HIPPA NOTICE OF PRIVACY PRACTICES
The purpose of this policy is to govern the use and disclosure of Premier Orthopaedics & Sports Medicine’s (the ‘Practice’) patients’ Protected Health Information in accordance with federal and state laws, including the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (‘HITECH’) Act of 2009, and any current and future regulations promulgated thereunder (collectively ‘HIPAA’).
It is the policy of the Practice to protect the privacy of the Practice’s patients’ health information in accordance with federal and state laws, including HIPAA. Accordingly, the Practice shall only use or disclose patients’ Protected Health Information (defined below) if such use or disclosure is allowed under this Policy, which is designed to ensure all use and disclosure of Protected Health Information meets the requirements of the law.
Compliance by Practice employees with this Policy is mandatory. Adherence to this Policy is a condition of employment for every Practice employee. Violations of this Policy may result in disciplinary measures up to and including the termination of employment.
1. ‘HIPAA’ means the Health Insurance Portability and Accountability Act of 1996 and the regulations and guidance promulgated thereunder, as amended from time to time.
2. ‘HITECH Act’ means the Health Information Technology for Economic and Clinical Health (‘HITECH’) Act and any rules, regulations and guidance issued pursuant thereto. The HITECH Act, HIPAA, and all rules, regulations and guidance issued pursuant to HIPAA and the HITECH Act are collectively referred to herein as ‘HIPAA’ unless otherwise indicated.
3. ‘Electronic Medical Record’ or ‘EMR’ means a computerized, digital version of a patient’s Medical Record. Ideally, an Electronic Medical Record should be stored in a centralized computer system with security safeguards and multiple data backups (also referred to as an electronic health record).
4. ‘Medical Record’ means that part of a patient’s health record that is made by physicians and other health care providers and is a written or transcribed history of various illnesses or injuries requiring medical care, inoculations, allergies, treatments, prognosis, and frequently health information about parents, siblings, occupation, and military service. All Medical Records include Protected Health Information of the patient.
5. ‘Practice’ means Premier Orthopaedics & Sports Medicine
6. ‘Protected Health Information’ and ‘PHI’ mean A subset of health information, including demographic information collected from an individual, that: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and could identify the individual whether transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI in an electronic format is also referred to as ‘EPHI.’
7. ‘Retaliation’ means any adverse action taken in response to a Practice employee’s good faith inquiry or disclosure to Practice management or any other individual or governmental authority in connection with potential non-compliance with this Policy and/or the use or disclosure of Practice patients’ PHI. Retaliation does not include investigation into the complainant’s participation in the identified misconduct or violation of this Policy.
8. ‘Breach’ with respect to PHI means the unauthorized acquisition, access, use or disclosure of ‘unsecured’ PHI, unless the Practice demonstrates that there is a low probability that the PHI has been compromised.
Exceptions: the following situations do not constitute a ‘Breach’:
‘ Unintentional acquisition or access of PHI by an employee or individual acting under the authority of the Practice or a business associate of the Practice, if acquisition was in good faith and within the scope of authority and does not result in further disclosure;
‘ Inadvertent disclosure of PHI from an authorized person at the Practice to another person at the Practice who did not have reason to use or access that particular PHI but is generally authorized to access PHI at the Practice; and
‘ An unauthorized disclosure in which an unauthorized person to whom PHI is disclosed would not reasonably have been able to retain the information.
9. ‘Unsecured PHI’ means PHI that is not secured (i.e., rendered unusable or unreadable to unauthorized persons) through the use of a technology or methodology deemed acceptable under the Guidance issued by the Secretary of the Department of Health & Human Services. If ‘secured’ PHI is acquired, accessed, used or disclosed to an unauthorized party, the disclosure does not constitute a breach.
1. Designation of Privacy Officer. The Practice shall designate an individual as the Privacy Officer, who shall be responsible for overseeing the safeguarding of Practice patients’ PHI consistent with this Policy. The duties of the Privacy Officer shall include: (i) developing and conducting training programs for Practice employees regarding this Policy and the appropriate use and disclosure of patients’ PHI; (ii) responding to questions from Practice employees and contractors concerning this Policy and the use and disclosure of patients’ PHI; (iii) receiving and investigating complaints regarding the Practice’s use and disclosure of patients’ PHI or in connection with the Practice’s Notice of Privacy Practices; (iv) investigating and correcting violations of this Policy; and (v) ensuring the Practice complies with all federal and state notification requirements in the event of an unauthorized disclosure and/or a Breach.
