Lab Compass, Inc.
Terms of Service
 
Effective Date: June 24, 2014

THE ORDER FORM(S) OF LAB COMPASS INC. (“LAB COMPASS” OR “WE”, “US”, “OUR”, OR SIMILAR DESIGNATIONS) AND THESE TERMS AND CONDITIONS (COLLECTIVELY, THIS “AGREEMENT”) SHALL CONSTITUTE THE ENTIRE AGREEMENT BETWEEN YOU AND LAB COMPASS CONCERNING YOUR USE OF THE SOFTWARE AND SERVICES. BY ORDERING OR OTHERWISE USING THE SOFTWARE AND SERVICES, YOU AGREE TO AND ACCEPT THIS AGREEMENT, INCLUDING THE SPECIFIC LIMITATIONS SET FORTH IN SECTIONS 2, 6, 8 AND 12-14. YOU MAY USE THE SOFTWARE AND SERVICES ONLY IN ACCORDANCE WITH THIS AGREEMENT. NO OTHER CONTRACT OR TERMS CONCERNING THE SOFTWARE OR SERVICES MAY BE CREATED IN ANY OTHER MANNER, INCLUDING BY MEANS OF YOUR PURCHASE ORDERS OR SIMILAR DOCUMENTS (EVEN IF SIGNED OR ACKNOWLEDGED BY LAB COMPASS), WHICH SHALL NOT MODIFY OR AMEND THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, YOU SHALL NOT BE ENTITLED TO USE THE SOFTWARE AND SERVICES.

Lab Compass offers the Software only to individuals and legal entities (each a “Customer”) who have expressly ordered the Software for use by them and their Users, and agreed to use the Software pursuant to an order form and Lab Compass’s Terms of Service. You may only use the Software if you are an authorized User of a Customer.

  1. DEFINITIONS.

1.1 The terms “you” or “your” refer to the individual, entity, or organization ordering the Software and Services as provided in the Order Form(s).

1.2 “Software” means the currently available Symport™ software which allows you and your Users to enter, collect and store healthcare data, including Protected Health Information, and related services and features, and any additions, modifications, or enhancements thereto.

1.3 “Services” means Lab Compass’s services to you, if any, as provided in the Order Form(s), which may include administrative setup, administrative and healthcare professional training, system integration, data storage, customization, and other such services as agreed between the parties.

1.4 “User” means any user of the Software, including Administrators, Healthcare Professionals, and Study Participants, who are authorize to use the Software under the terms of this Agreement.

1.5 “Documentation” means any instructions and policies provided to you or your Users by Lab Compass in connection with administration and use of the Software, Services, and related services, which may be amended by Lab Compass from time to time.

1.6 “Order Form(s)” means the order forms or other forms from Lab Compass (submitted in written form or online) evidencing the initial order for the Software and Services, and any subsequent order forms or other forms from Lab Compass, specifying, among other things, the initial term, the number of authorized Users, Services (if any) to be provided, the applicable fees, and such other charges and terms as agreed between the parties. Capitalized terms in the Order Form(s) not otherwise defined in the Order Form(s) are as defined in these Terms and Conditions.

1.7 “Healthcare Professionals” means your healthcare professionals, such as doctors, nurses, clinicians, researchers, and other healthcare professionals, authorized to use the Software under a Healthcare Professional account, under the terms of this Agreement and the EULA, to have access to the features and services available on the Software for Healthcare Professionals.

1.8 “Study Participants” means those Users who are authorized to use the Software under a Study Participant Account, under the terms of this Agreement, to have access to the features and services available on the Software for Study Participants.

1.9 “Administrators” means those Users designated by you as administrators who are authorized to use the Software under an Administrator Account, under the terms of this Agreement, to have access to the features and services available on the Software for Administrators.

1.10 “Data” means records, information, and data provided or entered by you or your Users, including PHI and PII, or otherwise collected by the Software, in the course of your and your Users’ use of the Software.

1.11 “Protected Health Information” or “PHI” means information that: (a) is created or received by a health care provider and relates to the (i) past, present, or future, physical or mental health or condition of an individual, (ii) provision of health care to an individual, or (iii) past, present, or future payment for the provision of health care to an individual; and (b) identifies or can reasonably be used to identify an individual. PHI is subject to Lab Compass’s “HIPAA Privacy and Security Policy” located at in the last tab on this page.

1.12 “Personally Identifiable Information” or “PII” means information, not otherwise defined as PHI, that identifies or can reasonably be used to identify an individual. PII is subject to Lab Compass’s “Privacy Policy” located at https://mntnlabs.com/privacy/, and is identified as “personal information” in the Privacy Policy.

1.13 “Anonymized Data” means Data other than PHI or PII, or Data for which PHI and PII have been removed or modified so that the Data cannot be used to identify or cannot reasonably be used to identify an individual.

1.14 “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended.

1.15 “Initial Term” means the initial period during which in the Software shall be made available to you and your Users. Unless a different term is specified in your Order Form(s), the Initial Term shall be for a period of one year.

  1. SOFTWARE LICENSE AND RESTRICTIONS.

2.1 Lab Compass hereby grants you and your Users a limited, personal, non-exclusive, non-transferrable, non-assignable, terminable license to internally use the Software during the Initial Term and any renewal term for personal, educational, and noncommercial purposes, subject to the terms and conditions of this Agreement. All rights not expressly granted to you are reserved by Lab Compass. You are responsible for the use and misuse of the Software by your Users.

