Last Updated: June 02, 2020
1.0 Objective
This privacy policy sets out how Vee Healthtek protects all personally identifiable information of our clientele that is entrusted to and handled within Vee Healthtek, as well as the personal data of its employees. Vee Healthtek recognizes and supports the need for reasonable protections regarding the privacy of personal data entrusted to us by our clientele; for this reason, the company has developed and adopted these general guiding Principles. Individual locations should consider adopting regional implementation policies to put these Principles into practice.
All company employees whose responsibilities include the collection, processing or storage of client data are expected to be vigilant and assist in the protection of that data by adherence to these Principles and reporting any deviations. In following these Principles, Vee Healthtek complies with the applicable laws and regulations protecting the privacy of personal data in the jurisdictions in which the company operates alongside HIPAA and GLB.
2.0 Scope
- These Principles apply to all personal data entrusted to us by our client that is collected, maintained, processed and returned by the company as part of an actual client relationship. The Company will review and amend these Principles from time to time, should it become necessary to do so.
- These Principles apply to all personal data collected by Vee Healthtek about its employees and consultants.
“Personal data” means data about an individual that is personally identifiable.
3.0 Responsibility
All Employees of Vee Healthtek involved in the processing of personally identifiable information.
4.0 Procedure
4.1 Notice
4.1.1 Notice Principle:
The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
Vee Healthtek informs its clients/stakeholders of the purposes for which personal information is collected, used, retained and disclosed:
- The type of data Vee Healthtek collects,
- The purposes for which Vee Healthtek collects and discloses personal data,
- The circumstances under which Vee Healthtek discloses personal data, including the types of potential recipients
- That Vee Healthtek employs privacy and information safeguards; and
- The circumstances under which individuals may access and correct their personal data.
Vee Healthtek provides periodic general notice regarding routine information practices. In addition, Vee Healthtek communicates these Principles and any implementing policies and procedures through normal communication channels via HR Portal and email.
4.1.2 Communication to clients and stakeholders
Notice is provided to all clientele regarding our commitment to the following privacy policies by sharing the details listed below:
a. Purpose for collecting personal information
b. Choice and consent
c. Collection
d. Use, retention, and disposal
e. Access
f. Disclosure to third parties
g. Security for privacy
h. Quality
i. Monitoring and enforcement
4.1.3 Provision of Notice:
Notice is provided to the clients about the Vee Healthtek privacy policies and procedures:
- Prior to project initiation
- as and when there are changes in Vee Healthtek privacy policies and procedures
- Prior to changes in the work order in case personal information may be used for new purposes not previously identified.
4.1.4 Entities and Activities Covered
An objective description of Vee Healthtek and the activities covered by the privacy policies and procedures is included in the entity’s privacy notice:
For Clients: Privacy Memorandum
For Employees: Privacy Notice and Consent
4.2 Choice and Consent
Vee Healthtek describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4.2.1 Communication to clients and employees
Clients are informed that:
- Vee Healthtek accesses personal data for medical claims-related business purposes. Where consent of the clients for the collection, use, or disclosure of personal data is required by law (HIPAA) or contract, Vee Healthtek will comply with that law or contract.
- Implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.
- In the event that a client expresses a concern about the collection, use or disclosure of personal data, Vee Healthtek will respond to the client’s concern consistent with applicable law (HIPAA).
- Vee Healthtek will abide by HIPAA [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] and maintains a Business Associate Agreement (BAA) with its clients to ensure that electronically maintained protected health information is used only for the purposes for which Vee Healthtek was engaged and is safeguarded from misuse.
- Vee Healthtek has designated a CPO to develop and implement the policies and procedures of the entity and to review them periodically to incorporate the latest standards. A disciplinary procedure is in place to take appropriate action against members of its workforce who fail to comply with the privacy policy (HIPAA Privacy Rule, 45 C.F.R. Part 160 and Part 164, Subparts A and E).
- All policies and procedures must be documented and made available to the individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must be documented and reviewed periodically for appropriateness and currency. Implementation of this policy and set of standards must be evident at each department level and must address any additional information systems functionality in that department. The latest revised policies should be uploaded to the HR portal and must be read and acknowledged by the employees.
