IntelliCentrics SEC3URE Platform
Business Associate Addendum for SEC3URE LINK and SEC3URE VISITOR MANAGEMENT
More specifically, the HIPAA Standards (defined herein) require that Facilities that use and share PHI via SEC3URE LINK and SEC3URE VISITOR MANAGEMENT must obtain satisfactory assurances from us to ensure appropriate safeguarding of any Individually Identifiable Health Information that may be created, received, maintained, or transmitted by us in the course of performing services for or through SEC3URE LINK and SEC3URE VISITOR MANAGEMENT.
In connection with SEC3URE LINK and SEC3URE VISITOR MANAGEMENT, a Facility may disclose PHI to us that is subject to protection under applicable provisions of: (i) HIPAA (P.L. 104-191, as amended); (ii) the Health Information Technology for Economic and Clinical Health Act provisions in Title XIII of the American Recovery and Reinvestment Act (“HITECH”); (iii) the privacy and security standards as set forth in the “Privacy Rule” at 45 CFR Part 160 and Part 164, Subparts A and E, and “Security Rule” at 45 CFR Part 160 and Part 164, Subparts A and C, promulgated under HIPAA and HITECH; (iv) the breach notification standards at 45 CFR parts 160 and 164, subparts A and D (“Breach Notification Rule”); and (v) the HIPAA Omnibus Final Rule, all as adopted by HHS and as they may be amended from time to time (collectively, the “HIPAA Standards”). Terms used, but not otherwise defined herein, shall have the same meaning as those terms in the Privacy Rule and the Security Rule. And for purposes of our obligations, PHI shall include “Protected Health Information” and “Electronic Protected Health Information” (“ePHI”), respectively, as defined in 45 CFR §160.103, limited to information that we create, receive, maintain, or transmit for or on behalf of a Facility.
OUR OBLIGATIONS AND ACTIVITIES
When performing services for SEC3URE LINK and SEC3URE VISITOR MANAGEMENT for or on behalf of a Facility:
- We will not use or further disclose PHI other than as permitted or required by SEC3URE LINK, SEC3URE VISITOR MANAGEMENT, or as required by law.
- We will report to a Facility any use or disclosure of PHI or Personal Information not provided for herein, including without limitation any Breach of PHI, Unsecured PHI, or Personal Information and of any Security Incident involving PHI or Personal Information of which we become aware. Such report shall be made to a Facility within five (5) business days following our discovery of such Breach or Security Incident. The terms “Breach” and “Unsecured PHI” are defined in 45 CFR § 164.402. A “Security Incident” is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.
- In addition to the above-referenced report of a Breach or Security Incident to a Facility, we will carry out our own independent duty to comply with applicable federal and state breach notification laws relating to notification, timing of notification, and related provisions. This includes obligations we have for California residents as set forth in California breach notification rules (California Civil Code §§ 1798.29, 1798.82, 1798.84 & 1798.85 and California Health & Safety Code § 1280.15, all as amended from time to time).
- We will take any action necessary or requested by a Facility to mitigate, to the extent practicable, any harmful effect that is known to us of the Security Incident or use or disclosure of PHI, Unsecured PHI, or Personal Information by us in violation of these obligations. If a Breach of PHI or Unsecured PHI or Personal Information occurs, our notice to a Facility of such Breach will include, to the extent reasonably practicable, the identification of each Individual whose PHI or Personal Information has been, or is reasonably believed by us, to have been accessed, acquired, or disclosed during such Breach. We will also provide a Facility any other available information that the Facility is required to include in the notification to the Individual, even if such information becomes available after notification to the Individual, or take any action necessary as requested by a Facility to assist the Facility in complying with any applicable breach notification requirements.
- We will ensure that any downstream agent of ours, including a subcontractor, to whom we provide PHI or Personal Information received from, or created or received by us for or on behalf of a Facility, agrees to the same restrictions and conditions that apply herein to us for such information.
