing access credentials.
6.8 Reception Area Security
Reception areas shall be arranged to protect patient confidentiality.
Reasonable safeguards include:
- Positioning computer monitors away from public view.
- Using privacy screens where appropriate.
- Limiting visible paperwork.
- Keeping sign-in procedures compliant with HIPAA.
- Avoiding unnecessary discussion of diagnoses or treatment.
- Promptly securing completed registration forms.
Reception staff shall exercise discretion when speaking with patients.
6.9 Waiting Room Privacy
Reasonable efforts shall be made to minimize unnecessary disclosure of patient information in waiting areas.
Examples include:
- Calling patients by first name and last initial when appropriate.
- Avoiding announcements of diagnoses or procedures.
- Using private consultation rooms for sensitive conversations.
- Maintaining appropriate distance between workstations and seating areas.
6.10 Clinical Treatment Rooms
Treatment rooms shall be maintained to protect patient privacy.
Requirements include:
- Closing doors or curtains during examinations and procedures.
- Securing paper documentation when not in use.
- Logging off electronic systems when rooms are unattended.
- Properly storing medications and supplies.
- Preventing unauthorized photography or recording.
Only individuals necessary for patient care should be present unless the patient requests otherwise.
6.11 Workstation Use Policy
Workstations include:
- Desktop computers
- Laptops
- Tablets
- Thin clients
- Mobile carts
- Documentation stations
Workstations shall be used solely for authorized business purposes.
Employees shall:
- Log in using their own credentials.
- Lock screens whenever leaving the workstation.
- Log off at the end of the workday.
- Protect patient information from public view.
- Avoid storing PHI locally unless authorized.
6.12 Workstation Positioning
Computer monitors shall be positioned to reduce the risk of unauthorized viewing.
Examples include:
- Facing away from waiting rooms.
- Facing away from public hallways.
- Using privacy filters where appropriate.
- Avoiding placement near windows visible to the public.
Whenever possible, confidential conversations should occur away from active computer screens.
6.13 Clean Desk Policy
At the conclusion of each workday, and whenever practical during business hours, workforce members shall secure confidential materials.
Employees shall:
- File patient records.
- Lock confidential documents in cabinets or drawers.
- Remove sticky notes containing passwords or patient information.
- Shred unnecessary documents.
- Secure portable media.
- Remove prescription pads from public view.
- Lock medication cabinets.
No confidential documents shall remain unattended in public or shared areas.
6.14 Paper Record Security
Paper medical records remain Protected Health Information.
Paper records shall be:
- Stored in secure locations.
- Accessible only to authorized personnel.
- Protected from water, fire, theft, and unauthorized viewing.
- Transported securely.
- Never left unattended in patient-accessible areas.
Records removed from secure storage shall be returned promptly.
6.15 Medical Record Storage
Archived medical records shall be stored in secure locations with protections including:
- Controlled access
- Locked storage
- Environmental protections
- Fire protection where feasible
- Organized indexing
- Inventory tracking
Only authorized personnel may retrieve archived records.
6.16 Portable Device Security
Portable devices capable of storing or accessing PHI include:
- Laptops
- Tablets
- Smartphones
- External hard drives
- USB storage devices
Whenever possible, these devices shall:
- Be encrypted.
- Require authentication.
- Remain under workforce control.
- Be secured during transportation.
- Never be left unattended in public places or visible inside vehicles.
Loss or theft shall be reported immediately.
6.17 Server and Network Equipment
Network infrastructure supporting ePHI shall be protected through reasonable physical safeguards.
Examples include:
- Locked equipment rooms
- Restricted access
- Environmental controls
- Cable management
- Uninterruptible Power Supplies (UPS)
- Surge protection
- Fire suppression systems where appropriate
Only authorized personnel may service network equipment.
6.18 Environmental Controls
Bloomfield Wellness & Aesthetics shall implement reasonable measures to protect equipment from environmental hazards.
Considerations include:
- Fire
- Smoke
- Water damage
- Excessive heat
- Humidity
- Dust
- Electrical surges
- Power outages
Critical equipment should be protected whenever practical.
6.19 Equipment Inventory
The practice shall maintain an inventory of technology assets capable of storing or accessing ePHI.
Examples include:
- Desktop computers
- Laptops
- Tablets
- Smartphones
- Network switches
- Servers
- Backup devices
- Firewalls
- Printers with storage capability
- Multifunction copiers
Inventory records should include assignment, location, and disposition when equipment is retired.
6.20 Media Controls
Electronic media containing ePHI shall be managed throughout its lifecycle.
Procedures include:
- Receipt
- Inventory
- Secure storage
- Transportation
- Reuse
- Disposal
- Destruction
No electronic media shall be discarded until patient information has been securely removed.
6.21 Equipment Disposal
Before disposal, sale, recycling, donation, or return of equipment, Bloomfield Wellness & Aesthetics shall ensure that all Protected Health Information has been securely removed.
Approved methods may include:
- Cryptographic erasure
- Secure overwriting
- Physical destruction of storage media
- Certified destruction vendors
Documentation of disposal should be maintained.
6.22 Transportation of PHI
Whenever records or devices containing PHI are transported outside the practice:
- Records shall remain under the control of authorized personnel.
- Documents shall be placed in closed containers or locked cases.
- Devices shall be password protected and encrypted where appropriate.
- Records shall never be left unattended in vehicles unless absolutely necessary and secured from view.
6.23 Emergency Physical Security
During emergencies, workforce members shall prioritize:
- Patient safety.
- Workforce safety.
- Protection of medications.
- Protection of medical records.
- Protection of technology.
- Secure shutdown of equipment when feasible.
- Restricting unauthorized access to the facility.
Emergency response procedures are coordinated with the practice's Emergency Operations Plan.
6.24 Physical Safeguards Summary
Physical Safeguards are a critical component of HIPAA compliance. Every workforce member contributes by:
- Securing workstations.
- Protecting paper records.
- Safeguarding portable devices.
- Escorting visitors appropriately.
- Maintaining a clean desk.
- Reporting lost keys, badges, or devices immediately.
- Remaining alert to suspicious activity.
Strong physical security protects patient information, supports clinical operations, and reinforces Bloomfield Wellness & Aesthetics' commitment to privacy, professionalism, and regulatory compliance.
SECTION 7
HIPAA TECHNICAL SAFEGUARDS
HIPAA Security Rule – Technical Safeguards (45 CFR §164.312)
7.1 Purpose
Technical Safeguards are the technology-based controls used by Bloomfield Wellness & Aesthetics to protect Electronic Protected Health Information ("ePHI") from unauthorized access, alteration, disclosure, or destruction.
These safeguards work together with Administrative and Physical Safeguards to create a comprehensive information security program that protects patient information while allowing authorized workforce members timely access to information necessary for patient care.
7.2 Objectives
Bloomfield Wellness & Aesthetics implements Technical Safeguards to:
- Protect patient confidentiality.
- Ensure only authorized users access ePHI.
- Prevent unauthorized disclosure.
- Detect inappropriate activity.
- Maintain accurate medical records.
- Protect against cyber threats.
- Maintain availability of clinical systems.
- Support disaster recovery.
- Comply with HIPAA Security Rule requirements.
7.3 Unique User Identification
Every workforce member shall receive an individual user account.
Shared usernames are prohibited.
Each account shall be uniquely assigned to one authorized individual to ensure accountability.
Individual user accounts allow the practice to:
- Track access
- Audit activity
- Investigate incidents
- Limit permissions
- Support regulatory compliance
Employees shall never:
- Share usernames
- Use another employee's login
- Permit another person to document under their credentials
7.4 Authentication Standards
Bloomfield Wellness & Aesthetics shall implement reasonable methods to verify the identity of users before granting access to systems containing ePHI.
Authentication methods may include:
- Username and password
- Multi-factor authentication (MFA)
- Authentication applications
- Biometric verification
- Hardware security keys
- Smart cards
- Single Sign-On (SSO) integrated with approved identity providers
Authentication requirements may vary depending upon system sensitivity.
7.5 Role-Based Access Control (RBAC)
Electronic access shall be assigned according to workforce responsibilities.
Examples include:
Physicians and Advanced Practice Providers
May access:
- Complete medical records
- Orders
- Laboratory results
- Imaging
- Medication history
- Billing summaries when appropriate
Pharmacists
May access:
- Medication histories
- Prescription information
- Relevant diagnoses
- Laboratory information necessary for medication management
- Allergy documentation
- Clinical documentation supporting pharmaceutical care
Nursing and Clinical Staff
May access:
- Assigned patient records
- Orders
- Medication administration information
- Clinical documentation
Estheticians
May access only information necessary to perform aesthetic services, including:
- Consultation forms
- Skin assessments
- Procedure documentation
- Consent forms
- Clinical photographs
- Relevant medical history affecting treatment
Estheticians shall not access unrelated portions of the patient's medical record.
Reception
Access limited to:
- Scheduling
- Registration
- Insurance
- Demographics
- Limited billing information
Billing Staff
Access limited to:
- Claims
- Charges
- Insurance
- Financial information
- Diagnosis and procedure codes necessary for billing
7.6 Automatic Logoff
Systems containing ePHI should automatically terminate inactive sessions after an appropriate period of inactivity.
Automatic logoff helps prevent unauthorized access when workstations are left unattended.
Employees shall still manually lock workstations whenever leaving their work area.
7.7 Emergency Access Procedure
Bloomfield Wellness & Aesthetics maintains procedures allowing authorized access to ePHI during emergencies.
Emergency access procedures shall ensure:
- Continuity of patient care
- Appropriate documentation
- Limited use
- Prompt review following the emergency
Emergency access credentials shall be tightly controlled and used only when necessary.
7.8 Encryption Standards
Electronic Protected Health Information shall be encrypted whenever reasonable and appropriate.