- Vee Healthtek trains all members of its workforce on all policies and procedures with respect to protected health information, as required by HIPAA § 164.530 (Administrative requirements), to safeguard electronically maintained PHI from misuse and to use client data for its intended purposes only.
- Vee Healthtek provides the training to all its employees on all Security Policies, Code of conduct (FWA), HIPAA Privacy rules to ensure reasonable safeguards for individuals’ health information.
- All new members of the workforce are trained through induction or awareness sessions, and the entire workforce is re-trained through periodic refresher training programs.
- All employees are educated on how to safeguard client data while accessing, handling and transmitting it.
- Non-disclosure of clients’ personally identifiable information to third parties and clients.
- Avoiding the use of patients’ names/PHI details in public areas, whether through oral or written communication.
- Printer and e-Fax access is restricted to users based on their operational requirements. Permitted users are responsible for shredding hard copies using shredder machines.
- Users are not allowed to save client data on local drives.
- Internet services are restricted to block file transfer options.
- No use or disclosure of PHI unless permitted or required by the Privacy Rule.
- Required Disclosures:
– To the individual who is the subject of the PHI.
– To the Secretary of HHS in order to determine compliance.
– To the individual or personal representative.
– For treatment, payment and health care operations (TPO).
- Vee Healthtek will not retaliate against any company/individual for expressing a concern about the collection, use, or disclosure of his or her personal data, or for exercising a legal right to refuse to provide information.
Employees are also informed about:
- Storage of their personal information
- Disclosure of their personal information to third parties & clients
- Use, retention, and disposal of their personal information.
- Access to and updating of their personal information
- Security of their personal information.
4.2.2 Consent for Online Data Transfers To or From an Individual’s Computer or Other Similar Electronic Devices
4.2.3 Consent is obtained from the client before data containing personal information is transferred to or from an individual’s computer or other similar device.
Reference: Privacy Memorandum
4.2.4 Consent is obtained from employees as a disclaimer through the HR portal.
4.3 Collection Principle:
4.3.1 Collection Limited to Identified Purpose
Vee Healthtek collects personal information only for the purposes identified in the Privacy Notice and Consent, only for relevant and appropriate purposes, and in a reasonable and lawful manner. The collection and use of client personal data in the business context is essential to the operation of the company, and particularly to its operational functions. Examples of the purposes for which the company collects and uses client personal data include medical billing, medical coding, insurance processing, logistics processing, and financial and accounting processing. The client is the only source of the information used to carry out the knowledge processing; the data is provided to us through reliable and secure resources with appropriate acknowledgments.
4.3.2 Collection by Fair and Lawful Means
Methods of collecting personal information are reviewed by the Chief Privacy Officer before they are implemented to confirm that personal information is obtained:
- fairly, without intimidation or deception;
- lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.
4.4 Use, Retention, and Disposal Principle:
Vee Healthtek limits the use of personal information to the purposes identified in the notice and for which our client has provided implicit or explicit consent. Vee Healthtek does not retain any personal information, as all information is processed on the client’s systems and databases, unless the client requires us to do so; in such circumstances the data is retained only for as long as necessary to fulfill the stated purposes or as required by law or regulations, and thereafter the information is appropriately disposed of.
Vee Healthtek regularly and systematically destroys, erases, or anonymizes personal information of its employees that is no longer required to fulfill the identified purposes or as required by laws and regulations.
Reference 1: SP-82-Confidential Information Policy
Reference 2: SP-821-Data Classification Policy
4.5 Access
Vee Healthtek does not maintain any personal data; authenticated, non-editable data is provided by the client.
Disclosure to Third Parties:
- Communication to employees
Specific instructions or requirements for handling personal information are communicated to employees to whom personal information is disclosed.
Vee Healthtek places substantial importance on protecting the confidentiality of personal data and seeks the cooperation of all employees in furthering this goal.
To the extent feasible, Vee Healthtek restricts access to personal data to those employees, agents, or contractors of Vee Healthtek who have a legitimate business need for such access.
- Vee Healthtek requires agents and contractors to whom the company discloses personal data for servicing to commit to protecting the privacy and security of the data and to refrain from any uses or further disclosures not authorized by the company.
