We take privacy very seriously. We share a commitment with Covered Entities to protect the privacy and confidentiality of Protected Health Information that we obtain subject to the terms of a Business Associate Agreement and under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including, without limitation, amendments by the Health Information Technology for Economic and Clinical Health (HITECH) Act (collectively, “HIPAA/HITECH”).
- “Business Associate” (“BA”) means an entity that performs functions or activities on behalf of a Covered Entity when those services involve access to, or the use or disclosure of, Protected Health Information.
- “Business Associate Agreement” (“BAA”) means a formal written contract between a BA and a Covered Entity that requires the BA to comply with specific requirements related to PHI.
- “Covered Entity” means a health plan, healthcare provider, or healthcare clearinghouse that must comply with the HIPAA Privacy Rule.
- “Protected Health Information” (“PHI”) means all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information is any information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment, or in relation to the payment for the provision of health care services.
Use and Disclosure of PHI
- We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of performing our obligations under our services agreements to Covered Entities, provided that such use or disclosure is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA/HITECH, including its Privacy Rule or Security Rule as applicable to Business Associates.
- We may use PHI internally for our own internal management, administration, data aggregation and legal obligations, but only to the extent such use of PHI is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA/HITECH, including its Privacy Rule or Security Rule as applicable to Business Associates.
- We may disclose PHI for law enforcement purposes as required by law or in response to a valid subpoena.
- We may disclose PHI to downstream subcontractors or agents that provide supporting services to us; however, we will require such subcontractors and agents to comply with the same terms and conditions that apply to us under the applicable Business Associate Agreement and PHI, including the implementation and maintenance of required safeguards.
Revocation of Your Consent to Use and Disclose PHI
Many permitted uses and disclosures of PHI are only possible with your express consent. You may revoke your consent at any time by sending a written revocation of your consent to the processing of your PHI to us at HIPAA.Privacy@al-enterprise.com. All PHI processed before we receive your revocation of consent will be considered legally processed with your consent. In addition, you may request that all of your PHI be removed from our systems and processes by sending a written request for removal and destruction of all your data to us at HIPAA.Privacy@al-enterprise.com. Upon receipt of your request, we will take all steps necessary to remove all of your PHI completely and permanently unless we are unable to do so for legal, compliance, or other legitimate reasons.
You may request information about:
- The purpose of our use and disclosure of your PHI;
- The legal basis for our use and disclosure of your PHI;
- The categories of PHI and the subject concerned;
- Information on the type or identity of third parties to which your PHI may be disclosed and the protection provided;
- The source of the PHI (if you didn’t provide it directly to us); and
- How long it will be stored.
You have a right to:
- Access your PHI;
- Have inaccurate PHI corrected;
- Request erasure of PHI;
- Restrict the processing of your PHI;
- Object to the processing of your PHI;
- Data portability;
- Opt out of PHI being transferred to a third party, unless there is a legal reason to do so; and
- Opt out of direct marketing.
To exercise your rights, you can write to our HIPAA Compliance Officer at HIPAA.Privacy@al-enterprise.com.
Requests Regarding PHI
Requests for access to your PHI, requests to amend your PHI, or requests for an accounting of disclosures of your PHI shall be in writing to our HIPAA Compliance Officer at HIPAA.Privacy@al-enterprise.com. Initial responses to such requests typically will occur within thirty (30) days of an access request or sixty (60) days in the case of a request for amendment or for an accounting of disclosure. In the event of denial, the response will include an explanation as to why access was denied.
Access to PHI
As provided in the BAA, we will make available to Covered Entities information necessary for Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.
Upon request, we will make our internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of a Covered Entity, available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BAA and HIPAA regulations.
We use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in the BAA. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we create, receive, maintain, or transmit on behalf of a Covered Entity. Such safeguards include:
- Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
- Providing appropriate training for our staff to assure that our staff complies with our security policies;
- Making use of appropriate encryption when transmitting PHI over the Internet;
- Utilizing appropriate storage, backup, disposal, and reuse procedures to protect PHI;
- Utilizing appropriate authentication and access controls to safeguard PHI;
- Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
- Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed.
Mitigation of Harm
In the event of a use or disclosure of PHI that is in violation of the requirements of the BAA, we will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:
- Reporting any use or disclosure of PHI not provided for by the BAA and any security incident of which we become aware to the Covered Entity; and
- Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.
How to Contact Us
ALE USA Inc.
Attention: HIPAA Compliance Officer
26801 W. Agoura Road
Calabasas, CA 91301
Telephone: (747) 388-4468