
HIPAA/PHI Policy

ManageBGL eliminates concerns regarding the transfer of protected health information (PHI), as all data stored in and transferred through ManageBGL follows the “Safe Harbor” de-identification standard.

In addition to HIPAA-compliant policies for data storage and handling, the following procedures are in place to ensure HIPAA compliance:

  1. All ManageBGL employees and contractors receive annual HIPAA Business Associate training and certification
  2. ManageBGL web-based applications receive annual internal HIPAA audits

Client Data Policies

Client Data includes data stored by Clients in ManageBGL applications, information about a Client’s usage of the application, data instances in the CRM system that we have access to, or data that the Client has supplied to use for support or implementation. Here are the special considerations we take into account when managing Client Data:

  1. Client Data is not to be disclosed outside of ManageBGL, except to the Client who owns the data or to a Partner who has been contracted by the Client to manage or support their account.
  2. Client Data should only be shared using a secure sending method. Approved sending and sharing methods include Dropbox, Google Drive, emailing of encrypted files or use of a Client-provided secure transfer method.
  3. Client Data should only be stored temporarily outside of the ManageBGL Application, if at all. If there is a need to archive Client Data (for example, data provided by a Client during implementation or training), the data should be stored on a central file server and deleted from any personal computers. This includes report exports, contact lists, and presentations that contain Client information, as well as Client agreements.
  4. Client Data should only be accessed on a need-to-know basis. Specifically, a Client’s account should only be accessed to provide support, troubleshoot a problem with that account, or for supporting the system as a whole.
  5. Client Data should never be changed except with the explicit permission of the Client, with the exception of repairing data quality issues.

PHI Handling Policy

All ManageBGL staff members are made aware of relevant external regulations as part of their induction process, and all staff who may come into contact with PHI are trained in our PHI handling processes.

ManageBGL anonymizes PHI upon receipt and destroys the original except in exceptional circumstances. Where anonymization is not possible (for example, for technical reasons, where a product problem can only be recreated using PHI, or where the Client specifies that the data cannot be anonymized, e.g. if we are investigating a problem on a Client’s workstation), access to the data is restricted and the data is destroyed or returned to the Client as soon as it is no longer needed. Under no circumstances should identified data be added to the company dataset library.

ManageBGL expects professional integrity of our collaborators, Clients and partners providing PHI to us and will assume that they have obtained the data subject’s consent to use their data in this way.

Where a Business Associate agreement or similar contract relating to PHI is in place, ManageBGL staff members work under the terms of that agreement. Where no such agreement exists, the ManageBGL PHI handling policy and process are followed.

ManageBGL conducts periodic internal audits on compliance with this policy.

Last Modified: 4-Feb-2014