MD Hyperbaric HIPAA Policy Pack

01 / Overview

MD Hyperbaric HIPAA Policy Pack

Purpose

This policy pack sets the minimum HIPAA operating standards for MD Hyperbaric and for centers participating in insurance workflows.

The goal is to make the expected behavior clear enough for corporate staff, center managers, and technicians to follow during normal work, patient requests, incidents, downtime, onboarding, offboarding, and vendor review.

These documents are internal draft operational policies for review. They are not legal advice and should be reviewed by qualified counsel before final adoption or external distribution.

Read This First

Role	Start here	Then read
HQ staff	HQ Staff HIPAA Guide	Core policy; incident SOP; patient record request SOP if handling requests
Center managers	Center Manager HIPAA Guide	Core policy; incident SOP; device standard; center checklist
Technicians	Technician HIPAA Guide	Incident SOP; device standard; center checklist
Operations	Core policy	Incident SOP; patient record request SOP; access SOP; training evidence SOP; evidence templates
Technical/security owner	Core policy	Risk assessment brief; access SOP; device standard; backup/DR tabletop packet; vendor register
Leadership/reviewers	MD Hyperbaric HIPAA Policy Pack	Policy review schedule; open implementation items; formal risk assessment drafting brief

Minimum Standard for Participating Centers

Centers participating in insurance workflows are required to follow the minimum MD Hyperbaric HIPAA standards in this pack. Centers may have additional obligations under their own business, franchise, employment, state law, vendor contract, or payer requirements.

The policies recognize that participating centers operate as individual businesses. They still set minimum expectations for PHI handling, workforce behavior, incident escalation, access management, device security, physical safeguards, and evidence cooperation when participating in MD Hyperbaric insurance workflows.

What This Pack Covers

Practical PHI handling rules.
Minimum necessary use and disclosure.
Texting and personal-phone limits.
Incident reporting and breach-response escalation.
Patient record request handling.
Access onboarding, offboarding, shared-account exceptions, and access review.
Device, workstation, personal-phone, physical-security, and network safeguards.
Vendor/BAA inventory, training evidence, logs, and review cadence.
Open implementation items that are not yet fully remediated.

What This Pack Does Not Cover

Legal advice.
A substitute for attorney review of the Notice of Privacy Practices, website privacy policy, sanctions language, or franchise acknowledgement language.
A substitute for signed vendor contracts, BAAs, SOC reports, or security evidence.
A full technical backup manual. Backup and disaster recovery procedures are maintained in MDH Backup and Disaster Recovery Plan.md.
A Part 2/SUD policy. MD Hyperbaric does not currently provide SUD treatment or maintain Part 2 records. This should be revisited only if services or record types change.
A PCI compliance program. Payment-card processing must first be inventoried to determine whether additional PCI work is needed.

Document Map

Area	Documents
Core policy	MD Hyperbaric HIPAA Operating Policy; Formal HIPAA Risk Assessment Drafting Brief
Role guides	HQ Staff HIPAA Guide; Center Manager HIPAA Guide; Technician HIPAA Guide
SOPs	Incident Reporting and Breach Response SOP; Patient Record Request SOP; Access Onboarding and Offboarding SOP; Device, Workstation, and Personal Phone Standard; Center Physical Security and Network Checklist; Backup and Disaster Recovery Tabletop Exercise Packet
Registers and evidence	Vendor and BAA Register Template; Training Evidence SOP; log and review templates
Governance	Policy Review Schedule; Open Implementation Items

Source Anchors

This draft was prepared from the local HIPAA investigation tracker, backup/DR plan, current policy-drafting framework, and current official HHS/eCFR source anchors checked on 2026-05-08.

Primary regulatory anchors:

45 CFR 164.308: administrative safeguards.
45 CFR 164.316: policies, procedures, documentation, six-year retention, availability, and updates.
HHS HIPAA Security Rule summary.
HHS right-of-access guidance.
HHS Breach Notification Rule guidance.
HHS model Notice of Privacy Practices page, including February 2026 Part 2/NPP updates.
HHS HIPAA Security Rule NPRM fact sheet. The NPRM is treated as proposed direction, not final binding rule.

02 / Core Policy

MD Hyperbaric HIPAA Operating Policy

1. Purpose

This policy defines the minimum HIPAA operating standards MD Hyperbaric expects people to follow when creating, receiving, maintaining, using, disclosing, or transmitting protected health information.

2. Scope

This policy applies to:

HQ staff who handle patient, insurance, referral, billing, clinical, technical, vendor, or compliance information.
Center managers and technicians at centers participating in insurance workflows.
Contractors or support personnel who are approved to access MD Hyperbaric PHI or systems.
Work done from offices, centers, homes, mobile devices, laptops, tablets, and vendor-hosted systems.

Centers participating in insurance workflows are required to follow these minimum standards. A center may apply stricter rules.

3. Key Roles

Role	Responsibilities
Leadership	Approves policy adoption, supports remediation, and makes business decisions where risk, cost, franchise obligations, patient notice, insurance, or counsel review is needed.
Operations	Owns day-to-day operational HIPAA procedures, incident intake, patient record request fulfillment, training tracking, location follow-up, and staff communications.
Technical/security owner	Owns technical-security investigation, access-control standards, backup/DR technical evidence, system security review, and technical remediation tracking.
Center managers	Enforce minimum standards at the center level, report incidents, support onboarding/offboarding, supervise local paper/device/physical controls, and ensure technicians follow daily safeguards.
Technicians	Use approved systems and procedures, protect PHI during daily work, avoid informal workarounds, lock workstations, handle paper securely, and report mistakes quickly.
Participating centers	Follow the minimum MD Hyperbaric HIPAA standards for insurance workflows and cooperate with review, training, incident response, access review, and remediation.

4. What Counts as PHI

PHI is individually identifiable health information connected to a patient or prospective patient.

In practical MD Hyperbaric work, PHI can include:

Name, date of birth, phone number, email address, address, insurance details, account number, or identifiers when connected to health care.
Diagnosis, treatment details, clearance status, protocol details, session notes, vitals, outcomes, appointment details, referral details, and medical records.
Screenshots, photos, exports, downloads, spreadsheets, paper forms, emails, texts, portal messages, call notes, and support tickets that include patient-identifying health information.

