Purpose

GeriatRx is committed to protecting the privacy and confidentiality of all patient, client, and business information. This policy ensures that all team members, contractors, and affiliates handle sensitive information in compliance with federal law (HIPAA), state regulations, and professional ethical standards.

Scope

This policy applies to:

• All employees, contractors, interns, and volunteers of GeriatRx
• All patient/client health information (PHI) in any form — electronic, paper, or verbal
• All business and proprietary company information

Policy Statement

• Patient and client health information (PHI) will only be accessed, used, or disclosed when necessary to perform job responsibilities and in accordance with HIPAA requirements.
• Company business information, including contracts, strategies, pricing, and internal communications, must be treated as confidential and not shared outside GeriatRx without explicit authorization.
• Any disclosure of PHI without patient authorization or legal requirement is strictly prohibited.

Employee Responsibilities

All team members must:

1. Access only what you need: View or use PHI solely for work-related duties.
2. Protect records: Keep physical files secure and lock screens when leaving devices unattended.
3. Use secure systems: Store digital PHI only in company-approved systems. Do not download PHI to personal devices or email it through unsecured channels.
4. Share cautiously: Discuss PHI only with authorized individuals, and only when necessary for care or operations.
5. Maintain discretion: Avoid discussing sensitive information in public spaces (conferences, hallways, coffee shops, etc.).
6. Report incidents immediately: Notify the team if you suspect a data breach, accidental disclosure, or unauthorized access.

Data Protection (Using Personal Devices)

To ensure PHI and company information are secure, even when accessed on personal devices, GeriatRx enforces the following safeguards:

• Approved Use Only: PHI and confidential data may only be accessed for work-related purposes on personal devices.
• Device Security: All personal devices used for work must be password-protected, set to auto-lock, and kept up to date with the latest security updates.
• Encryption: Whenever possible, devices must use built-in encryption (FileVault on Mac, BitLocker on Windows, device encryption on iOS/Android).
• Secure Connections: Access PHI only over secure, private internet connections (no public Wi-Fi unless using a company-approved VPN).
• Approved Storage: PHI must not be saved locally on personal devices. All files must be stored in company-approved, secure cloud platforms.
• Access Control: Devices must not be shared with family or friends if they are used to access PHI or confidential company data.
• Incident Response: If a device is lost, stolen, or compromised, the employee must report it immediately so access can be restricted and data secured.

AI & Confidential Information

• PHI, client data, or confidential company information may not be entered into external AI tools (e.g., ChatGPT, Google Gemini, etc.) unless the company has explicitly approved the platform and confirmed that it is HIPAA-compliant and secure.
• AI may be used for general productivity tasks (drafting, summarizing, brainstorming) only when the information does not contain PHI or sensitive company data.
• Employees must always verify that any AI-generated content used in official communications is factually accurate and aligns with company standards.
• Misuse of AI in a way that risks confidentiality or compliance will be treated as a violation of this policy.

Prohibited Actions

• Sharing patient/client information with unauthorized individuals
• Using PHI or company information for personal gain
• Storing PHI on unapproved or unsecured devices
• Posting, emailing, or messaging PHI on unencrypted platforms
• Entering PHI or confidential company data into unapproved AI tools

Compliance & Enforcement

• Violations of this policy may result in disciplinary action, up to and including termination of employment or contracts.
• Significant violations may be reported to regulatory authorities, in accordance with federal and state law.

Acknowledgment

All team members must read and understand this policy as part of onboarding and reaffirm compliance during annual reviews.