Client Data Handling Policy
Back Office Care
Effective Date: [2/26]
Definitions
- Protected Health Information (PHI): Any individually identifiable health information, including care plans, medical details, service schedules, or caregiver notes, that relates to a client’s health, care, or payment for care.
- Personal Information: Any information that identifies or can be used to identify a client or caregiver, including names, addresses, phone numbers, employment details, and care‑related documentation.
- Multi‑Factor Authentication (MFA): A security method requiring two or more verification steps (e.g., password + authentication code) to access systems containing sensitive information.
- Client Agency: The home‑care agency that owns all data provided to Back Office Care.
Back Office Care is committed to protecting the confidentiality, integrity, and security of all client information entrusted to us. This policy outlines how we handle, access, store, and safeguard data while providing back-office operational support to home care agencies.
1. Purpose
The purpose of this policy is to establish clear standards for how client data is accessed, managed, protected, and, when appropriate, securely disposed of. Back Office Care operates with structured data protection practices designed to maintain professionalism, compliance awareness, and operational integrity.
2. Scope of Data Covered
Depending on the services selected, Back Office Care may access personal information for clients and caregivers, including care plans and other materials that may constitute Protected Health Information (PHI). All such information remains the exclusive property of the client agency.
This policy applies to all information accessed or processed in the course of providing services, including but not limited to:
- Caregiver records
- Client or patient records
- Scheduling data
- Payroll information
- Billing documentation
- Compliance and credential tracking data
- Administrative and operational records
Back Office Care accesses only the information necessary to perform contracted services.
3. Data Minimization & Access Control
Back Office Care follows a strict data minimization principle:
- Access is limited to information required for the defined scope of work.
- Duplicate or unnecessary downloads are avoided.
- Temporary files are deleted once no longer required.
- Unique, secure login credentials are used for each client system.
- Multi-factor authentication (MFA) is enabled whenever available.
Credentials are never shared via unsecured communication channels.
MFA will be enabled for systems containing PHI or sensitive client/caregiver information when requested by the client agency or when required by the nature of the services provided.
Access to PHI is strictly limited to personnel who require it to perform contracted services.
Personnel Access & Confidentiality
- All personnel with access to client or caregiver information must sign confidentiality agreements.
- Access is role‑based and limited to the minimum necessary information required to perform assigned tasks.
- Personnel receive ongoing training on privacy, security, and PHI handling.
4. Device & System Security
All client data is accessed through secured business systems that include:
- Dedicated business-use devices
- Full-disk encryption (where applicable)
- Updated antivirus and firewall protection
- Secure browser environments
- Password management systems with unique credentials
Business systems are maintained separately from personal-use environments to reduce risk exposure.
5. Data Storage & Backup
Client data is handled using layered protection measures:
- Primary work is performed within client-designated platforms or secure cloud environments.
- Where temporary storage is necessary, secure and encrypted systems are used.
- Routine backups are maintained to support business continuity.
- Sensitive data is not retained beyond what is required for operational delivery.
6. Data Transmission
When transmitting or receiving files:
- Secure platforms or encrypted systems are used whenever possible.
- Sensitive information is not transmitted over unsecured public networks.
- Public Wi-Fi access is avoided for sensitive work activity.
7. Incident Response
In the event of a suspected data security issue:
- Access is immediately restricted or systems are isolated.
- The scope of the issue is assessed.
- Appropriate corrective action is taken.
- Clients are notified when required under applicable law or contractual obligation.
Back Office Care prioritizes transparency and timely resolution.
A security incident includes any unauthorized access, disclosure, loss, or suspected compromise of PHI or personal information.
Client agencies will be notified promptly of any incident involving their data, along with steps taken to mitigate and prevent recurrence.
8. Confidentiality Commitment
All client information is treated as confidential. Back Office Care will not:
- Sell, share, or distribute client information.
- Use client data for marketing purposes without written permission.
- Disclose operational details outside the scope of professional services.
Confidentiality is foundational to every client relationship.
9. HIPAA Alignment
Back Office Care is not a healthcare provider but may handle PHI when supporting client agencies. To protect this information, Back Office Care aligns its practices with the administrative, technical, and physical safeguards outlined in the HIPAA Security Rule. A Business Associate Agreement (BAA) will be executed upon request or when required by the services provided.
10. Data Retention & Termination
Client data is retained only for the duration of active services or as required by law or contractual obligation.
Upon termination of services:
- System access is revoked.
- Locally stored client data is securely deleted.
- Physical documents, if any, are properly destroyed.
Upon termination of services, all PHI and personal information will be securely deleted or returned to the client agency, according to the agency’s preference.
Secure deletion includes digital sanitization methods that prevent recovery of data.
A data‑destruction confirmation can be provided upon request.
11. Ongoing Review
This policy is reviewed periodically to ensure continued alignment with evolving security standards, technology practices, and regulatory considerations.
For privacy or security questions regarding this policy, please contact:
support@backofficecare.com.
