Mangohick Volunteer Fire Department Inc. (MVFD)

Privacy and Health Information (HIPAA) Policy

Effective Date: 05/24/2025

Last Reviewed: 05/24/2025

1. Introduction and Purpose

Mangohick Volunteer Fire Department Inc. ("MVFD," "we," "us," or "our") is committed to protecting the privacy and security of personal information and Protected Health Information (PHI) that we may collect, use, or encounter in the course of our operations, including emergency response, training, and administrative activities.

This Policy outlines our practices concerning the collection, use, disclosure, and protection of such information in compliance with applicable federal laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and relevant Virginia state laws.

This Policy applies to all MVFD members (volunteers and any paid staff), contractors, and other individuals who may have access to personal information or PHI through their association with MVFD.

2. Definitions

• Personal Information (PI): Any information that can be used to identify an individual, such as name, address, phone number, email address, date of birth, etc., that is not considered PHI.

• Protected Health Information (PHI): Individually identifiable health information that is transmitted or maintained in any form or medium (electronic, paper, or oral) by a "Covered Entity" or its "Business Associate." This includes information related to an individual's past, present, or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

• Covered Entity: Under HIPAA, this typically includes health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically. While MVFD's primary role is emergency response, we handle PHI and operate in a manner consistent with HIPAA's privacy and security principles, particularly if we provide emergency medical services (EMS) and transmit information that could classify us as a healthcare provider under certain circumstances.

• Business Associate: A person or entity that performs certain functions or activities on behalf of, or provides certain services to, a Covered Entity that involve the use or disclosure of PHI.

• Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

• Use: The sharing, employment, application, utilization, examination, or analysis of PHI within an entity that maintains such information.

• Breach: The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information.

3. General Privacy Policy (Non-PHI Personal Information)

This section applies to Personal Information collected by MVFD that is not PHI.

3.1. Information We Collect

MVFD may collect Personal Information for various purposes, including but not limited to:

• Volunteer and membership applications (name, contact details, background information).

• Donations and fundraising (name, contact details, payment information – processed through secure means).

• Community engagement and event registration.

• Website usage (e.g., IP addresses, cookies if applicable – see Section 3.5).

• Communications with the public.

3.2. How We Use Personal Information

We use Personal Information for purposes such as:

• Managing volunteer and membership records.

• Processing donations and acknowledging supporters.

• Communicating with our members and the community.

• Organizing and managing events.

• Internal record-keeping and administrative purposes.

• Complying with legal and regulatory obligations.

3.3. How We Share Personal Information

MVFD does not sell Personal Information. We may share Personal Information only in the following circumstances:

• With Consent: When we have explicit consent to do so.

• Service Providers: With trusted third-party service providers who assist us in our operations (e.g., payment processors, database management), under contractual agreements that require them to protect the information.

• Legal Requirements: If required by law, subpoena, court order, or other legal process, or to protect the rights, property, or safety of MVFD, its members, or the public.

• Emergency Situations: To appropriate authorities in emergency situations to protect an individual's vital interests.

3.4. Data Security for Personal Information

MVFD implements reasonable administrative, physical, and technical safeguards to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.

3.5. Website Privacy and Cookies

If MVFD maintains a website:

• We may collect non-personally identifiable information through cookies or similar technologies to enhance user experience and analyze website traffic.

• Users may be able to control cookie settings through their browser.

• Any Personal Information collected through our website (e.g., contact forms, donation portals) will be handled in accordance with this Policy.

4. HIPAA Compliance and Protected Health Information (PHI)

MVFD personnel, in the course of providing emergency medical services or other assistance, may create, receive, maintain, or transmit PHI. MVFD is committed to protecting the privacy and security of this PHI in accordance with HIPAA and relevant Virginia laws.

4.1. MVFD's Role Regarding PHI

As a provider of emergency medical services, MVFD may be considered a healthcare provider and thus a Covered Entity under HIPAA, or may act in a capacity that requires adherence to HIPAA standards for any PHI it handles. Regardless of formal classification, MVFD is committed to upholding the principles of HIPAA for all PHI encountered.

4.2. Uses and Disclosures of PHI

MVFD will use and disclose PHI only as permitted or required by HIPAA and Virginia law.

• For Treatment: We may use and disclose PHI to provide, coordinate, or manage emergency medical treatment and other services. For example, we may share PHI with other emergency responders, hospitals, or healthcare providers involved in an individual's care.

• For Payment: If applicable (e.g., if MVFD bills for EMS transport), we may use and disclose PHI to obtain payment for services rendered. This may include disclosures to insurance companies or billing services.

• For Health Care Operations: If applicable, we may use and disclose PHI for our internal operations, such as quality assessment, training of personnel, and other administrative activities necessary to run MVFD and ensure quality care.

• As Required by Law: We will disclose PHI when required to do so by federal, state, or local law (e.g., reporting abuse, neglect, or domestic violence; responding to court orders or subpoenas).

• Public Health Activities: We may disclose PHI for public health purposes, such as reporting to public health authorities for disease control, injury prevention, or in connection with FDA-regulated products.

• Law Enforcement Purposes: We may disclose PHI to law enforcement officials in certain circumstances, such as to report a crime on our premises, in response to a warrant, or to identify or locate a suspect, fugitive, material witness, or missing person (subject to applicable legal requirements).

