Privacy Policy
Command Business Partners understands your privacy is important. We are committed to protecting your privacy and personal data. This privacy policy describes the data we collect and our use and disclosure of both the Personal and Protected Health Information collected on our website and from our Health Plan customers that utilize our software-as-a-service applications.
It is CBP’s policy to comply fully with all State and Federal requirements regarding the Privacy, Use and Disclosure of our Health Plan customers’ enrollees’ information. To that end, all members of CBP’s workforce must comply with this Privacy, Use and Disclosure Policy.
Data We Collect
On our website and in the course of ordinary business and by our Health Plan clients that use our on-line services we may collect personal information. We may also collect information about the devices you use to connect to our website or services.
Personal Information (PPI) means information that relates to an individual or to the demographic information of our Health Plan clients’ enrollees, enrollees’ family members or Providers, including their name, address, email, telephone numbers, age and date of birth. (We do not collect Social Security Numbers or Financial Data.)
As part of our on-line software-as-a-service applications, CBP does NOT directly collect Personal or Protected Health Information (PHI) on the enrollees of our Health Plan customers.
Protected health information (PHI) means information that relates to the past, present, or future physical or mental health or conditions of an enrollee; the provision of health care to an enrollee; or the past, present, or future payment for the provision of health care to an enrollee; and that identifies the enrollee or for which there is a reasonable basis to believe the information can be used to identify the enrollee. Protected health information includes information of persons living or deceased.
Use and Disclosure
Personal Information we collect on our website or in the course of ordinary business transactions.
Any personal information we may collect on our website or in the course of ordinary business for individuals may be used to fulfill requests for information, to send response or marketing emails and alerts, or to personalize the content you view.
CBP will not intentionally disclose or transfer your personal information without your consent and will take all reasonable steps to prevent unintentional disclosure.
We may disclose your information if we are required to do so by law, to support auditing, compliance and corporate governance, if needed to protect ourselves against fraud, or in the event of a merger, acquisition or other transfer of the business.
Personal and Personal Health Information entered into our Software-As-A-Service applications by our Health Plan clients.
CBP’s Health Plan customers directly enter data manually or electronically for the purpose of processing documents and/or managing and resolving Enrollee and Provider Complaints, Appeals and Grievances. CBP in no way modifies or deletes this information, which is a copy of the source data retained in our customers’ systems.
For any data our clients may enter into our systems, our Health Plan clients are required to follow our Acceptable Use Policy to ensure proper handling and security of their enrollee/provider data, which is maintained in our systems on their behalf.
CBP does not disclose information. Any requests for information are made to our Health Plan clients, and therefore this information would be disclosed to the requestor by the Health Plan.
CBP will not intentionally disclose or transfer your personal information and will take all reasonable steps to prevent unintentional disclosure.
We may disclose your information if we are required to do so by law, to support auditing, compliance and corporate governance, if needed to protect ourselves against fraud, or in the event of a merger, acquisition or other transfer of the business.
Security and Data Retention
For the data we collect on our website or in the course of ordinary business transactions we implement generally accepted operational and technology security standards. Only authorized staff are allowed to access Personal information and all information is treated as confidential.
For the data collected by our Health Plan clients entered into our on-line services:
CBP is obligated as a Business Associate of our Health Plan clients to follow industry standards on information security management to safeguard PII/PHI information as defined below within this policy. CBP implements strict operational and technology controls and adheres to the HITRUST framework.
CBP provides our Health Plan customers with CBP’s security and privacy policies as well as our use and disclosure policies through our contracts and documents which we submit as part of our customers’ own Risk Assessments. Our Health Plan clients are able to communicate with CBP’s senior security official and senior privacy official. CBP customers have the ability to share this information with the public.
