HIPAA and GDPR Policy Statement

Value and Commitment

We believe protecting consumers' personal information is a fundamental business requirement. We base our approach to safeguarding Protected Health Information (“PHI”), Electronic Protected Health Information (“EPHI”), and Personal Data on federal and global standards and agreements, including the Health Insurance Portability and Accountability Act (“HIPAA”) and the General Data Protection Regulation (“GDPR”). HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Definitions

Personal Data (GDPR Definition): Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Protected Health Information (“PHI”): All "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

Electronic Protected Health Information (“EPHI”): PHI that is created, stored, transmitted, or received in any electronic format or media.

HIPAA Background

HIPAA is a Federal law designed to protect a subset of sensitive information referred to as PHI. PHI is defined as “any information that can be used to identify an individual that relates to the individual’s past, present, or future physical or mental health or condition, including health care services provided and payment for those services.” HIPAA consists of two specific rules, the Privacy Rule and Security Rule. The Privacy Rule and Security Rule are explained in more detail below, including how these rules relate to us as employees.

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and health care providers. The Privacy Rule applies to all forms of protected health information, whether electronic, written, or oral. It is designed to ensure that all PHI is properly handled and applies to anyone who has access to or works with an individual’s PHI. The Privacy Rule permits the use and disclosure of health information needed for patient care and other important purposes.

HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Understanding HIPAA within the Organization:

Implementing HIPAA will enable employees to take necessary and appropriate measures to protect PHI and EPHI. Employees should review and follow these best practices within the workplace:

  1. Take reasonable efforts to limit access to PHI or EPHI to those persons who need access to carry out their duties (“Minimum Necessary Standard”);
  2. Before disclosing information, always stop and consider how the information will be used;
  3. Do not talk about patients/consumers, even in general terms;
  4. Close computer programs containing patient/consumer information when not in use;
  5. If you suspect anyone has learned or may be using your password, badge, or access code, report this to the necessary individual immediately;
  6. Report, in a timely fashion, incidents or breaches to the appropriate individuals; and
  7. Implement role-based security measures to prevent access to information that is not necessary or required for a person's role/responsibilities.

General Data Protection Regulation (“GDPR”)

The General Data Protection Regulation (GDPR) is a European Union (EU)-wide law that replaces the Data Protection Directive 95/46/EC. The GDPR, effective on May 25, 2018, sets out requirements for how organizations must handle and protect the personal data of individuals located in the European Union. Organizations must comply with GDPR if they are involved in the processing of the personal data of individuals located in the EU.

Understanding the GDPR within the Organization:

The GDPR places new obligations on a business and its employees when collecting and controlling/processing personal data. Data subjects have numerous rights under the GDPR, including the right to receive notice of data processing, the right to access the personal data an organization holds specific to a given individual, the right to rectify data errors, the right to withdraw consent to data processing, the right to object to data processing, the right to object to automated processing, and the right to be forgotten. Employees should ask themselves the following questions prior to working with a data subject’s personal information:

  1. Does the organization limit the personal data collected/processed from individuals to what is deemed relevant or necessary to accomplish the specific business purposes;
  2. Is the organization using/processing the data for the purpose it was collected;
  3. Do I know how to get help within the organization in the event I receive a rights-related request from a data subject covered by the GDPR;
  4. In the event of a possible data incident or breach, am I familiar with and do I understand the data breach policy; and
  5. Have I read and understood the company’s “Global Privacy Policy” located on our website?

Why It Matters in the Workplace

Everyone is responsible for protecting PHI, EPHI, and PII within the workplace. All employees should treat consumer information as confidential information. When personal data is divulged or released to the wrong party, there can be a negative impact not only on the individual, but also on the organization. Individuals place trust in an organization when they share personal information. When an organization mishandles or misuses the information, that trust is broken and can be very hard to rebuild.

Overall, a strong data privacy and data security program will benefit both the consumer and the organization as a whole. Organizations that make clear that protecting the privacy of their consumers is a primary goal, and that consistently follow best practices demonstrating a high level of care, have a better chance to build emotional connections with their consumers. In addition, a strong privacy program that implements and provides the appropriate controls for sensitive data will improve brand value, build trust, and help the organization become the preferred brand among its customer base. Further, organizations that establish the appropriate standards also demonstrate that they have established ethical practices. These practices help demonstrate the organization's commitment to handling personal information responsibly and in ways that do not cause harm to its consumers.

Governance and Reporting

To ensure that our commitment to data privacy and data security is understood throughout our global enterprise, we have developed internal policies and procedures, including an internal due diligence and reporting process, to monitor our progress in promoting and protecting data privacy and security throughout our organization. We encourage our employees and others to report any potential violations of our HIPAA and GDPR Policy by contacting Justin DeYonge, HIPAA Compliance Officer, at [email protected].

If you suspect or become aware that an information security incident has or may have occurred, you must immediately report the incident to Clay Long, Director SPS/SHS IT, at [email protected] and to Justin DeYonge, Corporate Counsel, at [email protected]. Other concerns regarding this policy and reports may be made anonymously, where allowed by law, at:

USA: www.securitashotline.com

Canada: www.securitashotline.ca

Mexico: www.lineadealerta.mx

All Other: www.securitasintegrity.com

There will be no retaliation for reports submitted in good faith.