GDPR and HIPAA Compliance Policy

Introduction

At ABSmartly we take our responsibilities under the General Data Protection Regulation (GDPR) very seriously. In addition to our obligations deriving from the GDPR and to further our business we have voluntarily committed to the Health Insurance Portability and Accountability Act (HIPAA). Whilst the GDPR governs the use of and applies to all personal data of the persons that fall within its scope, HIPAA has a much narrower scope and only applies to HIPAA protected health information (PHI). As both allow for some overlap and the security of personal data is given the uttermost importance, more stringent provisions are applied in order to supplement and resolve challenges where ambiguity raises.

 This policy sets out how personal data is managed and dealt with in order to ensure that the obligation to fulfill individuals' reasonable expectations of privacy is applied and followed and that the responsibilities established under the GDPR and HIPAA are complied with.


Rationale

ABsmartly acquires, uses, stores and otherwise processes personal data relating to potential and current clients and their customers, current and potential and former employees and contractors, website users and contacts, and collectively refers to those individuals in this policy as data subjects. Likewise, no distinction is made between the rights of data subjects, and all are treated equally under this policy.

 

Purpose of the policy

This policy seeks to ensure that ABsmartly is:

  • clear about how personal data must be processed;

  • complying with the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and with good practice;

  • protecting the personal data entrusted to us and that it is processed in accordance with data subjects’ rights;

  • protecting itself from risks of personal data breaches and breaches of data protection laws;

Scope

The policy covers both personal and special category personal data held by ABSmartly in relation to data subjects. The policy applies equally to personal data held in print and digital form. All employees and others processing personal data on behalf of ABsmartly must read it and a failure to comply may result in disciplinary action. All managerial and executive staff is responsible for ensuring that their subordinated staff is complying with this policy and should implement appropriate practices, processes, controls, and training accordingly.

 

Data Protection Officer

ABsmartly's Data Protection Officer (DPO) is Bruno Silva and can be reached at dpo@absmartly.com.

 

Data Protection Principles

ABsmartly is responsible for, and must be able to demonstrate compliance with the data protection principles set out in the GDPR/HIPAA and all personal data must be:

  • processed lawfully, fairly, and in a transparent manner in relation to the data subject;

  • collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes subject to appropriate safeguards and provided that there is no risk of breaching the privacy of the data subject.

  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

  • accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed is erased or rectified without delay;

  • kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organizational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject; and

  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures;

 

Data Subjects’ Rights

The GDPR grants several rights to data subjects and how their data is handled. These include the following:

  • the right to be informed;

  • the right of access;

  • the right of rectification;

  • the right to erasure (the “right to be forgotten”);

  • the right to restrict processing;

  • the right to data portability;

  • the right to object;

  • rights with respect to automated decision-making and profiling.

  • the right to withdraw consent

  • to be notified of a data breach that is likely to result in high risk to their rights and freedoms; and

  • to make a complaint to the relevant Data Protection Authority.

 

The HIPAA also grants rights to data subjects and how their data is handled. These include the following:

  • the right to inspect and copy.

  • the right to get notice of a breach.

  • the right to amend, correct or add

  • the right to an accounting of disclosures

  • the right to request restrictions

  • the right to request confidential communications

  • the right to choose someone to act for the individual

 

ABsmartly requires the verification of the identity of an individual requesting data under any of the rights listed. Requests made must be complied within one month of receipt and immediately forwarded to the DPO and are processed free of charge.

 

Accountability

ABsmartly must implement appropriate technical and organizational measures in an effective manner to ensure compliance with data protection principles. ABsmartly is responsible for and must be able to demonstrate compliance with the data protection principles. Consequently, adequate resources and controls to ensure and document GDPR/HIPAA compliance are put into place. Those are

  • the appointment of a DPO;

  • security and privacy measures when processing and handling data are implemented;

  • a Data Protection Impact Assessment (DPIA) is carried out;

  • policies and procedures for processing and handling data are implemented;

  • ABsmartly staff is trained in accordance with the GDPR/ HIPAA;

  • security and privacy measures and processing and handling policies and procedures are reviewed and updated;

  • Audits and reviews are carried out regularly;

 

Responsibility

As the Data Controller, ABsmartly is responsible for establishing policies and procedures in order to comply with data protection law.

