Policy Statement

The Company has value-based and ethical obligations, as well as legal obligations and other legislation and standards of practice, for the control or custody of confidential information provided by their clients.

The purpose of this Confidentiality Policy (“Policy”) is to provide consistent standards to ensure that employees of Learn on Demand Systems are aware of and acknowledge these obligations to protect confidential information under the custody and control of the Company while performing their duties.

Scope

This policy applies to all Company associates and information assets in the custody of respective owners, including customer data, corporate data, and application and systems software, during the creation, storage, access, and distribution to users, both internal and external.

POLICY

Accountabilities

Governance

 Accountability with this Policy rests with the Human Resources and Chief Information Security Officer (CISO), although other Staff within the Company are responsible for day-to-day collection and processing of confidential Information. The CISO is responsible for oversight and compliance with this Policy.

Management

Management Staff have a responsibility to oversee compliance with this Policy by Staff within their area(s) of responsibility. Management must also notify all external parties of any confidentiality commitment changes.

Staff

 All members of Staff have responsibility to ensure that appropriate steps are taken to protect Client confidential Information at all times. They must ensure that their practices in collecting, accessing, using or disclosing this Information comply with this Policy as well as with statutory requirements and their professional codes of practice. In addition, Staff are expected to report to the Learn on Demand Systems CISO any concerns with or recommended improvements to information privacy and security procedures, and any information to help resolve problems.

Acknowledgement of Confidentiality

Learn on Demand Systems will make all Staff aware of the importance of maintaining the confidentiality of Client Information and other confidential business information. As a condition of employment or

affiliation, all new Staff must read the Information Confidentiality Policy and sign an

approved Confidentiality Acknowledgement (see below).

In addition, Confidential information obtained in the course of one’s employment or other affiliation with LEARN ON DEMAND SYSTEMS must be held in confidence even after the affiliation comes to an end.

Failure to Comply

Failure to comply with this Policy may result in disciplinary action including, but not limited to, the

termination of employment.

Collection of Confidential Information

The collection of Confidential Information by the Company is governed by HIPAA and HITECH and must be limited to what is needed to fulfill the purposes identified.

Accuracy of Confidential Information

Staff must take all reasonable steps to ensure the accuracy and completeness of any Confidential

Information they collect or record and be diligent to protect against making any errors due to

carelessness or other oversights.

Access, Use, Disclosure or Sharing of Confidential Information

Staff is only authorized to access, use, disclose or share Confidential Information for legitimate

purposes based on a “need to know” basis in order to perform their job functions and

responsibilities.

Release of Information

Staff are expected to comply with all LEARN ON DEMAND SYSTEMS policies, procedures and guidelines for the release of Confidential Information on patients, residents and other staff members and ensure all releases comply with PII and other applicable legislation.

 Accessing or Sharing Confidential Information with Third Parties

Before Confidential Information in the custody or control of Learn on Demand Systems is accessed by or shared with a contractor or other third-party organization, both parties must execute an Non-Disclosure Agreement (NDA) or an information sharing agreement. Leadership must approve the form of all agreements.

Staff should take all reasonable steps to ensure no unauthorized personnel or third parties are provided with access to records containing Confidential Information. Any third party who requests access should be asked to produce identification and confirmation that they have signed an agreement in accordance with this policy.

The CISO must be consulted before any program is implemented in which Confidential Information will be transmitted outside the boundaries of the Companies system.

Security of Information

The Company is committed to maintaining the security of Confidential Information and other sensitive

information, including appropriate physical security of records and security safeguards for computer and network systems. Staff are expected to comply with Learn on Demand Systems security requirements developed for use of such systems.

All Staff have the responsibility to protect against unauthorized access and disclosure of Confidential

Information. This responsibility includes ensuring that access or disclosure is only made to or by authorized individuals and reasonable measures are taken to prevent any unauthorized access, disclosure, loss or theft of information. 

Retention and Destruction of Confidential Information

Records will be retained in accordance with all legal, regulatory and accreditation requirements,

as well as with any Learn on Demand Systems record retention policies. Staff holding records containing Confidential Information are expected to identify retention times and then follow appropriate guidelines and procedures for the secure destruction of Confidential Information that is no longer required.

Personal Identification Information (PII) Risk Assessment

A PII Risk Assessment must be completed before implementing or significantly changing any program or system that requires the collection, use, disclosure or sharing of Confidential Information, not less than annually.

Compliance Monitoring, Auditing & Consequences

Access, use, disclosure and sharing of Confidential Information will be monitored and all suspected breaches of this Policy will be investigated by management. Actions to be taken will be determined by Human Resources, Legal Services and/or other Learn on Demand Systems stakeholders according to the nature of the breach and parties involved. Company operational areas and programs must conduct appropriate reviews and audits of their systems and processes to ensure compliance with internal policies and standards.

Breach of Policy

Staff are expected to report any real or suspected breaches of this Policy in connection with any

Learn on Demand Systems program or activity.   Staff may report real or suspected breaches without any fear of reprisal. Such reports will be covered by the Company policy that protects “whistle blowers” aka hotline procedures.

All incidents involving theft or loss of Confidential Information will be promptly addressed for

containment, investigation, reporting, and remedial actions.

PROCEDURES

General Inquiries or Requests to Amend Confidential Information

Questions or concerns about collection, access, use or disclosure of Confidential Information,

reports of breaches or loss of information should be directed to the CISO.

Confidentiality Acknowledgements

The responsibilities for obtaining and holding confidentiality Acknowledgements for all new Staff

Is Human Resources.