Policies

Protecting Personally Identifiable Information (PII) and Protected Health Information (PHI) in Persimmony Systems

Updated January 27, 2014

Purpose

This policy governs the treatment of personally identifiable information (PII) and protected health information (PHI) within and among Persimmony systems.

Scope

This policy applies to Persimmony and any third-party vendor creating, storing, or maintaining Persimmony data or Persimmony client data per a contractual agreement.

Effective Date

This version of the policy became effective on January 27, 2014.

All new systems designed and implemented after January 1, 2013, must comply with the security standards described herein. Data stewards must have a compliance plan for all systems with confidential data by January 1, 2011.

Authority

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to safeguard sensitive information known as protected health information (PHI). HIPAA is strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2013. The two essential components of HIPAA compliance are the HIPAA Privacy Rule and the HIPAA Security Rule.

PHI Defined

PHI is generally defined as any information that can be used to identify a patient, including a deceased patient, that relates to that individual’s past, present or future physical or mental health or condition, including health care services provided and payment for those services. Persimmony personnel may have access to PHI in performing their duties.

All the following types of information are considered identifiers under HIPAA:

Patient name Geographic subdivision smaller than state
Telephone number Fax number
Social Security number Vehicle identifier
Email address Web URL and IP address
Dates except year Names of relatives
Full-face photographs or images Health care/medical record numbers
Account numbers Biometric identifiers such as fingerprints or voiceprints
Device identifiers Health plan beneficiary numbers
Certificate/license numbers U.S. Citizenship and Immigration Services (USCIS) Alien Registration Number (also known as A number or USCIS number)
Passport number Any other unique number, code or characteristic that can be linked to an individual

Access Policy

All Persimmony team members must have a job-related reason for accessing any HIPAA data for participants in any of our clients’ programs. This policy applies to data in all formats or media. A breach occurs when information that must be protected is lost, stolen or disposed of improperly; hacked into by people or programs that are not authorized to have access (e.g., when the system in which the information is located is compromised by a virus or other unauthorized code); or communicated or sent to others who have no official need to receive it. This policy forbids Persimmony personnel from disclosing PII and PHI during such activities as phone conversations, social media, unencrypted email messages, and any non-job-related discussion or transmission of the PII or PHI.

Individuals, not just the covered entities for which they work, are subject to HIPAA rules.

Persimmony maintains a formal record of all registered users. This record is checked regularly for unused, redundant or expired accounts, as well as incorrect privileges. New accounts that have not been used for a maximum of 14 days are disabled. User accounts of personnel leaving the Persimmony team are removed immediately.

Reporting Breaches

Any Persimmony team member who becomes aware of a breach, whether suspected or confirmed, must report it immediately (within two hours) to the CEO/CISO. When reporting a breach, associates must not forward the PII or PHI itself as part of the reporting process. Breaches may result in both civil and criminal penalties.

In addition to Persimmony senior management, breaches must also be reported to the client whose data was, or may have been, compromised. The CEO/CISO, or his designee, will make that report to the client within 24 hours of discovering the suspected or confirmed breach.

Business Associate Obligations

Persimmony is a business associate of our clients whose databases contain extensive PII and PHI. Under the HITECH rule, a business associate is directly liable for complying with HIPAA privacy and security requirements. That rule obligates Persimmony to do the following:

  • Use appropriate safeguards to prevent the access, use or disclosure of PII other than as permitted by the contract with the covered entity
  • Obtain satisfactory assurances from subcontractors (for example, the company that hosts the Persimmony data center) that appropriate safeguards are in use to prevent the access, use or disclosure of the PII entrusted to it
  • Notify the covered entity of any breach of unsecured PII or PHI for which Persimmon was responsible upon discovery
  • Ensure Persimmony and subcontractor personnel receive HIPAA training
  • Protect PII and PHI to the same degree that a covered entity would protect it

HIPAA Security Rule

The HIPAA Security Rule focuses on the confidentiality, integrity and availability of PHI.

  • Confidentiality means the data or information is not made available or disclosed to unauthorized persons or processes
  • Integrity means the data or information has not been altered or destroyed in an unauthorized manner
  • Availability means data or information can be accessed and used only by an authorized person

Safeguards

In compliance with HIPAA and HITECH, Persimmony uses administrative, technical and physical safeguards to protect the privacy of PII and PHI. Safeguards must meet the following minimum standards:

  • They must protect PII and PHI from accidental or intentional unauthorized use or disclosure in computer systems
  • They must limit accidental disclosures
  • They must include practices such as encryption, document shredding, locking doors and file storage areas, and the use of passwords and codes for access

All Persimmony team members are required to use up-to-date security/virus protection software on any devices they use to perform their jobs for Persimmony. Upon request, they must provide to the company screen shots of that software on their personally owned equipment.

Contracts with Third Parties

Contracts between Persimmony and third parties involving Persimmony data must include language requiring compliance with all applicable laws, regulations, and Persimmony policies related to data and information security; immediate notification to Persimmony if Persimmony data is used or disclosed in any manner other than allowed by the contract; and, to the extent practicable, mitigate any harmful effect of such use or disclosure.

Roles and Responsibilities

Everyone with any level of access to Persimmony data is responsible for its security and is expected to observe requirements for privacy and confidentiality, comply with protection and control procedures, and accurately present the data in any type of reporting function. The following roles have specific responsibilities for protecting and managing Persimmony data and data collection.

  1. Chief Information Security Officer – Provides advice and guidance on information and information technology security policies and standards. This role is currently held by Persimmony’s Chief Executive Officer.

Related Laws, Regulations, or Policies

Federal Legislation and Guidelines

  1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)http://www.hhs.gov/ocr/hipaa/
  2. Electronic Communications Privacy Act of 1986 (ECPA) https://it.ojp.gov/default.aspx?area=privacy&page=1285
  3. NIST Publication 800-88 “Guidelines for Media Sanitization” http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf
  4. NIST Publication 800-53 “Recommended Security Controls for Federal Information Systems” http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
  5. NIST Publication 800-60 “Guide for Mapping Types of Information and Information Systems to Security Categories”http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf 
  6. Executive Order 12958, Classified National Security Information, As Amended, March 2003 https://www.fas.org/sgp/crs/secrecy/97-771.pdf

Questions/Waivers

The CEO/CISO is responsible for this policy, and for ensuring compliance with all applicable data security standards.

Questions related to the policy or standards should be directed to the CEO/CISO at michaelk3@persimmony.com or the COO at Maureen.Tierney@persimmony.com

The CEO or designee must approve any exception to this policy.