- “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
- “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Parts 160 and 164.
- “Protected Health Information” or “PHI” means any information, transmitted or recorded in any form or medium, (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future for the provision of health care to an individual, and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under HIPAA and the HIPAA Regulations at 45 CFR Parts 160, 162 and 164, including, but not limited to, 45 CFR § 164.501.
- “Security Rule” shall mean the Security Standards at 45 CFR Parts 160, 162 and 164.
- Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR Parts 160, 162 and 164.
1. Obligations of Business Associate.
SpecialtyHealth Wellness & Prevention shall be permitted to access, use and/or disclose PHI provided by participant / client for the following stated purposes, except as otherwise limited by the request of participant / client:
- Permitted Uses and Disclosures. SpecialtyHealth Wellness & Prevention provides digital data movement, access and storage services via its web-based portal, to its employees, representatives and agents that use and access PHI.
- In the course of providing services to its participants / clients, its employees, representatives and agents are occasionally required to access PHI. SpecialtyHealth Wellness & Prevention ensures that in such cases its representatives and agents who access PHI agree to the same terms and conditions.
- As a provider of a HIPAA-compliant environment to participants / clients, SpecialtyHealth Wellness & Prevention agrees to provide the following compliance standards for the access of PHI via its web-based portal:
- Access to PHI via web-based portal will be password protected and said password shall be encrypted at 128-bit or higher, and will remain in encrypted format within the SpecialtyHealth Wellness & Prevention database.
- PHI will be retained in an encrypted format while residing on SpecialtyHealth Wellness & Prevention servers.
- PHI in document form is retained on SpecialtyHealth Wellness & Prevention servers. Upon termination of relationship, PHI in document form will be destroyed in accordance with Section 5.e.1 of this agreement.
- Nondisclosure. SpecialtyHealth Wellness & Prevention shall not use or further disclose PHI other than as permitted by law without written permission from the participant / client.
- Safeguards. SpecialtyHealth Wellness & Prevention shall use appropriate safeguards to prevent use of or disclosure of PHI other than as provided for participant / client. SpecialtyHealth Wellness & Prevention shall maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of SpecialtyHealth Wellness & Prevention operations and the nature and scope of its activities, including, but not limited to, the safeguards listed above.
- Agents / Representatives. SpecialtyHealth Wellness & Prevention shall ensure that any agents / representatives or employees, including subcontractors, to whom it provides PHI received from participant / client, agree to the same restrictions and conditions that apply to SpecialtyHealth Wellness & Prevention with respect to such PHI.
- Amendment of PHI. SpecialtyHealth Wellness & Prevention shall make any amendments to PHI in a designated record set that the participant / client requests in the time and manner to fulfill obligations (if any) to amend PHI pursuant to HIPAA and the Privacy Rule, including, but not limited to, 45 CFR §164.526, and incorporate any amendments to PHI into copies of such PHI maintained by SpecialtyHealth Wellness & Prevention.
- Internal Practices. SpecialtyHealth Wellness & Prevention shall make its internal practices, books and records relating to the use and disclosure of PHI received by the participant / client available in a time and manner designated for purposes of determining SpecialtyHealth Wellness & Prevention compliance with HIPAA and the Privacy Rule.
- Documentation of Disclosures for Accounting. SpecialtyHealth Wellness & Prevention agrees to document such disclosures of PHI and information related to such disclosures as would be required to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
- Access to Documentation for Accounting. SpecialtyHealth Wellness & Prevention agrees to provide an Individual information collected in a time and manner so as to permit a response to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
- Notification of Breach. SpecialtyHealth Wellness & Prevention shall notify participant / client within twenty-four (24) hours of knowing of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI and/or knowing of any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. SpecialtyHealth Wellness & Prevention shall take prompt corrective action to cure any such deficiencies and any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations.
2. Obligations of Covered Entity.
- SpecialtyHealth Wellness & Prevention shall be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI pursuant to the provision of Services, in accordance with the standards and requirements of HIPAA and the Privacy Rule.
- Upon request, SpecialtyHealth Wellness & Prevention shall provide participant / client with the notice of privacy practices that SpecialtyHealth Wellness & Prevention produces in accordance with 45 CFR 164.520, as well as any changes to such notice.
- SpecialtyHealth Wellness & Prevention shall recognize any changes in, or revocation of, permission by an individual to use or disclose PHI, if such changes affect uses or disclosures.
- SpecialtyHealth Wellness & Prevention shall notify employees, representatives and agents of any restriction to the use or disclosure of PHI in accordance with 45 CFR 164.522, if such restriction affects permitted or required uses or disclosures.
3. Amendment to Comply with Law.
SpecialtyHealth Wellness & Prevention acknowledges that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Policy may be required to provide procedures to ensure compliance with such developments. SpecialtyHealth Wellness & Prevention specifically agrees to take such action as is necessary to implement the standards and requirements of HIPAA, the Privacy Rule and other applicable laws relating to the security or confidentiality of PHI.
This Policy shall be interpreted as broadly as necessary to implement and comply with HIPAA, the Privacy Rule and any other applicable law relating to security and privacy of PHI. Any ambiguity in this Policy shall be resolved in favor of a meaning that permits SpecialtyHealth Wellness & Prevention to comply with the Privacy Rule.
5. Regulatory References.
A reference in this Policy to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.