Effective Date: January 1, 2025
LucraMed is committed to full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. As a Business Associate to covered entities (healthcare providers), we take the responsibility of safeguarding Protected Health Information (PHI) seriously.
This policy outlines how LucraMed protects, manages, and handles PHI in accordance with HIPAA Privacy, Security, and Breach Notification Rules.
1. Purpose
This HIPAA policy establishes procedures to ensure that all PHI handled by LucraMed is accessed, used, stored, and transmitted in a manner that complies with HIPAA regulations.
2. Scope
This policy applies to all LucraMed services that involve PHI, including:
- Medical Billing
- Revenue Cycle Management
- Denial Management and Appeals
- Claims Follow-Up
- Payment Posting
- Reporting Services
- Credentialing and Enrollment (where applicable)
3. Definitions
- PHI: Any information that relates to a patient’s health, treatment, or payment and that can identify the patient
- Covered Entity: Healthcare providers, plans, or clearinghouses regulated by HIPAA
- Business Associate: A person or entity that performs functions or activities involving PHI on behalf of a covered entity
- Minimum Necessary: The principle of accessing only the amount of PHI required to perform a job function
4. Administrative Safeguards
- LucraMed has appointed a HIPAA Compliance Officer responsible for overseeing HIPAA-related policies and enforcement.
- All employees receive initial and annual HIPAA training.
- Risk assessments are conducted regularly to evaluate risks to the confidentiality, integrity, and availability of PHI.
- Formal Business Associate Agreements (BAAs) are signed with all covered entity clients before any PHI is handled.
- Policies are reviewed and updated annually or upon regulatory changes.
5. Technical Safeguards
- All PHI is stored and transmitted using HIPAA-compliant encryption.
- Access to PHI is role-based and limited to authorized personnel only.
- All systems require unique user authentication and secure passwords.
- Activity and access logs are maintained and monitored.
- Secure communication tools (encrypted email, secure portals) are used to exchange PHI.
6. Physical Safeguards
- Devices storing PHI are kept in secure physical environments, accessible only by authorized staff.
- Workstations are locked when unattended.
- Paper records (if any) are stored in locked cabinets with restricted access.
- Access to office premises is monitored and controlled.
7. Use and Disclosure of PHI
- PHI is accessed only for purposes outlined in client contracts or BAAs.
- PHI is never sold or used for marketing purposes.
- LucraMed observes the minimum necessary standard for all uses and disclosures of PHI.
- Clients are instructed not to send PHI through unsecured channels; PHI is to be exchanged only when encryption is in place.
8. Breach Notification
- Any suspected or confirmed PHI breach is reported to the HIPAA Compliance Officer immediately.
- LucraMed follows HIPAA’s Breach Notification Rule and notifies affected clients without unreasonable delay, and no later than 60 calendar days after the breach is discovered.
- All breaches are documented and assessed for risk.
9. Client Responsibilities
As the Covered Entity, each client remains responsible for:
- Informing patients of their HIPAA rights
- Obtaining patient consent when applicable
- Providing accurate and authorized data
- Complying with all HIPAA-related obligations as the Covered Entity
10. Policy Enforcement
Violations of this policy may result in disciplinary action, including termination of employment or contracts. Serious breaches may be reported to regulatory authorities.
11. Contact
For HIPAA-related inquiries or reporting a concern, please contact:
HIPAA Compliance Officer
📧 info@lucramed.com