2.2 Neither you nor your Users shall: (i) modify, disassemble, decompile or reverse engineer the Software, except to the extent that such restriction is expressly prohibited by law; (ii) share, rent, lease, loan, resell, sublicense, distribute or otherwise transfer the Software to any third party or use the Software to provide time sharing or similar services for any third party; (iii) make any copies of the Software or content thereon; (iv) remove, circumvent, disable, damage or otherwise interfere with security-related features of the Software, features that prevent or restrict use or copying of any content accessible through the Software, or features that enforce limitations on use of the Software or such content; (v) delete the copyright and other proprietary rights notices on the Software; (vi) integrate the Software with any other software except as provided in the Documentation or as otherwise agreed between the parties in an Order Form; or (vii) engage in any fraudulent or illegal activity, violate any laws or third party rights, or violate the policies and procedures contained in the Documentation.

2.3 You and your Users may use the Software only for its intended purpose and shall not: (i) send spam or otherwise duplicative or unsolicited messages in violation of applicable laws; (ii) send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material harmful to children or violative of third-party privacy rights; (iii) send or store material containing software viruses, worms, Trojan horses, or other harmful computer code, files, scripts, agents, or programs; (iv) interfere with or disrupt the integrity or performance of the Software or the data contained therein; or (v) attempt to gain unauthorized access to the Software or its related systems or networks.

2.4 Your Users will have log-in information, including a username and password. You and your Users are individually responsible for all activity occurring under your User accounts and shall abide by all applicable local, state, national, and foreign, laws, treaties and regulations in connection with your use of the Software. You shall: (i) notify Lab Compass immediately of any unauthorized use of any password or account or any other known or suspected breach of security; (ii) report to Lab Compass immediately and use reasonable efforts to stop immediately any unauthorized copying or distribution of content that is known or suspected by you or your Users; and (iii) not impersonate another User or provide false identity information to gain access to or use the Software.

2.5 You acknowledge and agree that your Users of the Software shall each be subject to terms set herein this binding document. LAB COMPASS RESERVES THE RIGHT TO DISABLE ANY USER’S USE OF OR ACCESS TO THE SOFTWARE WITHOUT NOTICE IF IT REASONABLY BELIEVES, IN GOOD FAITH, THAT SUCH USER’S USE OF OR ACCESS TO THE SOFTWARE IS IN FURTHERANCE OF SOME PROSCRIBED PURPOSE OR SCHEME OR A VIOLATION OF THIS AGREEMENT.

  1. NO MEDICAL ADVICE. Lab Compass does not give medical advice. The Software may provide helpful information to assist you in medical decision-making. The information and materials available through the Software are for informational and educational purposes only and are not intended to constitute professional advice, diagnosis or treatment, or to substitute for the Healthcare Professionals. You assume full risk and responsibility for the use of information you obtain from or through the Software. You will be solely responsible for the professional and technical services you provide.
  1. Third-Party Services. The Software may include certain third-party software and services. Your use of such software or services may require that you enter into separate subscription or licensing agreements with third-party vendors and suppliers. You agree to comply with and, upon request, execute such agreements as may be required for the use of such software or services.
  1. SERVICES. Lab Compass shall provide the Services, if any, to you as provided in your Order Form(s). Unless otherwise noted, all service fees are included with the service fees indicated on your Order Form(s). Any additional Services are subject to Lab Compass’s standard hourly rates for such Services (minimum 1/4 hour charge). Please see the Documentation for details.
  1. OWNERSHIP. All right, title, and interest in the Software, including, without limitation, all patents, copyrights, trade secrets, and other proprietary rights in the Software shall at all times remain solely and exclusively the property of Lab Compass (or its licensors, where applicable), whether or not specifically recognized or perfected under the laws of the jurisdiction in which the Software is used or licensed. Lab Compass shall further own all right, title, and interest in any copy, translation, modification, adaptation, enhancements or derivation of the Software, even if developed for or recommended by you and whether or not part of the Services. You shall not take any action that jeopardizes Lab Compass’s proprietary rights or acquire any rights in the Software. This Agreement is not a sale and does not convey to you any rights of ownership in or related to the Software, or the intellectual property rights owned by Lab Compass. Except as specifically provided in Section 2 above, no license under any patents, copyrights, trademarks, trade secrets, or any other intellectual property rights are granted by Lab Compass to you. Lab Compass’s name, logo, and the product name, Symport™, and other product names associated with the Software are trademarks of Lab Compass or third parties, and no right or license is granted to use them.
  1. PROPRIETARY MARKS. Except as specifically authorized by Lab Compass in writing, you shall not alter, change or remove from the Software any trademark, other proprietary mark or proprietary rights notice.
  1. DATA; PROTECTED HEALTH INFORMATION.

8.1 Data. Lab Compass does not own any of your Data and does not share any Data with any third-party except as expressly provided in this Agreement or as required by law. We do not represent or guarantee the truthfulness, accuracy, or reliability of Data, entered by you or your Users. You accept that any reliance on Data posted by you or your Users will be at your own risk. You, not Lab Compass, shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership or right to use of your Data. In the event this Agreement is terminated (other than by reason of your breach), Lab Compass will make available to you an electronic file of your Data within thirty (30) days of termination if you so request at the time of termination.

8.2 PHI and PII. PHI is subject to Lab Compass’s “HIPAA Privacy and Security Policy” located in the last tab on this page. PII is subject to Lab Compass’s “Privacy Policy” located at https://mntnlabs.com/privacy/, and is identified as “personal information” in the Privacy Policy.

8.3 Protected Health Information. You acknowledge that by granting your Users to access the Software, you are responsible for ensuring such Users use the Software for the purposes for which they are accessing it. You agree that Lab Compass will not be responsible for any unlawful access to or use of the Software by your Users. You agree that you are responsible for ensuring that PHI and related information is properly protected under applicable law. You represent and warrant that you have obtained the proper consents, authorizations, and releases from individuals to the fullest extent required by applicable law before entering their PHI to the Software. You are solely responsible for any PHI exported from the Software by you or your Users. You agree to train all Healthcare Professionals on HIPAA or health privacy obligations, and the requirements of these Terms and ensure that they comply with such requirements. You will promptly notify us of any order or demand for compulsory disclosure of PHI if the disclosure requires access to or use of the Software. You will cooperate fully with us in connection with any such demand.

