Privacy Policy Statement:
(updated July 1, 2023)

Go Beyond MCH complies with confidential communications requirements (e.g., with respect to alternate means or locations). The organization ensures it satisfies the implementation specifications listed in the HIPAA Privacy Rule for individual rights.

With limited exceptions, Go Beyond MCH provides individuals the right of access to review and obtain a copy of their PHI in a designated record set for as long as the record set is maintained, and provides such access in a timely manner (30 days with no more than one (1) thirty (30) day extension) for no more than a reasonable, cost-based fee, or, if Go Beyond MCH does not maintain the PHI but knows where it's located, Go Beyond MCH informs the individual where to direct the request.

Go Beyond MCH provides individuals the right to receive an accounting of disclosures of PHI made by Go Beyond MCH in the six (6) years prior to the date on which the accounting is requested, except for specific disclosures addressed in CSF controls 13.c (authorizations provided), 13.d (facility directory and relevant persons), 13.e (correctional institutions and national security or intelligence purposes), 13.i (required disclosures), 13.j (permitted disclosures), and 13.l (limited data sets). Go Beyond MCH acts upon an individual's request for an accounting no later than sixty (60) days after receipt of the request, free of charge for the first request within any twelve (12) month period and, if informed in advance, for a reasonable cost-based fee for subsequent requests within the period. The covered entity's accounting of disclosures includes, for the six (6) years prior to the request, the date, the name and address of the entity that received the PHI, a description of the PHI disclosed, and why the information was disclosed; and, if for research, the name of the research activity, the period of time during which the PHI was disclosed, the contact information of the research sponsor (name, address and phone number), and a statement that the PHI may or may not have been disclosed for a particular research activity.

Go Beyond MCH formally verifies (e.g., with appropriate documentation) the identity and authority of persons (e.g., public officials) requesting PHI.

The organization implements mechanisms to support itemized or tiered consent for specific uses of data.

Go Beyond MCH may deny an individual access to their PHI without providing an opportunity to review only under specific circumstances. Go Beyond MCH only denies an individual access provided the individual is given the right to have such denials reviewed when a licensed healthcare professional determines access would endanger the life or physical safety of, or otherwise cause substantial harm to, the individual or another person. If access is denied for an allowable reason, Go Beyond MCH facilitates review of the denial by a licensed healthcare professional and abides by the decision of the reviewer. Go Beyond MCH provides timely (thirty (30) days plus no more than a thirty (30) day extension), written denial to an individual's request for access in plain language that addresses the basis for denial, a statement of the individual's rights for review of the denial, and a description of procedures for complaints to the entity and the Secretary of Health and Human Services.

If an individual does not object, Go Beyond MCH limits the PHI contained in a directory of individuals at its facility to the individual's name, location, general condition, and religious affiliation and only uses or discloses such information for directory purposes to members of the clergy or, except for religious affiliation, to other persons who ask for the individual by name.

When de-identifying PHI, Go Beyond MCH removes all eighteen (18) data elements required by the HIPAA Administrative Simplification's Privacy Rule and has no knowledge that the resulting data set could be re-identified, or an appropriate person applies generally accepted scientific principles and methods for rendering information not individually identifiable and determines that the risk of re-identification is appropriately small. Go Beyond MCH (i) understands that health information is not identifiable (i.e., de-identified) only when there is no reasonable basis to believe that the information can be used to identify an individual and the information meets federal requirements for de-identified data; (ii) only creates and uses information that is not individually identifiable (i.e., de-identified) when a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified is not disclosed; and (iii), if the de-identified information is subsequently re-identified, only uses or discloses such re-identified information as permitted or required for PHI.

When authorization is required, Go Beyond MCH ensures the authorizations are valid.

Go Beyond MCH does not create compound authorizations except when combining authorizations for the same research study with an authorization for the creation or maintenance of a research database or repository, combining authorizations specifically for the use or disclosure of psychotherapy notes, or combining other allowed authorizations, none of which conditions the provision of treatment, payment, enrollment (in a health plan), or eligibility for benefits (but in no case for psychotherapy notes).

Go Beyond MCH ensures it does not condition the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits on the provision of an authorization except as allowed for research, underwriting and risk determinations, or disclosure of PHI to a third party, but in no case for the use of psychotherapy notes.

Go Beyond MCH denies an individual's request for amendment only if it determines the PHI or record was not created by Go Beyond MCH (unless the originator no longer exists), is not part of the designated record set, is not available for inspection per CSF control 13.f, or is otherwise accurate and complete.

If the request for an amendment is accepted in whole or in part, the organization makes the amendment, informs the individual the amendment was made in a timely manner, and makes reasonable efforts to notify relevant persons with whom the amendment must be shared in a reasonable timeframe.

If a requested amendment is denied in whole or in part, Go Beyond MCH must provide the individual with timely (within thirty (30) days plus thirty (30) days extension) written denial; permit the individual to submit a statement of disagreement; prepare a written rebuttal if the individual submits a statement of disagreement; maintain denials, disagreements and rebuttals as organizational records; and provide relevant information regarding any disagreements in future disclosures of the individual's PHI.

Personal Identifiable Information

The organization collects PII for specified, explicit and legitimate purposes and does not further process such information in a manner that is incompatible with the initial purpose. The organization ensures individuals have the right to amend PII (e.g., PHI or a record about the individual in a designated record set) for as long as the PII is maintained.

When statutory language is written broadly, organizations ensure there is a close nexus between the general authorization and any specific collection of PII by clearly describing the purposes in related privacy compliance documentation. The organization provides real-time and/or layered notice when it collects PII. The organization requests that the individual or individual's authorized representative (i) validate PII during the collection process, and (ii) periodically revalidate that PII collected is still accurate at an organization-defined frequency but no less than annually. Organizations ensure that they use PII only for legally authorized purposes and in a manner compatible with uses identified in the Privacy Act and/or in public notices. Organizations formally evaluate any proposed new uses of PII to assess whether they fall within the scope of the organizational authorities.

The organization, where feasible and within the limits of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure. The organization, where feasible, uses techniques (e.g., as described in NIST SP 800-122) to minimize the risk to privacy of using PII for research, testing, or training.

The organization provides information and otherwise communicates with individuals about the processing of their PII in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and in particular for any information specifically addressed to a child. Such communication may be provided orally when requested by the individual, provided the identity of the individual is proven by other means.

Specific EHNAC Requirements

The organization must determine the level at which PHI is handled, and then respond to all privacy criteria for access to individual information based on that determination.

Specific GDPR Requirements

Where personal data relating to a data subject are collected from the data subject, or obtained from other sources, the controller, at the time when personal data are obtained and if the data subject does not already have it, provides the data subject with all the information required under the EU GDPR. Unless the data subject already has it, the controller provides the subject with information on any additional (further) processing of personal data for a purpose other than that for which it was originally collected or otherwise obtained. Where personal data have not been obtained from the data subject, the controller provides the data subject with the minimum information required under the EU GDPR and in the specified timeframe. With limited exception, the data controller ensures the appropriate information is provided to a data subject about the processing of personal data.


Background/Definitions:

As used in this Policy, certain terms are defined as follows:

Availability – the property that data or information is accessible and usable upon demand by an authorized person. As it relates to security, systems [which normally include hardware, software, information, data, applications, communications, and people] must be maintained and protected so that authorized individuals can access them when required. Denial of service attacks or malicious software [i.e., a virus designed to damage or disrupt a system] may target the availability of the information system [or an interconnected set of information resources under the same direct management control that shares common functionality], causing the system to crash or become unavailable to its users [persons or entities with authorized access]. This loss of service can cause financial hardship where revenue is lost due to system downtime, or reputational harm when users cannot service their clients in a timely manner because the systems are unavailable.

Confidentiality – the property that data or information is not made available or disclosed to unauthorized persons or processes. If an unauthorized individual gains access to a person’s electronic protected health information, the confidentiality of this information has been breached.

Confidential Communications – communications that would be considered personally identifiable information, but not necessarily protected health information. This information may consist of human resources related information such as dates of birth, social security numbers, phone numbers, and addresses. Although this information may consist of direct identifiers, it would not be associated with health records.

Disclosure – the release of information outside of the control of the organization that maintains the information. Also, the transfer of, provision of, access to, and divulging in any other manner of that information.

Protected Health Information or Electronic Protected Health Information – individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium, whether electronic, paper, or oral. Individually identifiable health information is information that identifies, or can reasonably be used to identify, an individual and is created or received by a healthcare provider, health plan, employer, healthcare clearinghouse, or business associate. This information can relate to the past, present, or future physical or mental condition of an individual, or to payment for healthcare provided to an individual. The following eighteen (18) direct identifiers relate to individually identifiable health information:

1. Names
2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo-codes, except for the initial three (3) digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
   a. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
   b. The initial three (3) digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to ‘000’.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over eighty-nine (89) and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age ninety (90) or older
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code

Note: Genetic Information is also considered protected health information.
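The transformation rules in elements 2 and 3 above (three-digit zip prefixes with the ‘000’ substitution, year-only dates, and the 90-or-older age category) are the only non-trivial parts of this list, so here is an added illustration of how a record could be reduced under them. This is example code written for this page, not Go Beyond MCH's own tooling; the field names, the sample record and the RESTRICTED_ZIP3 set are constructed placeholders (the real restricted prefixes come from current Census data, which the page does not reproduce).

```python
import re
from datetime import date

# Direct identifiers (elements 1 and 4-18) are dropped outright; zip, dates and
# age (elements 2 and 3) are generalized instead. Field names are assumptions.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# CONSTRUCTED placeholder: three-digit zip areas with 20,000 or fewer people
# must be taken from the current Census data before real use.
RESTRICTED_ZIP3 = {"036", "059", "102"}

def generalize_zip(zip_code):
    """Element 2: keep the first three digits, or '000' for small areas."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:          # malformed zip: nothing safe to keep
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def generalize_age(age):
    """Element 3: ages over 89 collapse into the single '90+' category."""
    if age is None:
        return None
    return "90+" if age > 89 else age

def safe_harbor_deidentify(record):
    out = {}
    over_89 = record.get("age") is not None and record["age"] > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field == "age":
            out[field] = generalize_age(value)
        elif field in DATE_FIELDS:
            # Keep the year only; for ages over 89 the birth year itself is
            # indicative of age, so it is removed as well.
            if not isinstance(value, date):
                out[field] = None
            else:
                out[field] = None if (over_89 and field == "birth_date") else value.year
        else:
            out[field] = value   # non-identifying clinical data is retained
    return out

# Constructed sample record for demonstration only.
SAMPLE_RECORD = {"name": "Jane Doe", "zip": "02139-1234", "age": 92,
                 "birth_date": date(1931, 3, 4), "admission_date": date(2023, 5, 6),
                 "diagnosis": "E11.9", "phone": "555-0100"}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD))
```

Safe Harbor removes the listed elements; it does not, by itself, guarantee the residual data cannot be re-identified, which is why the policy also requires that the organization have no knowledge of such a risk.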