O & P Innovations, Inc Privacy Administration MISSION O & P Innovations, Inc. recognizes that personal patient information is private must be treated carefully and responsibly. The purpose of this Compliance Program is to guide O & P Innovations, Inc. in the use and disclosure of protected health information as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and by the privacy standards issued pursuant to that law. OBJECTIVE O & P Innovations, Inc Compliance Program is an important tool to comply with applicable laws, regulations and company policies. O & P Innovations, Inc has developed this Compliance Plan in order to assist it in complying with the use and disclosure of protected personal health information as required by the Health Insurance Portability and Accountability Act of 1996 and the privacy regulations issued pursuant thereto. This Compliance Plan shall be applicable to all officers, managers, employees, and independent contractors of O & P Innovations, Inc COMPLIANCE PLAN 1. Privacy Officer O & P Innovations, Inc has appointed Patrick Flanagan as Privacy Officer. He will be responsible for the development and implementation of policies and procedures to safeguard the privacy of patients’ personal health information as required by federal and state laws and regulations. The specific responsibilities of the Privacy Officer include: Developing policies and procedures to implement this Compliance Plan; Developing and conducting training programs on privacy policies and procedures; Implementing and monitoring this Compliance Plan; Responding to questions and/or concerns from staff and patients concerning privacy policies and procedures; Serving as the contact person for any individuals who have complaints concerning any of the privacy policies described in The Notice of Privacy Practices; Investigating and correcting violations of the privacy policies and procedures; Developing and implementing any corrective action plans for violations of the privacy policies and procedures; Developing sanctions for violations of this Compliance Plan; and Developing and implementing, with management consent, any necessary updates and/or revisions to the Compliance Plan as necessary to comply with changes in the law or regulations. 2. General Staff Responsibilities All staff are responsible for safeguarding the privacy of patient health information. All staff members must: Use and disclose protected health information only as authorized in their job description or as authorized by a supervisor or manager; Conduct oral discussions of personal health information with other staff or with patients ands family members in a manner that complies with the minimum necessary disclosure standard; Complete privacy training; and Report suspected violations of the policies and procedures established under this Compliance Plan by staff members, independent contractors, or business associates. Utilize proper shredding and destruction of privacy related documents 3. Education and Training The Privacy Officer will develop a training program for the Company’s privacy policies and procedures. The training program will include: The definition and identification of protected health information; The Notice of Privacy Practices form that is provided to all patients; Using and disclosing protected health information for treatment, payment and health care operations; Obtaining consent and authorization for the use and disclosure of personal health information; Procedures for handling suspected violations of privacy policies and procedures; Penalties for violations of privacy policies and procedures; and Documentation required by federal and state privacy laws and regulations. As changes in federal or state laws or regulations and/or private payor policy occur, it shall be the obligation of the Privacy Officer to communicate these changes to all staff. 4. Employee Communication/Complaint Process All employees at all levels are encouraged to report concerns, questions, or possible violations of privacy policies and procedures to their supervisor or to the Privacy Officer; if reported to a supervisor, that individual shall promptly report to the Privacy Officer, who will investigate each matter so reported to determine its veracity. He/She will then draft and implement, with management approval, an action plan to address any compliance issues which require attention. 5. Enforcement and Discipline The Company’s management will ensure uniformity and consistent application of appropriate discipline in the event of a substantiated violation of its privacy policies and procedures. The type of disciplinary action shall be determined on a case-by-case basis. The action taken shall be commensurate with the particular offense and will also consider the severity and/or frequency of the offense, prior disciplinary action, and any damage resulting from the violation. No action shall be based in any way upon an employee’s seniority or position within the company. The range of sanctions shall include: oral warnings; written warnings, probation with action plan; suspension with or without pay; and termination of employment. Employees in a managerial or supervisory position who, in the usual performance of their duties, discover independently or through the reports of others, that a violation of the Company’s privacy policies and procedures has occurred and who fail to investigate further and report the matter to the privacy Officer, will be subject to disciplinary action. Any employee with direct knowledge that a violation has occurred and who fails to report this will be subject to disciplinary action. Any reprisals taken against employees who have reported violations will subject the offender to disciplinary action. 6. Mitigation Whenever it comes to know of a violation of its privacy policies or procedures, the Company will take all reasonable and necessary steps to mitigate any harmful effect of the use or disclosure of personal health information in violation of its privacy policies and procedures.