Treat uncertain information as PHI until Operations or the technical/security owner confirms otherwise.

5. Minimum Necessary Rule

Use, access, disclose, export, print, or share only the minimum PHI needed for the task.

Do:

Access only patients, centers, records, reports, and systems needed for your role.
Share the smallest amount of information needed to complete the work.
Use approved workflows for referrals, insurance, records, scheduling, clinical documentation, and support.
Ask Operations before sending PHI to a new recipient or through a new channel.

Do not:

Browse patient records out of curiosity.
Export or download PHI because it is convenient.
Send full records when a narrower record set will satisfy the request.
Use patient examples in training, screenshots, chats, documents, or support requests unless approved and de-identified.

6. Permitted PHI Handling

PHI may be used or disclosed only for approved work purposes, such as treatment, payment, health care operations, patient record request fulfillment, authorized vendor support, required reporting, or approved compliance activity.

Approved handling must use the least risky available workflow:

Use approved systems and accounts.
Use individual accounts wherever available.
Keep PHI in approved systems rather than local files.
Store paper records securely until uploaded, filed, shredded, or otherwise handled under local procedure.
Keep records, logs, and policy evidence for the required retention period.

7. Prohibited PHI Handling

Do not:

Put PHI into ordinary SMS/text messages except in a genuine emergency when no safer option is available.
Send patient photos, screenshots, records, DOB, diagnosis, insurance details, treatment details, or record extracts through ordinary text.
Use personal email for PHI.
Store PHI in personal cloud drives, personal notes apps, personal messaging apps, or unapproved tools.
Copy PHI into generative AI tools, public websites, or vendor support forms unless the tool and workflow are approved for PHI.
Print, photograph, screenshot, or export PHI without a work need.
Leave paper records, unlocked screens, tablets, laptops, or printed PHI visible to patients, visitors, or unauthorized staff.
Share passwords except under a currently authorized shared-account exception.

8. Texting and Personal Phones

Ordinary SMS/text is not an approved PHI channel.

Center managers may use personal phones only for minimal non-PHI logistics, such as appointment timing or location coordination, unless an emergency requires more. Keep messages short and do not include clinical, insurance, diagnosis, DOB, record, or treatment information.

Technicians should not use personal phones for work PHI. Emergency use must be reported to Operations after the immediate risk is resolved.

If PHI is accidentally sent by text or to the wrong recipient, report it immediately under the incident SOP.

9. Patient Record Requests

Patient record requests must be escalated to Operations.

Operations must:

Verify the requester identity.
Log the request date, requester, records requested, requested format, due date, fulfillment date, method, and notes.
Work toward the general 30-calendar-day HIPAA access timeline.
Use secure delivery by default once an approved secure delivery vendor/workflow is implemented.
Until secure delivery is implemented, avoid routine standard-email delivery of records. If a patient specifically requests standard email after a risk warning, document the request and warning.

Staff should not independently fulfill patient record requests unless Operations assigns the task.

10. Access Management

Access must match role need.

Do:

Request access through the approved onboarding/access process.
Use individual accounts wherever the system supports them.
Use MFA where available or required.
Report access that appears too broad, stale, or inappropriate.
Notify Operations promptly when staff leave, change roles, or no longer need access.

Do not:

Use another person's individual account.
Let another person use your account.
Keep access after your role changes or work ends.
Create informal accounts, shared logins, or local workarounds without approval.

11. Shared-Account Exceptions

Individual accounts are the target state. Shared accounts remain temporary exceptions only where a system or current workflow does not yet support individual accounts.

Shared-account compensating controls:

Limit use to assigned people and assigned workflows.
Keep manager oversight over who is permitted to use the account.
Change the password when staff leave or no longer need access.
Do not use the account outside the assigned center or workflow.
Report suspected misuse immediately.
Track shared accounts in access review until replaced.

Shared accounts are not the desired end state.

12. Device and Workstation Security

Devices used for PHI must meet minimum safeguards:

Managed endpoint protection where deployed.
Full disk encryption where available.
Current security updates and patching.
Screen locks when unattended.
No unattended unlocked workstations.
Lost or stolen device reporting.
Secure storage of laptops, tablets, and paper records.

Do not save PHI locally unless there is a specific approved reason and a secure storage method.

13. Physical Security

Centers must protect PHI from casual viewing, theft, loss, and improper disposal.

Minimum expectations:

Position screens away from patients and visitors.
Use privacy filters where needed.
Lock or supervise devices.
Store tablets/laptops securely overnight.
Keep network equipment in staff-only or locked areas where practical.
Separate staff and guest Wi-Fi where available.
Keep paper records secured until uploaded, shredded, filed, or otherwise handled under procedure.
Do not leave printed PHI at printers, desks, treatment areas, or public spaces.

14. Data Classification

Use these practical classifications:

Classification	Examples	Handling rule
Public	Approved public website copy, published marketing content	May be shared externally after normal approval.
Internal	Internal operating notes without PHI or secrets	Share only with people who need it for MD Hyperbaric work.
Confidential	Contracts, vendor evidence, non-public business information	Keep in approved locations; do not forward casually.
Restricted/PHI	Patient records, insurance, treatment, DOB, diagnosis, clinical notes, identifiable session details	Use only approved systems and workflows; minimum necessary only.
Credential-bearing	Passwords, API keys, service-account keys, database URLs, encrypted export keys	Treat as secret; do not paste into docs, chat, tickets, or email.

15. Retention and Destruction

Retain HIPAA policies, procedures, assessments, logs, incident records, access review records, training records, and other required compliance documentation for at least six years from creation or last effective date, whichever is later, unless counsel or law requires longer.

Paper PHI must be shredded or securely disposed of after upload, filing, or retention requirements are satisfied. Electronic PHI must be deleted or archived only through approved workflows.

Do not independently delete evidence related to incidents, access reviews, requests, audits, or litigation holds.

16. Training

All required workforce groups must complete assigned HIPAA training through the approved HIPAA training portal.

