myBAMSI Privacy Notice
Effective Date: December 16, 2024
Purpose
This policy governs the use of BAMSI’s intranet (“myBAMSI”), particularly in handling Protected Health Information (PHI) and Personally Identifiable Information (PII). It ensures compliance with applicable federal and Massachusetts state laws, including:
- Health Insurance Portability and Accountability Act (HIPAA)
- 42 CFR Part 2 (Confidentiality of Substance Use Disorder Records)
- Family Educational Rights and Privacy Act (FERPA)
Scope
This policy applies to all employees, volunteers, and contractors who access or use myBAMSI, particularly those who handle PHI, PII, or other sensitive data.
Data Governance
- Types of Data Covered:
  - PHI: Medical records, treatment information, and billing data.
  - PII: Names, addresses, Social Security Numbers, dates of birth, and other identifiers.
  - Educational Records (under FERPA): Educational and other related information.
- Permitted Uses and Disclosures:
  - PHI will only be used or disclosed as permitted under HIPAA (e.g., for treatment, payment, or healthcare operations).
  - PII will only be accessed by authorized personnel for legitimate business purposes.
  - Substance use disorder records protected under 42 CFR Part 2 will not be disclosed without explicit consent or a qualifying court order.
  - Educational records will be handled in compliance with FERPA and only disclosed to authorized parties.
Security and Access Controls
- Access Restrictions:
  - Access to PHI, PII, and other sensitive data is restricted to authorized users based on their job roles.
  - Multi-factor authentication (MFA) is required to access sensitive areas of the intranet.
- Encryption and Storage:
  - All PHI and PII are encrypted at rest and in transit.
  - Backup systems are secured to prevent unauthorized access.
- Audit Trails:
  - User activity on the intranet is logged and audited to detect unauthorized access or breaches.
- Training:
  - All users must complete mandatory training on HIPAA, 42 CFR Part 2, and FERPA compliance before accessing the intranet.
User Responsibilities
- Users must not share login credentials or access the intranet from unsecured devices.
- Users must promptly report any suspected breaches or unauthorized access.
- Users must comply with minimum necessary access requirements, ensuring they access only the data needed for their roles.
- Sensitive data (e.g., PHI or educational records) may only be downloaded or transferred outside the intranet with proper authorization.
Data Sharing and Disclosure
- HIPAA Compliance:
  - Only authorized disclosures for treatment, payment, and operations are permitted.
  - Any unauthorized access or breach will trigger HIPAA’s Breach Notification Rule.
- 42 CFR Part 2 Compliance:
  - Substance use disorder records may only be disclosed with the patient’s written consent or under a court order that meets 42 CFR Part 2 standards.
- FERPA Compliance:
  - Educational records will only be disclosed to authorized parties, and students or their parents (if applicable) can access them.
Third-Party Vendors
All third-party vendors with access to the intranet must sign Business Associate Agreements (BAAs) to ensure compliance with HIPAA and other applicable regulations.
Incident Response and Breach Notifications
- HIPAA Breaches:
  - BAMSI will notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, if required, the media, within the timeframes specified under HIPAA.
- 42 CFR Part 2 Breaches:
  - Breaches involving substance use disorder records will be reported in accordance with Part 2 requirements.
- FERPA Breaches:
  - Any unauthorized disclosure of educational records will be addressed in compliance with FERPA guidelines, including notifications to affected parties.
Data Retention
- PHI will be retained for the minimum time required under HIPAA and Massachusetts law.
- PII and educational records will be retained as applicable laws or company policies require.
- Data will be securely disposed of after the retention period ends.
Use of the Intranet
myBAMSI is provided solely for operational purposes, such as accessing policies, standard operating procedures, metrics, forms, and other business-related information. Employees, volunteers, and contractors do not have rights to privacy or ownership of any activity conducted on myBAMSI.
- Any privacy concerns or rights related to PII or PHI should be addressed through appropriate BAMSI processes outside the myBAMSI environment since it is not intended to store or process such data.
Monitoring and Privacy Notice
myBAMSI is a BAMSI-owned system provided for business purposes. As such:
- No Expectation of Privacy: Users should have no expectation of privacy when accessing or using the intranet, including files, communications, or data stored, transmitted, or accessed through the system.
- Monitoring: The company reserves the right to monitor, access, and review all intranet activity to ensure compliance with policies, maintain security, and protect proprietary information.
- Compliance with Laws: Any activity monitoring involving sensitive information, such as Protected Health Information (PHI) or Personally Identifiable Information (PII), will comply with applicable regulations, including HIPAA, 42 CFR Part 2, and other relevant laws.
By accessing the intranet, you acknowledge and consent to these terms.
Policy Updates
This policy may be updated to reflect changes in federal or state laws, regulatory guidance, or BAMSI practices. Users will be notified of significant updates.
Contact Information
For questions or concerns about this policy, contact:
Compliance and Privacy Office
BAMSI
10 Christy’s Drive
Brockton, MA 02301
Phone: (508) 580-8700