Privacy Policy

AIRS Medical Inc. (“AIRS”) recognizes that patient information is sensitive and, as such, must be treated carefully and responsibly. As a potential Business Associate of Health Care Providers, AIRS will use and disclose any Individually Identifiable Health Information received from a Health Care Provider in strict accordance with the requirements governing the use and disclosure of protected health information (“PHI”) contained in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule (collectively, the “HIPAA Standards”). Capitalized terms used but not defined directly in this policy, including its Endnotes, have the meanings set forth in the HIPAA Standards.

1. GENERAL COMPLIANCE REQUIREMENTS

1.1 Policies and Procedures as an Element of the Compliance Program

1.1.1 AIRS’s policies and procedures with respect to PHI, which may be found later in this document, are reasonably designed to comply with the standards, implementation specifications, and other requirements of the HIPAA Standards, considering the fact that AIRS will access PHI as a Business Associate of a Covered Entity. 

1.1.2 AIRS has appointed a Chief Privacy Officer and Data Protection Officer (the “Compliance Officer”) who is responsible for the development, implementation, modification, and oversight of AIRS’s HIPAA policies and procedures, including all policies and procedures related to compliance with the HIPAA Standards. The current Compliance Officer is Yunmyeong Kim.

1.1.3 All policies and procedures related to compliance with the HIPAA Standards will be documented and contain a version number and effective date. This documentation, as well as any documentation required to be created by the HIPAA Standards or these policies and procedures, will be maintained by AIRS for at least six (6) years from the date they were last in effect.

1.1.4 AIRS will modify its policies and procedures as necessary to comply with changes in applicable law, including changes to the HIPAA Standards, or to reflect changes in the operations of AIRS and its relationships with Covered Entities. These changes will be documented and implemented promptly.

1.2 Training Requirement

1.2.1 The Compliance Officer and all members of AIRS’s Workforce who access Individually Identifiable Health Information will undergo training on the HIPAA Standards and AIRS’s related policies and procedures, as necessary and appropriate for the individuals to perform their job-related duties. For purposes of this Compliance Program, “Workforce” means employees, volunteers, trainees, and other persons who may have access to PHI in performing work for AIRS and whose conduct, in the performance of work for AIRS, is under the direct control of AIRS, whether or not they are paid by AIRS.

1.2.2 For persons who will handle or have access to PHI joining the Workforce after the date of the initial training, training will be required within thirty (30) days of hire. All new employees who will handle or have access to PHI prior to completing the training will be counseled as to the importance of maintaining the confidentiality and privacy of patient information.

1.2.3 When AIRS makes a material change to this Compliance Program, it will retrain the personnel who will need to implement the change prior to initiating the revised policy.

1.2.4 A minimum of one (1) hour per year of HIPAA refresher training will be provided to Workforce members with significant access to PHI.

1.2.5 The Compliance Officer and members of the Workforce will sign an acknowledgement when they have completed the required training. This documentation will be maintained by the Compliance Officer or other designated employee for at least six (6) years from the date the acknowledgement is signed.

1.3 Complaint Process

1.3.1 AIRS will provide a process for any individual, including an employee, Covered Entities with which AIRS has entered into a Business Associate Agreement, as well as patients and their family members, to raise issues with AIRS regarding AIRS’s policies and procedures concerning the use and disclosure of PHI and its compliance with those policies and procedures.

    • Written complaints should be sent to:
    • Once a complaint is received, it will be logged, and the Compliance Officer will launch an investigation.

1.3.2 AIRS will designate an employee to be responsible for overseeing or investigating all complaints, and taking corrective measures, as necessary.

1.4 Sanctions

1.4.1 As a condition of employment or other affiliation with AIRS, personnel are required to follow AIRS’s policies and procedures concerning the use and disclosure of PHI. AIRS will impose appropriate disciplinary action, in accordance with AIRS’s disciplinary policies, upon any person who fails to comply with applicable laws or this Compliance Program.

1.4.2 Serious violations may subject an individual to immediate termination. The following violations are representative examples of serious violations potentially justifying termination:

    • committing any act, such as selling patient names or records, which would expose AIRS or the Covered Entity to potential criminal sanctions;

    • intentional or reckless conduct that violates this Compliance Program or the HIPAA Standards;

    • failure to report conduct that the individual knew was a violation of this Compliance Program or the HIPAA Standards; or,

    • failure to correct behavior for which an individual was subject to prior disciplinary action.

1.4.3 Officers are responsible for disciplining personnel in an appropriate and consistent manner. The type of disciplinary action shall be determined on a case-by-case basis, and where appropriate, in consultation with AIRS’s management and the Compliance Officer or other designated employee.

1.4.4 The range of sanctions shall include oral warnings, written warnings, oral reprimands, written reprimands, demotion, suspension, or termination.

1.4.5 Nothing in this policy shall be interpreted as granting members of AIRS’s Workforce any right to challenge or seek further review of the disciplinary action imposed upon them by their supervisor or by any other officer or agent of AIRS. The review processes discussed here are solely for enhancing the effectiveness of this Compliance Program.

1.5 Mitigation

1.5.1 Whenever it becomes aware of any violation of these policies and procedures or of the HIPAA Standards, AIRS will take all reasonable steps necessary to mitigate any harmful effect of the inappropriate use or disclosure of PHI.

1.5.2 This requirement applies whether the violation poses a legal risk to AIRS or the Covered Entity.

1.6 No Intimidation or Retaliatory Acts

1.6.1 AIRS will not require or otherwise attempt to influence individuals to waive their rights to file a complaint with the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) or their other rights under the HIPAA Standards.

1.6.2 AIRS will not retaliate against any person, patient or AIRS employee, who files a complaint with the Secretary or testifies, assists, or participates in investigations, compliance reviews, proceedings or hearings under the provisions of HIPAA.

1.6.3 All personnel are prohibited from retaliating against patients for exercising their rights granted under HIPAA or participating in any process established by the HIPAA Standards, such as the filing of a complaint against AIRS. 

2. POLICIES AND PROCEDURES

2.1 General Framework 

2.1.1 AIRS will use and disclose PHI only for the purpose(s) identified in a signed Business Associate Agreement with a Covered Entity or as otherwise required by law. AIRS will not use or disclose PHI in any manner that is not permitted by the HIPAA Privacy Rule. Formally defined, PHI means Individually Identifiable Health Information[ii] transmitted or maintained in any format (written, electronic, or oral), whether relating to a living or a deceased individual.

2.1.2 Business Associate Agreements entered into by AIRS must provide that AIRS will:

    • implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity;
    • ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;
    • report to the Covered Entity any security incident, including a potential Breach of unsecured PHI, of which it becomes aware; and,
    • authorize termination of the contract by the Covered Entity, if the Covered Entity determines that AIRS has violated a material term of the Business Associate Agreement.

2.1.3 Business Associate Agreements entered into by AIRS also will include all other provisions required by the HIPAA Standards. 

2.1.4 When an individual requests access to certain PHI, an amendment to certain PHI, or an accounting of disclosures, AIRS will cooperate with the Covered Entity, as needed, to fulfill AIRS’s obligations under the applicable Business Associate Agreement. 

2.1.5 AIRS will promptly disclose PHI when the Secretary requests from AIRS information to determine the Covered Entity’s or AIRS’s compliance with the HIPAA Standards.  

2.1.6 All requests for access, an accounting, or an amendment must be submitted in writing. 

2.1.7 Prior to any disclosure permitted by this Compliance Program, AIRS will take reasonable steps in an effort to verify the identity of a person requesting PHI and the authority of any such person to have access to PHI, if the identity or authority of the person is not known to AIRS. 

2.1.8 As set forth in detail in Section II(B), AIRS will make reasonable efforts not to use, disclose or request more than the minimum amount of PHI necessary to accomplish the intended purpose of a use, disclosure or request. 

2.1.9 Any member of AIRS’s Workforce who becomes aware of any activity, including any use or disclosure of PHI, that the Workforce member believes is a violation of this Compliance Program or the HIPAA Standards will immediately notify the Compliance Officer of the activity.  

2.2 Minimum Necessary Requirements

2.2.1 General Requirements

Unless an exception listed below applies, AIRS will make reasonable efforts not to use, disclose or request more than the minimum amount of PHI necessary to accomplish the intended purpose of a use, disclosure or request. AIRS will use or disclose only the minimum necessary amount of PHI to meet its obligations under a Business Associate Agreement.

AIRS does not need to make a minimum necessary determination in the following circumstances:
    • disclosures of PHI made to the Secretary to determine the Covered Entity’s or AIRS’s compliance with the HIPAA Standards; 
    • uses and disclosures required by law; and, 
    • disclosures pursuant to a valid authorization. 

2.2.2 Implementation of the Minimum Necessary Standard  

    • Only the Compliance Officer and Programs Department personnel need access to PHI to carry out AIRS’s obligations under a Business Associate Agreement with a Covered Entity. Members of AIRS’s Workforce whose job descriptions do not require access to PHI received from the Covered Entity should not have access to such PHI.
    • AIRS may rely on another person’s representation that it is requesting the minimum amount of information necessary if the reliance is reasonable and where the request is made by a public official in accordance with one of the public policy-related uses and disclosures. 
    • The Compliance Officer and personnel from AIRS’s Programs Department will be given passwords to access PHI received from Covered Entities.   
    • In the event that AIRS maintains paper PHI, AIRS will keep such PHI in files flagged as containing PHI protected by HIPAA. The files will be kept in locked storage. 
    • AIRS does not violate the HIPAA Standards when it makes incidental uses and disclosures of PHI that cannot reasonably be prevented, that are limited in nature, and that occur as a by-product of an otherwise permitted use or disclosure, so long as reasonable safeguards are taken to minimize the chance of incidental disclosure to others.  

2.3 Business Associates 

2.3.1 In the event that AIRS subcontracts any of its responsibilities to another party, that party would become a Business Associate of AIRS.  AIRS will not disclose PHI to a Business Associate unless it has first executed a written contract with the Business Associate which contains all of the provisions contained in the primary Business Associate Agreement. 

2.3.2 AIRS will designate an employee to be responsible for securing the appropriate contract from all of AIRS’s Business Associates.  

2.3.3 If AIRS becomes aware of a pattern of activity or practice of a Business Associate that constitutes a material Breach or violation of the Business Associate’s obligations under its contract, it will take reasonable steps to cure the Breach or end the violation and, if required under the primary Business Associate Agreement, notify the Covered Entity.[iii] If the pattern of activity or practice of the Business Associate cannot be cured, AIRS will terminate the contract, if feasible.

2.4 Individual Rights

2.4.1 Right to Access PHI

AIRS’s Compliance Officer will be responsible for receiving and processing any individual requests for access to PHI received by and for cooperating with the Covered Entity, as prescribed under the Business Associate Agreement, when the latter responds to the requests.

2.4.2 Right to Amendment

AIRS’s Compliance Officer will be responsible for receiving and processing patient requests to amend their PHI and for cooperating with the Covered Entity, as prescribed under the Business Associate Agreement, when the latter responds to the requests.

2.4.3 Right to an Accounting of Disclosures

AIRS’s Compliance Officer will be responsible for receiving and processing patient requests for an accounting of disclosures and for cooperating with the Covered Entity, as prescribed under the Business Associate Agreement, when the latter responds to the requests.

2.5 Safeguards

2.5.1 AIRS will institute administrative, technical and physical safeguards to protect the privacy of PHI. 

2.5.2 AIRS will take all reasonable steps to safeguard PHI from any intentional or unintentional use or disclosure in violation of HIPAA. 

2.5.3 AIRS will take all reasonable steps to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. 

2.5.4 Specifically, AIRS requires that the following safeguards be taken: 

    • access controls will be used to protect electronically maintained PHI[iv];
    • computers containing PHI will not be placed in areas where the information may be viewed by unauthorized individuals, or will be programmed to revert to a screensaver or a blank screen within a short time of no use;
    • after three (3) years, all paper PHI will be shredded before it is thrown away; and, 
    • PHI will not be e-mailed.  

2.6 Notification to Covered Entity of a Breach of Unsecured PHI 

2.6.1 AIRS will investigate any report it receives that PHI has been improperly used or disclosed to determine if a Breach of unsecured PHI has occurred. 

2.6.2 AIRS will notify the relevant Covered Entity without unreasonable delay and in no case later than sixty (60) calendar days following discovery of a Breach of unsecured PHI.  The Breach is considered known when the incident is first known or should have been known, even if it is not initially clear whether the incident constitutes a Breach. 

2.6.3 AIRS’s notification to the Covered Entity will include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by AIRS to have been, used or disclosed during the Breach.  AIRS will provide to the Covered Entity any other information requested by the Covered Entity that the Covered Entity must include in its notification to each affected individual.  

2.6.4 AIRS will maintain documentation of each investigation, the ultimate conclusion of each investigation, and any follow-up actions taken in response to each investigation, including but not limited to notification to a Covered Entity of a Breach, for six (6) years from the date the investigation is completed. 

2.6.5 “Breach” is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.  A Breach has not occurred in the following circumstances: 

    • AIRS can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (ii) the unauthorized person who used the PHI or to whom the disclosure was made; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated;
    • the acquisition, access, or use of PHI by a Workforce member or person acting under the authority of AIRS was unintentional, made in good faith, and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule; 
    • a person who is authorized to access PHI at AIRS makes an inadvertent disclosure to another person authorized to access PHI at AIRS, and the information received as a result of the disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule; 
    • the disclosure of PHI was made to an unauthorized person who AIRS in good faith believes would not reasonably have been able to retain the information; or, 
    • the use or disclosure of PHI was incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures.

2.6.6 “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary.

    • Unsecured PHI does not include electronic PHI which has been encrypted according to an encryption algorithm for which the confidential decryption key or process has not been Breached when the encryption key is kept on a separate device or at a separate location from the encrypted data to ensure that the key is not Breached. 
    • Unsecured PHI does not include PHI which has been destroyed, i.e., the media on which the PHI is stored or received has been destroyed so that either (1) paper, film or other hard copy have been shredded such that PHI cannot be read or reconstructed, or (2) electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization such that PHI cannot be retrieved.

2.7 Security Policies 

2.7.1 General Policy 

    • AIRS will conduct and document an annual assessment of the potential risks to the confidentiality, integrity, and availability of the PHI held by AIRS.  AIRS also will conduct a risk assessment when there is a material change in AIRS’s operating environment or business practices that may implicate the risks posed to the PHI it maintains.  The risk assessment will include a review of the HIPAA policies and procedures to confirm that AIRS has in place all of the written policies and procedures required by HIPAA and that all of the written policies and procedures accurately reflect AIRS’s current operations. 
    • AIRS will implement (and document) all appropriate actions to correct any vulnerabilities identified by the risk assessment.  As necessary, corrective action may include revising the HIPAA policies and procedures, modifying the HIPAA compliance training program, disciplining personnel, and changing AIRS’s work processes.    

2.7.2 System Access Management 

    • Electronic Access: Access to AIRS’s information system will be limited in accordance with AIRS’s network security policy. AIRS will determine the access needed by each Workforce member upon the start of employment and periodically thereafter. Each user will be assigned a unique username and password. Usernames and passwords will permit each user to access and view only the fields needed to perform their job functions. Users will be automatically logged off from the information system if there has been no system activity for fifteen (15) minutes. When an individual’s employment ends or a Workforce member’s job no longer requires the Workforce member to have access to PHI, their access to PHI will be terminated.
    • Physical Access: 
      • persons not members of AIRS’s Workforce are prohibited from using any remotely used computers or devices that contain PHI. 
      • Workforce members are required to lock or shut down their remote computers or other devices containing PHI when the Workforce members finish their work. 
      • Workforce members are prohibited from copying any PHI to external media, including flash drives or hard drives.   
      • Workforce members who maintain paper PHI in their remote office must use a lockable file cabinet or safe to store the information.  The paper PHI will be destroyed (e.g., through micro-shredding) once it is no longer needed; and, 
      • computers or other devices containing PHI that are used remotely must ultimately be disposed of in a manner consistent with NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization such that PHI cannot be retrieved. 

2.7.3 System Monitoring & Security 

    • Periodic security updates on how to maintain the security of AIRS’s information system will be provided to all Workforce members with access to the information system, including as part of the initial and periodic refresher HIPAA training provided to individuals with significant access to PHI. 
    • Intrusion detection software will be installed to detect unauthorized access (or attempted access) to AIRS’s information system. All information systems will have reasonably up-to-date firewall protection and operating system security patches, as well as reasonably up-to-date system security agent software which includes malware protection and reasonably up-to-date patches and virus definitions. Any Workforce member who suspects that the information system has been corrupted by malicious software will report this suspicion immediately. Any workstation believed to have been infected with malicious software will be disconnected from the information system and wiped clean before being reconnected to the system.
    • AIRS regularly will review records of information system activity, including through the use of audit logs, access reports, and security incident tracking reports.  
    • AIRS will monitor attempts to log in to its information system. If a Workforce member’s username is associated with three unsuccessful log-in attempts, the Workforce member’s password will be required to be reset. Workforce members are not permitted to share their passwords with any other individual, either inside or outside of the company, and passwords must be changed every ninety (90) days. Passwords must be committed to memory and may not be written down. Each Workforce member will be considered responsible for any activities performed on AIRS’s information system by any individual using a Workforce member’s username and password.
    • AIRS will investigate any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with the system operations in its information system (each a “Security Incident”) of which it becomes aware.  AIRS will, to the extent feasible, mitigate the effects of an identified Security Incident and take appropriate steps to prevent a reoccurrence. 

2.7.4 Data Security 

    • AIRS will implement mechanisms to confirm the integrity of data in its information systems, including mechanisms to corroborate that electronic PHI has not been altered or destroyed in an unauthorized manner. AIRS also will implement mechanisms to ensure that PHI is not improperly modified during transmission.
    • AIRS will encrypt all transmitted records and files containing PHI that will travel across public networks, all data containing PHI that will be transmitted wirelessly, all PHI stored on laptops or other portable devices, all PHI stored on individual workstations, and all emails containing PHI.  PHI also may be encrypted in other situations on a case-by-case basis. 
    • Exceptions to the encryption requirement may be made on a case-by-case basis for the transmission of PHI to Business Associates or other authorized recipients of PHI when the recipient does not use a compatible encryption technology.  In cases where an exception is granted, an alternative method for protecting the PHI will be used. 

2.7.5 Device and Media

    • AIRS will maintain an asset database that tracks the name of the individual Workforce member assigned to each piece of hardware or electronic media from which PHI may be accessed or on which PHI may be stored.  For any device not currently assigned to an individual, the asset database will indicate the location where the device is located.  Each device also will be bar-coded for identification purposes.   
    • Before any electronic device or media on which PHI may have been accessed or stored can be re-used, donated, or otherwise disposed of, the device or media must be cleared, purged, or destroyed so that any recorded PHI on the device cannot be retrieved.  In the case of computers that are not being re-used by AIRS, the computer hard drive will be erased and have holes drilled through it before the computer is donated or disposed of. 

****

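Date        | Version | Change(s)                                             | Reason for Change(s) | Change(s) Made by
------------|---------|-------------------------------------------------------|----------------------|------------------
2023.06.30. | 1.0     | Enactment                                             | Enactment            | Yunmyeong Kim
2024.05.01. | 1.1     | Revising the structure and the contents of the policy | HIPAA compliance     | Yunmyeong Kim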