As a business associate of covered entities, Beesy, LLC is legally required to comply with HIPAA regulations when handling Protected Health Information (PHI). As part of business practices related to market research, Beesy may receive Protected Health Information or collect, use, or maintain PHI on behalf of covered entities. PHI is confidential information specific to individual patients. BEESY is accountable and responsible for PHI under its control. As such, Beesy will comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (the “Privacy Rule”, 45 C.F.R. Parts 160-64), when handling PHI as required by law.
A. Business Associate. “Business Associate” shall mean Beesy, LLC and shall also have the meaning given to such term under the Privacy Rule, including 45 C.F.R. § 160.103.
B. Covered Entity. “Covered Entity” shall mean any Beesy, LLC client(s) and shall also have the meaning given to such term under the Privacy Rule, including 45 C.F.R. § 160.103.
C. Third-Party. “Third-Party” shall mean any vendor or subcontractor to Beesy, LLC.
D. Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
E. Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
F. Required by Law. “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 164.103.
III. Use and Disclosure of Medical Information
Your health information may be used and disclosed by Beesy, LLC for market research needs.
BEESY and its representatives may collect and use your information for the following purposes:
- Determining your eligibility to participate
- Clarifying your responses in surveys or interviews
- Conducting research
Only information that you provide to Beesy, LLC may be used and disclosed. Beesy, LLC will have no other health information or means to access your health information.
How We Collect Information About You: When collecting personal information from you, BEESY will explain the purpose of collecting the information and will answer any questions you may have. Beesy, LLC and its employees collect data through a variety of means, including but not necessarily limited to surveys and phone and in-person interviews. Some of your information may be collected from other sources such as third-party recruitment firms.
What We Do Not Do With Your Information: We disclose only aggregate survey responses to our customers. We may share de-identified information with our clients; however, patient confidentiality is protected. We do not disclose protected health information about you to our clients without your prior written consent.
A. Types of Protected Health Information Collected:
Survey and interview data of patients may include Protected Health Information (PHI). PHI is personally identifiable health information in any form, whether oral, written or electronic. BEESY will obtain your consent to collect, use or disclose protected health information.
PHI includes the 18 unique identifiers:
- Specific dates—birth, admission, discharge, death;
- Telephone numbers;
- Social security number(s);
- Medical record number;
- City, zip code, and other geographic identifiers;
- Fax numbers;
- Electronic mail addresses;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger, retinal and voiceprints; and
- Any other unique identifying number, characteristic or code.
B. Sources of PHI Collected
a. Quantitative Market Research Studies
Beesy, LLC receives data files from programmers that may provide the following:
- Randomly generated IDs
- Zip code, state, or another regional identifier
- Dates of importance including hospitalization and treatment dates
The PHI would be subject to appropriate safeguards and proper retention and disposal procedures defined below.
b. Qualitative Market Research Studies
BEESY receives data drawn from questionnaires and interviews that may include the following information:
- Names, including abbreviations and initials
- Dates of importance including hospitalization and treatment dates
- Address or location by state
- Photographs, or video on occasion
Information collected from patients through qualitative market research studies may be considered PHI if it falls within the categories described in Section III A. Information provided by medical professionals and their associates is not subject to HIPAA regulations, unless the professional mentions a patient by a specific identifier listed in Section III A.
Obligations of Beesy, LLC Use of PHI
B. Beesy will use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Policy.
C. Beesy, LLC will report to Covered Entity any use or disclosure of the PHI not provided for by this Policy of which it becomes aware.
E. Beesy, LLC will establish internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI created or received by Beesy, LLC on behalf of the Covered Entity and will make them available to the Covered Entity or to the Department of Health and Human Services, in a timely manner or as designated by the Department of Health and Human Services, for purposes of the Department determining Covered Entity’s compliance with the Privacy Rule.
F. Beesy, LLC agrees to document any disclosures of PHI and information related to these disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with guidance provided in 45 C.F.R. § 164.528.
G. Beesy, LLC agrees to provide to Covered Entity or an Individual, in a timely manner, the information collected to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with guidance provided in 45 C.F.R. § 164.528.
