Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (“HIPAA”) governs how we are permitted to use, store, and destroy patient information. Under the terms of our business associate agreements with healthcare systems, and per company policy, we have a legal and ethical obligation to ensure that we protect patient health information (“PHI”). At KIC Ventures, we require that our employees, distributors, and agents apply the “minimum necessary” rule as defined under HIPAA. The “minimum necessary” rule seeks to limit the use or disclosure of, and request for, a patient’s PHI. Individuals are permitted to access and use only the minimum necessary patient information needed to perform their job duties.

 

PHI is defined as individually identifiable health information (including demographic information), in any format, that is received or transmitted by KIC Ventures relating to the individual’s “past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” and/or for which there is a “reasonable basis to believe the information can be used to identify the individual.”

 

To the extent they are consistent with KIC Ventures policy, employees, distributors, and agents shall make themselves familiar with and shall adhere to the policies of the establishments with which they do business (e.g., hospitals, medical centers, HCP offices). KIC Ventures employees shall not use, disclose or request PHI in a manner that violates this policy, the policy of the other establishment, or state or federal laws. KIC Ventures employees who may view PHI in the regular course of their employment (i.e., during a clinical trial) shall not use or disclose the PHI to third parties absent express written consent. Any KIC Ventures employee who receives PHI in the regular course of their employment must ensure that the PHI shall not be made visible to other employees and shall be redacted to ensure compliance with the minimum necessary standard. All PHI must be stored in a secure area and all documents containing PHI shall be shredded when the information is no longer needed.