
Privacy Policy

The Privacy Policy applies to all personnel in P1BILLING LLC (P1 Billing). In addition, third parties such as customers, contractors, and others (hereinafter referred to as "PII Principals") shall benefit from the rights included in this policy.

 

ACCOUNTABILITY

Each member of the management team in P1BILLING is responsible, within his or her business area, for compliance with this Privacy Policy, and all personnel in P1BILLING must comply with this Privacy Policy.

Each P1BILLING member acting as PII Controller or a PII processor for processing of PII shall ensure and be responsible for compliance with these Privacy Policy requirements for the PII Controller and Processor according to ISO 27701.

If a type of processing is likely to result in a high risk to the rights and freedoms of PII Principals, P1BILLING shall, prior to the processing, carry out an assessment (Privacy Impact Assessment) of the impact of the processing operations on the protection of PII.

1. CATEGORIES OF PII AND KEY PURPOSES OF THE PII PROCESSING

1.1. CATEGORIES
P1BILLING processes the following main categories of PII:
 

  • Employees - general contact information: e.g. name, address, email address, phone number, Social Security number, date of birth etc.

  • Employees - other information:

    • Key information necessary for the employment management, e.g. salary information, resume, education level, performance reviews, recruitment information, bank account number, details of next of kin etc.

    • Registration of hours worked, absences, holiday, overtime, maternity leave and other paid leave of absence

    • Records of training

    • Employment history within P1BILLING: e.g. start date, company and corporate seniority, job grade, position, organizational unit (department), immediate superior, contract details, employee type, job location, leaving date, performance review, retirement time etc.

    • Other employee data for statistical purposes: (e.g. gender, nationality, age)

  • Customer and supplier information (e.g. name, address, email address, phone number, picture etc.)

  • IT-related information (electronic logs regarding persons' use of IT resources, user profile/account information/emails etc.)

  • Patient information (only as reasonably necessary to provide P1BILLING services): For Coding, Demo, Charges, EDI, Payments, AR and TSM Services, P1BILLING processes Email, SSN, Phone, Standard Phone, Full name, DOB, Address, City, State, ZIP code, Medical health details, Criminal offences, IP address, Credit score, phone carrier info, Insurance letters, Account Number, Claim number, CPT, ICD 10. For Medical Transcription Service, P1BILLING collects audio files containing detailed health information requiring conversion to a written format.

1.2. MAIN PURPOSES
The processing has the following main purposes:
 

  • Services provided by P1BILLING

    • Background verification of insurance claim

    • Demographics

    • Medical Coding

    • Charge entry and Validation

    • Electronic/Paper Claim Submissions

    • Payment Posting

    • Account Reconciliation

  • For Internal operations, P1BILLING processes:

    • Contact information

    • Employee administration, including payroll

    • Customer administration

    • IT administration and information security administration

    • Authentication and authorization

    • Physical security

    • Administer IT-costs per employee, and internal CRM-information

    • Support the recruitment process (e.g. registering applications and CVs etc.)

    • Document Management

    • Provide input to the organization regarding trends and reasons for leaving the company (e.g. exit interview)

    • Provide input to HR personnel in connection with disciplinary actions

2. REQUIREMENTS FOR PROCESSING PII

2.1. LEGAL BASIS/LAWFUL PROCESSING
P1BILLING shall ensure that processing of PII takes place for legitimate purposes and has a legal basis. P1BILLING may Process PII for legitimate purposes if at least one of the following legal bases applies:
a) the PII Principal has given his or her unambiguous consent
b) the processing is necessary for the performance of a contract
c) the processing is necessary for compliance with a legal obligation to which P1BILLING is subject.
d) the processing is necessary in order to protect the vital interests of the PII Principal.
e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in P1BILLING
or
f) the processing is necessary for legitimate purposes pursued by P1BILLING or by a Third Party to whom the PII are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the PII Principal.

