PRIVACY and SECURITY POLICY

I.    PURPOSE

The purpose of this policy is to describe the general framework that Four Rivers Resource Services, Inc. will use to ensure compliance with the health information privacy and security provisions of Public Law 104-19, commonly known as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and with other federal and state laws related to the privacy and security of personal, identifiable information.  Through this policy and its related supporting policies and procedures, Four Rivers recognizes that the privacy of personal, identifiable information is a fundamental right of each consumer and employee.  Four Rivers is committed to preserving and protecting the privacy of all such information to the highest degree practicable.  As a result, Four Rivers has formally adopted this Privacy and Security Policy to ensure that it complies with, and in many instances exceeds, the requirements of the privacy and security provisions of HIPAA; the final HIPAA Privacy Rule, published in the Federal Register on December 28, 2000; the amendments to the HIPAA Privacy Rule published on August 14, 2002; the amendments to the HIPAA Electronic Data Transaction Standards and Code Sets and Security Standards published on February 20, 2003; and other federal and state laws related to the privacy and security of health information.

II.  HIPAA vs. STATE and FEDERAL LAW

A.  Summary

Generally, if a state law conflicts with HIPAA, the law that provides the greater protection, freedom or access to the consumer/employee takes precedence over the less restrictive law.  This principle provides greater protection to consumers/employees in situations where either state law or HIPAA would make disclosures easier for the provider (e.g., HIPAA requires an “authorization” to state the exact date or event on which it is scheduled to expire, but does not place any specific time limitation on how long the authorization can last; under Indiana law, however, an authorization can last only 60 days for general health records and 180 days for mental health records).  Conversely, it provides the consumer/employee greater ease of access to information (e.g., under HIPAA a provider may allow a consumer/employee access to his or her own PHI in a broader range of circumstances than under Indiana law; in this circumstance, Indiana law is controlling, because it gives greater access to the consumer/employee).

B.  General Rule

HIPAA does not eliminate existing federal and state laws addressing privacy.  In addition to HIPAA, Four Rivers will need to comply with all federal laws addressing privacy issues.  State laws, however, will be pre-empted unless they are more stringent than HIPAA, or if they fit within an exception.

In general, a standard, requirement or implementation specification adopted under HIPAA that is contrary to a provision of state law pre-empts the state provision.  This general rule applies unless one or more of the following conditions is met.  First, the Secretary of the Department of Health and Human Services (the “Secretary”) determines that the state law provision is necessary to prevent fraud and abuse, to ensure appropriate state regulation of insurance, for state reporting on healthcare delivery or costs or for purposes related to public health, safety or welfare.  Another exception exists where the principal purpose of the state law is the regulation of the manufacture, registration, distribution, dispensation or other control of any controlled substances.

A second exception to pre-emption applies when a state law provision relates to the privacy of information and is “more stringent” than a standard, requirement or implementation specification in the HIPAA privacy standards.  An example of this is where the state has a mental health statute that affords a consumer/employee more privacy protection than the HIPAA privacy standards.  Please see the following discussion regarding application of the “more stringent” standard.

A third exception applies when the provision of state law provides for the reporting of disease or injury, child abuse, birth or death or for the conduct of public health surveillance, investigation or intervention.

C.  Application of “More Stringent” State Law

State laws must be evaluated to determine whether they are more stringent than the HIPAA privacy standards.  Four Rivers and its Business Associates will need to comply both with the HIPAA privacy standards and with the more stringent state law.

The HIPAA privacy standards offer guidance on how to determine whether a state law is more stringent.  With respect to a use or disclosure, the state law is “more stringent” if it prohibits or restricts a use or disclosure in circumstances under which such use or disclosure would otherwise be permitted under the HIPAA privacy standards, except for disclosures required by the Secretary in connection with determining whether Four Rivers is in compliance with the HIPAA privacy standards and disclosures to consumers/employees.

With respect to the rights of a consumer/employee to access or amend PHI, the state law is “more stringent” if it permits greater rights of access or amendment.  HIPAA privacy standards may not be construed to take precedence over any state law to the extent that it authorizes or prohibits disclosure of PHI about a minor to a parent, guardian or person acting in loco parentis of such minor.