 

The DPO is responsible for:

  • advising ABsmartly and its staff of its obligations under GDPR/ HIPAA

  • monitoring that the GDPR/HIPAA and other relevant data protection laws are followed and applied;

  • monitoring training and audit activities related to GDPR/HIPAA compliance;

  • advice when requested and conduct data protection impact assessments;

  • act as the contact point for the Information Commissioner and data subjects; and

  • oversee ABsmartly’s performance regarding risk deriving from processing operations, considering the nature, scope, context, and purpose.

Staff members are responsible for:

ABsmartly’s staff members who process personal data of employees, clients, customers etc. Staff members must ensure that

  • all personal data is kept securely;

  • no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorized third party;

  • personal data is kept in accordance with ABsmartly’s retention schedule;

  • queries concerning data protection, complaints, and access requests are forwarded to the DPO immediately;

  • data protection breaches are swiftly made known to the DPO and that support in resolving breaches I prioritized;

  • any uncertainty about data protection is addressed to the DPO without delay;

  • they are aware of the Data Protection principles and have read this Policy;

 

De-Identification

ABsmartly may use or disclose de-identified Personal Data, Personal Identity Information, and Personal Health Information without obtaining an individual’s authorization when in accordance with the GDPR/HIPAA any such Personal Data, Personal Identity information, and Personal Health Information is de-identified.

 

Personal Data, Personal Identity Information, and Personal Health Information shall be considered de-identified if either of the two de-identification procedures set forth below is followed.

 

Removal of Identifiers

De-identified Personal Data, Personal Identity Information, and Personal Health Information are rendered anonymous when the ABsmartly does not have any actual knowledge that the information could be used alone or in combination with other information to identify an individual.

De-identification requires the elimination not only of primary or obvious identifiers, such as the individual’s name, address, and date of birth but also of secondary identifiers through which a user could deduce the individual’s identity.

For information to be de-identified the following identifiers must be removed

  • Names;

  • All address information except for the state;

  • Names of relatives and employers;

  • All elements of dates (except year);

  • Telephone number;

  • Fax numbers;

  • E-mail addresses;

  • Social security numbers;

  • Medical record numbers;

  • Health plan beneficiary numbers;

  • Account numbers;

  • Certificate/license numbers;

  • Vehicle identifiers, including license plate numbers;

  • Device IDs and serial numbers;

  • Web Universal Resource Locaters (URL);

  • Internet Protocol (IP) addresses;

  • Biometric identifiers;

  • Full face photographic images and other characteristics (except as other wise permitted for re-identification purposes).

Statistical Method

Personal Data, Personal Identity information and Personal Health Information is considered de-identified if a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable; (a) determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify and individual who is subject of the information; and (b) documents the methods and results of the analysis to justify such determination.

Third-Party Data Processors

Where ABsmartly is outsourcing or using external companies for the processing of personal data, the responsibility for the data remains with ABsmartly.

A third-party data processor must

  • provide sufficient guarantees about its data protection and security measures;

  • agree to a written contract covering what personal data is processed and for what purpose; and

  • agree to a written data processing agreement;

 

Data Subject Access Requests

Data subjects have the right to receive a copy of their personal data which is held by ABsmartly. Likewise, an individual is entitled to receive further information about processing their personal data and in particular on:

  • the purpose of processing;

  • the categories of personal data being processed;

  • the recipients of personal data;

  • the retention periods;

  • information about their rights;

  • the relevant safeguards when personal data is transferred outside the EEA;

  • any third-party source of the personal data;

Do not share any personal data without proper authorization. Do not alter, conceal block or destroy personal data after such a request has been made. Contact the DPO before making any changes or replying to a Data Subject Access Requests.

Reporting a personal data breach

The GDPR/HIPAA requires that ABsmartly report any personal data breach to the Information Commissioner if there is a risk or high risk to the rights and freedoms of the data subject. If you know or suspect a personal data breach inform the DPO immediately and follow the instructions set out in the data breach procedure.

