HIPAA TRAINING

(Health Insurance Portability and Accountability Act)

HIPAA is a mandatory training for all employees at Gateway Academy. All employees shall complete HIPAA training at the time of hire and on an annual basis. New employees shall complete the HIPAA training within the first two weeks from the time of hire, and shall turn in the HIPAA certificate with New Hire Paperwork. Hourly employees shall then complete HIPAA recertification annually based on the month of hire. Salaried employees shall complete recertification each year based on the assigned month (April).

All employees shall sign a RECEIPT AND UNDERSTANDING CONFIDENTIAL/SECURITY ACKNOWLEDGEMENT regarding the confidentiality and security of student information.

Review Gateway's HIPAA Training below. Then take the HIPAA quiz at the end. This is an open-book test.

HIPAA Training Gateway Academy

Introduction:

The HIPAA Privacy Rule establishes standards for protecting a Student's protected health information ("PHI"). It specifies a Student's rights over their private health information and requires that all employees of Gateway protect that information. The Privacy Rule, essentially, addresses how PHI can be used and disclosed. As a subset of the Privacy Rule, the Security Rule applies specifically to electronic PHI, or ePHI.

1. Summary of the HIPAA Privacy Rule:

Introduction
The Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") establish a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule standards address the use and disclosure of Gateway Students' health information (called "protected health information") by Gateway (called a "covered entity"), as well as standards for Students' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights ("OCR") has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil monetary penalties.

A major goal of the Privacy Rule is to assure that Students' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.

Who is Covered by the Privacy Rule.
HIPAA applies to every health care provider. Health care providers include all "providers of health care services," such as Gateway Academy.

Business Associates
In general, a business associate is a person or organization, other than a Gateway employee, that performs certain functions or activities on behalf of, or provides certain services to, Gateway that involve the use or disclosure of Student PHI. Business associate functions or activities on behalf of Gateway include services such as billing, programming, computer work, and treatment performed by people or organizations who are not employed by Gateway.

When Gateway uses a contractor or other non-workforce member to perform "business associate" services or activities, the Rule requires that Gateway include certain protections for the information in a business associate agreement. In the business associate contract, Gateway must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates.

What Information is Protected / Protected Health Information ("PHI").
The Privacy Rule protects all "individually identifiable health information" held or transmitted by Gateway or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" ("PHI"). "Individually identifiable health information" is information, including demographic data, that relates to:

  • a Student's past, present or future physical or mental health or condition,

  • the provision of health care to a Student, or

  • the past, present, or future payment for the provision of health care to a Student, and that identifies a Student or for which there is a reasonable basis to believe it can be used to identify a Student.

Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule does NOT include PHI for employees. It only applies to Student PHI.

General Principle for Uses and Disclosures
A major purpose of the Privacy Rule is to define and limit the circumstances in which a Student's PHI may be used or disclosed by Gateway. Gateway may not use or disclose PHI, except either:

(1) as the Privacy Rule permits or requires; or
(2) as the Student who is the subject of the information authorizes in writing.*

* If the Student is a minor, only a parent may authorize a Student's use or disclosure of PHI; the minor Student MAY NOT authorize the release of his/her PHI.
* Once a Gateway Student turns 18, only the Student may authorize the use and disclosure of his/her PHI.

Permitted Uses and Disclosures Under The Privacy Rule
Gateway is permitted, but not required, to use and disclose PHI for the following purposes or situations:

(1) To the Student. Gateway may disclose PHI to the Student who is the subject of the information.

(2) Treatment, Payment, Health Care Operations. Gateway may use and disclose PHI for its own treatment, payment, and health care operations activities.

Treatment is the provision, coordination, or management of health care and related services for a Student by one or more health care providers, including consultation between providers, such as a dentist's or pediatrician's office, regarding a Student and referral of a Student by one provider to another.

Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to a Student, such as insurance reimbursement.

Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity. An example of health care operations is Gateway's JCAHO accreditation.

(3) Incidental Use and Disclosure. The Privacy Rule does not require that every risk of an incidental use or disclosure of PHI be eliminated. A use or disclosure of this information that occurs because of, or as "incident to," an otherwise permitted use or disclosure is permitted as long as Gateway has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the "minimum necessary," as required by the Privacy Rule. For example, an employee may disclose a Student's name and other identifying information to sign them up for the climbing gym. The use of the identifying information should be limited in scope and is not considered a use or disclosure of PHI.

(4) Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of PHI, without a Student's authorization or permission, for 12 national priority purposes, for example, as required by law, for public health activities, etc.

