Data Protection Statement
Company: TLC Staffing Agency LLC | Operating as TLCAssistLiving.com
Effective Date: May 17, 2026 | Last Updated: May 17, 2026
Address: Randolph, MA 02368 | Contact: privacy@tlcassistliving.com
1. Our Commitment to Data Protection
TLC Staffing Agency LLC (“TLC,” “we,” “us,” or “our”), operating as TLCAssistLiving.com, takes its obligations as a custodian of personal information and protected health information (PHI) with the utmost seriousness. We recognize that the individuals we serve — our home care clients, their families, our caregivers, and our staff — entrust us with sensitive personal and health information as an essential part of our service relationship. This trust is foundational to our mission, and we are deeply committed to protecting that information from unauthorized access, use, disclosure, modification, or destruction.
Our data protection program is designed to comply with, and in many cases exceed, the requirements of the following applicable laws and regulations:
- Massachusetts 201 CMR 17.00 — Standards for the Protection of Personal Information of Residents of the Commonwealth, requiring a comprehensive Written Information Security Program (WISP);
- MGL c.93H — Massachusetts data security breach notification law;
- MGL c.66A — Massachusetts Fair Information Practices Act;
- HIPAA Privacy Rule — 45 CFR Part 164, Subparts A and E, governing the use and disclosure of Protected Health Information (PHI);
- HIPAA Security Rule — 45 CFR Part 164, Subparts A and C, requiring administrative, physical, and technical safeguards for electronic PHI (ePHI); and
- HITECH Act — Health Information Technology for Economic and Clinical Health Act, strengthening HIPAA enforcement and breach notification requirements.
This Data Protection Statement describes how TLC Staffing Agency LLC implements these obligations in practice and provides transparency about the safeguards we maintain to protect your information.
2. Categories of Data We Protect
TLC Staffing Agency LLC maintains protective measures for the following categories of sensitive information:
2.1 Client Protected Health Information (PHI)
Individually identifiable health information about our home care clients, including:
- Medical diagnoses, conditions, care plans, and treatment histories;
- Medication lists, physician orders, and prescription information;
- Attending physician, specialist, and care coordinator information;
- Health insurance information, MassHealth/Medicaid identifiers, and prior authorization records; and
- Functional assessments and activities of daily living documentation.
2.2 Caregiver and Employee Personally Identifiable Information (PII)
Personal information relating to our caregivers, home health aides, personal care aides, drivers, and other staff, including:
- Social Security Numbers, government-issued identification numbers, and Form I-9 documentation;
- Background check, CORI check, and criminal history data;
- Professional certifications, licensure records, and credentialing data;
- Contact information, home addresses, and emergency contact details; and
- Payroll, direct deposit, and tax withholding information.
2.3 Financial Records
- Client billing records, invoices, and payment histories;
- Insurance claims data and remittance information;
- Caregiver payroll records and W-2/1099 tax documents; and
- Banking and ACH information for payroll and client billing.
2.4 Employment and Operational Records
- Personnel files and employment history;
- Performance evaluations and disciplinary records;
- Training records and certification renewals; and
- Incident reports and quality assurance documentation.
3. Our Written Information Security Program (WISP)
TLC Staffing Agency LLC maintains a Written Information Security Program (WISP) as required by Massachusetts 201 CMR 17.00. Our WISP is a comprehensive, documented security framework that governs how we collect, store, access, transmit, and dispose of personal information about Massachusetts residents.
3.1 WISP Components
Our WISP addresses the following core areas:
- Physical Safeguards: Policies for the secure storage of paper records, access controls to our office premises, and procedures for the secure disposal of paper documents containing personal information;
- Technical Controls: Technical measures governing electronic access to personal information, encryption standards, network security, and software security;
- Administrative Safeguards: Personnel policies, training requirements, vendor management, and incident response procedures; and
- Risk Assessment: Periodic evaluation of internal and external threats to the security of personal information, with documented remediation of identified vulnerabilities.
3.2 Annual Review and Risk Assessment
Our WISP is reviewed and updated at least annually, or whenever there is a material change in our business practices, technology environment, or applicable legal requirements. Annual risk assessments are conducted to identify foreseeable internal and external risks to the security, confidentiality, and integrity of personal information and to evaluate the sufficiency of existing safeguards.
3.3 Workforce Security Training
All employees and contractors who have access to personal information or PHI receive security awareness training at the time of hire and at least annually thereafter. Training covers HIPAA Privacy and Security Rules, Massachusetts data protection requirements, phishing and social engineering awareness, password hygiene, and our incident reporting procedures.