Company's Responsibilities as Business Associate
I. Privacy and Security
CBP has a comprehensive Security and Privacy Program and Compliance Programs that ensure privacy & security through:
· Privacy & Security Officials
· Workforce Training
· Administrative, Technical and Physical Safeguards
· Complaints (Incidents) Management
· Sanctions for Violations of Privacy Policy
· Mitigation of Inadvertent Disclosures of Protected Health Information
· No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
· Documented Policies
· Data Retention Policy
II. Privacy Official and Contact Person
Daniele Chenal and Mike Richmond are the Privacy Officials for the Company. The Privacy Officials are responsible for the development and implementation of policies and procedures relating to privacy, including but not limited to this Privacy Policy and Command’s use and disclosure procedures. The Privacy Official will also serve as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI.
III. Workforce Training
It is Command’s policy to train all members of its workforce who have access to PHI on its privacy policies and procedures. The Privacy Officials are charged with developing training schedules and programs so that all workforce members receive the training necessary and appropriate to permit them to carry out their functions within Company.
IV. Technical and Physical Safeguards
Command has established appropriate technical and physical safeguards defined within our policies to prevent ePHI/PII from intentionally or unintentionally being used or disclosed in violation of HIPAA's requirements. Technical safeguards defined within our various policies include use of encryption, locking down ports on workstations, vetting and using a secure data center, monitoring access, and limiting access to information. Physical safeguards include educating staff on how to handle any type of paper based ePHI and validating our data center partner adheres to strict physical security safeguards.
V. Complaints (Incidents)
The Privacy Officials will be the company's contact person for receiving complaints. The Privacy Official is responsible for creating a process for individuals to lodge complaints about the company's privacy procedures and for creating a system for handling such complaints.
V. Sanctions for Violations of Privacy Policy
Sanctions for using or disclosing PHI in violation of this HIPAA Privacy Policy will be imposed up to and including termination. All incidents are reported to the Covered Entity within 24 hours.
VI. Mitigation of Inadvertent Disclosures of Protected Health Information
Command shall mitigate, to the extent possible, any harmful effects that become known to it because of a use or disclosure of an individual's PHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of protected health information, either by an employee of the Company or an outside consultant/contractor, that is not in compliance with this Policy, the employee must immediately contact the Privacy Official so that the appropriate steps to mitigate the harm to the participant can be taken.
VII. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA. No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment, or eligibility.
VIII. Documentation and Retention of PPI/PHI
Command’s privacy policies and procedures have been documented and will be maintained for at least six years. Policies and procedures are changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures are promptly documented. If a change in law impacts the privacy notice, the privacy policy must promptly be revised and made available. Such change is effective only with respect to PHI/PPI created or received after the effective date of the notice.
Disclosure notices: CBP does not directly disclose collected information to the public or other entities; however, in the event such disclosure should become necessary, we will retain any disclosure requests and related notices for a period of at least six years.
Designated record sets: CBP does not currently have any designated record sets. In the event our Health Plan clients define designated record sets, CBP will retain this information along with the titles of the persons or office responsible for receiving and processing requests for a period of six years.
IX. HIV-Related Information
Any HIV-related information entered into our system by our Health Plan customers is labeled as such so that it can be retrieved if required through diagnosis and/or billing codes or comments that include HIV-related commentary. All HIV-related data is encrypted and handled the same as all ePHI.
Your Rights
Where granted by law, you have the right to request information collected about you. We will take steps to verify your identity and will promptly respond to your request. For PHI data collected and entered into our systems by our Health Plan clients, Command Business Partners will redirect your request, as we are not authorized to disclose this information to you directly.
Consent
By using our website and submitting personal information you are consenting to our stated uses of your personal data.
Contact Us
Command Business Partners, LLC
33 Drummond Place Red Bank, NJ 07701
Attn:
Compliance Officer: Daniele Chenal Email: daniele.chenal@commanddirect.com Phone: 1-732-689-0564
or
Chief Information Security Officer: Mike Richmond Email: mike.richmond@commanddirect.com Phone: 1-732-689-0564