GDPR & HIPAA Compliance
Imperial Consultancy Services Pvt. Ltd. is committed to safeguarding its clients’ data and privacy rights. This includes patient confidentiality and document security requirements for GDPR compliance. In this context, we have developed a GDPR-compliant data security policy to provide our clients with a comprehensive overview of how we store, transfer, and handle any information they provide to us.
Policy Statement
As a leading healthcare service provider, Imperial Consultancy is dedicated to upholding the highest standards of data security and patient privacy. We recognize that the protection of sensitive patient information is paramount to our operations, and we are fully committed to complying with the General Data Protection Regulation (GDPR) and other relevant data protection laws and regulations.
Our Commitment
At Imperial, we understand that patient data is among the most sensitive and personal information. We are unwavering in our commitment to the following:
- Confidentiality: We recognize the significance of maintaining the confidentiality of patient information. All patient data entrusted to us, whether in the form of medical records, billing information, or other health-related details, will be handled with the utmost discretion.
- Integrity: We are dedicated to preserving the integrity of patient data. Any information we receive will be securely stored and transferred with complete fidelity to the original source.
- Availability: Imperial Consultancy pledges to ensure the availability of patient data when needed by authorized personnel. Our commitment extends to providing timely access to patient records while implementing stringent controls to prevent unauthorized access.
- Compliance: We recognize and respect the legal and ethical obligations imposed by GDPR and other relevant regulations. We are committed to full compliance with these requirements and will take all necessary measures to protect patient rights and privacy.
Scope of the Policy
Data Types Covered
This GDPR policy encompasses the protection and management of various types of sensitive patient data, including but not limited to:
- Patient Health Records (PHR): Detailed medical records containing patient diagnoses, treatment plans, medical history, laboratory results, and other health-related information.
- Billing Information: Patient financial data, including insurance information, billing statements, and payment details related to healthcare services.
- Medical Histories: Comprehensive patient medical histories, including past illnesses, surgeries, medications, and any relevant medical conditions.
- Diagnostic Data: Information related to patient diagnoses, such as radiology reports, pathology reports, and diagnostic test results.
- Demographic Information: Patient identification details, including names, addresses (if applicable), phone numbers (if applicable), and other personal identifying information.
Imperial Consultancy usually collects PHRs from clients who engage our healthcare services. We use secure digital communication channels to gather this information from customers.
Systems and Processes
This GDPR policy applies to all systems, processes, and activities involved in the handling, processing, and storage of patient data. It covers the following:
- Medical Transcription Services: The process of transcribing healthcare professionals’ audio dictations into text format, including the secure collection, transcription, and delivery of patient data.
- Insurance Liaison Services: Imperial Consultancy’s role as an intermediary between insurance providers, hospitals, and patients during claim negotiation processes, which may involve the exchange of patient information.
- Data Storage: The secure storage of patient data in cloud-based or on-premises systems, ensuring data integrity, confidentiality, and availability.
- Data Transmission: The secure transfer of patient data between healthcare providers, transcribers, and other authorized entities, both within and outside the organization.
- Access Controls: Mechanisms for granting and managing access to patient data, including authentication, authorization, and access permissions for employees, contractors, and third-party vendors.
Roles and Responsibilities
We’ve defined clear roles to ensure accountability for data security, privacy, and compliance. The most prominent roles include:
Data Security Officer (DSO)
The Data Security Officer (DSO) oversees and ensures the proper implementation of data security policies and practices across the organization. The DSO’s primary responsibilities include:
- Policy development: Collaborating with stakeholders to develop and update data security policies in accordance with GDPR, HIPAA, and other relevant regulations.
- Compliance monitoring: Regularly monitoring and ensuring compliance with data security policies and regulations.
- Incident response: Leading the incident response team in addressing security breaches, data incidents, and potential threats.
- Training: Providing training and awareness programs to educate employees, contractors, and vendors about data security.
- Risk assessment: Conducting risk assessments and vulnerability analyses to identify and mitigate security risks.
Data Custodians
Data custodians are individuals within the organization responsible for the custody and protection of patient data. Their responsibilities include:
- Data classification: Classifying patient data based on sensitivity (e.g., confidential, sensitive, public) and applying appropriate access controls and handling procedures.
- Access control: Managing and granting access permissions to patient data on a need-to-know basis, ensuring that employees, contractors, and vendors have access only to data necessary for their roles.
