Capuano Care
Certified and Private Home Health Care Services

Care you can count on at home

265 Benton Drive, Suite 201
East Longmeadow, MA 01028

TEL (413) 525-2124 | FAX (413) 525-5691

Privacy/HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. Learn details on the Privacy Rule at http://www.hhs.gov/ocr/privacy/index.html


SUMMARY OF PERSONAL INFORMATION PRIVACY AND SECURITY POLICY

EFFECTIVE AS OF 9/1/2013

PURPOSE

Capuano Care, Inc. (Company) maintains personal and medical information about Company patients, employees and their respective dependents, and other individuals (Personal Information). This section summarizes the written information security program intended by the Company to safeguard this Personal Information (referred to as the “Privacy Policy”).

This summary and the Privacy Policy apply to any and all Personal Information received, maintained, processed, used or disclosed by the Company and any of its employees or workforce members.

Except as specifically provided in this summary or the Privacy Policy, only Company employees or workforce members assigned to work in the Company (Company Employees) may access, use, disclose, process, maintain, modify, and destroy Personal Information; provided that they may do so solely to the extent either (i) permitted by such employee’s job description or Company guidelines then in effect; (ii) reasonably necessary and appropriate to carry out such employee’s assigned responsibilities as set forth in his or her job description or Company guidelines; or (iii) directed by the Privacy Officer or his/her designee or the Security Officer or his/her designee.

A Company Employee who ceases to provide services to the Company for any reason, including disability, change of work assignment, or termination of employment for any reason, shall immediately return to the Company his or her security clearance, passwords, and all other equipment, device or information that enables him or her to access, download, modify, or destroy Personal Information.

Company Employees shall maintain, use or disclose Personal Information in accordance with the procedures set forth in this summary and the Privacy Policy, provided doing so does not result in a violation of any applicable state or federal law, rule, or regulation. No Company Employee shall use or disclose Personal Information for employment-related actions or decisions nor shall such member use or disclose such information for any other improper purpose.

The Company will secure any electronic Personal Information (also known as e-PI), if any, that it creates, receives, maintains, transmits, or destroys in accordance with this summary and the Privacy Policy and applicable state law. The purpose of this summary and the Privacy Policy is to ensure the proper use and disclosure of Personal Information, to maintain the privacy and security of Personal Information, and to provide for the proper destruction of Personal Information when it is no longer needed.

For purposes of this policy “Personal Information” or “PI” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any:

  1. Name, postal or electronic mail address, telephone number, social security number, date of birth, mother's maiden name, official state-issued or United States-issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, Medicaid or food stamp account number, bank account number, credit or debit card number, or personal identification number or code assigned to the holder of a debit card by the issuer to permit authorized electronic use of such card;
  2. Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
  3. Unique electronic identification number, address, or routing code;
  4. Medical records;
  5. Telecommunication identifying information or access device; or
  6. Other number or information that can be used to access a person's financial resources.

HANDLING PERSONAL INFORMATION

In general, any and all statements, faxes, emails, documents or information of any kind which contain PI and are maintained, used or disclosed by the Company in the course of the Company’s business shall not be maintained, used or disclosed other than as necessary to conduct its business or as otherwise permitted or required by law. All Company Employees are required to comply with the following guidelines:

  • With respect to PI, any disclosure of PI to a person other than the individual about whom the information relates must be approved by the Privacy Officer, and if required by law, have the authorization of such individual.
  • In general, PI shall be used and disclosed only as minimally necessary to accomplish the purpose of the use or disclosure.
  • All Company Employees shall take reasonable steps to ensure that all incoming documents, facsimiles and print jobs containing PI are viewable and retrievable only by employees or other persons with a legitimate need for access. In addition, all Company Employees who transmit a facsimile must take reasonable steps to verify that the intended recipient is a person who is required, permitted, or authorized to receive the PI.
  • All Company Employees shall keep and maintain PI in designated and secured file cabinets to which only authorized persons have access. All Company Employees shall take reasonable steps to ensure that access to electronically transmitted PI is password protected or encrypted as required under the Privacy Policy. Electronically-stored PI, including such information residing in electronic mail messages, electronic document files, databases, floppy disks and other computer files must be password-protected and accessible only as permitted by this summary and the Privacy Policy.
  • All Company Employees shall log on to the appropriate electronic systems that access PI only when there is a need to do so for immediately pending work and shall log off from such systems when they are no longer working on the pending matter. All Company Employees shall enable the automatic logoff feature of the information systems through which they access PI, so that the employee’s connection to PI is disconnected after a reasonable period of inactivity.
  • The Privacy Officer shall maintain a log to document all repairs and modifications to the facilities, including those repairs and modifications that affect access to PI, such as offices, file cabinets, file cabinet drawers, network locations, etc. The log shall include the date and the reason for the repair.
  • If a Company Employee needs to remove a laptop, floppy disk, CD or other transportable electronic device containing PI from the office premises, he or she shall maintain such item or equipment in a secure location, and use all necessary steps to maintain the confidentiality and security of the device and PI on the device.
  • All electronic PI shall be subject to the Company’s existing back-up procedures.
  • Any Company Employee with access to PI may only access, use, maintain or disclose such information as necessary to carry out his/her job functions as assigned by the Company.
  • Any Company Employee who knows of an improper use or disclosure of PI must immediately report it to the Privacy Officer.
  • Any Company Employee will be subject to disciplinary action, up to and including termination, in the event the employee violates any of the provisions in this Summary or the Privacy Policy or any other Company policy involving the protection of PI.
  • The Company encourages any Company Employee who has questions regarding these policies to call the Privacy Officer at 413-525-2124.

TRAINING

All Company Employees shall be trained as necessary to apply the terms of these policies. The Privacy Officer shall be responsible for providing training to some or all of the employees as necessary and appropriate for each employee to carry out his or her job. All Company Employees who undergo training shall sign a sheet evidencing their participation in the training.

INTERPRETATION AND APPLICATION OF THESE POLICIES

The Privacy Officer shall have sole authority and discretion to resolve any questions or disputes concerning the interpretation or application of these policies, subject to applicable requirements of law.

AMENDMENT

The Privacy Officer has the right to make material changes to this summary and the Privacy Policy as necessary and appropriate to further the purposes of these policies.

RECORD DESTRUCTION

The Company shall maintain business records for as long as required by applicable law, and as necessary and appropriate in the determination of the Privacy Officer. When retention of such records is no longer required by law, or is no longer deemed necessary and appropriate by the Privacy Officer, the Privacy Officer shall take all reasonable steps to destroy, or arrange for the destruction of, such records by (1) shredding, (2) erasing, or (3) otherwise modifying the PI in those records to make it unreadable or undecipherable through any means. If the Company hires a vendor to provide this destruction function, it shall take reasonable steps to ensure the vendor is reputable and is licensed to perform such services, if such license is required by law.

ENTERING INTO VENDOR AGREEMENTS

In the event the Company obtains services from a vendor, and the services require the vendor to have access to PI, the Company shall obtain written assurances from the vendor that it will implement reasonable safeguards to protect the privacy and security of the PI, and disclose and dispose of PI only as required by law. Any such agreement must be approved by the Privacy Officer. The original copy of any such agreement, executed by all parties, shall be maintained pursuant to the Company’s record retention policy. Prior to disclosing any PI outside of the Company’s normal services to patients, the Privacy Officer shall confirm that an agreement consistent with this policy is on file and that the disclosure is permitted under it.