Security and Privacy Policy

PURPOSE

The purpose of this policy is to set forth clear standards and guidelines for the confidential treatment of information concerning patients, employees, and staff, as well as research and business affairs.

SCOPE

This policy applies to members of the medical and professional staff, consultants, volunteers, and trainees.

Privacy Policy Statement: Every member of the workforce of AllaraCare and its business associates who has access to confidential or proprietary information has an obligation to keep such information strictly confidential. It is the policy of AllaraCare to comply with all applicable federal and state laws, regulations, and guidelines concerning confidentiality. Any confidential or proprietary information learned during the performance of one’s work must be kept confidential and must never be accessed, copied, or disclosed to anyone without proper authorization. Safeguarding confidential or proprietary information is a responsibility of all members of the workforce of AllaraCare and its business associates.

The unauthorized possession, use, copying, reading, or disclosure of confidential or proprietary information is strictly forbidden. All records containing confidential or proprietary information must be maintained in a manner which ensures confidentiality. Failure to adhere to this policy may result in immediate dismissal of an employee or termination of a contractual relationship with any AllaraCare entity.

Data Security Policy Statement: It is the obligation of AllaraCare to provide patients with a secure and confidential environment in which to view the cost and quality of past care at various settings. It is the policy of AllaraCare to mitigate any harm caused by a breach of Protected Health Information (PHI) or Personal Information (PI) in accordance with applicable federal and state laws. As a result, AllaraCare will investigate reports of alleged breaches promptly, and when appropriate, notify affected individuals of a breach of Unsecured PHI or PI, and evaluate circumstances of any breach to identify areas of risk and opportunities for improvement. AllaraCare will also pursue corrective action against workforce members and business associates involved in a breach when such corrective action is deemed appropriate.


POLICIES AND PROCEDURES

1. Data Breach Issues

A. Reporting Suspected Breaches: Any suspected breaches of Unsecured Protected Health Information (PHI) and Personal Information (PI) must be immediately reported to the AllaraCare Compliance Officer. Individuals reporting breaches or suspected breaches in good faith will be protected from retaliatory conduct.

B. Investigating Suspected Breaches: AllaraCare will investigate any and all reports of breaches and/or suspected breaches. Breach investigations may include, but are not limited to, interviews of workforce members, audits of electronic systems, and reviews of procedures and systems. The Compliance Officer is responsible for coordinating breach investigations. Where necessary, AllaraCare may engage independent third-party vendors to assist in a breach investigation.

C. Risk Assessment: The unauthorized or impermissible acquisition, access, use, or disclosure of Protected Health Information (PHI) is a presumed breach. The Compliance Officer performs a Risk Assessment to determine whether the incident presumed to be a breach carries a low probability that the PHI at issue has been compromised. If, after performing the Risk Assessment, the Compliance Officer determines that the incident carries a low probability that the PHI at issue has been compromised, the Compliance Officer may decide not to notify individuals of the breach. The results of such a Risk Assessment shall be documented and maintained by the Compliance Officer. If the Risk Assessment does not establish a low probability that the PHI at issue has been compromised, AllaraCare will notify affected individuals of the breach pursuant to the procedures identified in Sections D and E below. The Compliance Officer shall consider at least the following factors in performing the Risk Assessment:

  • The nature and extent of the PHI involved, including the types of individual identifiers and the likelihood of re-identification;

  • The unauthorized person who used the PHI or to whom the PHI was disclosed;

  • Whether the PHI was actually acquired or viewed; and

  • The extent to which the risk to the PHI has been mitigated.

D. Notifying Affected Individuals of Breach of Protected Health Information (PHI) and/or Personal Information (PI):

  • Timing of Notice: AllaraCare will promptly provide notice of a breach to affected individuals, and in no case later than sixty (60) calendar days after discovery of the breach.

  • Content of Notice: Notice to affected individuals of a breach will include the following to the extent possible:

    1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

    2. A description of the types of Unsecured PHI that were involved in the breach;

    3. Any steps individuals should take to protect themselves from the potential harm of the breach;

    4. A brief description of what AllaraCare is doing to investigate the breach, to mitigate harm to individuals, and to protect against future breaches.

E. Notifying Appropriate Government Agencies

U.S. Department of Health and Human Services: AllaraCare will promptly notify the Secretary of the Department of Health and Human Services (Department) of breaches of Unsecured Protected Health Information (PHI) involving 500 or more affected individuals. AllaraCare shall report such breaches electronically pursuant to the directions on the Department’s website. In the event that AllaraCare learns of additional information about the circumstances of the breach after filing a report with the Department, AllaraCare shall submit such information to the Department as an amended submission. For breaches involving fewer than 500 individuals, AllaraCare will maintain a log of such breaches and, not later than sixty (60) days after the end of each calendar year, provide notification of those breaches to the Department.

F. Determining Corrective Action: After reviewing all investigatory findings, a recommendation of any appropriate disciplinary action to be taken against any responsible employees, up to and including termination of employment, assignment, or engagement with AllaraCare, will be made. Such action shall take into account the severity of the breach and whether the workforce member has a history of similar conduct.

If the breach involves a business associate, AllaraCare may take any and all appropriate actions up to and including discontinuing services with the business associate. Such action shall take into account the severity of the breach, and steps the business associate has taken to mitigate the breach and to prevent future breaches. AllaraCare shall maintain a record of any and all disciplinary action taken to ensure fairness and consistency.

