Online Privacy Notice

ONLINE PRIVACY NOTICE

  1. Introduction.
  2. Website Owner. [AZTRT LLC, i.e., “AZTRT LLC”] ("AZTRT LLC") is the owner of this website ("(AZTRT LLC Website)"). AZTRT LLC can be contacted by mail at [address], by phone at [telephone number], or by e-mail at [e-mail address]. This online privacy notice discloses AZTRT LLC information practices for this AZTRT LLC Website, including what type of personal identifiable information is requested in order to make a purchase, how the information is used, and with whom the in-formation is shared. [Note that other AZTRT LLC websites may be governed by privacy notices containing different information practices applicable to those sites.]
  3. [Anonymous] Website Visits. In general, you can visit on the AZTRT LLC Website without [disclosing OR revealing ] any personal information. AZTRT LLC does [does OR does not] [keep track of the domains from which people visit us. OR AZTRT LLC analyzes the data gathered from Website visits for trends and statistics, and then AZTRT LLC discards the gathered data.]
  4. Website Transactions. At times, AZTRT LLC will need personal information regarding a customer or a prospect. For example to process an order or provide a subscription, AZTRT LLC may need to know a customer's name, mailing address, e-mail address and credit card details. It is AZTRT LLC's intent to inform you know before AZTRT LLC collects personal information, such as user's name and/or address on the Internet. If you tell us that you do not wish to have this information used as a basis for further contact with you, AZTRT LLC will respect your wishes.
  5. Third Party Certification. AZTRT LLC is a member of the [name of third party certification program], an independent, nonprofit organization that promotes privacy policies of disclosure and informed consent. [AZTRT LLC also abides by the Safe Harbor framework as set forth by the United States Department of Commerce regarding the collection, use and retention of information collected from the European Union.]
  6. Personal Information That May Be Collected.
  7. Identifying Information. In order to make a purchase [to make a purchase OR to access designated subscriber services and /or restricted areas within the AZTRT LLC Website], AZTRT LLC will request a user to provide certain personal identifying information, which may include: [legal] name, postal address, e-mail address, [screen name, password,] [daytime] telephone number, facsimile number, method of payment, and, if applicable, credit card number. AZTRT LLC may request additional information necessary to establish and maintain customer's account.
  8. Service Quality Monitoring. Some Website transactions may require a customer to telephone AZTRT LLC, or AZTRT LLC to call the customer. AZTRT LLC will not contact you by telephone without your prior consent, except to confirm an order placed online and/or to inform a customer of the status of such order. Customer should be aware that it is AZTRT LLC's practice to monitor, and in some cases record such calls for staff training or quality assurance purposes.
  9. Information from Children. AZTRT LLC does not sell products or services for purchase by children, and will not collect or post information from a child under the age of [16 OR 17 OR 18] without the involvement of a parent or guardian. AZTRT LLC will notify the child's parent or guardian at the e-mail address provided by the prospective customer, alerting the parent or guardian to the child's use of the Website and providing instructions as to how the parent or guardian can delete the child's registration from the Website. AZTRT LLC does not use personally identifying information collected from children for marketing or promotional purposes, and does not disclose such information to any third party for any purpose whatsoever.]
  10. Lost or Stolen Information. If a [customer's credit card and/or password] is lost or stolen, the customer should promptly notify AZTRT LLC in order to enable AZTRT LLC to cancel the lost or stolen information and to update its records with a changed [credit card and/or password].
  11. Chat Rooms, Forums and Bulletin Boards. If customer participates in an AZTRT LLC chat room, discussion forum, or posts messages to an AZTRT LLC bulletin board, customer should be aware that the information disclosed and shared will be broadly available to other persons, both inside of and/or outside AZTRT LLC, who have access to that chat room, forum or bulletin board. Some individual AZTRT LLC chat rooms, forums or bulletin boards have additional rules and conditions regarding participation. Also, participant's expressed opinion is his or her own and should not be considered as reflecting the opinion of AZTRT LLC.
  12. Links to Other Websites. An AZTRT LLC Website may contain links to other websites. AZTRT LLC is not responsible for the privacy practices or the content of those other Websites.
  13. Uses Made of the Information.
  14. Limited Uses Identified. Without customer's prior consent, AZTRT LLC will not use your personal identifiable information for any purpose other than that for which it is submitted. AZTRT LLC uses personal identifiable information to reply to inquiries, handle complaints, provide operational notices and in program record-keeping. AZTRT LLC also processes billing and business requests related to AZTRT LLC Website participation.
