Last updated: June 2, 2020
Note: Latest changes are marked with YELLOW color
Revisions and history:
|6/2/2020||Security Policy||7||Added line item 5 in sub-section “How Information is Protected by AaNeel?”|
|5/15/2020||Security Policy||8||Added sub-section “AaNeel Guideline for Cyber Security”|
|3/11/2020||Data Collection Practice||Added sub-section “Third Party Providers”|
Interpretation and Definitions
The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
- Website – refers to AaNeel Infotech, accessible from www.aaneel.com or portal.gopatientportal.com
- Service – refers to the Website.
- Country – refers to: United States
- Personal Data – is any information that relates to an identified or identifiable individual.
- Cookies – are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
Background / Purpose
The AaNeel team provides contractual services, technical and business support for various healthcare organizations, groups and individuals serving Medicare beneficiaries. The team's activities are based on assigned tasks involving healthcare (Medicare) beneficiaries, health care providers and payors. As such, it is expected that each team member performs his/her assigned tasks efficiently and effectively, maintains privacy and security, abides by the workplace discipline and treats clients and beneficiaries with respect and dignity.
IF YOU DO NOT WANT AANEEL TO COLLECT, STORE, AND PROCESS YOUR INFORMATION AS DESCRIBED IN THIS POLICY, THEN YOU HAVE THE OPTION TO OPT-OUT USING OUR CONTACT INFORMATION BELOW
Employee Resource and Training
Data Collection Practice
AaNeel only collects and uses information for the purpose of providing the information and services that clients need and request. AaNeel does not and will not sell or lease information that it collects. Information collected is only used for a proper business purpose and at no time will be used outside that scope. Personal data processed by AaNeel shall not be kept for longer than is necessary for the intended process or purposes and required by the law. Clients have the right to request that their information be deleted; once the request has been verified, the data will be deleted within 30 days of receiving the
Information We Receive from Beneficiaries:
AaNeel collects beneficiary name, postal address, email address, phone number, and other demographic information (such as your gender, occupation and ethnicity) as well as other information provided by the beneficiaries (such as education and language preference).
Information We Get from Other Organizations and Entities:
AaNeel may receive additional information about beneficiaries from clients, organizations and entities, including third parties such as regulatory agencies (CMS, HHS, State), business partners, marketers, researchers, analysts, and other parties, which we may use to supplement the information that we collect directly from you.
Information from the use of AaNeel Mobile Apps:
When clients use AaNeel mobile apps, AaNeel may collect information about the type of device and operating system they use. AaNeel may ask you if you want to receive push notifications about activity in your account. If you opt into these notifications and no longer want to receive them, you may turn them off through your operating system. AaNeel doesn’t access or track any location-based information from your mobile device unless you’ve given us permission. AaNeel may use analytics software (such as intercom.io) to help us better understand how people use our application. AaNeel may collect information about how often you use the app. AaNeel follows an opt-in, permission-based text message (SMS) enrollment policy. AaNeel will not send unsolicited, bulk or commercial offers or advertisements without permission. All SMS messages contain information on how to unsubscribe from the list. You may leave our lists at any time for any reason. If you have any questions or feel that you received unsolicited email or an unsolicited SMS message, please contact us.
Use of Personal Information:
AaNeel may use personal information for the following purposes:
- To operate, maintain, and improve our sites, products, and services.
- To respond to comments and questions and provide customer service.
- To send information including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages.
- To communicate about promotions, upcoming events, and other news about products and services offered by us and our selected partners.
- To process and deliver contest entries and rewards.
- To link or combine user information with other information.
- To provide and deliver products and services at customer’s request.
Sharing of Information
AaNeel may share information as follows:
- We may use third-party web analytics services on our services to collect and analyze the information discussed above, and to engage in auditing, research and reporting.
- We may share information if the company merges or is combined with any other organization, or if it transfers all or substantially all of its assets or operations to another organization. In that case, it may disclose information it collects from you to the other organization so that the other organization can continue to provide services to you while maintaining your information rights of both access and choice. The other organization will be bound by this policy. You will be notified via U.S. mail once such decision has been made, when the merger or transfer process begins, with an approximate / exact effective date of operations with the new organization / management. You may contact us if you would like to opt out.
- We may share information for legal, protection, and safety purposes.
- We may share information to comply with laws.
- We may share information to respond to lawful requests and legal processes.
- We may share information to protect the rights and property of its agents, customers, and others. This includes enforcing agreements and policies. AaNeel may share information in an emergency. This includes protecting the safety of its employees and agents, its customers, or any person.
- We may share information with those who need it to do work for it.
Third Party Providers:
AaNeel may contract with other companies to provide various services to its customers on an outsourced basis rather than performing the services directly. For example, AaNeel may contract with a cloud hosting provider to host some or all of the processing and communication services that AaNeel provides. By continuing to use our services, you consent to AaNeel’s use of these third party providers.
