HIPAA Privacy Policy

About This Document

Fulcrum Digital (here after referred to as the Company) is a Delaware incorporated body corporate with its registered office located at Pune, Maharashtra.

This document records the Privacy Policy of the organization with respect to any Individually Identified Health Information, otherwise referred to as “Protected health Information”,(PHI), received by the Company as part of its business activities from any Covered Entity as defined under Health Insurance Portability and Accountability Act 1996 (HIPAA) and Health Information Technology for Clinical and Economic health Act (HITECH Act).

This Policy is effective from 2021 and is binding on all employees of the Company as well as its Business Associates and Sub Contractors if any. A copy of this Policy is available on our website at fulcrumdigital.com. A copy of the policy is also handed over under an acknowledgement to all employees, Business Associates and Sub Contractors who may potentially have access to any PHI as part of the services rendered by them to the Company.

All Business Associates and Sub Contractors are deemed to have gone through this document and fully understood its contents before they execute the mandatory Business Associate agreement before they commence any work on behalf of the Company.

Where the work of the Business Associate or the Sub Contractor or the Employee does not involve potential or real access to PHI, this privacy policy is considered as a general notice of the requirements that may arise any time during the term of engagement of such business associate, sub-contractor or employee.

This policy also constitutes a Privacy Practice notice to all customers of the Company and Business Partners who may allow us access to PHI transferred by them to us on account of any service rendered or to be rendered by us to them.

Our Privacy Commitment

We value the privacy rights of individuals whose personal information is generated, processed, transmitted or otherwise accessed by the Company or any of its employees of the Company as a part of our activities and are committed to protection of the privacy rights of such individuals as required under the laws of all countries where the Company operates.

In particular, we value the health information privacy rights enjoyed by individuals under HIPAA and HITECH Act and have put in place all administrative, technical, physical and organizational measures to comply with the provisions of the Privacy and Security rules under HIPAA and HITECH Act.

No PHI is either used or disclosed by the Company except as required or as permitted or as authorized by HIPAA or HITECH Act and this policy is strictly binding on all the employees of the Company as well as the business Associates and Sub Contractors.

Sanctions

Any violation of the Privacy or Security Policies of the Company by its employees will attract appropriate sanctions, including termination as per the procedures laid out in the HR Policy.

Any violation of the Privacy or Security Policies of the Company by its Business Associates will attract appropriate penalties, including termination of the contracts.

Changes

We have the right to change our privacy practices and the terms of this notice. If we make a material change to our privacy practices, we will provide to you a revised notice by direct mail or electronically as permitted by applicable law. In all cases, we will post the revised notice on our website. We reserve the right to make any revised or changed notice effective for information we already have and for information that we receive in the future.

Who Can Access PHI

The Company follows a strategic principle whereby, access to PHI is restricted only to such of employees who are required to access the information for the purpose of delivering whatever services are committed to be delivered by us.

Where we have subcontracted part of the work involving PHI to any business associate, we bind the business associate through an appropriate business associate agreement as required under HIPAA and relevant information of such business associate agreement is shared with the business partners who may have a stake in the PHI.

Where a Business Associate is entrusted with the responsibility of dealing with PHI, the Company adopts a policy, where feasible, of disassociating the employees of the Company from accessing PHI even while the Business Associate may be so authorized.

In such cases, some parts of this document may not be applicable since no PHI is handled by the Company.

HIPAA Privacy Compliance Official

The Company has designated the following person as the HIPAA Privacy Compliance Official and will be the nodal officer for implementation of all compliance requirements under HIPAA or HITECH Act:

Data Breach Notification

If any employee of the Company or a Business Associate becomes aware of a potential breach of Privacy of PHI entrusted to him or accessed by him shall inform the HIPAA Privacy Compliance official immediately.

How We Secure PHI

  • PHI in storage is normally held only in encrypted form so that it is Unusable, unreadable, and undecipherable by an unauthorized person. Exceptions where necessary are properly authorized and monitored.
  • PHI no longer required is destroyed.
  • PHI in process is closely monitored through appropriate technical means to ensure that there is no accidental or intentional compromise of security.

How We Use or Disclose Information

  • PHI information is used or disclosed strictly in accordance with the provisions of HIPAA and HITECH Act.
  • PHI may be disclosed to the individual to whom the information belongs or his personal representative after appropriate authentication.
  • PHI may be disclosed to the regulatory authorities, such as the HHS or a person appropriately authorized on their behalf. PHI may be disclosed to a person as may be authorized by or on behalf of the individual to whom the information belongs, after appropriate authentication.
  • PHI may be disclosed to an appropriate law enforcement agency or a Court upon a proper demand having been received after due authentication.
  • PHI may be disclosed in emergent circumstances as may be appropriate under law with due diligence being exercised as to the permitted uses and disclosures under HIPAA and HITECH Act and to the authority of the person demanding the information.
  • Where PHI is received by the Company in its capacity as a Business Associate of another Covered Entity or another HIPAA compliant Business Associate, the disclosure of PHI would be only as permitted in the related Business Associate Agreement or as may be provided in law in supersession of such agreement.
  • All disclosures and the authorizations for such disclosures shall be documented as required under HIPAA or HITECH Act.

Customization of Privacy Practices

Where the Company enters into agreements with business partners for any service which requires a customization of this Privacy Policy, the same is agreed to by mutual discussion within the overall parameters set by law under HIPAA or HITECH Act. Such specialized policies shall be applicable on project basis between the parties concerned.

Grievance Redressal

The HIPAA Privacy Compliance official designated under this Policy shall also be the grievance officer to address any complaints arising out of this policy.

The President of the Company shall be the appeal authority in respect of any grievance which remains unresolved at the level of the Privacy Compliance Official.