HIPAA Privacy Policy | FSHD Medical Education Portal

1. SECTION 1 – RESPONSIBILITIES AND OVERVIEW

1.1 Introduction

1.1.1 FSHD Global Research Foundation Limited (ABN 79 128 037 614) (FSHD) operates website www.fshdmedicaleducationportal.org (the Site).
1.1.2 FSHD is an Australian not-for-profit organisation dedicated to finding a treatment and cure for Facioscapulohumeral Dystrophy.
1.1.3 FSHD has been formed for the sole purpose of funding medical research projects for Facioscapulohumeral Dystrophy.
1.1.4 FSHD has developed a Medical Education Portal, being the Site, for the purpose of educating individuals and families that are affected by FSHD on the latest global research news that FSHD considers relevant to finding a cure for FSHD, to provide education on the changes in medical research and how you or family can access this information. The Site will also provide a mechanism by which you can express your desire to voluntarily participate in future clinical trials and will detail the prerequisite steps required to be met to be considered for such trials.
1.1.5 FSHD needs to gather and use certain information about individuals for the purposes of the Site.
1.1.6 This can include, however is not limited to personal, sensitive and health information that enables FSHD to carry out necessary research.
1.1.7 The handling of personal information within the United States of America is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its related regulations.
1.1.8 FSHD respects and upholds your right to privacy protection under the law, including HIPAA.
1.1.9 This Data Protection & Privacy Policy (this policy) is designed to facilitate the understanding of how FSHD collects, uses, discloses and/or processes your personal information as well as to assist you in making an informed decision before providing us with your personal information.
1.1.10 This policy covers the management of all protected health information (PHI) at FSHD no matter how it is collected or stored.
1.1.11 HIPAA defines “protected health information or PHI” as:
(a) information that is created or received by FSHD and relates to the past, present, or future physical or mental health condition of a patient/client (“participant”);
(b) the provision of health care to a participant; or
(c) the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. PHI includes information of persons living or deceased.
1.1.12 Examples of PHI include but are not limited to:
(a) participant’s medical record number;
(b) participant’s demographic information, i.e. address, telephone number;
(c) information doctors, nurses and other health care providers put in a participant’s medical record;
(d) images of the participant;
(e) any health information that can lead to the identity of an individual or the contents of the information can be used to make a reasonable assumption as to the identity of the individual.
1.1.13 It is FSHD’s policy to fully comply with HIPAA’s legislative requirements and all relevant regulations which govern the way it collects, uses, discloses, holds and processes your personal information.
1.1.14 This policy is applicable to:
(a) any external providers and contractors contracted by FSHD who may collect, access, use, disclose or manage PHI relating to participants or any other individual whose information may be collected; and
(b) FSHD offshore partners regarding FSHD activities.
1.1.15 This policy is applicable to all FSHD staff members who have access to PHI including employees, volunteers, interns, board members and other persons whose work performance is under the direct control of FSHD, whether or not they are paid by FSHD. Any reference to an employee includes all these types of workers.
1.1.16 From time to time, the Site may contain links to other sites of interest. FSHD does not control and is not responsible for, the content or privacy practices of those websites. Please read the privacy policies of those other websites before you provide any personal information to them.
1.1.17 No third-party rights (including but not limited to rights of participants, beneficiaries, covered dependents, or business associates) are intended to created by this policy.
1.1.18 FSHD reserves the right to amend or change this policy at any time (an even retroactively) without notice.
1.1.19 To use the Site, you must agree to this policy. You may not use the Site if you do not accept this policy as it forms part of FSHD’s terms and conditions of service.

1.2 Definitions

1.2.1 In this policy, unless otherwise indicated by the context:

(a) “Business Associate” has the meaning given to it in clause 2.2.2(a). (b) “de-identified information” has the meaning given to it in clause 2.3.2. (c) “FSHD” means FSHD Global Research Foundation Limited (ABN 79 128 037 614).