  1. SUPPORT. Lab Compass provides limited customer support to you and your Users. Standard support hours are Monday-Friday from 9 a.m. to 5 p.m. Eastern Time daily via e-mail ([email protected]), with integration, training, and consulting services available separately. Lab Compass has no obligation to provide additional services or upgrades, modifications, or new releases to the Software under this Agreement. Lab Compass may voluntarily provide some or all of these items; should Lab Compass do so, any such action shall not be considered a waiver of this provision.
  1. FEES AND PAYMENTS.

10.1 Service Fees. You shall pay Lab Compass for the Services (“Service Fees”) as provided in your Order Form(s). You shall make all payments for Service Fees to Lab Compass within thirty (30) days of the invoice date or as otherwise provided in your Order Form(s). Late payments shall incur interest equal to the lesser of (a) one and one-half percent (1.5%) per month, or (b) the maximum amount allowed by law.

10.2 Software/Subscription Fees. You shall pay all fees or charges to your account for use of the Software (“Subscription Fees”) in accordance with the fees, charges, and billing terms in effect at the time a fee or charge is due and payable. The initial Subscription Fees will be equal to the current number of total User subscriptions requested, multiplied by the per User Subscription Fee currently in effect. Payments must be made monthly in advance unless otherwise mutually agreed upon in an Order Form. All payment obligations are non-cancelable and all amounts paid are nonrefundable. You are responsible for paying for all User subscriptions ordered for the entire term of this Agreement, whether or not such User subscriptions are actively used. You must provide Lab Compass with valid credit card or approved purchase order information as a condition to ordering the Software or Services. An Administrator may add User subscriptions through their Administrator account. Added subscriptions will be subject to the following: (i) added subscriptions will be coterminous with the preexisting term of the Agreement (either Initial Term or renewal term); (ii) the Subscription Fee for the added Users will be the then current, generally applicable Subscription Fee; and (iii) subscriptions added in the middle of a billing month will be charged in full for that billing month. Lab Compass reserves the right to modify its fees and charges and to introduce new charges at any time, upon at least 30 days prior notice to you, which notice may be provided by email or through the Software to your Administrators, and such modifications shall be applicable to the next billing month. All pricing terms are confidential, and you agree not to disclose them to any third party.

10.3 Excess Data Storage Fees. The maximum storage space for Data provided to you at no additional charge is 1 GB per User license. If the amount of storage for Data exceeds these limits, you will be charged the then-current storage fees. Lab Compass will use reasonable efforts to notify you when the average storage used for Data per license reaches approximately 90% of the maximum; however, any failure by Lab Compass to so notify you shall not affect your responsibility for such additional storage charges. Lab Compass reserves the right to establish or modify its general practices and limits relating to storage of Data.

10.4 Payment Terms. All amounts are stated and payable in U.S. Dollars and do not include taxes. If Lab Compass is required to pay taxes in connection with this Agreement, including without limitation sales, use, GST, value-added, or other taxes (excepting taxes based on income), such taxes will be invoiced to and paid by you. Lab Compass reserves the right to modify the procedures used for invoicing/paying the Service Fees, as well as changing the Service Fees due. Lab Compass shall provide you with at least thirty (30) days written notice prior to making any changes to the payment procedures or the amount of Service Fees due for subsequent contract terms, which notice may be provided by email or through the Software to your Administrators,.

10.5 You agree to provide Lab Compass with complete and accurate billing and contact information. This information includes your legal name, street address, email address, and name and telephone number of an authorized billing contact and your contracts administrator. You agree to update this information within 30 days of any change to it.

10.6 If you believe your invoice is incorrect, you must contact Lab Compass in writing within 60 days of the invoice date of the invoice containing the amount in question to be eligible to receive an adjustment or credit.

  1. TERM AND TERMINATION.

11.1 Term. This Agreement shall become effective on the date referenced in your Order Form(s) and shall remain in effect for a period of one (1) month, unless another period is referenced in your Order Form(s) or unless terminated earlier pursuant to Sections 11.2 or 11.3 below. Upon the expiration of the initial term, this Agreement will automatically renew for successive one-month terms at Lab Compass’s then current subscription fees.

11.2 Termination for Convenience. Either party may terminate this Agreement, effective only upon the expiration of the then current term, by notifying the other party in writing at least thirty (30) days prior to the expiration of the term

11.3 Termination for Cause or Default. Either party may terminate this Agreement immediately upon written notice if the other party ceases to do business or (i) becomes insolvent, admits insolvency or admits a general inability to pay its debts as they become due; (ii) files a petition for protection under the bankruptcy laws of any jurisdiction; or (iii) an involuntary petition in bankruptcy is filed against such other party and is not dismissed within thirty (30) days thereafter. You may also terminate this Agreement if Lab Compass fails to perform a material obligation hereunder and fails to cure such nonperformance within twenty (20) days following written notice thereof. Lab Compass may also terminate this Agreement if you fail to perform a material obligation hereunder (without notice or an opportunity to cure); provided that, any breach of the restrictions in Section 2 of this Agreement by you, or any breach of your payment obligations shall be deemed a material breach of this Agreement.

11.4 Effect of Expiration/Termination. No refund of Fees shall be due in any amount on account of a termination by you under Section 11.2 or by Lab Compass under Section 11.3 of this Agreement. However, in the event a refund of fees are due, these shall be prorated to reflect the period during which you were able to make use of the Software and Services. When this Agreement expires or terminates, Lab Compass shall cease providing the Software and Services to you.

  1. WAIVER; DELAYS. EXCEPT AS SPECIFICALLY PROVIDED IN SECTION 13, THE SOFTWARE AND SERVICES ARE DISTRIBUTED AND PROVIDED “AS IS” WITHOUT ANY WARRANTIES, WHETHER WRITTEN, ORAL, STATUTORY, EXPRESS OR IMPLIED. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, LAB COMPASS SPECIFICALLY DISCLAIMS ANY WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. This waiver of warranty affects your specific legal rights; you may have rights which may vary depending upon where you are located. Some jurisdictions do not allow limitations on implied warranties, so the limitations above may not apply to you.

