Data Security Policy

Effective Date: 01/01/2026

Last Updated: 01/01/2026

ProficientNow Health Care ("Company," "we," "our," or "us") is committed to protecting the confidentiality, integrity, and availability of all information entrusted to us, including Protected Health Information ("PHI"), confidential client data, and business information.

This Data Security Policy outlines the administrative, technical, and physical safeguards implemented by ProficientNow Health Care in compliance with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and applicable U.S. healthcare data protection regulations.

1. Purpose of This Policy

  • Protect PHI and sensitive information from unauthorized access, use, or disclosure
  • Ensure secure handling of healthcare data throughout its lifecycle
  • Maintain compliance with HIPAA, HITECH, and contractual obligations
  • Establish clear security responsibilities and controls
  • Reduce the risk of data breaches, loss, or misuse

2. Scope

  • All employees, contractors, and authorized personnel
  • All systems, networks, applications, and infrastructure
  • All data processed, stored, or transmitted during service delivery
  • All physical and electronic environments used by the Company

3. Data Classification

Each category is protected according to its sensitivity and regulatory requirements.

  • Protected Health Information (PHI): Individually identifiable health information received from Covered Entities and handled under a Business Associate Agreement.
  • Confidential Client Data: Business, operational, and contractual information belonging to clients.
  • Internal Business Information: Company operational, financial, and administrative data.

4. Administrative Safeguards

  • Documented security and privacy policies
  • Defined access authorization procedures
  • Workforce background verification where applicable
  • Mandatory HIPAA and data security training
  • Confidentiality and non-disclosure agreements
  • Defined roles and responsibilities for data protection
  • Incident response and escalation procedures
  • Periodic security risk assessments

5. Access Control & User Management

  • Role-based access control (RBAC)
  • Minimum necessary access principle
  • Unique user IDs and credentials
  • Secure authentication mechanisms
  • Immediate access modification or revocation upon role change or termination
  • Restricted administrative and privileged access

Only authorized personnel may access sensitive data required for their job function.

6. Technical Safeguards

These safeguards help prevent unauthorized access and data compromise.

  • Encryption of data in transit and at rest
  • Secure system configurations and hardened environments
  • Firewalls and intrusion prevention mechanisms
  • System monitoring and activity logging
  • Audit trails for access and system usage
  • Regular patching and system updates
  • Secure backup and disaster recovery processes

7. Physical Safeguards

  • Restricted access to office premises
  • Controlled workstation access
  • Secure server and network environments
  • Visitor access controls where applicable
  • Protection of physical records and devices

8. Data Transmission & Communication Security

  • PHI is transmitted only through authorized, secure channels
  • Encrypted file transfer methods are used
  • Unsecured communication platforms are prohibited for PHI
  • Email usage is restricted and monitored where applicable

Visitors and clients are advised not to transmit PHI through unsecured channels.

9. Endpoint & Device Security

  • Personal devices are not permitted for PHI handling unless explicitly authorized
  • Workstations are secured with authentication controls
  • Storage devices are restricted and monitored
  • Device usage follows internal security policies

10. Monitoring, Logging & Auditing

  • System access and activity logs are maintained
  • Regular internal security audits are performed
  • Anomalies and unauthorized access attempts are investigated
  • Audit results are used for corrective actions and improvements

11. Incident Response & Breach Management

  • Immediate investigation and containment actions are initiated
  • Affected systems and data are secured
  • Clients are notified as required by contract and regulation
  • Breach assessment and mitigation are conducted
  • Corrective measures are implemented to prevent recurrence

Breach notification obligations follow HIPAA and applicable laws.

12. Data Retention & Secure Disposal

  • Data is retained only as long as necessary to fulfill contractual, legal, and regulatory obligations
  • Upon completion or termination of services, PHI is returned to the Covered Entity or securely destroyed
  • Secure deletion and disposal methods are applied
  • Retention and disposal follow the Business Associate Agreement and applicable law

13. Third-Party & Vendor Security

  • Vendors are assessed for appropriate security controls
  • Access to sensitive data is restricted
  • Contractual data protection obligations are enforced
  • Compliance with HIPAA requirements is ensured where applicable

14. Workforce Responsibility & Awareness

Workforce members are responsible for:

  • Following security policies and procedures
  • Protecting access credentials
  • Reporting suspected security incidents
  • Completing required training and awareness programs

Failure to comply may result in disciplinary action.

15. Policy Review & Updates

This Data Security Policy is reviewed periodically and updated as necessary to reflect:

  • Changes in regulations
  • Evolving security risks
  • Operational or technology updates

Updated versions will be published with a revised effective date.