Privacy Policies

HIC, Inc. has three privacy domains – PHI, corporate and public. Each of these domains has specific privacy requirements which are explained below.

PHI Domain

PHI is individually identifiable health information, including demographic data, that relates to (a) the individual’s past, present or future physical or mental health or condition; (b) the provision of health care to the individual; or (c) the past, present, or future payment for the provision of health care to the individual. PHI also includes many common identifiers such as name, address, birth date, Social Security Number (“Summary of the HIPAA Privacy Rule,” 2013).

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), HIC, Inc. is mandated to comply with all regulations and standards which protect the privacy and confidentiality of PHI that is stored or transmitted within the PHI

domain. The Privacy Rule standards address the use and disclosure of individual’s health information called PHI and the individual’s privacy rights to understand and control how their health information is used (“Summary of the HIPAA Privacy Rule,” 2013).

The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 requires HIC, Inc. to notify any a!ected individuals following the discovery of a breach of unsecured PHI (McHale, 2010).

HIC, Inc. may use and disclose PHI without individual authorization as required by law, including by statute, regulation, or court orders (“Summary of the HIPAA Privacy Rule,” 2013).

The PHI can only be disclosed to a third-party with the authorization of the patient unless the disclosure is related to healthcare treatment, payment for healthcare or healthcare-related operations (“HIPAA Privacy Rule,” n.d.).

Access to PHI data is controlled by role-based access control (RBAC). RBAC allows greater control on who can access the PHI data. Access is granted to the individuals whose job requires to interact with PHI data.

Corporate Domain

The corporate data that needs protection under this domain include company marketing strategies, product development, trade secrets, and financial data.

Employee personally identifiable information (PII) such as name, race, gender, address, social security numbers, and birth date also come under this domain (“Creating a Privacy Policy,” 2016).

Since HIC, Inc. accepts credit card payments for its services, it complies with the Payment Card Industry Data Security Standard (PCI DSS) standards to securely accept, store, process, and transmit cardholder data during the credit card transaction.

HIC, Inc. is a publicly traded company; therefore, it is mandated to comply with Sarbanes- Oxley Act of 2002 (SOX) to protect shareholders and the general public from accounting errors and to improve the accuracy of corporate disclosures (Groot, 2019).

Access to corporate data, employee records, and customer payment information is restricted to the employees whose job requires them to interact with the data using a company role-based access control (RBAC) system. The company human resources and financial departments controls of the privacy of the data.

Public Domain

Information that is available to the public via the company website or press releases falls into this domain. The information includes company products and services, customer support information and quarterly financial statements. Public a!airs and the financial department control the privacy of the data. Once the information is released to the public there is no expectation of privacy because there is no control over how it is stored or transmitted.

References

  • Creating a Privacy Policy CSOL 540 Cyber Security Operational Policy Module 6 Presentation 2. (2016). Retrieved from https://vimeo.com/175581926/725ec05a43
  • Groot, D. J. (2019, July 15). What is SOX Compliance? 2019 SOX Requirements & More. Retrieved from https://digitalguardian.com/blog/what-sox-compliance
  • HIPAA Privacy Rule. (n.d.). Retrieved from https://www.hipaajournal.com/hipaa- privacy-rule/
  • McHale, R. (2010, May 3). Cloud Security and Privacy: A Legal Compliance and Risk- Management Guide, Part 1. Retrieved from http://www.informit.com/articles/article.aspx?p=1582936
  • Summary of the HIPAA Privacy Rule. (2013, July 26). Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws- regulations/index.html