Encryption should be utilized for:
- Laptop computers
- Mobile devices
- Portable media
- Cloud storage
- Backup systems
- Secure messaging
- Email containing PHI
- Telehealth communications
- File transfers
Encryption technologies should align with current industry standards and organizational policies.
7.9 Transmission Security
Bloomfield Wellness & Aesthetics protects ePHI during transmission through reasonable safeguards.
Approved transmission methods may include:
- Secure patient portals
- Encrypted email
- Secure electronic prescribing
- Secure laboratory interfaces
- Encrypted telehealth platforms
- Secure file transfer solutions
- Approved electronic fax services
Unencrypted transmission of PHI should occur only when specifically authorized, operationally necessary, and permitted by applicable policy.
7.10 Audit Controls
Electronic systems shall maintain audit capabilities recording activities including:
- User logins
- Failed login attempts
- Record viewing
- Record modification
- Record deletion
- Printing
- Data exports
- Administrative changes
- Password changes
- Privilege modifications
Audit logs provide accountability and assist with:
- Compliance monitoring
- Security investigations
- Breach investigations
- Internal audits
- OCR investigations
7.11 Audit Log Review
Audit logs shall be reviewed periodically.
Examples include:
Routine Reviews
- Random employee access
- Administrative accounts
- High-profile patient records
- Bulk exports
- Failed logins
Targeted Reviews
- Following patient complaints
- Following suspected snooping
- Following employee termination
- Following cybersecurity alerts
Documented investigations shall be maintained.
7.12 Integrity Controls
Bloomfield Wellness & Aesthetics maintains safeguards designed to ensure electronic information remains complete, accurate, and trustworthy.
Examples include:
- Controlled editing permissions
- Version tracking where available
- Authentication controls
- Database protections
- Audit logging
- Secure backups
- Antivirus protections
Medical documentation shall never be altered to conceal errors or misrepresent services provided.
7.13 Endpoint Protection
Practice-owned computers shall utilize commercially reasonable endpoint security measures, including when appropriate:
- Antivirus software
- Endpoint Detection and Response (EDR)
- Anti-malware protection
- Device encryption
- Firewall protection
- Automatic updates
- Threat monitoring
Security software shall not be disabled without authorization.
7.14 Network Security
Bloomfield Wellness & Aesthetics maintains reasonable network security measures, including:
- Firewalls
- Secure wireless networks
- Network segmentation where appropriate
- Intrusion detection and/or prevention systems
- Secure DNS services
- Network monitoring
- VPN access for approved remote users
Guest wireless networks, if provided, shall remain separate from internal clinical systems.
7.15 Cloud Security
Cloud services used by Bloomfield Wellness & Aesthetics shall be evaluated before implementation.
Considerations include:
- HIPAA compliance
- Business Associate Agreement availability
- Encryption
- Access controls
- Data backup
- Disaster recovery
- Vendor reputation
- Security certifications where applicable
Only approved cloud services may store ePHI.
7.16 Artificial Intelligence (AI) Systems
Artificial intelligence tools may improve efficiency but also introduce privacy and security risks.
Workforce members shall not enter Protected Health Information into public AI platforms unless:
- The platform has been formally approved by Bloomfield Wellness & Aesthetics.
- Appropriate contractual and privacy protections are in place.
- A Business Associate Agreement is executed when required.
- Use complies with organizational AI governance policies.
Examples of prohibited activity include:
- Copying patient charts into public AI tools.
- Uploading laboratory reports to consumer AI applications.
- Entering identifiable patient information into public chatbots.
- Using AI-generated clinical documentation without provider review.
Any AI-assisted documentation remains the responsibility of the treating provider and must be reviewed for accuracy before becoming part of the medical record.
7.17 Electronic Signatures
Electronic signatures shall comply with applicable legal and regulatory requirements.
Electronic signatures shall:
- Identify the signing individual.
- Be attributable to one authorized user.
- Be protected from unauthorized use.
- Be maintained within the medical record.
Signing another individual's documentation is strictly prohibited.
7.18 Data Loss Prevention
Bloomfield Wellness & Aesthetics employs reasonable safeguards to reduce the risk of unauthorized disclosure or loss of information.
Examples include:
- Controlled exports
- Printing restrictions where appropriate
- Secure file sharing
- Email monitoring
- Access restrictions
- Encryption
- Workforce education
7.19 Security Monitoring
Technology systems may be monitored to identify:
- Malware
- Ransomware
- Unauthorized access
- Data exfiltration
- Credential theft
- Privilege escalation
- Suspicious downloads
- Network anomalies
Alerts shall be investigated promptly by authorized personnel.
7.20 Technical Safeguards Summary
Technical Safeguards provide the technology foundation supporting HIPAA compliance at Bloomfield Wellness & Aesthetics.
Every workforce member shall:
- Use only assigned credentials.
- Protect passwords.
- Lock devices when unattended.
- Report suspicious activity immediately.
- Use only approved software and cloud services.
- Never enter PHI into unapproved AI platforms.
- Follow all security policies and procedures.
Strong Technical Safeguards reduce cybersecurity risk, support patient safety, and help ensure that Bloomfield Wellness & Aesthetics maintains the highest standards of privacy, security, and regulatory compliance.
SECTION 8
WORKFORCE CONFIDENTIALITY & EMPLOYEE HIPAA STANDARDS
8.1 Purpose
Every workforce member at Bloomfield Wellness & Aesthetics is entrusted with confidential patient information. Protecting that information is both a legal obligation and a professional responsibility.
This policy establishes the confidentiality standards expected of every employee, provider, contractor, student, volunteer, temporary worker, and any individual acting on behalf of Bloomfield Wellness & Aesthetics.
Confidentiality is a condition of employment and continued access to Protected Health Information (PHI).
8.2 Scope
This policy applies to every member of the Bloomfield Wellness & Aesthetics workforce, including:
- Physicians
- Pharmacists
- Nurse Practitioners
- Physician Assistants
- Registered Nurses
- Licensed Practical Nurses
- Medical Assistants
- Estheticians
- Laser Technicians
- Receptionists
- Billing Personnel
- Administrative Staff
- Students
- Interns
- Volunteers
- Independent Contractors
- Temporary Employees
- Consultants
- IT Personnel
Confidentiality obligations continue after employment or contractual relationships end.
8.3 Confidentiality Expectations
Every workforce member shall:
- Maintain strict patient confidentiality.
- Access only information necessary to perform assigned duties.
- Protect passwords and authentication credentials.
- Secure workstations whenever unattended.
- Report suspected HIPAA violations immediately.
- Protect paper and electronic records.
- Maintain professionalism in all communications.
- Follow all Bloomfield Wellness & Aesthetics privacy and security policies.
8.4 Workforce Confidentiality Agreement
Prior to receiving access to PHI, every workforce member shall:
- Complete HIPAA Orientation.
- Complete HIPAA Privacy Training.
- Complete HIPAA Security Training.
- Review applicable policies.
- Sign the Workforce Confidentiality Agreement.
The signed agreement shall be maintained in the employee's personnel file.
8.5 Need-to-Know Standard
Protected Health Information may only be accessed when required to perform assigned responsibilities.
Examples of appropriate access include:
✓ Reviewing records of patients assigned to your care.
✓ Scheduling appointments.
✓ Processing insurance claims.
✓ Performing medication reconciliation.
✓ Reviewing laboratory results necessary for treatment.
Examples of inappropriate access include:
✗ Looking up family members.
✗ Viewing your own medical record through the internal EHR.
✗ Accessing a coworker's chart.
✗ Looking up neighbors.
✗ Reviewing celebrity records.
✗ Viewing records out of curiosity.
Curiosity is never a legitimate business purpose.
8.6 Conversations Regarding Patients
Patient information should be discussed only with individuals directly involved in patient care or healthcare operations.
Workforce members shall avoid discussing patients:
- In hallways
- Elevators
- Waiting rooms
- Break rooms when visitors are present
- Restaurants
- Parking lots
- Public transportation
- Social gatherings
Whenever possible, clinical discussions should occur in private treatment rooms or secure offices.
8.7 Telephone Communications
Before discussing Protected Health Information by telephone, employees shall:
- Verify the caller's identity.
- Verify authority to receive information.
- Limit disclosures to the minimum necessary.
- Use discretion when leaving voicemail messages.
Detailed diagnoses or laboratory results should not be left on voicemail unless specifically authorized by the patient.
8.8 Social Media Policy
Social media presents significant privacy risks.
Employees shall never:
- Post patient photographs without authorization.
- Discuss patient cases online.
- Share screenshots of medical records.
- Confirm that an individual is a patient.
- Respond to online reviews by disclosing PHI.
- Post workplace photographs showing patient information.
- Record videos in clinical areas where PHI is visible.
Even if a patient publicly identifies themselves as a patient of Bloomfield Wellness & Aesthetics, employees shall not acknowledge or confirm that relationship.
8.9 Photography and Video Recording
Personal photography or video recording within the practice is prohibited unless specifically authorized.
Employees shall never:
- Photograph patient records.
- Photograph computer screens.
- Photograph prescriptions.
- Photograph laboratory reports.
- Photograph clinical procedures using personal devices.
- Record patient interactions.
Clinical photography shall occur only using approved practice equipment and in accordance with the Clinical Photography Policy.
8.10 Personal Cell Phone Use
Personal devices shall not be used to:
- Store patient information.
- Photograph medical records.
- Text PHI through personal messaging applications.
- Email PHI using personal email accounts.
- Record clinical conversations.
If personal devices are authorized under the Bring Your Own Device (BYOD) policy, they must comply with all applicable security requirements.
8.11 Computer Security Responsibilities
Employees shall:
- Log in using only assigned credentials.
- Lock workstations when leaving.
- Log off at the end of each shift.