2.2. PROCESSING OF SPECIAL CATEGORIES OF PII
P1BILLING's processing of PII revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a PII Principal, data concerning health or data concerning a natural person's sex life or sexual orientation is prohibited unless one of the following applies:
a) the PII Principal has given his or her explicit consent
b) the processing is necessary for the purposes of carrying out the obligations and specific rights of P1BILLING in the field of employment, social security and social protection law, in so far as the processing is authorized by applicable law providing for adequate safeguards
c) the processing is necessary to protect the vital interests of the PII Principal or of another person
d) the processing relates to special category of PII which are manifestly made public by the PII Principal
e) the processing is necessary for the establishment, exercise or defense of legal claims (including for dispute resolution) or processing is necessary for compliance with a legal obligation to which P1BILLING is subject
f) the processing is necessary for the performance of a task for reasons of substantial public interest
g) the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the PII Principal, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, and the special category of PII are Processed by a health professional subject to applicable law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
h) the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
i) the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

2.3. NATIONAL IDENTIFICATION NUMBERS
National identification numbers and social security numbers shall be processed in accordance with applicable local law.

2.4. CONSENT
If consent is the legal basis for processing PII or special categories of PII, the conditions described in this section shall apply. When seeking consent, P1BILLING must inform the PII Principal of:
i. the identity and contact details of P1BILLING being the PII Controller of the processing
ii. the purposes for which the PII is to be Processed
iii. the categories of Third Parties to which the PII will be disclosed (if any)
P1BILLING must be able to demonstrate that the PII Principal has consented to processing of the PII. The request for consent shall be presented in an intelligible and easily accessible form, using clear and plain language. Prior to giving consent, the PII Principal shall be informed that the consent can be withdrawn without adverse consequences for the PII Principal. The consent shall be as easy to withdraw as to give. The PII Principal may withdraw consent at any time. A withdrawal of consent shall not cause any adverse consequences to the PII Principal's relationship with P1BILLING. The withdrawal of consent does not affect the lawfulness of processing based on such consent that was conducted before the withdrawal.

2.5. PURPOSE LIMITATION
P1BILLING shall only collect, use or otherwise process PII for specified, explicit and legitimate purposes, and shall not further process it in a way incompatible with those purposes. Processing of PII further to collection shall only take place if such processing is compatible with the purposes that were originally specified for the processing. The following purposes shall be considered compatible with the purposes for which P1BILLING processes PII:
a) audits, business controls, due diligence and investigations
b) dispute resolution
c) legal and business affairs
d) research
e) insurance and pension

2.6. SECURITY OF PROCESSING
PII processed by P1BILLING shall be kept in a form which permits identification of PII Principals for no longer than is necessary for the collection or further-processing purposes, unless necessary to comply with an applicable legal requirement.

Temporary files shall only be stored or processed until their purpose is met. A review of temporary files shall be performed once a year. Taking into consideration the particular kind and the cost of implementation, such measures shall ensure a level of security that is appropriate to the risks represented by the processing and the nature of the data.

P1BILLING shall specify the period for which certain PII will be stored. Promptly after the applicable storage period has ended, the PII shall be securely deleted or anonymized.

P1BILLING shall implement appropriate technical and organizational measures to protect PII against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access. Taking into consideration the kind and the cost of implementation, such measures shall ensure a level of security that is appropriate to the risks represented by the processing and the nature of the data.


2.7. PRIVACY BY DESIGN AND DEFAULT
P1BILLING shall implement appropriate technical and organizational measures designed to implement data protection principles, such as PII minimization, in an effective manner. The purpose of implementing these measures is to integrate the necessary safeguards into the processing in order to protect PII Principals' rights. When implementing these measures, P1BILLING shall take into account the state of the art technology, the cost of implementation and the nature, scope, context and purposes of processing, as well as the severity and likelihood of the risks posed by the processing to the rights of the PII Principals.

P1BILLING shall implement appropriate technical and organizational measures for ensuring that, by default, only PII for each specific purpose are processed. This obligation applies to the amount and type of PII collected, the period of their storage and their accessibility.
 

3. PRIVACY BREACH

3.1. WHAT IS A PRIVACY BREACH
A Privacy Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, PII transmitted, stored or otherwise processed.

