General Compliance with HIPAA. In performing services under this
Agreement MCR agrees to respect the confidential nature of all information
that may come to MCR with regard to the Hospital's patient and financial
records. MCR will maintain confidentiality of the aforementioned
records and agrees not to use or disclose any Protected Health Information
concerning a patient other than as permitted by this Agreement.
The parties shall conduct their respective businesses in accordance
with all applicable laws and regulations, including without limitation,
the Health Insurance Portability and Accountability Act of 1996,
Public Law 104-194, as amended from time to time, and the regulations
promulgated thereunder ("HIPAA"), and applicable state
laws, regulations, and other applicable jurisprudence. Further,
MCR shall comply with all policies and procedures adopted by Hospital
related to the use and disclosure of individually identifiable health
information.
(1) Definitions. For purposes of this Section:
A. Business Associate shall have the meaning ascribed to it in
45 C.F.R. Section 160.103.
B. The following terms shall have the meaning ascribed to them
in 45 C.F.R. Section 164.501, "data aggregation,"
"disclosure," "protected health information,"
and "use."
C. "Protected Information" shall mean all protected
health information (1) received by MCR from Hospital, (2) created
by MCR on Hospital's behalf, (3) received by MCR on Hospital's
behalf, or (4) otherwise created or received by MCR in MCR's
capacity as a Business Associate of Hospital under or in connection
with this Agreement.
(2) Duties of MCR with Respect to Protected Information.
A. Uses and Disclosure of Information. MCR may use and disclose
Protected Information only for the specific purpose and to the
extent necessary to (1) properly manage and administer MCR,
(2) provide the services reasonably contemplated by this Agreement,
including if appropriate, data aggregation services, (3) carry
out MCR's legal responsibilities, or (4) comply with a requirement
of law. Other than as specifically permitted above, MCR shall
not use or further disclose any Protected Information.
B. Assurances. MCR hereby assures Hospital that MCR will appropriately safeguard
the privacy, security, confidentiality and integrity of all
Protected Information, and shall not use or disclose Protected
Information except as specifically permitted under Subsection
C.1. above. Further, MCR shall develop, implement and maintain
a security and privacy plan and other policies and procedures
as necessary to prevent the use or disclosure of Protected Information
other than as specifically permitted by this Agreement.
C. Agents of MCR. MCR shall ensure that its agents, including
without limitation any subcontractors to whom it provides Protected
Information, agree to the same restrictions and conditions
as they apply to Hospital and MCR under this Article. MCR shall
incorporate in any and all agreement(s) with such subcontractor(s)
a provision naming Hospital as an intended third party beneficiary
with respect to the enforcement of, and right to benefit from,
the subcontractor's covenants regarding the use and disclosure
of protected health information.
D. Inappropriate Use or Disclosure. If MCR becomes aware that
any Protected Information is, or has been, used or disclosed
other than in accordance with this Agreement, MCR shall immediately
(1) take reasonable and necessary steps to prevent such impermissible
use or disclosure and to prevent further dissemination of such
improperly disclosed information, and (2) notify Hospital of
such impermissible use or disclosure and the corrective actions
being taken by MCR.
E. Access of Individuals to Protected Health Information. MCR
shall provide an individual's protected health information to
such individual in accordance with state and federal law and
Hospital's policies and procedures, including but not limited
to the regulations set forth in 45 C.F.R. §§ 164.524, 164.526,
and 164.528, relating to an individual's right to (1) access
his or her protected health information, (2) require the amendment
of his or her protected health information, and (3) receive
an accounting of disclosures of his or her protected health
information.
F. Access to Books and Records. MCR shall make its internal
practices, books and records relating to the use and disclosure
of Protected Information available to the Secretary of the
U.S. Department of Health and Human Services ("Secretary")
for the purpose of determining Hospital's compliance with applicable
law. MCR shall inform Hospital immediately upon receipt of any
request by the Secretary for or relating to Protected Information.
(3) Termination. Return or Destruction of Protected Information.
Upon termination of this Agreement, MCR shall, to the extent feasible
as determined in the sole discretion of Hospital, return or destroy
all Protected Information that is in the possession of MCR as
of the effective date of termination. Further, the provisions
of this Article limiting uses and disclosures of Protected Information
shall continue beyond termination of the Agreement.
(4) No Third-Party Beneficiary. Notwithstanding any other provision
of this Agreement to the contrary, if any, nothing in this Agreement,
or in the parties' course of dealings, shall be construed as conferring
any third-party beneficiary status with respect to this Article,
on any person or entity not a party to this Agreement.
(5) Security of Protected Information
A. Data Transmission between MCR servers and MCR client systems.
To ensure the security and privacy of Protected Information,
Medical Capital Recovery uses ETRAX, proprietary software developed
by MCR that authenticates users and creates audit logs of patient
record accesses and disclosures, in conjunction with Citrix Metaframe,
which provides 128-bit encryption and thin-client access to central
servers. All patient information resides on firewall- and encryption-
secured servers, and can only be viewed as encrypted "images"
or "pictures" and not as data streams. ETRAX never transmits
unencrypted patient data streams to our client workstations.
B. Data Storage. Protected Information resides on firewall-protected
data servers. Medical Capital Recovery also utilizes firewalls
and encrypted storage of all historical data. Hard-copy storage
of historical data is placed on optical storage media with 512-bit
encryption.
C. Data Transmission. Medical Capital Recovery currently adheres
to standard EDI transaction sets, such as, but not limited to,
X12, 837, 835, 276, and 277. When patient data transmissions
are necessary, Medical Capital Recovery only transmits data
through modem-based or HIPAA-compliant encrypted network communications.