- Never disable security software.
- Avoid installing unauthorized software.
- Protect passwords.
- Report suspicious computer activity immediately.
8.12 Email and Messaging Standards
Electronic communications containing PHI shall:
- Be sent only through approved systems.
- Be addressed carefully to avoid misdirected messages.
- Include only the minimum necessary information.
- Be encrypted when appropriate.
Employees shall never forward patient information to personal email accounts.
8.13 Printed Documents
Printed PHI shall be:
- Retrieved promptly from printers.
- Stored securely.
- Shredded when no longer needed.
- Protected from unauthorized viewing.
Documents containing PHI shall never be left:
- On reception counters.
- In conference rooms.
- On desks overnight.
- In unlocked vehicles.
- In public areas.
8.14 Visitors
Employees shall remain alert for unauthorized visitors.
Visitors shall not be permitted to:
- View medical records.
- Access computer systems.
- Enter restricted clinical areas without authorization.
- Handle confidential documents.
Visitors requiring access shall be escorted whenever appropriate.
8.15 Remote Work
Employees approved for remote work shall:
- Maintain private work environments.
- Protect computer screens from family members or visitors.
- Use approved secure internet connections.
- Avoid printing patient information at home unless authorized.
- Secure all equipment when not in use.
Remote work does not reduce HIPAA responsibilities.
8.16 Professional Conduct
Employees are expected to demonstrate professionalism by:
- Speaking respectfully about patients.
- Avoiding gossip.
- Maintaining discretion.
- Protecting confidential information.
- Reporting concerns promptly.
- Supporting coworkers in maintaining compliance.
Patient trust is strengthened through professional behavior.
8.17 Reporting Privacy Concerns
Employees who observe potential HIPAA violations shall report concerns immediately to:
- Supervisor
- Privacy Officer
- HIPAA Security Officer
- Compliance Officer
Examples requiring reporting include:
- Unauthorized record access.
- Lost paperwork.
- Lost devices.
- Suspicious emails.
- Misdirected faxes.
- Password sharing.
- Improper photography.
- Inappropriate conversations.
Employees are protected from retaliation for reporting concerns in good faith.
8.18 Workforce Sanctions
Violations of confidentiality standards may result in disciplinary action.
Depending upon severity, sanctions may include:
- Verbal counseling
- Written warning
- Mandatory retraining
- Suspension
- Termination
- Reporting to licensing boards
- Civil penalties
- Criminal prosecution where applicable
Every incident shall be evaluated individually and documented.
8.20 Annual Workforce Acknowledgment
Every workforce member shall annually acknowledge that they:
- Have read this HIPAA Manual.
- Understand their confidentiality obligations.
- Completed required HIPAA training.
- Understand the sanctions for non-compliance.
- Agree to protect patient privacy.
- Will report suspected violations immediately.
- Understand that confidentiality obligations continue after employment ends.
Documentation of the acknowledgment shall be maintained in the employee's personnel file.
Protecting patient confidentiality is not only a legal requirement; it is a core value of Bloomfield Wellness & Aesthetics and an essential part of providing ethical, patient-centered care.
SECTION 9
HIPAA RISK ANALYSIS & RISK MANAGEMENT PROGRAM
HIPAA Security Rule – Risk Analysis & Risk Management (45 CFR §164.308(a)(1))
9.1 Purpose
The HIPAA Security Rule requires Covered Entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Electronic Protected Health Information ("ePHI").
Bloomfield Wellness & Aesthetics maintains a formal Risk Analysis and Risk Management Program designed to:
- Identify threats to ePHI.
- Evaluate vulnerabilities.
- Measure organizational risk.
- Implement safeguards.
- Reduce the likelihood of security incidents.
- Support continuous improvement.
- Demonstrate compliance with HIPAA and the HITECH Act.
The Risk Analysis is not a one-time activity. It is a continuous process integrated into the organization's compliance and cybersecurity programs.
9.2 Policy Statement
Bloomfield Wellness & Aesthetics shall conduct and document a comprehensive Security Risk Analysis:
- At least annually.
- Before implementing significant new technology.
- After major operational changes.
- Following mergers or acquisitions.
- Following significant cybersecurity incidents.
- Whenever new threats materially affect the organization's risk profile.
All findings shall be documented and retained in accordance with organizational record retention policies.
9.3 Scope of the Risk Analysis
The Security Risk Analysis encompasses all systems, processes, and environments that create, receive, maintain, or transmit ePHI.
This includes:
- Electronic Health Record (EHR) systems
- Practice Management Software
- Billing platforms
- Scheduling systems
- Patient portals
- Telehealth platforms
- Laboratory interfaces
- Electronic prescribing systems
- Payment processing systems
- Email systems
- Cloud storage solutions
- Network infrastructure
- Wireless networks
- Desktop computers
- Laptop computers
- Tablets
- Smartphones
- Backup systems
- Medical devices connected to the network
- Portable storage media
- Third-party hosted applications
The analysis also considers workforce practices and physical environments that affect the security of ePHI.
9.4 Risk Analysis Team
The Risk Analysis shall be coordinated by the HIPAA Security Officer with input from individuals possessing appropriate operational and technical knowledge.
The team may include:
- HIPAA Security Officer
- Privacy Officer
- Compliance Officer
- Medical Director
- Practice Administrator
- Information Technology personnel
- Department Managers
- Outside cybersecurity consultants (when appropriate)
Participation shall be documented.
9.5 Asset Inventory
An accurate inventory of information assets shall be maintained.
Examples include:
Hardware
- Desktop computers
- Laptops
- Tablets
- Smartphones
- Servers
- Firewalls
- Switches
- Routers
- Wireless access points
- Backup devices
- Multifunction printers
Software
- Electronic Health Record
- Practice Management System
- Billing Software
- Telehealth Platform
- Secure Messaging System
- Antivirus Software
- Backup Software
- Productivity Applications
- Remote Access Software
Information Assets
- Patient medical records
- Clinical photographs
- Billing information
- Employee records
- Vendor contracts
- Compliance documentation
- Business Associate Agreements
Each asset should be assigned an owner responsible for oversight.
9.6 Threat Identification
Bloomfield Wellness & Aesthetics evaluates threats that could compromise the confidentiality, integrity, or availability of ePHI.
Examples include:
Human Threats
- Unauthorized access
- Employee negligence
- Insider misuse
- Password sharing
- Social engineering
- Theft
- Fraud
- Improper disposal
- Accidental disclosure
Technical Threats
- Malware
- Ransomware
- Viruses
- Phishing
- Credential theft
- Denial-of-service attacks
- Data corruption
- Software vulnerabilities
- System failures
Environmental Threats
- Fire
- Flood
- Tornado
- Severe weather
- Water damage
- Power failure
- HVAC failure
- Earthquake
- Civil disturbance
Operational Threats
- Vendor failure
- Internet outage
- Cloud service interruption
- Supply chain disruption
- Staffing shortages
- Equipment failure
9.7 Vulnerability Assessment
After identifying threats, Bloomfield Wellness & Aesthetics evaluates vulnerabilities that could allow those threats to occur.
Examples include:
- Weak passwords
- Lack of encryption
- Unsupported software
- Unpatched systems
- Poor physical security
- Inadequate employee training
- Shared accounts
- Improper workstation placement
- Inadequate backup procedures
- Insufficient vendor oversight
- Lack of multi-factor authentication
- Incomplete audit logging
Each vulnerability shall be documented.
9.8 Risk Rating Methodology
Each identified risk shall receive ratings for:
Likelihood
1 – Rare
2 – Unlikely
3 – Possible
4 – Likely
5 – Almost Certain
Impact
1 – Negligible
2 – Minor
3 – Moderate
4 – Major
5 – Catastrophic
Overall Risk Score
Risk Score = Likelihood × Impact
|
Score |
Risk Level |
Required Action |
|
1–5 |
Low |
Monitor and review |
|
6–10 |
Moderate |
Correct as resources permit |
|
11–15 |
High |
Prompt corrective action |
|
16–25 |
Critical |
Immediate mitigation required |
High and Critical risks shall be prioritized by leadership.
9.9 Sample Risk Register
|
Asset |
Threat |
Vulnerability |
Likelihood |
Impact |
Risk Score |
Mitigation |
|
EHR System |
Ransomware |
Unpatched workstation |
4 |
5 |
20 |
Patch systems, EDR, MFA |
|
Patient Portal |
Credential Theft |
Weak passwords |
3 |
4 |
12 |
MFA, password policy |
|
Laptop |
Theft |
No encryption |
2 |
5 |
10 |
Full disk encryption |
|
Reception PC |
Unauthorized viewing |
Monitor visible to public |
3 |
2 |
6 |
Reposition monitor, privacy screen |
The Risk Register shall be reviewed and updated throughout the year.
9.10 Risk Management Plan
Following completion of the Risk Analysis, Bloomfield Wellness & Aesthetics shall develop a written Risk Management Plan.
Each action item shall include:
- Risk identified
- Recommended safeguard
- Responsible individual
- Priority level
- Budget (if applicable)
- Target completion date
- Completion status
- Verification of implementation
Leadership shall monitor progress until corrective actions are completed.
9.11 Security Risk Assessment Documentation
The annual Security Risk Assessment shall include:
- Executive Summary
- Scope
- Methodology
- Asset Inventory
- Threat Assessment
- Vulnerability Assessment
- Risk Ratings
- Existing Safeguards
- Recommended Improvements
- Risk Management Plan
- Leadership Approval
- Review Date
Documentation shall be retained as part of the HIPAA compliance program.
9.12 Ongoing Risk Monitoring
Risk management is continuous.
Bloomfield Wellness & Aesthetics shall monitor:
- New cybersecurity threats
- OCR guidance
- Software vulnerabilities
- Vendor security alerts
- Device lifecycle status
- Regulatory updates
- Internal audit findings
- Incident reports
- Workforce feedback
New risks shall be incorporated into the Risk Register as appropriate.