(d) “PJ Lab” means Peter Jones and Takako Jones Lab forming part of the University of Nevada, Reno School of Medicine.

(e) “PHI” has the meaning given to it in clause 1.1.11.

(f) “Saliva Research Test” means the method of collecting DNA through a person’s saliva for genetic testing for the purposes of research into a treatment and cure for Facioscapulohumeral Dystrophy.

(g) “Saliva Research Test Kit” means the kit issued by FSHD to you and identified in clauses 2.5 and 3.4 for the purposes of conducting the Saliva Research Test.

1.3 Privacy Officer

1.3.1 FSHD’s Privacy Officer is responsible for the development and implementation of policies and procedures relating to privacy including this policy, updating such policies and procedures, conducting regular staff training, receiving and responding to questions out FSHD’s privacy policies, handling complaints, maintaining records and responding to any data breaches that occur.

1.3.2 The Privacy Officer can be contacted as follows:
The Privacy Officer
FSHD Global Research
PO Box A296, Sydney South NSW 1235
Sydney NSW 2000
Email: admin@fshdglobal.org

1.4 Safeguards

1.4.1 FSHD has established safeguards to protect the PHI it holds from loss, misuse, interference as well as unauthorised access, modification or disclosure, in breach of the HIPPA requirements. Safeguards include:
(a) ongoing training;
(b) locking of doors and cabinets where PHI is physically stored;
(c) implementation of and regular reviews of internal practices, procedures and systems;
(d) keeping employee access and authorisation up-to-date including secure and strong passwords and individual logins; and
(e) ensuring all devices, virtual private networks and firewalls have necessary updates and the most recent security patches (including to operating systems and antivirus software); and
(f) implementation of multi-factor authentication for remote access systems and resources (including cloud services).

1.4.2 PHI collected is stored:
(a) electronically within an external internet-based server and also an internal server as back up; and
(b) PHI is stored within a password secure CRM program.

1.4.3 PHI collected by FSHD is only accessible by authorised staff members and contractors who may require access in connection with the purposes described in this policy.

1.4.4 FSHD uses a range of hardware and software security measures to protect its information and your PHI.

1.5 Access Authorisation

1.5.1 FSHD grants access to employees based on their employment duties and responsibilities.

1.5.2 The Privacy Officer in collaboration with FSHD’s Chief Executive Officer (CEO) is responsible for determining which individuals require access to PHI and the level of access they require. In the case of employees, access will be limited to senior management. This is determined on a case by case basis.

1.5.3 Once a determination is made in respect of an employee’s authorisation access, FSHD’s CEO, who also acts as FSHD’s internal information technology manager will impose the approved authorisation access levels.

1.5.4 Employees and/or contractors who are authorised to access PHI in accordance with this clause 1.5 will be managed by FSHD’s Chairperson and/or CEO.