THE SOFTWARE MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS. LAB COMPASS IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR OTHER DAMAGE RESULTING FROM SUCH PROBLEMS.

  1. LIMITED WARRANTY AND INDEMNIFICATION. Lab Compass represents and warrants that the Software will perform substantially in accordance with the Documentation; that it has the legal right to grant the licenses granted herein, including without limitation the license to any third party software; and that the Software does not contain any known viruses. Lab Compass agrees to defend you and your Users from and against any third party claim or action based on any alleged infringement of any United States patent, copyright, trade secret, or other proprietary right as a result of the use of the Software according to the terms and conditions of this Agreement, and Lab Compass agrees to indemnify you and your Users from any damages awarded against you in any such infringement claim or action or settlement thereof; provided, however, that (i) Lab Compass is promptly notified in writing of such claim, (ii) you grant Lab Compass sole control of the defense and any related settlement negotiations, and (iii) you cooperate with Lab Compass in defense of such claim. Notwithstanding the foregoing, Lab Compass shall have no obligation to indemnify you or your Users under this Agreement in the event the third-party infringement claim arises from your own infringing activity or that of a User.
  1. LIMITATION OF LIABILITY. EXCEPT FOR LAB COMPASS’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 13, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, LAB COMPASS (AND ITS LICENSORS OR SUPPLIERS) SHALL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH OR ARISING OUT OF THIS AGREEMENT OR THE USE OF THE SOFTWARE, HOWEVER SUCH DAMAGES ARISE AND/OR WHETHER SUCH DAMAGES ARE CLAIMED IN TORT, CONTRACT OR OTHER ACTION, EVEN IF LAB COMPASS HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. EXCEPT FOR LAB COMPASS’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 13, IN NO EVENT SHALL LAB COMPASS’S LIABILITY FOR ANY CLAIM WHATSOEVER HEREUNDER (OR ASSOCIATED HEREWITH) EXCEED THE AMOUNT PAID BY YOU FOR THE SOFTWARE IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE CLAIM. YOU MUST FILE ANY CLAIM WITHIN ONE (1) YEAR AFTER SUCH CLAIM AROSE OR IT IS FOREVER BARRED. Some jurisdictions do not allow for the exclusion or limitation of incidental or consequential damages, so the limitations above may not apply to you.
  1. GENERAL.

15.1 Publicity. Lab Compass may represent in press releases, on its website, and on other promotional materials that you are a subscriber of the Software.

15.2 Notices. Except as otherwise provided in this Agreement, all notices to either party shall be in writing and shall be considered given on the date of (i) confirmed delivery if sent by overnight courier or express mail service, (ii) confirmed delivery if sent by postage pre-paid certified or registered mail (or the equivalent), return receipt requested or (iii) personal delivery.

15.3 Assignment. Neither party shall assign or otherwise transfer any of their rights or obligations without the prior written consent of the other party, which shall not be unreasonably withheld; provided, however, that either party may assign this Agreement, without consent, in connection with sale of a majority of such party’s voting interests or substantially all of its assets to an acquiring party.

15.4 Governing Law; Jurisdiction; Arbitration. Except to the extent applicable law, if any, provides otherwise, this Agreement shall be governed, construed and enforced in all respects by the laws of the State of Michigan, excluding its choice of law/conflict of law provisions, and shall not be governed by the United Nations Convention on Contracts for the Sale of Goods. Unless Lab Compass elects (in its sole option) to proceed in your local jurisdiction, the jurisdiction and venue of any arbitration, litigation or other dispute resolution method between the parties (which arises out of or relates to this Agreement) shall be exclusively in Washtenaw County, Michigan; you expressly submit and consent to such exclusive jurisdiction and venue.

15.5 Export Controls. You agree to comply with all applicable laws, domestic or foreign. You further understand that the Software and Services may be subject to restrictions and controls imposed by the U.S. Export Administration Act, as amended, and agree, if informed by Lab Compass, to comply with applicable export and import control laws and regulations issued from time to time by the U.S. Department of Commerce and other governmental agencies, foreign or domestic.

15.6 Force Majeure. Neither you nor Lab Compass shall be liable for failure to perform its respective obligations under the Agreement when failure is caused by fire, explosion, water, act of God, civil disorder or disturbances, strikes, vandalism, war, riot, sabotage, weather and energy related closings, or like causes beyond the reasonable control of the party (“Force Majeure Event”). In the event that either party ceases to perform its obligations under this Agreement due to the occurrence of a Force Majeure Event, the party shall: (a) as soon as practicable notify the other party in writing of the Force Majeure Event and its expected duration; (b) take all reasonable steps to recommence performance of its obligations under this Agreement as soon as possible, including, as applicable, abiding by the disaster plan in place for Lab Compass. In the event that any Force Majeure Event delays a party’s performance for more than thirty (30) calendar days following notice by the delaying party pursuant to this Agreement, the other party may terminate this Agreement immediately upon written notice.

15.7 Entire Agreement; Amendments; Waiver. This Agreement constitutes the entire understanding and agreement between you and Lab Compass with respect to its subject matter. This Agreement may only be amended by mutual, written agreement of the parties. If there is any conflict between an Order Form, the Documentation and/or these Terms and Conditions, the following terms shall govern in the following priority: first, the Terms and Conditions, then the Documentation shall govern, and then the Order Form. Your purchase orders or similar documents (even if signed by Lab Compass) shall not modify or amend this Agreement. The failure of either party to object to or act with respect to any conduct of the other party that is in violation of the terms of this Agreement shall not be construed as a waiver thereof. If any provision of this Agreement is for any reason and/or to any extent determined to be unenforceable under applicable law, the remaining provisions of this Agreement shall remain in full force and effect.

