HIPAA Privacy Policies and Procedures

Privacy procedures governing PHI handling, disclosures, training, and breach response.

Retrieved March 23, 2026

General

Introduction:

It is the policy of Orchid Surgical, Inc. (“Company”) that all personnel must preserve the integrity and confidentiality of protected health information (“PHI”) and other sensitive information pertaining to the patients of our covered entity clients. The purpose of these Privacy Policies and Procedures is to ensure Company’s compliance with applicable standards, implementation specifications, and requirements of the HIPAA Privacy Rule with respect to PHI. Furthermore, the purpose of these Privacy Policies and Procedures is to ensure that Company and its workforce have the necessary medical and other information to provide the highest quality services possible while protecting the confidentiality of that information to the highest degree possible, so that covered entities are not reluctant to provide information to Company and its workforce.

General Policy:

Shonte Amato-Grill shall serve as Company’s Privacy Officer. Company and its personnel shall not use or disclose PHI, except as permitted or required by the HIPAA Privacy Rule and the HIPAA Security Rule. All Company workforce members are required to comply with all HIPAA Privacy Policies and Procedures. In addition, workforce members are expected to report known or suspected violations of the HIPAA Privacy Policies and Procedures by others. Reports of violations should be in writing and directed to Company’s Privacy Officer.

Procedures:

  • Company shall only use and disclose PHI in accordance with the appropriate Business Associate Agreements it has entered into with its covered entity clients and any downstream HIPAA Subcontractor Agreements with its subcontractors. In the event that the obligations of Company pursuant to an applicable Business Associate Agreement or HIPAA Subcontractor Agreement conflict with the policies or procedures set forth in these HIPAA Privacy Policies and Procedures, Company shall comply with its obligations pursuant to the applicable Business Associate Agreement.

Sanctions Policy

General Policy

Whenever there is a credible allegation that a violation of the HIPAA Privacy Rule, HIPAA Security Rule, or Company’s HIPAA Privacy or Security Policies has occurred, Company shall investigate the allegation and shall recommend appropriate sanctions for such violations, if any.

Procedures

Sanctions for workforce members may include, but are not limited to: verbal warnings, written warnings, paid and unpaid suspensions, and termination, in accordance with applicable personnel policies.

  • Definition of a Violation: The level of breach in patient confidentiality or privacy violation is determined according to the severity of the breach or violation, whether the breach or violation was intentional or unintentional, and whether the breach or violation indicates a pattern or practice of improper use or release of confidential patient information or violation of patient privacy. The degree of discipline may range from a verbal warning to immediate termination.

a. Class I Violation(s): Carelessness or Inadvertent action. This level of breach or violation occurs when a Company workforce member unintentionally or carelessly accesses, reviews, or releases confidential patient information without a legitimate business reason. Examples include, but are not limited to:

  • Leaving PHI in an unsecured area where it might be viewed by others;
  • Leaving a computer unattended while the workforce member is logged on to a system containing PHI;
  • Sharing PHI with another workforce member without authorization or unrelated to the performance of the workforce member’s duties;
  • Discussing PHI in public areas where the workforce member can be overheard (e.g., patient waiting room, restroom, etc.); or
  • Faxing documents to the wrong location or mailing/giving documents to the wrong person/patient.

b. Class II Violation(s): No Personal Gain. This level of breach or violation occurs when a workforce member intentionally accesses or releases confidential patient information for purposes other than the care of the patient or other authorized purposes but for reasons unrelated to personal gain. Examples include but are not limited to:

  • The sharing of computer access codes (username & password); or
  • The use of another person’s computer access codes (username & password).

c. Class III Violation(s): Personal Gain or Malice. This level of breach or violation occurs when a workforce member accesses, reviews, or releases confidential patient information for personal gain or with malicious intent. Examples include, but are not limited to:

  • Accessing or reviewing a health record of a patient without a legitimate business purpose, such as reviewing the health record of a patient in the news, another workforce member’s information, or a public personality.
  • Using and/or disclosing PHI for commercial advantage, personal gain or malicious harm; or
  • Obtaining PHI under false pretenses.
  • Sanctions: Violation of this policy will result in action appropriate to the circumstances, the class of offense, and whether there is a pattern of repeated violations. The following steps are guidelines for disciplinary action for privacy breaches and violations. Risk to patients or staff and other serious offenses may warrant deviation from these guidelines. Such disciplinary actions may include, but are not limited to, any one or more of the following:

a. Class I Violation(s):

i. First Offense: A documented warning.

