Public HIPAA Documentation

This document outlines the way in which Vitaview Software interprets and maintains HIPAA compliance. It also explains how we help you stay HIPAA compliant.

Privacy Rule

Basic Principle - A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

Permitted Uses and Disclosures - A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and OCR Privacy Rule Summary 5 Last Revised 05/03 (6) Limited Data Set for the purposes of research, public health or health care operations.18 Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.

Minimum Necessary - A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.

Access and Uses - For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.

Disclosures and Requests for Disclosures - Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures, or requests for disclosures, that limits the protected health information disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure.

Privacy Practices Notice - Each covered entity, with certain exceptions, must provide a notice of its privacy practices.

Privacy Personnel - A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.

Workforce Training and Management - A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions.

Data Safeguards - A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.

Complaints - A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice.

Privacy Personnel

Brad Kolonay
157 Esperanza Ave
Los Angeles, CA

Business Associate Contract

Contract listed publicly here.

Security Rule

Basic Principle - The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:

Risk Analysis - The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.

A risk analysis process includes, but is not limited to, the following activities:

Security Personnel - A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.

Evaluation - A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Physical Safeguards:

Technical Safeguards:

Security Personnel

Brad Kolonay
157 Esperanza Ave
Los Angeles, CA

Last Evaluation

5/27/2021 by Brad Kolonay

Physical Safeguards

Facility and Access Control

Workstation and Device Security

Technical Safeguards

Access Control

Audit Controls

Integrity Controls

Transmission Security


Contacting Us

If you have any questions regarding our HIPAA policies, the practices of this site, or your dealings with this site, please contact us at:

Vitaview Software
157 Esperanza Ave
Los Angeles, CA

This document was last updated on May 27, 2021.

References: U.S. Department of Health & Human Services