- Vee Healthtek will not disclose personal data to unaffiliated third parties.
- In addition, under certain exceptional circumstances, the company may, as permitted by law, disclose other personal data without prior notice.
- Vee Healthtek will not make onward transfers of PII data for commercial gain.
Reference: SP-112-Acceptable Usage Policy
Reference: SP-52-Information Security Policy
4.6 Disclosure to Third Parties
4.6.1 Disclosure of Personal Information
Personal information is disclosed to employees only for the purposes described in the notice, and for which the client has provided implicit or explicit consent, unless a law or regulation specifically requires or allows otherwise.
4.6.2 Protection of Personal Information
Personal information is disclosed only to employees who have signed non-disclosure agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy policies or other specific instructions or requirements. The entity has procedures in place to evaluate whether third parties have effective controls to meet the terms of the agreement, instructions, or requirements.
4.6.3 Misuse of Personal Information by a Third Party
Vee Healthtek will take remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.
4.7 Security:
4.7.1 Information Security Program
Vee Healthtek Information Security Program
A security program has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but not be limited to, the following areas insofar as they relate to the security of personal information.
Reference: ISMS MANUAL
4.7.2 Logical Access Controls
Logical access to personal information is restricted by procedures that address the following matters, where Vee Healthtek commits to:
a. Authorizing and registering employees
b. Identifying and authenticating employees
c. Making changes and updating access profiles
d. Granting privileges and permissions for access to IT infrastructure components and personal information
e. Preventing individuals from accessing anything other than their own personal or sensitive information
f. Limiting access to personal information to only authorized internal personnel based upon their assigned roles and responsibilities
g. Distributing output only to authorized internal personnel
h. Restricting logical access to offline storage, backup data, systems, and media
i. Restricting access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls)
j. Preventing the introduction of viruses, malicious code, and unauthorized software
Reference: SP-911-Access Control Policy
4.7.3 Physical Access Controls
Physical access to personal information in any form (including the components of the entity’s system(s) that contain or protect personal information) is restricted.
Reference: SP-911-Access Control Policy
4.7.4 Environmental Safeguards
Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards.
Reference: SSP-172- Redundancies
4.7.5 Transmitted Personal Information
Vee Healthtek ensures that personal information is protected when transmitted by mail or other physical means. Personal information collected and transmitted over the Internet, over public and other non-secure networks, and over wireless networks is protected by deploying industry-standard encryption technology for transferring and receiving personal information.
Reference: SP-101-Cryptographic Control Policy
4.7.6 Personal Information on Portable Media
Vee Healthtek does not store any PII on portable media.
4.7.7 Testing Security Safeguards
Vee Healthtek carries out tests of the effectiveness of the key administrative, technical, and physical safeguards protecting personal information.
Reference: SSP-172-Redundancies
4.8 Quality Principle
The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
Communication to clients
Clients are notified that they are responsible for providing the entity with accurate and complete personal information for processing claims.
Reference: Privacy Notice Draft.doc
4.9 Monitoring and Enforcement
4.9.1 Compliance:
Vee Healthtek maintains an active program to ensure compliance with these Principles, as well as with applicable law and contractual agreements on the handling of personal data. The Chief Privacy Officer is responsible for implementing and overseeing the administration of these Principles. All Vee Healthtek employees whose responsibilities include the collection, processing or storage of personal data are required to adhere to these Principles and the implementing policies. Failure to do so may be grounds for discipline up to and including termination.
4.9.2 Roles and responsibilities of compliance team
- Overseeing the Vee Healthtek employee privacy education and training programs;
- Overseeing the resolution of privacy inquiries and complaints;
- Overseeing periodic assessments of the company’s internal practices to ensure that they conform to these Principles;
- Working with the company’s legal consultants to ensure the company’s ongoing compliance with applicable privacy laws;
- Overseeing the response to questions regarding these Principles and any implementing policies;
- Overseeing the investigation of complaints regarding possible violations of these Principles; and
- Otherwise administering the implementation and enforcement of these Principles and other human resources privacy matters.