ii. Multiple Offenses: Each subsequent Class I Violation constitutes a Class II Violation.

b. Class II Violation(s):

i. First Offense: Depending on the facts, (1) documented warning, and/or (2) final written warning/last chance agreement.

ii. Multiple Offenses: Depending on the facts, (1) final written warning/last chance agreement, (2) suspension up to five days without pay, documented and maintained in the workforce member’s file, and/or (3) immediate termination with reports to appropriate agencies if applicable.

c. Class III Violation(s):

i. First or Subsequent Offense: Depending on the facts, (1) suspension up to five days without pay, documented and maintained in the workforce member’s file, and/or (2) immediate termination with reports to appropriate agencies if applicable.

d. Civil and criminal penalties as provided under HIPAA and other applicable Federal/State/Local laws.

  • Exceptions: No sanctions or retaliatory actions shall apply to:

a. Whistleblowers. Workforce members who believe in good faith that Company has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by Company potentially endanger patients, workers, or the public shall not be sanctioned for disclosing PHI to the following individuals or entities:

  • A health oversight agency or public health authority authorized by law to investigate or oversee the conduct or conditions of Company, so long as the purpose of the disclosure was to report the allegation regarding Company’s failure to meet the relevant legal or professional standards;

  • A health care accreditation organization, so long as the purpose of the disclosure was to report the allegation regarding Company's failure to meet the relevant legal or professional standards; or
  • An attorney retained by or on behalf of the workforce member for the purpose of determining the legal options that the member has with regard to Company’s alleged illegal or unprofessional conduct under Section 3.a.

b. Individuals who oppose actions that violate HIPAA. Sanctions will not be applied to any individual for the following:

  • Filing a truthful complaint with HHS, or other governmental agency, regarding a privacy violation;
  • Testifying, assisting, or participating in any official investigation, compliance review, proceeding, or hearing under HIPAA; or
  • Opposing any act of Company that violates the HIPAA Privacy or Security Rules, as long as the individual doing so believes in good faith that the act of Company is unlawful, and the manner of the opposition is reasonable and does not involve making a disclosure of PHI that violates HIPAA.

Incidental Disclosures of PHI

General Policy:

Incidental disclosures are disclosures of PHI that occur as a by-product of a permissible use or disclosure, are limited in nature, and cannot be prevented through the use of reasonable measures. Incidental disclosures do not violate Company’s HIPAA Privacy Policies and Procedures as long as: (1) reasonable measures were taken to prevent the incidental disclosure; and (2) the disclosure resulted from a use or disclosure that is otherwise permissible under Company’s HIPAA Privacy Policies and Procedures, including policies regarding using or disclosing the minimum necessary information.

Procedures:

1) The following measures are considered reasonable with respect to the prevention of incidental disclosures and shall be followed when applicable:

a) Compliance with the Policy Regarding Transmission of PHI via Facsimile, Policy Regarding Transmission of PHI via E-mail, and the Policy Regarding Transmission of PHI via Telephone shall constitute reasonable measures for the prevention of incidental disclosures when receiving or disclosing PHI via telephone, e-mail or fax.

  • When discussing PHI in any non-private area (e.g., reception area or hall), all conversations should be kept as low as reasonably possible. Private areas should be used for such discussions whenever reasonably possible. If PHI is communicated via sign language, reasonable efforts should be made to move the discussion out of plain view of passersby.
  • Computer screens should be set up out of view of unauthorized individuals.

Requests from Patients

General Policy:

Under the HIPAA Privacy Rule, patients have certain rights with regard to their PHI, including but not limited to the right to access their PHI, the right to request restrictions on the use or disclosure of PHI, the right to request amendments or corrections to PHI, and the right to request an accounting of disclosures of PHI. Company will cooperate with its covered entity clients to ensure compliance with such patient rights.

