
Patient Privacy & Data Handling Policy

Patient Privacy Principles

• Patient information will only be used or disclosed for treatment, payment, or healthcare operations.
• Staff must only access patient records necessary to perform their specific job duties (minimum necessary rule).
• Patient information may not be shared with unauthorized individuals, including family or friends, without written consent.
• Patients have the right to request copies of their medical records and to request corrections if needed.
• Conversations about patient care must occur in private areas and never in public spaces.

Data Handling & Security

• Electronic records must be stored in secure, password-protected systems.
• Paper records must be kept in locked cabinets when not in use.
• PHI (Protected Health Information) transmitted electronically must be encrypted when possible.
• Staff must log off computers and secure mobile devices when not in use.
• Medical records must be retained and destroyed according to Florida retention guidelines (typically 5 years minimum).

Breach & Incident Reporting

Any suspected or actual breach of patient privacy must be reported immediately to the compliance officer. This includes lost/stolen devices, misdirected emails, or unauthorized disclosures. Reports must be made within 24 hours, and patients will be notified in accordance with HIPAA breach notification rules.

Staff Responsibilities & Training

• All staff must complete HIPAA and privacy training upon hire and annually thereafter.
• Employees must sign a confidentiality agreement as a condition of employment.
• Failure to comply with this policy may result in disciplinary action up to and including termination.
