Pediatrix maintains a patient privacy program that protects each patient’s right to privacy of his or her protected health information, or PHI, as required by HIPAA and applicable federal regulations and interpretive guidelines. The patient privacy program fosters a culture of privacy compliance that demonstrates the company’s commitment to appropriately safeguard the privacy of an individual’s protected health information. The patient privacy program includes:
- Creation and implementation of company privacy policies and procedures.
- Education of all associates regarding the HIPAA Privacy Rule, as amended, the HITECH Act and company privacy policies and procedures.
- Implementation of appropriate administrative, technical and physical safeguards.
- Execution of written agreements with business associates.
- Implementation of a process to routinely monitor compliance with the company’s privacy policies and procedures, HIPAA standards and the HITECH Act.
The privacy program is managed and overseen by Pediatrix’s privacy officer in the compliance department with guidance and support from the compliance committee. Privacy requirements and expectations are documented in the company’s HIPAA policy repository available to all associates on the Pediatrix policy site. Associates are trained upon hire and annually on the appropriate collection, usage, retention, disclosure and destruction of PHI. Administrative, technical and physical safeguards are implemented to protect health information from any intentional or unintentional use or disclosure that violates privacy policies, the HIPAA Privacy Rule or the HITECH Act. Business Associate Agreements are executed for all vendors that handle, use, distribute or access patient PHI on behalf of the company. The compliance department publishes the compliance helpline and privacy officer email address as a method to report possible HIPAA violations. The privacy officer, in conjunction with the legal department and the information technology department, investigates all suspected or potential privacy incidents. Root-cause analysis is performed on all substantiated privacy incidents. Remediation efforts are employed to mitigate further risk of compromise and prevent future incidents. The company reports all significant incidents to the compliance committee and the board of directors.