9.13 Change Management
Whenever significant changes occur, the Security Officer shall evaluate whether the change introduces new risks.
Examples include:
- New Electronic Health Record
- New cloud vendor
- Office expansion
- New telehealth platform
- New AI documentation software
- Network redesign
- Acquisition of another practice
- Significant staffing changes
Risk assessments shall be updated before or shortly after implementation.
9.14 Leadership Review
The completed Risk Analysis and Risk Management Plan shall be reviewed by practice leadership.
The review shall include:
- Outstanding high-risk items
- Completed mitigation activities
- Budget needs
- Workforce training needs
- Vendor risks
- Cybersecurity priorities
- Recommendations for continuous improvement
Leadership approval shall be documented.
9.15 Annual Risk Analysis Checklist
At a minimum, Bloomfield Wellness & Aesthetics shall verify completion of the following each year:
☐ Asset inventory updated
☐ Vendor inventory reviewed
☐ Business Associate Agreements reviewed
☐ Threat assessment completed
☐ Vulnerability assessment completed
☐ Risk Register updated
☐ High-risk items prioritized
☐ Risk Management Plan approved
☐ Workforce training completed
☐ Disaster Recovery Plan reviewed
☐ Incident Response Plan reviewed
☐ Security policies reviewed
☐ Leadership approval documented
9.16 Continuous Improvement
The objective of the Risk Analysis Program is not merely compliance—it is continual improvement.
Bloomfield Wellness & Aesthetics is committed to:
- Reducing organizational risk.
- Strengthening cybersecurity.
- Protecting patient privacy.
- Enhancing workforce awareness.
- Investing in secure technologies.
- Monitoring emerging threats.
- Adapting to changes in healthcare and information technology.
The Risk Analysis Program shall evolve as new technologies, regulations, and risks emerge.
9.17 Risk Analysis Summary
A comprehensive Security Risk Analysis is the cornerstone of the HIPAA Security Rule and one of the most important compliance activities performed by Bloomfield Wellness & Aesthetics.
By identifying threats, evaluating vulnerabilities, prioritizing risks, and implementing appropriate safeguards, the practice protects patient information while supporting safe, effective, and compliant healthcare delivery.
The Risk Analysis Program demonstrates Bloomfield Wellness & Aesthetics' commitment to proactive risk management, regulatory compliance, and continuous improvement in information security.
SECTION 11
PATIENT RIGHTS & RELEASE OF INFORMATION (ROI)
HIPAA Privacy Rule – Patient Rights & Disclosure Procedures
11.1 Purpose
Bloomfield Wellness & Aesthetics recognizes that patients have important legal rights regarding access to their Protected Health Information ("PHI"). This policy establishes standardized procedures for responding to requests for access, copies, disclosures, amendments, restrictions, and other requests involving medical records.
These procedures are intended to:
- Protect patient privacy.
- Ensure compliance with HIPAA and applicable Pennsylvania law.
- Provide timely access to health information.
- Standardize Release of Information (ROI) practices.
- Maintain complete documentation of disclosures.
11.2 Policy Statement
Bloomfield Wellness & Aesthetics shall respond to all requests for access to Protected Health Information in accordance with applicable federal and Pennsylvania law.
No workforce member shall release Protected Health Information unless:
- The disclosure is permitted by HIPAA;
- A valid written authorization has been obtained, when required;
- The requestor's identity and authority have been verified; and
- The disclosure has been appropriately documented when required.
11.3 Patient Rights
Patients have the right to:
- Inspect their medical records.
- Obtain copies of records.
- Request amendments.
- Request restrictions.
- Request confidential communications.
- Receive an accounting of certain disclosures.
- Receive a Notice of Privacy Practices.
- Receive notification of certain breaches.
- File privacy complaints without retaliation.
All workforce members shall respect and facilitate these rights.
11.4 Requests for Medical Records
Patients may request access to their records by:
- Completing the Bloomfield Wellness & Aesthetics Medical Record Request Form.
- Submitting a written request.
- Using the secure patient portal when available.
- Through another method permitted by applicable law.
Whenever possible, requests should be in writing.
11.5 Identity Verification
Prior to releasing records, workforce members shall verify the identity of the requestor.
Acceptable verification methods include:
In Person
- Government-issued photo identification.
- Existing patient known to staff.
- Other reliable identification approved by the Privacy Officer.
By Mail
- Signed written request.
- Matching demographic information.
- Notarized request when appropriate.
Electronic Requests
- Secure patient portal authentication.
- Secure electronic signature.
- Other approved identity verification methods.
Telephone Requests
Telephone requests for complete medical records shall generally not be honored unless identity can be reasonably verified and applicable policy permits.
11.6 Authorized Representatives
Protected Health Information may be released to an authorized representative after appropriate verification.
Examples include:
- Parent of an unemancipated minor (subject to applicable law).
- Court-appointed guardian.
- Healthcare Power of Attorney.
- Executor or personal representative of a deceased patient, when authorized by law.
- Individual authorized through a valid HIPAA Authorization.
Supporting legal documentation shall be reviewed before disclosure when applicable.
11.7 Medical Record Formats
Patients may request records in:
- Paper format.
- Electronic PDF.
- Secure patient portal.
- Encrypted electronic media when feasible.
- Other electronic formats that are readily producible.
If the requested format is not readily available, Bloomfield Wellness & Aesthetics will work with the patient to provide an acceptable alternative.
11.8 Timeframes for Response
Bloomfield Wellness & Aesthetics shall respond to requests within the timeframes required by HIPAA and applicable law.
If additional time is permitted and necessary, the patient shall receive written notice explaining:
- The reason for the delay.
- The expected completion date.
- Contact information for questions.
Requests shall be processed as promptly as practical.
11.9 Fees for Copies
Bloomfield Wellness & Aesthetics may charge only fees permitted by applicable federal and Pennsylvania law.
Permissible fees may include:
- Labor for copying.
- Electronic media (e.g., USB drive, CD) when requested.
- Postage, if records are mailed.
- Supplies used to create the copy.
Patients shall be informed of any applicable fees before records are released.
11.10 Requests for Amendment
Patients who believe their medical record contains inaccurate or incomplete information may submit a written Request for Amendment.
The request should include:
- The specific information to be amended.
- The reason for the request.
- Supporting documentation, if available.
Bloomfield Wellness & Aesthetics shall review the request and respond in accordance with HIPAA.
If the request is denied, the patient shall be informed of:
- The reason for the denial.
- The right to submit a Statement of Disagreement.
- The right to file a complaint.
11.11 Requests for Restriction
Patients may request restrictions on the use or disclosure of PHI.
Examples include requests to:
- Restrict disclosure to family members.
- Restrict disclosure to health plans when services are paid entirely out-of-pocket, where required by HIPAA.
- Restrict communications regarding specific services.
All requests shall be reviewed by the Privacy Officer or designee.
Approved restrictions shall be documented in the medical record.
11.12 Confidential Communications
Patients may request that Bloomfield Wellness & Aesthetics communicate using alternative methods or locations.
Examples include:
- Mobile phone only.
- Work address.
- Secure patient portal only.
- Email.
- No voicemail messages.
- Mail to an alternate address.
Reasonable requests shall be accommodated whenever feasible.
11.13 Accounting of Disclosures
Patients may request an accounting of certain disclosures of their PHI.
The accounting generally excludes disclosures for:
- Treatment.
- Payment.
- Healthcare Operations.
- Disclosures authorized by the patient.
- Certain other disclosures excluded under HIPAA.
The accounting shall include:
- Date of disclosure.
- Recipient.
- Description of information disclosed.
- Purpose of the disclosure.
11.14 Requests from Attorneys
Requests from attorneys shall be carefully reviewed.
Records may be released only when supported by:
- A valid HIPAA Authorization.
- A court order.
- A subpoena that satisfies applicable legal requirements.
- Other legal authority permitting disclosure.
Legal counsel may be consulted before responding.
11.15 Subpoenas
Upon receipt of a subpoena, Bloomfield Wellness & Aesthetics shall determine:
- Whether it is signed by a judge or magistrate.
- Whether patient authorization accompanies the subpoena.
- Whether notice requirements have been satisfied.
- Whether objections have been filed.
- Whether legal counsel should be consulted.
Employees shall not release records solely because a subpoena has been received without following applicable legal procedures.
11.16 Law Enforcement Requests
Requests from law enforcement shall be reviewed carefully.
Permitted disclosures may occur only when authorized by:
- HIPAA.
- Federal law.
- Pennsylvania law.
- Court order.
- Search warrant.
- Applicable legal process.
Whenever practical, the Privacy Officer or legal counsel shall review such requests before records are released.
11.17 Employer Requests
Protected Health Information shall not be released to employers without:
- A valid HIPAA Authorization signed by the patient; or
- Another legal basis permitting disclosure.
Workforce members shall not assume an employer is entitled to medical information merely because the employer referred the patient.
11.18 Insurance Requests
Insurance companies may receive information necessary for payment and healthcare operations as permitted by HIPAA.
Only the minimum necessary information shall be disclosed.
Additional information beyond that necessary for payment may require patient authorization unless another legal basis applies.
11.19 Workers' Compensation
Disclosures relating to workers' compensation claims shall comply with:
- HIPAA.
- Pennsylvania Workers' Compensation requirements.
- Applicable court orders or administrative requirements.
Only information necessary to satisfy the applicable legal requirements shall be disclosed.
11.20 Deceased Patients
Protected Health Information of deceased individuals remains protected under HIPAA for the period specified by applicable law.
Disclosures may be made to:
- Personal representatives.
- Executors.
- Individuals authorized by law.
- Others as permitted by HIPAA.