2. General Employee Responsibilities. All Practice employees are responsible for safeguarding the privacy of Practice patients’ PHI. In addition to any specific responsibilities listed in a Practice employee’s job description, each Practice employee must:
a) Use and disclose PHI only as authorized in their job description or as authorized by his/her supervisor;
b) Conduct oral discussions of patients’ PHI with other Practice employees and/or with patients and family members in a manner that limits the possibility of inadvertent disclosures;
c) Complete all privacy related compliance training required by the Practice;
d) Report suspected violations of a contractor’s contractual obligations to safeguard Practice patients’ PHI to the Privacy Officer; and
e) Report suspected violations of this Policy by Practice employees to the Privacy Officer.
3. Notice of Privacy Practices. The Practice will provide each patient a Notice of Privacy Practices in the form attached hereto as Exhibit A at the time of his/her first office visit to the Practice, and have each patient sign an acknowledgment that he/she received the Notice of Privacy Practices. In the event that a patient does not receive a Notice of Privacy Practices at the time of his/her first visit, the Practice shall mail a copy of the Notice of Privacy Practices to the patient on the same day it is determined that he/she did not receive such Notice. If the Practice has such patient’s email address, and the patient has authorized the Practice to communicate with him/her via email, the Practice may email the Notice to the patient. The Practice shall make available and prominently display copies of the Notice of Privacy Practices in the Practice’s waiting room on or nearby the receptionist’s desk. If the Practice maintains a website, the Notice of Privacy Practices shall be available on the Practice’s website.
4. Minimum Necessary Disclosure. All uses and disclosures of PHI will be limited to the minimum amount necessary to accomplish the stated purpose of such use and/or disclosure. Professional judgment will determine the amount of information to be released. The minimum necessary standard is not intended to impede the provision of quality health care. Disclosures of PHI between providers for treatment, payment and health care operations, or pursuant to an authorization are exempt from the minimum necessary rule. NOTE, however, if a patient pays the Practice out of pocket and in full for services provided by the Practice, the Practice may not disclose that information to the patient’s insurer or other payor if the patient specifically requests the Practice not do so.
5. Authorization Form. Except as otherwise provided in this Policy, the Practice shall only release a patient’s PHI in accordance with a properly executed authorization form ent in the form attached hereto as Exhibit B (‘Authorization Form’). The Authorization Form must include the specific PHI to be disclosed, to whom such PHI may be disclosed, the date the Authorization Form is executed, and an expiration date for the authorization. It is important that each item on the Authorization Form is completed. A patient may revoke his/her authorization to use or disclose PHI at any time, provided that the revocation is in writing except to the extent that the Practice has already taken action in reliance on the authorization. Once a patient has revoked his/her authorization, the Practice shall take all reasonable steps necessary to ensure that there are no further disclosures of such patients’ PHI.
6. Patient Access to Medical Records. Patients have the right to inspect and receive copies of his/her medical records. If a patient would like to inspect or copy his/her medical record, the Practice shall provide the patient with a Patient Access to Medical Record Request Form in the form attached hereto as Exhibit C (the ‘Request Form’). The Practice may charge for the copying of the record, including charges for supplies, labor, and postage, and the patient should be notified of and agree to such charges in advance. Charges shall not exceed the amount permitted under state and federal law. Under certain circumstances the Practice has the right to deny a patient’s request to inspect and copy their medical record. This denial must be in writing and explain why the request has been denied. There are several circumstances when the denial may not be appealed, including: (i) psychotherapy notes; (ii) information compiled in reasonable anticipation of or for use in a civil, criminal, or administrative action proceeding; (iii) PHI maintained by the Practice subject to Clinical Laboratory Improvements Amendments (‘CLIA’) (to the extent access to an individual would be prohibited by law); (iv) PHI regarding an inmate at a correctional facility; (v) in research situations, if the patient was advised prior to the study; and (vi) if the information was obtained from someone other than a health care provider and access would compromise an individual providing information under a promise of confidentiality. The patient can appeal a denial and has the right to request review by another licensed health professional designated by the Practice who was not a part of the original decision to deny access under the following circumstances: (i) if a licensed health care professional determines that the requested access would endanger the life or physical safety of the patient or another person; (ii) if the record makes reference to another person and the licensed health professional believes the access could cause substantial harm to that person; or (iii) the request for access was made by patient’s personal representative and the licensed professional believes it could cause harm to that patient or another person. The Practice must respond to the patient within thirty (30) days of the Practice’s receipt of the request. If the Practice is unable to make a determination regarding access within the 30 day period, the Practice may extend the time to respond to the request by 30 days by informing the patient within 30 days of the patient’s request of the need for an extension and the reason for such extention.