 

Limitations on the transfer of personal data

The transfer of personal data to a country outside the EEA will only take place if one or more of the following applies:

  • the European Commission confirmed that the particular country ensures an adequate level of protection for the data subjects’ rights and freedoms;

  • the particular country provides appropriate safeguards such as binding corporate rules, standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism;

  • the data subject has explicitly agreed to the transfer;

  • the transfer is necessary for the performance of a contract between the data subject and ABsmartly;

  • the transfer is necessary for one of the other reasons set out in the GDPR/HIPAA including:

    • the public interest;

    • establish, exercise or defend legal claims;

    • to protect the vital interests of the data subjects;

    • if the data subject is physically or legally unable to give their consent;

Record Keeping

The GDPR/HIPAA requires ABsmartly to keep full and accurate records of all data processing activities. Keep and maintain accurate corporate records reflecting personal data processing, including the Consent Forms. Records should include, at a minimum, the name and contact details of the DPO, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period and a description of the security measures in place.

 

Similar, records of personal data breaches must also be kept and cover the following:

  • the facts surrounding the breach;

  • its effects;

  • the remedial action taken;

 

Data Flow and Mapping

ABsmartly uses to identify the elements of personal data that are being processed, data flow, and mapping tools. Those aim to illustrate how data is handled, processed and stored and assists ABsmartly to maintain and improve personal data policies and procedures.

Training and Audit

ABsmartly is required to ensure that all staff members are adequately trained and compliance with the GDPR/ HIPAA is possible. We also regularly test our policies, systems, and processes to assess and ensure compliance.

Data privacy by design and default

ABsmartly has to ensure that by default only personal data which is necessary for each specific purpose is processed. The obligation applies

  • to the volume of personal data collected

  • the extent of the processing

  • the period of storage and the accessibility of the personal data

In particular, personal data should not be available to an indefinite number of persons and you must ensure that you adhere to those measures.

ABsmartly's SDK

In order to ensure GDPR/HIPAA compliance and the highest levels of data protection possible, ABsmartly has designed its SDK and A/B testing platform with privacy in mind. For this reason, all Personal Data, Personal Identity information and Personal Health Information processed is de-identified using state of the art technical, and physical safeguards and operate a firm system of policies, confidentiality agreements, digital safeguards, and procedures to ensure the highest level of administrative protection.

Device and Media Controls

It is the policy of ABsmartly to ensure the privacy and security of Personal Data, Personal Identity Information, and Personal Health Information in the maintenance, retention, and eventual destruction/disposal of such media.  ABsmartly also recognizes that media containing Personal Data, Personal Identity information and Personal Health Information may be reused when appropriate steps are taken to ensure that all stored Personal Data, Personal Identity information and Personal Health Information has been effectively rendered inaccessible. Destruction/disposal of patient health information shall be carried out in accordance with federal and state law and as defined in the organizational retention policy.  The schedule for destruction/disposal shall be suspended for records involved in any open investigation, audit, or litigation.

Encryption And Decryption

In compliance with GDPR/HIPAA providers must have in place and implemented policies and procedures to encrypt and decrypt electronic protected health information.

 

The investigation, selection, and installation of an appropriate software product by the Network Administration staff that fits the needs of the organization for those users who have the need to send electronic Personal Data, Personal Identity Information, and Personal Health Information over open networks (e-mail) has been completed.

 

ABsmartly employees are required to use the encryption software for all emails sent which contain Personal Data, Personal Identity information, and Personal Health Information.

 

A list of all users needing the software was developed and is maintained by the Network Administration staff. Adequate training on the use of the selected software will be mandatory and provided to each user (existing and new) by the Network Administration staff or DPO.

 

Minimum Necessary

Minimum Necessary is the process that is defined in the GDPR/HIPAA regulations:  When using or disclosing protected health information or when requesting Personal Data, Personal Identity information and Personal Health Information from another covered entity, a covered entity must make reasonable efforts to limit Personal Data, Personal Identity information and Personal Health Information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. 

 

It is ABsmartly’s policy to ensure the privacy and security of Personal Data, Personal Identity Information, and Personal Health Information by limiting the use and disclosure of Personal Data, Personal Identity information, and Personal Health Information to what is minimum or reasonably necessary to accomplish the intended purpose.