Documentation of authority shall be obtained before releasing records.
11.21 Minors
Parents or legal guardians generally have rights regarding the medical information of unemancipated minors, subject to exceptions under federal and Pennsylvania law.
Examples of exceptions may include situations involving:
- Minor consent laws.
- Court orders.
- Emancipation.
- Other legal restrictions.
Questions involving minors shall be referred to the Privacy Officer when uncertainty exists.
11.22 Documentation of Disclosures
When required, Bloomfield Wellness & Aesthetics shall document:
- Date of disclosure.
- Recipient.
- Purpose.
- Information disclosed.
- Authorizing documentation.
- Workforce member completing the disclosure.
Documentation shall be maintained in accordance with organizational record retention policies.
11.23 Release of Information Quality Assurance
Periodic audits of Release of Information activities shall evaluate:
- Timeliness.
- Identity verification.
- Documentation.
- Appropriate authorization.
- Fee compliance.
- Minimum Necessary compliance.
- Accuracy of released information.
Deficiencies shall result in corrective action and additional workforce education when appropriate.
11.24 Practical Release of Information Scenarios
Scenario 1
A patient's spouse requests copies of laboratory results.
Action: Do not release records unless the spouse has legal authority or a valid HIPAA authorization.
Scenario 2
An attorney faxes a subpoena requesting the complete medical record.
Action: Forward the subpoena to the Privacy Officer or legal counsel for review before releasing any information.
Scenario 3
A patient requests an electronic copy of their records through the secure patient portal.
Action: Verify identity through the portal and provide the records in the requested electronic format if readily producible.
Scenario 4
An employer requests documentation regarding an employee's cosmetic procedure.
Action: Decline the request unless a valid authorization or other legal authority permits the disclosure.
Scenario 5
A patient paid entirely out-of-pocket for a service and requests that information not be submitted to their health plan.
Action: Document the request and, when required by HIPAA, honor the restriction.
11.25 Release of Information Summary
The Release of Information process protects one of the patient's most fundamental rights—the right to control access to personal health information.
Every workforce member shall remember:
- Verify identity before releasing information.
- Release only the minimum necessary information.
- Obtain authorization whenever required.
- Document disclosures appropriately.
- Consult the Privacy Officer whenever uncertainty exists.
Consistent application of these principles helps ensure compliance with HIPAA while preserving the trust that patients place in Bloomfield Wellness & Aesthetics.
SECTION 12
BUSINESS ASSOCIATE MANAGEMENT PROGRAM
HIPAA Privacy Rule • HIPAA Security Rule • 45 CFR §§164.502, 164.504 & 164.308(b)
12.1 Purpose
Bloomfield Wellness & Aesthetics ("BWA") frequently engages third-party vendors to perform services that support patient care, practice operations, information technology, billing, and other administrative functions.
When those vendors create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of the practice, they are considered Business Associates under HIPAA.
This policy establishes procedures for:
- Identifying Business Associates
- Evaluating vendor security
- Executing Business Associate Agreements (BAAs)
- Monitoring vendor compliance
- Responding to vendor security incidents
- Maintaining documentation
Proper Business Associate management is a critical component of Bloomfield Wellness & Aesthetics' HIPAA Compliance Program.
12.2 Policy Statement
Bloomfield Wellness & Aesthetics shall not disclose Protected Health Information to any Business Associate unless:
- The disclosure is permitted by HIPAA;
- A valid Business Associate Agreement is in effect when required;
- Appropriate due diligence has been completed;
- The vendor maintains reasonable administrative, physical, and technical safeguards.
Every department is responsible for notifying the Privacy Officer before engaging a vendor that may access PHI.
12.3 Definition of a Business Associate
A Business Associate is a person or organization, other than a member of the workforce, that performs functions or services involving PHI on behalf of Bloomfield Wellness & Aesthetics.
Examples include organizations that:
- Store PHI
- Process billing
- Host cloud applications
- Maintain computer systems
- Provide cybersecurity services
- Destroy confidential records
- Provide telehealth software
- Manage patient communications
- Analyze healthcare data
- Perform transcription services
12.4 Examples of Business Associates
Examples commonly used by Bloomfield Wellness & Aesthetics include:
Clinical Vendors
- Electronic Health Record vendors
- Practice Management software providers
- Telehealth vendors
- Laboratory interface vendors
- Electronic prescribing platforms
- Clinical imaging storage vendors
Information Technology Vendors
- Managed IT service providers
- Cybersecurity companies
- Cloud hosting providers
- Data backup providers
- Email encryption providers
- Firewall management vendors
- Network monitoring vendors
Administrative Vendors
- Medical billing companies
- Revenue cycle vendors
- Collection agencies
- Payment processors
- CPA firms with PHI access
- Attorneys representing the practice
- Accreditation consultants
Operational Vendors
- Secure document destruction companies
- Off-site records storage vendors
- Software implementation consultants
- HIPAA compliance consultants
- Secure fax providers
12.5 Vendors That Are Generally NOT Business Associates
Some vendors do not become Business Associates simply because they provide services.
Examples may include:
- Office supply companies
- Furniture vendors
- Janitorial companies without access to PHI
- Utility companies
- General contractors
- Internet providers
- Courier services transporting sealed packages without accessing PHI
If uncertainty exists, the Privacy Officer shall determine whether a Business Associate Agreement is required.
12.6 Vendor Risk Classification
Bloomfield Wellness & Aesthetics classifies vendors according to the level of PHI exposure.
Low Risk
Examples:
- Secure shredding vendors
- Office equipment maintenance
- Consultants with no routine PHI access
Moderate Risk
Examples:
- Medical billing companies
- Accounting firms
- Collection agencies
High Risk
Examples:
- EHR vendors
- Cloud hosting providers
- Telehealth platforms
- Patient portal providers
- IT managed service providers
- Backup vendors
Higher-risk vendors require increased due diligence and monitoring.
12.7 Vendor Due Diligence
Before contracting with a Business Associate, Bloomfield Wellness & Aesthetics shall evaluate the vendor's privacy and security program.
Evaluation may include:
- HIPAA compliance documentation
- Security questionnaires
- Cybersecurity policies
- Data encryption practices
- Multi-factor authentication
- Disaster recovery capabilities
- Incident response plans
- Cyber liability insurance
- Independent security certifications
- References and reputation
The extent of due diligence should correspond to the level of risk presented by the vendor.
12.8 Business Associate Agreement (BAA)
A Business Associate Agreement shall be executed before PHI is disclosed whenever required by HIPAA.
The BAA should address:
- Permitted uses of PHI
- Required safeguards
- Reporting of breaches and security incidents
- Subcontractor responsibilities
- Return or destruction of PHI upon termination
- Compliance with HIPAA
- Access for audits when appropriate
- Termination for material breach
Executed BAAs shall be maintained by the Privacy Officer or designee.
12.9 Minimum Security Expectations
Business Associates are expected to implement reasonable safeguards including, where appropriate:
Administrative Safeguards
- HIPAA policies
- Workforce training
- Risk analyses
- Confidentiality agreements
- Incident response plans
Technical Safeguards
- Encryption
- Access controls
- Multi-factor authentication
- Audit logging
- Endpoint protection
- Secure backups
Physical Safeguards
- Facility security
- Visitor controls
- Secure workstations
- Media protection
- Equipment disposal procedures
12.10 Vendor Access Controls
Business Associates shall receive access only to the information necessary to perform contracted services.
Examples include:
- Limited user accounts
- Role-based permissions
- Time-limited access
- VPN access when appropriate
- Logging of remote access
- Immediate termination of access when services end
The Minimum Necessary Standard applies to Business Associates.
12.11 Subcontractors
Business Associates shall ensure that any subcontractor with access to PHI agrees to comply with HIPAA and implement appropriate safeguards.
The original Business Associate remains responsible for ensuring downstream compliance.
12.12 Security Incident Reporting
Business Associates shall notify Bloomfield Wellness & Aesthetics without unreasonable delay after discovering:
- Privacy incidents
- Security incidents
- Suspected breaches
- Ransomware
- Malware
- Unauthorized access
- Lost devices
- Credential compromise
- Other events involving PHI
Notification shall include all information reasonably available at the time.
12.13 Vendor Monitoring
Business Associate relationships shall be monitored throughout the duration of the contract.
Monitoring activities may include:
- Annual security questionnaires
- Review of breach notifications
- Contract reviews
- Business Associate Agreement review
- Cybersecurity updates
- Performance reviews
- Incident history
- Compliance certifications
High-risk vendors may require more frequent reviews.
12.14 Vendor Termination
Upon termination of services, Bloomfield Wellness & Aesthetics shall ensure, as appropriate:
- Return of PHI
- Secure destruction of PHI
- Written certification of destruction when required
- Deactivation of user accounts
- Return of practice-owned equipment
- Revocation of remote access
- Removal from vendor inventory
Termination activities shall be documented.
12.15 Vendor Breach Response
If a Business Associate experiences a security incident involving Bloomfield Wellness & Aesthetics patient information:
The practice shall:
- Activate the Incident Response Team.
- Review the Business Associate Agreement.
- Determine the scope of the incident.
- Conduct a HIPAA Breach Risk Assessment.
- Coordinate required notifications.
- Evaluate corrective actions.
- Determine whether continued vendor use is appropriate.
The Privacy Officer shall coordinate communications with the vendor.
12.16 Vendor Inventory
Bloomfield Wellness & Aesthetics shall maintain a current Business Associate Inventory including:
- Vendor name
- Service provided
- Contract effective date
- Contract expiration date
- Business Associate Agreement status
- Risk classification
- Primary contact
- Last security review
- Next review date
The inventory shall be reviewed at least annually.
