Our privacy policy is available here in PDF format as well as in the below text: http://www.hcsinc.net/images/HCS_Privacy_Policy.pdf
The Health Care Systems, Inc. Privacy Policy defines the requirements for the Health Care Systems, Inc. Workforce to ensure protection of confidential, sensitive, and proprietary information, including Protected Health Information (“PHI”), Personally Identifiable Information (“PII”), Personal Information (“PI”), Personal Data (“PD”), Personal Health Information, and/or other sensitive information (collectively, “Sensitive Information”) at Health Care Systems, Inc. (“Health Care Systems, Inc.”) and as required under applicable laws, as defined in Appendix A.
It is the policy of Health Care Systems, Inc. to comply with all applicable laws and regulatory requirements for the use, access, and disclosure of Sensitive Information, to ensure the confidentiality and protection of Sensitive Information, and to prevent and mitigate any privacy incidents.
All members of the Workforce shall be required to comply with this Policy and it is applicable to all Health Care Systems, Inc. operations. Individuals who violate these requirements are subject to disciplinary action, up to and including termination or dismissal.
2.0 Exceptions
Exceptions to this Privacy Policy may be granted by the Chief Privacy & Security Officer (“CPSO”) or his/her designee.
3.0 Privacy Principles
Health Care Systems, Inc. has implemented the following fair information privacy principles that support individual rights and set guidelines for the protection of Sensitive Information:
3.1 Notice. Health Care Systems, Inc. shall provide notice regarding its privacy policies and procedures and include the purposes for which Sensitive Information is accessed, collected, used, retained, and disclosed. Notice may occur in a variety of formats including publication on Health Care Systems, Inc. internal and external websites and specified in internal and external contracts and agreements.
3.2 Choice and Consent. Where practical or required by law or contract, Health Care Systems, Inc. shall provide individuals with opportunity to consent to or authorize Health Care Systems, Inc. access, collection, use, retention, and disclosure of Sensitive Information. Consent or authorization may be explicit or implicit depending upon the specific circumstances, and the CPSO shall advise the Business Units as to appropriate means of obtaining consent or authorization.
3.3 Limited Collection. Sensitive Information shall only be collected for the purposes identified in the notice.
3.4 Limited Use and Disclosure. Sensitive Information shall only be used and/or disclosed to third parties for the purposes identified in the notice.
3.5 Limited Retention. Sensitive Information may be retained only as long as necessary, including, but not limited to, as may be required by law or contract, to fulfill a valid business purpose.
3.6 Accuracy. Health Care Systems, Inc. shall maintain the accuracy and integrity of the Sensitive Information under its care.
3.7 Right to Inspect/Correction. Individuals may request access to their Sensitive Information and request amendment to that Sensitive Information if such information is believed to be inaccurate. Health Care Systems, Inc. shall review and respond to requests for access and amendment in a timely manner. The CPSO shall provide guidance to Business Units regarding individual rights to access and/or amend Sensitive Information upon request by the Business Unit.
3.8 Disposal. Health Care Systems, Inc. shall dispose and destroy Sensitive Information, at the end of the applicable retention period, in a manner that prevents the likelihood of restoration of the Sensitive Information or in a manner required by law or contract.
3.9 Training. Workforce members shall be provided training on this Privacy Policy.
3.10 Breach Notification. Actual or suspected breaches of Sensitive Information shall be immediately reported in accordance with the Privacy and Security Incident Reporting Policy.
3.11 Accountability. Violations of this Privacy Policy may result in discipline up to and including termination, in compliance with Human Resources policies.
4.0 Privacy Policy Requirements
4.1 Policy Availability
This Privacy Policy shall be made available to the Workforce through Health Care Systems, Inc. management, the Intranet, formal training programs, and other appropriate mechanisms.
4.2 Review Cycle
4.2.1 The CPSO shall review the privacy requirements for the organization. The CPSO shall be responsible for conducting an annual review of this Privacy Policy and all related corporate policies, standards, and procedures. The CPSO may grant an exception for an annual review of this Privacy Policy. A review shall also occur each time there is a significant and material change in laws or regulations regarding the privacy of Sensitive Information.
