This policy and supporting procedures cover the privacy of all data collected by Mental Health Solutions, Inc. in its interaction with individuals in its business operations.
The following roles and responsibilities are to be developed and subsequently assigned to authorized personnel within Mental Health Solutions, Inc. regarding privacy practices:
"Personal Identifiable Information" (PII) as used in this policy, is information that specifically identifies an individual, such as an individual’s name, social security number, telephone number, or e-mail address. Personal information also includes information about an individual’s activities, such as information about his or her activity on the Site or credit history, and demographic information, such as date of birth, gender, address, geographic area, and preferences, when any of this information is linked to personal information that identifies that individual.
Personal information does not include "aggregate" or other non-personally identifiable information. Aggregate information is information that the organization collects about a group or category of products, services, or users that is not personally identifiable or from which individual identities are removed. The organization may use and disclose aggregate information, and other non-personally identifiable information, for various purposes.
"Protected Health Information" (PHI) as used in this policy, is information that specifically identifies an individual used together with medical information. PHI is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses). PHI is also not limited to digital text. Videos, images, x-rays, MRIs, doctors’ notes, and insurance cards are all examples of PHI.
PHI includes, but is not limited to the following data types:
Mental Health Solutions, Inc. collects only the minimum amount of information necessary to perform an approved function. Any new projects, processes, analysis or research using PHI data requires approval from the Chief Privacy Officer.
COLLECTION OF INFORMATION
When an individual uses the Service, some information may be automatically collected, such as the user’s IP address, browser type, system type, the content and pages that the user accessed on the Site, "referring URL" (i.e., the page from which the user navigated to the Site), the pages the user navigates to on the Site, and from which the user leaves the Site, as well as the time the user spent on the Site.
This information is collected using technologies such as standard server logs, cookies, and clear GIFs (also known as "Web beacons"). This information is then used to administer, operate, and improve the external facing website, client experience, other services and systems, and to provide services and content that are tailored to the user. If any of this information is linked or associated with any PII, the new data set is subject to the same restrictions as PII per this policy. Otherwise, this information is collected as non-personally identifiable.
Third parties may set cookies on the user’s hard drive or use other means of passively collecting information about the user’s use of their services or content. The organization does not have access to, or control over, these third-party means of passive data collection.
Mental Health Solutions, Inc. may collect personal information in a variety of ways through the organization’s client facing applications. For instance, when the user requests information about the organization’s services or otherwise communicates with us, certain information is collected. This information may include: name, e-mail address, city, state, country, other demographic information, and the user’s interests and preferences.
5.3 Information from Other Sources
Any information the organization collects about the user must be protected, whether the source be direct collection from the user or obtained through a third party service. Any combination of information together with personal information is treated as personal information and protected accordingly.
Mental Health Solutions, Inc. uses personal information to provide services and information that the user requests; to enhance, improve, operate, and maintain the Site and Service, our programs, services, website, and other systems; to prevent fraudulent use of our Site and Service; to tailor the user’s experience; to maintain a record of our dealings with the user, and for other administrative purposes.
The organization may also use PII to contact the user regarding our products and services. The user must be provided the opportunity to "Opt Out" of these marketing services as described in the "Choice" section below.
Mental Health Solutions, Inc. will not disclose the user’s personal information to third parties without the user’s consent, other than as described in this policy. Personal information may be shared with third-party service providers (e.g., data storage and processing facilities) that assist the organization in completion of approved workflows compliant with this policy. Any personal information shared with third parties is limited to only the minimum necessary for the third parties to perform the required functions.
Any additional disclosure of information must be formally requested, approved by the Chief Privacy Officer and documented. As a result of this review, the Chief Privacy Officer may determine that additional consent is required, which will be coordinated and managed by the Privacy committee.
7. Third Party Contracts
No PII or PHI is to be shared with third parties without the consent of the Chief Privacy Officer. Business Associate Agreements (BAAs) are required for any third party that is sharing PHI with the organization or is receiving PHI from the organization.
7.1 Entering into a BAA
Before the organization discloses PHI to a Business Associate (downstream third party) or permits a Business Associate to view, create, maintain or transmit PHI on its behalf, the organization must enter into a BAA. The Privacy Officer is responsible for assisting in identifying those vendors that require BAAs and ensuring that such BAAs are agreed to. Upon execution of an agreement, a copy must be sent to the Privacy Officer.
7.2 Monitoring and Non-Compliance
The Privacy Officer monitors Business Associates’ compliance with their obligations as they deem necessary or when there is a belief that the Business Associate has violated the terms of the agreement. Any workforce member or Business Associate who becomes aware that a Business Associate may have violated the agreement should report the potential violation through the Incident Response process, which will escalate it to the Chief Privacy Officer. The Chief Privacy Officer will determine if further investigation or remediation is required.
7.2 Potential Violation Investigation
The Privacy Officer may take the following steps as appropriate if they become aware of a potential BAA violation:
7.3 Response if a Violation has Occurred
If the Chief Privacy Officer has determined that the Business Associate has violated the agreement, the Privacy Officer may:
If the user receives commercial email from the organization, the user may unsubscribe at any time by following the instructions contained within the email. The user may also opt-out from receiving commercial email from us by sending us an email or by writing to us at the address given at the end of this policy.
If the user wishes to opt out of any services that utilize PHI, a written request (either electronic or physical) needs to be received, documented, and processed in a reasonable timeframe.
Information is not knowingly collected for individuals under the age of 13. Any information collected for individuals under the age of 13 is required to have parental consent.
Mental Health Solutions, Inc. protects the Personal Information it collects with reasonable and appropriate physical, electronic, and procedural safeguards. The organization follows HIPAA requirements and uses reasonable security measures that are designed to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Please note, however, that no data security measures can be guaranteed to be completely effective.
External clients must be provided an external facing email address or other contact method to which they can submit complaints or questions. If there is a complaint that may indicate a compromise, the Chief Privacy Officer must be immediately notified to determine if the Incident Response process is warranted. Otherwise, questions and complaints must be addressed within a reasonable timeframe.
Any requests to delete information (such as an opt out) must also be reviewed and actioned within a reasonable timeframe.
The Policy Owner owns this Policy and is responsible for reviewing the Policy for updates annually, or following major changes to Mental Health Solutions, Inc.’s compliance environment. The Policy Approver retains approving authority over this Policy.
Mental Health Solutions, Inc. periodically monitors adherence to this Policy to help ensure compliance with applicable laws, requirements, and contractual agreements that apply to Client & Consumer Data. Mental Health Solutions, Inc. may also establish enforcement mechanisms, including disciplinary actions, to help ensure compliance with this Policy.