“GDPR” means Regulation (EU) 2016/679 and any law made under or as a result of it.
“Personal data” means any data that relates to an identified or identifiable natural person.
“Processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Responsibility for Your Personal Data
- Locke Lord LLP, 2200 Ross Avenue, Suite 2800, Dallas, Texas 75201, United States; T: +1-214-740-8000
- Locke Lord (UK) LLP, 201 Bishopsgate, London, EC2M 3AB DX 567, United Kingdom; T: +44 (0) 20 7861-9000, and
- Locke Lord, 21/F Bank of China Tower, 1 Garden Road, Central, Hong Kong; T: +852-3465-0600.
You may contact the Firm regarding any questions or complaints as specified in the “How to Contact Us” section below.
3. Categories of Individuals About Whom We Process Personal Data
We process personal data from or about the following categories of individuals:
- Job applicants to the Firm (whether as an employee, partner, contractor, consultant, paid intern or temporary employee) (“Job Applicant Data”);
- Users of the Firm website (“Website Data”);
- Individuals who are, or are associated with, Firm clients, vendors, or other business contacts with whom we interact or seek to establish a relationship (“Contact Data”);
- Individuals identified in data provided by or on behalf of clients in connection with representation by the Firm (“Client Sourced Data”); and
- Individuals who are, or are associated with, adverse parties, witnesses, or other third parties relevant to our legal representation of clients, such as information obtained during investigations or discovery in the context of litigation, arbitration, negotiations, or other aspects of client representation (“Other Party Data”).
4. Categories and Sources of Personal Data Processed
We may collect and store various types of Personal Data about you, depending on the category in which you fall and the reason for which the personal data is processed. The following is a general summary of the personal data about you that we may process in each category, the sources of such personal data, and the purposes for processing:
When you apply for employment with the Firm (whether as an employee, partner, contractor, consultant, paid intern or temporary employee) and when we evaluate your employment application and related materials (e.g., the results of pre-employment screenings), we obtain Job Applicant Data about you.
Categories of Job Applicant Data: The Job Applicant Data we collect and process varies by the roles and responsibilities for the position you are applying for with the Firm, and our needs. Such personal data may include:
- Individual Data: Your name, address, telephone and/or mobile telephone number, e-mail address, gender, marital status, date of birth/age, citizenship, foreign language skills, relevant tax identification number(s), information on your passport, driver’s license or other governmental identification, information contained in a governmental employment eligibility form, passport number, prior employers, education, prior employment history, including salary information, results of criminal background screening, visa information, emergency contact information, name change information, CVs, etc.; and
- Other Data About You: Any additional personal data that may be included on documents you submit or we obtain as part of your employment application, such as information contained on any employment application or cover letter, curriculum vitae or resume, diploma, transcript, license, statement of good behavior, background screening, employment contract, any related documents, reference check, identification card, request for leave, benefits, etc., and information collected from publicly available resources, professional license databases, and credit agencies, where applicable, or data that you voluntarily submit concerning your sexual orientation.
Sources of Job Applicant Data: We obtain Job Applicant Data about you (i) directly from you, (ii) from partners and employees at the Firm (e.g., partners or employees that refer you to the Firm or who have worked with you at your prior employer), and (iii) from third parties, such as government agencies, recruiters, employment agencies, screening companies, and references that you provide to us, as well as from publicly available sources, such as websites.
Purposes and Legal Basis for the Processing: Your Job Applicant Data is processed for the purpose of establishing and maintaining your employment relationship with us (whether as an employee, partner, contractor, or consultant). The legal basis for such processing is that it is: (i) necessary for entering into and/or performing your employment relationship with the Firm, (ii) necessary for compliance with one or more legal obligations to which you or the Firm is subject (e.g., reporting to governmental or taxing authorities), and/or (iii) necessary for the purposes of the legitimate business interests pursued by the Firm in recruiting and employing personnel in order to provide its services.
You do not have to submit any personal data in order to use our Website.
Categories of Website Data: When you visit the Firm Website, we may collect two types of data: (1) personal data about you that you voluntarily choose to provide to us, and (2) information related to your activities on the Firm Website that we automatically collect as you interact with the Website (“Website Usage Information”).
