Can You Keep a Secret?
There is a fine line between giving information and protecting the confidentiality of your client or customer. Unless you are in the business of selling information, most people you interact with will have some expectation of privacy. Whether they provide you with confidential information about their health or finances, or simply purchase something from you and provide their address, phone number or email, they expect you won't sell that information to the highest bidder. The customer has a presumption of privacy and an expectation that you will not disclose the information you gain about them in your professional capacity for your own personal gain.
If you are in a medical-related field, such as personal training, fitness, yoga, health spas, etc., you will want to make sure a HIPAA release is signed if the customer wants the information to be shared with others. You will also want them to acknowledge that they are sharing protected information with you and, if that applies, with members of your staff. It is important that you disclose why you are asking for the information, what you will use it for, how it will be maintained and how it will be disposed of when necessary.
Not only do you want to disclose the plan, but you also want to follow it. Just having an acknowledgment of the policy by the client will not get you out of trouble if you fail to follow that policy. It may make it worse for you if it allows the client to show that you told them how they would be protected and you failed. Only collect the information you absolutely need to perform your duties and avoid taking data just in case. You can always ask for more, but you can never ask for less.
Ensure there is a plan in place for staff access. If they need to access the data to provide the service, make sure to have several safeguards in place to ensure they will be less likely to unintentionally disclose confidential data.
The same goes for financial data. In dealing with the public, most customers will provide you some sort of financial data unless they pay for your service in cash. This means you have to research options and find the most secure means to collect financial data, ideally stored off-site and in a system you do not control, so that there are limits on the data you have access to. This is most certainly an area of business where less is more: take as much information as you need to have the service or goods paid for, but not so much that you can be alleged to have stolen the identity or financials of the customer.
You also need to have a system in place to prevent staff from having too much access to financial data, and to protect them from an accusation that they misappropriated the financial data of the customer.
If you need to have policies developed or reviewed, or if you need to make sure you have appropriate releases, make an appointment with Ingram Law Firm.