Data Breach

Data security breaches are increasingly common occurrences whether caused by human error or via malicious intent. As the amount of data and information grows and technology develops, there are new ways by which data can be breached. ABsmartly needs to have in place a robust and systematic process for responding to any reported data security breach, to ensure it can act responsibly and protect the personal data which it holds.

 

The aim of this policy is to standardize ABsmartly’s response to any data breach and ensure that they are appropriately logged and managed in accordance with the law and best practices, so that:

  • incidents are reported swiftly and can be properly investigated

  • incidents are dealt with in a timely manner and normal operations restored

  • incidents are recorded and documented

  • the impact of the incident is understood, and action is taken to prevent further damage

  • the Supervisory Authority and data subjects are informed as required in more serious cases

  • incidents are reviewed, and lessons learned

 

Article 4 (12) of the General data protection Regulation (“GDPR”) defines a data breach as “a breach of security leading to the unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”

 

ABsmartly is obliged under the GDPR to act in respect of such data breaches. This procedure sets out how ABsmartly will manage a report of a suspected data security breach.

 

The aim is to ensure that where data is misdirected, lost, hacked or stolen, inappropriately accessed or damaged, the incident is properly investigated and reported, and any necessary action is taken to rectify the situation.

 

A data security breach can come in many forms, but the most common are as follows:

  • Loss or theft of paper or other hard copy

  • Data posted, emailed or faxed to the incorrect recipient

  • Loss or theft of equipment on which data is stored

  • inappropriate sharing or dissemination-Staff accessing information to which they are not entitled

  • Hacking, malware, data corruption

  • Information is obtained by deception or “blagging”

  • Equipment failure, fire, or flood

  • Unescorted visitors accessing data

  • Non-secure disposal of data

 

In any situation where staff is uncertain whether an incident constitutes a breach of security, report it to the Data Protection Officer (DPO). If there are IT issues, such as the security of the network being compromised, IT should be informed immediately.

 

This Company-wide policy applies to all ABsmartly information, regardless of format, and is applicable to all officers, members, visitors, contractors, partner organizations, and data processors acting on behalf of ABsmartly. It is to be read in conjunction with ABsmartly’s Information Security Policy.

 

Responsibilities

Information users

The GDPR applies to both Data Controllers and to Data Handlers. Therefore, all information users are responsible for reporting actual, suspected, threatened or potential information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage. Managers Heads of Department are responsible for ensuring that staff in their area act in compliance with this policy and assist with investigations as required.

 

Lead Responsible Officers

Lead responsible officers will be responsible for overseeing the management of the breach in accordance with the Data Breach Management Plan. Suitable further delegation may be appropriate in some circumstances.

 

Reporting a Breach

Internal

Suspected data security breaches should be reported promptly to the DPO as the primary point of contact.

The report must contain full and accurate details of the incident including who is reporting the incident [and what classification of data is involved]. The incident report form should be completed as part of the reporting process.

 

Once a data breach has been reported an initial assessment will be made to establish the severity of the breach. See Appendix

 

All data security breaches will be centrally logged by the DPO to ensure appropriate oversight of the types and frequency of confirmed incidents for management and reporting purposes.

 

External

Article 33 of the GDPR requires ABsmartly as the data controller to notify the Supervisory Authority only when the breach “is likely to result in a risk to the freedoms and rights of natural persons”. Such a breach also must be communicated to the data subject (with certain exceptions). Notification must be made “without undue delay” and within 72 hours of becoming aware of it. If ABsmartly fails to do this, it must explain the reason for the delay.

 

Article 33(5) requires that ABsmartly must maintain documentation on data breaches, their nature, and remedial action taken.

 

A report to the Supervisory Authority must contain information as to the nature of the breach, categories of data, number of data records, number of people affected, name and contact details of DPO, likely consequences of the breach, and action taken.

 

Data Breach Management Plan

ABsmartly’s response to any reported data security breach will involve the following four elements.