With respect to information provided to a consumer/employee about a use, a disclosure, rights and remedies, the state law is “more stringent” if it provides the greater amount of information.  With respect to the form or substance of an authorization or consent, the state law is “more stringent” if it imposes requirements that narrow the scope or duration, increase the privacy protections afforded or reduce the coercive effect of the circumstances surrounding the authorization or consent.  With respect to record keeping or requirements relating to the accounting of disclosures, the state law is “more stringent” if it provides for the retention or reporting of more detailed information or for a longer duration.

In all other situations, state law is considered “more stringent” if it provides greater privacy protection for the consumer/employee.

D.  Determination by the Secretary that a State Law is not Pre-empted

Under HIPAA, a state, through its chief elected official (or his or her designee), may submit a request to the Secretary requesting an exception to pre-emption for the state law at issue.  The determination will remain in effect until one of two events occurs.  First, the state law, or the federal standard, requirement or implementation specification that provided the basis for the exception is materially changed such that the ground supporting the need for the exception no longer exists.  Second, the Secretary revokes the exception, based on a determination that the ground supporting the need for the exception no longer exists.

E.  Other Federal Laws and Regulations

There are several federal laws and regulations relating to privacy that affect healthcare organizations in addition to the HIPAA privacy standards.  Four Rivers will determine how the HIPAA privacy standards will affect its ability to comply with these other privacy laws.

III. SPECIAL CATEGORIES OF PERSONS

A.  Deceased Persons (45 CFR § 164.502(f))

Four Rivers will use and disclose PHI of a deceased person in the same manner as any other consumer/employee.

B.  Personal Representatives (45 CFR § 164.502(g))

1.   Summary:

Generally, except as otherwise provided in this section, Four Rivers will treat a consumer’s/employee’s personal representative as the consumer/employee for purposes of this Privacy and Security Policy and other related supporting policies and procedures.  Four Rivers may, however, elect not to treat a person as the personal representative of a consumer/employee if:

(a)  Four Rivers has a reasonable belief that:

(i)   The consumer/employee has been, or may be, subjected to domestic violence, abuse or neglect by such person; or

(ii)  Treating such person as the personal representative could endanger the consumer/employee; or

(b)  Four Rivers, in the exercise of professional judgment, decides that it is not in the best interest of the consumer/employee to treat the person as the consumer’s/employee’s personal representative.

2.   Minors:

If under Indiana law a parent, guardian or other person acting in loco parentis has authority to act on behalf of a consumer who is an unemancipated minor in making decisions related to services, Four Rivers will treat such person as the consumer’s personal representative with respect to PHI; provided that a person will not be treated as a personal representative of an unemancipated minor and the minor will have the authority to act as a consumer with respect to PHI pertaining to a service, if:

(a)    The minor consents to such service and no other consent to such service is required by Indiana law, regardless of whether the consent of another person has also been obtained and the minor has not requested that such person be treated as the personal representative;

(b)   The minor may lawfully obtain such service without the consent of a parent, guardian or other person acting in loco parentis, and the minor, a court or another person authorized by law consents to such service; or

(c)    A parent, guardian or other person acting in loco parentis agrees to an agreement of confidentiality between Four Rivers and the minor with respect to such service.

3.   Adults:

If under Indiana law a person has authority to act on behalf of a consumer/employee who is an adult or an emancipated minor in making decisions related to services, Four Rivers will treat such person as a personal representative with respect to PHI relevant to such personal representation.

If under Indiana law an executor, administrator or other person has authority to act on behalf of a deceased person, or on behalf of a person’s estate, Four Rivers will treat such person as a personal representative with respect to PHI relevant to such personal representation.

IV. USES and DISCLOSURES (45 CFR §§ 164.502, 164.504, 164.506, 164.508, 164.510, 164.512, 164.514)

A.    General

Four Rivers will not use or disclose PHI, except as specifically permitted by this Privacy and Security Policy and other related policies and procedures or as otherwise permitted or required by law.

1.   Four Rivers will disclose PHI in the following situations:

(a)    In accordance with Four Rivers’ “Confidentiality Policy”; or

(b)   To the Secretary when the information is requested to investigate or determine Four Rivers’ compliance with HIPAA or as required by law, and in accordance with Four Rivers’ “Confidentiality Policy” addressing where authorizations are not required.