As Authorized by the Student (or his/her parents as applicable)
Gateway must obtain written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. An authorization must be written in specific terms. It may allow use and disclosure of PHI by Gateway, as the party seeking the authorization, or by a third party. Examples of disclosures that would require a Student's authorization include disclosures to an educational consultant or medical provider.

All authorizations must be in plain language and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data.

Limiting Uses and Disclosures to the Minimum Necessary
A central aspect of the Privacy Rule is the principle of "minimum necessary" use and disclosure. Gateway must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request.

Privacy Practices Notice
Gateway provides a notice of its privacy practices to all enrolling families. The Privacy Rule requires that the notice contain certain elements. The notice must describe the ways in which Gateway may use and disclose PHI. The notice must state Gateway's duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe Students' rights, including the right to complain to HHS and to Gateway if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to Gateway.

Enforcement and Penalties for Noncompliance
The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing the Privacy Rule and may conduct complaint investigations and compliance reviews. Consistent with the principles for achieving compliance provided in the Privacy Rule, OCR will seek the cooperation of covered entities and may provide technical assistance to help them comply voluntarily with the Privacy Rule. Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution. These penalty provisions are explained below.

Civil Money Penalties
OCR may impose a penalty on Gateway and its employees for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly depending on factors such as the date of the violation, whether Gateway knew or should have known of the failure to comply, or whether Gateway's failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.

Criminal Penalties
A Gateway employee who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.


2. Summary of the HIPAA Security Rule

Introduction
The Security Standards for the Protection of Electronic PHI (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called "covered entities" must put in place to secure Students' "electronic PHI" (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Gateway uses clinical applications such as computerized physician order entry, electronic health records (EMAR), and pharmacy and laboratory systems. While this means that the Gateway workforce can be more mobile and efficient, the rise in the adoption rate of these technologies increases the potential security risks. A major goal of the Security Rule is to protect the privacy of Students' health information while allowing Gateway as a covered entity to adopt new technologies to improve the quality and efficiency of Student care.

What Information is Protected

Electronic PHI. The HIPAA Privacy Rule protects the privacy of individually identifiable Student health information, called protected health information (PHI), as explained in the Privacy Rule. The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable Student health information Gateway creates, receives, maintains or transmits in electronic form. The Security Rule calls this information "electronic PHI" (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

All restrictions set forth regarding the use and disclosure of PHI under the Privacy Rule also apply to the use and disclosure of ePHI under the Security Rule.

General Rules
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:

(1) Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit,
(2) Identify and protect against reasonably anticipated threats to the security or integrity of the information,
(3) Protect against reasonably anticipated, impermissible uses or disclosures, and
(4) Ensure compliance by their workforce.

Physical Safeguards - Facility Access and Control
Gateway must limit physical access to its facilities while ensuring that authorized access is allowed.

Technical Safeguards

Access Control. Gateway must implement technical policies and procedures that allow only authorized persons to access electronic PHI (e-PHI).

Audit Controls. Gateway must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.

Integrity Controls. Gateway must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.


3. In Case of a Breach of HIPAA

A HIPAA breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI.” This means if Gateway or an employee impermissibly discloses Student PHI unlawfully or accidentally to a person OUTSIDE of Gateway, that’s a breach.
In terms of protections, healthcare data has some of the most restrictive and stringent security requirements in the U.S. There is a good reason for this: medical data is typically seen as completely private to the person involved, in a way such that it should never be shared outside of the relationship between a Student and their doctor, healthcare provider or insurance payor.

What Is the Difference Between a HIPAA Violation and a HIPAA Breach?
A HIPAA violation is an impermissible use or disclosure of PHI that is less severe than a breach. A HIPAA violation may or may not lead to a financial penalty or other sanctions, while a breach is a serious violation of HIPAA rules that can lead to sanctions, fines, and other corrective action. A HIPAA violation may involve the inappropriate use or disclosure of PHI WITHIN an organization, such as an employee disclosing a Student’s PHI or other related information without authorization to another employee.

A HIPAA breach, by contrast, typically involves the unauthorized disclosure of PHI to an unauthorized individual or entity OUTSIDE of Gateway, or the access by an unauthorized individual or entity to PHI. A breach can also include the loss of unsecured PHI, such as in the case of unauthorized physical or electronic access.

Is a Ransomware Attack Considered a Breach of HIPAA?
Yes, a ransomware attack is considered a breach of HIPAA and will trigger HIPAA’s notification requirements. HIPAA requires Gateway and its business associates to notify individuals and the Department of Health and Human Services (HHS) of any breaches of unsecured PHI.