- Information You Voluntarily Provide: We collect personal data that you voluntarily provide in response to requests we may make at various places and through various mechanisms on the Firm Website. The personal data we collect is business-oriented data and is usually limited to contact information necessary for the relationship, such as name, company name, job title, and email address. We may collect such information, for example, when you fill out and submit a form, such as if you register for an event, register to receive a newsletter or email communications, when you submit an inquiry or request to us using a form or e-mail address link on the Firm Website, and when you send an email to a Firm address or Firm mail list that is listed on the Firm Website. In such cases, we will collect whatever personal data you voluntarily provide in response to our request.
- Special Categories of Personal Data: In connection with the registration for and provision of access to an event or seminar, we may ask for information about your health for the purpose of identifying and accommodating any disabilities or special dietary requirements you may have. Any use of such information is based on your consent. If you do not provide any such information about disabilities or special dietary requirements, we will not be able to take any respective precautions.
We use the following types of cookies:
(a) Necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable the website to perform as intended and to access secure areas of our website.
(b) Analytical/performance cookies. They allow us to recognize and count the number of visitors and repeat visitors, to see how visitors move around our website when they are using it, to see which search engine is being used to access our website, the region a visitor is browsing from, and the type of device a user is visiting from. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. We may use third-party services, currently Google Analytics and Siteimprove, to collect standard internet log information and details of visitor behavior patterns. This information is only processed in a way that does not identify anyone. To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. Individuals who have opted to browse websites in private or incognito mode will not be tracked by Siteimprove on our website.
If you do not wish to receive cookies, most browsers allow you to change your cookie settings. Please note that if you choose to change cookie settings you may not be able to use the full functionality of our website. These settings will typically be found in the "options" or "preferences" menu of your browser. Further, most browsers permit individuals to decline cookies. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.
- Information about Children. Neither the Firm Website nor any of our products or services are directed to children younger than age sixteen (16). We do not knowingly collect personal data from children under the age of sixteen (16) via the Firm Website and we will delete any such information later determined to be from a person younger than age sixteen (16).
Sources of Website Data: We obtain Website Data about you (i) directly from you if you voluntarily choose to enter personal data on the Firm Website, and (ii) from the data analytics software, cookies, and web beacons that we may use on the Firm Website.
Purposes and Legal Basis for the Processing: We process Website Data for the purposes of building relationships with existing and potential clients and other interested parties, communicating with such parties, and analyzing and improving the firm website. This includes keeping such people informed of the latest updates about legal and regulatory developments and notifying them of seminars and hosted events. Such processing is done in furtherance of and is necessary for the legitimate business interests pursued by the Firm to market and provide legal services.
Like any business, we collect, receive, and process Contact Data regarding our clients, potential clients, and other third parties (e.g., vendors, other attorneys, and other business and professional contacts) with whom we may interact from time to time.
Categories of Contact Data: The Contact Data that we collect and process typically consists of information such as name, title, position, employer, email address, other business contact data (e.g., business card data), and similar relationship-type data. Such Contact Data may also include details of your visits to our offices.
Sources of Contact Data: We obtain Contact Data about you (i) directly from you, such as when you seek legal advice from us, attend a seminar or another event or sign up to receive newsletters, emails, or other information from us, or when you or your organization offer to provide or provide services to us, (ii) from others (e.g., referrals), (iii) from third parties, such as government agencies, and (iv) from publicly available sources, such as websites (e.g., LinkedIn, your business’ website, etc.).
Purposes and Legal Basis for the Processing: We process Contact Data for the purposes of providing legal services to clients, building and managing relationships with existing and potential clients and other interested parties, communicating with such parties, and generally operating the Firm’s business. This includes keeping such people informed of the latest updates about legal and regulatory developments and notifying them of seminars and hosted events. Such processing is done in furtherance of and is necessary for the legitimate business interests pursued by the Firm as a provider of legal services. It may also be done to comply with our legal obligations (such as record-keeping obligations), compliance screening or recording obligations, and financial and credit check and crime prevention and detection purposes.
In the course of representing our clients, and providing legal services to them, we may receive certain Client Sourced Data from such clients or from third parties providing such data on their behalf, as necessary or relevant to the legal services we are providing.
Categories of Client Sourced Data: The scope and extent of the Client Sourced Data that we collect and process is typically determined by the client and/or the nature and scope of the relationship and legal services involved.
Sources of Client Sourced Data: We obtain Client Sourced Data directly from our clients, and from third parties that provide such information on behalf of our clients, such as their professional advisors, attorneys, auditors, and accountants, consultants, and others.
