Privacy Policy
All programs and activities of Healthcare Quality Systems that collect personally identifiable information (PII), and other information at least as sensitive as PII, shall be designed and conducted to ensure that such PII is collected, stored, used, disclosed, and destroyed: (a) in full compliance with any applicable privacy laws and regulations; (b) only within the permissions granted, where permission is required; (c) with commercially reasonable security protection based on the type of information; and (d) consistent with Healthcare Quality Systems’ commitment to respecting individuals’ desire to protect their privacy. All staff designing and conducting programs that collect, store, use, disclose, or destroy PII must do so in accordance with this Privacy Policy, the Privacy Standards below, and applicable Healthcare Quality Systems Privacy & Security Procedures.
Privacy Standards
All programs and activities of Healthcare Quality Systems that collect PII, or any information at least as sensitive as PII, shall be designed and conducted using current industry standard practices intended to ensure that such PII is collected, stored, used, disclosed, and destroyed in accordance with the Privacy Policy and these Privacy Standards. Prior to any collection or use of PII by or for any Healthcare Quality Systems program or activity, the business unit responsible for the program or activity shall develop and document specific Privacy & Security Procedures in the required format to ensure compliance with the Privacy Policy and these Standards. The Privacy & Security Procedures, in addition to other requirements, shall outline:
- how PII is collected by the Healthcare Quality Systems program or activity;
- what type of PII is collected;
- where it will be collected from;
- how it will be used and shared;
- how access to PII by Healthcare Quality Systems personnel will be controlled;
- how PII is kept accurate, complete and secure;
- how long the PII will be kept and how it will be destroyed; and
- how an individual can obtain, confirm, correct, or request permanent deletion (to the extent deletion is required by law) of any PII under Healthcare Quality Systems control.
The Privacy & Security Procedures for each program or activity must be approved by the appropriate manager for that business unit before collection or use of PII begins, whether the PII is collected electronically or in hard copy form.
Standard 1 – Compliance with Laws & Accountability:
Healthcare Quality Systems will comply with all applicable privacy and security laws and regulations. Healthcare Quality Systems will require its vendors and staff to comply with applicable laws and regulations, the Healthcare Quality Systems Privacy Policy, these Healthcare Quality Systems Privacy Standards and any applicable Privacy & Security Procedures.
Standard 2 – Transparency:
Healthcare Quality Systems will make the Privacy Policy and Privacy Standards readily available to individuals providing their own PII to Healthcare Quality Systems and will post a statement summarizing its Privacy Policy and Privacy Standards on its website. When requesting consent from individuals, whether online or offline, Healthcare Quality Systems will describe what information is to be collected, what permissions Healthcare Quality Systems is requesting from them, and how that individual may opt out of the collection of such PII or withdraw consent later. When consent is requested from an individual to collect or use PII, Healthcare Quality Systems will document the consent in a way that is reasonable under the circumstances.
Standard 3 – Limitations on Disclosure:
Because Healthcare Quality Systems values and respects an individual’s desire to keep certain personal information private, Healthcare Quality Systems will not disclose PII to third parties, other than: 1) when consent is required by law, only for purposes included within the consent of the individual providing his or her PII; 2) purposes that are consistent with or are necessary to carry out the original express purpose for which the consent was granted; or 3) as otherwise authorized by law. When individual consent is required, such individual consent shall be obtained at or before the time the information is collected, or before the time the information is used in a way not covered by an individual’s prior consent.
Standard 4 – Security Measures:
Healthcare Quality Systems will use reasonable and appropriate security measures to protect PII against unauthorized access, use, modification or disclosure, and shall ensure that all PII for which it has responsibility is maintained in a secure environment at least at the levels required by any applicable law. Healthcare Quality Systems will use applicable reasonable industry standards when destroying PII to protect against unauthorized disclosure.