1. OVERVIEW AND SCOPE
This policy and supporting procedures cover the privacy of all data collected by Mental Health Solutions, Inc. in its interaction with individuals in its business operations.
2. ROLES AND RESPONSIBILITIES
The following roles and responsibilities are to be developed and subsequently assigned to authorized personnel within Mental Health Solutions, Inc. regarding privacy practices:
Chief Privacy Officer: Responsibilities include providing overall direction, guidance, leadership, and support on methods and tools for the implementation of a security and privacy-related program. The Chief Privacy Officer will conduct resource and investment planning to implement the management, operational, technical, and privacy requirements of the program.
Privacy Committee: Responsibilities include approving and monitoring adherence to this policy, analyzing the organization’s environment and the legal requirements with which it must comply. Additional responsibilities include:
Executing the privacy operations of the firm, including monitoring the system used to solicit, evaluate, and respond to individual privacy complaints and problems;
Evaluating implemented privacy controls;
Assessing existing policies and procedures that address privacy areas;
Working with appropriate departments to ensure compliance with privacy policies and procedures;
Recommending and monitoring, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization’s privacy objectives;
Reporting to the Chief Privacy Officer on the effectiveness of the privacy controls and program in meeting applicable regulatory requirements and standards.
3. PERSONAL INFORMATION
"Personally Identifiable Information" (PII), as used in this policy, is information that specifically identifies an individual, such as an individual’s name, social security number, telephone number, or e-mail address. Personal information also includes information about an individual’s activities, such as information about his or her activity on the Site or credit history, and demographic information, such as date of birth, gender, address, geographic area, and preferences, when any of this information is linked to personal information that identifies that individual.
Personal information does not include "aggregate" or other non-personally identifiable information. Aggregate information is information that the organization collects about a group or category of products, services, or users that is not personally identifiable or from which individual identities are removed. The organization may use and disclose aggregate information, and other non-personally identifiable information, for various purposes.
4. PROTECTED HEALTH INFORMATION
"Protected Health Information" (PHI), as used in this policy, is information that specifically identifies an individual used together with medical information. PHI is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses). PHI is not limited to digital text: videos, images, x-rays, MRIs, doctors’ notes, and insurance cards are all examples of PHI.
PHI includes, but is not limited to the following data types:
Dates, except year
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Vehicle identifiers and serial numbers including license plates
Device identifiers and serial numbers
Internet protocol addresses
Full face photos and comparable images
Biometric identifiers (e.g., retinal scans, fingerprints)
Any unique identifying number or code
5. PHI MINIMUM NECESSARY STANDARD
Mental Health Solutions, Inc. collects only the minimum amount of information necessary to perform an approved function. Any new project, process, analysis, or research using PHI data requires approval from the Chief Privacy Officer.
COLLECTION OF INFORMATION
5.1 Passive Information Collection
When an individual uses the Service, some information may be automatically collected, such as the user’s IP address, browser type, system type, the content and pages that the user accessed on the Site, the "referring URL" (i.e., the page from which the user navigated to the Site), the pages the user navigates to on the Site and from which the user leaves the Site, as well as the time the user spent on the Site.
This information is collected using technologies such as standard server logs, cookies, and clear GIFs (also known as "Web beacons"). This information is then used to administer, operate, and improve the external-facing website, client experience, other services and systems, and to provide services and content that are tailored to the user. If any of this information is linked or associated with any PII, the resulting data set is subject to the same restrictions as PII under this policy. Otherwise, this information is collected as non-personally identifiable.
Third parties may set cookies on the user’s hard drive or use other means of passively collecting information about the user’s use of their services or content. The organization does not have access to, or control over, these third-party means of passive data collection.
5.2 Collection of Voluntarily Provided Information
Mental Health Solutions, Inc. may collect personal information in a variety of ways through the organization’s client-facing applications. For instance, when the user requests information about the organization’s services or otherwise communicates with us, certain information is collected. This information may include: name, e-mail address, city, state, country, other demographic information, and the user’s interests and preferences.
5.3 Information from Other Sources
Any information the organization collects about the user must be protected, whether it is collected directly from the user or obtained through a third-party service. Any information combined with personal information is treated as personal information and protected accordingly.
6. USE OF PII AND PHI
Mental Health Solutions, Inc. uses personal information to provide services and information that the user requests; to enhance, improve, operate, and maintain the Site and Service, our programs, services, website, and other systems; to prevent fraudulent use of our Site and Service; to tailor the user’s experience; to maintain a record of our dealings with the user, and for other administrative purposes.
The organization may also use PII to contact the user regarding our products and services. The user must be provided the opportunity to opt out of these marketing communications as described in the "Choice" section below.
