It is the policy of Health Care Systems, Inc. to comply with all applicable laws and regulatory requirements for the use, access, and disclosure of Sensitive Information, to ensure the confidentiality and protection of Sensitive Information, and to prevent and mitigate any privacy incidents.
All members of the Workforce shall be required to comply with this Policy and it is applicable to all Health Care Systems, Inc. operations. Individuals who violate these requirements are subject to disciplinary action, up to and including termination or dismissal.
3.0 Privacy Principles
Health Care Systems, Inc. has implemented the following fair information privacy principles that support individual rights and set guidelines for the protection of Sensitive Information:
3.1 Notice. Health Care Systems, Inc. shall provide notice regarding its privacy policies and procedures and include the purposes for which Sensitive Information is accessed, collected, used, retained, and disclosed. Notice may occur in a variety of formats including publication on Health Care Systems, Inc. internal and external websites and specified in internal and external contracts and agreements.
3.2 Choice and Consent. Where practical or required by law or contract, Health Care Systems, Inc. shall provide individuals with opportunity to consent to or authorize Health Care Systems, Inc. access, collection, use, retention, and disclosure of Sensitive Information. Consent or authorization may be explicit or implicit depending upon the specific circumstances, and the CPSO shall advise the Business Units as to appropriate means of obtaining consent or authorization.
3.3 Limited Collection. Sensitive Information shall only be collected for the purposes identified in the notice.
3.4 Limited Use and Disclosure. Sensitive Information shall only be used and/or disclosed to third parties for the purposes identified in the notice.
3.5 Limited Retention. Sensitive Information may be retained only as long as necessary, including, but not limited to, as may be required by law or contract, to fulfill a valid business purpose.
3.6 Accuracy. Health Care Systems, Inc. shall maintain the accuracy and integrity of the Sensitive Information under its care.
3.7 Right to Inspect/Correction. Individuals may request access to their Sensitive Information and request amendment to that Sensitive Information if such information is believed to be inaccurate. Health Care Systems, Inc. shall review and respond to requests for access and amendment in a timely manner. The CPSO shall provide guidance to Business Units regarding individual rights to access and/or amend Sensitive Information upon request by the Business Unit.
3.8 Disposal. Health Care Systems, Inc. shall dispose and destroy Sensitive Information, at the end of the applicable retention period, in a manner that prevents the likelihood of restoration of the Sensitive Information or in a manner required by law or contract.
3.10 Breach Notification. Actual or suspected breaches of Sensitive Information shall be immediately reported in accordance with the Privacy and Security Incident Reporting Policy.
4.1 Policy Availability
4.2 Review Cycle
4.3 Policy Retention
5.0 Privacy Requirements
5.1 Executive Commitment
5.2 Workforce Responsibilities
Each member of the Health Care Systems, Inc. Workforce is responsible for the security of Sensitive Information in his or her workspace. Workforce members take reasonable and appropriate precautions to safeguard access to Sensitive Information including, without limiting the generality of the
following, compliance with security measures required by the Security Policy and other guidance issued by the Chief Privacy & Security Officer and Chief Security Officer.
Each Workforce member shall be responsible for:
5.2.4 Collaborating with all levels of the Health Care Systems, Inc. organization to ensure that an effective privacy program is implemented and maintained;
5.2.6 Complying with the Security Policy and related policies and procedures and implementing and maintaining the Security Program;
5.3 Managers’ Responsibilities
In addition to responsibilities as a member of the Workforce, each Health Care Systems, Inc. manager shall be also be responsible for:
5.3.2 Ensuring all members of the Workforce who report directly or indirectly to such manager have completed the required privacy training;
5.4 Business Units and Functional Areas
In addition to responsibilities as a member of the Workforce, each Business Unit or functional area leader shall also be responsible for:
5.4.1 Identifying any privacy-related contractual requirements mandated or requested by external clients or third-party vendors, and not previously approved by the legal team and the CPSO, and providing those requirements or requests to the legal team and the CPSO prior to contract execution;
5.4.2 Identifying where Sensitive Information is located, and providing such information to the CPSO;
5.4.3. Maintaining a list of all Workforce members who have access to Sensitive Information and approving access by Workforce members to any Sensitive Information in a manner consistent with such Workforce members’ duties and responsibilities;
5.5 Chief Privacy and Security Officer
The Chief Privacy and Security Officer shall be responsible for:
5.5.2 Coordinating with Development & Human Resources in the development and maintenance of security policies and programs to ensure that appropriate physical, administrative and technical safeguards are in place to protect the privacy and security of Sensitive Information;
5.5.3 Upon request, reviewing, guiding, and approving Standard Operating Procedures (SOPs) for Business Units and functions, relating to Sensitive Information;
5.5.7 Reviewing and responding to requests from law enforcement and regulatory agencies for access to Sensitive Information, in coordination with others to the extent permitted and as appropriate;
5.5.8 Ensuring that Health Care Systems, Inc. complies with applicable privacy laws, regulations, and contractual privacy requirements;
5.5.9 May designate another individual to function in his/her capacity with regard to the requirements set forth in this Policy.