Training evidence should include staff name, course name, completion date, status or certificate, and overdue escalation notes. Do not create a separate annual policy acknowledgement process unless counsel later requires it.

17. Incidents

Report suspected or known incidents immediately to Operations. Technical/security incidents must also involve the technical/security owner.

Examples include:

Wrong patient text or email.
Lost or stolen laptop, tablet, phone, paper record, or credential.
Suspected unauthorized access.
Shared-account misuse.
Malware, ransomware, suspicious login, or vendor breach notice.
Paper PHI left unsecured.
PHI sent through the wrong channel or to the wrong recipient.

Do not delete messages, logs, files, or evidence. Do not self-fix quietly.

18. Vendors and BAAs

Vendors that create, receive, maintain, or transmit PHI must be tracked in the vendor/BAA register.

Before using a new vendor or system for PHI, confirm:

Business owner.
PHI involved.
Access type.
BAA status.
Security or DR evidence needed.
Review cadence.

Vendor names may appear in evidence registers and vendor templates, but staff-facing instructions should stay vendor-neutral unless a specific named workflow is approved for the audience.

19. Sanctions and Corrective Action

MD Hyperbaric may apply corrective action when workforce members fail to follow HIPAA policies or procedures.

Corrective action should be proportionate and may include coaching, retraining, access changes, written corrective action, disciplinary action, or other measures allowed by applicable policy, contract, and law.

Sanctions language should be reviewed by counsel before final adoption.

20. Documentation and Review

This policy pack and related evidence must be:

Written or electronic.
Available to people responsible for implementing the procedures.
Retained for at least six years from creation or last effective date, whichever is later.
Reviewed at least annually and after material operational, system, vendor, regulatory, or incident-driven changes.

21. Regulatory Source Notes

This policy is based on the current HIPAA Security Rule structure, including administrative safeguards, documentation requirements, and contingency-planning expectations. It also reflects HHS right-of-access and breach-notification guidance.

The HHS Security Rule cybersecurity update is currently treated as a notice of proposed rulemaking, not a final binding rule.

03 / Core Policy

Formal HIPAA Risk Assessment Drafting Brief

Source Evidence

Use HIPAA Investigation Findings.md as the primary evidence base. Use related backup/DR, vendor, and evidence files only to confirm implementation status or open gaps.

Do not invent system details. If a system, data flow, owner, control, likelihood, impact, or residual risk cannot be confirmed from local evidence, mark it as unknown or pending evidence.

Do not include PHI, secrets, database URLs, decrypted exports, service-account keys, or patient-level examples.

Assessment Scope

The formal risk assessment should cover systems, workflows, and operational controls that create, receive, maintain, transmit, access, back up, or review ePHI for MD Hyperbaric and centers participating in insurance workflows.

Minimum domains:

Workforce access and shared accounts.
MFA and authentication.
Endpoint, workstation, and mobile-device safeguards.
Clinic network and physical safeguards.
Patient record request handling.
Incident reporting and breach response.
Vendor and BAA management.
Backup, disaster recovery, and emergency mode operation.
Training and sanctions.
Data classification, retention, and destruction.
Payment-card processing inventory only to determine whether separate PCI work is needed.

Finding-to-Risk Mapping

For each open, partial, pending-evidence, or recently closed item in HIPAA Investigation Findings.md, capture:

Field	Guidance
Finding ID	Use the tracker item number or descriptive name.
System/data flow	Identify the affected system, workflow, role, location, or vendor category.
PHI/ePHI involved	Describe the category only; do not include patient examples.
Threat/vulnerability	Describe what could go wrong and why.
Current controls	List verified controls only.
Open gap	State what remains incomplete or unknown.
Likelihood	Low, medium, high, or unknown; explain briefly.
Impact	Low, medium, high, or unknown; explain briefly.
Residual risk	State the remaining risk after current controls.
Owner	Use role titles, not personal names.
Target date	Use a known date or mark pending.
Risk decision	Remediate, accept, transfer, avoid, defer, or pending review.
Evidence	Link to local files or state pending evidence.

Current High-Priority Inputs

The current investigation tracker highlights these high-priority remaining risk areas:

Shared PHI-system accounts and user deprovisioning.
MFA enforcement for PHI-accessing systems and Google Workspace.
Endpoint security, full disk encryption, patching, firewall/network protection, and screen locks.
Workforce HIPAA training and annual refresher process.
Incident reporting and breach-response procedures.
Patient record request handling and secure delivery.
Formal policies and procedures.
Location-level physical security and network checks.
Vendor session and access evidence.
Backup/DR tabletop exercise, paper emergency check-in forms, and cloud organization/BAA cleanup.

Output Structure

Recommended formal risk assessment sections:

Purpose and scope.
Methodology and scoring scale.
Systems and data-flow summary.
Risk register table.
Current controls summary.
Remediation plan.
Accepted/deferred risks.
Evidence index.
Review and update cadence.

Keep the formal assessment separate from staff-facing policies. Staff-facing documents should tell people what to do; the risk assessment should document why the controls and remediation priorities are reasonable.

Review Rules

Use current local evidence, not assumptions.
Mark counsel, vendor, or technical evidence gaps honestly.
Do not claim a control is complete unless evidence shows it.
Treat the Security Rule NPRM as useful direction, not final binding law.
Retain final assessments and updates for at least six years.

04 / Role Guides

HQ Staff HIPAA Guide

Do

Protect PHI, credentials, vendor evidence, contracts, and compliance records.
Use approved systems and approved access methods.
Access only the records, reports, centers, and systems needed for your role.
Share only the minimum PHI needed for the task.
Escalate suspected incidents to Operations immediately.
Escalate technical or security issues to the technical/security owner.
Use the approved HIPAA training portal for required training.
Support vendor/BAA evidence collection, policy review, access review, and training evidence when assigned.
Store documents containing PHI or confidential information only in approved locations.
Report lost devices, suspicious access, wrong-recipient messages, credential exposure, or vendor breach notices immediately.

