1. Information we may collect:
A. Categories of Information We May Collect and Sources From Which We May Collect it:
We collect nonpublic personal information about prospects and customers from the following sources:
- Information provided to us on applications and other forms, through telephone or personal interviews, or through websites,
- Information about transactions between our company and our partners,
- Information contained in medical records, insurance records, billing (Explanation of Benefits), CDHC Accounts, healthcare financial management, or from medical professionals that is related to our products
B. Persons From Whom Information May Be Collected.
We may collect nonpublic personal information from individuals other than those proposed for coverage.
2. Information we may disclose to third parties:
We do not disclose information about prospects or customers to third parties whose only use of the information is to market a product or service. However, in the course of our general business practices, we may disclose the information that we collect (as described above) to the following types of institutions for the reasons described below:
A. To a third party if the disclosure will enable that party to perform a business, professional, product or service function on our behalf, including processing within our applications.
- To a partner serving our members, an agent, or a credit reporting agency in order to detect or prevent criminal activity, fraud or misrepresentation in connection with a sales transaction.
3. Approved Use and Security of Confidential Information
At all times staff shall use customer information ONLY in connection with the sale of HarmonyHealth products and services, shall protect the security of confidential information, and shall disclose such confidential information only to authorized representatives of carriers, and only when such disclosure is necessary to support the sale of our products and/or services. Confidential information retained in hard copy format must be held in a locked file cabinet to which access is limited; confidential information retained in electronic format must be held in a confidential, password-protected file. At no time shall any staff member access or use data for any reason other than those specified above.
4. Safeguarding Confidential Information and Prohibited Acts
The Company is committed to safeguarding the confidentiality, integrity and availability of Confidential Information through the use of reasonable and appropriate physical, administrative and technical safeguards. All employees who come into contact with such Confidential Information must maintain the confidentiality of the information, prohibit unlawful disclosure and limit access to it. Employees authorized to access such information should also consider the following guidelines when handling Employee, Client or Third Party Information:
- Employees authorized to access such information should not leave documents containing the information unattended unless secured in a restricted area or locked in a file cabinet, desk drawer, or office. In addition, password-protected screen savers should be activated after brief periods of inactivity to prevent casual viewing of Employee, Client or Third Party Confidential Information by unauthorized persons.
- Do not publicly display such information, for example, on bulletin boards, or postings on the Internet.
- To the maximum extent feasible, employees should not store Employee, Client or Third Party Confidential Information on portable devices and movable storage media, such as laptop computers, personal digital assistants, and “flash drives.”
- Documents containing Employee, Client or Third Party Confidential Information generally should not be transmitted over the Internet unless appropriately encrypted (for example, as an encrypted, password-protected file) so that the contents cannot be read if intercepted.
- Before transmitting documents that contain Employee, Client or Third Party Confidential Information by facsimile, verify the recipient’s facsimile number and arrange for the recipient to promptly remove the facsimile from the fax machine or desktop fax application.
- Use encrypted email when communicating customer information.
- Refrain from discussing Employee, Client or Third Party Confidential Information with Company employees, friends, acquaintances, family members, neighbours or anyone else who is not authorized to access the information.
- If it is necessary to send Employee, Client or Third Party Confidential Information to a printer in a location accessible to individuals not authorized to access such Information, arrange for prompt retrieval of the printed document.
- Envelopes containing Employee, Client or Third Party Confidential Information, whether sent by company mail or other means, should be sealed.
- Dispose of Employee, Client or Third Party Information in paper form by shredding it before placing it in the garbage or recycling bin. Confidential Information in electronic form should be destroyed in a manner that will render the information irretrievable.
- Employee, Client and Third Party Confidential Information should be removed from the electronic resources of employees who leave the Company before those resources are re-issued to another employee unless the successor employee has the same authority to access such Information.
Additional Safeguards For Social Security Numbers
Social Security Numbers (“SSNs”) and documents containing SSNs should receive the following additional protections:
- SSNs should not be publicly displayed, for example, by including them in electronic documents posted on internal websites or in paper documents posted on employee bulletin boards;
- SSNs generally should not be printed on paper documents that are mailed to the employee unless the document, by law, is required to include an SSN (such as a W-2 Form) or in certain other limited circumstances.
- SSNs should not be transmitted over the Internet unless appropriately encrypted so that they cannot be read if intercepted.
- SSNs should be redacted from materials sent to third parties unless the SSNs are required to accomplish the purpose of the disclosure, and then only if the materials are properly encrypted.
Disposal of Confidential Information
Disposal of documents containing Employee, Client and Third Party Confidential Information should be accomplished in a manner intended to prevent unauthorized access to such Confidential Information. For example, paper documents containing background or criminal history reports or medical reports/records or financial information or any documents containing information derived from those reports should be shredded. Confidential Information stored on electronic media, such as hard drives, compact disks, and back-up tapes, should be subject to processes, before disposal or reassignment, that render the Confidential Information irretrievable.