5.6 Human Resources
Human Resources shall be responsible for:
5.6.3 Collaborating with hiring managers to ensure privacy and security obligations are specified in Health Care Systems, Inc. job and roles descriptions;
5.6.4 Communicating job status changes, including termination of Workforce members, to IT Operations, so that access to systems with Sensitive Information is appropriately modified.
6.0 Permitted Uses and Disclosures of Sensitive Information
6.1 Consent and Authorization to Use Sensitive Information
6.1.2 Limited Use. Health Care Systems, Inc. Workforce members shall only access, use, and disclose Sensitive Information in accordance with:
18.104.22.168 the requirements of the consent or authorization provided by the subject or owner of the Sensitive Information;
22.214.171.124 relevant contractual requirements; and
126.96.36.199 as required by law.
6.1.3 All access, use and disclosure of Sensitive Information shall be limited to the minimum amount of Sensitive Information necessary to accomplish a valid business purpose.
6.1.4 All requests to limit or cease using Sensitive Information shall be directed to the CPSO for review.
6.2 De-Identified Sensitive Information
6.2.1 In certain cases, Health Care Systems, Inc. may receive consent or authorization to de-identify Sensitive Information. In these cases, once the Sensitive Information has been de-identified, Workforce members may use and disclose the de-identified Sensitive Information in accordance with the consent or authorization.
6.2.2 Requests to de-identify Sensitive Information must be submitted, in writing, to the CPSO or her/his designee who will evaluate the scope and purpose of the request and the means of de-identification to ensure a low likelihood of re-identification of Sensitive Information and that applicable legal, contractual, and industry-standard requirements are met.
6.3 Disclosures Required by Law
Health Care Systems, Inc. may use or disclose Sensitive Information as required by law.
7.0 Privacy Risk Assessment
Health Care Systems, Inc. shall assess Privacy Risk annually pursuant to Health Care Systems, Inc. Risk Management Policy.
8.0 Reporting and Handling of Privacy Complaints and Incidents
9.0 Disposal of Sensitive Information
All electronic media and paper copies containing Sensitive Information shall be retained in accordance with Health Care Systems, Inc. Records Management Policy and Retention Schedule, and properly disposed of once the intended use has been completed in accordance with the Health Care Systems, Inc. Information Classification and Handling Policy. All media or copies containing PHI from a client is either to be returned to the client, or destroyed, in accordance with the contractual agreement with the client.
10.0 Human Resources Privacy Requirements
11.1 “Business Unit” is a formally defined area of Health Care Systems, Inc. representing a specific business function (such as Finance, Solutions Development, Sales, Support, etc.). This could be a department or subset of a department.
11.2 “CPSO” means the Chief Privacy and Security Officer who is also the Chief Privacy Officer.
11.3 “Information” is considered databases, data files, contracts, agreements, system documentation, research information, user manuals, training material, standard operating procedures, business continuity plans, disaster recovery plans, third-party data, audit trails, and archived information.
11.8 “Sensitive Information” is a class of data that relates to an identified or identifiable individual or entity that is sensitive, confidential, or proprietary to such person or entity and may potentially cause harm to such person or entity if lost or accessed, or used or disclosed by unauthorized persons, either internal or external to Health Care Systems, Inc. “Sensitive Information” includes, but is not limited to, Protected Health Information, Personal Information, Personal Health Information, Personal Data, and Personally Identifiable Information (as those terms are defined in applicable law).
11.9 “Systems” are any computing assets that may create, access, or store sensitive data, including those used internally and those developed and sold as a product.
11.10 “Workforce” means employees, contractors, third-party users, volunteers, interns, trainees, agents, and other persons whose conduct, in the performance of work for Health Care Systems, Inc. is under the direct control of Health Care Systems, Inc. , whether they are on-site or off-site, and whether or not they are paid by Health Care Systems, Inc. .
Appendix A – Applicable Regulatory Standards
Laws and regulations relevant to this Policy include, but are not limited to, the following:
• Health Insurance Portability and Accountability Act of 1996 (US)
• Health Information Technology for Economic and Clinical Health Act of 2009 (US)
• Children’s Online Privacy Protection Act of 1998 (US)