Do Not

Export, download, email, or text PHI unless the workflow is approved.
Put PHI into ordinary SMS/text, personal email, personal cloud storage, unapproved chat tools, generative AI tools, or public websites.
Use another person's account or let anyone else use your account.
Create informal workarounds for patient records, insurance documents, referrals, billing data, or clinical details.
Delete or alter incident evidence, access records, logs, messages, or files after a suspected issue.
Name patients or include patient-level examples in training, support, or internal documentation unless the information has been approved and de-identified.

Report

Report these immediately to Operations:

Wrong patient email or text.
PHI sent to the wrong person.
Lost or stolen device.
Suspicious login or access.
Shared-account misuse.
Vendor breach notice.
Patient record request.
Paper PHI left unsecured.
Any situation where you are unsure whether PHI was exposed.

For technical/security issues, include the technical/security owner after reporting to Operations.

05 / Role Guides

Center Manager HIPAA Guide

Do

Enforce the minimum MD Hyperbaric HIPAA standards for insurance workflows.
Use approved systems and approved access methods.
Keep PHI out of ordinary SMS/text except in a genuine emergency.
Use personal phones only for minimal non-PHI logistics unless an emergency requires otherwise.
Report incidents, lost devices, wrong-patient messages, suspicious access, shared-account concerns, and paper-record issues to Operations immediately.
Escalate patient record requests to Operations.
Make sure technicians lock screens, handle paper securely, and avoid informal workarounds.
Support onboarding, offboarding, access review, and training completion.
Keep devices, screens, paper records, printers, and network equipment protected from patients, visitors, and unauthorized people.
Cooperate with location reviews and corrective actions.

Do Not

Text patient photos, screenshots, DOB, diagnosis, insurance details, treatment details, records, or clinical details.
Ask technicians to use personal phones for PHI.
Leave shared accounts unmanaged.
Ignore staff departure, role change, or access changes.
Leave paper PHI visible or unsecured.
Let staff use another person's individual account.
Delete messages, paper records, or other evidence after a suspected incident.

Daily Checks

Screens are locked when unattended.
Patient-facing areas do not expose screens or paper PHI.
Paper records are secured, uploaded, filed, shredded, or otherwise handled under local procedure.
Tablets and laptops are supervised or secured.
Staff know how to report an incident.
Staff are using only approved access methods.

Report

Report quickly even if the issue seems small. Delayed reporting creates more risk than early escalation.

Examples:

A patient text includes PHI.
A message goes to the wrong person.
A device is missing.
A staff member leaves and still has access.
A shared password may have been misused.
A printer, folder, tablet, laptop, or form with PHI is left unsecured.

06 / Role Guides

Technician HIPAA Guide

Do

Use only approved systems, accounts, and access methods.
Access only the patient information needed for your assigned work.
Lock the screen every time you step away.
Keep paper records secure while you are using them.
Upload, file, shred, or store paper records according to local procedure.
Ask the center manager or Operations if you are unsure how to handle PHI.
Report mistakes quickly.
Report lost devices, wrong-patient messages, suspicious access, unlocked devices, or paper PHI left unsecured.

Do Not

Text or email PHI.
Use a personal phone for PHI except in a genuine emergency.
Take patient photos or screenshots unless specifically approved for the workflow.
Share passwords beyond currently authorized shared-account workflows.
Use another person's individual account.
Leave a workstation, laptop, tablet, or paper record unattended.
Discuss patient details where patients, visitors, or unauthorized people can hear.
Put PHI into personal notes, personal email, personal cloud storage, unapproved chat tools, or AI tools.

If Something Goes Wrong

Report it immediately to the center manager or Operations.

Do not:

Delete the message.
Throw away the form.
Close the issue quietly.
Try to decide by yourself whether it is a reportable breach.

Fast reporting helps MD Hyperbaric protect the patient, document what happened, and fix the problem.

07 / Operational SOPs

Incident Reporting and Breach Response SOP

Purpose

This SOP gives the team a clear path when something goes wrong with PHI, credentials, systems, devices, paper records, vendors, or access.

Fast reporting is required. Staff should not decide alone whether an event is a breach.

What Counts as an Incident

Report any event that may involve unauthorized access, use, disclosure, loss, alteration, destruction, or unavailability of PHI or systems that hold PHI.

Examples:

Wrong patient text or email.
PHI sent to the wrong recipient.
Lost or stolen laptop, tablet, phone, paper record, or credential.
Unattended unlocked workstation with PHI visible.
Shared-account concern or suspected misuse.
Suspicious login, suspicious access, malware, ransomware, phishing, or credential exposure.
Vendor breach notice or suspicious vendor activity.
Paper record left unsecured.
PHI placed in ordinary SMS/text, personal email, unapproved app, or unapproved AI tool.
Inability to access critical systems during an outage.

Immediate Staff Steps

Stop the exposure if you can do so without destroying evidence.
Report first to Operations.
If the issue is technical or security-related, involve the technical/security owner.
Preserve evidence.
Do not delete messages, logs, files, screenshots, paper records, or emails.
Do not contact the patient, vendor, or recipient with legal conclusions unless Operations directs you.
Do not try to self-fix quietly.

Operations Intake Steps

Operations should capture:

Date and time reported.
Reporter.
Location or team.
Incident type.
What happened.
PHI involved, if known.
People or systems involved.
Immediate containment steps.
Whether technical/security investigation is needed.
Whether breach assessment is needed.
Assigned owner.
Next action and due date.

Use Incident Log Template for the log fields.

Technical/Security Investigation

The technical/security owner should assist when the incident involves:

Suspicious login or unauthorized access.
Device loss or compromise.
Malware, ransomware, phishing, or credential exposure.
Shared-account misuse.
System logs, access logs, audit logs, or vendor technical evidence.
Backup/DR activation.
Data export, download, deletion, or alteration.

Technical investigation should preserve logs and avoid production-impacting actions unless needed to contain active risk.

Breach Assessment

Operations and the technical/security owner should determine whether a breach assessment is needed. Counsel should review breach determinations and notice language.

Use the HHS four-factor assessment framework when applicable:

Factor	Questions
Nature and extent of PHI	What PHI was involved? Was it sensitive, clinical, financial, identifying, or broad in scope?
Unauthorized person	Who received or accessed it? Were they obligated to protect it?
Acquisition or viewing	Was the PHI actually viewed, acquired, downloaded, copied, or used?
Mitigation	Was the risk reduced, such as by confirmed deletion, return, access revocation, or recipient assurance?