7. Accounting of Disclosures. The Practice shall provide a patient, upon such patient’s written request, with an accounting of disclosures of his/her PHI made by the Practice over the previous six (6) years. The accounting must include the date of disclosure, the name and address of the entity or person who received the PHI, a brief description of the PHI disclosed, and a brief statement of purpose for the disclosure. The patient is allowed one accounting per year at no charge. If a patient requests more than one accounting in a given year, the Practice may charge the patient for this service, provided he/she is informed of the approximate charge in advance. The Practice shall respond to a written request for an accounting within sixty (60) days of receipt of the written request.
The Practice does not have to list disclosures of patients’ PHI if the PHI was: (i) used to provide patient care, to obtain payment for services or for healthcare operations; (ii) provided directly to the patient; (iii) provided to Practice employees responsible for the patient’s care; (iv) provided to proper authorities for national security or intelligence purposes; (v) used as part of a limited data set in accordance with a data use agreement; (vi) provided pursuant to a patient authorization; or (vii) accessed prior to the implementation of this Policy. However, if the Practice adopts an EMR, the Practice must include in the accounting disclosures made for treatment, payment for services and for the provision of healthcare operations and the accounting shall date back three (3) years or to the date the EMR was obtained or as otherwise specified by HIPAA regulations and guidance. The Practice shall retain documentation of any accounting provided to a patient.
8. Medical Record Amendment. Any patient may request that his/her medical record be changed, corrected, or amended. This request must be in writing and must include the reason for the desired change, amendment, or correction. The Practice may accept or deny this request at the discretion of the patient’s primary physician, and shall inform the patient in writing of the decision within sixty (60) days of receipt of the request including rationale for denial of the request, if denied, and instructions regarding how the individual may submit a written statement of his/her disagreement with the Practice’s decision. If the patient submits a statement of disagreement (‘Statement’), the Practice may provide a rebuttal in writing. All documentation relating to the patient’s request to amend his/her medical record shall be appended to the patient’s medical record, including the Statement and written rebuttal. If the Practice agrees to amend the patient’s medical record and the patient requests that the Practice provide the amended information to parties that previously received the PHI, the Practice will make reasonable effort to inform those parties. If the amendment to patient’s request was denied, and the patient did not submit a Statement, the Practice is only required to include the patients request for amendment in future releases of PHI if the patient so requests, and the patient asks the Practice to include his/her request in his/her medical record this denial letter must also be included in future PHI disclosures. If the patient submitted a Statement, all documentation related to the request for amendment must be included in future PHI disclosures.
9. Confidentiality. All employees, staff, contractors, and agents of the Practice will be trained to respect the health care information of our patients. They will treat all medical, personal, biometric, and financial information as confidential. All employees, staff, contractors, and agents of the Practice will receive confidentiality training and sign confidentiality agreements in the form attached hereto as Exhibit D.
10. Restriction of Use or Disclosure of PHI. A patient has the right to request that the use and disclosure of his/her PHI be restricted for treatment, payment and health care operations, and to restrict disclosure of PHIto certain people such as family members. The restriction request must be in writing, be specific as to what information is covered by the request, whether the restrictions cover use, disclosure or both, and to whom the restrictions apply. The Practice does not have to agree to such requests to restrict the use and disclosure of PHI from patients. Notwithstanding, if the Practice agrees to the request, it must honor the request unless overriding federal or state laws or medical emergencies apply. The agreement to restrict PHI use and/or disclosure to treatment, payment, or health care operations may be terminated at any time by the patient or by the Practice for health information created or received after the date the individual provides notice of termination of the restriction.