12.17 Annual Business Associate Review Checklist
The Privacy Officer shall verify annually that:
☐ Vendor inventory updated
☐ Business Associate Agreements current
☐ Security questionnaires completed (as applicable)
☐ High-risk vendors reviewed
☐ Vendor incidents evaluated
☐ Cybersecurity concerns addressed
☐ Contract renewals reviewed
☐ Access permissions verified
☐ Terminated vendors removed
☐ Documentation retained
12.18 Practical Scenarios
Scenario 1
A new telehealth vendor is selected.
Required Actions:
- Complete vendor security review.
- Execute a Business Associate Agreement.
- Verify encryption and HIPAA compliance.
- Obtain leadership approval before implementation.
Scenario 2
An IT consultant requests unrestricted access to the Electronic Health Record.
Required Actions:
Provide only the minimum level of access necessary, document the access, and ensure a Business Associate Agreement is in place.
Scenario 3
A cloud storage vendor reports suspicious activity affecting stored patient files.
Required Actions:
Immediately notify the Privacy Officer and Security Officer, activate the Incident Response Plan, evaluate whether a reportable breach occurred, and coordinate all required regulatory and patient notifications.
12.19 Business Associate Program Summary
Business Associates are an extension of Bloomfield Wellness & Aesthetics' privacy and security responsibilities.
Every department shall:
- Identify vendors with PHI access.
- Notify the Privacy Officer before engagement.
- Ensure appropriate contracts are executed.
- Monitor vendor performance.
- Report vendor security concerns immediately.
Effective Business Associate management protects patient information, reduces organizational risk, and supports Bloomfield Wellness & Aesthetics' commitment to regulatory compliance and excellence in patient care.
SECTION 13
HIPAA WORKFORCE TRAINING & COMPETENCY PROGRAM
HIPAA Privacy Rule • HIPAA Security Rule • HITECH Act
13.1 Purpose
Bloomfield Wellness & Aesthetics recognizes that workforce education is one of the most effective safeguards against privacy violations, cybersecurity incidents, and regulatory non-compliance.
This Workforce Training & Competency Program establishes standardized education requirements for all workforce members who create, receive, maintain, access, or transmit Protected Health Information (PHI) or Electronic Protected Health Information (ePHI).
The objectives of this program are to:
- Ensure compliance with HIPAA and applicable Pennsylvania law.
- Promote a culture of privacy and security.
- Reduce human error.
- Improve cybersecurity awareness.
- Standardize workforce expectations.
- Maintain documentation required during regulatory inspections.
Training is mandatory for every workforce member regardless of position.
13.2 Scope
This policy applies to:
- Medical Director
- Physicians
- Pharmacists
- Nurse Practitioners
- Physician Assistants
- Registered Nurses
- Licensed Practical Nurses
- Medical Assistants
- Estheticians
- Laser Technicians
- Medical Receptionists
- Billing Specialists
- Practice Managers
- Administrative Personnel
- Students
- Interns
- Volunteers
- Temporary Staff
- Contractors with access to PHI
- Information Technology Personnel
No workforce member may access PHI until required onboarding training has been completed.
13.3 Training Requirements
HIPAA training shall occur:
- Before workforce members receive access to PHI.
- During new employee orientation.
- Annually thereafter.
- Whenever significant policy changes occur.
- Following major security incidents.
- Following identified compliance deficiencies.
- When new technologies affecting PHI are implemented.
Additional department-specific education may be assigned as needed.
13.4 New Employee HIPAA Orientation
Every new workforce member shall complete HIPAA Orientation before beginning independent job duties.
Orientation includes:
Privacy
- HIPAA overview
- Patient rights
- Protected Health Information
- Minimum Necessary Standard
- Confidentiality expectations
- Release of Information procedures
- Notice of Privacy Practices
Security
- Password management
- Multi-factor authentication
- Email security
- Device security
- Remote access
- Workstation security
- Encryption
- Clean desk policy
Cybersecurity
- Phishing recognition
- Social engineering
- Ransomware awareness
- Malware prevention
- Safe web browsing
- Secure file sharing
- AI and cybersecurity risks
Practice Policies
- Incident reporting
- Business Associate awareness
- Photography policy
- Social media policy
- Bring Your Own Device (BYOD)
- Visitor management
- Sanction policy
Completion shall be documented before system access is granted.
13.5 Annual HIPAA Refresher Training
All workforce members shall complete annual refresher education.
Topics include:
- HIPAA Privacy Rule updates
- HIPAA Security Rule updates
- OCR enforcement trends
- Recent cybersecurity threats
- Organizational policy updates
- Recent privacy incidents (de-identified)
- Lessons learned
- Workforce responsibilities
- Documentation standards
- AI usage guidance
- Security awareness
Training content shall be updated annually.
13.6 Role-Based Training
Additional education shall be tailored to job responsibilities.
Providers
Training emphasizes:
- Documentation
- Clinical photography
- Telehealth
- Electronic prescribing
- Medical record amendments
- Release of Information
Estheticians & Laser Technicians
Training emphasizes:
- Clinical photography
- Cosmetic consultation documentation
- Before-and-after image management
- Marketing authorization
- Photography consent
- Device documentation
- Cosmetic procedure records
Reception
Training emphasizes:
- Identity verification
- Appointment privacy
- Waiting room confidentiality
- Telephone procedures
- Scheduling
- Confidential communications
Billing
Training emphasizes:
- Minimum Necessary Standard
- Insurance disclosures
- Payment information
- Workers' compensation
- Collection agencies
- Financial confidentiality
Information Technology
Training emphasizes:
- Network security
- Access management
- Audit logs
- Encryption
- Disaster recovery
- Incident response
- Business Associate oversight
13.7 Security Awareness Education
Throughout the year, Bloomfield Wellness & Aesthetics shall provide ongoing security awareness education.
Examples include:
- Monthly cybersecurity reminders
- Phishing awareness bulletins
- Password tips
- Emerging scam alerts
- AI security guidance
- Vendor security alerts
- Security newsletters
- Lunch-and-learn sessions
Security awareness shall remain an ongoing process rather than a once-per-year activity.
13.8 Phishing Simulation Program
To improve cybersecurity awareness, Bloomfield Wellness & Aesthetics may periodically conduct phishing simulations.
Objectives include:
- Evaluating workforce awareness
- Reinforcing training
- Identifying education needs
- Measuring organizational improvement
Employees who interact with simulated phishing emails may receive additional coaching rather than punitive discipline, unless repeated failures or intentional misconduct warrant corrective action.
13.9 Competency Evaluation
Training effectiveness shall be evaluated through one or more methods:
- Written examinations
- Online quizzes
- Practical demonstrations
- Scenario-based discussions
- Observation
- Skills validation
- Department manager evaluations
Employees demonstrating deficiencies shall complete remedial education.
13.10 Competency Standards
Bloomfield Wellness & Aesthetics recommends a minimum passing score of 80% on annual HIPAA competency assessments.
Employees who do not achieve the required score shall:
- Review educational materials.
- Complete additional training.
- Retake the assessment.
- Demonstrate competency before the training cycle is considered complete.
13.11 Documentation of Training
The following shall be documented:
- Employee name
- Training title
- Date completed
- Instructor (if applicable)
- Method of training
- Competency score
- Employee acknowledgment
- Manager verification
Training records shall be retained in accordance with organizational record retention requirements.
13.12 Workforce Acknowledgment
Following training, each workforce member shall acknowledge that they understand:
- HIPAA Privacy Rule
- HIPAA Security Rule
- Confidentiality requirements
- Security responsibilities
- Incident reporting procedures
- Sanction policy
- Organizational privacy expectations
Signed acknowledgments shall be maintained in personnel files.
13.13 Manager Responsibilities
Department managers are responsible for:
- Ensuring staff complete required training.
- Monitoring compliance.
- Reinforcing privacy expectations.
- Identifying additional educational needs.
- Reporting deficiencies.
- Supporting corrective action plans.
Managers shall model appropriate HIPAA compliance behaviors.
13.14 Remedial Training
Additional education shall be provided when:
- Privacy violations occur.
- Security incidents occur.
- Documentation deficiencies are identified.
- Audit findings indicate non-compliance.
- New regulations are issued.
- New technology is implemented.
Remedial education shall be documented.
13.15 Continuing Education
Bloomfield Wellness & Aesthetics encourages workforce members to participate in continuing education related to:
- HIPAA
- Cybersecurity
- Information privacy
- Healthcare compliance
- Medical documentation
- Artificial intelligence in healthcare
- Risk management
- Fraud prevention
Continuing education supports professional development and organizational excellence.
13.16 Annual Training Checklist
Each year the Privacy Officer or designee shall verify completion of:
☐ HIPAA Privacy Training
☐ HIPAA Security Training
☐ Cybersecurity Awareness
☐ Phishing Education
☐ Password Security Review
☐ Incident Reporting Review
☐ Social Media Policy Review
☐ Photography Policy Review
☐ AI Usage Policy Review
☐ Competency Examination
☐ Employee Acknowledgment
☐ Documentation Filed
13.17 Sample Annual Competency Questions
Examples of questions that may be included in annual assessments:
- What does PHI stand for?
- What should you do if you receive a suspicious email requesting your password?
- May you access the medical record of a family member without a business need?
- What is the Minimum Necessary Standard?
- When should a suspected HIPAA violation be reported?
- Is a clinical photograph considered PHI?
- What should you do before releasing medical records to an attorney?
- What is the first action if your laptop containing PHI is stolen?
- May patient information be entered into an unapproved public AI platform?
- Who serves as Bloomfield Wellness & Aesthetics' Privacy Officer?
13.18 Training Program Summary
Education is one of the strongest defenses against privacy violations and cybersecurity incidents.
Every workforce member is expected to:
- Complete required training.
- Maintain competency.
- Stay informed of policy updates.
- Report concerns immediately.