2.      Four Rivers may use or disclose PHI as permitted by law and consistent with the Privacy and Security Policy and other related policies and procedures:

(a)    “Uses and Disclosures for Treatment, Payment or Health Care Operations” (see FRRS Confidentiality Policy);

(b)   “Limited Access to Persons Involved in a Consumer’s/Employee’s Services and for Notification Purposes” (see Four Rivers’ Confidentiality Policy);

(c)    “Maintaining Consumer Files” (see Four Rivers’ Record Keeping Policy);

(d)   “Where Authorizations are Required” (see Four Rivers’ Confidentiality Policy);

(e)    “Where Authorizations are not Required” (see Four Rivers’ Confidentiality Policy);

(f)    “Managing Marketing Activities” (see Four Rivers’ Confidentiality Policy);

(g)   “Managing Fund Raising Activities” (see Four Rivers’ Confidentiality Policy);

(h)   “Addressing Business Associate Relationships” (see applicable Business Associate Contracts).

B.     Whistleblowers and Employee Crime Victims (45 CFR § 164.502(j))

Four Rivers will be in compliance with HIPAA, other federal and state privacy laws, Four Rivers’ Privacy and Security Policy and other related policies and procedures if an employee or a Business Associate discloses PHI as a Whistleblower, or if an employee who is a victim of a criminal act discloses PHI to a law enforcement official, so long as the PHI disclosed is about a suspected perpetrator of the criminal act and is limited to the following information:

1.      Name and address;

2.      Date and place of birth;

3.      Social security numbers;

4.      ABO blood type and Rh factor;

5.      Type of injury;

6.      Date and time of treatment;

7.      Date and time of death, if applicable;

8.      A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars and tattoos.

C.    Minimum Necessary (45 CFR § 164.514(d))

When using or disclosing PHI or when requesting PHI from another covered entity, Four Rivers will make all reasonable efforts to limit these uses and disclosures to the “minimum necessary” to accomplish the intended purposes.  This requirement does not, however, apply to:

1.      Disclosures to, or requests by, an agency/organization/facility for information necessary to provide treatment, in accordance with Four Rivers’ “Confidentiality Policy”;

2.      Uses or disclosures made to the consumer/employee, in accordance with Four Rivers’ “Confidentiality Policy”;

3.      Uses or disclosures made pursuant to an authorization, in accordance with Four Rivers’ “Confidentiality Policy” addressing where authorizations are required;

4.      Disclosures made to the Secretary, in accordance with Four Rivers’ “Confidentiality Policy” addressing where authorizations are not required;

5.      Uses and disclosures that are required by law, in accordance with Four Rivers’ “Confidentiality Policy” addressing where authorizations are not required; and

6.      Uses and disclosures that are required for compliance with applicable requirements of HIPAA and other federal or state health privacy laws.

D.    Business Associates (45 CFR § 164.502(e))

Four Rivers will require all Business Associates with whom it shares PHI to execute an agreement with Four Rivers and to handle such PHI in accordance with the Administrative Simplification provisions of HIPAA and the other requirements of Four Rivers’ Privacy and Security Policy and other related policies and procedures.

E.     De-Identified and Re-Identified Information (45 CFR § 164.514(a), (b), (c))

For purposes of Four Rivers’ Privacy and Security Policy, information that qualifies as De-Identified in accordance with Four Rivers’ “Confidentiality Policy” shall not constitute PHI and may be used or disclosed pursuant to that policy.  If information is subsequently Re-Identified, it may only be used and disclosed like any other PHI covered by this Privacy and Security Policy.

F.     Disclosure of Drug and Alcohol Treatment Records

All disclosures of Drug and Alcohol Treatment Records shall include the following written statement:

This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2).  The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2.  A general authorization for the release of medical or other information is NOT sufficient for this purpose.  The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse consumer/employee.

V.  NOTICE of PRIVACY PRACTICES (45 CFR § 164.520(a))

All uses and disclosures of PHI by Four Rivers are subject to and shall comply with Four Rivers’ “Notice of Privacy Practices” and Four Rivers’ Notice of Privacy Practices Consent Form.  Each Four Rivers consumer/employee will receive a copy of Four Rivers’ Notice of Privacy Practices.

VI. CONSUMER’S/EMPLOYEE’S RIGHTS REGARDING PHI

A.    Consumers’/Employees’ Access to Their PHI (45 CFR § 164.524)

All consumers/employees will have the ability to request access to their PHI in accordance with Four Rivers’ “Confidentiality Policy” and/or “Personnel Policies and Procedures”.

B.     Right of a Consumer/Employee to Request Amendments to PHI (45 CFR § 164.526)

All consumers/employees will have the right to request amendments to their PHI pursuant to Four Rivers’ “Confidentiality Policy”, “Consumer Rights Policy” and/or “Personnel Policies and Procedures”.