  15. Marketing Uses. Unless customer marks an "x" on the opt-out option box herein provided, AZTRT LLC reserves the right to provide customer with information about AZTRT LLC's Website, AZTRT LLC products and services, and related information in which customer has indicated an interest.
  16. Stored Information Uses. AZTRT LLC stores [and retains] [the information provided by customer OR the information entered on the AZTRT LLC Website]. [This information is used to compile a customer's purchase history in order to enable AZTRT LLC to recommend products, services, or special offers that would be of interest to a customer. OR Stored information is used by AZTRT LLC {and/or AZTRT LLC agents}: to support customer interaction with the AZTRT LLC Website; to deliver customer purchases; and/or to contact customer again about other AZTRT LLC services and products.]
  17. Online Advertising. Some companies that help AZTRT LLC deliver interactive on-line advertising, such as banner ads, may collect and use information about AZTRT LLC's customers to help AZTRT LLC better understand the types of advertising or promotions that are most appealing to AZTRT LLC's customers. After it is collected the information is aggregated so it is not identifiable to a specific individual. If, however, customer would prefer that these companies not collect such information, please mark an "x" on the opt-out option box herein provided.
  18. Disclosure of the Information.
  19. Within Corporate Organization. AZTRT LLC is a multinational organization, with legal entities, business processes, management structures, and technical systems that cross borders. AZTRT LLC may share your personal information within the AZTRT LLC corporate organization, and may transfer the information to countries in the world where AZTRT LLC conducts business. Some countries may provide less legal protection for customer personal information. [In such countries AZTRT LLC will still handle customer personal information in the manner describe herein.]
  20. Mergers and Acquisitions. Circumstances may arise where for business reasons, AZTRT LLC decides to sell, buy, merge or otherwise reorganize its businesses in the United States or some other country. Such a transaction may involve the disclosure of personal identifying information to prospective or actual purchasers, and/or receiving such information from sellers. It is AZTRT LLC's practice to seek appropriate protection for information in these types of transactions.
  21. Agents. AZTRT LLC employs or engages other companies and individuals to perform business functions on behalf of AZTRT LLC. These persons are provided with personal identifying information required to perform their functions, but are prohibited by contract from using the information for other purposes. These persons engage in a variety of functions which include, but are not limited to, fulfilling orders, delivering packages, removing repetitive information from customer lists, analyzing data, providing marketing assistance, processing credit card payments and providing customer services.
  22. Affiliated Businesses. AZTRT LLC works closely with affiliated businesses operating website stores, providing services or selling products on each other's Websites. These businesses identify themselves to customers. Customer information related to a transaction with an affiliated business is shared with that affiliated business.
  23. Marketing Analysis by Third Parties. AZTRT LLC reserves the right to disclose to third parties personal information about customers for marketing analysis; however, any information disclosed will be in the form of aggregate data that does not describe or identify an individual customer.
  24. Disclosure to Governmental Authorities. Under certain circumstances, personal information may be subject to disclosure pursuant to a judicial or other government subpoenas, warrants or orders.
  25. Use of Computer Tracking Technologies.
  26. No Tracking of Personal Information. AZTRT LLC's Website(s) are not set up to track, collect or distribute personal information not entered by visitors. Through website access logs AZTRT LLC does collect clickstream data and HTTP protocol elements, which generate certain kinds of non-identifying site usage data, such as the number of hits and visits to our sites. This information is used for internal purposes by technical support staff for research and development, user analysis and business decision making, all of which provides better services to the public. The statistics garnered, which contain no personal information and cannot be used to gather such information, may also be provided to third parties.
  27. Use of Cookies. AZTRT LLC, or its third party vendors, collects non-identifiable and personal information through the use of various technologies, including "cookies". A cookie is an alphanumeric identifier that a Website can transfer to customer's hard drive through customer's browser. The cookie is then stored on customer's computer as an anonymous tag that identifies the customer's computer, but not the customer. Cookies may be sent by AZTRT LLC or its third party vendors. Customer can set its browser to notify customer before a cookie is received, giving an opportunity to decide whether to accept the cookie. Customer may also set its browser to turn off cookies; however, some Websites may not then work properly.
