HIPAA Privacy & Security Policy
- Effective Date: December 30, 2025
- Approved By: Desirae Sheldon, President
- Version: 1.0
Section 1: Introduction and Purpose
1.1 Purpose
This manual outlines the policies, procedures, and standards of conduct for rootedstillness.org to ensure full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the Privacy, Security, and Breach Notification Rules. Our primary goal is to protect the confidentiality, integrity, and availability of all Protected Health Information (PHI) and electronic PHI (ePHI) created, received, maintained, or transmitted by our organization.
1.2 Scope
These policies apply to all members of the rootedstillness.org workforce (employees, volunteers, interns, contractors, and management) and any Business Associates (vendors) who interact with our systems or PHI.
1.3 Definitions (Key Terms)
- Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium (electronic, paper, or oral).
- ePHI: Protected Health Information that is created, stored, or transmitted electronically.
- Covered Entity/Organization: RootedStillness.org.
- Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the covered entity, is under the direct control of such entity.
- Business Associate (BA): A person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involves the use or disclosure of individually identifiable health information.
Section 2: Administrative Safeguards
2.1 Designated Roles
- Privacy Official: Desirae Sheldon, President is responsible for the development and implementation of privacy policies and procedures.
- Security Official: Desirae Sheldon, President is responsible for the development and implementation of security policies and procedures.
2.2 Workforce Training
- All workforce members shall receive initial HIPAA Privacy and Security training upon hire and annually thereafter.
- Training documentation (attendance logs, topics covered) will be retained for a minimum of six years.
2.3 Sanctions Policy
Failure to comply with these policies and procedures will result in disciplinary action, up to and including termination of employment or contract, and potential legal ramifications.
2.4 Business Associate Agreements (BAAs)
We will obtain a signed Business Associate Agreement (BAA) from any vendor or third party that creates, receives, maintains, or transmits PHI on our behalf, before any PHI is shared with them. This agreement contractually obligates them to safeguard PHI in accordance with HIPAA standards.
Section 3: Physical Safeguards
3.1 Facility Access Controls
- Physical access to areas where servers or paper PHI records are stored is restricted to authorized personnel only.
- Visitor access is logged and supervised.
3.2 Workstation and Device Security
- Workstations used to access ePHI must be secured when unattended (e.g., automatic screen lock after no more than 5 minutes of inactivity) and positioned so that displays are not visible to unauthorized persons.
- Mobile devices (laptops, tablets, smartphones) that access ePHI must use full-device encryption and be protected by a password, PIN, or biometric lock.
- ePHI shall not be stored on personal devices unless approved by the Security Official and protected by the same safeguards as company-owned devices.
Section 4: Technical Safeguards
4.1 Access Control
- Each workforce member is assigned a unique user ID to access systems containing ePHI.
- Passwords must meet minimum length and complexity requirements (e.g., minimum 8 characters, combination of letters, numbers, and symbols), must not be shared, and must not be reused across systems containing ePHI.
4.2 Audit Controls
- Information systems that contain or use ePHI are configured to record activity (audit logs), and the Security Official or a designee regularly reviews those logs to detect security incidents and unauthorized access.
4.3 Transmission Security
- ePHI transmitted electronically outside our internal secure network must be encrypted.
- Secure communication methods (e.g., secure portals, encrypted email services) must be used for all patient communication involving PHI.
Section 5: Breach Notification and Incident Response
5.1 Incident Reporting
Any workforce member who becomes aware of a suspected security incident or unauthorized use/disclosure of PHI must immediately report it to the Privacy Official or Security Official.
5.2 Mitigation
Upon discovery of a security incident or breach, rootedstillness.org will take reasonable steps to mitigate, to the extent practicable, any harmful effects known to result from the unauthorized use or disclosure.
5.3 Notification
If a breach of unsecured PHI is confirmed, we will notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals will be reported to the Secretary of the U.S. Department of Health and Human Services (HHS) within the same 60-day period; breaches affecting fewer than 500 individuals will be logged and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered. Where a breach involves more than 500 residents of a state or jurisdiction, prominent media outlets serving that area will also be notified as required by law.
Changes to this Policy
We will post any revisions to this policy on this page, and the revised version will be effective when it is posted. If we make material changes, we may also notify workforce members and Business Associates by a notice on our website or another method. Workforce members are expected to review this policy periodically to stay current with our HIPAA practices.
Contact Us
All questions, feedback, requests for technical support, and other communications relating to this policy or to our handling of PHI should be directed to: dsheldon@rootedstillness.org.
Last updated: December 30, 2025