- Data storage: Ensuring secure storage of patient data, both in transit and at rest, in compliance with data security policies.
- Monitoring: Regularly monitoring data access and usage to identify and report any unauthorized access or policy violations.
Data Processors
Data processors, including employees, contractors, and third-party vendors, play a crucial role in handling patient data. Their responsibilities include:
- Data handling: Safely and accurately processing patient data, following data security policies and procedures.
- Access control: Adhering to access controls and permissions defined by data custodians to ensure data confidentiality.
- Training: Participating in data security training programs to understand and adhere to data security policies and best practices.
- Incident reporting: Reporting any data security incidents, breaches, or potential threats promptly to the Data Security Officer.
- Data disposal: Complying with data retention and disposal guidelines, securely disposing of data when it is no longer needed.
Third-Party Vendors and Contractors
Third-party vendors and contractors who have access to patient data must also adhere to data security and privacy standards. Their responsibilities include:
- Compliance: Complying with all data security and privacy requirements specified by Imperial Consultancy, including GDPR and other relevant regulations.
- Data handling: Handling patient data with the same level of care and security as internal employees, following Imperial Consultancy’s data security policies.
- Audit and oversight: Allowing Imperial Consultancy to audit and oversee their data security practices to ensure compliance.
- Incident reporting: Reporting any data security incidents or breaches that occur while handling patient data promptly to Imperial Consultancy.
We ensure that all stakeholders are aware of their obligations in maintaining data security and patient privacy.
Data Classification
At Imperial Consultancy, we classify patient data into the following categories based on sensitivity:
Confidential Data
This category includes patient health records (PHR) and billing information. Access to confidential data is strictly limited to authorized personnel with a legitimate need-to-know. Data handling procedures include encryption during transmission and storage.
Sensitive Data
Data such as medical histories and diagnostic information are classified as sensitive. Access controls ensure that only relevant individuals, as per the principles of least privilege (section 5), have access. These data types are also subject to encryption during transmission and storage.
Public Data
Limited non-sensitive patient information, such as basic demographic details, may be considered public. However, access controls are still enforced to prevent unauthorized disclosure.
Access Controls
Access to patient data is granted and revoked through the following procedures:
- Authentication: All employees, contractors, and third-party stakeholders must undergo identity verification through secure credentials (e.g., usernames, passwords, biometrics) to gain access.
- Authorization: Access rights are systematically defined, and users are granted or denied access based on predefined criteria. The principle of least privilege is strictly enforced, ensuring that employees have access only to the data necessary for their specific roles.
Physical Security
Our team members who work remotely exclusively use company-provided laptops and desktops and must comply with company protocols and policies on data security. Their machines run desktop time-tracking applications that monitor every part of their work.
They are not allowed to store PHI or other client files on their personal devices. Furthermore, these machines are kept up to date with robust encryption software and malware protection software to protect the data on them.
We also prioritize cleaning up temporary files created during service delivery. The deletion of all documents from our computers after service delivery follows an established protocol.
Data Storage and Transmission
At Imperial Consultancy, we use secure cloud storage solutions to store all patient information we receive from clients. Each type of client-sourced file is protected with robust 256-bit encryption at rest and in transit. Our host uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to protect data in transit between dictation applications and our servers. SSL/TLS creates a secure tunnel protected with 128-bit or greater Advanced Encryption Standard (AES) encryption.
We ensure secure data transmission and storage through the following measures:
- Encryption Protocols: Patient data is encrypted during both transmission and storage. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) is employed for data transmission, and data storage systems employ encryption algorithms like Advanced Encryption Standard (AES) for data at rest.
- Network Security: Robust firewalls and intrusion detection systems are in place to protect data during transmission over networks. Regular updates and diligent monitoring of network traffic are conducted to detect and mitigate threats.
- Secure Storage: Data is securely stored on the cloud and on-premise devices. Access controls are strictly enforced to prevent unauthorized access to stored data.
Authentication and Authorization
Authentication
Imperial Consultancy uses a combination of secure methods to verify the identity of users accessing patient data. These methods may include:
- Usernames and strong, periodically changed passwords.
- Multi-factor authentication (MFA) to ensure an extra layer of security.
- Biometric authentication where applicable and feasible, such as fingerprint or facial recognition.