The assessment must be documented. Do not assume a low probability of compromise without evidence.

Notification Escalation Points

Breach notification deadlines are legal escalation points, not staff-facing legal analysis.

If a breach of unsecured PHI may have occurred, escalate promptly for counsel and leadership review. Notification decisions should address affected individuals, HHS, media, state law, vendors, payers, and contractual obligations where applicable.

Corrective Action

Corrective action may include coaching, retraining, access changes, workflow change, disciplinary action, or other appropriate measures. Keep sanctions language general until reviewed by counsel.

Short Incident Report Form

Field	Entry
Incident ID
Report date/time
Reporter
Location/team
Incident type
What happened
PHI involved
Systems/devices/accounts involved
Immediate containment
Evidence preserved
Assigned owner
Breach assessment needed
Corrective action
Closure date

Retain incident records for at least six years.

08 / Operational SOPs

Patient Record Request SOP

Purpose

This SOP replaces ad hoc patient record request handling with a controlled process.

Requests currently arrive by email, and a secure/encrypted delivery vendor or workflow is not yet implemented. That gap is tracked in Open Implementation Items.

General Rule

Patient record requests must be routed to Operations. Staff should not independently fulfill requests unless Operations assigns the task.

HIPAA right-of-access requests generally must be handled within 30 calendar days. If a request cannot be fulfilled within that period, escalate for review before the deadline.

Intake Steps

Record the request date.
Identify the requester.
Identify the patient.
Determine whether the requester is the patient, personal representative, authorized recipient, or another party.
Verify identity using reasonable safeguards.
Record the records requested.
Record the requested form, format, and delivery method.
Calculate the due date.
Assign an Operations owner.
Log the request using Patient Record Request Log Template.

Identity Verification

Use safeguards proportionate to the sensitivity of the records and the request channel.

Do:

Verify enough information to be comfortable the requester is authorized.
Use existing approved contact information where practical.
Document what verification was completed.
Escalate uncertain requests before disclosure.

Do not:

Send records to a new address or recipient without verifying authorization.
Over-collect identity documents when a less intrusive verification method is sufficient.
Fulfill a request from a third party without confirming authority.

Fulfillment

Operations should:

Provide only the records requested unless a broader disclosure is authorized and appropriate.
Use the requested form and format if readily producible.
Use secure delivery by default once the secure delivery workflow is implemented.
Document fulfillment date, method, and notes.
Keep copies of request and fulfillment evidence according to retention requirements.

Interim Standard-Email Handling

Standard email delivery of records should not be routine while a secure/encrypted delivery workflow remains open.

If a patient specifically requests standard email after a risk warning, document the request and warning before sending.

Draft interim warning language for counsel review:

Standard email may not be encrypted or secure. If you ask MD Hyperbaric to send your records by standard email, there is a risk that your information could be read by someone other than you while it is being sent. By choosing standard email after this warning, you accept that risk for this request.

Document:

Date/time warning was given.
Who gave the warning.
Patient/requester confirmation that standard email is still requested.
Email address to be used.
Records sent.
Fulfillment date/time.

Denials, Delays, and Special Requests

Do not deny, delay, or narrow a patient record request without escalation. Denial grounds and legal language should be reviewed by counsel.

Escalate:

Requests from attorneys, insurers, government agencies, or unknown third parties.
Requests involving minor, deceased, or representative status questions.
Requests asking for correction, amendment, restriction, or accounting.
Requests where identity cannot be verified.
Requests likely to miss the 30-calendar-day timeline.

Request Log Fields

Use the request log template, at minimum:

Request ID.
Request date.
Patient/requester.
Identity verified.
Records requested.
Requested delivery method.
Due date.
Fulfilled date.
Fulfillment method.
Risk warning documented if standard email requested.
Notes.

Retain request records for at least six years unless counsel requires longer.

09 / Operational SOPs

Access Onboarding and Offboarding SOP

Purpose

This SOP creates a repeatable access lifecycle for people who need access to systems, accounts, records, or workflows that involve PHI.

Access Principles

Access must be role-based and minimum necessary.
Individual accounts are the target state wherever supported.
Shared accounts are temporary exceptions, not the desired end state.
MFA must be used where available or required.
Access must be removed promptly when no longer needed.
Access must be reviewed periodically.

New User Access Request

Before access is granted, document:

User name.
Role.
Center/team.
Manager or business approver.
Systems or workflows requested.
Reason access is needed.
PHI or confidential information involved.
MFA requirement.
Shared-account exception, if any.
Start date.

Approval

Access should be approved by the relevant manager or business owner. Technical/security owner review is required for privileged access, broad access, admin access, access to multiple centers, or unusual requests.

Do not grant access based only on informal chat, convenience, or historical practice.

Provisioning Checklist

Step	Complete
Role and center/team confirmed
Business approval documented
Individual account created where supported
MFA enabled where available/required
Shared-account exception documented if needed
Training assigned if required before access
Access limited to approved scope
User told not to share credentials
Access log updated

Shared-Account Exception Controls

Where a shared account still exists:

Limit use to assigned users.
Limit use to assigned center/workflow.
Keep manager oversight over who may use the account.
Change the password when staff leave or no longer need access.
Do not reuse passwords across systems.
Report suspected misuse immediately.
Include the account in periodic access review.
Track migration to individual accounts as an open remediation item.

Role Change

When a person changes role, center, team, or workflow:

Review current access.
Remove access no longer needed.
Add only newly approved access.
Update the access log.
Confirm shared-account permissions still match the role.

Offboarding

Offboarding applies to resignation, termination, contractor end, role ending, center transfer, or any other reason access is no longer needed.

Complete promptly:

Step	Complete
End date/time confirmed
Individual accounts disabled or removed
Shared-account passwords changed if applicable
MFA/session tokens revoked where available
Devices returned or secured where applicable
Local files, paper records, and PHI returned or secured
Email, storage, and group access reviewed
Vendor/system access removed where applicable
Access log updated
Manager confirms completion

Periodic Access Review

Perform access review at least quarterly or on another documented periodic cadence.