Legal Effect and Changes to the Policy
This Policy is not, nor is it intended to be, a contract, nor does it otherwise create any legal rights or obligations not already imposed by federal, state or local law. Accordingly, the Company, in its discretion, may amend, interpret, modify or withdraw any portion of this Policy and related practices with or without notice. Any change in this Policy will also apply to Employee, Client and Third Party Confidential Information collected before the change went into effect.
All individually identifiable medical and health-related information regarding an insured is “protected health information” (PHI) under federal law, the Health Insurance Portability and Accountability Act (HIPAA). Such information is to be used or disclosed solely for the purpose of providing Health Expense products and services to our clients. Such information is highly confidential and private.
Only employees in the following positions are authorized to collect, review, use or disclose any information, oral or written, containing an insured’s PHI, including but not limited to medical history, medical bills or invoices, and claim forms, or to send or receive such communications: CEO, CFO, CTO, COO, Vice Presidents, Engineers, Account Managers. These persons are referred to as Authorized Persons.
If your position is not listed above, you are not authorized to open, read, review, receive, use, disclose, handle or access in any way, any document or communication concerning any client’s PHI unless you have written authorization to do so.
If your position is listed above, you must not use or disclose any PHI except to Authorized Persons at the Company or outside the Company with a specific need to know for purposes of providing insurance.
All communications with the insured regarding PHI shall be handled exclusively by Authorized Persons. All communications regarding an insured’s PHI received by a person who is not an Authorized Person must be referred to an Authorized Person.
Minimum Necessary Disclosure of PHI: Any use or disclosure of PHI except (1) disclosures to the insured or (2) disclosures with the insured’s written authorization shall be limited to the minimum necessary for insurance purposes.
- Incidental Disclosures: It is inevitable that some PHI will be disclosed as a byproduct of permissible uses and disclosures of PHI. For example, someone without authorized access to PHI might overhear an Authorized Person speaking on the telephone with an insured. The Company should take reasonable steps to keep incidental disclosures of PHI to a minimum.
If you are not an Authorized Person and an insured provides you with PHI, do not open the email, form, fax, envelope or its contents. Immediately call Vineet or one of the Authorized Persons listed above for instructions.
Safeguarding PHI: The following measures shall be taken to protect PHI from unauthorized use or disclosure:
- Client files containing PHI, when unattended, shall be maintained in a secure area, such as a locked file drawer, locked file cabinet, or locked office. No persons except Authorized Persons shall have access to such information.
- Fax machines will be routinely monitored for incoming faxes containing PHI. Any fax received that, on its face, contains PHI must be placed in an envelope and promptly delivered to the addressee.
- Faxing of PHI will be limited to urgent information. A fax cover sheet that includes a confidentiality statement must be used. Before faxing PHI the recipient’s number must be verified and the recipient notified that a fax is being sent so that the recipient can retrieve it immediately.
- Employees who receive PHI as an attachment to, or as part of, electronic mail, will have password-protected access to their e-mail inbox.
- Employees will turn off their computer when they intend to be absent from their desk or office for an extended period of time to prevent unauthorized access to e-mail containing PHI. Any document containing PHI will immediately be retrieved from the printer.
- All originals and copies of documents that contain PHI will immediately be removed from the copier upon completion of the copy job. Any unwanted copies will be shredded before being discarded.
- Inactive member records and other paper files containing PHI will be boxed and moved to a secure area in a locked closet or office or to off-site storage.
- When a record or other paper file containing PHI needs to be destroyed, the file will be shredded. When electronic files containing PHI need to be destroyed, the destruction will be carried out in a manner reasonably intended to make the data irretrievable.
- Access to email that may contain PHI will be limited by use of a user name and password. When email containing PHI no longer is needed, the files will be deleted from the user’s area on the email server.
Other Disclosures of PHI
With the approval of the Privacy Officer, the Company is authorized to make non-routine disclosures of PHI (1) as required by statute or regulation; (2) in response to a court order or subpoena issued by a court or administrative body; (3) in response to a subpoena in a civil discovery matter; (4) to a law enforcement official in response to legal process in a criminal proceeding; (5) to a government agency responsible for overseeing the health care system or government health benefits programs; or (6) as permitted by state or federal workers’ compensation laws.
Complaints and Sanctions
If you believe that a violation of this policy has occurred, you may file a written complaint with the Privacy Officer. The complaint should be made within 30 days after you become aware of the facts on which the complaint is based. The Privacy Officer will investigate the complaint and will furnish a copy of the complaint to any person whose conduct is the subject of the complaint. If a complaint is made about you, you will have 14 days from the date of receipt of the complaint to submit a signed and dated written response to the Privacy Officer. The Privacy Officer will make a determination in writing within 60 days of receiving the complaint, regarding whether a violation of this policy has occurred.
The decision will contain at least the following: (a) a description of the complaint and the response(s), if any, to the complaint, (b) a statement of the Privacy Officer’s findings and conclusions, and (c) a description of the sanction, if any, to be imposed on the violator.