- Apply privacy and security principles in daily practice.
- Protect patient information with professionalism and integrity.
Bloomfield Wellness & Aesthetics is committed to fostering a knowledgeable workforce that understands both the legal requirements and ethical importance of safeguarding patient information. Continuous education strengthens compliance, supports patient trust, and reinforces the organization's commitment to excellence in healthcare.
SECTION 14
MEDICAL RECORD DOCUMENTATION STANDARDS & DOCUMENTATION INTEGRITY
14.1 Purpose
The medical record is a legal, clinical, and business document that supports patient care, communication among healthcare providers, quality improvement, billing, regulatory compliance, and risk management.
Bloomfield Wellness & Aesthetics is committed to maintaining complete, accurate, timely, and professional medical records that meet or exceed the requirements of:
- HIPAA
- HITECH Act
- Pennsylvania law
- CMS documentation standards
- Commercial payer requirements
- Accepted standards of medical practice
- Professional licensing board requirements
Every workforce member responsible for documentation shall comply with this policy.
14.2 Policy Statement
Every medical record shall accurately reflect:
- The patient's condition
- Clinical findings
- Assessment
- Clinical decision-making
- Treatment rendered
- Patient education
- Informed consent
- Follow-up recommendations
- Provider authentication
Medical documentation shall be completed promptly and shall never be altered to conceal an error or misrepresent services provided.
14.3 Purpose of the Medical Record
The medical record serves multiple purposes, including:
Clinical Care
- Continuity of care
- Provider communication
- Treatment planning
- Medication management
- Follow-up care
Legal Documentation
- Evidence of services rendered
- Professional accountability
- Regulatory compliance
- Risk management
- Defense in legal proceedings
Financial Documentation
- Coding support
- Billing
- Insurance claims
- Medical necessity documentation
- Prior authorizations
Quality Improvement
- Clinical audits
- Performance improvement
- Accreditation
- Outcomes analysis
- Patient safety initiatives
14.4 Documentation Principles
Every entry shall be:
- Accurate
- Objective
- Complete
- Legible
- Timely
- Organized
- Professional
- Clinically relevant
- Authenticated
- Consistent
Documentation should reflect what actually occurred—not what was intended to occur.
14.5 Required Patient Demographics
The medical record should include, as appropriate:
- Full legal name
- Date of birth
- Address
- Telephone number(s)
- Email address
- Emergency contact
- Primary care provider
- Insurance information
- Preferred pharmacy
- Preferred language
- Communication preferences
- Allergies
- Medication list
Demographic information should be reviewed and updated at least annually or whenever changes are identified.
14.6 Clinical Documentation Requirements
Each clinical encounter shall include documentation appropriate to the services provided.
Typical components include:
- Chief complaint
- History of present illness
- Relevant past medical history
- Medication review
- Allergy review
- Review of systems (when applicable)
- Physical examination
- Skin assessment (for aesthetic visits)
- Clinical photographs (when indicated)
- Assessment
- Diagnosis
- Treatment plan
- Patient education
- Follow-up instructions
- Provider signature
14.7 Aesthetic Medicine Documentation
Because Bloomfield Wellness & Aesthetics provides aesthetic and wellness services, documentation shall also include, when applicable:
- Cosmetic consultation
- Patient goals
- Expectations discussed
- Contraindications reviewed
- Skin type assessment
- Fitzpatrick Skin Type
- Glogau Classification (if applicable)
- Treatment areas
- Device settings
- Laser parameters
- Energy settings
- Pulse duration
- Spot size
- Cooling method
- Product lot numbers
- Injection sites
- Injection quantities
- Needle/cannula size
- Treatment tolerance
- Immediate response
- Post-treatment instructions
- Follow-up plan
Detailed documentation supports patient safety and continuity of care.
14.8 Wellness & Functional Medicine Documentation
For hormone optimization, weight management, and functional medicine services, documentation should include, as applicable:
- Comprehensive health history
- Lifestyle assessment
- Nutritional assessment
- Sleep evaluation
- Exercise history
- Stress assessment
- Hormone symptoms
- Functional medicine review
- Laboratory interpretation
- Clinical reasoning
- Personalized treatment recommendations
- Supplement recommendations
- Medication changes
- Follow-up laboratory schedule
- Patient education
14.9 SOAP Documentation Standard
Bloomfield Wellness & Aesthetics utilizes the SOAP format whenever appropriate.
Subjective
Patient-reported symptoms
Chief complaint
History
Goals
Review of systems
Objective
Vital signs
Physical findings
Laboratory results
Imaging
Clinical photographs
Device measurements
Body composition analysis
Assessment
Diagnosis
Differential diagnosis
Clinical interpretation
Medical necessity
Progress toward treatment goals
Plan
Treatment
Medication
Procedures
Patient education
Follow-up
Laboratory orders
Lifestyle recommendations
Referrals
14.10 Timeliness of Documentation
Clinical documentation should be completed as soon as reasonably practical following the patient encounter.
Documentation delays increase the risk of:
- Inaccuracies
- Billing errors
- Patient safety concerns
- Regulatory deficiencies
Providers should avoid unnecessary delays in completing records.
14.11 Late Entries
Occasionally additional information becomes available after documentation has been completed.
Late entries shall:
- Be clearly identified as late entries.
- Include the current date and time.
- Explain why the information is being added.
- Never appear to have been entered on the original service date.
Late entries shall never be used to falsify documentation.
14.12 Addenda
Addenda may be used to supplement previously completed documentation.
Appropriate reasons include:
- Additional laboratory information
- Clarification
- Additional patient history
- Additional recommendations
- Newly received consultation reports
The original documentation shall remain intact.
14.13 Corrections
Errors shall be corrected without obscuring the original documentation.
Electronic systems generally maintain audit trails documenting:
- Original entry
- Correction
- Date
- Time
- Author
Paper records shall never be altered using correction fluid or methods that make the original entry unreadable.
14.14 Copy and Paste / Copy Forward
Copying previous documentation may improve efficiency but presents risks.
When using copy-forward functionality:
- Information shall be reviewed for accuracy.
- Outdated information shall be removed.
- Physical examination findings shall reflect the current encounter.
- Medication lists shall be verified.
- Diagnoses shall be reviewed.
Providers remain fully responsible for all documentation regardless of how it was created.
14.15 Electronic Signatures
Electronic signatures shall:
- Identify the author.
- Be unique to the provider.
- Be protected from unauthorized use.
- Accurately reflect authorship.
Signing documentation completed by another individual without proper review is prohibited.
14.16 Clinical Photography Documentation
Clinical photographs shall include documentation of:
- Date obtained
- Body area
- Clinical purpose
- Patient consent
- Device used (if applicable)
- Secure storage location
Clinical photographs become part of the medical record when used for treatment documentation.
14.17 Informed Consent Documentation
The medical record shall document informed consent discussions, including:
- Nature of the procedure
- Risks
- Benefits
- Alternatives
- Expected recovery
- Opportunity for questions
- Patient understanding
- Patient agreement
Signed consent forms shall be maintained in the medical record.
14.18 Medication Documentation
Medication documentation should include:
- Medication name
- Strength
- Dose
- Route
- Frequency
- Indication
- Start date
- Discontinuation date when applicable
- Allergies
- Adverse reactions
Medication reconciliation shall be performed as appropriate.
14.19 Laboratory Documentation
Laboratory documentation shall include:
- Tests ordered
- Clinical indication
- Results
- Provider interpretation
- Patient notification
- Follow-up plan
- Repeat testing schedule
Abnormal findings shall receive appropriate follow-up.
14.20 Documentation of Patient Education
Patient education shall be documented whenever education is provided.
Examples include:
- Procedure preparation
- Medication instructions
- Hormone therapy counseling
- Laser aftercare
- Chemical peel aftercare
- Microneedling instructions
- Weight management counseling
- Lifestyle recommendations
- Nutritional counseling
- Follow-up recommendations
Documentation should include the patient's understanding when appropriate.
14.21 Prohibited Documentation Practices
The following practices are strictly prohibited:
- Falsifying documentation.
- Backdating records.
- Altering records to conceal errors.
- Creating records for services not performed.
- Signing another individual's documentation.
- Copying documentation without review.
- Recording inaccurate times.
- Fabricating clinical findings.
Violations may result in disciplinary action, reporting to licensing boards, civil penalties, or criminal prosecution.
14.22 Documentation Audits
Bloomfield Wellness & Aesthetics conducts periodic documentation audits evaluating:
- Completeness
- Timeliness
- Accuracy
- Legibility
- Medical necessity
- Coding support
- Informed consent documentation
- Authentication
- Compliance with organizational policies
Audit findings shall be communicated to providers, and corrective education shall be provided when indicated.
14.23 Documentation Integrity Summary
Every medical record represents both the care provided and the professionalism of Bloomfield Wellness & Aesthetics.
Workforce members shall remember:
- Document promptly.
- Document accurately.
- Document objectively.
- Never alter records improperly.
- Authenticate every entry.
- If it wasn't documented, it may be difficult to demonstrate that it occurred.
High-quality documentation supports patient safety, continuity of care, regulatory compliance, reimbursement accuracy, and legal defensibility while reinforcing Bloomfield Wellness & Aesthetics' commitment to clinical excellence and ethical healthcare practice.
SECTION 15
HIPAA AUDITING, MONITORING & INTERNAL COMPLIANCE PROGRAM
HIPAA Privacy Rule • HIPAA Security Rule • Internal Compliance Standards
15.1 Purpose
Bloomfield Wellness & Aesthetics ("BWA") maintains an active HIPAA Auditing, Monitoring, and Internal Compliance Program to ensure continuous compliance with federal and Pennsylvania privacy and security requirements.
The purpose of this program is to:
- Detect privacy violations before they become reportable breaches.
- Identify security vulnerabilities.