Review:

Active users.
Role and center/team.
Whether access is still needed.
Shared-account exceptions.
MFA status where available.
Admin or broad access.
Staff departure or role-change mismatches.
Actions required and completion dates.

Use Access Review Log Template.

10 / Operational SOPs

Device, Workstation, and Personal Phone Standard

Purpose

This standard sets minimum safeguards for devices and workstations used to access, create, receive, maintain, or transmit PHI.

Minimum Device Safeguards

Devices used for PHI should have:

Managed endpoint protection where deployed.
Full disk encryption where supported.
Current operating system and security updates.
Screen lock timeout.
Strong authentication.
MFA for systems where available or required.
Secure storage when not in use.
Lost/stolen device reporting.

Endpoint security rollout remains an open implementation item until confirmed complete.

Workstation Rules

Do:

Lock the screen before stepping away.
Position screens so patients, visitors, and unauthorized people cannot view PHI.
Use privacy filters where needed.
Keep printed PHI away from public areas.
Log out of systems at the end of the day or when required by workflow.
Report malware, suspicious popups, unexpected login prompts, or device loss.

Do not:

Leave an unlocked workstation unattended.
Save PHI locally unless approved.
Use unapproved USB drives or removable media for PHI.
Photograph or screenshot PHI without an approved reason.
Let another person use your individual login.

Personal Phones

Personal phones are not approved PHI storage or transmission tools.

Center managers may use personal phones for minimal non-PHI logistics unless an emergency requires otherwise.

Technicians should not use personal phones for PHI or work records except in a genuine emergency.

Do not put these in ordinary SMS/text:

Patient photos.
Screenshots.
Records.
DOB.
Diagnosis.
Insurance details.
Treatment details.
Session details.
Any other identifiable clinical or insurance information.

If emergency PHI use occurs on a personal phone, report it to Operations after the immediate risk is resolved so it can be documented and mitigated.

Lost or Stolen Device

Report lost or stolen devices immediately if they may contain, access, or be logged into systems involving PHI.

Report:

Device type.
Owner/user.
Last known location.
Whether it was locked.
Whether it had disk encryption.
Systems it could access.
Whether any PHI was stored locally.
Time discovered missing.

Quick Checklist

Check	Yes/No/Notes
Device has endpoint protection where deployed
Device has disk encryption where supported
Updates are current
Screen locks automatically
User locks screen when stepping away
No local PHI unless approved
No ordinary SMS/text PHI
Lost/stolen device reporting understood

11 / Operational SOPs

Center Physical Security and Network Checklist

Purpose

This checklist helps center managers and Operations review location-level safeguards for PHI, devices, paper records, workstations, printers, and network setup.

Use one checklist per location review.

Review Information

Field	Entry
Location
Review date
Reviewer
Center manager
Follow-up owner
Next review due

Workstation and Screen Placement

Check	Status/notes
Screens are not visible to patients or public areas
Privacy filters are used where screen position creates risk
Workstations lock when unattended
Staff understand screen-lock expectations
Treatment areas do not expose PHI casually

Devices

Check	Status/notes
Laptops/tablets are supervised during the day
Laptops/tablets are secured overnight
Shared devices have approved access controls
Lost/stolen device reporting is understood
No PHI is stored locally unless approved

Paper Records

Check	Status/notes
Paper records are not left visible to patients/public
Paper records are securely stored when not in use
Upload, filing, shredding, or other local procedure is followed
Shred bins or secure disposal are available where needed
Paper emergency forms are available or tracked as an open item

Printer and Copier Handling

Check	Status/notes
Printed PHI is collected promptly
Printer/copier area is not public-facing
Misprints are shredded or securely disposed of
Staff know not to leave PHI at printer/copier

Network and Wi-Fi

Check	Status/notes
Network equipment is locked, supervised, or in staff-only space where practical
Staff and guest Wi-Fi are separated where available
Shared building Wi-Fi risk is identified for Operations review
Default router/network credentials are not used where MD Hyperbaric controls the equipment
Unknown network devices or unusual access issues are reported

Corrective Actions

Finding	Risk	Corrective action	Owner	Due date	Closure date

Retain completed checklists and corrective-action evidence for at least six years.

12 / Operational SOPs

Backup and Disaster Recovery Tabletop Exercise Packet

Purpose

This packet exercises the existing backup and disaster recovery plan without rewriting it.

Use MDH Backup and Disaster Recovery Plan.md as the source of truth for backup systems, recovery procedures, criticality tiers, RTO/RPO targets, and remaining DR items.

Exercise Frequency

Run a tabletop exercise at least quarterly until the first exercise is complete and the process is stable, then follow the review cadence in the backup/DR plan.

Also run an exercise after material system, vendor, infrastructure, regulatory, or incident-driven changes.

Attendees

Recommended attendees:

Technical/security owner.
Operations.
Leadership as needed.
Center manager if the scenario affects a specific location.
Vendor or external support only if needed for the scenario.

Scenario Options

Choose one scenario per exercise:

Scenario	Focus
Ransomware or malware	Incident escalation, isolation, backups, communication, downtime PHI handling.
Cloud outage	Critical system prioritization, vendor communication, fallback procedures.
Data corruption	Clean backup identification, validation, recovery decision-making.
Clinic internet outage	Center downtime process, paper records, delayed entry, secure storage.
Vendor outage	Vendor status monitoring, alternate workflows, patient communication.
Lost device with PHI access	Device response, access revocation, breach assessment, documentation.

Exercise Steps

Select scenario.
Name facilitator and note taker.
Confirm systems and workflows affected.
Walk through detection and initial reporting.
Decide whether incident and breach procedures run in parallel.
Identify recovery priorities by criticality tier.
Identify backup source or vendor recovery path.
Decide emergency mode operations.
Identify communication needs.
Capture gaps, decisions, owners, and due dates.