Purposes and Legal Basis for the Processing: We process Client Sourced Data for the purposes of providing legal services to our clients. Such processing is done in furtherance of and is necessary for the legitimate business interests pursued by the Firm as such a provider, and in some cases because it is necessary for the performance of a contract to which the data subject is party, or is necessary for compliance with a court order or a legal obligation.
As a matter of Firm policy, Firm attorneys and staff may use or disseminate Client Sourced Data only for the purpose of providing legal services consistent with our ethical obligations to our clients, including the duty of confidentiality under rules of professional responsibility applicable to our lawyers in our various jurisdictions. The Firm believes in transparency with the client as to the collection, use, and dissemination of Client Sourced Data, and the reasons therefor.
Protected Health Information Under HIPAA. To the extent that any Client is considered to be a Covered Entity or Business Associate under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the Client Sourced Data includes Protected Health Information, or Protected Health Information is collected by us in our capacity as a Business Associate or sub-contractor Business Associate under HIPAA, the provisions of the HIPAA Privacy Policies attached as Appendix 1 shall also apply.
In the course of representing our clients, and providing legal services to them, we may seek, obtain, receive, or require, certain Other Party Data regarding adverse parties, witnesses, or other third parties relevant to our legal representation of the client.
Categories of Other Party Data: The scope and extent of the Other Party Data that we collect and process is typically determined by the applicable client, an adverse party, a court, and/or the nature and scope of the legal representation involved.
Sources of Other Party Data: We obtain Other Party Data about you from a variety of sources as necessary in the context of representing our clients, which may include directly from adverse parties (either voluntarily or through discovery in litigation or arbitration), from our own investigations in connection with representing our clients, and from other third parties providing such data.
Purposes and Legal Basis for the Processing: We process Other Party Data for the purposes of providing legal services to our clients. Such processing is done in furtherance of and is necessary for the legitimate business interests pursued by the Firm as a provider of legal services, or is necessary for compliance with a legal obligation.
Protected Health Information Under HIPAA. To the extent that any Other Party Data is provided by a Covered Entity or Business Associate under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the Other Party Data includes Protected Health Information, the provisions of the HIPAA Privacy Policies attached as Appendix 1 shall also apply.
5. Sharing of Personal Data
Subject in all cases to our ethical obligations as attorneys, we may share selected personal data about you with the following parties or in the following circumstances.
5.1 Intra-Firm. Locke Lord LLP, Locke Lord (UK) LLP and Locke Lord may share personal data about you between or among them as necessary for the conduct of the Firm’s business.
5.2 Third Party Service Providers. We may share personal data about you with third parties who perform services for us or on our or our clients’ behalf, for the limited purpose of carrying out such services. This includes, without limitation, third parties that assist in managing our organization, hosting or administering the Firm website or other systems, sending communications on our or our clients’ behalf, maintaining or analyzing our or our clients’ data, providing marketing assistance, conducting background checks, or providing legal services to us or our clients. It also includes third parties providing services for money laundering checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference and background check agencies and regulatory bodies with whom such personal data is shared.
5.3 Clients and Other Parties. We may share selected personal data about you with clients, adverse parties, courts, regulators, legal counsel, experts, consultants, law enforcement personnel, and other persons or entities to the extent reasonably necessary or appropriate in the context of providing legal representation or other legal services for our clients.
5.4 Corporate Change. We reserve the right to disclose and transfer personal data about you in connection with a Firm merger, consolidation, restructuring, financing, sale of substantially all assets, or other organizational change.
5.5 Legal Requirements and Law Enforcement. We may disclose personal data about you when we believe in good faith that the law requires it; at the request of governmental authorities conducting an audit or investigation; pursuant to a court order, subpoena, or discovery request in litigation; to verify or enforce compliance with our agreements or policies and applicable laws, rules, and regulations; or whenever we believe disclosure is necessary to limit our legal liability or to protect or enforce the rights, interests, or safety of the Firm Website, its users, or other third parties. We also reserve the right to report to law enforcement agencies any activities that we, in good faith, believe to be unlawful.
5.6 Consent. We may also share personal data about you in accordance with any express consent you or your authorized agent give us that is specific to the purposes of the processing, about which you will be informed at the time we request such consent. You do not have to give such consent. If you do give consent, you may withdraw it at any time by contacting us (see “How to Contact Us” section below); however, please be aware that such withdrawal will not affect the lawfulness of personal data collected and processed prior to the date of your withdrawal of consent.
