HIPAA/PHI Policy

PredictBGL eliminates concerns regarding the transfer of protected health information (PHI), as all data stored in and transferred through PredictBGL follows the “Safe Harbor” de-identification standard.

In addition to HIPAA-compliant policies for data storage and handling, the following procedures are in place to ensure HIPAA compliance:

  1. All PredictBGL employees and contractors receive annual HIPAA Business Associate training and certification.
  2. PredictBGL web-based applications receive annual internal HIPAA audits.

Client Data Policies

Client Data includes data stored by Clients in PredictBGL applications, information about a Client’s usage of the application, data instances in the CRM system that we have access to, or data that the Client has supplied to use for support or implementation. Here are the special considerations we take into account when managing Client Data:

  1. Client Data is not to be disclosed outside of PredictBGL, except to the Client who owns the data or to a Partner who has been contracted by the Client to manage or support their account.
  2. Client Data should only be shared using a secure sending method. Approved sending and sharing methods include Dropbox, Google Drive, emailing of encrypted files or use of a Client-provided secure transfer method.
  3. Client Data should only be stored outside of the PredictBGL Application temporarily, if at all. If there is a need to archive Client Data (for example, data provided by a Client during implementation or training), the data should be stored on a central file server and deleted from any personal computers. This includes report exports, contact lists, presentations that contain Client information, and Client agreements.
  4. Client Data should only be accessed on a need-to-know basis. Specifically, a Client’s account should only be accessed to provide support, troubleshoot a problem with that account, or for supporting the system as a whole.
  5. Client Data should never be changed except with the explicit permission of the Client, with the exception of repairing data quality issues.

PHI Handling Policy

All PredictBGL staff members are made aware of relevant external regulations as part of their induction process, and all staff who may come into contact with PHI are trained in our PHI handling processes.

PredictBGL anonymizes PHI upon receipt and destroys the original except in exceptional circumstances. Where anonymization is not possible (for example, for technical reasons, where a product problem can only be recreated using PHI, or where the Client specifies that the data cannot be anonymized, e.g. if we are investigating a problem on a Client’s workstation), access to the data is restricted and the data is destroyed or returned to the Client as soon as it is no longer needed. Under no circumstances should identified data be added to the company dataset library.

PredictBGL expects professional integrity of our collaborators, Clients and partners providing PHI to us and will assume that they have obtained the data subject’s consent to use their data in this way.

Where a Business Associate agreement or similar contract relating to PHI is in place, PredictBGL staff members work under the terms of that agreement. Where no such agreement exists, the PredictBGL PHI handling policy and process are followed.

PredictBGL conducts periodic internal audits on compliance with this policy.

Last Modified: 4-Feb-2014