AaNeel intends to process the personal information it receives according to industry best practices and subsequently transfers any and all liabilities to third parties acting as an agent or on its behalf. AaNeel complies with the industry standards for all onward transfers of personal data, including the onward transfer liability provisions.
User Consent Practice
AaNeel follows strict policies on user consent. If you are missing any one of the five elements listed below, you do not have consent.
- Freely given – the person must not be coerced or pressured into giving consent, or suffer any lack of service or detriment if they refuse.
- Specific – the person must be asked to consent to individual types of data processing.
- Informed – the person must be told what they are consenting to.
- Unambiguous – language must be clear and simple to understand.
- Clear affirmative action – the person must expressly consent by doing or saying something that can be documented, i.e. when asked for someone’s consent, he/she or they understand the question and the implications, and then make a genuine choice.
When is Consent Required?:
- Consent: the individual or client has given clear consent to process their personal data for a specific purpose
- Contract: the processing is necessary for a contract AaNeel has with the individual / client or because the individual or client has asked to take specific steps before entering into a contract
- Legal Obligation: The processing is necessary to comply with the law (besides contractual obligations)
- Vital Interest: The processing is necessary to protect someone’s life.
- Legitimate interest: The processing is necessary for AaNeel’s legitimate interest or legitimate interests of a third party, unless there is a good reason to protect personal data which overrides those legitimate interests.
Generally speaking, AaNeel will not ask for consent if:
- AaNeel is carrying out a core or contracted service.
- AaNeel is required to process personal data by law (legal obligation).
- AaNeel is processing personal data to the benefit of clients in a way that the users would reasonably expect, with minimal risk and impact on individuals (legitimate interests)
AaNeel will ask for consent while offering a genuine choice over a non-essential service. Typical examples include:
- Using tracking/advertising cookies
- Sending marketing emails or newsletters
- Sharing personal data with other companies for commercial purposes
AaNeel maintains its Data Security (electronic PHI) by protecting the
of e-PHI that is held or transmitted by AaNeel. AaNeel maintains reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI that it receives, stores, and transmits.
How Information is Protected by AaNeel?
- Ensures the confidentiality, integrity, and availability of all e-PHI it creates, receives, maintains, or transmits.
- Identifies and protects against reasonably anticipated threats to the security or integrity of the information.
- Protects against reasonably anticipated, impermissible uses or disclosures.
- Ensures compliance by its workforce.
- Information is protected by AaNeel using protective measures such as secure user access and encryption.
AaNeel ensures the three core components of data protection as follows:
- That e-PHI is not available or disclosed to unauthorized persons
- Prohibits against improper uses and disclosures of PHI.
- That e-PHI is not altered or destroyed in an unauthorized manner.
- That e-PHI is accessible and usable on demand by an authorized person.
How AaNeel Ensures HIPAA Security?
Risk Analysis and Management
- Identify Risk
- Implement appropriate security measures
- Maintain continuous, reasonable, and appropriate security protections
- Establish a Security Management Process
- Designate security personnel
- Workforce Training and Management
- Perform periodic evaluation
- Access control – Implement technical guidelines to allow only authorized people to handle e-PHI
- Audit controls – hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI
- Integrity control – Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed
- Transmission Security – guard against unauthorized access to e-PHI when transmitted over an electronic network
AaNeel Guideline for Cyber Security
Report to law enforcement requirement
- OCR (must report) – No later than 60 days after the discovery of a breach affecting 500 or more individuals
- Local FBI (if FBI wants to investigate, wait for their written request or 30 days).
- ISAO (information sharing and analysis organization)
- Homeland Security
- HHS Assistant Secretary for Preparedness and Response
AaNeel Breach Notification Policy
Under the Breach Notification rules, AaNeel defines a breach as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
What AaNeel Will Do?
- Perform Risk Assessment
- Provide notification following a breach of unsecured protected health information per breach notification provisions implemented and enforced by the Federal Trade Commission (FTC)
Who It Applies To?
- Applies to vendors of personal health records and their third-party service providers, pursuant to relevant statutes e.g. section 13407 of the HITECH Act.
- Information includes coding, billing and insurance verification
Burden of Proof of Extent of Damage and Subsequent Actions
- Applies appropriate sanctions against workforce members who do not comply with these policies and procedures.
- Breach involving Less Than 500 members (OCR & Asst. Secretary for Preparedness and Response)
- AaNeel will report such breaches at the time they are discovered.
- AaNeel will report all of its breaches affecting fewer than 500 individuals on one date, but will
- AaNeel will submit the notice electronically completing all of the fields of the breach notification form
- By email: email@example.com
- By Phone: 813-200-5600