MCR CONFIDENTIALITY AND PRIVACY POLICY

The purpose of this policy is to protect a patient's right to confidentiality and privacy. Medical Capital Recovery, Inc. ("MCR") and its staff receive Confidential Patient Information from client providers of health and medical services (Covered Entities) and directly from their patients. Patient information will be regarded as confidential and will be available only to authorized users for approved purposes. Every MCR employee will use only the minimum amount of confidential patient information to accomplish his or her assigned duties. Access to confidential information is only permitted for direct patient financial assistance, billing, or administrative hospital operations such as utilization review, quality assurance, or compliance auditing.

Confidential information obtained either during assigned duties or by accident shall not be released to any person or institution except in accordance with the Covered Entity's policy and applicable federal and state laws. No MCR employee shall seek access to confidential information out of curiosity, for malicious purposes, or for financial gain. Discussion or consultation involving a patient's care of confidential information should be conducted in private. Individuals not directly involved in the patient's financial interview and screening should not be present without the patient's permission.

Policy Elements:

1. Discuss patient information with authorized personnel only and only in a private location where unauthorized persons cannot overhear.

2. Keep financial and medical records secure and unavailable to persons not involved with the patient's account.

3. Follow specified procedures for use of electronic information systems, including use of individual passwords, logging off when finished, proper data entry techniques, and protection of displayed or printed information from unauthorized users.

4. Verify with the patient what information may be given to the patient's family and friends with the patient's knowledge and permission.

5. Screen requests for access to all patient information so that those items that are minimally necessary are made available only to those persons who are legitimately involved in patient financial counseling, billing or administrative operations.

7. Release patient medical records to external sources only upon receipt of written authorization from the patient.

8. Use appropriate information security procedures for users of electronic information systems