4.9.3 Procedure Compliance measures
- Educating all the company employees as to the purpose and application of these Principles;
- Training human resources employees and others with significant access to personal data on proper procedures for the processing of personal data;
- Requiring agents and contractors with significant access to personal data to make contractual commitments to safeguard the data and use it appropriately;
- Holding employees accountable for violation of these Principles and implementing policies, with sanctions, including the possibility of termination of employment; and
- Holding agents and contractors accountable for violation of their contractual commitments, with sanctions, including the possibility of termination of contracts.
4.9.4 Complaint Resolution:
Any employee who has a concern about the collection, use or disclosure of an individual’s personal data is encouraged to use the Vee Healthtek internal Alternative Dispute Resolution program or other internal means of resolving disputes, such as the Open House/Open Forum meeting conducted once a month.
4.9.5 Incident Management
An escalation matrix is established through which all employees of Vee Healthtek are able to report a security incident leading to a breach through the appropriate channel and record the incident so that similar breaches can be avoided in future.
Reference: SSP-16-Incident_Response_Procedure
4.10 Risk Assessment
A risk assessment is reviewed yearly to establish a risk baseline and to identify new or changed risks to personal information; the respective controls are then introduced to reduce those risks.
Reference: ISMS-02-Risk Assessment methodology
4.11 Communication to Internal Personnel
Privacy policies and the consequences of noncompliance with such policies are communicated, at least annually, to the Vee Healthtek technologies internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in privacy policies are communicated to such personnel shortly after the changes are approved.
4.12 Review and Approval
Vee Healthtek Privacy policies, procedures, client contract, and changes to them, are reviewed and approved by management periodically.
4.13 Consistency of Privacy Policies and Procedures with Laws and Regulations
Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.
4.14 Privacy Breach Notification Policy
It is the policy of Vee Healthtek that all employees will access and use, but shall not disclose, PII, and that all employees shall be vigilant with respect to guarding PII. However, in the event that a potential breach of unsecured PII occurs, the following procedures shall be followed:
4.14.1 DISCOVERY
- A breach of PII will be deemed “discovered” as of the first day Vee Healthtek knows of the breach or, by exercising reasonable diligence, would or should have known about the breach.
- A potential breach, once discovered, is very time-sensitive and must be reported immediately.
4.14.2 INTERNAL REPORTING
- If a potential breach of PII has occurred, the Privacy Officer should be notified immediately.
- Provide all the available information you have regarding the potential breach, including names, dates, and the nature of the PII potentially breached, the manner of the disclosure (fax, email, mail, verbal), all employees involved, the recipient, all other persons with knowledge, and any associated written or electronic documentation that may exist.
- Notification and associated documentation may itself contain PII and should only be given to the Privacy Officer.
- Do not discuss the potential breach with anyone else, and do not attempt to conduct an investigation. These tasks will be performed by the Privacy Officer.
- This reporting can be done through the HR Portal by individual employees.
4.14.3 INVESTIGATION
- Upon receipt of notification of a potential breach the Privacy Officer will promptly conduct an investigation.
- The investigation shall include interviewing employees involved, collecting written documentation, and completing all appropriate documentation.
- The Privacy Officer shall retain all documentation related to potential breach investigations for a minimum of six years.
- Any privacy incidents raised in the HR Portal will be investigated by the Privacy Officer.
4.14.4 RISK ASSESSMENT AND RECOMMENDATION
After the investigation is complete, the Privacy Officer will perform a Risk Assessment.
The purpose of the Risk Assessment is to determine whether a use or disclosure of PII constitutes a breach and requires further notification to the Covered Entity. The Privacy Officer shall appropriately document the Risk Assessment and make a recommendation as to whether notification to the Covered Entity of the potential breach would be prudent.
A “reasoned judgment” standard will be applied to the Risk Assessment, which shall be fact-specific and shall include consideration of the following factors:
- Did the disclosure involve Unsecured PII in the first place?
- Who impermissibly used or disclosed the Unsecured PII?
- To whom was the information impermissibly disclosed?
- Was it returned before it could have been accessed for an improper purpose?
- What type of Unsecured PII is involved and in what quantity?
- Was the disclosure made for any improper purpose?
- Is there the potential for significant risk of financial, reputational, or other harm to the individual whose PII was disclosed?
