HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
HIPAA AND HITECH COMPLIANCE STATEMENT
THE ROI COMPANIES (“ROI” or “We”) agree to be bound by the terms of this Statement to the extent that: (a) you are a client that is a “covered entity” under the administrative simplification provision of the Health Insurance Portability and Accountability Act of 1996 and its Privacy Rule and Security Rule (“HIPAA”), as such may be amended from time-to-time or otherwise modified by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) as such may be amended from time-to-time; and (b) We are acting as your “business associate” under HIPAA and the HITECH Act. This Statement supersedes and replaces any prior statement of a similar nature that we sent to you or posted on our web site and shall work in conjunction with any Business or Business Associate Agreement that we have signed. Terms used in this Statement have the meanings given them in HIPAA and the HITECH Act except that “protected health information” shall be limited to the protected health information created or received by you or on your behalf.
1. We may use protected health information for the purpose of providing billing, collections, coding, medical records management, or similar revenue cycle management services to you. In connection with the foregoing, we may use and disclose protected health information for the proper management and administration of our agency and law firm and to carry out our responsibilities, as long as, in the case of any disclosure for these purposes, either: (a) the disclosure is required by law; or (b) we obtain reasonable written assurances from the person to whom we disclose the protected health information that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to such person, and that the person will notify us of any instances of which it is aware in which the confidentiality of the information has been breached.
2. We will:
2.1 Not use or further disclose your protected health information except as permitted or required by the agreement for services that we sign with our clients or vendors, or as required by law.
2.2 Implement policies and procedures and take all other appropriate action as is necessary to prevent use or disclosure of your protected health information other than as permitted by our agreements and the law and, in connection therewith, we shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we create, receive, maintain, or transmit on your behalf.
2.3 Report to you in a timely fashion: (a) any impermissible use or disclosure of your protected health information of which we become aware; (b) any security incident involving electronic protected health information of which we become aware; and/or (c) any breach of your unsecured protected health information that we discover. The timing of the report will be consistent with our legal and contractual obligations, including the HITECH Act’s breach notification requirements, and the level of risk reasonably likely to be presented by the use, disclosure, incident, or breach.
2.4 Ensure that our agents and those subcontractors to whom we provide your protected health information agree to the restrictions and conditions that apply to us with respect to such information and, with respect to any electronic protected health information, agree to implement reasonable and appropriate safeguards to protect that information.
2.5 Make available your protected health information to you so you can meet your obligations to provide individual access to such protected health information, if you instruct us to do so.
2.6 Make available your protected health information so you can meet your obligations to amend any incomplete or inaccurate protected health information and incorporate any amendments as you may instruct.
2.7 Report to you, upon your request, all disclosures of protected health information by us, as necessary to enable you to comply with your obligation to account for uses and disclosures of protected health information. We will report only those disclosures for which you would be required to provide an accounting. We ask that you not direct an individual to request an accounting of disclosure directly from us.
2.8 Make our internal practices, books, and records relating to the use and disclosure of protected health information available to the Secretary of the United States Department of Health and Human Services (“Secretary”), for purposes of determining your compliance with your legal obligations. Unless otherwise required by law or authorized by you in writing, we will not disclose any confidential or privileged information that we receive from you or create on your behalf to the Secretary. This Statement and our representations hereunder do not and should not be interpreted as our waiver or amendment of either the attorney-client privilege, the attorney work product doctrine, or other privileges or protections.
2.9 Upon termination of our business relationship, return or destroy all protected health information that we maintain in any form and retain no copies of such information or, if return or destruction is not feasible, we shall extend the protections required by law or agreement to such information and limit further use and disclosure of the information to those purposes that make the return or destruction of the information infeasible. Because of our responsibility to maintain a record of the services we provide, return or destruction of the information generally will not be feasible.
3. With respect to any business associate functions, we will comply with the provisions of the HIPAA Security Rule that are made applicable to business associates by the HITECH Act, including the administrative, physical, and technical standards of the Security Rule and the requirements to maintain policies, procedures, and documentation of security activities.
4. To the extent required by the HITECH Act, any privacy or security requirement under the HITECH Act that is applicable to you, as a covered entity, shall be incorporated into our business relationship agreements and, therefore, shall apply to us.
5. You may immediately terminate your business relationship with us if you determine that we have violated a material term of this Statement or any business relationship agreement that we have.
6. Nothing express or implied in this Statement is intended to, or does, confer upon any other person or entity any rights, remedies, obligations, or liabilities whatsoever.
7. This Statement is to be interpreted consistently with our obligation of reasonable care in the performance of our services on your behalf as our client. In the event of an inconsistency or disagreement between the terms of this Statement and any of our business relationship agreements, such agreements shall supersede the terms of this Statement.
8. We may amend this Statement by posting amendments on our web site. The amendments will become effective upon posting.