Overview and scope
This policy and supporting procedures cover the privacy of all data collected by Patient Pattern in its interaction with individuals in its business operations.
Roles and responsibilities
- Chief Privacy Officer: Responsibilities include providing overall direction, guidance, leadership, and support on methods and tools for the implementation of a security and privacy-related program. The Chief Privacy Officer will conduct resource and investment planning to implement the management, operational, technical, and privacy requirements of the program;
- Privacy Committee: Responsibilities include approving and monitoring adherence to this policy, analyzing the organization’s environment, and the legal requirements with which it must comply. Additional responsibilities include.
- Execute the privacy operations of the firm, including monitoring the system used to solicit, evaluate, and respond to individual privacy complaints and problems.
- Evaluate implemented privacy controls;
- Assessing existing policies and procedures that address privacy areas.
- Working with appropriate departments to ensure compliance with privacy policies and procedures;
- Recommending and monitoring, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization’s privacy objectives;
- Report to the Chief Privacy Officer on the effectiveness of the privacy controls/program in meeting applicable regulatory requirements and standards.
"Personal Identifiable Information" (PII) as used in this policy, is information that specifically identifies an individual, such as an individual’s name, social security number, telephone number, or e-mail address. Personal information also includes information about an individual’s activities, such as information about his or her activity on the Site or credit history, and demographic information, such as date of birth, gender, address, geographic area, and preferences, when any of this information is linked to personal information that identifies that individual.
Personal information does not include "aggregate" or other non-personally identifiable information. Aggregate information is information that the organization collects about a group or category of products, services, or users that is not personally identifiable or from which individual identities are removed. The organization may use and disclose aggregate information, and other non-personally identifiable information, for various purposes.
PROTECTED HEALTH INFORMATION
"Protected Health Information" (PHI) as used in this policy, is information that specifically identifies an individual used together with medical information. PHI is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses). PHI is also not limited to digital text. Videos, images, x-rays, MRIs, doctors’ notes, and insurance cards are all examples of PHI.
PHI includes, but is not limited to the following data types.