6.1. DISCLOSURE OF PII AND PHI
Mental Health Solutions, Inc. will not disclose the user’s personal information to third parties without the user’s consent, other than as described in this policy. Personal information may be shared with third-party service providers (e.g., data storage and processing facilities) that assist the organization in completing approved workflows compliant with this policy. Any personal information shared with third parties is limited to the minimum necessary for the third parties to perform the required functions.
Any additional disclosure of information must be formally requested, approved by the Chief Privacy Officer, and documented. As a result of this review, the Chief Privacy Officer may determine that additional consent is required, which will be coordinated and managed by the Privacy Committee.
7. Third Party Contracts
No PII or PHI is to be shared with third parties without the consent of the Chief Privacy Officer. Business Associate Agreements (BAAs) are required for any third party that is sharing PHI with the organization or is receiving PHI from the organization.
7.1 Entering into a BAA
Before the organization discloses PHI to a Business Associate (downstream third party) or permits a Business Associate to view, create, maintain, or transmit PHI on its behalf, the organization must enter into a BAA. The Privacy Officer is responsible for assisting in identifying those vendors that require BAAs and ensuring that such BAAs are agreed to. Upon execution of an agreement, a copy must be sent to the Privacy Officer.
7.2 Monitoring and Non-Compliance
The Privacy Officer monitors Business Associates’ compliance with their obligations as they deem necessary, or when there is reason to believe that the Business Associate has violated the terms of the agreement. Any workforce member or Business Associate who becomes aware that a Business Associate may have violated the agreement should report the potential violation through the Incident Response process, which will escalate it to the Chief Privacy Officer. The Chief Privacy Officer will determine if further investigation or remediation is required.
7.3 Potential Violation Investigation
The Privacy Officer may take the following steps as appropriate if they become aware of a potential BAA violation:
Interview workforce members who may have knowledge of the alleged violation or circumstances around the alleged violation
Interview the Business Associate’s employees who may have knowledge of the alleged violation
Collect any documentation or forensic evidence from workforce members or the Business Associate relating to the potential violation
Contact the Business Associate to obtain information related to the alleged violation
Take any other actions that the Chief Privacy Officer deems appropriate to gather the necessary details relating to the alleged violation
7.4 Response if a Violation has Occurred
If the Chief Privacy Officer has determined that the Business Associate has violated the agreement, the Privacy Officer may:
Sanction any workforce member involved with the violation
Request that the Business Associate sanction any of its employees who were involved with the violation or remove them from working with the organization’s information
Coordinate with the Business Associate to perform a risk assessment for the purposes of a potential breach notification
Mitigate any harmful effect that the organization is aware of resulting from the improper use or disclosure of PHI
Request that the Business Associate take any remediation steps the Chief Privacy Officer deems appropriate
Work with the Business Associate to cure the violation and ensure that the violation will not happen again
Terminate the contract with the Business Associate if remediation is unsuccessful
Seek compensation for damages depending on the nature of the contract
If the user receives commercial email from the organization, the user may unsubscribe at any time by following the instructions contained within the email. The user may also opt out of receiving commercial email from us by sending us an email or by writing to us at the address given at the end of this policy.
If the user wishes to opt out of any services that utilize PHI, a written request (either electronic or physical) must be received, documented, and processed within a reasonable timeframe.
Information is not knowingly collected for individuals under the age of 13. Any information collected for individuals under the age of 13 is required to have parental consent.
Mental Health Solutions, Inc. protects the personal information it collects with reasonable and appropriate physical, electronic, and procedural safeguards. The organization follows HIPAA requirements and uses reasonable security measures that are designed to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Please note, however, that no data security measures can be guaranteed to be completely effective.
11. EXTERNAL INQUIRIES
External clients must be provided an external-facing email address or other contact method through which they can submit complaints or questions. If a complaint may indicate a compromise, the Chief Privacy Officer must be immediately notified to determine whether the Incident Response process is warranted. Otherwise, questions and complaints must be addressed within a reasonable timeframe.
Any request to delete information (such as an opt-out) must also be reviewed and actioned within a reasonable timeframe.
12. POLICY ADMINISTRATION
12.1 Ownership and Review
The Policy Owner owns this Policy and is responsible for reviewing the Policy for updates annually, or following major changes to Mental Health Solutions, Inc.’s compliance environment. The Policy Approver retains approving authority over this Policy.
12.2 Monitoring and Enforcement
Mental Health Solutions, Inc. periodically monitors adherence to this Policy to help ensure compliance with applicable laws, requirements, and contractual agreements that apply to Client & Consumer Data. Mental Health Solutions, Inc. may also establish enforcement mechanisms, including disciplinary actions, to help ensure compliance with this Policy.
12.3 Related Documents
- Information Security Policy
- Data Protection and Handling Policy