The Breach Notification Rule.
This aspect of the Privacy and Security Rules governs requirements for Gateway when a security breach occurs. It includes guidelines for when, how, and how often to notify those affected by security breaches in healthcare systems.
The HIPAA Breach Notification Rule focuses on safeguarding Students’ PHI. This rule establishes the requirements and procedures Gateway, and its business associates, must follow in the event of unauthorized access to PHI. The Breach Notification Rule aims to ensure timely notification of affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media. Ultimately, the HIPAA Breach Notification Rule is designed to mitigate the potential harm of a breach and prevent future breaches.
Adherence to the HIPAA Breach Notification Rule ensures transparency, timely response, and remediation efforts, helping to restore trust between Students and healthcare providers while maintaining the integrity and confidentiality of sensitive health information.

When and How Should You Report a HIPAA Breach?
The HIPAA Breach Notification Rule defines a breach as an impermissible disclosure of PHI. Any unauthorized or impermissible disclosure is considered a breach unless the organization affected can prove that unlawful access did not compromise confidential health data.
According to the rule, the affected organization must notify affected individuals of the data that has been compromised in writing or by email, and they must do it within 60 days of discovering the unlawful access. The letter should include the following information:

1. A description of the HIPAA breach.
2. The kinds of data being compromised.
3. Mitigation efforts that are taken by the organization.
4. The steps a Student should take to protect themselves or their data.
5. Optional information for credit protection, including resources to check and monitor their credit or place a fraud notification on their credit report.

Finally, all affected organizations must inform the Secretary of Health and Human Services. In most cases, a breach must be reported.

When does an impermissible disclosure of PHI need not be reported?

The exception to the Breach Notification Rule is if Gateway can show that there is a low probability that someone accessed or stored the PHI, as determined by a risk assessment of the following factors:

1. The types of PHI affected.
2. The type of breach and the credentials used to access it.
3. The actual viewing (or not) of the data.
4. The extent to which the risk of use or theft of the PHI has been mitigated.

For example, Gateway may be able to show that an incident did not expose data because the recipient lacked credentials, or because some combination of factors made it impossible for the data to be stolen or viewed. Incidents of this kind include:

  • An employee unintentionally accesses Student information as part of their job.

  • Two authorized people expose data to each other in the same or different organizations.

  • The data compromised will, most likely, not be saved outside of secure systems.

What if You Accidentally Violate HIPAA?
Not all HIPAA security violations are due to willful neglect. With such complex requirements and potential attack vectors, it is understandable if Gateway or one of its employees accidentally misses a HIPAA compliance requirement. There are several common ways to accidentally violate HIPAA:

1. Intentional avoidance: As when an employee shares information outside compliant channels to expedite emergency treatment.
2. Accidental exposure: Disclosure made without intention to do so.
3. Intentional disclosure: Either due to theft or hacking. Most often occurs due to an individual within the organization.

If you suspect you have impermissibly used or disclosed a Student's PHI, you should notify your supervisor immediately. Your supervisor will notify Gateway's HIPAA Compliance Officer (the CEO), who will do a risk assessment to determine if the impermissible use is a reportable breach.

Why Staff Must Be Trained on Reporting HIPAA Breaches
Proper staff training on reporting HIPAA breaches is critical to maintaining the privacy and security of Students’ PHI. There are several reasons why.

First and foremost, staff training helps create a culture of compliance and awareness within the organization. By educating employees on the importance of HIPAA regulations and their role in safeguarding PHI and Student privacy, they become more vigilant and proactive in identifying and addressing potential risks. This heightened awareness can lead to the prevention of breaches and a more robust security posture overall.

Second, a well-trained staff can quickly detect and report breaches, ensuring that the organization can immediately mitigate the impact. Prompt reporting and response are crucial for limiting the potential harm to affected individuals and minimizing the organization’s exposure to fines and penalties associated with the HIPAA Breach Notification Rule.

Finally, providing staff with the necessary knowledge and tools to report HIPAA breaches ensures that the organization complies with HIPAA. Regular training updates and refreshers help staff stay informed about new threats and evolving best practices, further reinforcing the organization’s commitment to maintaining the privacy and security of PHI.


4. Use and Disclosure of PHI Specific to Gateway

The following information applies to all Gateway employees and is a helpful guide on many of the use and disclosure issues that arise for a Gateway employee.

Minors.
If the Student is a minor, only a parent may authorize a Student's use or disclosure of PHI; the minor Student MAY NOT authorize the release of his/her PHI. Once a Gateway Student turns 18, only the Student may authorize the use and disclosure of his/her PHI.

Psychotherapy Notes.
Psychotherapy Notes have special use and disclosure protections under HIPAA. Gateway does NOT release psychotherapy notes to a Student or his/her family.

