Protecting Client Data

Commonwealth Medicine, as part of the UMass Medical School (UMass), is a state entity, a research facility, and a supporting health care consulting and operations organization. This complexity subjects our organization to many federal and state privacy, security and compliance rules and regulations relating to these activities.

In the course of our work, UMass receives from, or collects on behalf of, its clients personal information and protected health information. The privilege of working with and storing this data is accompanied by significant obligations to protect individuals’ privacy and ensure data security. Born from a deep commitment to provide quality services while complying with these laws, we have a dedicated unit, the Office of Compliance and Review, to assist UMass in:

  • Fulfilling its compliance obligations,
  • Maintaining the confidentiality and security of sensitive and protected health information, and
  • Upholding ethical standards.

Promoting Responsibility

It is the policy of UMass to comply with all laws governing its operations and to conduct business in keeping with legal and ethical standards. The Office of Compliance and Review guides us to effectively respond to the changing regulatory landscape in the compliance arena. The Office of Compliance and Review develops policies and makes employees aware of best practices through training, monitoring, and consultation. Our employees participate in annual compliance, privacy and security training with respect to their responsibilities, the principles of which are regularly reinforced.

Employees are instructed on their responsibilities in areas including:

  • The Code of Conduct, and related Standards and Policies
  • Protecting sensitive information and limitations on the use and disclosure of such information
  • Complying with applicable regulatory and contractual requirements
  • Identifying and reporting violations of privacy and security requirements
  • Exercising sound, ethical judgment
  • Promoting the best interests of the individuals with whose information we work as well as the best interests of our clients

Laws and Regulations

UMass established a Compliance Program based upon the Federal Sentencing Guidelines, CMS guidance and guidance from the U.S. Office of the Inspector General to effectively address applicable federal and state laws, rules and regulations including, but not limited to, HIPAA (as amended by the HITECH Act), the Privacy Act of 1974, Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR Part 2), and applicable Massachusetts laws including MGL c. 66A (FIPA, the Fair Information Practices Act) and c. 93H (Security Breaches).

The UMass Compliance Program applies to all relevant employees, as well as our business partners including, but not limited to, Business Associates as defined by HIPAA and first tier, downstream and related entities (FDRs) as defined by CMS.

The effectiveness of the Compliance Program is built on our organizational culture and the implementation of our organization’s values. We are committed to conducting business in a fully ethical and compliant manner.