THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Who Must Follow This Policy
Document and Record Retention
Digital Therapeutics, Inc. ("Digithera" or "Quit Genius") provides you with health care by working with health coaches and other health care providers (referred to as "we", "our", or "us") when you apply for or participate in the Quit Genius Program (the "Services"). This is a joint notice of our information privacy practices ("Notice"). The following people or groups will follow this Notice:
- Any health care provider who provides services to you at or from Digithera's locations, whether physical or on-line, including health coaches and others;
- All departments and units of our organization, including mobile units; and
- Our employees, contractors, and volunteers, including regional support offices and affiliates.
These entities, sites, and locations may share health information with each other for treatment, payment, or health care operations purposes described in this Notice. In addition, we also use and share your information for other reasons as allowed and required by law. If you have any questions about this Notice, please see our contact information on the last page of this Notice.
2. Uses And Disclosures of PHI Permitted For Reasons Other Than Treatment, Payment and Health Care Operations, And Without Individual Authorization
In the following limited instances, which are in addition to Treatment, Payment and Health Care Operations, Digithera is permitted to use or disclose PHI without an individual’s authorization.
Uses And Disclosures That Require An Opportunity For The Individual To Agree Or To Object.
Disclosures to Designated Individuals. Digithera employees authorized to access PHI may, without written authorization from the individual, disclose to any person identified by the individual, such as a family member or close friend, any PHI directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s care, as long as the following conditions are met:
- If the individual is present for, or otherwise available prior to, this type of use or disclosure and has the capacity to make health care decisions, the Digithera employee will authorize the use or disclosure of the PHI if he or she: (1) obtains the individual’s agreement; (2) provides the individual with the opportunity to object and the individual does not do so; or (3) reasonably infers from the circumstances, based on professional judgment, that the individual does not object.
- If the individual is not present for, or it is not possible to give the individual the opportunity to agree to, the use or disclosure because of incapacity or an emergency, the Digithera employee will determine, based on professional judgment, whether the use or disclosure is in the best interest of the individual. If a use or disclosure is made, only the PHI that is directly relevant to the third person’s involvement with the individual’s health care or payment for health care will be used or disclosed.
Disclosures for Notification Purposes. Digithera employees authorized to access PHI, without written authorization from the individual, may use or disclose PHI to notify, or assist in notifying (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the individual’s care, of the individual’s location, general condition or death. The Digithera employee also may use or disclose PHI to a public or private entity that is authorized by law or by its charter to assist in disaster relief, for the purpose of coordinating with such entities to notify (including identifying or locating) relatives or those close to the individual, of the individual’s location, general condition or death.
Uses And Disclosures For Which An Individual’s Authorization Or Opportunity To Agree Or Object Are Not Required.
Uses and Disclosures. In the following circumstances, Digithera employees authorized to access PHI may use or disclose PHI without the individual’s written authorization, and without giving the individual the right to agree or object. To the extent not covered below, the Digithera will comply with additional requirements in the HIPAA Privacy Rule, as applicable.
- To the appropriate governmental or judicial authority as required by law in situations of abuse, neglect or domestic violence; in the course of any judicial or administrative proceeding; for law enforcement purposes to a law enforcement official as required by law. The Digithera will only make such disclosures to the extent they are required by law and the use or disclosure complies with and is limited to the relevant requirements of the law.
- To the appropriate public health authority that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease (including notifying infected individuals when authorized by law), injury or disability; or to receive reports of child abuse or neglect.
- To persons or entities subject to the jurisdiction of the Food and Drug Administration (“FDA”) to meet the reporting requirements of the FDA, such as submitting adverse event reports, tracking products for recalls, and conducting post-marketing surveillance to track compliance. The Digithera will comply with the additional requirements in the HIPAA Privacy Rule, as applicable.
- To an employer to comply with OSHA requirements related to medical surveillance and work related injuries, and to persons as authorized by workers’ compensation laws.
- To health oversight agencies for oversight activities authorized by law, e.g., fraud and abuse audits, investigations and inspections; licensure or disciplinary actions; and civil, administrative or criminal proceedings. The Digithera will comply with the additional requirements in the HIPAA Privacy Rule, as applicable.
- To coroners and medical examiners, and funeral directors, the PHI which is necessary to permit those persons to carry out their duties consistent with applicable law.
- To organ procurement organizations for donation purposes.
- For research purposes, provided that an Institutional Review Board or privacy board (as described in the Privacy Rule) approves the waiver of individual authorization.
- To appropriate persons and consistent with applicable laws and standards of ethical conduct, when the Privacy Officer believes, in good faith, that it is necessary to use or disclose the PHI to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, or to assist law enforcement in identifying or apprehending an individual.
- To military and veterans authorities, national security and intelligence sources, protective services for the President, correctional institutions and other custodial law enforcement, and Department of State for the purposes detailed in the HIPAA Privacy Rule.
Verification Procedures. Before making any such disclosures, the Digithera employee will verify the identity of the person requesting the PHI and the authority that person has to have access to the requested PHI.
- In the normal course, the Digithera employee will obtain the requisite verification by requiring the requester to send their request in writing on official stationery. The Digithera employee may also require the requester to provide any other documentation that he/she deems necessary, using professional judgment, to verify the authenticity of the requester.
- If the request is made to the Digithera employee in person, the Digithera employee will require the requester to present sufficient official identification, such as a badge or official credential, to verify the requester’s identity and authority.
- If the request is made pursuant to a legal process, such as a subpoena, warrant or court order, the Digithera employee may rely on the veracity of that request.
- If the Digithera employee determines, using professional judgment, that there is an emergency situation that does not allow for a written exchange, the Digithera employee may verify the requester’s identity by calling the requester back. If this occurs, the Digithera employee must document the exchange and the nature of the emergency, and maintain the documentation in accordance with Digithera’s policy on record retention and documentation.
Disclosures To Business Associates.
The Digithera may disclose PHI to Business Associates after entering into a Business Associate Agreement, and consistent with Digithera’s policy on business associate relationships.
Disclosures By Whistleblowers And Workforce Member Crime Victims.
A Digithera employee with access to PHI will not be disciplined for disclosing PHI to a health oversight agency or to an attorney if he/she believes, in good faith, that the Digithera has engaged in unlawful conduct. If that employee believes that he/she should disclose PHI about a suspected perpetrator of a criminal act to a law enforcement official, that employee should, if feasible, first discuss that disclosure with the Privacy Officer.
3. Uses And Disclosures Of PHI That Are Required Or Permitted By The Privacy Rule, Or Permitted By Authorization
This Policy summarizes the uses and disclosures of patient protected health information (“PHI”) that are required or permitted by the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, or permitted by authorization.
Required Uses And Disclosures.
Digithera is required to use or disclose PHI in the following circumstances:
Individual Access. To the individual who is the subject of the PHI contained in the designated record set, provided the individual’s identity is reasonably verified by the Digithera employee, or if the request is to inspect and/or copy his/her PHI, Digithera follows procedures set forth in Digithera’s policy regarding access to PHI.
Access by Secretary of HHS. To the Secretary of the Department of Health and Human Services (“HHS”) when the Secretary is investigating a complaint or monitoring compliance. The Digithera will verify the identity of the HHS requester.
Disclosures To Family Members.
Spousal Access. A spouse must typically sign a HIPAA-compliant authorization releasing an individual’s PHI to his or her spouse.
Parental Access. Parents or guardians (“parents”) are generally considered the personal representatives of unemancipated minors. As such, the Digithera generally responds to parental inquiries about their children’s treatment and health care claims, and provides parents with access to the minors’ PHI.
Emergency Access. If a family member or close friend inquires on behalf of an individual who is being cared for by the Digithera or from whom it would be difficult to obtain an authorization, the Digithera may respond to that family member or close friend’s inquiries. (This type of access does not require that the individual be incapacitated or unconscious.) However, before responding, the identity of the family member or close friend and the individual’s identity must be verified. The PHI provided must be the minimum necessary for the family member or close friend to ensure the individual receives the medical care he/she needs.
Uses And Disclosures Of PHI Permitted When The Patient Is Deceased.
Digithera may disclose PHI of a deceased patient to a family member, other relative, close personal friend or other person previously identified by the patient as someone involved in the patient’s care or payment for health care prior to the patient’s death. PHI disclosed will be limited to what is relevant to the person’s involvement in the patient’s care. NOTE: if Digithera has knowledge that the disclosure of PHI would be inconsistent with a preference previously expressed by the patient, the PHI requested will not be disclosed.
Uses And Disclosures Permitted For Treatment, Payment Or Health Care Operations.
Digithera may use or disclose PHI for purposes of treatment, payment or health care operations without written authorization from the patient.
Treatment. Digithera may use or disclose PHI for treatment purposes to assist any health care provider in that provider’s treatment activities or to coordinate or manage with a healthcare provider to provide treatment for an individual so long as each entity has or had a relationship with the individual who is the subject of the protected health information being requested.
Payment. Digithera may use or disclose PHI to obtain or provide reimbursement for the provision of healthcare. These payment activities must relate to an individual, and include: (i) billing, claims management, collection activities and related health care data processing; (ii) review of health care services with respect to medical necessity or coverage under a health plan; (iii) utilization review activities; and (iv) disclosure to consumer reporting agencies.
Health Care Operations. Health Care Operations includes any of the Digithera’s following activities to the extent they are related to the covered function as per the HIPAA Privacy Rule:
- Conducting quality assessment and improvement activities, and related functions that do not include treatment.
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision; training of non-health care professionals; accreditation, certification, licensing or credentialing activities.
- Underwriting, premium rating, or other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and securing a contract for reinsurance of risk relating to claims for healthcare.
- Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs.
- Business planning and development, such as conducting cost management and planning related analyses for Digithera including formulary development and administration, development or improvement of methods of payment or coverage policies.
- Business management and general administrative activities of Digithera including, but not limited to: (A) Management activities relating to the implementation of and compliance with other Privacy Rule requirements; (B) Customer service; (C) Resolution of internal grievances; (D) The sale, transfer, merger or consolidation of all or part of Digithera with another covered entity; and (E) Creating de-identified health information or a limited data set as defined under HIPAA.
Use And Disclosure Of PHI Permitted Pursuant To A Valid Authorization.
Digithera will only use or disclose PHI to third parties for purposes other than treatment, payment or health care operations, or for reasons other than those specified in the Privacy Rule as not requiring authorization or otherwise required by law, upon receipt of a valid, written authorization. Once a valid authorization is received, Digithera will only use and disclose information consistent with the terms of the authorization. However, the standard authorization received by Digithera will state that once disclosed, the PHI may no longer be protected, and that the information may be further disclosed by the recipient without any additional authorization from the individual. An individual may revoke, in writing, his or her signed authorization at any time, except to the extent that Digithera has taken action in reliance on the authorization prior to revocation.
Specific Instances for Which Authorization is Required Prior to Use or Disclosure:
- Psychotherapy Notes;
- Marketing: Digithera must obtain an authorization for any use or disclosure of protected health information for marketing, except: (i) Face-to-face communication made by Digithera to the individual; (ii) A promotional gift of nominal value provided by Digithera; and (iii) Communications made to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for a patient, provided that any payment received by Digithera in exchange for making the communication is “reasonably related” to Digithera’s cost of making the communication. Costs are considered to be “reasonably related” if they cover direct and indirect costs to Digithera for making the communication, including the costs of labor, materials, and supplies, as well as capital and overhead costs.
Authorization Forms. Authorization Forms must contain the following information:
- A description of the information to be used or disclosed that describes the information in a specific and meaningful fashion.
- The name or other specific identification of the person(s) or class of person(s) authorized to use or disclose the information from Digithera.
- The name or other specific identification of the person(s) or class of person(s) to whom Digithera may use or disclose the information.
- A description of each purpose of the requested use or disclosure. If the individual initiates the authorization, the purpose may be described as “At the request of the individual.”
- A statement that the individual may revoke the authorization in writing, and how to do so.
- A statement that Digithera shall not condition treatment, payment or eligibility for benefits on the authorization (unless one of the conditional exceptions applies, in which case that exception must be explained).
- The potential for information disclosed under the authorization to be subject to redisclosure by the recipient, and the fact that once the information is disclosed (to a non-covered entity) it is no longer protected by HIPAA.
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
- Signature of the individual who is the subject of the PHI and the date. If the authorization is executed by a personal representative, it must include a description of the representative’s authority to act for the individual.
4. The Minimum Necessary Requirement
Digithera applies the minimum necessary standard whenever it uses or discloses PHI to a third party, or requests PHI from another covered entity. This means that Digithera makes reasonable efforts to limit the use or disclosure, or request of PHI to the minimum necessary to accomplish its intended purposes.
Applicability Of The Minimum Necessary Requirement.
Digithera will apply the minimum necessary standard to all uses and disclosures of PHI, except as follows:
- Disclosures to or requests by a health care provider for treatment purposes;
- Permitted and required disclosures to the individual who is the subject of the information;
- Uses or disclosures pursuant to a valid authorization executed by the individual;
- Disclosures made to the Secretary of HHS in accordance with the Privacy Rule; or
- Uses and disclosures required by law, and uses and disclosures that are required for compliance with the Privacy Rule.
Identification Of Employees.
Identified Employees. The Digithera employees who need access to PHI are identified in Digithera’s Policies on Personnel Designations and Limited Employee Access. No other Digithera employees may have access to PHI unless specifically authorized by the Privacy Officer.
Restrictions on Employee Access. The Digithera employees who need access to PHI only have access to the PHI necessary for their job duties, unless specifically authorized by the Privacy Officer.
Limited Data Sets. A Limited Data Set is a limited set of identifiable patient information as defined by the HIPAA Privacy Rule, which may be disclosed to an outside party without a patient’s authorization if certain conditions are met. The purpose of the use or disclosure may only be for research, public health, health care operations or by a business associate to create a Limited Data Set for Digithera or the business associate. Limited Data Set information is information that excludes the following direct identifiers of the individual or the relatives, employers or household members of the individual:
- Postal address information (except town, city, state and zip code may be used or disclosed);
- Telephone and Fax Numbers;
- Social Security numbers, medical record numbers, account numbers or certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Email Addresses, Web Universal Resource Locators (URLs) and Internet Protocol (IP) address numbers;
- Biometric identifiers (including finger- and voice-prints), and full-face photographic images and any comparable images.
Limited Data Set information may include an individual’s town, city, state and zip code, and all elements of dates related to the individual (including birth date, admission date, discharge date and death date).
Requests For PHI And The Minimum Necessary Requirement.
All requests for PHI initiated by Digithera shall seek only the minimum necessary to accomplish the purpose for which the request is made.
Limitation Regarding Using, Disclosing Or Requesting Entire Medical Record.
For all uses, disclosures, or requests to which the minimum necessary requirements apply, Digithera will not use, disclose or request an entire medical record, except when the entire medical record is specifically justified and Digithera has documented the specific justification.
5. Personnel Designations
Digithera has designated a Privacy Officer.
Privacy Officer Designation.
The Digithera has designated a Privacy Officer who is responsible for overseeing and directing the development and implementation of the Digithera’s Privacy Policies and Procedures in compliance with the Privacy Rule.
Designated Privacy Officer. The Digithera has designated the following Privacy Officer:
Digital Therapeutics, Inc.
Unit 118, The Record Hall
16-16A Baldwin's Gardens
London, EC1N 7RJ
Duties and Responsibilities. The Privacy Officer is responsible, either directly or by his/her delegated authority, for monitoring and ensuring the Digithera’s compliance with the Privacy Rule requirements and these Policies and Procedures. The Privacy Officer:
- Oversees the development and implementation of HIPAA compliance processes, and supervises the day-to-day aspects of compliance with the Privacy Rule;
- Coordinates with Digithera employees to identify HIPAA non-compliant processes and systems, and to develop and implement those changes necessary to ensure all processes and systems are HIPAA compliant;
- Serves as central liaison for internal HIPAA systems and processes, and for external business partners and vendors involved in HIPAA systems and processes;
- Communicates HIPAA compliance assessment findings, including cost and risk exposure, to Digithera and impacted personnel;
- Tracks action items;
- Prepares budgets for HIPAA compliance as necessary and appropriate;
- Responds to inquiries from individuals, government officials and other third parties regarding uses and disclosures of PHI, and promptly renders determinations in response to such inquiries and requests;
- Oversees workforce training on HIPAA compliance;
- Maintains a current list of Business Associates;
- Ensures that the Digithera’s Notice of Privacy Practices is timely disseminated to individual customers;
- Reviews and revises the Notice of Privacy Practices to reflect any changes to the law or these Policies and Procedures or practices;
- Responds to inquiries from individuals about Digithera’s privacy procedures;
- Investigates any complaints that allege that any Digithera employee or a Business Associate has not complied with or has violated these Policies and Procedures;
- Investigates and conducts risk assessments related to any breach of the Privacy Rule to determine whether notification of breach is required and, as appropriate and necessary, provides such notification;
- Oversees document maintenance and retention policies; and
- Reviews and revises Digithera’s HIPAA Policies and Procedures as required or needed to ensure continued compliance with the Privacy Rule and any other applicable law.
Documentation related to these personnel designations will be retained for 6 years in accordance with Digithera’s record retention policy.
6. Individual Requests
Individuals have a right to make certain requests pertaining to their PHI as described below.
Right To Inspect And Copy PHI
WRITTEN REQUEST. To inspect and copy PHI maintained by Digithera, an individual must submit a request in writing to:
Digital Therapeutics, Inc.
Unit 118, The Record Hall
16-16A Baldwin's Gardens
London, EC1N 7RJ
that states the individual’s name, address and the last four digits of his/her Social Security number and describes the PHI the individual is seeking. Digithera may deny the request, as specified below.
- Information Made Available. The designated record set to which the individual will be entitled includes: (i) medical records and billing records about the individual maintained by or for Digithera as a medical practice; (ii) records used, in whole or in part, by or for Digithera to make decisions about the individual.
- Time for Response/Access. Except as provided below, any request for access is responded to no later than 30 days after it was received by the Digithera. A one-time extension of 30 days is available to Digithera if it is unable to take action within the first 30 days. In that case, within the first 30 days after the individual’s request is made, the individual will be furnished with a written statement that states: (i) the reasons for the delay; and (ii) the date by which a response will be provided.
GRANTING OF REQUEST. If a request for access to PHI is granted by the Digithera, the requesting party will be notified in writing of the acceptance of the request and the requested access will be provided.
- Format. The requested information will be provided in the format requested by the individual, unless it is not readily reducible to such form. If the requested format cannot be provided, a readable hard copy or electronic form as agreed to by Digithera and the individual will be provided. To the extent the information is maintained electronically, Digithera shall make available to the requesting party a copy of such information in the electronic form and format requested by the individual, if it is readily producible or, if not, in a readable electronic form and format as agreed to by Digithera and the individual.
- Fees. An individual will be charged a reasonable per-page fee for hard copies, or a reasonable cost-based fee for the preparation of an explanation or summary of the requested PHI.
REVIEW OF DENIAL OF ACCESS. A request to inspect and copy PHI may be denied in certain limited circumstances specified by the Privacy Rule.
Format of Denial. A denial of a request for access must:
- Be written in plain language;
- State the basis for the denial;
- If applicable, state the individual's right to an independent review of the denial;
- If applicable, provide a description of how the individual may exercise such review rights; and
- Provide a description of how the individual may appeal the denial to the Digithera, including the name and address of the HIPAA Privacy Officer, or to the Secretary of HHS.
Making Other Information Accessible.
Partial Denial. If access is denied in part, the individual will be given access to any other PHI requested after Digithera excludes the PHI for which access has been denied.
PHI Maintained by Other Entity. If access is denied, in whole or in part, because the requested information is not maintained by the Digithera and the Digithera knows where the requested information is maintained, Digithera employee will inform the individual where to direct the request for access.
Review Of Denial Of Access.
Right of Review. In certain instances, referred to above with the symbol [R], an individual whose request for access is denied has the right to have the denial reviewed by a licensed health care professional designated by the Digithera who did not participate in the original decision. In other situations, referred to above with the symbol [NR], the Digithera may deny an individual access without providing an opportunity for review.
Written Request For Review. To secure review of a denial of a request to inspect and copy PHI, an individual must submit a request in writing to:
Digital Therapeutics, Inc.
Unit 118, The Record Hall
16-16A Baldwin's Gardens
London, EC1N 7RJ
- Upon receipt of a request for review of a denial, the Privacy Officer must promptly refer the matter to a licensed healthcare professional who was not directly involved in the denial.
- The designated licensed healthcare professional will, within a reasonable time, review the individual’s request and the denial of the request based on the following standards: (i) whether access may endanger the life or physical safety of the individual or another person; (ii) whether the PHI makes reference to another person who is not a health care provider and the access requested is reasonably likely to cause substantial harm to that person; or (iii) whether the access requested is made by the individual’s personal representative and access by the personal representative is reasonably likely to cause substantial harm to the individual or another person.
- The Digithera will provide prompt written notice to the individual of the determination by the designated healthcare professional.
- The Digithera will take prompt action to carry out the healthcare professional’s determination.
7. Personal Representatives
For purposes of these Policies and Procedures, the Digithera will treat a person as a personal representative of the patient if, under applicable state law, that person has the authority to act on behalf of a patient who is an adult or emancipated minor in making decisions related to the patient’s health care. The Digithera will also treat a person as a personal representative of a patient if, under applicable state law, that person is a parent, guardian or other person who has authority to act on behalf of a patient who is an unemancipated minor in making decisions related to the patient’s health care.
Generally, the Digithera must grant a personal representative the same right to access, and control uses and disclosures of, PHI that would be allowed to the patient he or she represents.
Examples of Personal Representatives.
- An adult who has legal authority over an individual with respect to health care decisions (e.g., a parent or guardian);
- An emancipated minor acting on behalf of the individual (e.g., an underage parent of a child);
- A legal representative of a deceased individual (e.g., an administrator or executor of an individual’s estate); and
- Any other person authorized under applicable state law to make decisions related to health care on behalf of the individual.
Exceptions. A person may not be a personal representative of an unemancipated minor with respect to PHI pertaining to a health care service if:
- The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;
- The minor may lawfully obtain such health care service without the consent of a parent, guardian or other person acting in loco parentis, and the minor, a court or another person authorized by law consents to such health care service; or
- A parent, guardian or other person acting in loco parentis assents to an agreement of confidentiality between the Digithera or another health care provider and the minor with respect to such health care service.
Deceased Patients. If under applicable law an executor, administrator or other person has the authority to act on behalf of a deceased patient or the patient’s estate, the Digithera will treat such person as a personal representative with respect to PHI relevant to such personal representation.
Violence, Abuse or Neglect. The Digithera may elect not to treat a person as the personal representative of a patient if: (i) the patient has been or may be subjected to domestic violence, abuse or neglect by such person; or (ii) treating such person as the personal representative could endanger the patient, and it is not in the best interest of the patient to treat the person as the individual’s personal representative.
8. Business Associate Relationships
The Digithera ensures that its Business Associates, the entities that perform services for the Digithera and create, receive, maintain or transmit PHI that belongs to the Digithera in the course of providing such services, protect the privacy of the PHI and provide individuals with certain rights with respect to the PHI. After the Digithera obtains a Business Associate Agreement (“BAA”) from a Business Associate, which provides that the Business Associate will protect the PHI and limit its use and disclosure of PHI, the Digithera discloses PHI to the Business Associate only to the extent necessary for the Business Associate to carry out its contractual duties.
Before the Digithera discloses PHI to a Business Associate or permits a Business Associate to create, maintain or transmit PHI on its behalf, the Digithera enters into the required BAA. The Privacy Officer is responsible for assisting in identifying those vendors that require BAAs and ensuring that such BAAs are entered into. Upon execution, a copy of the BAA must be sent to the Privacy Officer.
Monitoring And Non-compliance.
The Privacy Officer monitors Business Associates’ compliance with their obligations only if he/she has a reasonable belief that a Business Associate has violated its agreement. Any Digithera employee or Business Associate or agent who becomes aware that a Business Associate may be violating its obligations to Digithera must immediately report such alleged violation to the Privacy Officer, who may investigate the matter and, if warranted, take reasonable steps to cure the violation.
Investigation. The Privacy Officer may take the following steps as appropriate if he/she becomes aware of a possible violation of a BAA: (1) interview Digithera employees who may have knowledge of the alleged violation; (2) interview the Business Associate’s employees who may have knowledge of the alleged violation; (3) collect any documentation from the Digithera or the Business Associate that relates to the alleged violation; (4) contact the Business Associate to obtain information related to the alleged violation; (5) review the documents that pertain to the alleged violation; and (6) take any other actions that the Privacy Officer deems appropriate.
Response If Violation Has Occurred. If the Privacy Officer determines that the Business Associate has violated the agreement, the Privacy Officer may:
- sanction any Digithera employee involved with the violation;
- request that the Business Associate sanction any of its employees who were involved with the violation;
- coordinate with the Business Associate to perform a risk assessment for notification of Breach purposes and to send out or publish any necessary notifications of Breach in accordance with Digithera’s breach notification policy and any relevant written agreements with the Business Associate;
- mitigate any harmful effect that the Digithera knows of resulting from the improper use or disclosure of the PHI;
- take any remedial steps provided for by the BAA; and/or
- work with the Business Associate to cure the violation and ensure such violation will not occur again. But, if the reasonable steps taken to cure the violation are unsuccessful, the Digithera may terminate the contract with the Business Associate, if feasible. NOTE: If termination is not feasible because there are no other viable business alternatives for the Digithera, the Digithera will consult with the Privacy Officer regarding available remedies under current Privacy Rule provisions.
9. De-Identification Policy
The Digithera may use or disclose de-identified information, which is health information that does not identify an individual and is not PHI, without obtaining the individual’s authorization. If the Digithera re-identifies information, it becomes PHI that is treated in accordance with the Privacy Rule and the Digithera’s Policies and Procedures.
Creation Of De-identified Information.
The Digithera may create, or direct a Business Associate to create, de-identified information pursuant to the following guidelines.
(a) Expert Method. The Digithera de-identifies information by designating an expert who has the appropriate knowledge of, and experience with, statistical and scientific principles and methods for rendering information not individually identifiable, and who applies such principles and methods to:
- Determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information; and
- Document the methods and results of the analysis that justify such determination.
(b) Removal of Identifiers Method. The Digithera de-identifies PHI by removing the following individual identifiers related to individuals, their relatives, household members and employers, and ensuring, to the extent practicable, that the de-identified information cannot be used, alone or in combination with other information, to identify the individual who is the subject of the information:
- All geographic subdivisions smaller than a State, including street address, city, county, precinct and zip code (subject to the additional requirements of §164.514(b)(2)(i)(B));
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers, fax numbers, and e-mail addresses;
- Social Security numbers, medical record numbers and account numbers;
- Certificate/license numbers, vehicle identifiers and serial numbers, including license plate numbers, and device identifiers and serial numbers;
- Web Universal Resource Locators (URLs), and Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints, full-face photographic images and any comparable images; and
- Any other unique identifying number, characteristic or code.
Business Associates. The Digithera may disclose PHI to a Business Associate for de-identification, whether or not the de-identified information is to be used by the Digithera.
Digithera may assign a code to de-identified information in order to later re-identify the information. Re-identified information and the re-identification code is PHI that may be disclosed and used only as permitted by the Privacy Rule and these Policies and Procedures. In addition, Digithera will make a reasonable effort to limit the use, disclosure or request of re-identified PHI to the minimum necessary to accomplish the intended purpose in accordance with Digithera’s minimum necessary policy.
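As an added illustration of the removal-of-identifiers method and the separately held re-identification code described above (hypothetical Python written for this page, not Digithera's own system): the field names, the allowlist of retained fields and the sample records are assumptions, and zip codes are simply dropped rather than implementing the §164.514(b)(2)(i)(B) three-digit exception.

```python
"""Safe Harbor style de-identification of a patient record (hypothetical)."""
import re
import secrets
from datetime import date

# Allowlist of fields that may be kept verbatim (assumed record layout).
# Anything not listed here or in DATE_FIELDS is dropped: because the last
# item of the identifier list is "any other unique identifying number,
# characteristic or code", a denylist of known identifiers is not safe.
RETAINED_FIELDS = {"state", "sex", "diagnosis", "smoking_status"}

# Date fields are reduced to their year element only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

AGE_CAP = 89                 # ages over 89 are aggregated into one category
AGE_CAP_LABEL = "90 or older"


def _parse_iso(value):
    """Parse a YYYY-MM-DD string into a date; reject any other format."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value)
    if not m:
        raise ValueError(f"unrecognised date format: {value!r}")
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def _age_on(birth, as_of):
    """Completed years between birth and the reference date as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def deidentify(record, as_of):
    """Return a new dict holding only allowlisted fields, year-only dates and
    a derived age.  Ages over 89 become "90 or older" and the birth year is
    dropped in that case, since it is a date element indicative of the age."""
    out = {}
    for field, value in record.items():
        if field in RETAINED_FIELDS:
            out[field] = value
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = _parse_iso(value).year
        # every other field (name, zip, phone, SSN, MRN, IP, ...) is dropped
    if "birth_date" in record:
        age = _age_on(_parse_iso(record["birth_date"]), as_of)
        if age > AGE_CAP:
            out["age"] = AGE_CAP_LABEL
            del out["birth_year"]
        else:
            out["age"] = age
    return out


class ReidentificationKey:
    """Mapping from random re-identification codes to original record ids.

    The code is random and not derived from the record, so it reveals
    nothing about the individual.  The mapping itself is PHI and must be
    stored and accessed under the same controls as the source records."""

    def __init__(self):
        self._code_to_id = {}

    def assign(self, record_id):
        code = secrets.token_hex(8)
        self._code_to_id[code] = record_id
        return code

    def reidentify(self, code):
        return self._code_to_id[code]


def deidentify_batch(records, as_of):
    """De-identify records; the dataset and the key are returned separately."""
    key = ReidentificationKey()
    dataset = []
    for rec in records:
        row = deidentify(rec, as_of)
        row["code"] = key.assign(rec["mrn"])
        dataset.append(row)
    return dataset, key


# Constructed sample records; no real patients.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "A. Example", "birth_date": "1980-09-01",
     "admission_date": "2019-05-02", "zip": "02139", "state": "MA",
     "phone": "555-0100", "ip": "203.0.113.7", "sex": "F",
     "diagnosis": "F17.210", "smoking_status": "current"},
    {"mrn": "MRN-0002", "name": "B. Example", "birth_date": "1925-03-10",
     "zip": "10001", "state": "NY", "email": "b@example.com", "sex": "M",
     "diagnosis": "F17.210", "smoking_status": "former"},
]

if __name__ == "__main__":
    rows, key = deidentify_batch(SAMPLE_RECORDS, as_of=date(2019, 6, 25))
    for row in rows:
        print(row, "->", key.reidentify(row["code"]))
```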
10. Restricted Internal Access To Protected Health Information
Digithera has implemented reasonable safeguards, including appropriate administrative, technical and physical measures, to protect the privacy of protected health information (“PHI”), and to prevent impermissible uses and disclosures of PHI. The Digithera has limited access to PHI to only those Digithera employees who need to use or disclose PHI to carry out their duties.
Limited Employee Access.
Access to PHI is limited to the following Digithera employees for the purpose(s) described herein.
Health Care Providers. Digithera health care providers particularly have access to all PHI necessary for the Digithera’s treatment, payment or health care operations activities. Treatment includes, but is not limited to, furnishing health care services, providing patient counseling and communicating with other health professionals in order to coordinate care.
Administrative Employees. Digithera employees, such as those serving in Human Resources roles, have access to PHI in order to perform day-to-day, administrative services related to the Digithera.
Legal Counsel. Legal counsel has access to the PHI required to advise Digithera of its legal rights and responsibilities.
IT Employees. Information technology (“IT”) employees provide technical support to Digithera employees performing functions on behalf of the Digithera involving PHI.
Access Controls And Physical Protections
Physical Layout and How Hardcopy PHI is Handled
- “Clean Desk” Rule. To the extent that Digithera employees maintain paper documents containing PHI, they will observe a “clean desk” rule with respect to such materials, including: (i) keeping such materials on their desktop only when in use; (ii) turning documents face-down on their desktop whenever possible; and (iii) at the end of each workday, putting all such materials away in their desk and locking the door to any office containing PHI. During any extended periods away from his or her desk, such as during a lunch break, an employee will place materials containing PHI in a locked drawer.
- Locked File Cabinets/ Desk Drawers. To the extent possible, hard copy PHI will be maintained in filing cabinets or desk drawers, which are locked when not in use.
- Computer Security:
(i) Email Security. Digithera employees should avoid emailing or otherwise sharing PHI in electronic form, except as expressly authorized by their supervisor. If a Digithera employee must send an email containing PHI, the email should contain the minimum amount of PHI necessary to accomplish the work task.
(ii) Password Protection. All Digithera desktop computers and laptops will be password-protected, utilizing reasonably strong passwords.
(iii) Screen-Savers and Automatic Log-off. Digithera desktop computers and laptops will utilize screen-savers that will be activated, along with automatic log-off, when the computer is inactive.
- Portable Devices.
(i) Taking Laptops Home. Digithera employees are permitted to take their laptops home, but must never leave laptops unattended at home or in transit. Employees should never leave a laptop in an unlocked room or in plain sight in a car.
(ii) Securing Laptops. Digithera employees must never leave their laptops unattended or unsecured. At the end of the workday, employees should ensure that their laptop is stored in a locked drawer or attached to a locked cable.
- Fax Machines. When practicable, Digithera employees will call ahead to make sure that the appropriate person is available to receive a fax containing PHI. Incoming faxes, particularly those containing PHI, will be picked up as soon as possible.
- Printers. Print jobs, and particularly those containing PHI, will be picked up as soon as possible.
- Copiers. Digithera employees will remove their copy jobs containing PHI from the machine when the job is completed.
- With Other Employees Who Have Access to PHI. Digithera employees only discuss PHI with other employees who have access to PHI and only as required to perform their job responsibilities.
(i) Conversations that involve PHI are conducted using moderate voice tones.
(ii) The IT employees only discuss PHI with the other Digithera employees to the extent necessary to provide technical support related to electronic PHI.
- With Employees Who Do Not Have Access to PHI. Digithera employees do not discuss PHI with other Digithera employees who do not have access to PHI, except as provided for in these Policies and Procedures and with approval from the Privacy Officer.
- With Individuals Who Are the Subject of PHI. Digithera employees may receive communications from individuals who wish to discuss their own PHI.
(i) Describe where conversations that involve PHI take place.
(ii) Conversations that involve PHI are conducted using moderate voice tones.
(iii) If an individual orally contacts a Digithera employee to inquire about matters related to his/her PHI, the Digithera employee verifies the individual’s identity by requesting the last four digits of that individual’s social security number and birth date.
IMPORTANT: UNLESS SPECIFICALLY AUTHORIZED AS ABOVE OR IN WRITING BY THE PRIVACY OFFICER, ALL OTHER EMPLOYEE ACCESS TO PHI IS UNAUTHORIZED, STRICTLY PROHIBITED AND MAY RESULT IN SANCTIONS.
All individuals or parties, including Digithera employees and their dependents, who believe that privacy rights have been violated or who have a complaint arising under the Privacy Rule or these Policies and Procedures have the right to make an inquiry or complaint with the Digithera, or with the Secretary of Health and Human Services.
Procedure To File A Complaint With The Digithera
Reporting. Individuals may report a complaint to the Digithera as follows:
An individual must make a complaint in writing to the Privacy Officer. The complaint must include the individual’s name, address and the last four digits of his/her Social Security number, a description of the individual’s complaint, and any documentation that supports his/her complaint. The Privacy Officer is available to discuss any questions the individual might have about the complaint procedure. An individual may contact the Privacy Officer at the following address and phone number:
Lucas Gordon, Digital Therapeutics, Inc.
Unit 118, The Record Hall
16-16A Baldwin's Gardens
London, EC1N 7RJ
Investigation. When an individual makes a complaint, the Privacy Officer will promptly investigate the circumstances related to the report.
Reasonable Steps. The Privacy Officer may take the following steps, as he/she deems appropriate, to investigate the alleged violation: (i) interview the individual complainant; and (ii) interview the Digithera employees or Business Associates who may have knowledge of the alleged violation and review any relevant documents that pertain to the alleged violation. These procedures are not exclusive and the Privacy Officer may take any steps he/she deems necessary to investigate the complaint.
Confidentiality. Confidentiality will be maintained throughout the investigative process to the extent practicable and consistent with the need to undertake a full investigation.
Results of Investigation. If the Privacy Officer determines that a violation has occurred, he/she may take action as is necessary and supported by the facts, including:
- sanctioning the Digithera employees who have acted improperly, and requesting that any Business Associate employees who have acted improperly be sanctioned by the Business Associate;
- working with a Business Associate to cure any violation by the Business Associate, or terminating the Business Associate Agreement if no cure is possible;
- mitigating any harmful effect that the Digithera knows of resulting from the improper use or disclosure of PHI as per Digithera’s mitigation policy.
Determination. Upon completion of the investigation, appropriate action will be taken, as necessary and supported by the facts.
Procedure To File A Complaint With Secretary Of HHS.
Filing Complaint. To file a complaint with the Secretary of HHS, the individual should send a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, call 1.877.696.6775 or visit www.hhs.gov/ocr/privacy/hipaa/complaints.
Timing. The complaint must be filed within one hundred and eighty (180) days of the individual’s knowledge of the alleged violation.
Information related to each complaint received by the Digithera and the disposition of each complaint will be documented by the Digithera, and that documentation will be retained for six (6) years in accordance with Digithera’s record retention policy.
The Digithera, to the extent practicable, will mitigate any harmful effect that it knows of resulting from the use or disclosure of protected health information (“PHI”) in violation of the Privacy Rule or these Policies and Procedures by the Digithera, any Digithera employees or Business Associates.
Any person, including Digithera employees or Business Associates, who becomes aware that an improper disclosure was made must immediately:
- Limit any further improper disclosure; and
- Report the matter to the Privacy Officer.
Process. In order to mitigate any harmful effects of an improper use or disclosure that the Digithera knows of, the Privacy Officer may take the following steps:
- notify the affected individual;
- immediately request the return or destruction of the PHI by the disclosing party and/or the party who received the PHI;
- create additional safeguards for protecting PHI;
- discipline the Digithera employees who have acted improperly;
- work with a Business Associate who may be involved to cure a violation, including requesting that the Business Associate discipline any involved employees; and
- terminate a Business Associate Agreement if the violation does not cease or, in the alternative, if it is not feasible to terminate the Business Associate Agreement, consider other possible remedial actions.
NOTE: The above steps are not mandatory or exclusive and the Privacy Officer may take any steps he/she deems necessary to mitigate the violation.
13. Non-Retaliation And Waiver
The Digithera, Digithera employees and Business Associates are prohibited from intimidating, threatening, coercing, discriminating against or taking any retaliatory action against any individual for exercising his/her rights under the Privacy Rule or these Policies and Procedures. In addition, the Digithera is prohibited from requiring any individual to waive his/her rights under HIPAA as a condition of the provision of treatment, payment or eligibility for health care benefits.
Prohibited Retaliatory Actions.
The Digithera, Digithera employees and Digithera’s Business Associates will not retaliate against any individual because he/she:
- Exercised any right under, or participated in any process established by, the Privacy Rule or these Policies and Procedures;
- Filed a complaint with the Digithera or the Secretary of HHS, or acted with regard to Notification of Breach in accordance with Digithera’s policies;
- Testified, assisted or participated in an investigation, compliance review, proceeding or hearing conducted by the Secretary of HHS; or
- Opposed any act or practice made unlawful by the Privacy Rule or improper by these Policies and Procedures, provided that the individual has a good faith belief that the practice opposed is unlawful or contrary to these Policies and Procedures, and the manner of the opposition is reasonable and does not involve an impermissible disclosure of protected health information (“PHI”).
Individuals may not be required to waive their rights under the Privacy Rule or these Policies and Procedures, including their rights to file a complaint with the Secretary of Health and Human Services under HIPAA or obtain a notification of Breach, as a condition of treatment, payment or eligibility for health care benefits.
Any Digithera employees found to have retaliated against an individual for making a complaint, for participating in an investigation, or for seeking or obtaining a waiver from an individual, will be subject to appropriate sanctions. Any Business Associate’s employee found to have retaliated against an individual or sought or obtained a waiver from an individual may be sanctioned in accordance with the Business Associate’s sanctions policies.
The Digithera will train the appropriate Digithera employees on these Policies and Procedures as necessary and appropriate for those employees to carry out their functions.
Responsibility. The Privacy Officer is responsible for ensuring timely and proper training.
Time for Training. Training will be provided:
- To the appropriate Digithera employees as determined by the Privacy Officer;
- To each new Digithera employee who the Privacy Officer determines needs training within a reasonable time after joining the workforce; and
- To each Digithera employee whose functions are affected by any material changes in these Policies or Procedures within a reasonable time after the effective date of those changes.
- As determined by the Privacy Officer, Digithera employees may be required to attend periodic “refresher” training.
The Digithera will document that all training has been provided as required and retain those records for six (6) years in accordance with Digithera’s documentation and record retention policy.
15. Marketing And Fundraising
The Digithera limits its marketing communications as described in this Policy and prohibits the use of protected health information (“PHI”) for fundraising purposes.
Limitation On Marketing.
Except as provided below, the Digithera only communicates to individuals about products or services in a manner that encourages the individuals to use or purchase the product or service (“marketing communications”) upon receipt of a signed authorization from the individuals.
Communications Permitted Without Authorization. Under these exceptions to the above rule, the Digithera may make the following marketing communications without an individual’s authorization:
- A face-to-face communication made by the Digithera to a patient.
- A promotional gift of nominal value provided by the Digithera.
- Communications to describe a health-related product or service (or payment for such product or service) that is provided by the Digithera. Such communications may include information about the entities participating in the Digithera’s healthcare provider network.
- Communications for the treatment of an individual.
- For case management or care coordination for the individual, or to direct or recommend to the individual alternative treatments, therapies, health care providers or health care settings.
- However, for marketing communications under Sections 2.1(a)(iii)–(v) to be permitted without authorization, the Digithera may not receive direct or indirect remuneration in exchange for the communication, except if the communication describes a drug or biologic that the individual is currently being prescribed, and the payment received by the Digithera is reasonably related to the cost of making the communication.
Prohibition On Fundraising.
Neither the Digithera nor its Business Associates may use protected health information (“PHI”) for purposes of fundraising.
16. Notice Of Privacy Practices
The Digithera disseminates and maintains a Notice of Privacy Practices (“Privacy Notice” or “Notice”) that clearly states the manner in which it may use and disclose an individual’s protected health information (“PHI”), and provides adequate notice of an individual’s rights and Digithera’s legal duties with respect to PHI. Individuals have a right to request and receive a paper copy of the Privacy Notice at any time.
Responsibility. The Privacy Officer is responsible for developing, reviewing, revising, updating and disseminating the Digithera’s Privacy Notice to ensure that it conforms to these Policies and Procedures.
Notice Requirements. The Privacy Notice will be in plain language and include the content requirements set forth in 45 C.F.R. § 164.520.
Dissemination Of Notice.
Time to Notify Individuals.
- Notification. The Digithera must distribute the “Notice of Privacy Practices” to an individual prior to the individual’s first receipt of health care services or, in emergency situations, as soon as reasonably practicable.
Availability of Privacy Notice.
- Electronic Notice. The Digithera may provide Notice to an individual by e-mail if the individual agrees to such Notice. If the Digithera becomes aware that e-mail transmission has failed, a paper copy of the Notice must be provided to the individual. An individual receiving e-mail Notice always maintains the right to obtain a paper copy of Notice from the Digithera upon request.
- Paper Copy of Notice. Individuals have a right to a paper copy of the Privacy Notice, even if they have previously agreed to receive the Privacy Notice electronically. Individuals may receive a copy of the Privacy Notice by:
(i) In-Person Request. An individual may make a request in person to a Digithera employee.
(ii) Written Request. An individual can submit a request for Notice in writing to:
Digital Therapeutics, Inc.
Unit 118, The Record Hall
16-16A Baldwin's Gardens
London, EC1N 7RJ
- Availability on Website. To the extent the Digithera maintains a website, the Privacy Notice must be placed and maintained on the Digithera’s web site and be available electronically through the website.
Acknowledgement Of Receipt.
Acknowledgement of Paper Copy of Notice. Each paper copy of the Privacy Notice given to an individual shall have attached to it a cover page entitled Patient Acknowledgement of Receipt of Notice of Privacy Practices, included below as Exhibit A, which the individual will be asked to date and sign at the time the individual is given the Privacy Notice. If the individual is unable or unwilling to date and sign the acknowledgement form, Digithera employees should document in writing on the face of the acknowledgement form the reason for the inability or refusal of the individual to sign. Such reason could simply be, e.g., that the individual refused to sign after being requested to do so. Digithera’s duty under the law is only to make a good faith effort to obtain the acknowledgement of receipt. If the individual does not want to sign the acknowledgement form, he or she is not required to do so.
Acknowledgement of Electronic Notice. If an individual wishes to receive the Notice electronically, the system should request the patient to acknowledge receipt electronically.
The Digithera will retain copies of the Privacy Notices issued by it for six (6) years following their last effective date, in accordance with Digithera’s record retention policy.
17. Sanctions For Non-Compliance
The Digithera will apply appropriate sanctions against any of its employees who fail to comply with these Policies and Procedures or the requirements of the HIPAA Privacy Rule.
Discipline. The Digithera has a zero-tolerance policy regarding the improper use or disclosure of PHI by any employee. Any Digithera employee who violates the HIPAA Privacy Rule and/or these Policies and Procedures will be subject to sanctions, which may include oral counseling, write-ups, suspension and/or termination. All Digithera employees are employees-at-will whose employment at the Digithera may be terminated at any time, with or without cause or notice.
Discretion of the Privacy Officer. The Digithera does not guarantee that one form of discipline will necessarily precede another. Further, the Digithera reserves the right, at all times, to take whatever disciplinary action it deems appropriate, up to and including termination. Prior notification and progressive discipline are not prerequisites for termination or other disciplinary action.
Whistleblower. No violation may be considered to have been committed if a Digithera employee:
- Discloses PHI with a good faith belief that the Digithera has engaged in conduct that is violative of these Policies and Procedures or the HIPAA Privacy Rule and the disclosure is to:
(i) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the Digithera; or
(ii) An attorney retained by or on behalf of the employee or Business Associate for the purpose of determining legal options with regard to whether the Digithera has engaged in conduct that is unlawful.
All sanctions that are applied will be documented and any related records will be retained for six (6) years in accordance with Digithera’s documentation and record retention policy.
18. Documentation And Record Retention
The Digithera will maintain a written or electronic record of certain documentation, in accordance with this Policy.
The following documents must be maintained:
- The Policies and Procedures for complying with the HIPAA Privacy Rule;
- Any communication required by the HIPAA Privacy Rule to be in writing; and
- Any action, activity or designation required to be documented by the HIPAA Privacy Rule.
The Digithera will retain the above-described required documentation for six (6) years from the date of its creation or the date when it was last in effect, whichever is later.
All hardcopy documents containing protected health information (“PHI”) shall be destroyed by shredding, either at the end of the six- (6-) year document retention period or, for PHI that is not subject to the six- (6-) year document retention requirements, when the information is no longer necessary for the purpose for which it was created, obtained, used or disclosed, and in accordance with the Digithera’s general record retention policy.
19. Introduction And Key Definitions
This document summarizes the permitted uses and disclosures of patient protected health information (“PHI”) as permitted by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule” or the “HIPAA Privacy Rule”), as amended by the Health Information Technology for Economic and Clinical Health Act, which is at Section 13400, et seq. of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. § 17921, et seq., (the “HITECH Act”) and any regulations promulgated thereunder, including the HIPAA omnibus final rule (the “HIPAA Final Rule”).
This policy applies to all Digithera staff members.
The Digithera is committed to complying with the Privacy Rule.
The Digithera recognizes the need to protect the privacy of PHI in order to facilitate the effective delivery of health care. These Privacy Policies and Procedures are designed and intended to ensure the Digithera’s compliance with the Privacy Rule. The Digithera adopts these Policies and Procedures to protect the PHI that it creates and maintains from unauthorized use, disclosure, or access, and to maintain the confidentiality and integrity of that PHI. These Policies and Procedures also ensure that individuals have rights related to their PHI. Through the Digithera’s Notice of Privacy Practices ("Privacy Notice") individuals are informed of the Digithera’s legal duties and these Policies and Procedures, as well as their individual rights with respect to their PHI.
"Protected Health Information" is information that (1) identifies (or could be reasonably used to identify) an individual, (2) is created or received by a HIPAA covered entity (a health care provider, health plan or health care clearinghouse) and (3) relates to the past, present or future physical or mental health of the individual, the provision of health care to the individual, or the past, present or future payment for the provision of health care to the individual.
A "Business Associate" is a person or entity, other than a member of a covered entity’s workforce, that creates, receives, maintains or transmits PHI on behalf of a covered entity for a function or activity regulated by HIPAA. The HIPAA Final Rule expands the definition of “business associate” to include subcontractors to a business associate that create, receive, maintain or transmit PHI on behalf of a business associate. Business associate functions or activities on behalf of a covered entity include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing.
These Policies and Procedures will be amended and/or supplemented as necessary and appropriate to comply with changes in the law or regulations or other interpretation of the Digithera’s privacy-related obligations, or to reflect changes related to the Digithera. The Digithera will document and implement changes to these Policies and Procedures whenever there is a change in the law, regulations or interpretation of the Digithera’s privacy obligations and/or a material change to the uses or disclosures of PHI or other privacy practices that necessitate a change in these Policies and Procedures. If a change requires revisions to the Privacy Notice, the Digithera will not implement the change before the effective date of the revised Privacy Notice unless the Privacy Officer deems it necessary to apply the change to PHI that the Digithera created or received before this effective date.
These Policies and Procedures are effective as of June 25, 2019.
- The term “ensure,” as used throughout these Policies and Procedures, is not meant to guarantee compliance with the Privacy Rule. Rather, “ensure” shall mean that the Privacy Officer, Business Associates and others, as applicable, will use their best efforts to comply with the Privacy Rule.
20. Notification Of Breach
The Digithera will notify individuals, the Secretary of Health and Human Services (the “Secretary”) and, where required, the media of breaches of Unsecured PHI in accordance with the Notification of Breach Rule, 45 C.F.R. Part 164, subpart D, and the HIPAA Final Rule, following the Digithera Breach Response Plan included below.
Breach Response Plan
This Breach Response Plan (the “Plan”) is intended for Digital Therapeutics (the “Digithera”) employees, including those responsible for responding to breaches (defined below). The Plan provides guidance in identifying, evaluating, remediating and reporting any: (i) confirmed or suspected breach of physical, network or system security; (ii) privacy breach; or (iii) material noncompliance with the Digithera’s information privacy and security policies and procedures. The guidance in this Plan applies to all information, data, and technology used by the Digithera.
This Breach Response Plan is effective as of June 25, 2019. This Plan supersedes any previous breach response plans.
- Plan Updates and Retention
The Digithera will review and update this Plan at least once annually, after each incident, and as necessary and appropriate to comply with changes in the law. The Digithera will distribute the Plan to all employees and contractors after each update. This Plan does not supersede any incident response policies or procedures that the Digithera has implemented to comply with the HIPAA Security Rule.
The Digithera will maintain this Plan and any documentation created pursuant to this Plan, including breach notification letters and risk assessments, in written or electronic form, for a period of at least six (6) years after the date of creation or the date when last in effect, whichever is later, and any additional period required by Digithera record retention policies and procedures.
- Breach Response Contact(s)
The following individual(s) (“Breach Response Contact”) shall be contacted in the event of a suspected breach:
Lucas Gordon (firstname.lastname@example.org)
The Breach Response Contact’s responsibilities shall include, but not be limited to:
Leading breach response activities and assessing a breach’s impact and priority;
Correlating information across multiple Digithera components;
Coordinating information and evidence gathering, forensic investigations and follow-up activities;
Updating and closing breach tickets for security breach incidents involving successful penetrations; and
Preparing and disseminating updates and reports to other Digithera personnel as necessary.
- Breach Response Process
The Digithera breach response process consists of at least the following steps:
(i) Preparation and Training
Thorough preparation is essential for prompt and effective breach response. The Digithera will ensure that all Digithera employees and contractors know how to identify incidents and know the proper procedures for reporting incidents to the Breach Response Contact, and will cover these procedures during their initial orientation.
Some incidents, such as theft of computers or unauthorized physical access to Digithera facilities, are easily identified, whereas computer security incidents can be more difficult to identify. Typical symptoms of computer security incidents include: (i) repeated unsuccessful logon attempts; (ii) suspicious entries in system or network logs; and (iii) disruption of service, or the inability of one or more users to log in to an account.
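The first two symptoms listed above (repeated failed logons and suspicious log entries) are the ones an employee is least likely to notice by eye, so the usual practice is to have a small check run over authentication logs and raise the incident for the Breach Response Contact. The script below is an added illustration of that check; it is not part of the Digithera Plan. The log format is OpenSSH's syslog output, the sample lines are constructed for the example, and the threshold (5 failures from one source within 2 minutes) and the log year are assumptions. It reports two kinds of finding: a burst of failed logons from one source, and a successful logon from a source that had just produced such a burst, which is the stronger indicator that an account was actually compromised rather than merely guessed at.

```python
"""Flag bursts of failed logons and any success that follows them.

Added example for the Breach Response Plan; not Digithera code. The line
format mirrors OpenSSH syslog output; sample lines, threshold, window and
log year are assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source guessing root's
# password, then succeeding; one user mistyping once, then using a key.
SAMPLE_LOG = """\
Jun 25 09:01:02 app01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 25 09:01:05 app01 sshd[2103]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun 25 09:01:09 app01 sshd[2105]: Failed password for root from 203.0.113.7 port 51141 ssh2
Jun 25 09:01:12 app01 sshd[2107]: Failed password for root from 203.0.113.7 port 51150 ssh2
Jun 25 09:01:15 app01 sshd[2109]: Failed password for root from 203.0.113.7 port 51162 ssh2
Jun 25 09:01:40 app01 sshd[2111]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Jun 25 09:05:00 app01 sshd[2120]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
Jun 25 09:05:30 app01 sshd[2122]: Accepted publickey for jsmith from 198.51.100.4 port 40002 ssh2
"""

# Matches the "Failed ... for" and "Accepted ... for" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5             # assumption: 5 failures ...
WINDOW = timedelta(minutes=2)  # ... from one source within 2 minutes
LOG_YEAR = 2019                # assumption: syslog lines carry no year


def parse_line(line):
    """Return a dict for a logon line, or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def find_suspicious_logons(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Scan log lines in order and return a list of findings.

    'failed_logon_burst'     : threshold failures from one source inside the window
    'success_after_failures' : an Accepted logon from a source with such a burst
    """
    findings = []
    recent_fails = defaultdict(list)  # source address -> failure timestamps
    burst_reported = set()            # report each source's burst only once

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        # Keep only failures still inside the sliding window.
        fails = [t for t in recent_fails[src] if ev["ts"] - t <= window]

        if ev["result"] == "Failed":
            fails.append(ev["ts"])
            if len(fails) >= threshold and src not in burst_reported:
                burst_reported.add(src)
                findings.append({"kind": "failed_logon_burst", "src": src,
                                 "count": len(fails), "ts": ev["ts"]})
        elif len(fails) >= threshold:
            # A success right after a burst is the priority finding.
            findings.append({"kind": "success_after_failures", "src": src,
                             "user": ev["user"], "count": len(fails), "ts": ev["ts"]})
        recent_fails[src] = fails
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logons(SAMPLE_LOG):
        print(f)
```

On the sample log the script reports one burst from 203.0.113.7 and then the Accepted logon for root from the same source; the single failure from 198.51.100.4 never reaches the threshold and is ignored. In practice the window and threshold are tuned per system, and a finding of the second kind should go straight to the Breach Response Contact under the reporting procedure described in this Plan.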
(ii) Identification and Reporting
When an actual or suspected incident is reported, the Breach Response Contact shall use the Breach Response Checklist (attached as Appendix A) to gather as much information about the suspected incident as possible. If the suspected incident involves a possible compromise of any sensitive or personally identifiable information, including PHI, as that term is defined in the Data Breach Notification Procedures (attached as Appendix B), the Breach Response Contact shall contact internal or external legal counsel (the “Legal Counsel”) immediately.
(iii) Containment
Once the Breach Response Contact is notified of a possible incident, containing the incident shall be the first priority. Consideration will be given to factors such as system backups, risk to continuing operations, and changing passwords or access control lists on compromised systems and data. This step also includes determining the cause of the incident, determining the system vulnerabilities involved, improving system defenses, and removing the cause of the incident to eliminate the possibility of recurrence. It may be necessary to activate business continuity plans and/or disaster recovery plans. The process of containing an incident will differ depending on the incident type.
(iv) Investigation and Risk Assessment
Once the incident has been contained, the Breach Response Contact will conduct a detailed investigation to determine the cause of the incident, the extent of damage to systems or facilities, and the quantity and nature of the compromised information, if any. During the investigation, the Breach Response Contact shall, at a minimum, investigate, tally, identify and document:
All affected Digithera facilities and systems;
Digithera employees, contractors, subcontractors and vendors with access to the affected facilities and systems, along with usage and/or entry logs;
Vulnerabilities exploited by the attackers;
Damage inflicted by the incident; and
Information compromised during the incident.
As part of the investigation, the Breach Response Contact, in conjunction with Legal Counsel, shall conduct and document a risk assessment that addresses, at a minimum, the following questions:
Who used or received the information?
Have steps been taken to mitigate the risk to any PHI?
What type of information was disclosed?
What amount of information was disclosed?
For incidents involving PHI, the Digithera shall use the Risk Assessment Questionnaire (attached as Appendix C) in conducting the risk assessment.
(v) Remediation and Monitoring
After the damage has been assessed, the Breach Response Contact shall take all reasonable steps necessary to remediate damages resulting from the incident. If the incident involves malicious code (“malware”), all infected systems shall be scanned and cleaned to ensure that no malware remains. If outside attackers gained access to Digithera systems, any system vulnerabilities exploited by the attackers shall be secured and the Breach Response Contact shall conduct a risk assessment to identify any additional vulnerabilities. If Digithera property is stolen, additional physical security measures shall be introduced to prevent future thefts.
Once remediation efforts are finished, and systems and facilities have been restored to their operational states, the Breach Response Contact shall arrange to have the affected systems and facilities monitored to ensure that they continue to operate normally.
(vi) Reporting to Law Enforcement and Others
If the Breach Response Contact believes that the incident was the result of a criminal or tortious act, the Digithera may, after consulting with Legal Counsel, decide to demand compensation from the perpetrator and/or refer the case for criminal prosecution. In either case, the Digithera shall first consult with Legal Counsel in order to fully understand the benefits and consequences of pursuing these legal remedies. Depending on the type of information compromised, the Digithera may also have regulatory and/or contractual reporting or notification obligations. Legal Counsel shall help the Breach Response Contact determine which, if any, regulatory agencies or persons it is required to notify.
(vii) Internal Notification and Reporting
The Breach Response Contact shall promptly provide Digithera managers with an incident report describing the nature of the incident, how the incident was identified, any damage caused by the incident (including compromised information), any steps taken to remediate damage caused by the incident, and the overall cost associated with the incident, including damages and expenses for response and remediation.
(viii) External Notification and Reporting
It may be necessary under federal or state law for Digithera to notify affected persons whose information may have been compromised. The Breach Response Contact shall work with Legal Counsel to identify situations when notification is necessary and to receive further instructions on reporting and notification requirements and processes. Further details are provided in the Data Breach Notification Procedures (attached as Appendix B).
(ix) Process Evaluation; Updating Policies
Once the incident response is complete, the Breach Response Contact shall meet with the personnel involved in the response to discuss how the incident was handled, objectively evaluate the response, and identify areas for improvement. These “lessons learned” shall be used to update the Digithera Breach Response Plan, Digithera information privacy and security policies and procedures, and other Digithera policies and procedures as appropriate.
(x) Business Associate Breach Reports
Breach reports made by Digithera Business Associates shall also be forwarded to the Breach Response Contact for evaluation and, where necessary, monitoring, and shall be handled under the process described above.