Privacy Policy

HIPAA Policy for The Lash Stú

Purpose The purpose of this policy is to establish guidelines for protecting the privacy and security of client information, as required by the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. This policy applies to all employees and contractors of The Lash Stu who have access to protected health information (PHI).

Definitions

• PHI: Any information, whether oral or recorded in any form or medium, that is created or received by The Lash Stu and relates to the health status, provision of health care, or payment for health care that can be used to identify the individual.
• Covered Entity: The Lash Stu, a licensed esthetician providing lash extensions as a service.

Privacy Officer The Lash Stu designates the owner as the Privacy Officer. The Privacy Officer is responsible for implementing and maintaining policies and procedures to ensure compliance with HIPAA regulations.

Use and Disclosure of PHI The Lash Stu may use or disclose PHI only as permitted or required by law or as authorized by the individual. The Lash Stu will not use or disclose PHI for any purpose other than treatment, payment, or healthcare operations without the individual's written authorization. The Lash Stu will take reasonable measures to ensure that PHI is not used or disclosed in violation of HIPAA regulations.

Safeguarding PHI The Lash Stu will take appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. These safeguards include, but are not limited to:

• Password-protecting electronic devices and files that contain PHI.
• Limiting access to PHI to only those employees and contractors who need it to perform their job duties.
• Implementing procedures to prevent unauthorized access to PHI.
• Disposing of PHI in a manner that ensures its confidentiality, such as shredding or securely erasing electronic files.

Breach Notification In the event of a breach of unsecured PHI, The Lash Stu will promptly notify affected individuals, the Department of Health and Human Services (HHS), and, if applicable, the media. Notification will be made within 60 days of discovery of the breach. The Lash Stu will also conduct a risk assessment to determine the likelihood of harm to affected individuals.

Training and Education All employees and contractors of The Lash Stu who have access to PHI will receive training on HIPAA regulations and this policy. Training will be provided on an annual basis or as necessary to ensure compliance with HIPAA regulations.

Enforcement Any employee or contractor of The Lash Stu who violates this policy or HIPAA regulations may be subject to disciplinary action, up to and including termination of employment or contractual relationship.

Policy Review The Lash Stu will review and update this policy on an annual basis or as necessary to ensure compliance with HIPAA regulations.

Acknowledgement of Receipt All employees and contractors of The Lash Stu who have access to PHI will be required to sign an acknowledgement of receipt of this policy.