6. Cross-Border Transfers of Personal Data
Some Firm offices are located in different countries. The Firm will transfer personal data from one country to another from time to time. It will do so in compliance with applicable privacy and data protection law. For purposes of facilitating transfers of personal data from the EU to the U.S. or Hong Kong, Locke Lord LLP, Locke Lord (UK) LLP and Locke Lord HK have entered into EU Standard Contractual Clauses. You may request a copy of the EU Standard Contractual Clauses from the Firm at any time. Where the Firm transfers personal data from the EU to any third party outside the EU where there is no relevant adequacy decision, it will put in place EU Standard Contractual Clauses with such third party or ensure a condition required by GDPR is met.
7. Data Retention Period
All personal data retained by the Firm will be deleted when such personal data is no longer necessary for the purposes for which it was processed, unless applicable law requires a longer retention period. As set out in the Firm’s “Closing Matters and Client Document Retention” policy, the standard Retention Period for all client/matter documents that contain personal data is five (5) years from the date the client/matter is closed, or six (6) years in the case of files in the London office, except for documents to be retained for a shorter or longer period of time as determined by the client’s guidelines or other agreement with the Firm or a member of the General Counsel’s Office.
8. Your Rights as a Data Subject
To the extent provided by applicable law, and subject to our ethical obligations as attorneys, you have the following rights:
- To request access to the personal data that we hold about you and to request that we rectify or erase it;
- To request a copy of the personal data that we hold about you;
- To request a transfer of your personal data from us to another data controller; and
- To request restriction of processing of your personal data or object to its processing.
We do not impose any charge for these requests (except for further copies of data). For any such request, you can contact us by e-mail, postal mail, or phone as specified in the “How to Contact Us” section below. We will endeavor to respond to all reasonable requests in a timely manner, but in no event longer than thirty (30) days, although where your request is complex it may take us up to a further two months to provide a copy of your personal data.
To the extent the Firm is not the controller of your data, we will notify the controller of your request if required by applicable law.
Updating personal data about you
If any of the personal data that you have provided to us changes, for example if you change your email address or if you wish to cancel any request you have made of us, or if you become aware we have any inaccurate personal data about you, please contact us as specified in the “How to Contact Us” section below. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.
Where the lawful basis of our processing under the EU General Data Protection Regulation (GDPR) is that you have consented to it for a particular identified purpose, you have the right to withdraw that consent at any time. To do so, please contact us as specified in the “How to Contact Us” section below. If you do withdraw consent, this will not affect the lawfulness of any processing that was based on your consent before its withdrawal.
Filing a Complaint
In addition to the foregoing, you have the right to lodge a complaint in respect of your data protection rights with the applicable supervisory authority for data protection in your jurisdiction. If you are in the United Kingdom, that supervisory authority is the UK’s Information Commissioner’s Office: https://ico.org.uk/.
9. Security of Personal Data
We have implemented appropriate technical and organizational measures (i) to ensure a level of security appropriate to the risks that are presented by the Firm’s processing of personal data, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed, and (ii) to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services for the personal data.
10. Connecticut Privacy Protection Policy
Connecticut law requires any person or entity that collects Social Security numbers from Connecticut residents in the course of business to create a privacy protection policy and to publish or display it publicly.
It is the policy of Locke Lord LLP to protect the confidentiality of Social Security numbers in its possession from misuse and improper disclosure by maintaining and enforcing policies and physical and electronic safeguards against misuse and improper disclosure. Unlawful disclosure of Social Security numbers is prohibited, and access to them is limited to Firm personnel who need access to such information in order to perform their job functions at the Firm.
11. Personal Data About Others that You Provide to Us
13. How to Contact Us
By e-mail: Sheryl.Hanley@lockelord.com
By phone: +1-401-276-6628
By postal mail:
Locke Lord LLP
Attn: Sheryl Hanley, Privacy Officer
2800 Financial Plaza
Providence, RI 02903
Locke Lord LLP (the “Firm”) provides legal services to certain entities that are considered to be Covered Entities or Business Associates under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The policies contained in these HIPAA Privacy Policies (“Policies”) apply to the Firm solely in its role as a HIPAA Business Associate.