  28. Use of Web Beacon Technologies. AZTRT LLC may also use Web beacon or other technologies to better tailor its Website(s) to provide better customer service. If these technologies are in use, when a visitor accesses these pages of the Website, a non-identifiable notice of that visit is generated which may be processed by AZTRT LLC or by its suppliers. Web beacons usually work in conjunction with cookies. If customer does not want cookie information to be associated with customer's visits to these pages, customer can set its browser to turn off cookies; however, Web beacon and other technologies will still detect visits to these pages, but the notices they generate cannot be associated with other non-identifiable cookie information and are disregarded.
  29. Collection of Non-Identifiable Information. AZTRT LLC may collect non-identifiable information from user visits to the AZTRT LLC Website(s) in order to provide better customer service. Examples of such collecting include: traffic analysis, such as tracking of the domains from which users visit, or tracking numbers of visitors; measuring visitor activity on AZTRT LLC Website(s); Website and system administration; user analysis; and business decision making. Such information is sometimes known as "clickstream data." AZTRT LLC or its contractors may use this data to analyze trends and statistics.
  30. Collection of Personal Information. AZTRT LLC collects personal identifying information from customer during a transaction. AZTRT LLC may extract some personally identifying information about that transaction in a non-identifiable format and combine it with other non-identifiable information, such as clickstream data. This information is used and analyzed only at an aggregate level (not at an individual level) to help AZTRT LLC understand trends and patterns. This information is not reviewed at an individual level.
  31. Information Security.
  32. Commitment to Online Security. AZTRT LLC employs physical, electronic and managerial procedures to safeguard the security and integrity of personal information. Billing and payment data is encrypted whenever transmitted or received online. Personal information is accessible only by staff designated to handle online requests or complaints. [All AZTRT LLC agents and contractors with access to personal information on the AZTRT LLC website(s) are also bound to adhere to AZTRT LLC security standards.]
  33. No Liability for Acts of Third Parties. AZTRT LLC will exercise all reasonable efforts to safeguard the confidentiality of customer personal information. However, transmissions protected by industry standard security technology and implemented by human beings cannot be made absolutely secure. Consequently, AZTRT LLC shall not be liable for unauthorized disclosure of personal information due to no fault of AZTRT LLC including, but not limited to, errors in transmission and unauthorized acts of [AZTRT LLC staff and/or third parties].
  34. Privacy Policy Changes and Opt-Out Rights.
  35. Changes to Privacy Policy. This privacy notice was last updated on 6/11/2024. AZTRT LLC reserves the right to [change OR update] its privacy policy statement at any time. A [notice of such change OR notice of any material change] will be [prominently] posted on the AZTRT LLC Website [home page OR on page] for [thirty (30) days] OR "for ___________________ (_____) days] prior to the implementation of such change. [There are two boxes at the end of AZTRT LLC's notice of change (1) an "I accept" box, and (2) an "I do not accept" box. If customer does not mark the "I do not accept" box customer will {be deemed to} have accepted AZTRT LLC's privacy policy updates.]
  36. Opt-Out Right. [Customer and/or prospective customer] has the right at any time to cease permitting personal information to be collected, used or disclosed by AZTRT LLC and/or by any third parties with whom AZTRT LLC has shared and/or transferred such personal information. Right of cancellation may be exercised by contacting AZTRT LLC via e-mail [e-mail address], telephone or [certified] postal mail. After processing the cancellation, AZTRT LLC will delete customer or prospective customer's personal information from its data base.
  37. Access Rights to Data.
  38. Information Maintained by AZTRT LLC. Upon customer's request, AZTRT LLC will provide a reasonable description of customer's personally identifiable information that AZTRT LLC maintains in its data bank. AZTRT LLC can be contacted by e-mail at admin@aztrt.com, telephone [provide phone number], or [certified] postal mail [provide AZTRT LLC address].
  39. Corrections and Changes to Personal Information. Help AZTRT LLC to keep customer personal information accurate. If customer's personal information changes, or if customer notes an error upon review of customer information that AZTRT LLC has on file, please promptly e-mail AZTRT LLC admin@aztrt.com and provide the new or correct information.
  40. Your California Privacy Rights. Beginning on January 1, 2005, California Civil Code Section 1798.83 permits customers of AZTRT LLC who are California residents to request certain information regarding AZTRT LLC’s disclosure of personal information for their direct marketing purposes. To make such a request, please write to: . Within 30 days of receiving such a request, AZTRT LLC will provide a list of the categories of personal information disclosed to third parties for third-party direct marketing purposes during the immediately preceding calendar year, along with the names and addresses of these third parties. This request may be made no more than once per calendar year. AZTRT LLC reserves its right not to respond to requests submitted other than to the address specified in this paragraph.