4.2.2 Requests for changes or modifications to this Privacy Policy may be submitted by a member of the Workforce in writing to the CPSO. The CPSO shall determine whether the requested change or modification should be included in the Privacy Policy.
4.3 Policy Retention
This Privacy Policy, as well as any procedures supporting this Privacy Policy, and all previous versions shall be maintained for a minimum of six (6) years after the latest effective date, even if superseded, or longer if required by a legal, regulatory, or contractual requirement.
5.0 Privacy Requirements
5.1 Executive Commitment
Health Care Systems, Inc. executive leadership agrees that maintaining the privacy and security of Health Care Systems, Inc., the Workforce, client PHI, PII, PD, PI, Personal Health Information, and other Sensitive Information is essential to the Health Care Systems, Inc. business and reputation and to operating in a responsible, compliant manner. Accordingly, the Executive Leadership affirmatively approves and supports this Privacy Policy, including the designation of a Privacy Officer.
5.2 Workforce Responsibilities
Each member of the Health Care Systems, Inc. Workforce is responsible for the security of Sensitive Information in his or her workspace. Workforce members take reasonable and appropriate precautions to safeguard access to Sensitive Information including, without limiting the generality of the
following, compliance with security measures required by the Security Policy and other guidance issued by the Chief Privacy & Security Officer and Chief Security Officer.
Each Workforce member shall be responsible for:
5.2.1 Reading and understanding the contents of this Privacy Policy and its related policies and procedures;
5.2.2 Ensuring that his or her actions comply with the requirements of this Privacy Policy and its related policies and procedures;
5.2.3 Demonstrating his or her understanding of and compliance with this Privacy Policy and its related policies and procedures through the completion of annual training and certification or through any other means used by Health Care Systems, Inc. for such certification;
5.2.4 Collaborating with all levels of the Health Care Systems, Inc. organization to ensure that an effective privacy program is implemented and maintained;
5.2.5 Seeking assistance if uncertain how to comply with the requirements of this Privacy Policy and its related policies and procedures;
5.2.6 Complying with the Security Policy and related policies and procedures and implementing and maintaining the Security Program;
5.2.7 Reporting any violations of this Privacy Policy, related policies or procedures or the law or regulations to the CPSO, Chief Executive Officer, Human Resources representative, and/or Health Care Systems, Inc. management.
5.3 Managers’ Responsibilities
In addition to responsibilities as a member of the Workforce, each Health Care Systems, Inc. manager shall be also be responsible for:
5.3.1 Ensuring that all members of the Workforce reporting directly or indirectly to such manager have read, understand, been trained on, and comply with, this Privacy Policy and its related policies and procedures;
5.3.2 Ensuring all members of the Workforce who report directly or indirectly to such manager have completed the required privacy training;
5.3.3 Ensuring that this Privacy Policy, and its related policies and procedures, are fully implemented in his or her functional area of responsibility;
5.3.4 Requesting guidance from Human Resources or the CPSO on implementing this Privacy Policy as a manager if needed.
5.4 Business Units and Functional Areas
In addition to responsibilities as a member of the Workforce, each Business Unit or functional area leader shall also be responsible for:
5.4.1 Identifying any privacy-related contractual requirements mandated or requested by external clients or third-party vendors, and not previously approved by the legal team and the CPSO, and providing those requirements or requests to the legal team and the CPSO prior to contract execution;
5.4.2 Identifying where Sensitive Information is located, and providing such information to the CPSO;
5.4.3. Maintaining a list of all Workforce members who have access to Sensitive Information and approving access by Workforce members to any Sensitive Information in a manner consistent with such Workforce members’ duties and responsibilities;
