HIPAA Policy & Notice of Privacy Practices (NPP)
Organization: All Seniors Foundation
Last Updated: October 2025
Summary: This HIPAA Policy explains how we protect your PHI, how we use and disclose it, and what rights you have under the Health Insurance Portability and Accountability Act (HIPAA).
Purpose
We protect the confidentiality, integrity, and availability of patient information. This policy describes how All Seniors Foundation handles PHI, supports your rights, and complies with HIPAA’s Privacy, Security, and Breach Notification Rules.
Scope
This policy applies to all workforce members, including employees, volunteers, contractors, interns, and board members. It also applies to third‑party vendors with access to PHI through services, storage, or support.
Key Definitions
Protected Health Information (PHI)
PHI is any information that identifies you and relates to your health, care, or payment for care. PHI may be oral, paper, or electronic and includes medical records, test results, billing data, and demographic details.
Notice of Privacy Practices (NPP)
The NPP explains our legal duties and privacy practices. This page serves as our online NPP. You may request a paper copy at any time.
Your HIPAA Privacy Rights
You have important rights. We make it easy to use them.
- Access: Request copies of your records in paper or electronic form.
- Amendment: Ask us to correct or add information in your records.
- Accounting of Disclosures: Request a list of certain disclosures.
- Restrictions: Ask us to limit how we use or disclose PHI. We will honor required limits and reasonable requests.
- Confidential Communications: Request contact at a different address, phone number, or email.
- Paper Copy: Get a paper copy of this policy at any time.
- Fundraising Opt‑Out: If we contact you for fundraising, you may opt out. We will honor your choice.
- File a Complaint: You can complain without fear of retaliation. See Contact the Privacy Officer.
How We Use and Disclose PHI
We use or disclose PHI for the following core purposes:
- Treatment: To coordinate your care with clinicians, caregivers, and service partners.
- Payment: To bill and obtain payment for services.
- Health Care Operations: To run our programs, improve quality, train staff, and perform audits.
For other uses and disclosures, we obtain your written authorization. You may revoke an authorization at any time in writing.
Examples of Disclosures Without Authorization
- Public health reporting and health oversight activities as permitted by law.
- Reporting abuse, neglect, or domestic violence when required.
- Responding to court orders, subpoenas, or law enforcement requests.
- Averting a serious threat to health or safety.
- Limited use of de‑identified or aggregated data for quality improvement.
We do not sell PHI. We do not use your PHI for marketing without your explicit authorization.
Minimum Necessary Standard
We follow the “minimum necessary” rule. Staff access only the PHI they need to perform their duties. We apply role‑based access controls and review access regularly.
Administrative, Physical, and Technical Safeguards
Administrative Safeguards
- Governance: Appointed Privacy Officer and Security Officer oversee compliance.
- Risk Management: Annual risk assessments and remediation plans.
- Policies & Training: New‑hire and annual HIPAA training with documented completion.
- Sanctions: Violations result in corrective action up to and including termination.
- Contingency Planning: Data backups and disaster recovery procedures are tested.
Physical Safeguards
- Locked file storage; clean‑desk policy for paper PHI.
- Badge‑controlled offices and visitor sign‑in.
- Workstation security and privacy screens where needed.
- Secure device storage and transport.
Technical Safeguards
- Encryption: AES‑256 encryption at rest and TLS in transit.
- Access Controls: Unique IDs, strong passwords, and multifactor authentication.
- Audit Controls: System logs, alerts, and periodic access reviews.
- Integrity: Anti‑malware, patching, and change management.
- Automatic Logoff & Device Protections: Screen locks, remote wipe, and mobile management.
Business Associates & Vendor Management
We execute Business Associate Agreements (BAAs) with vendors that create, receive, maintain, or transmit PHI on our behalf. We assess vendor security, review BAAs, and monitor performance. Subcontractors must meet the same standards.
Records, Retention & Secure Disposal
- Accuracy: We strive to keep records current and complete.
- Retention: We retain records as required by law and our schedule.
- Secure Disposal: We shred paper PHI and sanitize or destroy media containing ePHI.
Digital Privacy, Cookies & Telehealth
Our patient portals and web forms use SSL/TLS to protect PHI during transmission. We use analytics and cookies to improve the site; these do not access PHI. You may control cookies in your browser.
When we deliver telehealth or remote services, we use HIPAA‑aligned platforms and follow our identity verification and privacy procedures.
For legal resources, see Legal Help for Seniors and Families.
Breach Notification & Incident Response
We investigate suspected incidents promptly. If a breach of unsecured PHI occurs, we notify affected individuals without unreasonable delay and no later than 60 days after discovery. When required, we also notify regulators and, if applicable, the media.
- Contain: Stop the incident and secure systems.
- Assess: Complete a risk assessment and forensic review.
- Notify: Send letters with details and recommended protections.
- Remediate: Correct root causes and update safeguards.
- Document: Keep detailed incident records.
How to Exercise Your Rights
You can submit requests online, by mail, or in person. We will respond in accordance with HIPAA timelines.
- Access or Copies: Request your records and choose paper or electronic format.
- Amendment: Ask us to correct information you believe is inaccurate or incomplete.
- Restrictions & Confidential Contact: Request limits or alternative contact methods.
- Accounting of Disclosures: Request a list of certain disclosures.
- Complaints: If you believe your privacy rights were violated, contact us or file a complaint with the U.S. Department of Health & Human Services Office for Civil Rights.
Contact the Privacy Officer
Privacy Officer, All Seniors Foundation
Email: [email protected]
Phone: (818) 581-4101
Mailing Address: 16101 Ventura Blvd Suite 333
For more on HIPAA, visit the HHS HIPAA website or the Breach Notification Rule.
Frequently Asked Questions
Do you share PHI with family members or caregivers?
With your permission, we may share relevant PHI with family or caregivers to support your care. In emergencies, we may share information if it is in your best interest.
Can I choose not to receive fundraising messages?
Yes. If you receive a fundraising message, you may opt out at any time. Your choice will not affect your care or services.
How do you protect electronic PHI (ePHI)?
We use encryption, multifactor authentication, access logs, and regular security reviews. We limit access to authorized staff.
Will you notify me if my data is involved in a breach?
Yes. If a breach of unsecured PHI occurs, we will notify you as required by law and provide steps you can take to protect yourself.
Legal Notices
This policy reflects our HIPAA compliance program. It is for information only and is not legal advice. Where state laws are more protective, we follow the stricter standard.