Procedure:

  • Responding to Requests from Covered Entities: In the event that a covered entity client of Company requests that Company disclose PHI maintained by Company for the purpose of responding to a patient request for: (a) access to PHI, (b) amendment or correction of PHI, or (c) an accounting of disclosures of PHI, Company shall provide the requested PHI to the covered entity. Company must provide the PHI to the covered entity within the timeframe set forth in the appropriate Business Associate Agreement, but no later than the following:

Company will not communicate directly with the patient unless specifically directed to do so by the covered entity and the covered entity provides written consent to such communication.

  • Documentation: The Privacy Officer is responsible for handling requests from covered entities and patients under this Policy. Company shall retain documentation of the requests for 6 years.

Breach Notification Policy

General Policy:

Company will comply with the federal mandatory breach notification requirements pertaining to the breach of unsecured PHI. To that end, Company will notify covered entities of whom Company is a business associate of a breach of unsecured PHI in accordance with the federal mandatory breach notification requirements. The mandatory reporting obligations set forth in this policy apply only to unsecured PHI.

Definitions:

  • “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by HHS.

Procedures:

  • Analysis of Incident. When determining the probability that a breach has occurred, i.e., whether the privacy or security of a patient’s PHI has been compromised, Company shall consider the factors included in the HIPAA Breach Assessment at Exhibit A to this Policy. These factors must include the following:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

Other factors may also be considered as necessary.

  • Notification. Company will notify each covered entity whose patient unsecured PHI has been, or is reasonably believed by Company to have been, accessed, acquired, or disclosed because of a breach.

EXHIBIT A: HIPAA BREACH RISK ASSESSMENT

Background Information:
Date incident occurred
Date incident discovered by Company’s personnel (if different)
Brief description of the type of information that may have been improperly disclosed or accessed
Indicate who used or disclosed PHI improperly
To whom was the information improperly disclosed?
Does an exception to the definition of “Breach” apply to this situation?
1. Any unintentional acquisition, access or use of PHI by a Company workforce member
2. Any inadvertent disclosure of PHI by a person who is authorized to access PHI at Company to another person who is authorized to access PHI at Company
3. An inadvertent disclosure of PHI in a situation where Company has a good faith belief that the unauthorized person to whom PHI was disclosed would not be able to reasonably retain such information
Has the individual who improperly acquired or used PHI provided a written assurance that the individual will destroy and/or not further disclose PHI? If so, maintain copies of the signed assurance with this documentation.
If an exception does not apply, is there a “low probability” that the privacy or security of the PHI was compromised?
Factor 1: Note the nature and the extent of the PHI involved.
Factor 2: Indicate who used or disclosed PHI improperly. In addition, indicate to whom PHI was disclosed.
Factor 3: Was the impermissibly disclosed PHI actually acquired or viewed?
Factor 4: Was the risk to the PHI mitigated?

Upon consideration of all factors in combination, Company must evaluate the overall probability that the PHI has been compromised. Unless Company can reasonably establish that there is a low probability that the privacy or security of the PHI was compromised, a breach has occurred and notification is required.

Conclusion:

Signature: __________________________________ Date: _____________

Print Name: _________________________________

Privacy Practices Training

General Policy:

Each member of Company’s workforce shall be instructed regarding these HIPAA Privacy Policies and Procedures and other privacy practices in a manner that is tailored to address the specific functions that the individual receiving that education performs.

Procedures:

  • Training for existing workforce members shall be completed as soon as practicable after these HIPAA Privacy Policies and Procedures are adopted by Company. Each individual who joins the workforce after this initial training shall be trained as soon as practicable after joining the workforce.

Transmission of PHI via Telephone

General Policy:

Company personnel may release PHI over the telephone in the same manner that such information may be released in person, in accordance with these HIPAA Privacy Policies and Procedures.

Procedures:

  • Voicemail Services. The voicemail system will be password protected to prevent unauthorized access to voicemail messages containing PHI.

e) Whether or not the appointment requires special instructions, but only if doing so will not reveal the clinical condition of the patient.

Transmission of PHI via E-mail

General Policy: Unencrypted e-mail messages may be read by someone other than the intended recipient(s) of the e-mail. In accordance with Company’s HIPAA Security Policies, Company’s workforce must take the appropriate steps to limit sending unencrypted e-mails with PHI. At a minimum, workforce of Company must comply with the following procedures set forth in this policy when sending PHI to patients via e-mail.