11. Right to Confidential Communications. Patients may request to receive confidential communications of their PHI from the Practice. A patient may request that communications from the Practice be sent to an alternate location or by an alternate means. The Practice shall accommodate reasonable requests for such confidential communications. The patient is not required to give a reason for this request.
12. Voicemail and Email Messages for Patients.
a) Voicemail Messages ‘ Patient Identification. Practice employees shall only leave voicemail messages or messages for a Practice patient if: (1) the voicemail system clearly identifies the appropriate patient or the appropriate patient’s authorized representative by either repeating the correct telephone number given by the patient or mentioning the patient’s or the patient’s authorized representative’s name in the recorded greeting, and (2) the patient has not requested any restrictions regarding contacting them or leaving voicemail messages.
b) Voicemail Messages ‘ Minimum Information Necessary. When leaving a voicemail message for a Practice patient, Practice employees shall not disclose or mention any unnecessary information regarding the patient’s PHI. Practice employees should only leave voicemail messages that include the following information: (1) the name of the Practice; and (2) the name and telephone number of person to contact at the Practice. Practice employees may not leave specific information on a voicemail message or any other message regarding diagnosis or treatment information such as lab test results or the name and/or mechanics of a past or future surgical procedure.
c) Email Messages ‘ Email Address Verification. Practice employees and contractors may not send communications that include PHI to patients via email unless the Practice has: (1) received the patient’s email address in writing from the patient; (2) the patient has not requested that the Practice refrain from sending communications that include PHI to the patient via email; and (3) the patient has sent an email request to the Practice with the same email address listed in the patient’s record.
d) Email Messages ‘ Minimum Information Necessary. When sending an email message to a Practice patient, Practice employees shall not disclose or mention any unnecessary information regarding the patient’s PHI. Practice employees must not send specific information in an email message regarding diagnosis or treatment information such as lab test results or the name and/or mechanics of a past or future surgical procedure, unless: (1) the Practice has received authorization to communicate via email with the patient by providing his/her email in writing; and (2) the patient has requested the information in this format or has otherwise been informed that the information will be sent via email.
13. Contracting with Third Parties that may Receive Practice Patients’ PHI. Any third party that may receive Practice patients’ PHI pursuant to a proposed agreement with the Practice must agree to comply with this Policy, including agreeing to the terms of a ‘Business Associate Agreement’ in the form attached hereto as Exhibit E, or otherwise in a form approved by the Privacy Officer.
14. Investigation and Correction of Contractual Breaches.
a) When the Privacy Officer is notified that a contractor has violated a contractual provision related to the use and disclosure of patients’ PHI, he or she must implement the following procedure to correct the violation.
i. The Privacy Officer will contact the contractor and determine whether a contractual provision has been violated.
ii. If a contract provision has been violated, the Privacy Officer will identify steps to be taken by the contractor that will enable the contractor to comply with its contractual obligations.
iii. The Privacy Officer will review the corrective action steps with the contractor and determine whether those steps or other measures suggested by the contractor will correct the violation.
iv. The Privacy Officer will monitor the implementation of the corrective action measures by periodically contacting the contractor to inquire about such corrective actions. The Privacy Officer may discontinue monitoring the contractor after receiving adequate assurances that the corrective measures have been implemented and that the contract provisions will be complied with in the future.
b) If it is not possible to develop an acceptable corrective action plan, the Privacy Officer shall implement the procedures established to terminate the contract, if possible, including the underlying service agreement.
15. Medical Records. Medical Records are to be kept confidential, and are not to be accessed, read, copied or transcribed by any unauthorized person. Medical Records can only be accessed by authorized Practice employees if there is a clear treatment or business purpose to do so.
a) Medical Records should not be left unattended or otherwise available in an area where unauthorized person may be present. Paper Medical Records are to be placed back into the chart rack or other filing system in a timely matter, and should be filed at the end of the work day unless such Medical Records are pulled for the following day’s appointments, are in a physician’s office awaiting dictation or signatures, or are in use for payment/insurance purposes. Any Medical Records that have been pulled for such purposes should be secured at the end of each work day.
b) All Practice computers that store EMRs must have the ability to be locked and password protected. Practice employees’ passwords should be changed periodically. Practice employees must not leave their computer screens unattended in a manner that could allow an unauthorized person such as a patient or vendor representative to view or otherwise access patients’ EMRs or other PHI.