4. Technical Safeguards
TLC Staffing Agency LLC implements the following technical safeguards to protect electronic personal information and ePHI:
- Encryption in Transit: All electronic transmission of personal information and ePHI over public or untrusted networks is encrypted using Transport Layer Security (TLS) version 1.2 or higher (TLS 1.3 preferred). Unencrypted transmission of PHI or PII over public networks is prohibited;
- Encryption at Rest: Electronic personal information and ePHI stored on servers, laptops, portable storage devices, and mobile devices is encrypted using industry-standard encryption protocols (AES-256 or equivalent);
- Role-Based Access Controls (RBAC): Access to electronic personal information and ePHI is restricted to workforce members who require access to perform their specific job functions. The principle of minimum necessary access is applied to all systems containing sensitive data;
- Multi-Factor Authentication (MFA): Multi-factor authentication is required for all staff accounts that access systems containing PHI, PII, financial records, or other sensitive information, including remote access and cloud-based systems;
- Audit Logging: Access to systems containing PHI and sensitive personal information is logged and audited. Audit logs are retained and reviewed periodically to detect unauthorized access or anomalous activity;
- Regular Software Patching: Operating systems, applications, and security software are updated and patched on a regular basis to remediate known vulnerabilities; and
- Vulnerability Scanning and Penetration Testing: Periodic vulnerability assessments are conducted on systems and networks that process or store personal information, with documented remediation of identified vulnerabilities.
5. Administrative Safeguards
- Privacy Officer: TLC Staffing Agency LLC has designated a Privacy Officer responsible for overseeing our HIPAA compliance program, privacy policies, and response to privacy-related complaints and inquiries. The Privacy Officer may be contacted at privacy@tlcassistliving.com;
- Security Officer: TLC Staffing Agency LLC has designated a Security Officer responsible for our WISP, HIPAA Security Rule compliance, and the technical security of our information systems;
- Confidentiality Agreements: All employees and contractors are required to execute confidentiality and non-disclosure agreements as a condition of access to personal information and PHI;
- HIPAA Workforce Training: All workforce members with access to PHI receive HIPAA Privacy and Security training as required by 45 CFR §164.530(b) and §164.308(a)(5);
- Vendor Management and Business Associate Agreements (BAAs): All vendors and service providers who create, receive, maintain, or transmit PHI on our behalf are required to execute a HIPAA-compliant Business Associate Agreement (BAA) before any PHI is shared, as required by 45 CFR §164.308(b). We conduct due diligence on all such vendors; and
- Incident Response Procedures: TLC Staffing Agency LLC maintains documented incident response procedures for identifying, containing, investigating, and reporting data security incidents and breaches, consistent with HIPAA and MGL c.93H requirements.
6. Physical Safeguards
- Secure Storage of Paper Records: Paper documents containing personal information or PHI are stored in locked filing cabinets or secure storage rooms. Access to such records is restricted to authorized personnel on a need-to-know basis;
- Clean Desk Policy: All employees are required to secure or store away paper documents containing personal information or PHI when not in active use, particularly at the end of each business day. Computer screens displaying sensitive information must be locked when unattended;
- Locked Filing and Secure Disposal: Paper documents containing personal information or PHI are disposed of using cross-cut shredding or other secure destruction methods. We do not dispose of such documents in ordinary trash or recycling;
- Visitor Access Controls: Access to our office premises is controlled. Visitors are required to sign in and are accompanied by a staff member at all times in areas where personal information may be visible or accessible; and
- Workstation Controls: Workstations used to access ePHI are positioned to minimize the possibility of unauthorized viewing. Screen lock policies are enforced.
7. Breach Notification
7.1 Massachusetts Data Breach Notification (MGL c.93H)
In the event of a security breach involving the personal information of Massachusetts residents, TLC Staffing Agency LLC will:
- Notify all affected Massachusetts residents in writing within thirty (30) days of the discovery and confirmation of the breach, as required by MGL c.93H, §3;
- Notify the Massachusetts Attorney General’s Office and the Director of Consumer Affairs and Business Regulation, concurrently with or prior to notifying affected individuals; and
- Provide each affected individual with notification that includes: (a) the nature of the breach; (b) the categories of personal information involved; (c) the approximate date of the breach; (d) steps taken to secure the data; and (e) steps the affected individual may take to protect themselves from potential identity theft or fraud.
7.2 HIPAA Breach Notification (45 CFR §§164.400–414)
For breaches of unsecured PHI covered by HIPAA, TLC Staffing Agency LLC will:
- Notify each affected individual without unreasonable delay and no later than sixty (60) calendar days after discovery of the breach;
- Notify the Secretary of the U.S. Department of Health and Human Services (HHS) through the HHS Office for Civil Rights (OCR) breach reporting portal:
  - For breaches affecting 500 or more individuals: notification within 60 days of discovery; and
  - For breaches affecting fewer than 500 individuals: notification logged annually through the HHS OCR web portal by March 1 of the following calendar year;
- For breaches affecting 500 or more residents of a state or jurisdiction, provide notification to prominent media outlets in that state, as required by 45 CFR §164.406; and
- Conduct a thorough investigation and risk assessment, and document all breach determinations and response activities.