Procedures:

  • Workforce must exercise a greater degree of caution in transmitting PHI electronically than they take with other means of communicating PHI (e.g., written memos, letters, pictures, or phone calls) because of the reduced human effort required to redistribute information electronically.

This e-mail and its attachments may contain protected health information intended solely for the use of Orchid Surgical, Inc. and the recipient(s) named above. Due to the unsecured nature of unencrypted e-mail, the recipient(s) named above understand and agree that there may be some level of risk that the information in this e-mail could be read by a third party. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, printing or copying of this email message and/or any attachments is strictly prohibited. If you have received this transmission in error, please notify Orchid Surgical, at Contact@OrchidSurgical.com and permanently delete this e-mail and any attachments.

Transmission of PHI via Facsimile

Company has adopted this policy to comply with the HIPAA Privacy Rule, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law. PHI shall be transmitted by facsimile only when other means of transmission are not feasible. Minor inconvenience shall not constitute infeasibility. All personnel must strictly observe the standards and procedures set forth in this Transmission of PHI via Facsimile Policy and Procedure relating to facsimile communications of patient medical records.

Assumptions:

  • Company and the personnel or organizations with which Company does business often will have a need to transmit or receive confidential medical information by facsimile rather than by a slower method, such as mail.
  • Personnel may send faxes to unauthorized recipients, faxes may be intercepted or lost in transmission, or Company may not receive a fax intended for it because of one of these or other reasons.
  • Thus, the potential for breach of patient confidentiality exists every time someone uses such information.

Procedures:

  • Company, its contracted officers, agents, and employees will send health information by facsimile only when the original record or mail-delivered copies will not meet the needs of immediate patient care.

This facsimile and its enclosures may contain protected health information intended solely for the use of Orchid Surgical, Inc. and the recipient(s) named above. Due to the unsecured nature of facsimiles, the recipient(s) named above understand and agree that there may be some level of risk that the information in this facsimile could be read by a third party. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, printing or copying of this facsimile and/or any enclosures is strictly prohibited. If you have received this transmission in error, please notify Orchid Surgical, Inc. at Contact@OrchidSurgical.com and shred the facsimile and its enclosures.

  • Personnel must make reasonable efforts to ensure that they send the facsimile transmission to the correct destination. Personnel must pre-program frequently used numbers into the machine to prevent misdialing errors. For a new recipient, the sender must verify the fax number before sending the facsimile and verify the recipient’s authority to receive confidential information.

Complaint and Grievance

Company will continually strive to improve the quality of the services it provides and will provide a process for handling complaints and grievances related to the use or disclosure of PHI.

Definitions:

  • Complaint: an oral concern about compliance with health-information privacy laws.

Procedures:

  • All grievances regarding privacy policies and practices, and compliance with those policies and practices, will be accepted and considered. Complaints should be made in writing using the Complaint and Grievance form attached at the end of this Complaint and Grievance Policy and Procedure and directed to the Privacy Officer.

COMPLAINT AND GRIEVANCE FORM

Business Associate and Subcontractor Agreements

Company will enter into a HIPAA Business Associate Agreement with each of its covered entity clients for which Company provides services that involve Company’s creation, receipt, maintenance, or transmission of electronic PHI (ePHI) on the covered entity’s behalf.

To the extent that Company is the business associate of its covered entity clients, Company, in accordance with the HIPAA Privacy Rule and HIPAA Security Rule, may permit a subcontractor to create, receive, maintain, or transmit electronic PHI (ePHI) and to use or disclose PHI on Company’s behalf only if Company obtains satisfactory assurances, in accordance with this Business Associate and Subcontractor Agreements Policy and Procedure, that the subcontractor will appropriately safeguard the information.

Procedures:

  • Company will document the satisfactory assurances required by this Policy through (a) a written Business Associate Agreement with each of its covered entity clients, and (b) a written HIPAA Subcontractor Agreement with each of its subcontractors to whom Company delegates certain services or activities requiring the use or disclosure of PHI. It is Company’s policy to use its own Business Associate and HIPAA Subcontractor Agreement templates. However, in some instances, Company may accept the contract templates of a covered entity or subcontractor, provided it has reviewed the contract for compliance with HIPAA.