- Monitor workforce compliance.
- Improve documentation quality.
- Evaluate effectiveness of HIPAA policies.
- Strengthen cybersecurity.
- Reduce organizational risk.
- Promote continuous quality improvement.
Auditing is intended to improve compliance—not merely identify deficiencies.
15.2 Policy Statement
Bloomfield Wellness & Aesthetics shall perform ongoing monitoring and periodic audits of its privacy, security, documentation, and workforce compliance activities.
Audits may be:
- Scheduled
- Random
- Risk-based
- Triggered by complaints
- Triggered by security incidents
- Triggered by abnormal system activity
- Conducted following regulatory updates
Audit findings shall be documented, reviewed by leadership, and addressed through corrective action when necessary.
15.3 Compliance Program Goals
The Internal Compliance Program is designed to:
- Protect patient privacy.
- Improve workforce accountability.
- Detect inappropriate record access.
- Identify documentation deficiencies.
- Verify policy compliance.
- Evaluate technical safeguards.
- Improve patient safety.
- Maintain regulatory readiness.
- Support continuous education.
- Demonstrate due diligence.
15.4 Audit Authority
The following individuals may participate in HIPAA audits:
- Privacy Officer
- HIPAA Security Officer
- Compliance Officer
- Medical Director
- Practice Administrator
- Department Managers
- Information Technology personnel
- Outside HIPAA consultants
- Legal counsel when appropriate
Audit responsibilities shall be documented.
15.5 Types of Audits
Bloomfield Wellness & Aesthetics conducts multiple categories of compliance audits.
These include:
Privacy Audits
- Release of Information
- Authorizations
- Confidential communications
- Patient rights
- Notice of Privacy Practices
- Disclosure documentation
Security Audits
- Password compliance
- Multi-factor authentication
- Workstation security
- Device encryption
- Remote access
- Firewall review
- Endpoint protection
- Network monitoring
Documentation Audits
- SOAP documentation
- Medical necessity
- Procedure documentation
- Clinical photography
- Informed consent
- Signatures
- Timeliness
- Coding support
Workforce Audits
- HIPAA training
- Confidentiality agreements
- Annual acknowledgments
- Policy compliance
- Role-based access
Vendor Audits
- Business Associate Agreements
- Security questionnaires
- Vendor incidents
- Contract reviews
- Access permissions
15.6 Electronic Health Record Access Audits
Bloomfield Wellness & Aesthetics shall periodically review Electronic Health Record (EHR) access logs.
Audit objectives include identifying:
- Unauthorized access.
- Curiosity access.
- Excessive record viewing.
- Access after employment termination.
- Access outside assigned responsibilities.
- Access during unusual hours.
- Bulk record exports.
- Suspicious login activity.
Any irregular activity shall be investigated promptly.
15.7 High-Profile Patient Monitoring
Certain medical records may require enhanced monitoring.
Examples include:
- Employees
- Providers
- Public officials
- Celebrities
- Local media personalities
- Litigation-related patients
- Patients requesting heightened privacy protections
Additional audit logging may be performed for these records.
Selection for monitoring shall never be based on discrimination or inappropriate considerations.
15.8 User Access Reviews
At least annually, and more frequently when appropriate, user access shall be reviewed to verify:
- Current employment status.
- Appropriate department assignment.
- Role-based permissions.
- Administrative privileges.
- Temporary access expiration.
- Remote access authorization.
Inactive or unnecessary accounts shall be disabled promptly.
15.9 Documentation Audits
Documentation reviews shall evaluate:
- Completeness
- Accuracy
- Timeliness
- Authentication
- Medical necessity
- Procedure documentation
- Clinical photographs
- Treatment plans
- Follow-up documentation
- Patient education
- Coding support
Audit results shall be shared with providers and managers.
15.10 Workstation Audits
Periodic observations may evaluate:
- Locked workstations
- Visible PHI
- Password security
- Clean desk compliance
- Printer security
- Monitor placement
- Badge usage
- Visitor management
Immediate corrective coaching may occur when deficiencies are observed.
15.11 Security Audits
Technical security audits may evaluate:
- Firewall configuration
- Endpoint protection
- Antivirus status
- Software updates
- Encryption status
- Wireless security
- VPN access
- Multi-factor authentication
- Backup completion
- Failed login attempts
Information Technology personnel shall document corrective actions.
15.12 Physical Security Audits
Facility inspections may include:
- Door security
- Lock functionality
- Alarm systems
- Visitor controls
- Records storage
- Medication storage
- Server room security
- Emergency exits
- Camera placement (where applicable)
- Environmental protections
Deficiencies shall be corrected promptly.
15.13 Release of Information Audits
The Privacy Officer shall periodically review Release of Information activities.
Audit items include:
- Identity verification
- Valid authorizations
- Documentation of disclosures
- Timeliness
- Minimum Necessary compliance
- Appropriate fees
- Patient requests
- Restriction requests
15.14 Business Associate Audits
High-risk Business Associates may undergo periodic review.
Examples include:
- Business Associate Agreement status
- Cybersecurity posture
- Security incidents
- Breach history
- Access controls
- Insurance coverage
- Contract compliance
Documentation shall be retained.
15.15 Audit Frequency
Unless operational needs require more frequent review, Bloomfield Wellness & Aesthetics recommends the following schedule:
|
Audit Type |
Recommended Frequency |
|
EHR Access Logs |
Monthly |
|
User Access Review |
Quarterly |
|
Documentation Audit |
Quarterly |
|
Workstation Audit |
Quarterly |
|
Security Audit |
Quarterly |
|
Business Associate Review |
Annually |
|
Risk Analysis |
Annually |
|
HIPAA Training |
Annually |
|
Disaster Recovery Test |
Annually |
|
Policy Review |
Annually |
Leadership may increase audit frequency based on identified risks.
15.16 Corrective Action Plans
When audit deficiencies are identified, a written Corrective Action Plan (CAP) shall be developed.
Each CAP shall include:
- Deficiency identified
- Root cause
- Recommended corrective action
- Responsible individual
- Due date
- Completion date
- Verification of effectiveness
Corrective actions shall be monitored until completed.
15.17 Compliance Reporting
Audit findings shall be summarized for leadership.
Reports may include:
- Number of audits completed
- Significant findings
- Trends
- Repeat deficiencies
- Incident summaries
- Corrective action status
- Training needs
- Vendor concerns
- Recommendations
Reports should support strategic compliance planning.
15.18 OCR Audit Readiness
Bloomfield Wellness & Aesthetics shall maintain documentation demonstrating HIPAA compliance in the event of an investigation or audit by the U.S. Department of Health & Human Services Office for Civil Rights (OCR).
Documentation includes:
- HIPAA Policies
- Risk Analysis
- Risk Management Plan
- Workforce Training Records
- Business Associate Agreements
- Incident Reports
- Breach Investigations
- Audit Reports
- Corrective Action Plans
- Patient Complaint Files
- Policy Review Documentation
Records shall be organized and readily retrievable.
15.19 Annual HIPAA Compliance Calendar
The Privacy Officer or designee shall maintain an annual compliance calendar.
Recommended activities include:
January
- Review HIPAA policies
- Update compliance calendar
February
- Business Associate inventory review
March
- Workforce access review
April
- Documentation audit
May
- Security awareness campaign
June
- Workstation audit
July
- HIPAA refresher training
August
- Risk Register update
September
- Security Risk Analysis
October
- Disaster Recovery and Contingency Plan testing
November
- Release of Information audit
December
- Leadership compliance review
- Corrective Action Plan follow-up
- Annual program evaluation
This schedule may be adjusted based on operational priorities or regulatory developments.
15.20 Continuous Quality Improvement
Audit findings shall be incorporated into Bloomfield Wellness & Aesthetics' Quality Improvement Program.
Improvement activities may include:
- Policy revisions
- Additional workforce education
- Technology enhancements
- Vendor remediation
- Workflow redesign
- Additional monitoring
- Cybersecurity improvements
Continuous improvement strengthens both patient care and regulatory compliance.
15.21 Practical Audit Scenarios
Scenario 1
An EHR audit identifies that an employee accessed the chart of a family member without a treatment-related reason.
Required Actions:
- Initiate an investigation.
- Interview the employee.
- Review audit logs.
- Determine whether PHI was improperly disclosed.
- Apply the Sanction Policy if appropriate.
- Document findings and corrective actions.
Scenario 2
A quarterly documentation audit finds repeated missing informed consent forms for cosmetic laser procedures.
Required Actions:
- Notify the Medical Director and Practice Manager.
- Educate affected providers.
- Implement a corrective action plan.
- Re-audit within 30–60 days to verify compliance.
Scenario 3
A workstation audit reveals multiple computers left unlocked during lunch breaks.
Required Actions:
- Provide immediate coaching.
- Reinforce workstation security expectations.
- Consider additional security awareness training.
- Increase spot-check audits until compliance improves.
Scenario 4
A Business Associate experiences a cybersecurity incident affecting cloud-hosted patient information.
Required Actions:
- Review the Business Associate Agreement.
- Activate the Incident Response Plan.
- Conduct a HIPAA Breach Risk Assessment.
- Determine notification obligations.
- Document all findings and corrective actions.
15.22 HIPAA Auditing & Monitoring Summary
Routine auditing and monitoring are essential components of an effective HIPAA compliance program.
Every workforce member should understand that audits are conducted to:
- Protect patients.
- Improve organizational performance.
- Strengthen privacy and security.
- Identify opportunities for education.
- Demonstrate regulatory compliance.
- Foster a culture of accountability and continuous improvement.
Through ongoing monitoring, timely corrective action, and leadership oversight, Bloomfield Wellness & Aesthetics reinforces its commitment to safeguarding Protected Health Information and maintaining the highest standards of ethical, secure, and patient-centered care.