HIPAA and its implementing regulations (“HIPAA Privacy Regulations”) restrict the Firm’s uses of, disclosures of, and requests for Protected Health Information as a Business Associate. The Health Information Technology for Economic and Clinical Health Act, passed as part of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”), expanded regulatory authority of the U.S. Department of Health and Human Services (HHS) and certain rights of individuals under HIPAA. The Firm’s Privacy Policies set forth guidelines that the Firm’s personnel (“Workforce”) must follow when collecting, using or disclosing Protected Health Information, and set forth a number of rights Individuals have pursuant to applicable law. The Firm considers the protection of this information to be an essential priority and expects all of its Workforce to act in a manner consistent with these Policies. Failure of a member of Workforce to follow the HIPAA Privacy Policies may result in disciplinary action.
In conjunction with the HIPAA Privacy Policies, the Firm has also implemented the HIPAA Data Security Policy and Breach Notification Procedures to set forth requirements that Workforce must follow when dealing with and safeguarding electronically maintained or transmitted Protected Health Information and when a potential breach of unsecured Protected Health Information is discovered. These Policies and the HIPAA Data Security Policy and Breach Notification Procedures are intended to supplement the Firm’s Privacy and Compliance Information Security Program, and shall be construed and administered at all times in a manner consistent with the applicable requirements of HIPAA, the HITECH Act, and HIPAA regulations.
These Policies will change as necessary and appropriate to comply with changes in the law and/or business needs of the Firm.
Any Business Associate agreement that the Firm is asked to sign, or any agreement under which a subcontractor to the Firm will have access, use, maintenance or disclosure of PHI on behalf of the Firm, must be approved by the Firm’s Privacy Officer or her designee prior to signature.
II. Overview of Key HIPAA/HITECH Definitions
A. Business Associate: Business Associate means a person or entity who on behalf of a Covered Entity creates, receives, maintains, or transmits Protected Health Information (“PHI”) for a function or activity regulated by the HIPAA Privacy Regulations.
1. These services include, but are not limited to, claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; certain Patient Safety Activities; benefit management; re-pricing; and practice management; or
2. The provision of legal services, actuarial services, accounting services, consulting services, data aggregation services, management services, administrative services, or accreditation services and financial services to or for a Covered Entity where the provision of the service involves the disclosure of PHI from the Covered Entity or from another Business Associate of the Covered Entity, to the person.
The term Business Associate includes a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to a Covered Entity and that requires access on a routine basis to such PHI. The term Business Associate also includes a person that offers a personal health record to one or more individuals on behalf of a Covered Entity. A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a Business Associate is also considered a Business Associate. In some situations, the Firm may function as a subcontractor to another Business Associate. In such situations, the Firm is a Business Associate if it creates, receives, maintains, or transmits a Covered Entity’s PHI on behalf of another Business Associate.
B. Covered Entity: Covered Entity means (i) a Health Plan, (ii) a Health Care Clearinghouse, and (iii) a Health Care Provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
C. Designated Record Set: A group of records maintained by or for a Covered Entity that is: (i) the medical records and billing records about individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the Covered Entity to make decisions about individuals.
D. Electronic Protected Health Information: Electronic Protected Health Information (“Electronic Protected Health Information” or “ePHI”) means electronic protected health information as defined under HIPAA regulations that is created, received, maintained or transmitted by or on behalf of Covered Entities, including Protected Health Information that is transmitted over the Internet, stored on a computer, CD, disk, magnetic tape or other related means.
E. Limited Data Set: Protected Health Information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: (i) names; (ii) postal address information, other than town or city, State, and zip code; (iii) telephone numbers; (iv) fax numbers; (v) electronic mail addresses; (vi) social security numbers; (vii) medical record numbers; (viii) health plan beneficiary numbers; (ix) account numbers; (x) certificate/license numbers; (xi) vehicle identifiers and serial numbers, including license plate numbers; (xii) device identifiers and serial numbers; (xiii) web universal resource locators (URLs); (xiv) internet protocol (IP) address numbers; (xv) biometric identifiers, including finger and voice prints; and (xvi) full face photographic images and any comparable images.
