curaJOY PHI Use and Disclosure Policy 

curaJOY PHI Use and Disclosure Policy 

1.Purpose: This policy outlines the procedures for using and disclosing Protected Health Information (PHI) to protect the privacy of individuals and ensure the confidentiality and security of their health information.

2.Scope:This policy applies to all employees, contractors, and business associates of curaJOY who have access to PHI.

3.Definition

Data considered as PHI:

  • Name
  • Address (all geographic subdivisions smaller than state, including street address, city county, and zip code) 
  • All elements (expect years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Phone number
  • Fax number
  • Email address
  • Social Security Number
  • Medical record number
  • Health plan beneficiary
  • Account number
  • Certificate or license number
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Web URL
  • Internet Protocol (IP) Address
  • Biometric identifiers (such as fingerprints, or retinal scan)
  • Photographic image – Photographic images are not limited to images of the faces.
  • Any other characteristic that could uniquely identify the individual
  • Mental health record

Use

The sharing, application, utilization, examination, or analysis of PHI within curaJOY.

Disclosure

The release, transfer, or provision of access to PHI outside of curaJOY.

Minimum Necessary Standard

The principle that PHI should only be accessed, used, or disclosed to the extent necessary to fulfill a specific purpose.

4.Use and Disclosure of PHI

  • Permissible Uses and Disclosures: PHI may be used or disclosed without the individual’s authorization in the following situations:
  • For treatment purposes: PHI can be used to provide, coordinate, or manage healthcare services.
  • For healthcare operations: PHI may be used for operational purposes such as quality assessment, training, licensing, and accreditation.
  • Uses and Disclosures Requiring Authorization: For purposes other than those listed above (such as marketing, fundraising, or disclosure to third parties), explicit written authorization from the individual is required before their PHI can be used or disclosed.
  • Minimum Necessary Standard: All curaJOY employees and contractors must follow the Minimum Necessary Standard when using or disclosing PHI. Only the minimum amount of PHI necessary to accomplish the intended purpose may be used or disclosed.
  • De-identification of PHI: curaJOY may use or disclose health information that has been de-identified in accordance with HIPAA standards, meaning that it does not identify an individual and there is no reasonable basis to believe the information can be used to identify the individual.
  • Disclosures to Business Associates: curaJOY may disclose PHI to business associates only if they sign a Business Associate Agreement (BAA) ensuring they will protect the PHI in compliance with HIPAA regulations.
  • Disclosures to Law Enforcement and Legal Authorities: PHI may be disclosed to law enforcement agencies, public health authorities, or legal representatives if required by law (e.g., in response to a court order or subpoena).

5.Patient Rights

Patients have the right to:

  • Access their PHI.
  • Request amendments to their PHI.
  • Receive an accounting of disclosures of their PHI.
  • Request restrictions on certain uses and disclosures.
  • File a complaint if they believe their privacy rights have been violated.

6.Breach Notification

In the event of an unauthorized use or disclosure of PHI, curaJOY will follow breach notification procedures as required by HIPAA to notify the affected individuals, the Department of Health and Human Services (HHS), and, if necessary, the media.

7.Procedure

  • All curaJOY employees and contractors must receive training on this policy to ensure compliance.
  • Regular audits will be conducted to ensure PHI is used and disclosed in accordance with this policy.
  • Any employee found to be in violation of this policy will be subject to disciplinary action, up to and including termination.

8.Effective Date: This policy is effective as of 4/4/2025.

9.Review and Update: This policy will be reviewed and updated on an annual basis or as needed to comply with changes in applicable laws or regulations.