Photographs/Videos of Students.
Gateway families must give their consent to the use and disclosure of a Student's image. Employees of Gateway may only take photos of a Student with a Gateway owned device. Photographs of students may not be taken on a personal cell phone without prior permission from a Director. The Company maintains a website located at gatewayacademy.net. The website contains a parent portal that is password protected. Employees take pictures of the clients on a weekly basis; the Admissions Counselor, who oversees and cares for the Company cameras, uploads them to the parent portal. Groupings of client photos are labeled by date and event. Only photos of those clients whose parents have signed the PARENT PORTAL RELEASE AND CONSENT will be uploaded to the parent portal. Every quarter the password to the parent portal shall be changed. The Admissions Counselor shall also routinely delete photos that are two months old or older.

Social Media.
Unless specifically instructed by the Company, employees are not authorized to speak on behalf of the Company. Employees shall not publicly discuss clients, products, employees, or any work-related matters, whether confidential or not, outside Company-authorized communications. Employees are expected to protect the privacy and reputation of the Company, its employees, and its clients, and are prohibited from disclosing personal employee information and any other proprietary and nonpublic information to which employees have access. Such information includes but is not limited to confidential information as defined in the Company Handbook.

Staff Ups/Discussing Current Students.
Verbal discussions regarding clients must be conducted behind closed doors and in a soft tone. Client information shall not be discussed in a public area or where visitors or non-Company personnel may overhear. Employee family and friends may not be brought into the client's living quarters.

Printing PHI:
Client information must never be left unattended on a copier, desk or otherwise.

Removing PHI from Campus.
PHI may not be removed from campus without written authorization. PHI that is removed from campus shall contain only the minimum necessary PHI.

Email Use.
The Gateway email system is not encrypted and is therefore not considered a secure connection, so no Student information may be shared via email without parent permission. All parents who enroll a Student at Gateway must sign a consent form to use email to discuss PHI.

Shredding Documents / Garbage / Blue Recycling Bins.
Files shall be shredded or deleted pursuant to the above Records Retention Schedule. Any document that contains PHI shall be shredded. Documents containing PHI shall not be disposed of in the blue recycling bin unless they have been shredded. To shred a record, the Company contacts its offsite storage company and gives them the number of the box that shall be shredded. Once the storage company shreds the documents, they shall send the Company a Certificate of Destruction listing which box was shredded.

Texting.
When texting a message on a Company phone, the employee shall always start by identifying themselves. The Medical Team, Therapists and other employees need to know who is sending a text in order to respond to the sender. Only client initials may be used when texting information about a client.

Personal Phones.
Cell phones must be password protected. Personal cell phones may not be used to take client/family photos. Only initials or first name and last initial may be used when texting information about a client. All cell phones that contain Company information must be properly cleaned and disposed of. Lost cell phones containing Company information must be reported to the Privacy Officer.

Staff Contact with Current/Past Students.
Employees on or off shift shall not give their phone number, address, email, social network accounts and/or other personal information to a client in order to keep in contact with the client after discharge. All communication with past clients shall be done through the Company, meaning past clients shall only call an employee on shift using the Company phone, or email an employee at a Company email address at gatewayacademy.net. Employees are expected to maintain these boundaries even if they are no longer employed at Gateway. Seeking information about clients or contacting clients after ending employment with Gateway is strictly prohibited, since such information is protected health information. Limiting contact creates a safety net for employees, and helps continue the mentor relationship, as opposed to a friendship.

Computer/iPad/Laptop Security.
Company and personal computers must be turned off when you are not in direct contact with your computer. Staff must always keep papers and computers secure. Computers shall be password protected. When not in use, computer screens shall be turned off. Client information may only be printed on Company printers. All computers that contain Company information must be properly cleaned and disposed of. Lost computers containing Company information must be reported to the Privacy Officer. Fax numbers must be verified prior to sending client information. When sending information via Email, unless otherwise approved, only a client’s first name may be used.

Outside Callers.
Occasionally employees may receive phone calls requesting information about a client. If employees are not familiar with the caller, employees must assume that the caller is a stranger and must check to confirm the identity of the caller. Employees shall not acknowledge that a client is or is not in the program unless the caller is known and has proper authority to speak with the client. If employees are unsure in any situation, request that the caller call back when a Manager, Director, Assistant Director of HR & Operations, or the Admissions Counselor is available. If the caller claims to be from a law enforcement agency or DSS and there is no way to confirm they are who they claim to be, it is acceptable to ask for a number and call them back, or to ask for the request in writing on letterhead. It is always best to err on the side of caution.

Click on the link below to take the HIPAA quiz, sign the HIPAA Confidentiality Agreement, and then submit them to Millie Butterfield.

HIPAA Quiz and HIPAA Confidentiality Agreement