Data Privacy and Security Policy

It is the policy of the Tennessee Academy of Physician Assistants to protect against the unauthorized access, use, corruption, disclosure, and distribution of sensitive information in its possession, and to comply with all applicable state and federal laws and regulations regarding such information. The Tennessee Academy of Physician Assistants shall hold sensitive information in strict confidence and shall not release or disclose such information to any person except as required or authorized by law and in keeping with TAPA policy to such persons who are authorized to receive it. In furtherance of this policy, TAPA shall adopt procedures for the administrative, technical and physical safeguards for all sensitive information. TAPA shall ensure that an entity retained by it, or any other entity that utilizes information provided by TAPA to carry out its responsibilities, shall have signed and agreed to abide by the terms of this Data Privacy and Security Policy or shall have adopted a data privacy and security policy that is substantially similar to the TAPA policy.

TAPA’s Executive Director shall serve as the Information Security Officer to review and maintain procedures and monitor compliance with the guidelines set forth in the policy.

• Access to sensitive information shall be limited to authorized users who need to have access to carry out TAPA’s mission as it relates to that information. This includes lease of the mailing list to authorized affinity partners, but does not include release of email or financial identification data.
• Each employee and authorized user with access to sensitive information shall agree to abide by the terms of the Data Privacy and Security Policy.
• Except as required by law, when TAPA provides sensitive information to third parties, it shall first provide a copy of this Data Privacy and Security Policy and require the third party to certify that it has ready the policy and agrees to comply with the applicable provisions, or that it has a substantially similar data privacy and security policy and that it will comply with the applicable provisions of its policy with respect to the sensitive information provided.
• TAPA shall train employees and other authorized users in the use and maintenance of security procedures.
• Violations of the Data Privacy and Security Policy may result in disciplinary action up to and including termination of employment.

TAPA shall adopt procedures for protecting and maintaining the security and integrity of its information systems including network infrastructure and software design, information processing, storage, transmission, retrieval and disposal. These procedures shall address the following matters:

• Limiting access to those individuals necessary to carry out TAPA’s role with respect to sensitive information
• Limiting access to only those authorized users who shall have signed and agreed to abide by the terms of the Data Privacy and Security Policy or shall have adopted a data privacy and security policy that is substantially similar to the TAPA policy
• Protecting physical and electronic records for unauthorized access, interception, distribution or destruction
• Records back-up and off-site storage procedures to prevent inadvertent loss or destruction of records
• Data security procedures to prevent unauthorized access or interception of sensitive information
• Procedures for protecting data when changing, upgrading, or replacing servers, computers or other storage media
• Procedures for properly disposing of unneeded or outdated records
• Procedures to monitor, detect, and report upon any improper disclosure or theft of sensitive information

TAPA shall adopt procedures for the prevention, detection and response to unauthorized access to sensitive information.

In the event sensitive information is accessed by someone without proper authorization, TAPA shall immediately investigate and take appropriate remedial actions to mitigate or prevent loss or damage to affected individuals. Each situation will be evaluated separately, and based upon the potential for loss or damage to affected individuals; TAPA will take one or more of the following measures:

• Make such notifications to affected individuals as may be required by law
• Report the incident to appropriate law enforcement officials
• Determine the nature and cause of the security breach and implement corrective measures