HIPAA & GDPR Compliance Policies
We want to ensure that we adhere to the highest standards of privacy. As such, we follow the US HIPAA guidelines and the EU General Data Protection Regulation (GDPR) to protect the privacy of our clients and visitors.
These guidelines ensure that our marketing activities comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes national standards to protect the privacy and security of individuals' medical records and other protected health information (PHI).
For detailed information on HIPAA, refer to the following sites:
- Health Insurance Portability and Accountability Act (HIPAA)
- Office for Civil Rights (OCR) - HIPAA Privacy Rule
Our HIPAA guidelines for marketing activities are as follows:
- Understanding PHI: PHI includes any information that can identify an individual and relates to their past, present, or future physical or mental health, the provision of health care, or payment for health care. This includes names, addresses, birth dates, and Social Security numbers.
- Authorization and Consent: Before using any PHI for marketing purposes, explicit written consent must be obtained from the individual. This consent must detail how their information will be used and shared. Without this authorization, using PHI in marketing is prohibited.
- De-identification of Data: Whenever possible, use de-identified data in marketing materials. De-identified data is stripped of all elements that could be used to identify the individual, ensuring it falls outside the scope of HIPAA.
- Business Associate Agreements (BAAs): Ensure all third-party vendors handling PHI have signed a Business Associate Agreement (BAA). This contract must outline their responsibilities to protect PHI in compliance with HIPAA regulations.
- Secure Handling of PHI: All PHI must be stored, accessed, and transmitted using secure methods that comply with HIPAA security standards. This includes encryption, secure servers, and access controls.
- Training and Awareness: All employees involved in marketing activities must receive training on HIPAA regulations and the importance of protecting PHI. Regular refresher courses should be conducted to ensure ongoing compliance.
- Breach Notification: In case of a PHI breach, follow the HIPAA-mandated breach notification procedures. This includes promptly notifying affected individuals, the Department of Health and Human Services (HHS), and, in certain cases, the media.
Under the GDPR, we distinguish between two roles:
- The data controller is the entity (individual or organization) that determines the purposes and means of processing personal data.
- The data processor is the entity (individual or organization) that processes personal data on behalf of the controller.
We process personal data in accordance with the GDPR principles:
- Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and transparently.
- Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimization: Only the data necessary for stated purposes is collected and processed.
- Accuracy: Data is accurate and kept up to date. Inaccurate data is erased or rectified without delay.
- Storage Limitation: Personal data is kept in a form that permits the identification of data subjects for no longer than necessary.
- Integrity and Confidentiality: Data is processed to ensure appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
We honour the rights that the GDPR grants to data subjects (the individuals whose data we process):
- Right to Access: Individuals can request access to their personal data.
- Right to Rectification: Individuals can request correction of inaccurate or incomplete data.
- Right to Erasure: Individuals can request the deletion of their data (also known as the "right to be forgotten").
- Right to Restrict Processing: Individuals can request that the processing of their data be restricted.
- Right to Data Portability: Individuals can request their data be transferred to another organization.
- Right to Object: Individuals can object to the processing of their data.
- Rights Related to Automated Decision-Making and Profiling: Individuals can demand human intervention or challenge a decision based solely on automated processing, including profiling.