265 Benton Drive, Suite 201
East Longmeadow, MA 01028
TEL (413) 525-2124 | FAX (413) 525-5691
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. Learn details on the Privacy Rule at http://www.hhs.gov/ocr/privacy/index.html
EFFECTIVE AS OF 9/1/2013
Capuano Care, Inc. (Company) maintains personal and medical information about Company patients, employees and their respective dependents, and other individuals (Personal Information). This section summarizes the written information security program intended by the Company to safeguard this Personal Information (referred to as the “Privacy Policy”).
This summary and the Privacy Policy apply to any and all Personal Information received, maintained, processed, used or disclosed by the Company and any of its employees or workforce members.
Except as specifically provided in this summary or the Privacy Policy, only Company employees or workforce members assigned to work in the Company (Company Employees) may access, use, disclose, process, maintain, modify, and destroy Personal Information; provided that they may do so solely to the extent either (i) permitted by such employee’s job description or Company guidelines then in effect; (ii) reasonably necessary and appropriate to carry out such employee’s assigned responsibilities as set forth in his or her job description or Company guidelines; or (iii) directed by the Privacy Officer or his/her designee or the Security Officer or his/her designee.
A Company Employee who ceases to provide services to the Company for any reason, including disability, change of work assignment, or termination of employment for any reason, shall immediately return to the Company his or her security clearance, passwords, and all other equipment, devices or information that enable him or her to access, download, modify, or destroy Personal Information.
Company Employees shall maintain, use or disclose Personal Information in accordance with the procedures set forth in this summary and the Privacy Policy, provided doing so does not result in a violation of any applicable state or federal law, rule, or regulation. No Company Employee shall use or disclose Personal Information for employment-related actions or decisions, nor shall such member use or disclose such information for any other improper purpose.
The Company will secure any electronic Personal Information (also known as e-PI), if any, that it creates, receives, maintains, transmits, or destroys in accordance with this summary and the Privacy Policy and applicable state law. The purpose of this summary and the Privacy Policy is to ensure the proper use and disclosure of Personal Information, to maintain the privacy and security of Personal Information, and to provide for the proper destruction of Personal Information when it is no longer needed.
For purposes of this policy, “Personal Information” or “PI” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any:
In general, any and all statements, faxes, emails, documents or information of any kind which contain PI and are maintained, used or disclosed by the Company in the course of the Company’s business shall not be maintained, used or disclosed other than as necessary to conduct its business or as otherwise permitted or required by law. All Company Employees are required to comply with the following guidelines:
All Company Employees shall be trained as necessary to apply the terms of these policies. The Privacy Officer shall be responsible for providing training to some or all of the employees as necessary and appropriate for each employee to carry out his or her job. All Company Employees who undergo training shall sign a sheet evidencing their participation in the training.
The Privacy Officer shall have sole authority and discretion to resolve any questions or disputes concerning the interpretation or application of these policies, subject to applicable requirements of law.
The Privacy Officer has the right to make material changes to this summary and the Privacy Policy as necessary and appropriate to further the purposes of these policies.
The Company shall maintain business records for as long as required by applicable law, and as necessary and appropriate in the determination of the Privacy Officer. When retention of such records is no longer required by law, or is no longer deemed necessary and appropriate by the Privacy Officer, the Privacy Officer shall take all reasonable steps to destroy, or arrange for the destruction of, such records by (1) shredding, (2) erasing, or (3) otherwise modifying the PI in those records to make it unreadable or undecipherable through any means. If the Company hires a vendor to provide this destruction function, it shall take reasonable steps to ensure the vendor is reputable and is licensed to perform such services, if such license is required by law.
In the event the Company obtains services from a vendor, and the services require the vendor to have access to PI, the Company shall obtain written assurances from the vendor that it will implement reasonable safeguards to protect the privacy and security of the PI, and disclose and dispose of PI only as required by law. Any such agreement must be approved by the Privacy Officer. The original copy of any such agreement, executed by all parties, shall be maintained pursuant to the Company’s record retention policy. Prior to disclosing any PI outside of the Company’s normal services to patients, the Privacy Officer shall confirm that an agreement consistent with this policy is on file and that the disclosure is permitted under it.