3.2 PRIVACY BREACH NOTIFICATION TO THE PII PRINCIPALS
When the privacy breach is likely to result in a high risk to the rights and freedoms of the PII Principal, P1BILLING shall notify the PII Principal of the privacy breach within 30 days following discovery of such breach. The notification to the PII Principal shall describe the nature of the privacy breach in clear and plain language. Notification to the PII Principal as described above is not required if any of the following conditions are met:

a) P1BILLING has implemented appropriate technical and organizational protection measures, such as encryption, and those measures were applied to the PII affected by the breach;
b) P1BILLING has taken subsequent measures which ensure that the high risk to the rights and freedoms of the PII Principal is no longer likely to materialize; or
c) It would involve disproportionate effort. In these cases, there shall instead be a common communication that informs PII Principals in an equally effective manner.

3.3 TRANSFER TO EXTERNAL PII CONTROLLERS AND PROCESSORS
Disclosure of PII from P1BILLING as PII controller to another controller may take place as long as the conditions listed below are fulfilled:

a) it takes place for legitimate purposes and is not incompatible with the purpose for which the PII were collected,
b) it is in accordance with the principle of data quality and proportionality.
c) the criteria for making data processing legitimate are fulfilled.
d) appropriate security measures protect the data during transfer and further processing by the receiving controller.

Transfer of PII from P1BILLING to a PII Processor may take place, on condition that the PII Processor's processing on behalf of P1BILLING is governed by a contract (PII Transfer/Protection Agreement) which stipulates the following:

a) the PII Processor shall process PII only in accordance with P1BILLING's instructions and for the purposes authorized by P1BILLING;
b) the processor shall keep the PII confidential;
c) the PII Processor shall take appropriate technical, physical and organizational security measures to protect the PII;
d) the processor shall not permit sub-processors to process PII in connection with its obligations to P1BILLING without P1BILLING's prior written consent;
e) P1BILLING has the right to review the security measures taken by the PII Processor
f) the PII Processor shall promptly inform data processor of any actual or suspected privacy breach; and
g) the PII Processor shall take adequate remedial measures as soon as possible and shall promptly provide P1BILLING with all relevant information and assistance as requested by P1BILLING regarding the privacy breach.

In specific situations where a transfer cannot be based on the above, transfer may take place on one or more of the following conditions:

a) the transfer is necessary for the performance of a contract between P1BILLING and the PII Principal or for taking necessary steps at the request of the PII Principal prior to entering a contract;
b) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the PII Principal between P1BILLING and the PII Processor;
c) the transfer is necessary for important reasons of public interest;
d) the transfer is necessary for the establishment, exercise or defense of a legal claim;
e) the transfer is necessary to protect a vital interest of the PII Principal; or
f) the transfer is required by any law to which P1BILLING is subject.

3.4 TRANSFER TO EXTERNAL PII CONTROLLERS AND PROCESSORS OUTSIDE THE PII ORIGINATING COUNTRY
Transfer of PII from P1BILLING to a processor or controller established in a country outside the PII originating country ensuring an adequate level of protection may only take place if the requirements of Section 8.2 are fulfilled and one of the following applies:

a) the importer has implemented Binding Corporate Rules or a similar transfer mechanism that provides appropriate safeguards under applicable law;
b) P1BILLING and the PII Processor or Controller have provided appropriate safeguards by entering into an agreement and assessed that the agreement clauses are enforceable according to the importer's national law.

In specific situations where a transfer cannot be based on the above, transfer may take place on one or more of the following conditions:

a) the transfer is necessary for the performance of a contract between P1BILLING and the PII Principal or for taking necessary steps at the request of the PII Principal prior to entering into a contract;
b) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the PII Principal between P1BILLING and the PII Processor;
c) the transfer is necessary for important reasons of public interest;
d) the transfer is necessary for the establishment, exercise or defense of a legal claim;
e) the transfer is necessary to protect a vital interest of the PII Principal; or
f) the transfer is required by any law to which P1BILLING is subject.

PII transfer between jurisdictions can be subject to legislation and/or regulation depending on the jurisdiction or organization to which PII is to be transferred (and from where it originates). P1BILLING shall document compliance with such requirements as the basis for transfer.