C.    Right to an Accounting of Disclosures of PHI (45 CFR § 164.528)

Each consumer/employee will have the right to request an accounting of disclosures of PHI, pursuant to Four Rivers’ “Confidentiality Policy”, “Consumer Rights Policy” and/or “Personnel Policies and Procedures”.

D.    Confidential Communications (45 CFR § 164.522(b))

Each consumer/employee will have the right to request confidential communications pursuant to Four Rivers’ “Confidentiality Policy”, “Consumer Rights Policy” and/or “Personnel Policies and Procedures”.

E.     Right of a Consumer/Employee to Request Restrictions of Uses and Disclosures (45 CFR § 164.522(a))

Each consumer/employee will have the right to request restrictions on uses and disclosures of PHI pursuant to Four Rivers’ “Confidentiality Policy”, “Consumer Rights Policy” and/or “Personnel Policies and Procedures”.

VII. SECURITY of INFORMATION (45 CFR Part 142)

A.  General

Four Rivers will protect PHI from unauthorized access, modification, disclosure and destruction.

B.     Information Security Program

An Information Security Program will exist to protect all PHI in the possession of Four Rivers.  The Four Rivers Information Security Program will, at a minimum, address the following areas:

1.   Contingency Planning

Four Rivers will establish and maintain a plan for responding to system emergencies.  This plan will include performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency and recovering from a disaster.  The plan will also include the following features:

·         An application and data criticality analysis;

·         A data backup plan;

·         A disaster recovery plan;

·         An emergency mode operation plan; and

·         Testing and revision procedures.

2.   Processing Records

All information obtained or created by Four Rivers will be appropriately labeled and stored in secured locations.  Only authorized persons will be granted access to such information, pursuant to access procedures adopted by Four Rivers.  PHI will only be used and/or disclosed in accordance with Four Rivers’ “Confidentiality Policy”, more fully addressed in Section V. of this Policy.

3.   Access to PHI and Personnel Security

(a)  General

Four Rivers will control physical and electronic access to PHI.  Each person who is entitled to access information possessed by Four Rivers will be assigned an access level based on their position, role and/or responsibility.

The right to access and to contribute to a consumer’s/employee’s information will be granted to staff on a “need to know” basis if they are, have been or will be involved in that consumer’s services or that staff member’s employment.  In this context, “Staff” includes all clinicians and/or appropriate support staff who participate actively in a consumer’s services or a staff member’s employment, e.g., physicians, psychologists, social workers, nurses, physician assistants, medical assistants, therapists, medical students, direct service staff, service coordinators, case managers and administrative personnel with legitimate business purposes.  All other access is prohibited without the consumer’s/employee’s written authorization, or as otherwise required by law.

Staff may be unexpectedly involved in the emergency care of a consumer/employee.  Provisions must therefore be made to allow such staff to access the consumer’s/employee’s information.  At the same time, such emergency access will be closely monitored to confirm that it was appropriate.

Clinicians who are not employed by Four Rivers may be able to access information about consumers/employees for whom they have responsibility when those consumers receive services, or those staff are employed, at Four Rivers.

Volunteers will not typically have access to PHI, although access to non-clinical information, e.g., demographics, might be appropriate in certain circumstances.

Access to information about certain types of consumers/employees requires special security measures and restrictions because of the sensitive nature of the clinical problem.  Clinically sensitive problems include conditions and treatments on which state or federal law imposes special restrictions.

Examples of such include, but are not limited to:

·         Mental Health Records;

·         HIV test results (Consumer/Employee Authorization is required for EACH release request);

·         Records pertaining to sexually transmitted diseases; and alcohol and drug abuse records that are protected by federal confidentiality rules (42 CFR Part 2).

Other consumers/employees who might require special security measures include people who may generate curiosity, such as victims of crime, celebrities or public figures.

(b)   Electronic Access

Electronic access to PHI will be restricted as follows:

(i)   Access control lists will be maintained, subject to ongoing review and update.

(ii)  An administrative determination of trustworthiness will be made prior to allowing users physical access to sensitive areas.  This will normally include reference and records checks.

(iii) Maintenance personnel should be escorted and supervised in sensitive areas at all times by authorized persons.

(iv) The Systems Administrator will provide initial and ongoing security awareness training for those assigned to sensitive areas.