15.8 Providing Notice. Should you wish to or are required to notify Lab Compass under this Agreement, use the contact information provided on the Lab Compass website located at https://mntnlabs.com.

Lab Compass, Inc.
Privacy Policy
 
Effective Date: July 23, 2015

This privacy policy has been compiled to better serve those who are concerned with how their ‘Personally identifiable information’ (PII) is being used online. PII, as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your Personally Identifiable Information in accordance with our website.

What personal information do we collect from the people that visit our blog, website or app?

When ordering or registering on our site, as appropriate, you may be asked to enter your name, email address, phone number or other details to help you with your experience.

When do we collect information?

We collect information from you when you fill out a form or enter information on our site.

How do we use your information?

We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:

To allow us to better service you in responding to your customer service requests.

How do we protect visitor information?

Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible.

We use regular Malware Scanning.

We do not use an SSL certificate

We do not need an SSL because:

we internally secure your data in order to optimize speed

Do we use ‘cookies’?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow) that enables the site’s or service provider’s systems to recognize your browser and capture and remember certain information. For instance, we use cookies to help us remember and process the items in your shopping cart. They are also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services. We also use cookies to help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future.

We use cookies to:

Compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future. We may also use trusted third party services that track this information on our behalf.

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser (like Internet Explorer) settings. Each browser is a little different, so look at your browser’s Help menu to learn the correct way to modify your cookies.

If you disable cookies off, some features will be disabled It won’t affect the users experience that make your site experience more efficient and some of our services will not function properly.

Third Party Disclosure

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information unless we provide you with advance notice. This does not include website hosting partners and other parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others’ rights, property, or safety.

However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

Third party links

We do not include or offer third party products or services on our website.

Google

Google’s advertising requirements can be summed up by Google’s Advertising Principles. They are put in place to provide a positive experience for users. https://support.google.com/adwordspolicy/answer/1316548?hl=en

We use Google AdSense Advertising on our website.

Google, as a third party vendor, uses cookies to serve ads on our site. Google’s use of the DART cookie enables it to serve ads to our users based on their visit to our site and other sites on the Internet. Users may opt out of the use of the DART cookie by visiting the Google ad and content network privacy policy.

We have implemented the following:

Demographics and Interests Reporting

We along with third-party vendors, such as Google use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) or other third-party identifiers together

track user visits and behavior to optimize elements and pages accordingly

Opting out:

Users can set preferences for how Google advertises to you using the Google Ad Settings page. Alternatively, you can opt out by visiting the Network Advertising initiative opt out page or permanently using the Google Analytics Opt Out Browser add on.

California Online Privacy Protection Act

CalOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require a person or company in the United States (and conceivably the world) that operates websites collecting personally identifiable information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals with whom it is being shared, and to comply with this policy. – See more at: http://consumercal.org/california-online-privacy-protection-act-caloppa/#sthash.0FdRbT51.dpuf

According to CalOPPA we agree to the following:

Users can visit our site anonymously

Once this privacy policy is created, we will add a link to it on our home page, or as a minimum on the first significant page after entering our website.

Our Privacy Policy link includes the word ‘Privacy’, and can be easily be found on the page specified above.

Users will be notified of any privacy policy changes:

On our Privacy Policy Page

Users are able to change their personal information:

By calling us

How does our site handle do not track signals?

We honor do not track signals and do not track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.

Does our site allow third party behavioral tracking?

It’s also important to note that we do not allow third party behavioral tracking

COPPA (Children Online Privacy Protection Act)

When it comes to the collection of personal information from children under 13, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, the nation’s consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online.

We do not specifically market to children under 13.

Fair Information Practices

The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.

In order to be in line with Fair Information Practices we will take the following responsive action, should a data breach occur:

Within 7 business days

We will notify the users via in site notification

Within 7 business days

We also agree to the individual redress principle, which requires that individuals have a right to pursue legally enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or a government agency to investigate and/or prosecute non-compliance by data processors.

CAN SPAM Act

The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.

We collect your email address in order to:

To be in accordance with CANSPAM we agree to the following:

If at any time you would like to unsubscribe from receiving future emails, you can email us at

and we will promptly remove you from ALL correspondence.

Contacting Us

If there are any questions regarding this privacy policy you may contact us using the information below.

http://www.mntnlabs.com

3820 Packard Rd, Suite 140

Ann Arbor, Michigan 48108

United States

[email protected]

Last Edited on 2015-07-23

Lab Compass
HIPAA Privacy and Security Policy
 
Effective July 1st, 2014

I. INTRODUCTION

Lab Compass (“Business Associate”) is a business associate, as defined in 45 CFR 160.103, to various health care providers who transmit health information in electronic form and who are considered “covered entities” as defined in 45 CFR 160.103.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) and their implementing regulations (together, these laws are called “HIPAA” in this document) require that the Business Associate comply with certain requirements to protect the privacy of protected health information that it receives, maintains and transmits on behalf of a covered entity and to implement certain security measures with respect to electronic PHI.   It is the Business Associate’s policy that the Business Associate comply with HIPAA’s requirements.

No third-party rights are intended to be created by this Policy. The Business Associate reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent that this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall not be binding upon the Business Associate. This Policy does not address requirements under state law or federal laws other than HIPAA.