Evidence to Capture

Field	Entry
Exercise ID
Date
Scenario
Attendees
Facilitator
Systems/workflows affected
Decisions made
Gaps found
Action items
Owners
Due dates
Closure evidence

Specific Open Items to Test

Include these until closed:

Paper emergency check-in forms.
Downtime paper handling and post-restoration data entry.
Cloud organization/BAA cleanup awareness.
Backup evidence and restore-drill evidence maintenance.
Incident response coordination during technical recovery.

Debrief Questions

Did everyone know who to notify first?
Were RTO/RPO targets understood?
Was the backup source or vendor recovery path clear?
Were paper fallback steps realistic?
Did anyone suggest an insecure workaround?
Were communication responsibilities clear?
What evidence would be available in an audit?
What action items need owners and due dates?

Retain completed exercise packets for at least six years.

13 / Registers & Evidence

Vendor and BAA Register Template

Purpose

Maintain a living list of vendors and services that create, receive, maintain, access, or transmit PHI for MD Hyperbaric or centers participating in insurance workflows.

This is an evidence register, not a narrative policy. Vendor and system names may be used here.

Known Evidence Examples to Start From

Review local evidence files before populating:

HighLevel_BAA_Signed.pdf
WebPT_BAA_Signed.pdf
WebPT_SOC2_HIPAA_Report_2025.pdf
vercel-baa-dr-evidence-2026-05-08.md
MDH Backup and Disaster Recovery Plan.md
Backup implementation evidence files

Register

Vendor/service category	PHI involved	Access type	BAA status	Security/DR evidence on file	Last review date	Notes/open items
WebPT	Clinical record/vendor-managed EMR data	Vendor-managed system	BAA on file	BAA and SOC 2/HIPAA report on file		Confirm session/access evidence remains pending in investigation tracker.
HighLevel / GoHighLevel	Contact, lead, communications, and workflow data where PHI is present	Vendor-managed system	BAA on file	BAA on file		Request/retain DR evidence during annual vendor review.
Vercel	Hosting infrastructure for apps; primary data lives in backing systems	Platform hosting	HIPAA BAA coverage documented	`vercel-baa-dr-evidence-2026-05-08.md`	2026-05-08	Reassess after plan, team, logging, support, or PHI-routing changes.
Google Cloud	Cloud infrastructure, backups, datasets, logs, and storage where PHI/ePHI is present	Cloud platform	Interim BAA status; corporate account cleanup open	Backup/DR docs and evidence files		Project migration and corporate BAA replacement remain open.
Neon	PostgreSQL databases containing patient/workflow data	Database platform	BAA/platform controls documented in backup evidence	`neon-backup-plan.md`		Maintain annual review and backup evidence.
Firebase / Firestore	Staff/admin and patient identity records; portal/session records	Identity/database platform	Covered under Google Cloud context as applicable	`firebase-backup-plan.md`; restore drill evidence	2026-05-08	Maintain backup evidence and MFA remediation tracking.
Payment processor(s)	Payment data; PHI exposure depends on local workflow	Payment processing	Pending inventory	Pending		Populate after location payment flows are inventoried.
Other PHI vendor/service

Review Instructions

For each vendor:

Confirm whether PHI is created, received, maintained, transmitted, or accessed.
Confirm business owner.
Confirm BAA status.
Retain security, privacy, SOC, DR, or backup evidence where applicable.
Note open evidence gaps.
Set next review date.
Escalate vendors with PHI but no BAA or unclear security posture.

Retain vendor review evidence for at least six years.

14 / Registers & Evidence

Training Evidence SOP

Purpose

This SOP documents that the approved HIPAA training portal is the system of record for HIPAA training completion.

Do not create a separate annual policy acknowledgement process unless counsel later requires it.

Required Groups

Training should be assigned to:

HQ staff who handle PHI, credentials, patient, insurance, clinical, vendor, or compliance workflows.
Center managers at centers participating in insurance workflows.
Technicians at centers participating in insurance workflows.
Contractors or support personnel with approved PHI access.
Technical/security owner and other system/data handlers who require role-specific technical or security training.

Cadence

New workforce members: assign training during onboarding or before PHI access where practical.
Annual refresher: assign through the approved HIPAA training portal.
Material change: assign targeted refresher training after material policy, workflow, system, incident, or regulatory changes where needed.
Incident follow-up: assign retraining when appropriate as corrective action.

Evidence to Retain

The approved HIPAA training portal should retain:

Staff name.
Role or group.
Course name.
Assignment date.
Completion date.
Status.
Certificate or completion evidence.
Overdue status and escalation notes.

Overdue Escalation

Operations should periodically review portal completion status.

For overdue training:

Send reminder.
Notify manager or center manager.
Escalate persistent overdue status to leadership or the appropriate business owner.
Consider access restriction for users who require training before PHI access.
Document action taken.

Records Retention

Retain training records for at least six years unless counsel requires longer.

15 / Registers & Evidence

Incident Log Template

Use this table to track reported incidents, investigation status, breach assessment need, outcomes, and corrective action.

Incident ID	Report date/time	Reporter	Location	Incident type	PHI involved	Immediate action	Assigned owner	Breach assessment needed	Outcome	Closure date	Corrective action/sanctions if applicable

Notes

Do not include unnecessary patient-level details in this log.
Link or reference secure evidence locations instead of pasting PHI.
Retain incident documentation for at least six years.

16 / Registers & Evidence

Patient Record Request Log Template

Use this table to track patient record requests and fulfillment.

Request ID	Request date	Patient/requester	Identity verified	Records requested	Requested delivery method	Due date	Fulfilled date	Fulfillment method	Risk warning documented if standard email requested	Notes

Notes

Avoid unnecessary patient-level detail in the log.
Store request documents and fulfillment evidence in an approved secure location.
Use the patient record request SOP before fulfilling requests.
Retain request documentation for at least six years unless counsel requires longer.

17 / Registers & Evidence

Access Review Log Template

Use this table for quarterly or periodic access reviews.

Review date	Center/team	Reviewer	Account/user	Role	Access still needed	Shared account exception	MFA enabled if available	Action required	Completion date

Notes

Include individual accounts, shared-account exceptions, admin access, and broad access.
Use role titles rather than personal commentary in findings.
Retain access review records for at least six years.

18 / Registers & Evidence

Location Review Log Template

Use this table to track location physical security, network, paper handling, and corrective-action reviews.