2. SECTION 2 – USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION (PHI)

2.1 Access to PHI is limited to certain employees

2.1.1 FSHD has a detailed policy and set of procedures to ensure that only authorised personnel have access to your PHI and that your PHI remains confidential and is only used for appropriate purposes and in accordance with this policy.
2.1.2 FSHD employees and contractors have their own login credentials which are not shared amongst colleagues or third parties.
2.1.3 Employees and contractors of FSHD are only permitted to access, use and/disclose PHI as required under HIPAA and the PHI disclosed must be limited to the minimum amount necessary to perform their employment and/or contractual obligations to FSHD.
2.1.4 Any employees and contractors of FSHD who are required to access, use and/disclose PHI in accordance with clause 2.1.1 are restricted to those employees and/or contractors that are:
(a) approved and authorized in accordance with the procedures set out in clause 1.5 of this policy;
(b) in senior management roles / positions within FSHD; and
(c) must only access, use and/or disclose PHI in accordance with thispolicy.
2.1.5 Employees with access may not use or disclose PHI unless the use and/or disclosure complies with this policy and the provisions of HIPAA.
2.1.6 Staff members may not access, either through FSHD’s information systems or the participant’s medical record, any information for themselves, family members, friends, other staff members or other individuals for personal or other non-work related purposes, even if the appropriate authorisation has been provided.
2.1.7 In the unlikely event that a staff member is required to access, use or disclose PHI of a family member, another staff member or an individual personally known to them during the course of their job responsibilities, the staff member must immediately notify their manager who will determine whether the task should be assigned to a different staff member.
2.1.8 In the event a staff member requires access to their own PHI, they must do so in the same manner as other participants, which may include contacting the Privacy Officer.
2.1.9 Authorised employees of FSHD and/or contractors who provide services in relation to its information systems including the development and maintenance of the Site and any associated cloud computing will have access to internal and external information technology servers which may, from time to time, include access to PHI. Such employees and contractors are not authorised to use and/or disclose PSHI to any third party without the prior written consent of FSHD, such consent to be determined by FSHD in its sole and absolute discretion.

2.2 Use and Disclosure of PHI

2.2.1 For the purposes of this clause 2.2, these words have the following meanings:

(a) “use” means the sharing, employment, application, utilization, examination or analysis of individually identifiable health information by any person working for or within FSHD, or a Business Associate of FSHD.

MADISON MARCUS LAW FIRM

(b) “disclosure” means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within FSHD’s business.

2.2.2 Disclosures of PHI to Business Associates

(a) For the purposes of this clause 2.2.2, a “business associate” is an entity that:

(i) performs or assists in performing a FSHD business function or activity involving the use and disclosure of PHI (including claims processing or administration, data analysis, underwriting, etc); or

(ii) provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation or financial services, where the performance of such services involves giving the service provider access to PHI.

Examples of Business Associates include:

▪ a third-party administrator that assists FSHD with carrying out its objectives;

▪ a CPA firm whose accounting services toa health care provider involves access to PHI;

▪ an attorney whose legal services involve access to PHI.

(b) With the approval of the Privacy Officer and in compliance with HIPAA and this policy, employees may disclose PHI to FSHD’s business associates and permit FSHD’s Business Associates to create or receive PHI on its behalf.

(i) FSHD obtains the assurances from the business associate that it will appropriately safeguard the PHI; and

(ii) the Privacy Officer has verified that a business associate contract in place between FSHD and the business associate.

2.3 Disclosures of De-Identified Information

2.3.1 FSHD may freely use and disclose de-identified information.

2.3.2 For the purposes of this clause 2.3, “de-identified information” is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. FSHD is required to destroy or de-identify PHI once it no longer requires such information for a primary or secondary purpose.

2.3.3 There are two ways that health information is deemed de-identified, that is by: (a) professional statistical analysis; or
(b) removing 18 specific identifiers.

2.3.4 The 18 specific identifiers referred to in clause 2.3.3(b) and which are outlined below, relating to the participant, employee, relatives, or employer must be removed and FSHD must ascertain there is no other available information that could be used alone or in combination to identify an individual:
(1) Names;
(2) Geographic subdivisions smaller than a state
(3) All elements of dates (except year) related to an individual, including any dates of admission, discharge, birth, death and for persons over 89 years of age, the year of birth must also be removed;
(4) Telephone numbers;
(5) Facsimile (fax) numbers;
(6) Electronic mail addresses (emails);
(7) Social Security Number;
(8) Medical Record numbers;
(9) Health plan beneficiary numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers including license plates;
(13) Device identifiers and serial numbers;
(14) Web URLs;
(15) Internet protocol addresses;
(16) Biometric identifiers, including finger and voice prints;
(17) Full face photos, and comparable images; and
(18) Any unique identifying number, characteristic or code.