II. DEFINITIONS

  1. Administrative Safeguards are administrative actions and policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI and to manage the conduct of the Business Associates’ workforce in relation to the protection of that information.
  2. Business Associate is an entity that:
  3. creates, receives, maintains, or transmits PHI on behalf of the covered entity (including for purposes of data analysis, processing, practice management, etc.); or
  4. provides legal, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the covered entity, where the performance of such services involves giving the service provider access to PHI.
  5. Electronic Protected Health Information or E-PHI is protected health information that is transmitted by or maintained in electronic media.
  6. Electronic Media means:
    1. Electronic storage material on which data is or may be recorded electronically, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
    2. Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet, intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.
  7. Physical Safeguards are physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
  8. Protected Health Information or “PHI” means information that:
    1. is created or received by a health care provider and relates to the
      1. past, present, or future, physical or mental health or condition of an individual;
      2. provision of health care to an individual; or
      3. past, present, or future payment for the provision of health care to an individual; and
    2. identifies or can reasonably be used to identify an individual.

PHI includes information of persons living or deceased (except for persons deceased for more than 50 years).

  1. Administrative Access Information means information that is critical to the security of PHI and its containing systems such as administrator account or server/database access information
  2. Security Incident means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with the system operations in an information system.
  3. Technical Safeguards means the technology and the policy and procedures for its use that protect E-PHI and control access to it.

III. BUSINESS ASSOCIATE’S ADMINISTRATIVE RESPONSIBILITIES

  1. Security Official. Max Wolff is the Security Official. The Security Official will be responsible for the development and implementation of policies and procedures relating to privacy and security, including but not limited to this Policy. Max Wolff will also serve as the contact person for individuals who have questions, concerns or complaints about the privacy of their PHI.

The Security Official is responsible for ensuring that the Business Associate complies with all applicable provisions of the HIPAA privacy and security rules, including the requirement that the Business Associate have a HIPAA-compliant business associate contract in place with all subcontractors who handle PHI on behalf of the Business Associate. The Security Official shall also be responsible for monitoring compliance by all subcontractors with the HIPAA privacy rules and the terms of their business associate contracts.

  1. Workforce Training. The Security Official will develop training schedules and programs so that all individuals who have access to PHI and E-PHI receive the training necessary and appropriate to permit them to carry out their functions within the Business Associate and to comply with HIPAA and this Policy. Security Official will keep record of when workforce members complete training and re-training. Security Official will periodically remind the workforce of their compliance obligations, and reminders will be posted in the office. Security Official will periodically review and update training program to respond to organizational changes.
  2. Sanctions for Violations of Policy. The Security Official may apply sanctions (discipline) for using or disclosing PHI or e-PHI in violation of this Policy in accordance with Business Associate’s discipline policy, up to and including termination as follows:

First Violation – Written warning

Second Violation – Three (3) day suspension without pay

Third Violation — Termination of employment.

If the Security Official deems a violation to specifically be intentional or malicious, the Business Associate may take more extreme actions, such as, but not limited to, immediate termination of employment and legal action.

  1. The Business Associate has established appropriate administrative, physical and technical safeguards on behalf of the Business Associate to prevent PHI and E-PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. These safeguards include:

Administrative Safeguards:

  1. Implementing procedures for the use and disclosure of PHI and E-PHI, as described in Section IV.
  2. Individuals who have access to PHI and E-PHI will not further use or disclose PHI or E-PHI in violation of HIPAA’s privacy rules and this Policy.

Information system activity review. The Business Associate will regularly review records of information system activity, as follows: The OTPortal user roles and permissions. The database connection and stderr log. The Super User Creation logs. These will all be monitored monthly, and reports of these records will be prepared by the Security Official. Any suspicious activity or unauthorized access will be addressed and investigated immediately by the Business Associate.

Access authorization. Access to PHI and E-PHI will be limited to those who have a legitimate business need to access the information, as determined by the Security Official, and access will be limited to the minimum amount of PHI necessary. If an individual believes they need a different level of system access, they should request authorization from the Security Official, with the understanding that the Security Official will take into account the minimum necessary business needs.

Access Modification. Access to PHI and E-PHI will be modified for individuals as necessary, as deemed appropriate by the Security Official, in accordance with the Access Authorization protocols. If an individual believes they need a different level of system access, they should request authorization from the Security Official, with the understanding that the Security Official will take into account the minimum necessary business needs. Any employee who receives access to PHI should immediately notify the Security Official. The Security Official will periodically review the list of persons with access to PHI or E-PHI.

Protection from malicious software. Computers owned and operated by the Business Associate have anti-virus software installed and configured for periodic scans of the local disks. The Business Associate will keep current with updates and patches and will periodically update software on all computers.

Login monitoring. Computers for individuals with access to E-PHI will be password protected. Individuals with access to E-PHI are not permitted to share passwords and must change passwords periodically, in accordance with the Workstation Policy. If an individual discovers that someone is using the individual’s password to access the individual’s account or if his/her computer is otherwise compromised, the individual will immediately notify the Security Official.

Data backup. Online Tech is responsible for the data backups.

Disaster recovery plan. Online Tech is responsible for managing and recovering from disasters that could affect server hardware.

Emergency mode operation. The Business Associate will take necessary and possible steps to protect data during emergency situations. In the event of an emergency situation, or when the facility is unsupervised, workstations will be locked to prevent unauthorized access to E-PHI. All data is stored in Online Tech data centers, and in doing so, the Business Associate mitigates the risk of access loss due to theft or fire within the facility. There are no other critical business operations concerning the protection of the security of E-PHI.

Physical Safeguards:

Facility access controls, workstation use and security.

  1. Individuals may only use workstations in accordance with Workstation Use Policy.
  2. An individual may only access E-PHI on a Business Associate approved computer through a secure Internet connection; the computer will be securely password protected, and will contain antivirus/malware software in accordance with the Workstation Policy. Individuals will be prohibited from storing E-PHI on personal computers.
  • Offices or workstations will be available for individuals with access to PHI and E-PHI.
  1. Authorized workstations will be protected by a screensaver that hides the screen, and the computer will time out after 15 minutes of inactivity and will require a password to restore the display.
  2. An information security warning will be displayed upon the login into Symport, reminding users that they are accessing resources that contain or have access to E-PHI, and therefore discretion is advised.
  3. Whenever possible, space will be secured through locking the door when the workstation will be unattended for extended periods.