  1. Containment and Recovery

  2. Assessment of Risks

  3. Consideration of Further Notification

  4. Evaluation and Response

Each of these four elements will need to be conducted in accordance with the checklist. An activity log recording the timeline of the incident management should also be completed. This reflects current guidance from the Supervisory Authority, which is likely to change.

 

Disciplinary

Officers, members, contractors, visitors, or partner organizations who act in breach of this policy may be subject to disciplinary procedures or other appropriate sanctions.

Data Protection Impact Assessments (DPIAs)

ABsmartly must also conduct DPIAs in respect of high-risk processing before that processing is undertaken. ABsmartly’s DPO will conduct a DPIA when:

  • new or changing technologies such as programs, systems, or processes are introduced;

  • automated processing including profiling takes place;

  • sensitive and special category data is processed on a large scale;

  • systematic monitoring of a publicly accessible area on a large scale takes place;

A DPIA must include:

  • a description of the processing, its purposes, and the Data Controller’s legitimate interests if appropriate;

  • an assessment of the necessity and proportionality of the processing in relation to its purpose;

  • an assessment of the risk to individuals;

  • the risk-mitigation measures in place and demonstration of compliance;

Marketing

ABsmartly is subject to certain rules and privacy laws when marketing to our clients and customers. A data subject’s prior consent is required for electronic direct marketing (for example, by email, text, or automated calls). The right to object to direct marketing must be explicitly offered to the data subject in an intelligible manner so that it is clearly distinguishable from other information. A data subject’s request to object to direct marketing must be respected. If a data subject opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

Policy Review

ABsmartly will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives on at least an annual basis and more frequently if required taking into account changes in the law and organizational or security changes.

Glossary of Terms

Automated Decision-Making (ADM)

When a decision is made which is based solely on automated processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not automated processing.

 

Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular, to analyze or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Profiling is an example of automated processing.

 

Consent

An agreement which must be freely given, specific, informed, and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them.

 

Data Controller

The person or organization that determines when, why, and how to process personal data. It is responsible for establishing practices and policies in accordance with the GDPR/HIPAA. ABsmartly is the Data Controller of all personal data relating to it and used delivering education and training and all other purposes connected with it including business purposes.

 

Data Subject

A living identified or identifiable individual about whom we hold personal data.

 

Data Protection Impact assessment (DPIA)

An assessment tool used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the processing of personal data.

 

Data Protection Officer (DPO)

The person appointed as such under the GDPR and in accordance with its requirements. A DPO is responsible for advising ABsmartly on their obligations under Data Protection Law, for monitoring compliance with data protection law, as well as with policies, cooperating with the Information Commissioner, and acting as a point of contact.

 

Personal Data

Any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymized personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location, or date of birth) or an opinion about that person’s actions or behavior.

 

Personal Data Breach

Any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data, where that breach results in a risk to the data subject. It can be an act or omission.

 

Privacy by Design and Default

Means implementing appropriate technical and organizational measures in an effective manner to ensure compliance with the GDPR.

 

Privacy Notices

A separate notice setting out information that may be provided to data subjects when ABsmartly collects information. These notices may take the form of general privacy statements applicable to a specific group of individuals) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose.

 

Processing or Process

Any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. Basically, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.

 

Pseudonymisation or Pseudonymised

Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.

 

Health Information Patient information collected by a health plan, health care provider, public health authority, employer, healthcare clearinghouse or other organization that falls under covered entity.

 

Due Diligence An organization is in violation, but they have taken every possible step they could have foreseen to prevent that.

Reasonable Cause The steps have been taken, but something was not addressed. For example, a company went into a audit and provided a gap analysis, but something wasn’t addressed yet. The violation is due to reasonable cause and not willful neglect.

Individually Identifiable Health Information A subset of health information, this includes demographic information about an individual’s health that identifies or can be used to identify the individual. This includes name, address, date of birth, etc.

 

Protected Health Information (PHI) This includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more.

 

Policy Review

ABsmartly will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives on at least an annual basis and more frequently if required taking into account changes in the law and organizational or security changes. This policy was last updated on 30 April 2021.

 

How to contact us

If you have any questions about ABsmartly's Data Protection Policy, please do not hesitate to contact us per using dpo@absmartly.com.