HIPAA Compliance

Overview

Account Holders and Members will use the “ImageStore for Healthcare” online service to transmit and store “electronic protected health information,” as defined in the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and the regulations modifying 45 CFR Parts 160 and 164 adopted by the Secretary of Health and Human Services pursuant to HIPAA, as amended (the “Security and Privacy Rule”). Unless a capitalized term is specifically defined in this HIPAA Compliance Policy (the “Policy”), it will have the definition given to it in the Security and Privacy Rule or in the TTL Terms of Service (the “Agreement”), as applicable. In the event of an inconsistency between this Policy and any mandatory provision of the Security and Privacy Rule, as each may be amended from time to time, the Security and Privacy Rule will control. You can find the current text of HIPAA and the Security and Privacy Rule, as well as other information relating to the privacy of medical information here: http://www.hhs.gov/ocr/hipaa/.

Responsibilities of Account Holders and Members

  1. Patient Consent. Each Account Holder must have obtained from each patient written consent to the use and disclosure of electronic protected healthcare information (referred to in this Policy as “EPHI”) about such patient before any EPHI of such patient may be uploaded to the Service. The Account Holder must have complied with the Security and Privacy Rule in connection with obtaining such consent, including, but not limited to:
    1. The Account Holder must have delivered to each such patient a written notice of the Account Holder's privacy practices (within the meaning of Section 164.520 of the Security and Privacy Rule) prior to obtaining such consent;
    2. The Account Holder's practices must allow the patient to request restrictions on the use and disclosure of the patient's EPHI, and the ability of the patient to revoke such patient's consent;
    3. Each such consent must be in writing and be dated and signed by the patient (or his or her representative); and
    4. Each of the Account Holder's employees must have been trained in the Account Holder's privacy practices and procedures.

  2. Account Holder's Privacy Practices. Each Account Holder must promptly notify TTL of:
    1. Any limitation(s) in Account Holder's notice of privacy practices in accordance with Section 164.520 of the Security and Privacy Rule, to the extent that such limitation may affect TTL's use or disclosure of EPHI;
    2. Any changes in, or revocation of, permission by any individual patient to use or disclose EPHI, to the extent that such changes may affect TTL's use or disclosure of EPHI; and
    3. Any restriction to the use or disclosure of EPHI that the Account Holder has agreed to in accordance with Section 164.522 of the Security and Privacy Rule, to the extent that such restriction may affect TTL's use or disclosure of EPHI.

  3. Use of the Service.
    1. Account Holders and Members may use the Service only to carry out their respective health care functions. Account Holders and Members may only upload EPHI to the Service to the minimum extent necessary to accomplish the intended purpose for which such EPHI is being used and for which consent has been given by the patient.
    2. No Account Holder or Member may request TTL to use or disclose EPHI in any manner that would not be permissible under the Security and Privacy Rule if done by such Account Holder or Member, as applicable.

Responsibilities of TTL

  1. During the term of the Agreement, TTL will use or disclose EPHI solely: (i) for meeting our obligations as set forth in the Agreement; (ii) as required by applicable law, rule or regulation, or by any accrediting or credentialing organization to whom any applicable Account Holder or Member is required to disclose such EPHI or as otherwise permitted under the Agreement, or the Security and Privacy Rule; and (iii) as would be permitted by the Security and Privacy Rule if such use or disclosure were made by such Account Holder or Member.

  2. Upon (i) the termination of an Account Holder's Account, (ii) the termination of a Member's access to and use of the Service, or (iii) the request of an Account Holder or Member, whichever occurs first, we will return or destroy all EPHI received from such Account Holder or Member or created or received by us on behalf of such Account Holder or Member that we still maintain in any form and retain no copies of such EPHI, or if such return or destruction is not feasible, we will extend the protections of the Agreement to the EPHI and limit further uses and disclosures to those purposes that make the return or destruction of the EPHI not feasible.

  3. We will, at all times during the term of the Agreement, ensure that our agents, including any subcontractors, to whom we provide EPHI received from or created by us on behalf of any Account Holder or Member, agree to the same restrictions and conditions that apply to us with respect to such EPHI, and we agree to implement reasonable and appropriate safeguards to protect any such EPHI. In addition, we agree to take reasonable steps to ensure that our employees' actions or omissions do not cause us to breach the terms of the Agreement.

  4. Notwithstanding the prohibitions set forth in this Policy or in the Agreement, we may use and disclose EPHI as follows:
    1. if necessary, for the proper management and administration of our business or to carry out our legal responsibilities, provided that as to any such disclosure, the following requirements are met: (A) the disclosure is required by law; or (B) we obtain reasonable assurances from the person to whom the EPHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies us of any instances of which it is aware in which the confidentiality of the EPHI has been breached;
    2. if necessary, to report violations of law to appropriate federal and state authorities, consistent with Section 164.502(j)(1) of the Security and Privacy Rule; and
    3. for data aggregation services, to be provided by us in the provision of the Service pursuant to the Agreement. For purposes of the Agreement, data aggregation services means the combining of EPHI by us with the EPHI received by us in our capacity as a TTL of another Account Holder or Member, to permit data analyses that relate to the health care operations of the respective Account Holders or Members.

  5. We will implement appropriate safeguards to prevent use or disclosure of EPHI other than as permitted in the Agreement. We will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any EPHI that we create, receive, maintain, or transmit on behalf of any Account Holder or Member as required by the Security and Privacy Rule.

  6. The Secretary of Health and Human Services shall have the right to audit our records and practices related to use and disclosure of EPHI to ensure each Account Holder's or Member's compliance with the terms of the Security and Privacy Rule.

  7. We will report to the appropriate Account Holder or Member any use or disclosure of EPHI which is not in compliance with the terms of the Agreement or this Policy of which we become aware. We will report to the appropriate Account Holder and/or Member any Security Incident of which we become aware. In addition, we agree to mitigate, to the extent practicable, any harmful effect that is known to us of a use or disclosure of EPHI by us in violation of the Agreement or this Policy.

  8. We agree to make available EPHI to the extent and in the manner required by Section 164.524 of the Security and Privacy Rule. We agree to make EPHI available for amendment and incorporate any amendments to EPHI in accordance with the requirements of Section 164.526 of the Security and Privacy Rule. In addition, we agree to make EPHI available for purposes of accounting of disclosures, as required by Section 164.528 of the Security and Privacy Rule.

Termination for Cause

Notwithstanding any provision of the Agreement relating to termination of the Agreement, upon the discovery by any Account Holder or Member of a material breach of the Agreement or this Policy by TTL, such Account Holder or Member shall either:

  1. Provide an opportunity for TTL to cure the breach or end the violation and terminate the Agreement if TTL does not cure the breach or end the violation within the time specified by such Account Holder or Member;

  2. Immediately terminate the Agreement if TTL has breached a material term of the Agreement and cure is not possible; or

  3. If neither termination nor cure is feasible, such Account Holder or Member shall report the violation to the Secretary.

Coordination with HIPAA and the Security and Privacy Rule

  1. Amendment. TTL will take such action as is necessary to amend the Agreement from time to time as is necessary for Account Holders and Members to comply with the requirements of HIPAA and the Security and Privacy Rule.

  2. Interpretation. Any ambiguity in the Agreement or this Policy shall be resolved to permit the applicable Account Holder or Member to comply with the Security and Privacy Rule.