- We do not anticipate maintaining PHI in a Designated Record Set, but should we do so, we will:
  - Provide access, at the request of a Facility and in the time and manner designated by the Facility, to PHI in a Designated Record Set to a Facility or as directed by the Facility to an Individual in order to meet the requirements under 45 CFR § 164.524; and
  - Make any amendment(s) to PHI in a Designated Record Set that a Facility directs or agrees to pursuant to 45 CFR § 164.526 at the request of the Facility or Individual in the time and manner designated by the Facility.
- We will make our internal practices, books, and records relating to the use and disclosure of PHI and Personal Information received from or created or received by us for or on behalf of a Facility available to a Facility or the Secretary of the U.S. Department of Health and Human Services for purposes of the Secretary determining a Facility’s or our compliance with the HIPAA Standards.
- We will document and maintain such disclosures of PHI and information related to such disclosures as would be required for a Facility or us to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
- We will provide to a Facility, in a time and manner designated by the Facility, information pertaining to disclosures of PHI by us to permit the Facility to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. If we receive a direct request from an Individual for an accounting of disclosures of PHI made by us including, effective January 1, 2011, or a later date as provided by the HIPAA Standards, any request for an accounting of disclosures of PHI made from a Facility’s electronic health record for treatment, payment, or healthcare operation purposes during the three (3) years prior to the date of such request, we will provide the Individual with such an accounting in accordance with 45 CFR § 164.528. Please see our HIPAA Addendum for Online Notice of Privacy Practices for what items qualify for an accounting of disclosures.
- We will implement and maintain reasonable and appropriate safeguards to ensure that all PHI is used or disclosed only as authorized under the HIPAA Standards or our obligations under SEC3URE LINK and SEC3URE VISITOR MANAGEMENT. We will periodically, but no less than annually, assess potential risks and vulnerabilities to PHI in our possession and develop, implement, and maintain the administrative, physical, and technical safeguards required by the HIPAA Standards that protect the confidentiality, availability, and integrity of the PHI that we create, receive, maintain, or transmit for or on behalf of a Facility. These measures must be documented, kept current, and include, at a minimum, those measures that fulfill the requirements outlined in the HIPAA Standards and any applicable state laws. We will also implement policies and procedures that address our compliance with applicable HIPAA Standards and state laws in our efforts to detect, prevent, and mitigate the risks of identity theft resulting from the improper use or disclosure of PHI or Personal Information.
- To the extent we contract with third parties for services related to SEC3URE LINK or SEC3URE VISITOR MANAGEMENT, we will ensure that any of our agents, including subcontractors, implement and maintain the same safeguards, policies, and procedures required by the HIPAA Standards (referenced in the previous subparagraph) and applicable state laws that protect the confidentiality, availability, and integrity of the PHI or Personal Information that we create, receive, maintain, or transmit for or on behalf of a Facility.
- We will retain and maintain PHI and Personal Information with physical, technical, and administrative safeguards in compliance with the HIPAA Standards and applicable state laws.
- We will, in the performance of our obligations under SEC3URE LINK and SEC3URE VISITOR MANAGEMENT, comply with all applicable federal and state laws, regulations, and rules. This includes, without limitation, the HIPAA Standards; applicable provisions under state laws governing the disclosure of Individual medical information, including California’s Confidentiality of Medical Information Act (California Civil Code § 56 et seq.); applicable provisions under state laws governing the collection, use, disclosure, storage, and security of Personal Information, including the California Consumer Privacy Act of 2018 (“CCPA”; California Civil Code §§ 1798.100-1798.199) and the Information Practices Act of 1977 (California Civil Code § 1798 et seq.); and applicable provisions under state laws governing data breach notification, including, but not limited to, the California breach notification requirements noted above.
- We acknowledge if we violate any of the requirements set forth herein, we will be subject to the same civil and criminal penalties that a Facility would be subject to if the Facility violated the same requirements.