Authorization
The authorization process involves specifying access rights based on user roles and responsibilities. Imperial Consultancy employs the principle of least privilege, ensuring that employees, contractors, and third-party vendors have access only to the data necessary for their specific roles. Authorization is controlled through role-based access control (RBAC) mechanisms, which are regularly reviewed and updated as job responsibilities change.
Incident Response
Imperial Consultancy maintains a well-defined incident response protocol to address data breaches, unauthorized access, and other security incidents. Our incident response plan covers the following:
- Containment: In the event of a security incident or data breach, immediate containment actions are initiated to prevent further unauthorized access, data leakage, or damage. Containment may involve isolating affected systems or networks.
- Investigation: A comprehensive investigation is launched to determine the nature, scope, and impact of the incident. This involves collecting evidence, conducting forensic analysis, and identifying the root cause.
- Notification: If required by data protection regulations, affected parties, regulatory authorities, and relevant stakeholders will be promptly notified of the incident. The notification process will be carried out as per legal requirements and within the specified timeframes.
- Recovery: Recovery measures are initiated to restore normal operations while minimizing any potential damage. This includes actions to remediate vulnerabilities, repair affected systems, and strengthen security controls to prevent similar incidents in the future.
Data Retention and Disposal
We follow established guidelines for retaining patient data in compliance with legal requirements and ensure secure data disposal when data is no longer needed.
Retention Guidelines
Patient health data, billing information, and other details are retained only for the duration necessary to fulfill their intended purpose or as required by applicable laws and regulations. A data retention schedule is maintained to define specific retention periods for different types of patient data.
Secure Data Disposal
Procedures for secure data disposal are in place, including:
- Secure shredding of physical documents containing patient data.
- Secure erasure or destruction of electronic data, including data on servers, databases, and portable devices.
- Regular auditing and verification of data disposal processes to ensure compliance with data security and privacy standards.
Training and Awareness
We predominantly recruit new employees through referrals from our current employees. We also run extensive background checks on some candidates before hiring. Moreover, our employees sign NDAs as and when required by a client to uphold privacy at all times. We also conduct regular training programs to educate employees about data security policies, procedures, and best practices.
These include:
- Data Security Training: All employees, contractors, and third-party vendors receive comprehensive training on data security policies, procedures, and compliance with data protection regulations like GDPR and HIPAA.
- Security Awareness Campaigns: Regular security awareness campaigns are conducted to reinforce the importance of data security and promote a culture of vigilance among all stakeholders.
Third-Party Management
Imperial Consultancy specifies rigorous requirements for third-party vendors and partners who have access to patient data through the following:
- Contractual Agreements: Third-party vendors are required to enter into contractual agreements that mandate adherence to data security and privacy standards consistent with Imperial’s policies.
- Auditing and Oversight: Imperial conducts audits and oversight to ensure third-party compliance with data security policies and regulatory requirements.
Monitoring and Auditing
We employ various methods for monitoring and auditing data access and usage:
- Logging and Records: Detailed logs and records are maintained to track data access and usage, enabling the identification of potential security breaches or policy violations.
- Regular Audits: Regular internal and external audits are conducted to assess compliance with data security policies and regulations.
Continuous Improvement
The GDPR policy is regularly reviewed and updated to adapt to new security threats, technologies, and regulations. It ensures data protection measures remain robust and up-to-date.
We reserve the right to update or modify the above GDPR Privacy Policy, as deemed necessary, to adapt to changing business and market needs. We are not obliged to inform you of a change to the policy before it is made. Following a change, we will communicate it through the appropriate channels.
Enforcement and Consequences
We take proactive measures to enforce the regulations and protocols outlined in this policy. The consequences of violating the data security policy are clearly defined and communicated to all stakeholders. Disciplinary actions, including warnings, suspension, termination, and potential legal repercussions, may be taken in response to policy violations.
Your Data Protection Rights
At Imperial Consultancy Pvt. Ltd., we believe in maintaining complete transparency with our clients. Accordingly, you may request that we delete our copy of your files from our systems after the successful completion of your project.
If you want to request the deletion of any data, you can reach out to your account manager directly.
Reach Out to Us
If you have any questions about our GDPR Data Security Policy, the data we hold, or your data protection rights, please feel free to contact us.
Email Us
info@imperialintelligence.co.uk
Call Us
(UK) +44 795 162 7123
(US) +1 347 295 4572
Write to us at
8th Floor, One Canada Square, Canary Wharf, London E14 5AA