(v)  The Information Security Subcommittee, or its designee, will review and approve the placement of and physical access to, devices located in any authorized off-campus sites.

(vi) Sensitive areas, such as data facilities, server areas and communications facilities, will have separate control systems to limit access.

(vii) The Systems Administrator will determine security precautions for personal computers, software, documentation and diskettes.  Available precautions may include equipment enclosures, lockable power switches, equipment identification and fasteners to secure the equipment.

(a)  The Systems Administrator will specify the physical access controls based on information security and lock placement standards.

(b)  Persons granted access to sensitive areas or information are responsible for their actions.  Additionally, they are responsible for the actions of others that are, in turn, allowed access using their identification.

(c)  Electronic Media and Hardcopy Protection and Transportation

All electronic media and hardcopy that contain PHI must have access controls.

(i)   Hardcopy of PHI should not be copied indiscriminately or left unattended and open to compromise.

(ii)  Electronic media containing PHI should be placed in confidential envelopes and hand carried by employees, transported by general service couriers or sent through an approved outside carrier.  These outside carriers may include, but are not limited to, the U.S. Postal Service, Federal Express and the United Parcel Service.

(iii) Employees may transport media on campus in any containers deemed appropriate.  Reasonable care should be used, and media should be secured when left unattended.

(iv) Magnetic media containing PHI should be processed to purge any information residing on that media when it is no longer needed on that media format. Degaussing and overwriting are acceptable methods of purging information from magnetic media.

(v)  Only authorized personnel may authorize the shipping and receiving of magnetic media, and appropriate records will be maintained.

(vi) PHI in hardcopy format should be disposed of properly.  This may include shredding finely enough to ensure that the information is unrecoverable.

(d) Information Access Controls

(i)   Access to the Four Rivers network, the Internet and any hardcopy of PHI will be controlled.  The Systems Administrator will implement discretionary access controls.  Each user will have access only to the systems, services and information necessary to accomplish assigned tasks.  Each user will be uniquely identified, and an accepted process will authenticate the user’s identity.  The processes for verification may include unique tokens, card keys, biometric readers or passwords.  Passwords and tokens are the user’s responsibility and may not be shared unless expressly authorized by Four Rivers.  Users will be able to select and change their passwords.  Passwords must be changed at least every ninety (90) days.  Permanent passwords are not permitted.  Passwords will be at least six characters long.  Use of numeric digits and non-alphanumeric characters in passwords is encouraged.  Users should not write down passwords, store them on hardcopy or store them locally on workstations and laptop computers.

(ii)  The Systems Administrator will periodically review user privileges and remove or inactivate accounts when access is no longer required.  The Systems Administrator will determine the necessity of changing locks and recovering card keys, tokens and other access control devices when users terminate employment or when work assignments change.

(iii) The Systems Administrator must implement inactivity time-outs, where technically feasible, for terminals and workstations that access PHI.

(iv) The Systems Administrator will audit attempts to access PHI.  Audits will be conducted when unauthorized access or attempts are identified.  Audit records shall be kept at least six months and the Systems Administrator will periodically review the audit records for evidence of violations or systems misuse.

4.   Internal Audits

Four Rivers will conduct periodic reviews of its security controls, including records of log-ins to the system, access to hardcopy PHI and security incidents.

5.      Media Controls

Four Rivers will establish procedures that govern the receipt and removal of hardware and software into and out of Four Rivers’ locations, and the storage of PHI, including the following:

(a)    Access control

(b)   Accountability

(c)  Data backup

(d) Data storage

(e)  Disposal of media

6.      Workstation Location and Use

Four Rivers will establish procedures that govern secure workstation location and use.

7.      Chain of Trust Partner Agreements

Four Rivers will enter into a Chain of Trust Partner Agreement with all Business Associates with which it exchanges any PHI.

8.      Security Incidents

Four Rivers will implement accurate and current security incident procedures.  All Four Rivers employees will be educated regarding the definition of a security incident and their duty to report them.  All security incidents will be promptly reported to the Security Officer who will investigate the report and take any necessary actions.

9.      Termination Procedures

The Security Officer will make certain that Four Rivers has in place procedures for disabling the access of all persons when they cease to be employed by, or otherwise associated with, Four Rivers.

10.  Training and Awareness

Four Rivers will ensure that all employees and other persons having access to information possessed by Four Rivers receive appropriate security training:

(a)  Security will be described to all new employees.

(b)  Awareness programs will provide instruction on good security practices.

(c)  The Information Security Subcommittee will support specific technical and management training to employees and Business Associates as needed.

11.  Authorization Controls

Four Rivers will have a mechanism ensuring that inter-media are only used by authorized persons.

12.  Data Authentication

Four Rivers will have a mechanism in place for ensuring that information it possesses has not been altered or destroyed in an unauthorized manner.

13. Exceptions to Standards

All exceptions to these standards are to be requested in writing and approved by the Information Security Subcommittee.

14.  Systems Administered by Contractors

(a)  Contracts for system and/or application management must include security, confidentiality and non-disclosure clauses.  These clauses must specify adherence to the information security policies.  Four Rivers’ Information Security Officer or designee will assess the contractor’s security posture.  This assessment may include a site visit.

(b)  Oversight of contractor operations is the responsibility of Four Rivers’ staff.  On-site Four Rivers personnel must be identified to oversee administrative duties performed by non-entity personnel and compliance with security policies and standards.  The Systems Administrator will ensure that checks and balances are in place to control and monitor contractor activities.

15. Violations

Any deviation from Four Rivers’ Information Security Policies and standards is a violation.  Everyone must report instances of noncompliance.  Violations will be reviewed for appropriate disciplinary action in accordance with Four Rivers’ “Personnel Policy”.  Corrective action may include termination of employment or criminal prosecution.

C.  Certification

Four Rivers will establish and maintain a program of technical evaluations to determine the extent to which particular computer systems or network designs and implementations meet Four Rivers’ Information Security Program.  The Information Security Subcommittee will certify the results of these evaluations.

VIII. ADMINISTRATIVE POLICIES

A.    Privacy Officer (45 CFR § 164.530(a))

Four Rivers will appoint a Privacy Officer who will be responsible for the development and implementation of policies and procedures for Four Rivers.  The Privacy Officer’s duties and responsibilities are more completely described in Four Rivers’ “Privacy Officer Job Description.”  Many of the Privacy Officer’s duties, particularly those described in the supporting policies and procedures to this Privacy and Security Policy, may be delegated to designated Four Rivers personnel who can perform those tasks on behalf of the Privacy Officer.

B.     Privacy Office (45 CFR § 164.530(a))

Four Rivers will establish and maintain a Privacy Office, which will be responsible for receiving and handling complaints and providing clarification and further information about matters covered by Four Rivers’ “Notice of Privacy Practices.”

C.    Privacy and Security Training (45 CFR § 164.530(b))

Four Rivers will train all employees to carry out their functions within Four Rivers in strict compliance with HIPAA, other federal and state health privacy laws and Four Rivers’ Privacy and Security Policy and other related policies and procedures.

D.    Security Administration (45 CFR Part 142)

1.   Information Security Subcommittee

A subcommittee of Four Rivers’ Board of Directors (the “Information Security Subcommittee”) will exist to develop and maintain an Information Security Program.  The Information Security Subcommittee will oversee standards, promote awareness and monitor the program to validate its effectiveness.  The Information Security Subcommittee will be comprised of members from the Board and other personnel as appointed by the Board.

2.   Information Security Officer

Four Rivers will appoint an Information Security Officer who will be responsible for implementing and monitoring a data security program, and will report directly to the Information Security Subcommittee.  The Information Security Officer will:

·         Coordinate the development and maintenance of Information Security Policies and standards;

·         Coordinate information security activities with security, internal audit services and information services;

·         Monitor security activities and oversee the application of specified security standards;

·         Assist Four Rivers in assessing its data for classification and advise on available controls;

·         Implement an Information Security Awareness Program to educate all employees and Business Associates of Four Rivers about its Information Security Program;

·         Provide consulting services for information security throughout Four Rivers.

The duties of the Information Security Officer are more fully described in the “Information Security Office Job Description.”

3.   Systems Administrator

Four Rivers will appoint a Systems Administrator who will be responsible for operation and maintenance of information processing services.  The Systems Administrator will:

·         Implement and administer business and information protection controls;

·         Administer access control;

·         Provide backup and recovery of information;

·         Detect and respond to violations and weaknesses;

·         Monitor compliance with information security standards.