G. Preventing Violations: AllaraCare will take any and all reasonable steps to prevent breaches of Unsecured Protected Health Information (PHI) and Personal Information (PI) including, but not limited to, updating affected systems and educating and training Workforce members.


2. Duty To Report Issues

Policy: Members of the workforce of AllaraCare and its business associates must immediately report any instance or suspected instance of the following activities to the identified authority as indicated in the guidelines of this policy.

Procedures: In order to comply with this policy, workforce members and business associates must:

1. Report suspected computer viruses or other suspicious activity on AllaraCare-administered workstations or laptop computers to the Compliance Officer;

2. Report to AllaraCare’s Compliance Officer any unauthorized sharing of AllaraCare’s Information System resources;

3. Report to AllaraCare’s Compliance Officer any instances of an actual or possible data breach involving Protected Data, including but not limited to:

  • Transmission of unencrypted Protected Data across the public Internet;

  • Transmission of Protected Data to an unauthorized recipient; or

  • The receipt, in error, of Protected Data by any mechanism including electronic and physical mediums;

4. Report to AllaraCare’s Compliance Officer the loss or theft of any device (such as an access card or physical key) that provides physical access to areas where components of the Information System are housed.

3. Transmission Security and Sensitive Data Storage

Policy: AllaraCare will take all reasonable steps to ensure that data files containing electronic Protected Health Information (ePHI) are transmitted securely and arrive unmodified at the intended destination, and that data at rest is appropriately secured in accordance with the guidelines in this policy.

Procedures:

  1. Users must not transmit or electronically exchange any of AllaraCare’s Protected Data through email or any other transmission mechanism that is not an approved, encrypted telecommunication channel for AllaraCare.

  2. All Protected Data should be saved to servers or storage devices housed in a data center equipped with appropriate protections. Data may be kept locally for application and processing needs, but it must be regularly and automatically mirrored to servers for backup and protection. Users should not save copies of Protected Data on any device unless it is protected according to federal guidelines. All portable drives, devices, and storage units must be encrypted using industry-standard methodology.

  3. Users must not employ software that copies AllaraCare’s Protected Data to an external system unless AllaraCare has a valid business associate agreement or confidentiality agreement, as applicable, with the company hosting the external system. External systems include, but are not limited to, cloud-based storage services.

  4. Email synchronization to mobile devices should only occur if the mobile device is fully encrypted.

4. Cloud Security

Policy: Cloud technologies must be utilized in accordance with this policy and all other AllaraCare standards and policies.

Procedures:

  1. All cloud-based solutions used at AllaraCare must adhere to all relevant security policies.

  2. When designing AllaraCare cloud-based security architectures, strict attention must be paid to the inherent risks of data stored in such cloud systems and to the prohibition on the use of shared system resources at the cloud provider. AllaraCare ePHI must not be stored in cloud-based systems that use shared hosts or shared infrastructure unless necessary restrictions are in place.

5. Data Destruction

Policy: Data must be securely and comprehensively destroyed upon completion of the relationship with AllaraCare and applicable partners.

Procedures: Media storage devices used to store customer data are classified as critical and treated accordingly, as high impact, throughout their life cycles. AllaraCare, in partnership with Amazon Web Services, has exacting standards on how to install, service, and eventually destroy the devices when they are no longer useful. When a storage device has reached the end of its useful life, it is decommissioned using the media sanitization techniques detailed in National Institute of Standards and Technology (NIST) Special Publication 800-88. Media that stored customer data is not removed until it has been securely decommissioned.

6. Workstation Physical Security

Policy: The physical security of workstations must be implemented in accordance with specific guidelines.

Procedures:

  1. Users must ensure that laptop computers used for AllaraCare’s business are secured with a laptop lock or some other equivalent physical measure when left unattended, both inside and outside of applicable facilities.

  2. Workstations are to be located in areas that minimize the risk of harm from physical and environmental hazards.

  3. Workstations, printers and displays are physically located in such a manner as to minimize the risk that unauthorized persons will gain access to them.

  4. Workstations with access to electronic Protected Health Information (ePHI) in common areas should be oriented so that the monitor screen is not in the line of sight of visitors. Where monitors cannot be placed out of visitors’ line of sight, privacy screens should be used.

  5. Workstations in offices and areas that are behind locked doors are considered secure, as long as these areas are staffed or locked when not occupied.

7. Terminating Employee Access

Policy: All AllaraCare users and business associates with access to AllaraCare's information technology must have their access disabled and removed when their relationship with the organization ends.

Procedures:

  1. All AllaraCare user and business associate termination notifications should be processed at the latest within one week of the effective date of termination, across all information technology.

  2. Management Sponsors must re-evaluate the appropriateness of users’ access on a regular basis. This includes, but is not limited to circumstances in which:

  • A user’s job or contractual responsibilities change; or

  • A user transfers to a new position; or

  • A third-party that requires access to AllaraCare’s Information Systems or Protected Data has a contract renewal or expiration.

  3. Management Sponsors must evaluate the risk associated with the termination and, when appropriate, request that AllaraCare’s Compliance Officer terminate access privileges no later than the time at which the user is terminated.

  4. Where feasible, in anticipation of a termination, managers must ensure that all Protected Data in the possession of the relevant user is retrieved and that any security passwords or encryption keys are provided to the appropriate AllaraCare staff prior to the user’s departure.