c) At the end of each work day, a Practice employee should be tasked to walk through the building including unlocked physician offices, nursing stations and the business office to check for Medical Records that have been left out or in unsecured areas where unauthorized persons will be during the night or weekend. The Practice employee should also ensure that no computer is unlocked or otherwise left in a manner that could allow unauthorized persons to access Electronic Medical Records.
d) Any Medical Records being printed or otherwise received via facsimilie (‘fax’) should be printed out face down, and should be removed from the printer or fax machine in a timely manner.
e) When sending any portion of a Medical Record via fax, Practice employees must use their best efforts to eliminate errors and from sending patients’ PHI to unauthorized persons. Commonly dialed fax numbers should be entered into the device’s memory. When fax numbers are initially programmed, a test sheet to each addressee asking confirmation of accurate transmission was received should be sent. When a fax that includes PHI is sent, the cover sheet must be completed including the date and time, the sender’s initials or name, and the patient’s name. The cover sheet of the fax shall be filed in a binder, and the patient’s Medical Record should document the date, time, information transmitted and the name of the recipient, and the initials of the sender.
f) During off hours, Medical Records should be stored in a safe and secure location such as a locked credenza or file cabinet, and all Practice computers storing Electronic Medical Records should be turned off, locked and/or password protected.
16. Reporting Unauthorized Uses and Disclosures. Practice staff has an obligation to report any activity that appears to violate applicable Privacy Laws, this Policy, other Practice policies, procedures or standards of conduct involving PHI and/or privacy. The Practice understands that mistakes happen. It is important that mistakes that result in an unauthorized disclosure of PHI are reported so that the Practice can promptly respond and limit any potential harm that could occur as a result. All reports of unauthorized acquisition, access, uses or disclosures of PHI or failure to comply with this Policy and/or the Privacy Laws shall be promptly reported to the Privacy Officer.
Reporting Loss/Theft of Devices Containing EPHI. In the event that a smart phone, tablet, computer, flash drive or other device containing PHI of Practice patients is lost or stolen, whether or not the device is Practice property, staff must promptly contact the Privacy Officer to report the incident. The Practice may take measures to delete information on the device remotely and/or other measures to decrease further dissemination of the information. As a condition of employment or doing business with the Practice, staff and contractors are required to report such loss or theft. Failure to report such incidents and/or otherwise comply with this Policy shall be cause for disciplinary action, including termination of employment of relationship with the Practice.
17. Determination of Breach & Mitigation of Risks.
a) Unauthorized Use or Disclosure versus Breach: As soon as reasonably practicable after learning of an unauthorized use or disclosure of PHI, the Privacy Officer shall conduct a risk assessment to assess the probability that the PHI has been compromised which shall include, at a minimum, the following information:
i. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
ii. The unauthorized person who used the PHI or to whom the disclosure was made;
iii. Whether the PHI was actually acquired or viewed; and
iv. The extent to which the risk to the PHI has been mitigated.
If the Privacy Officer determines that there is more than a low probability that the PHI was compromised, the Privacy may determine that the Disclosure/Use amounts to a Breach requiring a report be submitted to the Department of Health & Human Services.
b) Mitigation Plan: The Privacy Officer will develop and implement a plan to mitigate any known or reasonably anticipated harmful effects from any unauthorized acquisition, access, use or disclosure (the ‘Mitigation Plan’). The Mitigation Plan shall be tailored to the circumstances, but may include as appropriate, the following elements:
i. Identifying the source(s) of the disclosure and taking appropriate corrective action.
ii. Contacting the recipient of the information that was the subject of the unauthorized acquisition, access, use or disclosure and requesting that such recipient either destroy or return the information and instructing such recipient to make no further uses or disclosures of such information.
iii. Depending on the circumstances, notifying the individual whose PHI was the subject of the unauthorized acquisition, access, use or disclosure. Notify the Practice that provided the Practice with the PHI in order to carry out functions on its behalf.
iv. Evaluating actions to mitigate risks associated with potential identity theft, to the extent applicable; and taking steps to implement appropriate actions.
v. Reviewing, and correcting where appropriate, any Practice policy or procedure that caused or contributed to the unauthorized acquisition, access, use or disclosure.
vi. Evaluating whether steps could be taken to improve security or to otherwise help to prevent similar unauthorized acquisition, access, use or disclosure and taking steps to implement appropriate steps.
vii. Report the incident to Human Resources as applicable for appropriate disciplinary action.
viii. In the event that the unauthorized acquisition, access, use or disclosure was made by a Business Associate, the Privacy Officer with input from others shall determine the appropriate steps to mitigate the harmful effects of the unauthorized acquisition, access, use or disclosure and whether such disclosure warrants termination of such Business Associate’s contract.
