GDPR and HIPAA Policy Statement
Introduction
At iEHR.ai, safeguarding the privacy and security of personal data is our top priority. As a provider of intelligent electronic health record solutions, we are committed to complying with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in the European Union. This policy outlines our practices for handling data responsibly.
Scope
This policy applies to all personal data and Protected Health Information (PHI) collected, processed, and stored by iEHR.ai. It is binding on all employees, contractors, and partners of iEHR.ai.
GDPR Compliance
Our GDPR compliance program is designed to ensure the protection of personal data belonging to individuals within the European Union. Key elements include:
- Lawful Basis for Data Processing: We only collect and process personal data based on lawful grounds, such as explicit consent, contractual obligations, and legal requirements.
- Transparency: Clear and accessible privacy notices inform users about data collection, usage, and retention policies.
- User Rights: We respect and uphold the rights of individuals, including the rights to:
  - Access their data.
  - Rectify inaccuracies.
  - Erase their data ("right to be forgotten").
  - Restrict processing.
  - Data portability.
- Data Protection Measures: We employ advanced security practices, including encryption, pseudonymization, and access controls, to protect personal data.
- Data Protection Officer (DPO): We have appointed a dedicated DPO to oversee GDPR compliance and serve as a point of contact for inquiries.
- Data Protection Impact Assessments (DPIAs): Regular DPIAs are conducted to evaluate and mitigate risks associated with data processing activities.
HIPAA Compliance
iEHR.ai ensures compliance with HIPAA regulations through the following measures:
- Data Confidentiality: We implement stringent measures to prevent unauthorized access, use, or disclosure of PHI.
- Permissible Use: PHI is used exclusively for approved purposes, such as treatment, payment, and healthcare operations.
- Safeguards: Administrative, physical, and technical safeguards are in place to ensure PHI protection. These include secure data storage, access controls, and encryption.
- Employee Training: Regular training programs educate employees on their responsibilities regarding PHI and HIPAA compliance.
- Audit and Monitoring: Ongoing audits and monitoring mechanisms are employed to identify and address potential risks.
- Breach Notification: In the event of a breach involving PHI, we notify affected individuals and regulatory authorities as per HIPAA guidelines.
Cross-Border Data Transfers
We adhere to GDPR guidelines for cross-border data transfers by:
- Implementing Standard Contractual Clauses (SCCs) and other approved mechanisms.
- Ensuring equivalent levels of data protection for personal data transferred outside the EU.
Data Sharing Policy
iEHR.ai shares personal data and PHI only with:
- Authorized healthcare providers.
- Business associates and partners bound by data-sharing agreements compliant with HIPAA and GDPR.
Incident Response Plan
In the event of a data breach:
- Investigation: We promptly investigate the breach to determine the scope and impact.
- Notification: Affected individuals and regulatory authorities (e.g., HHS OCR for HIPAA, Data Protection Authorities for GDPR) are notified within the required timeframes.
- Mitigation: Corrective actions are taken to prevent future occurrences.
Commitment to Continuous Improvement
To keep pace with evolving regulations and industry best practices, iEHR.ai regularly reviews and updates its privacy and security policies.
Contact Information
If you have questions or wish to exercise your rights, please contact our Data Protection Officer (DPO):
Email: dpo@iehr.ai
This policy demonstrates our dedication to transparency, accountability, and compliance with HIPAA and GDPR standards. Your trust is our priority at iEHR.ai.