5.4.4 Documenting and maintaining procedures to implement this Privacy Policy within its own Business Unit.
5.5 Chief Privacy and Security Officer
The Chief Privacy and Security Officer shall be responsible for:
5.5.1 Developing, implementing and maintaining this Privacy Policy and related policies and procedures;
5.5.2 Coordinating with Development & Human Resources in the development and maintenance of security policies and programs to ensure that appropriate physical, administrative and technical safeguards are in place to protect the privacy and security of Sensitive Information;
5.5.3 Upon request, reviewing, guiding, and approving Standard Operating Procedures (SOPs) for Business Units and functions, relating to Sensitive Information;
5.5.4 In collaboration with Development & Human Resources, designing and ensuring the provision of adequate training to all Workforce members, including to every new hire as a part of the on-boarding process, on this Privacy Policy, related policies and procedures, and the privacy and security laws and regulations of applicable jurisdictions;
5.5.5 Receiving and reviewing complaints related to this Privacy Policy and related procedures or the requirements for the handling of Sensitive Information under any applicable law, including documenting the complaint and disposition thereof;
5.5.6 Coordinating with Human Resources to recommend appropriate discipline for violations of this Privacy Policy;
5.5.7 Reviewing and responding to requests from law enforcement and regulatory agencies for access to Sensitive Information, in coordination with others to the extent permitted and as appropriate;
5.5.8 Ensuring that Health Care Systems, Inc. complies with applicable privacy laws, regulations, and contractual privacy requirements;
5.5.9 May designate another individual to function in his/her capacity with regard to the requirements set forth in this Policy.
5.6 Human Resources
Human Resources shall be responsible for:
5.6.1 Together with the CPSO, designing, documenting, and enforcing a progressive disciplinary policy for non-compliance with or violation of this Privacy Policy and related policies and procedures;
5.6.2 Ensuring that Workforce members reporting violations of this Privacy Policy, related policies or procedures or the law are protected from retaliation;
5.6.3 Collaborating with hiring managers to ensure privacy and security obligations are specified in Health Care Systems, Inc. job and roles descriptions;
5.6.4 Communicating job status changes, including termination of Workforce members, to IT Operations, so that access to systems with Sensitive Information is appropriately modified.
6.0 Permitted Uses and Disclosures of Sensitive Information
All members of the Workforce shall safeguard the confidentiality of and protect any Sensitive Information in accordance with the requirements of this Privacy Policy, other applicable policies and procedures, relevant contractual requirements, and as required by law.
6.1 Consent and Authorization to Use Sensitive Information
6.1.1 Limited Collection. Workforce members shall only collect, request, or access the minimum amount of Sensitive Information necessary to serve a valid business purpose and in accordance with the requirements of this Privacy Policy, other applicable policies and procedures, relevant contractual requirements, and as required by law.
6.1.2 Limited Use. Health Care Systems, Inc. Workforce members shall only access, use, and disclose Sensitive Information in accordance with:
6.1.2.1 the requirements of the consent or authorization provided by the subject or owner of the Sensitive Information;
6.1.2.2 the requirements of this Privacy Policy, or other applicable policies and procedures;
6.1.2.4 relevant contractual requirements; and
6.1.2.5 as required by law.
6.1.3 All access, use and disclosure of Sensitive Information shall be limited to the minimum amount of Sensitive Information necessary to accomplish a valid business purpose.
6.1.4 All requests to limit or cease using Sensitive Information shall be directed to the CPSO for review.
6.2 De-Identified Sensitive Information
6.2.1 In certain cases, Health Care Systems, Inc. may receive consent or authorization to de-identify Sensitive Information. In these cases, once the Sensitive Information has been de-identified, Workforce members may use and disclose the de-identified Sensitive Information in accordance with the consent or authorization.
6.2.2 Requests to de-identify Sensitive Information must be submitted, in writing, to the CPSO or her/his designee who will evaluate the scope and purpose of the request and the means of de-identification to ensure a low likelihood of re-identification of Sensitive Information and that applicable legal, contractual, and industry-standard requirements are met.
6.3 Disclosures Required by Law
Health Care Systems, Inc. may use or disclose Sensitive Information as required by law.