OUR PERMITTED USES AND DISCLOSURES OF PHI
- We may use or disclose PHI or Personal Information to perform functions, activities, or services for or on behalf of a Facility as specified for SEC3URE LINK and SEC3URE VISITOR MANAGEMENT, provided that such use or disclosure would not violate the HIPAA Standards or any state law standards if done by the Facility. Such use or disclosure shall be limited to the minimum amount of PHI or Personal Information needed to accomplish the intended purpose of the use or disclosure. To the maximum extent possible, we will de-identify and aggregate data such that it no longer qualifies as PHI or Personal Information under applicable law.
- We may use PHI for our proper management and administration or to carry out our legal responsibilities.
- We may disclose PHI for the proper management and administration of SEC3URE LINK and SEC3URE VISITOR MANAGEMENT, provided that disclosures are authorized by law and we obtain reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law and for the purpose for which it was disclosed, and the person notifies us of any instances of which it is aware in which the confidentiality of the PHI or Personal Information has been breached.
- When using or disclosing PHI or responding to a request for PHI, we must limit such PHI, to the extent practicable, to a Limited Data Set or, if more information than a Limited Data Set is required, to the minimum necessary to accomplish the intended purpose of such use, disclosure or request. The term “Limited Data Set” is defined in 45 CFR § 164.514(e).
- Unless expressly permitted, we will not directly or indirectly receive remuneration in exchange for any PHI or Personal Information unless a Facility has obtained from the subject Individual a valid authorization that includes a specification that PHI or Personal Information may be further exchanged for remuneration by the entity receiving the PHI or Personal Information. We will comply with any and all such federal and state laws and regulations with respect to receiving remuneration in exchange for any PHI or Personal Information.
- We will not use or disclose PHI in connection with any fundraising or marketing communication for or on behalf of a Facility unless the Facility has obtained a valid authorization from each Individual who will be a recipient of any such communication.
- If an Individual requests that we restrict the disclosure of the Individual’s PHI to carry out treatment, payment, or healthcare operations, we will comply with the requested restriction if, except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or healthcare operations (and is not for purposes of carrying out treatment), and the PHI pertains solely to a healthcare item or service for which the healthcare provider involved has been paid out of pocket in full.
OBLIGATIONS OF A FACILITY
When agreeing to use SEC3URE LINK or SEC3URE VISITOR MANAGEMENT:
- A Facility will provide us with a copy of its Notice of Privacy Practices, and we shall comply with such Notice of Privacy Practices.
- A Facility will provide us with notice of any changes in, or revocation of, the permission by an Individual to use or disclose the Individual’s PHI if such changes affect our permitted or required uses and disclosures.
- A Facility will notify us of any restriction to the use or disclosure of PHI that a Facility has agreed to in accordance with 45 CFR § 164.522 if such restrictions affect our permitted or required uses and disclosures.
- A Facility will not request that we use or disclose PHI in any manner that would not be permissible under the HIPAA Standards or other applicable law if done by the Facility.
TERMINATION OF SEC3URE LINK OR SEC3URE VISITOR MANAGEMENT; EFFECT ON PHI
Upon a Facility’s knowledge of a material breach of our obligations herein, the Facility will provide us an opportunity to cure the breach or end the violation, and the Facility may terminate SEC3URE LINK or SEC3URE VISITOR MANAGEMENT if we do not cure the breach or end the violation within the time specified by the Facility, or immediately terminate SEC3URE LINK or SEC3URE VISITOR MANAGEMENT if we have breached a material obligation and cure is not possible, as determined by the Facility in its reasonable discretion.
Upon termination for any reason:
- We will return or destroy all PHI received from a Facility or created or received by us on behalf of a Facility. This provision will apply to PHI that is in the possession of our agents or subcontractors, and we will retain no copies of the PHI.
- If we determine that returning or destroying the PHI is infeasible, we will notify the applicable Facility of the conditions that make return or destruction infeasible, and on mutual agreement that return or destruction of PHI is not feasible, we will extend the protections set forth herein to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as we maintain such PHI.
Unless otherwise expressly provided by applicable law, nothing herein is intended to and does not create a private cause of action by any Individual as a result of any claim arising out of the breach of these obligations, the HIPAA Standards, or other law or regulation relating to privacy or confidentiality of healthcare information.