Personal information can be anything that can be used to identify an individual, including but not limited to name, address, date of birth, marital status, contact information, ID issue and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services.

Data LVM collects may differ depending on product or service in use. This data includes:

• For hosting, LVM may collect user information, including user first and last name, business name, login ID, email address, phone number, etc.
• LVM software may capture personal (PII) and medical (PHI) data covered under HIPAA and HITECH from patients.
• LVM software may additionally capture and forward to LVM certain usage statistics such as triage dispositions, guidelines used, call duration, transaction type, caller type, reports run, DLLs called, etc. This data does not contain PII or PHI and is an opt-in/opt-out feature.
• The myLVM website collects user information, including first and last name, business name, login ID, email address, physical address, phone number, products and services requested, IP address, cookies, usage data, etc.
• LVM sales and business unit may collect first and last name, business name, title, physical address, email address, phone number, products purchased, products replaced with LVM software and services, license, and maintenance fees.

Non-PHI data that LVM collects is used to provide products and services to our clients, for billing purposes, for statistical analysis, and for identifying opportunities for improved or additional product offerings.

LVM may process or transform PHI in compliance with the contractual terms defining a business relationship between LVM and a covered entity or in response to a request from a covered entity. LVM will make every effort to maintain the integrity of the data within the bounds of such contract or request.

LVM may release PHI in compliance with the contractual terms defining a business relationship between LVM and a covered entity customer or in response to a request from an individual or entity as allowed by state or federal law.

When using or disclosing PHI internally or with third-party vendors, LVM and LVM’s team members shall make reasonable efforts to limit the sharing of PHI based on the Need to Know Principle. Uses or disclosures that involve more than the minimum necessary information may qualify as breaches.

LVM enters into business associate contract relationships with covered entity customers as required by the HIPAA Privacy and Security Rules.

Business Associate contracts with covered entity customers require that LVM make available protected health information in accordance with § 164.524; make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526; and make available the information required to provide an accounting of disclosures in accordance with § 164.528.

Limited data will be shared with third party partners only to the extent required to provide products and services offered through those third-party partners.

Team members may share PHI with other members of the LVM team for purposes of supporting activities specifically defined in the contract with the covered entity customer.

• Team members may disclose an individual’s PHI to a business associate (third-party contractor/vendor) if the disclosure is for purposes of supporting activities specifically defined in the contract with the covered entity customer or at their request.

• Members of the LVM team will follow appropriate privacy practices in accordance with the LVM privacy policies, procedures, and practices as it relates to the release of PHI to a third party.

• All releases of PHI for purposes of supporting activities specifically defined in the contract between LVM and a covered entity customer or for purposes described above shall adhere to the minimum necessary standard except for releases of PHI to the covered entity customer or as required by law.

• If a use or disclosure involves more than the minimum necessary standard, the use or disclosure must be evaluated to determine if breach notification is required.
  
  
• Upon request from a covered entity customer, LVM will make access available to the protected health information (PHI) that it creates, receives, maintains, or transmits on behalf of the covered entity customer.
  
  
• Upon request from a covered entity customer, LVM will amend the protected health information (PHI) that it creates, receives, maintains, or transmits on behalf of the covered entity customer as directed by the covered entity customer.

• If LVM receives a request for an accounting of disclosure from a covered entity, LVM will provide the accounting of disclosures of covered entity’s PHI for purposes other than treatment, payment, and health care operations to the covered entity.

LVM will uniformly apply appropriate sanctions for employees and third-party vendors who violate LVM privacy and security policies, procedures or practices, applicable state and federal laws, and covered entity customer contracts. Sanctions shall vary, depending on the severity of the violation, whether the violation was intentional or unintentional, and indicates a pattern or practice of improper access, use, or disclosure of protected health information (PHI), evidence of criminal activity, and similar factors.