7.0 Privacy Risk Assessment
Health Care Systems, Inc. shall assess Privacy Risk annually pursuant to Health Care Systems, Inc. Risk Management Policy.
8.0 Reporting and Handling of Privacy Complaints and Incidents
For the purposes of this Privacy Policy, all privacy complaints and incidents shall follow Privacy and Security Incident Response Policy.
9.0 Disposal of Sensitive Information
All electronic media and paper copies containing Sensitive Information shall be retained in accordance with Health Care Systems, Inc. Records Management Policy and Retention Schedule, and properly disposed of once the intended use has been completed in accordance with the Health Care Systems, Inc. Information Classification and Handling Policy. All media or copies containing PHI from a client is either to be returned to the client, or destroyed, in accordance with the contractual agreement with the client.
10.0 Human Resources Privacy Requirements
10.1 Human Resources is responsible for ensuring that Workforce Members’ Sensitive Information is appropriately identified and protected in accordance with this Privacy Policy, applicable laws, regulations, and contractual requirements.
11.0 Definitions
11.1 “Business Unit” is a formally defined area of Health Care Systems, Inc. representing a specific business function (such as Finance, Solutions Development, Sales, Support, etc.). This could be a department or subset of a department.
11.2 “CPSO” means the Chief Privacy and Security Officer who is also the Chief Privacy Officer.
11.3 “Information” is considered databases, data files, contracts, agreements, system documentation, research information, user manuals, training material, standard operating procedures, business continuity plans, disaster recovery plans, third-party data, audit trails, and archived information.
11.4 “Privacy Guidelines” are documents that support this Privacy Policy but are not directive in nature. Guidelines are designed to provide members of the Workforce a recommended path to achieve compliance with Health Care Systems, Inc.’ policy.
11.5 “Privacy Policy” refers to this formal statement by Health Care Systems, Inc.’ executive management outlining the overall intention and direction of the safeguarding and protection of PHI and other Sensitive Information for Health Care Systems, Inc., including, but not limited to, affiliates of Health Care Systems, Inc. It is not intended to be detailed, but rather to serve as a capstone principle supported by subordinate documents (including, but not limited to, the Privacy Procedures and Privacy Standards).
11.6 “Privacy Procedures” directly support this Privacy Policy and are a detailed set of instructions for various groups of individuals, such as the general Workforce, management, Human Resources, and Business Units. These procedures outline the detailed steps, establish timelines, and document specific behaviors for all Workforce members who are bound to comply within this Privacy Policy’s scope.
11.7 “Privacy Standards” support this Privacy Policy by providing specific boundaries. Privacy Standards are focused and serve to establish a set of mandatory decision criteria for systems and processes. Privacy Standards are intended for a limited audience and are mandatory by definition. Privacy Standards do not normally require executive management approval and therefore are more fluid and may adapt to technology changes.
11.8 “Sensitive Information” is a class of data that relates to an identified or identifiable individual or entity that is sensitive, confidential, or proprietary to such person or entity and may potentially cause harm to such person or entity if lost or accessed, or used or disclosed by unauthorized persons, either internal or external to Health Care Systems, Inc. “Sensitive Information” includes, but is not limited to, Protected Health Information, Personal Information, Personal Health Information, Personal Data, and Personally Identifiable Information (as those terms are defined in applicable law).
11.9 “Systems” are any computing assets that may create, access, or store sensitive data, including those used internally and those developed and sold as a product.
11.10 “Workforce” means employees, contractors, third-party users, volunteers, interns, trainees, agents, and other persons whose conduct, in the performance of work for Health Care Systems, Inc. is under the direct control of Health Care Systems, Inc. , whether they are on-site or off-site, and whether or not they are paid by Health Care Systems, Inc. .
Appendix A – Applicable Regulatory Standards
Laws and regulations relevant to this Policy include, but are not limited to, the following:
• Health Insurance Portability and Accountability Act of 1996 (US)
• Health Information Technology for Economic and Clinical Health Act of 2009 (US)
• Children’s Online Privacy Protection Act of 1998 (US)