HIPAA Policy

Little Hearts Lactation HIPAA Privacy and Security Policy
Effective Date: October 1, 2024
Last Revised: April 28, 2025

1. Introduction

At Little Hearts Lactation, we are committed to protecting the privacy and confidentiality of our clients' health information. As a healthcare provider that offers lactation services, we are required by the Health Insurance Portability and Accountability Act (HIPAA) to ensure that all Protected Health Information (PHI) is handled with the utmost care and in compliance with HIPAA regulations.

This policy outlines the practices and procedures that we have implemented to protect the privacy and security of our clients' health information.

2. Purpose

The purpose of this policy is to ensure that:

  • PHI is protected against unauthorized access or disclosure.

  • Our clients’ privacy rights are respected.

  • Our practice complies with HIPAA’s Privacy, Security, and Breach Notification Rules.

3. Definitions

  • Protected Health Information (PHI): Individually identifiable health information, in any form (oral, paper, or electronic), that relates to an individual’s past, present, or future physical or mental health condition, the healthcare services provided to the individual, or payment for those services, and that identifies the individual or could reasonably be used to identify them.

  • Covered Entity: Under HIPAA, a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with HIPAA-covered transactions. Little Hearts Lactation is a covered healthcare provider and must comply with the Privacy, Security, and Breach Notification Rules for PHI.

4. Privacy Practices

  • Access to PHI: Only authorized personnel will have access to PHI. Access to client records will be restricted to the minimum necessary information needed to perform job duties.

  • Client Rights: Clients have the right to:

    • Access their health records upon request.

    • Request corrections to any inaccuracies in their health records.

    • Request that certain uses or disclosures of their PHI be restricted.

  • Confidentiality: All communication about clients' health, including but not limited to discussions with clients, colleagues, and third-party partners, must be confidential. Confidentiality must be maintained at all times.

5. Security Practices

  • Data Encryption: Digital records containing PHI are encrypted both in transit (when sent over a network, including email or telehealth connections) and at rest (when stored on devices or servers).

  • Physical Security: All physical records (if any) containing PHI will be stored in a locked, secure area. Only authorized personnel will have access to this storage.

  • Access Control: Only authorized personnel who have completed HIPAA training will have access to PHI. Every electronic system containing PHI requires user authentication, with a unique user account and password for each individual so that access to PHI can be attributed to a specific person.

  • Workplace Confidentiality: Employees and contractors must avoid discussing any PHI in public spaces where unauthorized individuals may overhear.

6. Use and Disclosure of PHI

  • Permitted Uses and Disclosures: PHI will only be used or disclosed for treatment, payment, or healthcare operations unless the client provides written authorization for another use, or the use or disclosure is otherwise required or permitted by law.

  • Sharing with Business Associates: Any third-party contractors or service providers with access to PHI (such as billing services or electronic health record vendors) will sign a Business Associate Agreement (BAA) to ensure they comply with HIPAA requirements.

  • Marketing and Sale: PHI will not be used for marketing purposes, and will not be sold, without the client’s explicit written authorization.

7. Breach Notification

  • Breach of PHI: In the event of a breach involving PHI, we will follow HIPAA’s breach notification protocols. This includes:

    • Notifying affected individuals without unreasonable delay and in no case later than 60 calendar days after the breach is discovered.

    • Reporting the breach to the Department of Health and Human Services (HHS): a breach affecting 500 or more individuals is reported without unreasonable delay and no later than 60 calendar days after discovery; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

    • Taking appropriate steps to mitigate harm and prevent further breaches.

8. Employee Training

All employees and contractors will undergo HIPAA training before accessing PHI. Training will be refreshed regularly to ensure ongoing compliance with HIPAA privacy and security regulations.

9. Client Consent for Communication

  • Telehealth Services: If lactation consultations or support services are delivered by telehealth, clients will be informed that the telecommunication tools used carry a risk of unauthorized access or interception. We use the most secure methods available to us, but clients should be aware that no remote communication channel is entirely free of risk.

  • Consent for Sharing PHI: If necessary, clients will be asked to sign a Consent Form to allow sharing of their PHI with other healthcare providers or specialists, such as pediatricians, in order to coordinate care effectively.

10. Data Retention and Disposal

  • Retention of PHI: We retain client health records for at least 6 years, or longer where applicable state law or our business needs require it.

  • Disposal of PHI: When PHI is no longer needed, it will be disposed of so that it cannot be read or reconstructed: paper records are shredded, and electronic data is securely erased or the storage media is destroyed.

11. Complaint Process

If a client believes that their privacy rights have been violated or has concerns about how their PHI is being handled, they can:

  • Contact Megan Jones at www.LittleHeartsLactation.com.

  • File a complaint with the Department of Health and Human Services (HHS) by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.

12. Modifications to the Policy

This HIPAA Privacy and Security Policy may be updated periodically. Clients will be notified of any significant changes, and the revised policy will be made available on our website or in our office.

Contact Information

For any questions or concerns regarding this HIPAA Privacy and Security Policy, please contact:
Little Hearts Lactation