• Emergency Situations: We may use or disclose PHI in emergency situations to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

• Coroners, Medical Examiners, Funeral Directors: We may disclose PHI to coroners, medical examiners, or funeral directors as necessary for them to carry out their duties.

• Workers' Compensation: We may disclose PHI as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs.

• Specialized Government Functions: We may disclose PHI for specialized government functions, such as military and veterans' activities, national security and intelligence activities, and protective services for the President.

4.3. Minimum Necessary Standard

When using, disclosing, or requesting PHI, MVFD will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, except for disclosures for treatment purposes.

4.4. Safeguarding PHI

MVFD will implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. These safeguards include:

• Administrative Safeguards:

  • Designating a Privacy Official responsible for the development and implementation of HIPAA policies and procedures.

  • Implementing security measures, including risk analysis and management.

  • Providing training to all members on privacy and security policies and procedures.

  • Establishing sanctions for members who violate these policies.

  • Implementing procedures for authorizing access to PHI.

• Physical Safeguards:

  • Limiting physical access to facilities and electronic information systems containing PHI.

  • Implementing policies and procedures for the secure use and disposal of paper records and electronic media containing PHI.

  • Ensuring proper security for patient care reports and related documentation.

• Technical Safeguards:

  • Implementing access controls for electronic systems containing PHI (e.g., unique user IDs, passwords).

  • Using encryption for PHI transmitted electronically where appropriate and feasible.

  • Implementing audit controls to record and examine activity in information systems that contain or use PHI.

  • Protecting against malicious software.

4.5. Patient Rights Regarding PHI

Individuals have certain rights with respect to their PHI under HIPAA. MVFD will honor these rights as applicable:

• Right to Access PHI: Individuals have the right to inspect and obtain a copy of their PHI that MVFD maintains in a designated record set, with limited exceptions. Requests must be made in writing. A reasonable, cost-based fee may be charged.

• Right to Request Restrictions: Individuals may request restrictions on certain uses and disclosures of their PHI. MVFD is not required to agree to all requested restrictions, but will consider them. If we do agree, we will comply with the restriction unless the information is needed for emergency treatment.

• Right to Request Confidential Communications: Individuals may request that we communicate with them about their PHI in a certain way or at a certain location. We will accommodate reasonable requests.

• Right to Amend PHI: Individuals may request an amendment of their PHI if they believe it is incorrect or incomplete. Requests must be in writing and provide a reason. MVFD may deny the request under certain circumstances.

• Right to an Accounting of Disclosures: Individuals have the right to receive an accounting of certain disclosures of their PHI made by MVFD in the six years prior to the request date (or shorter period if requested), with some exceptions (e.g., disclosures for treatment, payment, healthcare operations).

• Right to a Paper Copy of This Notice: Individuals have the right to obtain a paper copy of this Policy upon request.

To exercise any of these rights, individuals should contact the MVFD Privacy Official.

4.6. Breach Notification

In the event of a breach of unsecured PHI, MVFD will comply with HIPAA's breach notification requirements. This includes notifying affected individuals, the Secretary of Health and Human Services, and, in some cases, the media, without unreasonable delay and as required by law.

4.7. Training and Awareness

All MVFD members with access to PHI will receive training on this Policy and relevant HIPAA requirements. Refresher training will be provided periodically.

5. Virginia Law

MVFD will comply with applicable Virginia laws concerning the privacy and security of personal information and health records, including but not limited to requirements for patient consent, access to records, and data breach notification. Where Virginia law is stricter than HIPAA, MVFD will follow the more stringent standard.

6. Policy Administration

6.1. Privacy Official

MVFD will designate a Privacy Official who is responsible for:

• Developing, implementing, and overseeing this Policy and related procedures.

• Ensuring compliance with HIPAA and other privacy laws.

• Receiving and addressing complaints related to privacy and PHI.

• Providing training to MVFD members.

• Serving as the point of contact for individuals regarding their privacy rights.

MVFD Privacy Official:

Name/Title: Erin Reed, EMS Captain /  Designated HIPAA Officer

Contact Information: 804-994-9800 / Erin.Reed@mangohickfire.com

Mailing Address: P.O. BOX 715 Manquin VA 23106

6.2. Complaints

Individuals who believe their privacy rights or the provisions of this Policy have been violated may file a complaint with the MVFD Privacy Official. Complaints should be submitted in writing, if possible, and include specific details.

No individual will be retaliated against for filing a complaint or for participating in an investigation of a complaint.

Individuals also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, if they believe their HIPAA rights have been violated.

6.3. Policy Updates

This Policy may be revised or amended from time to time to reflect changes in legal requirements or MVFD operations. The current version of the Policy will be made available upon request and, if applicable, posted on the MVFD website.

7. Sanctions

Violations of this Policy by MVFD members may result in disciplinary action, up to and including termination of membership and potential legal consequences.

8. Disclaimer

This Policy is intended to provide guidance and does not constitute a contract. It should be reviewed by legal counsel to ensure full compliance with all applicable federal and state laws and regulations specific to Mangohick Volunteer Fire Department Inc.'s operations.

Adoption and Review History:

• Adopted by Mangohick Volunteer Fire Department Inc. Board on: 05/24/2024

• Reviewed on: