1. Introduction
AMCC (“we,” “us,” or “our”) is committed to protecting the privacy and security of U.S. patients’ electronic protected health information (e-PHI). This HIPAA Compliance Statement outlines the administrative, physical, and technical safeguards we have implemented to meet all requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the Privacy, Security, and Breach Notification Rules.
2. Scope
This document applies to all AMCC workforce members, contractors, and partners who create, receive, maintain, or transmit e-PHI on behalf of AMCC.
3. Privacy Rule Compliance
Notice of Privacy Practices
We furnish patients with a clear, written Notice of Privacy Practices explaining how their PHI may be used and disclosed, and detailing their HIPAA rights.
Minimum Necessary Standard
We limit all uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose (treatment, payment, healthcare operations).
Patient Rights
Right to access and obtain a copy of their PHI.
Right to request amendments or corrections.
Right to request an accounting of disclosures.
Right to request restrictions on certain uses and disclosures.
Right to receive confidential communications by alternative means or at alternative locations.
4. Security Rule Compliance
4.1 Administrative Safeguards
Risk Analysis & Management: Annual risk assessments to identify and mitigate vulnerabilities to e-PHI.
Policies & Procedures: Documented HIPAA policies covering access management, data backup, incident response, and workforce sanctions. Reviewed and updated yearly.
Workforce Training: Mandatory HIPAA training for all employees and contractors upon hire and annually thereafter; training records maintained.
Incident Response Plan: Defined process for detecting, reporting, containing, and remediating security incidents involving e-PHI.
4.2 Physical Safeguards
Facility Access Controls: Secure server rooms and workspaces with badge access and video monitoring.
Device & Media Controls: Procedures for the receipt, removal, disposal, and re-use of hardware and electronic media containing e-PHI.
4.3 Technical Safeguards
Access Controls: Unique user IDs, strong password requirements, and multi-factor authentication for system access.
Audit Controls: System-generated logs and audit trails record user activity and access to e-PHI.
Integrity Controls: Use of checksums and encryption to detect unauthorized alteration or destruction of e-PHI.
Transmission Security: All e-PHI transmitted over any network is encrypted in transit using TLS 1.2 or higher.
5. Breach Notification Rule
Definition of Breach: Any impermissible use or disclosure of PHI that compromises its security or privacy.
Notification Process:
Individual Notice: Notify affected individuals within 60 days of breach discovery.
HHS Notification: Report breaches to the U.S. Department of Health and Human Services (OCR) on the schedule HIPAA sets according to the number of individuals affected.
Media Notice: For breaches affecting more than 500 residents of a state or jurisdiction, provide notice to prominent media outlets.
Documentation: Maintain records of all breach assessments, notifications, and remediation actions for at least six years.
6. Business Associate Agreements (BAAs)
We require all third-party vendors and service providers who create, receive, maintain, or transmit PHI on our behalf to sign a HIPAA-compliant BAA.
BAAs obligate business associates to implement equivalent privacy and security safeguards and to report any suspected breaches or security incidents immediately.
7. Privacy & Security Officer
Designation: We have appointed a dedicated Privacy & Security Officer responsible for overseeing and enforcing HIPAA compliance.
Responsibilities:
Developing, updating, and enforcing HIPAA policies and procedures
Leading risk assessments and audits
Managing incident response and breach investigations
Coordinating workforce training programs
Serving as the primary contact for HIPAA inquiries and OCR communications
8. Documentation & Record Retention
All HIPAA-related documentation—including policies, procedures, training materials, risk assessments, incident reports, and breach notifications—is retained for a minimum of six years, in accordance with 45 C.F.R. § 164.530(j).
9. Continuous Monitoring & Improvement
We conduct regular internal audits and periodic external reviews to verify compliance.
Lessons learned from audits, incidents, and regulatory updates are integrated into our policies, procedures, and workforce training to ensure ongoing improvement.
Contact Information
For HIPAA questions, to exercise your rights, or to report a possible breach:
Privacy & Security Officer
American Medical Consultation Center (AMCC)
Email: hipaa@amcc-med.org
Phone: +1 (800) 555-0199