HIPAA Privacy and Security
Purpose
This policy establishes the requirements for protecting protected health information (PHI)
in compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy
Rule, Security Rule, and Breach Notification Rule.
Protected Health Information
PHI includes any individually identifiable health information created, received, maintained, or
transmitted by High Country Oxygen LLC. This includes patient names, dates of birth,
addresses, phone numbers, Social Security numbers, insurance information, diagnosis codes,
equipment information, and any other information that could identify a patient in connection with
their health care.
Privacy Practices
• Use and disclose PHI only for treatment, payment, and health care operations, or as
otherwise permitted or required by HIPAA.
• Provide patients with a Notice of Privacy Practices at the first service delivery and make a
good faith effort to obtain a written acknowledgment of receipt.
• Consider patient requests for restrictions on use or disclosure of their PHI. A request to
restrict disclosure to a health plan must be honored when it concerns an item or service the
patient has paid for in full out of pocket; other requests may be accepted or declined, but
any restriction agreed to must be followed.
• Provide patients with access to their records within 30 days of the request (one 30-day
extension is permitted if the patient is notified in writing of the reason and the expected
date).
• Apply the minimum necessary standard: access, use, and disclose only the PHI needed to
perform job duties.
• Obtain written patient authorization before using or disclosing PHI for purposes not
permitted by HIPAA.
Security Safeguards
• Administrative: Designate a Privacy/Security Officer, train staff at hire and periodically
thereafter, apply sanctions for violations, and perform a documented risk assessment
annually and after significant changes to systems or workflows.
• Physical: Secure areas containing PHI, control access to workstations and devices, and
dispose of PHI properly (shredding of paper, secure deletion or destruction of electronic
media).
• Technical: Use unique user accounts and role-based access controls for electronic PHI in
NikoHealth, encrypt PHI in electronic transmission and on portable devices and removable
media, maintain and regularly review audit logs, and require strong, unique passwords.
Business Associates
High Country Oxygen LLC shall execute Business Associate Agreements (BAAs) with all
vendors and partners who create, receive, maintain, or transmit PHI on behalf of the company
before any PHI is shared with them. BAAs shall be reviewed periodically and updated when the
services provided, the data flows, or the applicable regulations change.