Gaine Solutions

Data Privacy Policy

Your privacy is very important to us.

Please contact us with any questions, comments, or concerns that you may have regarding this privacy policy or Gaine practices in general.

V. 0.9

All information contained herein is highly confidential and the exclusive property of Gaine Solutions Inc. This information should not be copied or replicated in any way without express written authorization.

 

1 Overview

 Data privacy is a critical component of Gaine operations.  The protection and management of the various types of employee and client Personally Identifiable Information (PII) is critical to Gaine operations.  Gaine computer systems and related devices collect and record data as required for business operation, management, and reporting purposes.  This key information should never be disclosed to unauthorized individuals.

 

2  Purpose

This policy establishes general privacy requirements for information captured or generated by Gaine operations, systems, network devices, or communications. This includes systems and devices involved in the transmission and storage of voice data.  The policy further delimits conditions where PII may be disclosed.

 

3  Scope

This policy applies to all Gaine staff who create, deploy, or support Gaine-gathered or processed information.

 

4  Policy

  • Gaine ensures the public has access to information about the organization’s security and privacy activities and is able to communicate with its senior security official and senior privacy official.
    1. Gaine’s HR department will ensure this document is made available on Gaine’s website.
  • Gaine ensures that guidelines are issued by the organization on the ownership, classification, retention, storage, handling and disposal of all records and information.
    1. See section 1.7 of the IPP for classification
    2. See section 11 of the IPP for retention
    3. See section 12 of the IPP for disposal
    4. See sections 3.4, 7, 8, 9 for handling and storage
  • Gaine ensures that designated senior management within the organization reviews and approves the security categorizations and associated guidelines.
    1. Gaine’s CISO and CTO are responsible for reviewing the security categorizations and associated guidelines. Reviews will take place annually; the meetings will detail changes to the security categorizations and updates to business structure. The CISO in conjunction with the CTO will approve the changes.
  • Gaine ensures that it has formally appointed a qualified data protection officer, reporting to senior management, and who is directly and fully responsible for the privacy of covered information.
    1. See section 1.5 of the IPP
  • Gaine ensures that records with sensitive personal information are protected during transfer to organizations lawfully collecting such information.
    1. Gaine’s IT department shall ensure that encryption is used to transfer the information; at minimum, AES 256-bit.
  • Gaine ensures that covered information storage is kept to a minimum.
    1. Gaine’s development department will ensure that only the needed amount of covered information is retained by communicating with the clients to verify that the identifiable fields are still usable. The development department will create policies PER client that detail which information must be kept in order to maintain mastered data.
  • Gaine will specify where covered information can be stored.
    1. Gaine will only store covered information in Microsoft’s Azure cloud environment. See section 7.1 of the IPP regarding data encryption protection.
  • Gaine ensures that when required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization.

 

A.    GENERAL STATEMENT OF CLIENT DATA PRIVACY

Gaine’s policy surrounding data privacy falls into three broad classifications protecting information gathered to manage and deliver services to employees, clients, and governments.  This policy is broken into three separate sections – general network data, client data (PII, PHI) and employee information.

Using data effectively and responsibly is foundational to security of such data. The Health Insurance Portability and Accountability Act as well as the NIST framework and other state or federal laws establish baseline parameters for what is permissible when sharing client PII or PHI.

Gaine uses additional guidelines and strict processes to protect the privacy of every employee and client to ensure the confidentiality and security of all PII or PHI collected and managed.

 

B.   GENERAL NETWORK DATA

In the course of normal network operations, computer systems, voice systems, access control systems, and network devices generate and track logging data, source and destination internet protocol (IP) addresses, session times, port numbers, file sizes, etc. (referenced as Network Data).

  • Network Data Policy – Gaine treats all network data as confidential information. This information may be obtained, stored, and reported for legitimate business, compliance and audit purposes but shall not be exposed to unauthorized individuals except as specifically discussed in this policy.
    • Network data may be disclosed under the following conditions. Requests shall be authorized by Gaine’s chief information security officer (CISO) or their designee.
  • Network Operational Viability – Network data may be released under the following situations:
    • Network performance monitoring or troubleshooting
    • Security incident analysis and remediation
    • Audit, group policy, and security log management and analysis
    • Litigation holds and requests
    • Copying, archiving, or otherwise preserving portions of any messages transmitted over the network in the course of business or maintenance
  • Legal or Gaine Policy Analysis – Network data may be released to appropriate authorities to indicate the presence of activities that violate internal policies, federal or state law. These requests shall be in response to legal discovery or court requests.
  • Network Security Threats – All relevant data, protocol, logs, and user information may be released as part of incident and breach analysis and remediation. Gaine shall investigate and remediate possible network security threats by means of capture, logging, and examination of files, communications, and other traffic and transmissions over or on the network.
  • Network Data Requests – All requests to retrieve and share network data must be submitted to Gaine’s CISO or their designee. Any litigation and legal requests require confirmation by both the CTO and CISO. Such requests shall include:
    • Name and role of the requestor.
    • Reason for the request, in accordance with the principles set forth in this policy.
    • Intended use of the requested data.
    • Any network data intentionally shared with third parties must be sanitized and redacted to preserve the anonymity of network users unless that data is used directly in legal discovery or authorized by general counsel and the CTO. Requests shall be documented and stored as part of the implementation of this policy.

 

C.   EMPLOYEE DATA

All employee data is treated as confidential and private.  No employee related information shall be released or disclosed without the express approval of the CTO and Gaine’s head of HR.

