35 Moons

HIPAA Policy

Last updated: 5/5/2025

1. Introduction

35Moons LLC ("we", "us", "our") is committed to ensuring the confidentiality, integrity, and availability of all protected health information (PHI) entrusted to us. This HIPAA Policy outlines our practices for safeguarding PHI in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its subsequent amendments, including the HITECH Act.

2. Scope and Applicability

This policy applies to all our workforce members, including employees, contractors, volunteers, and other personnel who have access to PHI. It also extends to our business associates and their subcontractors who create, receive, maintain, or transmit PHI on our behalf.

3. Protected Health Information (PHI)

3.1. Definition of PHI

PHI refers to individually identifiable health information that is transmitted or maintained in any form or medium, including electronic, paper, or oral formats. This includes:

  • Medical records and health information
  • Demographic information associated with health data
  • Billing and payment information for healthcare services
  • Health plan beneficiary information
  • Any information that can be used to identify an individual in relation to their health status or healthcare

3.2. De-identified Information

Health information that has been de-identified in accordance with HIPAA standards is not subject to the same protections. Information is considered de-identified when all identifiers have been removed and there is no reasonable basis to believe the remaining information can be used to identify an individual.

4. HIPAA Compliance Measures

4.1. Privacy Rule Compliance

We implement policies and procedures to comply with the HIPAA Privacy Rule, which establishes national standards for the protection of PHI. These include:

  • Designating a Privacy Officer responsible for developing and implementing privacy policies
  • Providing privacy training to all workforce members
  • Implementing safeguards to protect the privacy of PHI
  • Establishing procedures for individuals to exercise their rights regarding their PHI

4.2. Security Rule Compliance

We implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI):

  • Risk analysis and management processes
  • Access controls and authentication mechanisms
  • Encryption and decryption of ePHI
  • Audit controls and integrity controls
  • Transmission security measures

4.3. Breach Notification Rule Compliance

We maintain procedures for identifying, assessing, and responding to potential breaches of unsecured PHI. Our breach notification process includes:

  • Prompt investigation of suspected breaches
  • Risk assessment to determine if a breach has occurred
  • Notification to affected individuals, the Department of Health and Human Services, and, when required, the media
  • Documentation of breach incidents and responses

5. Individual Rights

In accordance with HIPAA, we respect and facilitate the following rights for individuals regarding their PHI:

  • Right to access and obtain a copy of their PHI
  • Right to request amendments to their PHI
  • Right to receive an accounting of disclosures of their PHI
  • Right to request restrictions on certain uses and disclosures
  • Right to request confidential communications
  • Right to receive a Notice of Privacy Practices

6. Business Associate Agreements

Before disclosing PHI to a business associate, we obtain satisfactory assurances through a written Business Associate Agreement (BAA) that the business associate will appropriately safeguard the information. All BAAs include the elements required by HIPAA and clearly define the permitted uses and disclosures of PHI.

7. Workforce Training and Management

We provide comprehensive HIPAA training to all workforce members who have access to PHI. This training covers:

  • HIPAA regulations and our related policies and procedures
  • Individual responsibilities for protecting PHI
  • Recognition and reporting of security incidents and breaches
  • Consequences of non-compliance

Training is provided at hire, annually thereafter, and when there are material changes to our HIPAA policies or procedures.

8. Documentation and Record Retention

We maintain all documentation required by HIPAA for a minimum of six years from the date of creation or the date when it was last in effect, whichever is later. This includes:

  • Policies and procedures
  • Training materials and records
  • Business Associate Agreements
  • Risk assessments and security incident reports
  • Breach notifications and related documentation

9. Sanctions for Non-Compliance

We enforce appropriate sanctions against workforce members who fail to comply with our HIPAA policies and procedures. Sanctions are applied consistently and may include:

  • Additional training
  • Verbal or written warnings
  • Suspension of access privileges
  • Termination of employment or contractual relationship

10. Policy Updates and Revisions

We periodically review and update our HIPAA policies and procedures to reflect changes in regulations, technology, business practices, or identified risks. All revisions are documented, and workforce members are informed of and trained on material changes.

11. Contact Information

For questions or concerns about our HIPAA policies or practices, or to report a potential privacy or security incident, please contact our Privacy Officer:

Email: info@35moons.com