Sensitive Data Policy
Refined by Glacial Sands
Effective Date: September 22, 2025
1. Purpose
This policy outlines how Refined by Glacial Sands collects, stores, uses, and protects sensitive data to ensure compliance with HIPAA, state privacy laws, and company standards. The goal is to maintain the confidentiality, integrity, and availability of all patient and client information.
2. Scope
This policy applies to all employees, contractors, vendors, and partners who access, process, or manage sensitive data on behalf of Refined by Glacial Sands.
It covers all data types, including:
Patient medical and health records
Personally Identifiable Information (PII) (e.g., name, address, date of birth, phone number)
Payment and financial data
Photographs and video recordings (including before-and-after treatment photos)
Employee records
Vendor and referral information
3. Definitions
Sensitive Data: Any information that could identify an individual and is not publicly available.
PHI (Protected Health Information): Health data that can be linked to a specific person.
PII (Personally Identifiable Information): Any data that can identify an individual, directly or indirectly.
De-identification: The process of removing personal identifiers from data sets so individuals cannot be readily identified.
4. Data Collection and Use
Refined by Glacial Sands collects sensitive data for:
Patient treatment planning and documentation
Appointment scheduling and billing
Follow-up and post-treatment care
Marketing (with written consent only)
Compliance and recordkeeping
Data is collected only for legitimate business and healthcare purposes and only by authorized staff members.
5. Data Storage and Access
All digital records are stored in encrypted, HIPAA-compliant systems (e.g., DSN, patient management software, cloud storage).
Access is role-based, restricted to employees whose job duties require it.
Physical files (e.g., treatment consents) are kept in locked cabinets in restricted-access areas.
Access logs are reviewed regularly for unauthorized activity.
6. Data Sharing
Sensitive data may only be shared when:
Required for patient care (with authorized providers or labs)
Required by law (e.g., court orders, subpoenas)
Authorized by the patient’s written consent (e.g., for marketing use of photos)
Third-party vendors must sign Business Associate Agreements (BAAs) confirming their compliance with HIPAA and privacy regulations.
7. Data Retention and Disposal
Patient records are retained for at least seven (7) years or as required by state and federal law.
When data is no longer required, it is securely destroyed using approved methods:
Digital data: Permanent deletion from servers and backups
Physical data: Shredding or incineration
Disposal must be logged and verified.
8. Employee Responsibilities
All employees must:
Complete annual HIPAA and data privacy training
Log off workstations when unattended
Use unique login credentials and strong passwords
Report any suspected breach immediately to management
9. Data Breach Response
In case of a suspected or confirmed data breach:
Contain the breach (e.g., restrict system access).
Notify the Privacy Officer or Practice Administrator immediately.
Investigate to determine the scope and cause.
Report to affected individuals and authorities within 72 hours if required.
Document corrective actions and implement preventive measures.
10. Photography and Marketing Consent
Patient photographs and testimonials may only be used for marketing after obtaining a signed consent form specifying:
Intended use (e.g., website, social media, in-office materials)
Expiration or withdrawal terms
Storage and protection of the original images
11. Enforcement and Violations
Violations of this policy, including unauthorized access, disclosure, or misuse of sensitive data, will result in disciplinary action up to and including termination. Legal penalties may also apply.
12. Policy Review
This policy is reviewed annually and updated as needed to remain compliant with HIPAA, state laws, and industry best practices.