Facility Security Plan. Building locks after 9:00 pm and a 5 digit security code is required to gain access. Office doors lock automatically and require 4 digit keycode. Windows are closed and locked at the end of the day. Keycode lock information is stored in a locked file cabinet. Visitor sign in is required for any non-employee who is spending time in the office, and reviewed periodically by the Security Official

Maintenance Records. The Business Associate will document any physical repairs, changes, or maintenance performed on components of the facility that pertain to security.

Device and Media Disposal. The Security Official will ensure all PHI is destroyed prior to disposal of media and devices once containing PHI. The Security Official will remove access to E-PHI from all electronics, and wipe them completely before disposal.

Media re-use. The Business Associate does not store E-PHI on any disposable or re-usable user devices or media. Therefore, physical disposal policy is not warranted. However, as a precautionary measure, upon repurposing, decommissioning, or modifying a workstation (either desktop or laptop), the hard disks are inspected by IT to ensure no E-PHI is present.

  1. The Security Official maintains inventory records of all Business Associate-owned hardware and is responsible for reflecting when changes occur.
  2. Data backup and storage. All E-PHI is stored centrally on Online Tech servers; therefore backup of hardware before a move is not required.
  3. Technical Safeguards:
    1. Access controls. Individuals with access to E-PHI will use an individual Symport login and password. All individuals must read and agree to the Workstation Policy before receiving access to E-PHI. Failure to comply with requirements outlined in the Workstation Policy can result in disciplinary measures for individuals, as stated by the Sanctions for Violations of Policy section above.
    2. Emergency access procedures. Access to PHI will not be affected by local emergencies or disasters. Online Tech has their own Emergency access procedures.
    3. Automatic logoff. Following 15 minutes of inactivity, an individual will automatically be locked out of the system, and must re-enter his or her password to regain access.
    4. Encryption and decryption. The Business Associate ensures encryption of the E-PHI in all components of its business.
    5. Audit controls. The Business Associate will track system activity in the following ways: failed login attempts, current active accounts, DB access logs, office wifi log and super users log. Logs will be reviewed monthly by the Security Official for any suspicious or unexpected activity.
    6. Person or entity authentication. A unique username and password combination is required for any individual to access any systems containing E-PHI. Passwords will conform to the Password Policy as outlined in the Workstation Use Policy.
    7. Transmission Security. The covered entity will use HTTP-Secure connection protocols for all transmissions of E-PHI. Data is encrypted during transmission using SSL.

IV. POLICIES ON USE AND DISCLOSURE OF PHI and E-PHI

  1. A. Access to PHI And E-PHI Is Limited To Certain Individuals.
  2. Workforce clearance: Upon employment with the Business Associate, individuals are given network access to necessary systems. Based on the individual’s role with the Business Associate, they may be given special access rights to systems containing PHI and E-PHI. Individuals with access to PHI and E-PHI will sign a statement of adherence to this Policy and will acknowledge that violations of this Policy may lead to disciplinary action, as specified in the Sanction Policy. The Security Official will periodically review the list of persons with access to PHI and E-PHI to ensure they are valid.
  3. Workforce authorization and/or supervision: The Security Official is authorized to provide network access to the E-PHI environments. The Security Official will document anytime authorization for PHI access is granted to an employee of the Business Associate, and ensure that the employee is properly trained and knowledgeable of all relevant terms outlined in this policy.
  4. Termination: If an individual who has access to PHI or E-PHI terminates employment, the individual’s access to PHI and E-PHI will be terminated immediately by the Security Official, after which a review of their system access will be conducted the Security Official. Any removable electronic media in the individual’s possession will be returned to the Business Associate prior to termination. Additionally, physical access to facilities, such as key-codes, will be changed.
  5. Use and Disclosure. The Business Associate will use and disclose PHI only as permitted or required by its business associate contract or as required by law. The Business Associate may not use or disclose PHI in a manner that would violate the requirements of HIPAA if done by the covered entity.

The Business Associate will disclose PHI as follows:

  1. When required by the HHS to investigate or determine the Business Associate’s compliance with HIPAA;
  2. To the covered entity, individual or individual’s designee as necessary to satisfy a covered entity’s obligations to provide access to PHI that is maintained in a designated record set pursuant to 164.524(c)(2)(ii) and (3)(ii).
  3. Sale of PHI. The business associate will obtain an authorization for any sale of PHI, as defined at 45 CFR 164.502(a)(5)(ii). Sale does not include a disclosure of PHI for research purposes where the only remuneration received by the business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes, or a disclosure to or by a business associate for activities that the business associate undertakes on behalf of a covered entity and the only remuneration provided is by the covered entity to the business associate for the performance of such activities, or for any other purpose permitted by HIPAA where the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI of such purpose or the fee is otherwise expressly permitted by other law.
  4. Complying With the “Minimum-Necessary” Standard. For making disclosures or requests for PHI to any party for any purpose, information must, to the extent practicable, be limited to the minimum necessary to accomplish the purpose of the disclosure or request.

The “minimum-necessary” standard does not apply to any of the following:

  • uses or disclosures made to the individual;
  • uses or disclosures made pursuant to a valid authorization;
  • disclosures made to the Department of Health and Human Services;
  • uses or disclosures required by law;
  • uses or disclosures required to comply with HIPAA; and
  • disclosures to or requests made by a health care provider for treatment.

For disclosures of PHI, the Business Associate will determine what constitutes the minimum necessary.

Disclosure to Subcontractor.   The Business Associate may disclose PHI to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain or transmit PHI on its behalf if the Business Associate enters into a business associate agreement with the subcontractor that satisfies the requirements of 54 CFR 164.502(e) and 164.504(e)(1)(i).

De-identified Information. Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not PHI.

Breach Notification Policy. If a breach of unsecured PHI has occurred, the Business Associate will comply with the notice requirements set forth in this Section.