E.     Complaints (45 CFR § 164.530(d))

Four Rivers will maintain a process that allows consumers/employees and other persons to make complaints concerning Four Rivers’ Privacy and Security Policy and other related policies and procedures, its compliance with such policies and procedures, and its compliance with federal and state privacy laws.  The process for handling such complaints is further described in Four Rivers’ “Complaint and Appeal Process”, as well as in the “Personnel Policies and Procedures” under the Problem Resolution Procedures section.

F.     Disciplinary Actions (45 CFR § 164.530(e))

Four Rivers will apply appropriate disciplinary actions against employees and Business Associates who fail to comply with Four Rivers’ Privacy and Security Policy and other related policies and procedures.  Applicable sanctions are described in more detail in Four Rivers’ Disciplinary Procedures in the “Personnel Policies and Procedures” manual.

G.    Mitigation (45 CFR § 164.530(f))

Four Rivers will mitigate, to the extent practicable, any harmful effect that is known to Four Rivers resulting from a use or disclosure of PHI in violation of Four Rivers’ Privacy and Security Policy or federal or state privacy laws.  It is the duty of all Four Rivers employees to promptly report any and all violations of this Privacy and Security Policy to the Privacy Office.  The Privacy Office, under the direction of the Privacy Officer, will fully investigate any complaints and mitigate them to the fullest extent practicable.  Any actions taken by the Privacy Officer pursuant to this section shall be fully and accurately documented, with a copy placed in the consumer’s/employee’s file.

H.    Prohibition of Intimidation and Retaliatory Acts (45 CFR § 164.530 (g))

Four Rivers will not intimidate, threaten, coerce, discriminate against or take other retaliatory actions against consumers/employees or other persons who exercise any right established by this Privacy and Security Policy or other federal or state privacy laws; who file a complaint with the Secretary of the Department of Health and Human Services; who testify, assist or participate in an investigation, compliance review, proceeding or other hearing the subject of which is Four Rivers’ Privacy and Security Policy; or who oppose any act or practice made unlawful by federal or state privacy law, provided the person has a good faith belief that the practice opposed is unlawful and the manner of the opposition is reasonable and does not involve a disclosure of PHI or a violation of this Privacy and Security Policy or any other federal or state privacy laws.  Additionally, Four Rivers will not tolerate intimidating or retaliatory acts by employees or any of its Business Associates.

I.       Validation of Authorizations and Requests by Consumers/Employees for Disclosures of PHI (45 CFR § 164.530)

Except as otherwise provided by this Privacy and Security Policy, all authorizations and other requests shall be forwarded to the Privacy Officer, who shall inspect each authorization or other request to ensure that it has been validly executed and is in the appropriate format and on the appropriate forms, and to verify that the person requesting such disclosure is an appropriate person authorized to obtain the information.  Such validation and verification shall be in accordance with Four Rivers’ “Confidentiality Policy”.

J.      Documentation (45 CFR §164.530 (j))

Four Rivers will maintain records pursuant to its “Record Keeping Policy” and “Personnel Policies and Procedures”, which shall include procedures for developing and maintaining consumer/employee files.  Copies of all communications and forms required by Four Rivers’ Privacy and Security Policy and other related policies and procedures will be maintained in the consumer’s/employee’s file.  All such documents shall be maintained for seven (7) years from the date of the document’s creation or the date when the document was last in effect, whichever is later.

K.  Other Related Four Rivers’ Policies

1.      Confidentiality Policy

2.      Record Keeping Policy

3.      Complaint and Appeal Process

4.      Personnel Policies and Procedures

5.      Technology Plan

POLICY REVIEW

This policy may be revised as needed but will be formally reviewed and revised at least every three (3) years.  Input will be solicited in staff meetings.  This input will be submitted to and discussed by the Services Teams.  Finalized recommendations will be submitted to the FRRS Board of Directors for approval.

This policy was adapted from:

© 2002 Krieg DeVault LLP

© 2001 Krieg DeVault LLP, Locke Reynolds LLP

Privacy and Security Policy
Original 4/03             Approved 5/1/03
Revised 4/04              Approved 7/1/04

HIPAA Privacy and Security Policy
Original 2/03             Approved 3//03


PL 104-10, “Health Insurance Portability and Accountability Act of 1996 (HIPAA)”, Federal Register, Rules and Regulations, Department of Health and Human Services, Office of the Secretary, 45 CFR § 164, Standard for Privacy of Individually Identifiable Health Information, August 12, 2002

[1] This Section is based on the proposed HIPAA security regulations.  When final regulations are adopted by DHHS, this Section will likely need to be changed.