F. Protected Health Information or PHI: Protected Health Information (“PHI”) means information that is created or received by a Covered Entity (or by a Business Associate acting on behalf of a Covered Entity) and relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present, or future payment for the provision of health care; and that identifies the Individual or for which there is a reasonable basis to believe the information can be used to identify the Individual. Protected Health Information includes information about persons living or deceased, whether in electronic, printed, or spoken form. PHI excludes: (1) individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (“FERPA”); (2) records held by a Covered Entity in its role as employer; and (3) records regarding a person who has been deceased for more than 50 years.
G. Workforce: Workforce means any associate, partner, counsel, staff member, and any other employee, whether employed directly, engaged by contract, or otherwise, of the Firm. The term includes all administrative, management and technical employees as well as all attorneys and paralegals representing Firm clients on behalf of the Firm. Business Associates or subcontractor Business Associates are not considered to be Workforce.
III. Workforce Covered by This Manual
These Policies apply to any member of the Workforce who, by nature of his or her job description and through the course of providing services to a Covered Entity or another Business Associate, uses, discloses, or requests PHI.
The Firm considers the protection of Protected Health Information to be an essential priority and expects all of its Workforce to act in a manner consistent with HIPAA, the HITECH Act, and HIPAA Privacy Regulations. The Firm will use, disclose, maintain and request Protected Health Information received from or created on behalf of Covered Entities or other Business Associates only as permitted under HIPAA and in compliance with the Firm’s applicable Business Associate Agreements.
In general, HIPAA and the HIPAA Privacy Regulations restrict the Firm’s uses of, disclosures of, and requests for Protected Health Information to the minimum amount of information necessary to accomplish the intended purpose of the use or disclosure. The Firm respects the rights of Individuals under HIPAA and maintains documentation of compliance with the HIPAA privacy requirements and the terms of its Business Associate Agreements for six (6) years from the date the documentation was created.
All Workforce members have the responsibility to immediately report violations or potential violations of these Privacy Policies to their supervisor or to the Privacy Officer or to the Workforce member that the Privacy Officer may designate to receive initial reports. The Firm is committed to taking and will take appropriate disciplinary measures against Workforce who violate any policy or procedure concerning the privacy of health information. The Firm trains its Workforce regarding compliance with the HIPAA Privacy Policies as necessary and appropriate for Workforce to carry out Firm Business Associate functions. The Firm’s current Privacy Officer is:
Name and Title
Sheryl D. Hanley
Director of Employee Relations and Employment Counsel
2800 Financial Plaza
Providence, RI 02903
Documentation created pursuant to these Policies shall be retained by the Privacy Officer for six years from the date on which it was created. Documentation shall be made available to those persons responsible for implementing the procedures to which the documentation pertains.
VI. Specific Privacy Policies
A. Privacy Officer. The Firm will designate a Privacy Officer to oversee the formulation and implementation of the Firm’s HIPAA Privacy Policies. The Privacy Officer’s duties include coordinating activities related to protecting privacy and monitoring the Firm’s HIPAA privacy program to oversee compliance with applicable laws, rules, and regulations. The Privacy Officer also serves as the chief liaison for dealing with privacy matters that arise in relationships with Covered Entities, other Business Associates, the Firm’s subcontractors, the public, and privacy enforcement authorities.
B. Workforce Training. The Firm will train Workforce members who access, use and disclose PHI regarding the Firm’s policies and procedures for the safeguarding of PHI as necessary and appropriate for each such Workforce member to carry out his or her job functions under HIPAA. The Firm will also train all applicable Workforce members in Texas as required for compliance with the Texas Medical Records Privacy Act, Tex. Health & Safety Code Chapter 181.
C. Workforce Sanctions. The Firm expects all Workforce members handling PHI to adhere to the Firm’s policies and procedures regarding the safeguarding of PHI and will sanction Workforce members who violate the Firm’s policies and procedures pertaining to PHI.
D. Refraining From Intimidating or Retaliatory Acts. The Firm shall refrain from engaging in intimidation, threats, coercion, discrimination, or any other retaliatory acts with regard to PHI in the situations proscribed by the HIPAA Privacy Regulations.
E. Waiver of Rights. The Firm will not make eligibility for benefits or treatment, payment, or enrollment in a health plan conditional upon the waiver of an individual’s rights. The Firm’s health plans may require certain authorizations for PHI if that information is used for underwriting or risk rating purposes only, as permitted by law.
F. Complaints. It is the policy of the Firm, as a Business Associate, to receive, respond to, and resolve complaints regarding allegations of improper use or disclosure of PHI by Individuals, Covered Entities, other Business Associates, Workforce members, or the Firm’s subcontractors.