- Was immediate action taken to mitigate any potential harm?
- Do any of the specific breach exceptions apply?
4.14.5 FINAL DETERMINATION BY THE PRIVACY OFFICER
The Vee Healthtek Privacy Officer shall have final authority to determine whether a breach of unsecured PII occurred and what, if any, further action is warranted.
4.14.6 NOTIFICATION TO COVERED ENTITY/BUSINESS ASSOCIATE
In the event that the Privacy Officer determines that notice to the Covered Entity/Business Associate is warranted, the Chairperson shall promptly prepare and transmit a CE/BA Notice.
- Content - The CE/BA Notice shall include:
- Identification of each individual whose Unsecured PII is believed to have been breached, the date of the disclosure, the facts and circumstances surrounding the disclosure, and all associated documentation.
- The CE/BA Notice shall include all other available information known to Vee Healthtek that the Covered Entity/Business Associate will be required to include in its own Notice to the individual(s)
- If additional information regarding the breach is later discovered by Vee Healthtek, that information will be promptly provided to the Covered Entity/Business Associate.
- The CE/BA Notice shall be sent first class mail, return receipt requested, and the receipt and a copy of the CE/BA Notice shall be kept with related documentation.
- Upon receipt of the CE/BA Notice from Vee Healthtek, it is the obligation of the Covered Entity/Business Associate to notify affected individuals, HHS, and/or the media unless otherwise specifically agreed upon by contract.
- Timing of Notification - Vee Healthtek shall notify the Covered Entity/Business Associate “without unreasonable delay” but no later than 3 days after discovery of the breach. The Vee Healthtek Services Agreement provides that Vee Healthtek is an independent contractor; therefore the Covered Entity’s/Business Associate’s time to provide the requisite notice begins to run on the date that Vee Healthtek notifies the CE/BA of the breach.
- Unjustified Delay - If it appears to the Privacy Officer that the investigation will not be completed within a reasonable time, the Covered Entity/Business Associate will be notified before completion of the investigation.
- Law Enforcement Delay - A delay in notification is permissible if a law enforcement official states that a breach notification would impede a criminal investigation or cause damage to national security.
- In that event, the law enforcement statement must be in writing and must specify the length of the delay required.
- If the request for a delay in notification is oral, Vee Healthtek must document the statement and request written confirmation within a day. If no written request for a delay is received within that time, Vee Healthtek must send notification of the breach to the Covered Entity/Business Associate.
4.14.7 DOCUMENTATION
All phases of the process must be documented in detail on a case-specific basis, in a manner sufficient to demonstrate that all appropriate steps were completed. All supporting documentation associated with the potential breach shall be kept on file for a period of 6 years.
4.15 Infrastructure and Systems Management
Vee Healthtek ensures that potential privacy impact is assessed when new processes involving personal information are implemented and when changes are made to such processes (including any such activities outsourced to third parties or contractors), and that personal information continues to be protected in accordance with the privacy policies. For this purpose, processes involving personal information include the design, acquisition, development, implementation, configuration, modification and management of the following:
• Infrastructure
• Systems
• Applications
• Websites
• Procedures
• Products and services
• Databases and information repositories
• Mobile computing and other similar electronic devices
The use of personal information in process and system test and development is prohibited unless such information is anonymized or otherwise protected in accordance with the entity’s privacy policies and procedures.
4.16 Personal Information Identification and Classification
Vee Healthtek ensures that the types of personal information and sensitive personal information, and the related processes, systems, and third parties involved in the handling of such information, are identified. Such information is covered by the Vee Healthtek privacy and related security policies and procedures.
Reference: SP-821-Data Classification Policy
4.17 Qualifications of Internal Personnel
Vee Healthtek establishes qualifications for personnel responsible for protecting the privacy and security of personal information and assigns such responsibilities only to those personnel who meet these qualifications and have received the needed training.
Reference: SSP-7-HR Operating Procedure
4.18 Privacy Awareness and Training
Vee Healthtek provides a privacy awareness program about the entity’s privacy policies and related matters, as well as specific training for selected personnel depending on their roles and responsibilities.
Reference: SSP-7- HR Operating Procedure