2.3.5 When determining whether PHI has been de-identified, the person:
(a) tasked with this responsibility must have appropriate expertise; and
(b) must determine that the risk is very small that the information could be used alone or in combination with other reasonably available information by an anticipated recipient to identify the individual; and
(c) must document the methods undertaken by them in coming to the determination and the reason or justification for coming to that determination.

2.3.6 If there is any risk that PHI has not been de-identified correctly and adequately, such information shall be deemed PHI and FSHD shall only use and/or disclose the PHI in accordance with the HIPAA requirements and this policy.

2.4 Removing PHI from FSHD Premises

2.4.1 If FSHD deems it necessary for an employee or contractor to work from a location other than an official FSHD site or place of business, PHI may be accessed and/or removed under the following circumstances:
(a) approval is obtained from a manager/supervisor prior to accessing or removing PHI;
(b) remote working conditions imposed by the Federal and/or State governments due to the COVID-19 pandemic;
(c) if attending external meetings / conferences where access to PHI is required, such access shall only occur through FSHD’s IT system;
(d) delivery of PHI from FSHD business premises to third party premises for the purposes of carrying out the objectives of FSHD and in the particular, the Portal must be transported in a secure lock box or carry case;
(e) the electronic removal of PHI (using flash drives) must be approved in advance by a manager/supervisor and the FSHD’s IT department. The flash drive must be password protected and the PHI files contained on the flash drive should be encrypted.

2.4.2 All FSHD employees and contractors are required to abide by the following safeguards when accessing, using or disclosing PHI whilst working from a location other than an official FSHD site or place of business:
(a) take all reasonable steps to keep PHI secure;
(b) when working remotely, only work on PHI in a secure and private environment; (c) keep the information with you at all times while in transit;
(d) when leaving your computer or laptop unattended for any period of time, ensure that it is locked with a secure and strong password;
(e) do not permit any other individual to access the PHI under any circumstance;
(f) only using FSHD IT platforms in carrying out employment and contractor duties/obligations including not saving work related documents or information to your personal computer, electronic and mobile devices;

2.5 Sharing of PHI with PJ Labs

2.5.1 When registering on the Site, you will be asked to complete an ‘About You’ questionnaire (the Questionnaire). Your responses to the Questionnaire and any PHI contained within those responses will be held by us in accordance with this policy.

2.5.2 During the Questionnaire process referred to in clause 2.5.1, you will be asked whether you wish to participate in a Saliva Research Test. If you choose and consent to providing a Saliva Research Test, you must complete additional questions to proceed (Saliva Research Test Questions). Your responses to the additional questions and any PHI contained within those responses will be held by us in accordance with this policy.

2.5.3 By answering the Questionnaire and the Saliva Research Test Questions, you consent to FSHD:
(a) sending a Saliva Research Testing Kit to your residential address by post; and
(b) providing your contact information, including but not limited to your full name, email address, date of birth and country of origin to PJ Labs to notify PJ Labs that a Saliva Research Testing Kit has been issued to you by FSHD.

2.5.4 Your contact information referred to in clause 2.5.3(b) will be sent by FSHD to PJ Labs by email.

2.5.5 You acknowledge that:
(a) you are responsible for posting the Saliva Research Testing Kit containing your saliva sample to PJ Labs at your own cost;
(b) PJ Labs will assess the saliva sample / DNA and prepare a report; and
(c) PJ Labs will send the report to you directly to the email address provided by you as part of the Questionnaire and/or Saliva Research Test Questions.

2.5.6 FSHD is in no way responsible or liable for PJ Labs issuing your report to an unrelated third party. By accepting this policy, you hold FSHD harmless against any loss or damage suffered by you as a result of your report being issued by PJ Labs to an individual or organisation, other than yourself or contrary to your directions.

3. SECTION 3 – YOUR RIGHTS

3.1 Requests for access to and amendment of PHI

3.1.1 You have a general right to access your PHI collected and stored by FSHD and it’s Business Associates in accordance with this policy.