7.3 Breach Notification Content
All breach notifications will include, to the extent known at the time of notification:
- A description of the nature of the breach and how it occurred;
- The categories and approximate number of individuals and records affected;
- The types of information involved;
- Steps TLC Staffing Agency LLC has taken to investigate, contain, and remediate the breach;
- Steps affected individuals can take to protect themselves; and
- Contact information for TLC Staffing Agency LLC, including the Privacy Officer.
8. Data Subject Rights
8.1 Massachusetts Residents
Massachusetts residents may exercise the following rights with respect to their personal information held by TLC Staffing Agency LLC:
- Right of Access: Request a copy of the personal information we hold about you, pursuant to MGL c.66A;
- Right to Correction: Request correction of inaccurate, incomplete, or outdated personal information; and
- Right to Request Deletion: Request deletion of your personal information, subject to our legal obligations to retain certain records under applicable law.
8.2 HIPAA-Covered Individuals
Individuals whose information is PHI subject to HIPAA have the following additional rights under 45 CFR §§164.524–528:
- Right of Access to PHI (45 CFR §164.524): Request access to and obtain a copy of your PHI maintained in our designated record sets;
- Right to Amend PHI (45 CFR §164.526): Request amendment or correction of PHI that you believe to be inaccurate or incomplete;
- Right to an Accounting of Disclosures (45 CFR §164.528): Request an accounting of certain disclosures of your PHI made by TLC Staffing Agency LLC;
- Right to Request Restrictions (45 CFR §164.522(a)): Request restrictions on certain uses and disclosures of your PHI; and
- Right to Confidential Communications (45 CFR §164.522(b)): Request that we communicate with you about your PHI in a specific manner or at a specific location.
8.3 How to Submit Requests
To exercise any of the above rights, please submit a written request — including your full name, contact information, and a description of the specific right you wish to exercise — to:
- By Email: privacy@tlcassistliving.com
- By Mail: TLC Staffing Agency LLC, Attn: Privacy Officer, Randolph, MA 02368
TLC Staffing Agency LLC will acknowledge receipt of your request promptly and will respond substantively within thirty (30) days of receipt of a verifiable written request, as required by applicable law. We may request verification of your identity before processing your request.
9. Data Transfers
All personal information and PHI collected and processed by TLC Staffing Agency LLC is stored and processed within the United States. We do not transfer personal information or PHI to recipients located outside of the United States. Our data storage systems, servers, and cloud service providers are located in the United States and are subject to U.S. law, including applicable HIPAA, HITECH, and Massachusetts data protection requirements.
If this policy changes in the future, we will update this Data Protection Statement and obtain any required consents or provide required notifications to affected individuals prior to implementing any international data transfers.
10. Contact Our Privacy Officer
TLC Staffing Agency LLC has designated a Privacy Officer to oversee our data protection program and to serve as the primary point of contact for privacy-related inquiries, complaints, and requests. To contact our Privacy Officer, please use the following information:
| Contact Method | Details |
| --- | --- |
| Company Name | TLC Staffing Agency LLC (TLCAssistLiving.com) |
| Attn | Privacy Officer |
| Mailing Address | Randolph, MA 02368 |
| Privacy Email | privacy@tlcassistliving.com |
| General Email | info@tlcassistliving.com |
| Phone | [TLC’s Main Phone Number] |
| Website | www.TLCAssistLiving.com |
We take all privacy inquiries and complaints seriously and will respond to all communications in a timely and professional manner. If you believe your privacy rights have been violated, we encourage you to first contact our Privacy Officer directly so that we may address your concerns. You also have the right to file a complaint with the applicable regulatory authority as described in Section 11 below.
11. Regulatory Contacts
If you believe your privacy rights or data protection rights have not been adequately addressed by TLC Staffing Agency LLC, you have the right to file a complaint directly with the applicable regulatory authority:
| Authority | Jurisdiction | Contact Information |
| --- | --- | --- |
| Massachusetts Attorney General’s Office | Massachusetts data security and consumer protection complaints (MGL c.93H, c.93A) | One Ashburton Place, Boston, MA 02108; Tel: (617) 727-2200; www.mass.gov/ago |
| HHS Office for Civil Rights (OCR) | HIPAA Privacy and Security complaints | 200 Independence Ave., SW, Washington, DC 20201; Tel: 1-800-368-1019; TTY: 1-800-537-7697; www.hhs.gov/ocr |
| Federal Trade Commission (FTC) | Federal consumer protection and privacy | 600 Pennsylvania Avenue NW, Washington, DC 20580; Tel: 1-877-382-4357; reportfraud.ftc.gov |
Filing a complaint with a regulatory authority will not result in any retaliation or adverse action by TLC Staffing Agency LLC against you. We support your right to seek regulatory assistance.