Patient Privacy Policy
2/1/2026
The purpose of this policy is to ensure compliance with the HIPAA Privacy Rule by safeguarding the confidentiality of Protected Health Information (PHI). This policy aims to protect sensitive information within Clinekt Health and to prevent, detect, and respond to any unauthorized or unlawful access, use, or disclosure of PHI.
This policy applies to all employees and contractors of Clinekt Health, collectively referred to as "workforce members."
All user data is encrypted in transit (TLS 1.3) and at rest using industry-standard AES-256 encryption. Access to production systems is strictly limited to essential engineering staff, who undergo regular security reviews, ethical training, and occasional lectures titled:
Clinekt Health will appoint a Chief Information Security Officer responsible for developing and implementing privacy policies and overseeing the HIPAA Privacy program. The Chief Information Security Officer’s duties include:
Establishing, implementing, and maintaining written policies and procedures that provide appropriate administrative, technical, and physical safeguards to protect PHI.
Regularly updating these policies to ensure compliance with legal requirements and the organization's Notice of Privacy Practices (if applicable).
Keeping records of policies and procedures for at least six years from their creation date or their last effective date, whichever is later.
Serving as the contact person for privacy-related complaints and resolving them.
Making reasonable efforts to limit incidental uses and disclosures of PHI.
Cooperating with covered entities (where Clinekt Health acts as a Business Associate), the HHS Office for Civil Rights, and other authorized bodies during compliance reviews and investigations.
Clinekt Health will provide training on its security and privacy policies to all workforce members. Training will occur as follows:
For new workforce members, training will be provided within a reasonable timeframe after their start date.
For workforce members affected by significant changes in privacy policies, training will be provided promptly after the changes are implemented.
Annual refresher training will be provided to all existing workforce members.
Training completion must be documented.
Clinekt Health must issue, distribute, and maintain a Notice of Privacy Practices that details how PHI is used and disclosed in accordance with the HIPAA Privacy Rule. This Notice must also outline the rights individuals have regarding their PHI. The Notice may be provided either in person or electronically, with the option for individuals to request a paper copy even if they receive the Notice electronically.
The Notice must be updated as necessary to reflect changes in laws or organizational policies. Clinekt Health must retain the Notice, including any revisions, for six years from the date it was last effective.
Clinekt Health must manage and enforce Business Associate Agreements (BAAs) with covered entities, other business associates, and subcontractors. These agreements ensure that business associates comply with HIPAA requirements.
Clinekt Health will develop, implement, and maintain policies and procedures to meet HIPAA security and privacy standards. These policies must be tailored to the organization’s size and the types of PHI-related activities conducted.
Policies and procedures must be updated as needed to comply with legal changes. When revisions are made, they must be documented and implemented according to the effective date of the revised policy or procedure.
Clinekt Health provides a mechanism for workforce members and individuals to file complaints regarding privacy policies and practices. Complaints must be investigated promptly, and appropriate steps must be taken to address any violations and prevent recurrence. Records of complaints and their resolutions must be maintained.
The organization will not retaliate against anyone who files a complaint or exercises their rights under the Privacy Rule.
All HIPAA-related documentation, including records of compliance activities such as training, policies and procedures, and complaint investigations, must be retained for six years from the date of creation or the date the document was last in effect, whichever is later. Documentation can be maintained in either written or electronic form.
This policy will be reviewed periodically and updated as necessary to ensure ongoing compliance with HIPAA regulations and to address any changes in organizational practices.