The Security Official is responsible for reviewing the circumstances of possible breaches brought to his/her attention and determining whether a Breach has occurred in accordance with this Policy and the HIPAA Regulations. All subcontractors, and all individuals who have access to PHI, are required to report to the Security Official any incidents involving possible breaches.

A Breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the privacy rules which compromises the security or privacy of the PHI. The following are excluded from the definition of Breach:

  1. Any unintentional access, use, or acquisition of PHI by an individual or Business Associate, if the unauthorized access, use or acquisition was made in good faith and within the scope of authority of the individual and does not result in further use or disclosure in a manner not permitted under the HIPAA privacy rules.
  2. Any inadvertent disclosure by a person authorized to access PHI at the covered entity or Business Associate to another person at the same covered entity or Business Associate also authorized to access the PHI, provided that there is no further use or disclosure in violation of the HIPAA privacy rules.
  3. A disclosure of PHI where there is a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI.

Except as noted above, any acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA rules is presumed to be a Breach, unless the Security Official demonstrates that there is a low probability that the PHI has been or will be compromised. The Security Official’s determination of whether a Breach has occurred must include the following considerations:

  1. Was there a violation of HIPAA Privacy Rules? There must be an impermissible use or disclosure resulting from or in connection with a violation of the HIPAA Rules by the Business Associate. If not, then the notice requirements do not apply.
  2. Was PHI involved? If not, then the notice requirements do not apply.
  3. Was the PHI secured? For E-PHI to be “secured,” it must have been encrypted to NIST standards or destroyed. For paper PHI to be “secured,” it must have been destroyed. If the PHI was secured, then the notice requirements do not apply.
  4. Was there unauthorized access, use, acquisition, or disclosure of PHI? If not, then the notice requirements do not apply.
  5. Is there a low probability that privacy or security was compromised? If the Security Official determines that there is only a low probability of compromise, then the notice requirements do not apply.
  6. To determine whether there is only a low probability that the PHI was compromised, the Security Official must perform a risk assessment that considers at least the following factors:
    1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
    2. The unauthorized person who used the PHI or to whom the disclosure was made.
    3. Whether the PHI was actually acquired or viewed.
    4. The extent to which the risk to the PHI has been mitigated.

If a Business Associate commits or identifies a possible Breach, the Business Associate must give notice to the covered entity. The covered entity is responsible for providing any required notices of a Breach to individuals, HHS, and (if necessary) the media.

SECURITY POLICIES

  1. General. HIPAA requires the Business Associate to implement various security measures with respect to E- PHI. Specifically, the Business Associate will:
  1. Ensure that data or information that is stored or transmitted electronically (a) is not made available or disclosed to unauthorized persons or processes, (b) has not been altered or destroyed in an unauthorized manner, and (c) is accessible and useable upon demand by an authorized person;
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy rules; and
  4. Ensure compliance with the security rules by the Business Associate’s workforce.

To meet these requirements, the Business Associate will implement certain administrative, physical and technical safeguards, as specified in the HIPAA regulations and summarized in the attached HIPAA Security Standards for the Protection of E-PHI in Appendix A. In determining which security measures to use, the Business Associate will take into account the following:

  1. the size, complexity, and capabilities of the Business Associate;
  2. the Business Associate’s technical infrastructure, hardware, and software security capabilities;
  3. the costs of security measures; and,
  4. the probability and criticality of the potential risks to E-PHI.
  5. Risk Analysis. The Business Associate will conduct ongoing assessments of the potential risks to the confidentiality, integrity, and availability of E-PHI. These risk assessments will be documented by the Security Official, who will evaluate and adjust all relevant policies, especially security policies, accordingly, and provide adequate notifications of policy changes to individuals to whom those policies pertain.

The Business Associate currently uses the following software products or services:

  • Ruby, Rails, Ember, Emblem, Foundation – development language
  • PostgreSQL – database
  • Online Tech Servers

The E-PHI is stored at rest as follows: Encrypted on a firewalled server on the Online Tech cloud

Based on risk assessments undertaken by the Business Associate, as documented by the Security Official, the Business Associate has determined that it need not take any additional security measures, other than the measures set forth in this Policy and the Workstation Policy, to protect against reasonably anticipated threats and vulnerabilities and to reduce risks to the confidentiality, integrity and availability of E- PHI.

  1. Risk Management. The Business Associate has implemented the administrative, physical and technical safeguards specified in this Policy.
  2. Security Incidents. If a security incident occurs, the individuals involved will inform the Security Official. Depending on the nature of the incident, the Security Official will assess whether or not a security incident occurred and, if so, will gather and preserve the necessary evidence of the incident. If a security incident occurred, the Security Official will document the incident and outcome, including the impact of the security incident, communicate the necessary information to the affected parties, as specified by the Business Associate agreements, and review all necessary policies to mitigate the risk of having another incident. Additionally, the Security Official will review the individuals’ account activity to examine and reasonably mitigate damage.
  3. Review. The Business Associate will regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports. The Business Associate will regularly review risk assessment reports and other policy to evaluate the extent to which its security policies and safeguards protect the confidentiality of E-PHI and update the policies and safeguards as necessary.

DOCUMENTATION
The Business Associate’s HIPAA policies and procedures shall be documented, reviewed periodically, and updated as necessary in response to environmental or operational changes affecting the privacy and security of the Business Associate’s PHI and E-PHI, and any meaningful changes to policies or procedures will be documented promptly. The Business Associate shall document certain actions, activities, and assessments with respect to PHI and E- PHI required by HIPAA to be documented.

Policies, procedures, and other documentation controlled by the Business Associate may be maintained in either written or electronic form. These documents will be made easily available through hard and electronic copies to the persons responsible for the procedures to which the document pertains. The Business Associate will maintain such documentation for at least six years from the date of creation or the date last in effect, whichever is later.