Information privacy
MedStack Confidential
Metadata
- responsible officer: CTO
- date
  - effective: 2018-06-20
  - revised: 2018-04-10
  - reviewed: 2018-06-20
Purpose
- The purpose of this Privacy Policy is to provide guidance to the leadership, employees and agents on matters concerning the protection of privacy and compliance with privacy legislation in each jurisdiction in which business is conducted.
- Applicability: standard
Compliance
- We will comply with all privacy and data protection laws, regulations, and rules in each jurisdiction where we conduct business.
- The Privacy Official is the Chief Technology Officer (CTO).
Principles
- We are committed to respecting the privacy rights of individuals and to the protection of their personal health information. The following principles give substance to this commitment. They are based on the “CSA Model Code for the Protection of Personal Information”.
- Refer to: CSA Model Code for the Protection of Personal Information
Accountability
- The CTO is the Privacy Official and will
  - Be responsible for day-to-day management of the information privacy program.
  - Establish operating policies and procedures to support this Information Privacy Policy.
  - Oversee all compliance activities, including the development, implementation and maintenance of appropriate privacy and security-related policies and procedures.
  - Conduct various risk analyses, as needed or required.
  - Manage breach investigations, determinations, and responses, including breach notifications.
  - Ensure that future initiatives are structured in such a way as to ensure patient privacy.
  - Remain up-to-date on, and advise on, new technologies to protect data privacy.
  - Remain up-to-date on laws, rules and regulations regarding data privacy and update our policies and procedures as necessary.
  - Serve as liaison to government agencies, industry groups and privacy activists in all matters relating to our privacy practices.
- The Board of Directors will
  - Ensure that we are in compliance with applicable laws, regulations and rules, and with our security and privacy policies.
- The CEO will
  - Implement an information privacy program, including the review and approval of this policy and supporting operating policies.
- All employees and contractors will
  - Understand and follow all of our security and privacy policies and procedures.
  - Safeguard the privacy and confidentiality of PHI collected, used and disclosed in the course of their duties.
  - Act in a timely and co-operative manner to prevent, detect and respond to security and privacy breaches or other incidents.
  - Protect their passwords and any other devices (e.g. keys, access cards, access tokens) that enable access to information assets.
We do not directly collect, use or disclose PHI
- We provide technical services for companies who provide services to individuals, Health Information Custodians (HICs) or Covered Entities (CEs).
  - HIPAA: We serve Business Associates.
  - PHIPA: We serve Electronic Service Providers or Health Information Network Providers.
- We rely on our customers to manage the following aspects of PHI:
  - consent and consent directives
  - collection and limitation of collection
  - use, disclosure and retention
  - accuracy
- If a request, complaint, or issue arises regarding patient rights, use or disclosure of PHI, accuracy or privacy:
  - Inform the requester that we do not manage this directly.
  - Direct the requester to the relevant customer.
  - Document the request and the action taken.
Safeguards
- We will apply appropriate physical, administrative and technical safeguards to protect PHI against loss or theft, or from unauthorized access, disclosure, copying, use, disposal or modification.
- Refer to: Information Security Policy
Openness
- We will publish a Privacy Notice on our website and in our applications, that provides specific information about our policies and practices relating to our handling of PHI.
Individual Access
- Requests by individuals for access to their PHI, or correction of their PHI, that is stored in our systems, will be referred to our customer who will refer it to the responsible HIC or CE for action.
- We will implement functionality in our systems, and associated business processes, that enables our customers, and the HICs and CEs they serve, to provide individuals with access to their PHI and to note corrections or amendments to the record.
Challenging Compliance
- An individual shall be able to challenge our compliance with the above principles. Challenges must be submitted in writing to the Chief Compliance Officer.
Implement an Information Privacy Program
- Provide privacy and security training for our employees and contractors.
- Ensure that all of our agents who have access to PHI have signed a confidentiality agreement.
- Implement a process to receive, investigate and resolve questions or complaints from individuals, substitute decision makers and the public.
- Implement a program to monitor and audit access to records of PHI to detect privacy breaches.
- Investigate privacy breaches and make recommendations for corrective action to avoid similar breaches in the future.
- Conduct, or oversee the development of Privacy Impact Assessments for our systems.
- Ensure that agreements or contracts with third parties who require access to PHI, contain provisions to adequately protect PHI.
Verify compliance
- We will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
Enforcement
- Responsible party: All managers and supervisors
Non-compliance
- employees: Any violation of this Information Privacy Policy by an employee is subject to disciplinary sanctions, up to and including dismissal.
- customers: Any violation of this policy by an employee or agent of a customer organization will be reported to the customer organization and handled in accordance with the customer organization’s sanctions policy. Where the violation poses a threat to us or other customers, we may take appropriate action to protect PHI and other sensitive assets. This could include suspension of access privileges for individuals who violate this policy.
- vendors: Any violation of this Information Privacy Policy by a supplier, vendor or contractor, or their respective employees and agents, is subject to the remedies identified in the agreement or contract. We may request the removal of a supplier, vendor or contractor employee who has violated this Information Privacy Policy.