G. Subcontractors. The Firm will require all subcontractors who access, use, maintain or disclose PHI on behalf of the Firm and its Covered Entity or Business Associate clients to agree to comply with the Firm’s HIPAA policies, applicable law, and the terms of all applicable Business Associate Agreements to which the Firm is a party.
H. Authorization. It is the Firm’s policy to only use or disclose PHI in a manner permitted by the HIPAA Privacy Regulations or as authorized by the applicable Individual.
I. Minimum Necessary Uses and Disclosures of and Requests for PHI. The Firm will use the minimum amount of PHI necessary to carry out job functions and to provide legal services pursuant to its obligations under the applicable Business Associate Agreement to which it is a party and will disclose or request PHI in accordance with determinations made regarding the minimum amount needed to achieve the purpose of the disclosure or request. Workforce members who routinely use, receive and process requests for disclosure of, or request PHI, will receive training regarding policies and the determinations that have been made regarding minimum necessary disclosures.
Effective from February 17, 2010 until the time the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) issues guidance, as required by the HITECH Act, on what constitutes the “minimum necessary,” the Firm will limit any use, disclosure or request for PHI to the Limited Data Set, as set forth in the HIPAA Privacy Regulations, or if needed by the Firm, to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. The Firm will comply with any future guidance on what constitutes the “minimum necessary” promulgated by the Secretary, which guidance shall override inconsistent policies and procedures established herein.
J. Personal Representatives and Verification of Identity. The Firm recognizes that, with respect to the HIPAA Privacy Regulations and PHI, a personal representative of an Individual is to be treated as if that personal representative were the Individual. The Firm will verify the identity and authority of a person or entity that requests access to PHI and who will be recognized as personal representatives.
K. Right to Request Privacy Restrictions. In accordance with the HIPAA Privacy Regulations and these Policies, the Firm will respect any requests for privacy restrictions granted by the applicable Covered Entity and shall refer any requests received by the Firm to the Covered Entity or Business Associate client in accordance with the terms of the applicable Business Associate Agreement.
L. Requests for Confidential or Alternative Communications. The Firm, in its role as a Business Associate, recognizes an Individual’s right to request that a Covered Entity and its Business Associates communicate with that Individual about his or her PHI only in the manner and at the location that the Individual requests. For instance, an Individual may wish to be contacted about his or her PHI only at work or by mail sent to a specific address. The Firm will reasonably accommodate such requests, to the extent such requests have been granted by the applicable Covered Entity, in accordance with the terms of the applicable Business Associate Agreement.
M. Access to Records. The Firm shall process a request to access, inspect, and/or obtain a copy of certain PHI maintained by the Firm, if the request is made by a Covered Entity or Business Associate client in response to a request from an Individual or his or her authorized representative. The Firm will respond to such request in accordance with the terms of the applicable Business Associate Agreement.
N. Requests for Amendments. The Firm recognizes an Individual’s right to request that the applicable Covered Entity and its Business Associates including, but not limited to, the Firm, amend his or her PHI that is maintained in a Designated Record Set. Such requests may be subject to the Covered Entity’s denial, in accordance with applicable law. The Firm will defer to the Covered Entity regarding the denial or acceptance of a request for amendment unless stated otherwise in the applicable Business Associate Agreement.
O. Accounting of Disclosures. It is the Firm’s policy to provide to a Covered Entity upon its receipt of a request from Individuals, a timely accounting of certain disclosures of an Individual’s PHI as required by law. The Firm shall maintain all information required by law to prepare and provide such an accounting when requested and in accordance with the applicable Business Associate Agreement.
P. Mitigation. The Firm is committed to complying with HIPAA and other applicable legal requirements regarding the mitigation, to the extent known by the Firm, of the harmful effects of the improper use or disclosure of PHI.
Q. Records Management. The Firm will retain all required HIPAA Privacy Regulations documentation for at least six (6) years, maintain appropriate storage facilities to protect documentation containing PHI or ePHI and establish appropriate procedures for destruction of records.
R. Disclosures to the Secretary. The Firm will provide the Secretary with copies and/or access to records in such time and manner required by HIPAA Privacy Regulations and as requested by the Secretary. The Firm will cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the Firm’s HIPAA policies, procedures, or practices.