V. Compliance Activities for Securing PHI
a. Beesy, LLC will remove all identifiers classified as PHI as described in Section III A from items sent to clients such as transcripts, audio files, surveys, and email.
b. Beesy, LLC employees will remove all identifiers classified as PHI as described in Section III A from written and electronic records whenever possible.
a. Administrative Safeguards
- Beesy, LLC has designated a privacy officer who is responsible for developing, implementing and enforcing all required policies and procedures.
- Access to electronic PHI (EPHI) is restricted to only those employees who require PHI to complete their job function.
- Beesy, LLC provides appropriate ongoing training regarding the handling of PHI to employees who require PHI to complete their job function.
b. Physical Safeguards
- Electronic hardware and software are introduced to and removed from Beesy, LLC networks under controls that ensure that PHI is not compromised.
- Secure access to equipment, hardware and software containing PHI is controlled and monitored with access restricted to employees who require PHI to complete their job function.
- Workstations and monitors are secure and removed from high traffic areas and direct view of the public.
c. Technical Safeguards
- Information systems housing PHI are protected from intrusion. Beesy, LLC secures all physical and digital information to prevent unauthorized alterations or destruction of data.
- Beesy, LLC employees use a secured network connection. Encryption is used when information is transmitted over open networks. Information-storing systems are secured.
C. Retention and Disposal of Data Containing PHI upon Termination of Contract
a. Upon termination of the contract with the Covered Entity for any reason, Beesy, LLC will comply with any and all disclosed Covered Entity (client) policies and procedures concerning retention and disposal of data that contains PHI (if the PHI was obtained from the Covered Entity).
b. If no such policies and procedures exist or are not disclosed to Beesy, LLC prior to termination of the contract, Beesy, LLC will defer to the Marketing Research Association Best Practice Guidelines on HIPAA.
c. Where feasible, upon termination of the contract between Beesy, LLC and the Covered Entity, Beesy, LLC will destroy all PHI received on behalf of the Covered Entity.
d. If it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the following termination provisions.
VI. Obligations of Covered Entity or Third-Party Receiving from and Providing PHI to Beesy, LLC
a. Covered Entity or Third-Party shall notify Beesy, LLC of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Beesy, LLC’s use or disclosure of PHI.
b. Covered Entity or Third-Party shall notify Beesy, LLC of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Beesy, LLC’s use or disclosure of PHI.
c. Covered Entity or Third-Party shall notify Beesy, LLC of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Beesy’s use or disclosure of PHI.
VII. Permissible Uses and Disclosures of Information
a. Any information designated as Confidential Information as defined in Section 1 in the “Agreement on Confidential Information, Ownership of Work, Possession of BEESY Property, Conflicts of Interest, and Non Solicitation with Beesy, LLC” is considered secret or confidential until Beesy, LLC discloses it or it comes into the public domain in some other lawful manner.
b. The same restrictions described in the “Agreement on Confidential Information, Ownership of Work, Possession of BEESY Property, Conflicts of Interest, and Non-Solicitation with Beesy, LLC” apply to Confidential Information belonging to Covered Entity.
d. Any Covered Entity or any Third-Party contracted by Beesy, LLC shall not request Beesy, LLC to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if used or disclosed in the same manner by Covered Entity or Third-Party.
e. Except as limited in the preceding provisions in this section, Beesy, LLC may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the contract between Beesy, LLC and the Covered Entity, provided that such use or disclosure of PHI would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
VIII. Health Information Rights
Right to Inspect and Copy: You have the right to see and have a copy of the health information that Beesy, LLC has about you.
Right to Request an Amendment: If you feel the health information we have about you is wrong or incomplete, you may ask us in writing to fix the information. We may say no to your request if it is not in writing and it does not include a reason, or the information was not created by us, or the information is determined to be correct and complete.
Right to Request Restrictions: You have the right to ask us to either not disclose or partially disclose your health care information.
Right to Request Confidential Communication: You have the right to ask that we talk with you about health care matters in a certain way or at a certain place. For example, you can ask that we only contact you at work or by email. Beesy, LLC will work to meet all reasonable requests.
Right to a Paper Copy of this Notice: You have the right to ask for a paper copy of this notice. If you have any questions or would like to use these rights, a request for inspecting, copying, amending, making restrictions, or obtaining an accounting of your health information must be made in writing to:
68 Beekman Road
Summit, NJ 07901