3.5 TRANSFER WHERE P1BILLING ACTS AS PII PROCESSOR
P1BILLING may act as PII Processor on behalf of a customer acting as PII Controller under the condition that the processing is governed by a contract ("PII Transfer/Protection Agreement") which stipulates the following:

a) P1BILLING shall process PII only in accordance with the customer's instructions and for the purposes authorized by the customer;
b) P1BILLING shall keep the PII confidential;
c) P1BILLING shall take appropriate technical, physical and organizational security measures to protect the PII;
d) the customer has the right to review the security measures taken by P1BILLING;
e) P1BILLING shall promptly inform the customer of any actual or suspected privacy breach;
f) P1BILLING shall take adequate remedial measures as soon as possible and shall promptly provide the customer with all relevant information and assistance as requested by the customer regarding the privacy breach; and
g) P1BILLING shall not permit sub-processors to process PII in connection with its obligations to the customer without the customer's prior written consent.
 

JOINT PII CONTROLLER

P1BILLING shall determine respective roles and responsibilities for the processing of PII with any joint PII controller whenever it is applicable.

A joint PII agreement shall be executed in these cases and may include the following:

a) identity of the organizations (PII controllers) that are part of the joint PII controller relationship;
b) categories of PII to be shared and/or transferred and processed under the agreement;
c) overview of the processing operations (e.g. transfer, use);
d) description of the respective roles and responsibilities;
e) responsibility for implementing technical and organizational security measures for PII protection;
f) definition of responsibility in case of a PII breach (e.g. who will notify, when, mutual information);
g) terms of retention and/or disposal of PII;
h) liabilities for failure to comply with the agreement;
i) how obligations to PII principals are met;
j) how to provide PII principals with information covering the essence of the arrangement between the joint PII controllers;
k) how PII principals can obtain other information they are entitled to receive; and
l) a contact point for PII principals.
 

SUB-PROCESSORS

a) P1BILLING may engage sub-processors to render its services, which includes the processing of PII and SPI. This arrangement is addressed in the Business Associate Addendum (BAA) which is signed between the Covered Entity (PII Controller) and P1BILLING/P1BILLINGO.
b) P1BILLING shall inform the PII Controller of any change of sub-processors under a written authorization and give the PII Controller the opportunity to object.
c) P1BILLING shall remain liable for the acts and omissions of its sub-processors that process PII Controller's controlled PII and SPI.
d) P1BILLING must check that the sub-processor has taken the necessary technical and organizational measures to protect PII during the contractual term.
e) Third-party services engaged by the PII Processor as purely supplementary services to facilitate its business activities shall not be considered a sub-contractual relationship. For supplementary services rendered by third parties, the PII Processor shall nevertheless ensure that appropriate precautions and technical and organizational measures are taken to guarantee PII privacy.
f) If the sub-processors are established in a country outside the PII originating country, requirements of Section 8.3 apply.
 

PII QUERY REDRESSAL AND COMPLAINT MECHANISMS

All PII Principals, including third-party beneficiaries, may request information or file a complaint regarding PII protection, processing and disposal by contacting the Data Protection Officer by email at privacy@p1billing.com.

All PII Principals shall have the right to claim that P1BILLING is not complying with the Privacy Policy. Any such complaint will be handled fairly and effectively.

If the PII Principal is an employee, he or she may choose to bring the complaint to the local HR representative or to his or her manager. Alternatively, he or she may choose to contact the Data Protection Officer.

The aim is to resolve all matters within a reasonable time, but if this is not possible due to various challenges, i.e., the size of the case, then the Data Protection Officer will keep in regular contact and keep the PII Principal informed about the status of the complaint, either by phone or e-mail. In cases where the complaint is considered justified, the PII Principal will be informed in writing, and actions, if necessary, will be taken. If the consequence is rejection of the complaint, the PII Principal will be informed in writing by the Data Protection Officer.

 

Any personal information that we collect (as identified in the “Personal Data We Collect” section) will not be shared with third parties.

You may contact us as follows:

P1Billing LLC.
Piscataway, NJ
Telephone# (845) 425-2800
Email - info@p1billing.com