18. Breach Notification Requirements
a) Notification of the Individual. The Individual whose PHI was Breached must be notified of the event within 60 days of discovering the Breach. Notification to the individual must be in writing, in plain language, and sent by first class mail at the last known address of the individual (notice may be by electronic mail if the individual previously consented to communication via email).
i. Contents of Notice. Notice must include:
‘ A brief description of the cause of the breach including date of breach and date of discovery;
‘ A description of the types of PHI involved in the breach (for example, name, social security number, date of birth, etc.);
‘ Any steps the individual should take to protect him/herself from potential harm;
‘ A description of what Practice is doing to investigate the breach, mitigate the harm, and to protect against future breaches;
‘ Contact procedures to ask questions, get information and must include a toll-free number, email address, postal address or website.
ii. Individual is a Minor/Lacks Capacity. Notice may be sent to the parent or personal representative.
iii. Individual is Deceased. Notice may be sent to the next of kin or the personal representative (a person who has the authority to act on behalf of the decedent or the decedent’s estate).
iv. Substitute Notice if Insufficient Contact Information or Notices Returned. If the Practice has out of date contact information to provide notice to individuals of the Breach, the Practice must provide substitute notice. The method for providing substitute notice differs depending upon the number of individuals involved but must always be reasonably calculated to reach the individuals.
‘ If fewer than 10 people requiring substitute notice, such notice may be provided by alternative written communication (email, even if no consent allowing use of electronic communications), phone, or other means.
‘ If 10 or more individuals require substitute notice, Practice must have a toll-free number active for 90 days for individuals to learn more information, and the substitute notice, shall be made by either:
‘ Conspicuous posting on Practice’s website homepage for a period of 90 days which either lists all the information required to be included in an individual written notice or a link to a notice statement that includes this information; or
‘ In major print broadcast media in the geographic areas where the individuals are likely to reside. The notice must be conspicuous and continue for a duration reasonably calculated to reach the individuals.
b) Notification of the Secretary of the Department of Health & Human Services (‘Secretary’) of Breach. The Privacy Officer shall submit the following reports to the Secretary:
i. Less than 500 Individuals. All events occurring throughout the calendar year that involve the breach of 499 or less individuals’ PHI shall be reported to the Secretary annually. The report shall be submitted no later than 60 days after the end of each calendar year.
ii. 500 or More Individuals. Any single event resulting in the breach of 500 or more individuals must be reported to the Secretary as promptly as possible or concurrent with any report to the individuals whose PHI was breached which, in no event, shall be later than 60 calendar days following the discovery of the breach. This report is in addition to any reports sent to the individual.
c) Media. Notice must be provided to prominent media outlets serving a State or jurisdiction, within 60 days following the discovery of a breach if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been breached. The notification must include the same information required for individual notice.
19. Protection of Whistleblowers. No Retaliation shall be taken against any Practice employee who reports a suspected violation of this Policy to Practice management or who reports a suspected a violation of privacy laws and regulations to any governmental authority.
20. Employee Orientation and Training. Each Practice employee will receive training on the requirements of this Policy during orientation, specifically including training on (i) the daily use of Medical Records and Electronic Medical Records; (ii) being discreet when discussing a patient’s PHI in an area where unauthorized persons may be present; (iii) the prohibition on Retaliation taken against any Practice employee who reports a suspected violation of this Policy or of federal or state law. Practice employees must be informed that if they have any questions relating to this Policy or how information can be appropriated accessed, used and to whom it can be released, such employees should ask the Privacy Officer. Upon completion of the training on this Policy at orientation, each Practice employee must sign a written acknowledgment agreeing that he/she has read and understands this Policy and has received training on its requirements in the form attached hereto as Exhibit F. In addition to the training received during orientation, Practice employees may be required to attend additional training on this Policy or any changes to existing laws and regulations as determined by the Privacy Officer, and to participate in ongoing training no less than every two years.