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.18.1.4 | Privacy and protection of personally identifiable information | Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. |
| CHI | PR1 | Accountable Person | Organizations connecting to the EHRi and organizations hosting components of the EHRi must designate and publicly name an individual who is accountable for facilitating compliance with applicable data protection legislation and the following privacy requirements. |
| CHI | PR3 | Privacy Policy | Organizations connecting to the EHRi and organizations hosting components of the EHRi must implement privacy and security policies and practices, including: a) Implementing procedures to protect PHI (see Security Requirement 2 – Security Policy); b) Establishing procedures to receive and respond to privacy-related complaints and inquiries (see Privacy Requirement 28 – Complaint Procedures); c) Training users and communicating to users information about the organization’s privacy policies and practices (see Privacy Requirement 23 –Training Users and Raising Privacy Awareness and Security Requirement 14 – Confidentiality Agreements); and d) Developing communications materials to explain to the general public the organization’s privacy policies and practices (see Privacy Requirement 24 – Openness). |
| CSA Model Code for the Protection of Personal Information | 4.1.1 | Designated individuals | |
| CSA Model Code for the Protection of Personal Information | 4.1.4 | Policies and practices | |
| HIPAA | 164.502 | Uses and disclosures of protected health information: General rules. | (a) Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter. (1) Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: (i) To the individual; (ii) For treatment, payment, or health care operations, as permitted by and in compliance with § 164.506; (iii) Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§ 164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure; (iv) Except for uses and disclosures prohibited under § 164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under § 164.508; (v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510; and (vi) As permitted by and in compliance with this section, § 164.512, § 164.514(e), (f), or (g). (2) Covered entities: Required disclosures. A covered entity is required to disclose protected health information: (i) To an individual, when requested under, and required by § 164.524 or § 164.528; and (ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subchapter. (3) Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to § 164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under § 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. (4) Business associates: Required uses and disclosures. A business associate is required to disclose protected health information: (i) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the business associate's compliance with this subchapter. (ii) To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under § 164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information. (5) Prohibited uses and disclosures. (i) Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan: (A) Except as provided in paragraph (a)(5)(i)(B) of this section: (1) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program); (2) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program); (3) The application of any pre-existing condition exclusion under the plan, coverage, or policy; and (4) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits. (B) Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy. (ii) Sale of protected health information: (A) Except pursuant to and in compliance with § 164.508(a)(4), a covered entity or business associate may not sell protected health information. (B) For purposes of this paragraph, sale of protected health information means: (1) Except as provided in paragraph (a)(5)(ii)(B)(2) of this section, a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. (2) Sale of protected health information does not include a disclosure of protected health information: (i) For public health purposes pursuant to § 164.512(b) or § 164.514(e); (ii) For research purposes pursuant to § 164.512(i) or § 164.514(e), where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes; (iii) For treatment and payment purposes pursuant to § 164.506(a); (iv) For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph (6)(iv) of the definition of health care operations and pursuant to § 164.506(a); (v) To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, pursuant to §§ 164.502(e) and 164.504(e), and the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities; (vi) To an individual, when requested under § 164.524 or § 164.528; (vii) Required by law as permitted under § 164.512(a); and (viii) For any other purpose permitted by and in accordance with the applicable requirements of this subpart, where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law. (b) Standard: Minimum necessary - (1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. (2) Minimum necessary does not apply. This requirement does not apply to: (i) Disclosures to or requests by a health care provider for treatment; (ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section; (iii) Uses or disclosures made pursuant to an authorization under § 164.508; (iv) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter; (v) Uses or disclosures that are required by law, as described by § 164.512(a); and (vi) Uses or disclosures that are required for compliance with applicable requirements of this subchapter. (c) Standard: Uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to § 164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in § 164.522(a). (d) Standard: Uses and disclosures of de-identified protected health information - (1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity. (2) Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under § 164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of § 164.514, provided that: (i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and (ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart. (e) (1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. (ii) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with § 164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information. (2) Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e). (f) Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual. (g) (1) Standard: Personal representatives. As specified in this paragraph, a covered entity must, except as provided in paragraphs (g)(3) and (g)(5) of this section, treat a personal representative as the individual for purposes of this subchapter. (2) Implementation specification: Adults and emancipated minors. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation. (3) (i) Implementation specification: Unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if: (A) The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative; (B) The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; or (C) A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service. (ii) Notwithstanding the provisions of paragraph (g)(3)(i) of this section: (A) If, and to the extent, permitted or required by an applicable provision of State or other law, including applicable case law, a covered entity may disclose, or provide access in accordance with § 164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis; (B) If, and to the extent, prohibited by an applicable provision of State or other law, including applicable case law, a covered entity may not disclose, or provide access in accordance with § 164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis; and (C) Where the parent, guardian, or other person acting in loco parentis, is not the personal representative under paragraphs (g)(3)(i)(A), (B), or (C) of this section and where there is no applicable access provision under State or other law, including case law, a covered entity may provide or deny access under § 164.524 to a parent, guardian, or other person acting in loco parentis, if such action is consistent with State or other applicable law, provided that such decision must be made by a licensed health care professional, in the exercise of professional judgment. (4) Implementation specification: Deceased individuals. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation. (5) Implementation specification: Abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative of an individual if: (i) The covered entity has a reasonable belief that: (A) The individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or (B) Treating such person as the personal representative could endanger the individual; and (ii) The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative. (h) Standard: Confidential communications. A covered health care provider or health plan must comply with the applicable requirements of § 164.522(b) in communicating protected health information. (i) Standard: Uses and disclosures consistent with notice. A covered entity that is required by § 164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by § 164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in § 164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice. (j) Standard: Disclosures by whistleblowers and workforce member crime victims - (1) Disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce or a business associate discloses protected health information, provided that: (i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and (ii) The disclosure is to: (A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or (B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section. (2) Disclosures by workforce members who are victims of a crime. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce who is the victim of a criminal act discloses protected health information to a law enforcement official, provided that: (i) The protected health information disclosed is about the suspected perpetrator of the criminal act; and (ii) The protected health information disclosed is limited to the information listed in § 164.512(f)(2)(i). |