3.1.2 Registered users of the Site may access and update their PHI from time to time using their personal login on the Site. You have the right to correct PHI that FSHD holds about you.

3.1.3 FSHD may refuse the right for users to access their information that is subject to any legal restrictions.

3.1.4 If there are any aspects of your personal information that cannot be updated directly by you or that you are unable to access, then you can request access and correction of your personal information by completing a “Request to Access and/or Correct PHI Form” and submitting it to the Privacy Officer by post and/or email. The Form can be obtained by contacting the Privacy Officer.

3.1.5 A request to access and/or correct PHI must be made only in writing by the person to which the PHI relates or by a person who is duly authorised in writing by such person to act on their behalf, for example, a legal guardian or authorised agent.

3.1.6 FSHD reserves the right to request from you and/or a person authorised by you, information and/or documentation to verify identity. Such information/documentation may include:
(a) name and contact details;
(b) copies of photo identification;
(c) if your signature is held by FSHD, a formal document containing your signature; (d) reason for access/correction; and
(e) a written authorisation from you to FSHD.

3.2 Request for restrictions on uses and disclosures of PHI

3.2.1 You may request restrictions on the use and disclosure of your own PHI. Such requests must be made in writing to the Privacy Officer.

3.2.2 The Privacy Officer will consider the request for restriction and attempt to honor such requests, if, in the sole and absolute discretion of the Privacy Officer acting on behalf of FSHD, considers the request is reasonable in the circumstances. The Privacy Officer’s decision will be communicated to you in writing.

3.3 Requests for a copy of his/her Record

3.3.1 A participant can request a copy of their health information by completing a “Request for Copy of PHI Form” and submitting it to the Privacy Officer by post and/or email. The Form can be obtained by contacting the Privacy Officer.

3.4 Sharing of results from saliva test – consent and rights

3.4.1 You are not obligated to share with or provide a copy of the results from your saliva test referred to in clause 2.5 to FSHD.

3.4.2 If you voluntarily decide to share or provide a copy of the results from your Saliva Research Test to FSHD, you must do so by logging into your personal login on the Site and uploading a copy of your Saliva Research Test results to the designated area within your login. You acknowledge that the cost of sharing or providing a copy of your results to FSHD shall be borne by you and FSHD shall not be liable to reimburse you.

3.4.3 You acknowledge that if you voluntarily decide to share your Saliva Research Test results as outlined in clause 3.4.2, you will automatically become a member of the “FSHD Medical Research & Clinical Trial Readiness Program”, without requiring you to acknowledge or accept your membership.

3.4.4 You accept full responsibility for uploading your results to your personal login and ensuring your results are uploaded correctly and are accessible by FSHD.

3.4.5 If your results are not received by FSHD or are received by an unintended recipient, that is, any recipient other than FSHD, you agree and acknowledge that you shall hold FSHD harmless against any cause of action against FSHD for any loss or damage suffered by you as a result.

3.4.6 FSHD will hold your Saliva Research Test results as uploaded by you in accordance with clause 3.4.2 in its secure cloud together with your other PHI and otherwise in accordance with this policy.

3.4.7 In the event that your Saliva Research Test results are required to be used and/or disclosed by FSHD, FSHD shall only do so after such test results are de-identified and the use and/or disclosure of the de-identified data is in accordance with this policy.

3.4.8 By voluntarily providing your saliva test results to FSHD in accordance with this clause 3.4, you consent to FSHD disclosing:
(a) disclosing the de-identified data with research laboratories conducting research into a treatment and cure for Facioscapulohumeral Dystrophy; and
(b) connecting you to the research laboratories when clinical trials become available.

3.4.9 You may at any time prior to the de-identification process being completed by FSHD, request FSHD to destroy your saliva test results. By accepting this policy, you acknowledge that once the de-identification process has been completed by FSHD, any request by you to destroy your saliva test results may be impractical or impossible for FSHD to action.

Privacy Policy – HIPAA

Table of Contents