Location	Review date	Reviewer	Physical security findings	Network findings	Paper handling findings	Corrective actions	Owner	Due date	Closure date

Notes

Use the center physical security and network checklist for detailed review.
Retain location review records for at least six years.

19 / Registers & Evidence

Payment Card Processing Inventory Template

Purpose

Document payment processing flows enough to answer insurance and PCI-scope questions without creating an unnecessary PCI policy.

Do not draft a PCI compliance program unless the inventory shows MD Hyperbaric stores, processes, or transmits card data directly outside a compliant third-party processor.

Inventory

Location	Payment methods accepted	Payment processor/terminal category	Whether card numbers are seen by staff	Whether card numbers are stored by MD Hyperbaric	Whether payments are taken by phone	Who owns follow-up	Open PCI/security questions

Instructions

For each location:

Identify how payments are taken.
Identify whether staff see full card numbers.
Identify whether card numbers are written down, stored, emailed, texted, photographed, or entered into any MD Hyperbaric-controlled system.
Identify whether phone payments occur.
Identify the payment processor or terminal category.
Note open questions for follow-up.

Keep this inventory separate from HIPAA staff-facing policies unless the payment workflow creates PHI handling risk.

20 / Review & Governance

Policy Review Schedule

Purpose

Define how the HIPAA policy pack is reviewed, updated, retained, and escalated for counsel review.

Review Cadence

Trigger	Required action
Annual review	Review the full policy pack, open implementation items, evidence templates, and source trackers.
Material operational change	Review affected policies, SOPs, role guides, and training content.
Material system or vendor change	Review access, vendor, data handling, backup/DR, and incident procedures.
Material regulatory change	Review affected policy language and counsel checkpoints.
Security incident or breach assessment	Review affected policies, SOPs, training, access controls, and corrective actions.
Audit, payer, insurer, or franchise review request	Confirm policy/evidence pack is current before sharing.

Review Owners

Area	Owner
Operational procedures	Operations
Technical security controls	Technical/security owner
Training evidence	Operations
Access review	Operations with technical/security support
Vendor/BAA evidence	Operations with technical/security support
Backup/DR evidence	Technical/security owner
Location reviews	Operations with center manager support
Legal/counsel checkpoints	Leadership with qualified counsel

Counsel Review Checkpoints

Counsel should review before final adoption or external distribution:

Franchise acknowledgement language.
Notice of Privacy Practices and website privacy policy language.
Sanctions and corrective-action language.
Patient record request denial, delay, and risk-warning language.
Breach notification determinations and notice language.
Any state-law or franchise-specific privacy obligations.

Documentation Retention

Retain policies, procedures, updates, assessments, logs, evidence registers, incident records, training records, request records, access reviews, and review notes for at least six years from creation or last effective date, whichever is later, unless counsel requires longer.

Review Log

Review date	Reviewer role	Documents reviewed	Changes made	Open follow-up	Next review due

21 / Review & Governance

Open Implementation Items

Purpose

This tracker keeps the policy pack honest by separating current requirements from items that are not yet fully implemented.

Open gaps should be centralized here unless people need an operational instruction.

Open Items

Item	Current status	Owner role	Related policy/SOP/evidence	Notes
Encrypted email/secure delivery vendor for patient records	Open	Operations	Patient record request SOP; request log	Standard email should not be routine. If a patient specifically requests standard email after risk warning, document the request and warning.
Shared accounts and individual-account migration	Open	Operations with technical/security owner	Core policy; access SOP; access review log	Shared accounts are temporary exceptions with compensating controls.
Password policy and MFA enforcement	Partial/open where not yet implemented	Technical/security owner	Core policy; access SOP; access review log	Password policy is updated where documented, but MFA remains open for PHI-accessing systems and Google Workspace.
Endpoint security rollout	Open/confirming	Technical/security owner with Operations	Device standard	Confirm managed endpoint protection, disk encryption, patching, firewall/network protection, and screen locks for clinic devices.
Clinic network checks	Open	Operations with center managers	Center physical security and network checklist; location review log	Confirm Wi-Fi separation where available and shared building Wi-Fi risk.
Location physical security checks	Open	Operations with center managers	Center checklist; location review log	Review screen visibility, privacy filters, device storage, paper handling, printers, and network equipment.
HIPAA training rollout	In progress	Operations	Training evidence SOP	Approved HIPAA training portal is the evidence system of record.
Incident reporting process adoption	Open until trained/adopted	Operations	Incident SOP; incident log	Draft exists in this pack; adoption/training evidence still needed.
Patient record request process adoption	Open until secure delivery and log process are implemented	Operations	Patient record request SOP; request log	Interim standard-email warning language is draft for counsel review.
Vendor PHI inventory and BAA register	Open	Operations with technical/security owner	Vendor/BAA register	Known vendor evidence exists, but full PHI vendor inventory still needs completion.
Formal HIPAA risk assessment	Open	Technical/security owner with Operations	Formal risk assessment drafting brief	Use `HIPAA Investigation Findings.md` as source evidence.
Backup/DR tabletop exercise	Open	Technical/security owner with Operations and leadership	Backup/DR tabletop packet	Technical backup controls are substantially complete; tabletop exercise remains open.
Paper emergency check-in forms	Open	Operations	Backup/DR tabletop packet; center checklist	Prepare, distribute, and document storage/post-restoration data entry process.
Cyber liability insurance	Business/governance decision	Leadership	This tracker only	Do not draft a policy; handle as risk transfer/business decision.
Payment-card processing documentation	Open	Operations	Payment card inventory	Inventory location payment flows before deciding whether PCI work is needed.
Franchise acknowledgement/legal wording	Open counsel checkpoint	Leadership with counsel	Policy review schedule	Review before final adoption or franchise distribution.

Closed Technical Backup Context

The current investigation tracker says known technical backup implementation for MDH-controlled systems is substantially complete as of 2026-05-08. Remaining backup/DR implementation items tracked here are:

Tabletop exercise.
Paper emergency check-in forms.

Do not rewrite the backup/DR plan here. Use MDH Backup and Disaster Recovery Plan.md.