Employee Data Policy – Gaine treats all employee data as private and confidential information.  This information may be obtained, stored, and reviewed for legitimate business purposes related to personnel employment, compliance, and audit purposes but shall not be exposed to unauthorized individuals, agencies, or external sources except as specifically discussed in this policy.

Requests shall be authorized by the HR department in concert with the CISO when electronic records are involved. Data shall be disclosed only under the following conditions and employees shall be informed of such activity prior to release:

  • Employee Performance or Transitions – Employee work data may be released under the following situations:
    • Security incident analysis and remediation
    • Litigation holds and requests
    • Personnel transitions involving email and work products
    • Restoration or otherwise preserving portions of messages transmitted over the network in the course of business.
  • Legal or Agency Disciplinary Analysis – Employee data may be released to appropriate authorities to indicate the presence of activities that violate internal policies, federal or state law. These requests shall be in response to internal policy incidents, personnel management, legal discovery, or court requests.
  • Network or Agency Security Threats – All relevant data, protocol, logs and user information may be released as part of incident and breach analysis and remediation. Gaine shall investigate and remediate possible network security threats by means of capture, logging, and examination of files, communications, and other traffic and transmissions over or on the network including all employee communications and component activities relevant to the incident or breach.
  • Employee Data Requests – All requests to retrieve and share employee data must be submitted through Gaine’s HR department. Any litigation and legal requests require confirmation by executive management including at a minimum the CTO. Such requests shall include:
    • Name and role of the requestor.
    • Reason for the request, in accordance with the principles set forth in this policy.
    • Intended use of the requested data and whether this information will be used as part of a personnel action.
    • Employee notification of the event unless barred due to legal or disciplinary investigation. In all circumstances, employees shall be notified if information is placed in their permanent files related to an incident or discovery request.

Any employee network data intentionally shared with third parties shall be sanitized and redacted to preserve the anonymity of the employee unless that data is used directly in legal discovery or authorized by Gaine General Counsel and CTO.  Requests shall be documented and stored as part of the implementation of this policy.

 

D.   CLIENT PHI AND PII

All client PII and PHI is confidential and private. Gaine client data privacy procedures adhere to the guidelines set forth in applicable federal and state law and include additional safeguards as follows:

  • Formal information security policy
  • Security and privacy policies
  • Policy review and revision by national experts and advisors
  • Specific liability language and support in vendor contracts/agreements around client data privacy, data breaches, appropriate uses and disclosure of client data, and termination/penalties for non-compliance.
  • Annual HITRUST compliance audits
  • All PII and PHI releases shall require the express approval of the CTO and CISO.

Client Data Policy – Gaine treats all client PII, PHI as private and confidential information.  This information may be obtained, stored, and reviewed for legitimate business purposes related to client development, accounting, contract services, operations, compliance and audit purposes but shall not be exposed to unauthorized individuals, agencies or external sources except as specifically discussed in this policy.

Client data may only be collected and utilized when meeting the express business needs of the company and as mandated by state and federal law. It shall not be disclosed to any party unless they are designated as the data owner, or an “Authorized Representative” pursuant to federal HIPAA guidelines acting in the best interests of the client.  All record release requests shall be authorized by the CISO. PII, PHI shall be disclosed only under the following conditions and clients shall be informed of such activity prior to release:

  • Aggregated (Summary and De-Identified) Client Data including but not limited to:
    • Client and Internal Development Reports
    • Program evaluation and measurement
    • Client and Gaine Improvement Plans
    • Client reporting
    • Audit reporting
  • Legal or Gaine Disciplinary Analysis – Client PII, PHI may be released to appropriate authorities to indicate the presence of activities that violate Gaine policies or federal/state law. These requests shall be in response to documented policy incidents, legal discovery, or judiciary requests.
  • Network or Gaine Security Threats – All relevant data, protocol, logs and client information may be released as part of incident and breach analysis and remediation. Gaine shall investigate and remediate possible network security threats by means of capture, logging, and examination of files, communications, and other traffic and transmissions over or on the network including all client communications and component network activities relevant to the incident or breach as stipulated in the incident response program.
  • Client consent for disclosure of data (email, fax, or otherwise communicated) will be obtained by Gaine’s project managers. Project managers will send requests via email explicitly asking for the right to disseminate.
  • Client Data Requests – All requests to retrieve and share client data must be submitted to the CTO through the CISO. Any litigation and legal requests require confirmation by executive management. Such requests shall include:
    • Name and role of the requestor.
    • Reason for the request, in accordance with the principles set forth in this policy.
    • Intended use of the requested data and whether this information will be used as part of a personnel action.
    • Parental notification of the event (unless explicitly barred due to legal or disciplinary investigation) shall be made. In all circumstances, parents shall be notified when individual educational record requests are made that are not bound by legal constraints.

No client data shall be intentionally shared with third parties outside of legally compliant activities. All client data requests shall be documented and stored as part of this policy.

 

5  Audit Controls and Management

On-demand documented procedures and evidence of practice should be in place for this operational policy as part of Gaine operations.  Examples of audit control and evidence include:

  • Process, authorizations, and documentation for PII, PHI requests
  • Historical evidence or organizational compliance
  • Procedures for executing legal holds, chain of command, and discovery requests

 

6  Enforcement

Staff members found in policy violation may be subject to disciplinary action, up to and including termination.

 

7  Distribution

This policy is to be distributed to all Gaine staff and made available to the public through Gaine’s website.

 

We reserve the right to make changes to this policy. Any changes to this policy will be posted.
