POLICY No.

HIPAA 0012
Effective 3/01/2014
Date
Non Permitted Uses and Disclosures of Revision A
Protected Health Information Letter
Final Orlando
Approver González

1.0 Purpose

The purpose of this policy is to identify permitted and authorized uses or disclosures of
protected health information (PHI) and to define the process for handling an event in
which a breach of these rules is discovered.

2.0 Scope

This policy applies to all workforce members of MMM Holdings LLC.

3.0 Policy

This policy of MMM Holdings LLC. shall provide the following:

3.1 MMM Holdings, LLC. can only use or disclose PHI, without prior MMM Healthcare
LLC. and Preferred Medicare Choice LLC. members’ authorization, for purposes of
payment, treatment or health care operations and for other purposes required or
permitted by law. For any other use or disclosure, MMM Holdings, LLC. must obtain
prior member authorization. All business associate of MMM Holdings, LLC. shall use
or disclose PHI only as permitted or required by its business associate agreement or
by law. Business associates may not use or disclose PHI in a manner that would
violate the requirements of this policy.
3.2 If PHI is used or disclosed outside of these permitted or authorized parameters then
a breach has occurred.
3.3 In the event that a breach of PHI occurs, MMM Holdings, LLC. will make the
necessary notifications and take the appropriate corrective actions.

______________________________________________________________________________________________________
MMM Holdings LLC.
Page 1 of 4
Review date: 12/31/2017
4.0 Definitions

4.1 Breach (45 CFR §164.402): the term “breach” means the acquisition, access,
use, or disclosure of protected health information in a manner not permitted by HIPAA
which compromises the security or privacy of the protected health information.
EXCEPTIONS- the term "breach" does not include:
Any unintentional acquisition, access, or use of protected health information by an
employee or individual acting under the authority of a covered entity or business
associate if—
4.1.1.1 such acquisition, access, or use was made in good faith and within
the course and scope of the employment or other professional
relationship of such employee or individual, respectively, with the
covered entity or business associate; and
4.1.1.2 such information is not further acquired, accessed, used, or disclosed
by any person; or
4.1.2 Any inadvertent disclosure from an individual who is otherwise authorized
to access protected health information at a facility operated by a covered
entity or business associate to another similarly situated individual at
same facility; and
4.1.3 Any such information received as a result of such disclosure is not further
acquired, accessed, used, or disclosed without authorization by any
person.
4.1.4 A disclosure of PHI where MMM Holdings, LLC. has a good faith belief
that an unauthorized person to whom the disclosure was made would not
reasonably have been able to retain such information.
4.2 Business Associate (45 CFR §160.103): the term "business associate" means a
person, other than a member of the workforce of a covered entity, who in behalf of a
covered entity creates, receives, maintains or transmits protected health information for
a function or activity regulated by HIPAA, including claims processing or administration,
data analysis, processing or administration, utilization review, quality assurance, patient
safety activities listed at 42 CFR 3.20, billing, benefit management, practice
management and repricing or provides, other than in the capacity or a member of the
workforce of the covered entity, legal, actuarial, accounting, consulting, data
aggregation, management, administrative, accreditation, or financial services to or such
covered entities or to or for an organized health care arrangement in which the covered
entity participates, where the provision of the services involves the disclosure of health
information from such covered entity or arrangement, or from another business
associate of such covered entity or arrangement to the person. Includes Health
Information Organization, e-prescribing gateway or other person that provides data
transmission services with respect to PHI and that requires access on a routine basis to
such PHI.

______________________________________________________________________________________________________
MMM Holdings LLC.
Page 2 of 4
Review date: 12/31/2017
 4.3 Disclose (45 CFR §160.103): the terms "disclose" and "disclosure“ means the
release, transfer, provision of access to, or divulging in any manner of information
outside the entity holding the information.
4.4 Health Care Operations (45 CFR §164.501): activities related to the business of
MMM Holdings, LLC. as, clinical management and administrative duties. Some examples
of these activities include quality assurance, quality improvement, case management,
training programs, licensing, credentialing, certification, accreditation, compliance
programs, business management and general administrative activities of the practice.
Healthcare operations is further defined to include all activities associated with the
selling, merging, transferring or consolidation of medical practices and other covered
entities and includes all the activities as established in 45 CFR § 164.501.
4.5 Member: the term “member” has the meaning of any individual who is or has
been enrolled with MMM Holdings, LLC. affiliates MMM Healthcare LLC. (MMM) and any
individual for whom MMM Holdings, LLC. has created or received Individually Identifiable
Health Information.
4.6 Payment (45 CFR §164.501): the term “payment” encompasses activities of a
health plan to obtain premiums, determine or fulfill responsibilities for coverage and
provision of benefits, and furnish or obtain reimbursement for health care delivered to
an individual and activities of a health care provider to obtain payment or be reimbursed
for the provision of health care to an individual.
4.7 PHI: the term “PHI” means Protected Health Information.
4.8 Protected Health Information (45 CFR §160.103): means individually identifiable
health information that is transmitted by electronic media, or maintains in electronic
media or transmitted or maintains in any other form or medium.
4.9 Treatment (45 CFR §164.501): the term “treatment” is the provision,
coordination, or management of health care and related services for an individual by
one or more health care providers, including consultation between providers regarding a
patient and referral of a patient by one provider to another.
4.10 Workforce Member (45 Cfr §160.103): the term “workforce member” means any
employee, contractor or consultant of MMM Holdings, LLC., or of a business associate of
MMM Holdings, LLC.

5.0 Responsibilities

5.1 The President(s) shall ensure compliance and approve all policies documents.
5.2 The Compliance Officer is responsible to identify and account for any non-
permissible use or disclosure of PHI.
5.3 The Privacy Officer is responsible for overseeing the day to day operations of the
compliance process.
5.4 The Compliance Committee shall ensure compliance and approve all policies and
procedures. The Chairman is responsible of the final approval of policies and
procedures.

______________________________________________________________________________________________________
MMM Holdings LLC.
Page 3 of 4
Review date: 12/31/2017
 5.5 Each department head, in departments which use or access PHI, is responsible
for notification to the Compliance Department of any breach of PHI.

6.0 Procedures

See HIPAA 0012-P.

7.0 Document Approvals

Role Position Name of Approval Date

Approver Signature Approved
Compliance 3/01/2014
Compliance Officer Myra Plumey
Officer
Approver Compliance 3/01/2014
(Policies and Committee Myra Plumey
Procedures) Chairman
Final Approver 3/01/2014
President Orlando González
(Policies)

8.0 Revision History

Effective Rev
Date Letter Document Author Description of Change
3/01/2014 A Daphne W. Román Format Change

______________________________________________________________________________________________________
MMM Holdings LLC.
Page 4 of 4
Review date: 12/31/2017