
HIPAA Privacy & Security Policy

Effective Date: September 25, 2025


1. Purpose & Scope

This policy outlines how Aymond Agency (“the Agency”) will protect the privacy, confidentiality, integrity, and availability of protected health information (“PHI”) handled in its operations. While Aymond primarily handles life, health, and retirement insurance products, some of the health-insurance data it handles may fall under HIPAA or analogous state laws. This policy ensures that the Agency treats PHI appropriately whenever it is encountered.


This policy applies to:

  • All employees, agents, contractors, and business associates of the Agency

  • All forms of PHI — physical, electronic, and verbal

  • All business functions and processes in which PHI is collected, stored, used, or disclosed


2. Definitions

  • PHI (Protected Health Information): Individually identifiable health information held or transmitted by the Agency, including medical histories, premiums, claims, eligibility, or plan benefits, in any form.

  • Covered Entity / Business Associate: A covered entity is a health plan, health care clearinghouse, or health care provider that transmits health information electronically. A business associate is a person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. When the Agency handles PHI on behalf of a health plan or insurer, it acts as a business associate and is directly subject to the HIPAA Security Rule and the applicable provisions of the Privacy Rule.

  • Use: Internal handling, examination, processing, management of PHI (e.g., quoting health plans, underwriting).

  • Disclosure: Release, transfer, or provision of access to PHI to another party (e.g., insurer, hospital, partner).

  • Minimum Necessary: The principle that only the minimum PHI needed to accomplish a task should be used or disclosed.

  • Safeguards: Administrative, physical, and technical protections to secure PHI.


3. Privacy Policies & Procedures


3.1 Permitted Uses & Disclosures

  • The Agency may use and disclose PHI as necessary to perform its functions (e.g. quoting health insurance, evaluating risks, processing applications)

  • PHI may be disclosed to insurers, providers, auditors, regulators, or business partners under written agreements

  • Disclosures beyond those purposes require explicit, written authorization from the individual


3.2 Authorization & Consent

  • Before using or disclosing PHI for purposes beyond routine operations, the Agency shall obtain a valid HIPAA-compliant authorization from the individual

  • The authorization must specify the PHI to be used or disclosed, who may disclose it and to whom, the purpose, and an expiration date or event, and must carry the individual’s signature and the required statements of individual rights (including the right to revoke)


3.3 Minimum Necessary Rule

  • For every use, disclosure, or request for PHI, employees must limit access to only the PHI minimally required

  • The Agency shall maintain role-based access control (e.g. agents only see client files they manage)


3.4 Individuals’ Rights

The Agency affirms that individuals have the following rights regarding their PHI:

  • Right to access and obtain a copy of their PHI (subject to exceptions)

  • Right to request amendments or corrections

  • Right to request an accounting of disclosures

  • Right to request restrictions on certain uses/disclosures

  • Right to receive notices of privacy practices


The Agency will respond to such requests within the regulatory timeframes (e.g. 30 days for access requests, extendable once by a further 30 days with written notice to the individual) or any shorter period required by state law.


3.5 Notice of Privacy Practices

  • The Agency shall maintain and distribute a Notice of Privacy Practices that describes how PHI may be used/disclosed and the individual’s rights

  • The notice shall be posted publicly (on website, in office) and provided to individuals at first point of contact


4. Security Safeguards

4.1 Administrative Safeguards

  • Designate a Privacy Officer and Security Officer responsible for HIPAA compliance

  • Conduct regular risk assessments of PHI systems and workflows

  • Develop and enforce policies & procedures (e.g. incident response, termination procedures)

  • Train all staff annually (and upon onboarding) in HIPAA, data privacy, and security practices

  • Maintain business associate agreements (BAAs) with third parties handling PHI


4.2 Physical Safeguards

  • Secure offices and storage areas (locked doors, restricted access)

  • Control the physical movement of devices containing PHI (laptops, USB drives)

  • Use proper disposal methods (e.g. shredding of paper, secure wiping of electronic media)

  • Visitor controls and sign-in logs in areas where PHI is stored


4.3 Technical Safeguards

  • Access controls (unique user IDs, authentication, automatic logoff, and role-based permissions aligned with the minimum necessary rule)

  • Encryption of PHI in transit (TLS 1.2 or later; legacy SSL and early TLS versions are deprecated and must not be used) and at rest (e.g. encrypted databases or full-disk encryption)

  • Audit logs and activity monitoring to detect unauthorized access, retained and reviewed as described in Section 6

  • Integrity controls to detect improper alteration or destruction of PHI (e.g. cryptographic hashes, digital signatures, input validation)

  • Backup systems and tested disaster recovery plans

  • Anti-malware, intrusion detection, and firewalls, kept current


5. Breach Notification & Incident Response

  • The Agency shall maintain an incident response plan to detect, respond to, and mitigate breaches

  • Upon discovery of a breach (unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy), the Agency shall:
     1. Contain the breach (limit ongoing exposure) and preserve evidence
     2. Assess the risk to individuals (the nature and extent of the PHI involved, who received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated)
     3. Where the Agency acts as a business associate, notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery
     4. Notify affected individuals (or, where the Agency is a business associate, support the covered entity’s notification as the BAA provides) without unreasonable delay and no later than 60 calendar days after discovery
     5. Notify the Department of Health & Human Services (at the same time as individual notice for breaches affecting 500 or more individuals; otherwise via an annual log submitted within 60 days after the end of the calendar year) and any state authority as required
     6. Notify prominent media outlets if the breach involves more than 500 residents of a state or jurisdiction
     7. Document all steps taken, including the risk assessment and every notification sent


6. Auditing & Monitoring

  • Periodic audits of PHI access logs and user activity

  • Quarterly reviews of policy compliance and security posture

  • Random spot-checks of physical and electronic safeguard adherence

  • Revision of policies based on audit findings
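As an added illustration of the periodic access-log review in this section and the role-based access rule in 3.3 (example code written for this page, not the Agency’s own tooling): the script below reads a constructed CSV audit log, compares each agent’s access against a constructed assignment table, and flags reads of unassigned client files, export-type actions, and users with no assignment on file. The column names, role names, action names and client IDs are assumptions.

```python
"""Periodic review of a PHI access log against role-based assignments.

Constructed example for this policy page; the log format, role names,
action names and client IDs are assumptions, not the Agency's systems.
"""
import csv
import io
from dataclasses import dataclass


# Constructed assignment table: which client files each agent manages.
ASSIGNMENTS = {
    "agent.alice": {"C-1001", "C-1002"},
    "agent.bob": {"C-2001"},
}

# Roles that may read any client file as part of their function (assumed).
BROAD_READ_ROLES = {"underwriter", "compliance"}

# Actions that move PHI out of the system; each one needs a documented reason.
EXPORT_ACTIONS = {"export", "print", "email"}

# Constructed sample audit log (CSV). Not real data.
SAMPLE_LOG = """timestamp,user,role,action,client_id
2025-09-25T09:02:11Z,agent.alice,agent,view,C-1001
2025-09-25T09:05:40Z,agent.alice,agent,view,C-2001
2025-09-25T09:07:03Z,agent.bob,agent,view,C-2001
2025-09-25T09:09:55Z,uw.carol,underwriter,view,C-1002
2025-09-25T09:12:30Z,agent.bob,agent,export,C-2001
2025-09-25T09:15:00Z,jdoe,agent,view,C-1001
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    client_id: str
    reason: str


def review_access_log(log_text, assignments=ASSIGNMENTS):
    """Return one Finding per access that a reviewer should follow up.

    Checks, in order: the user is known (has assignments or a broad-read
    role); an agent only touched files assigned to them; any export-type
    action is surfaced regardless of who performed it.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, user = row["timestamp"], row["user"]
        role, action, client = row["role"], row["action"], row["client_id"]

        if user not in assignments and role not in BROAD_READ_ROLES:
            # Could be a terminated account left active or an unprovisioned login.
            findings.append(Finding(ts, user, client,
                                    "user has no assignments on file"))
            continue

        if role == "agent" and client not in assignments.get(user, set()):
            findings.append(Finding(ts, user, client,
                                    "agent accessed a client file not assigned to them"))

        if action in EXPORT_ACTIONS:
            findings.append(Finding(ts, user, client,
                                    f"PHI {action} requires documented justification"))
    return findings


def access_counts(log_text):
    """Accesses per user, for spotting volume outliers in the quarterly review."""
    counts = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        counts[row["user"]] = counts.get(row["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} {f.client_id}: {f.reason}")
    print(access_counts(SAMPLE_LOG))
```

Run against the sample, the review surfaces three items: agent.alice viewing a file she does not manage, agent.bob’s export of a client file, and a login (jdoe) with no assignments on record. The broad-read role is deliberately exempt from the assignment check so that underwriters reviewing applications are not flagged on every row; the export check applies to everyone because it concerns PHI leaving the system rather than who is entitled to see it.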


7. Sanctions & Enforcement

  • Violations of this policy may lead to disciplinary actions (verbal warning, termination, legal action)

  • All employees and agents must sign an acknowledgment of this policy and their responsibilities


8. Retention & Destruction

  • Retain PHI only as long as required by law or business need

  • When destruction is appropriate, PHI must be disposed of securely (paper shredded, digital data securely erased)


9. Business Associates & Third Parties

  • All business associates that will receive, store, or process PHI on behalf of the Agency must sign a Business Associate Agreement (BAA)

  • The BAA must require the same privacy & security obligations as this policy, and rights to audit


10. Policy Review & Updates

  • This policy shall be reviewed at least annually or when regulatory changes mandate updates

  • The Privacy and Security Officers are responsible for proposing and implementing changes