California’s privacy laws require a company to provide notice to California users of their rights to receive information on to which entities their information was shared for marketing purposes.

  1. Accountability.
  2. Questions, Problems and Complaints. If you have a question about this policy statement, or a complaint about AZTRT LLC compliance with this privacy policy, you may contact AZTRT LLC by e-mail admin@aztrt.com. If AZTRT LLC is unable to resolve your complaint to your reasonable satisfaction or if customer does not receive acknowledgment of an inquiry, customer may elect to proceed by contacting [provide name of third party privacy service organization and information on how to contact the organization].
  3. Terms of Use. If customer chooses [to enter into a purchase order OR to subscribe to AZTRT LLC's services], customer's action is hereby deemed acceptance of AZTRT LLC practices described in this policy statement. Any dispute over privacy between customer and AZTRT LLC is subject to the provisions of this notice and to AZTRT LLC's [Terms of Use Agreement OR Conditions of Use] which is hereby incorporated herein and which can be read at www.AZTRT.com/terms-of-use


HIPAA PRIVACY AND SECURITY POLICY

Introduction

ArizonaTRT PLLC and AZTRT LLC (the “Company”) has adopted this policy to ensure compliance under HIPAA.

Members of the Company’s workforce may have access to the “protected health information” (as described below) of participants in relation to the services. The Company intends to fully comply with the HIPAA requirements, as administered by the United States Department of Health and Human Services (HHS), including HIPAA’s Privacy Rule and Security Rule. HIPAA restricts the Companies’ use and disclosure of protected health information.

“Protected health information” (“PHI”) means information that is created or received by the Company and relates to the past, present, or future physical or mental health or condition of a participant; the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. PHI includes information concerning persons living or deceased. The Security Rule governs electronically conveyed PHI, or “E-PHI.” (“PHI” herein includes “E-PHI” unless “E-PHI” is specified.) Special aspects of Security Rule compliance are addressed at Article 2.12, below.

The Company has adopted this Privacy Policy and the Company’s separate HIPAA Use and Disclosure Procedures regarding the use and disclosure of PHI and individuals’ rights relating to their PHI. All members of the Company’s workforce who have access to PHI must comply with this Privacy Policy and the Company’s HIPAA Use and Disclosure Procedures. Individuals who would be considered part of the Company’s workforce under HIPAA are employees, independent contractors, volunteers, trainees, and other persons whose work performance is under the direct control of the Company, whether or not they are paid by the Company. The term “employee” herein includes all of these types of workers.

As further set forth in the Use and Disclosure Procedures, the Company adopts as a policy that all claims and benefit issues arising in any of the Company’s locations shall be referred to the Contact Person (or Privacy Official or Security Official where specifically designated in this Policy or the Use and Disclosure Procedures) for resolution. Therefore, any human resources personnel receiving inquiries regarding claims or benefits or any other questions regarding the Notice of Privacy Practices or any related issue, shall not attempt to answer or address such inquiries, but shall refer such inquiries to a Contact Person, or Privacy or Security Official, as is specifically designated.

  1. RESPONSIBILITIES AS COVERED ENTITY.
  2. Privacy Official and Contact Person. Joshua Ax, manager will be the Privacy Official for the Company. The Privacy Official will be responsible for the administration of policies and procedures relating to privacy, including but not limited to this Privacy Policy and the Company’s HIPAA Use and Disclosure Procedures.

The Privacy Official has designated Joshua Ax, manager, as the contact person (“Contact Person”) for all regular and routine matters, as set forth herein. The Contact Person will serve as the person available to participants who have questions, concerns, or complaints about their PHI, as specified in the Notice of Privacy Practices and as further detailed in the Use and Disclosure Procedures.

  1. Security Official and Contact Person. Joshua Ax, manager, will be the Security Official. The Security Official will serve as the person available for any issues of a technical nature specific to the HIPAA Security implementation specifications.

[Name and title], will serve as Contact Person for Privacy and Security Rule regular and routine matters.

  1. Persons with Access; Workforce Training. It is the Company’s policy to limit access to PHI to those who have need and to train employees who have access to PHI on its privacy and security policies and procedures. The Privacy Official, Security Official and Contact Person will develop training schedules and programs so that employees who have access to PHI (including E-PHI) receive the training necessary and appropriate to permit them to carry out their functions within the Company. The Security Official will arrange supplemental training of Persons with Access in elements of Security Rule compliance.
  2. Technical and Physical Safeguards and Firewall. An analysis of all the Company’s information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats—internal or external, natural or artificial, electronic and non-electronic—that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to the threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with its collection, storage, dissemination, and protection. From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.

All computer equipment and network systems are assets of the Company and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based on the following:

Installed Software: All software packages that reside on computers and networks within the Company must comply with applicable licensing agreements and restrictions and must comply with the Company’s acquisition of software policies.

Virus Protection: Virus checking systems approved by the Security Official and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.

Access Controls: Physical and electronic access to PHI is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Security Official and approved by the Company. Mechanisms to control access to PHI include (but are not limited to) the following methods:

  1. Authorization: Access will be user-based access whereby users of a system gain access based upon the identity of the user.
  2. Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access PHI. Users will be held accountable for all actions performed on the system with their user id.
  3. Authentication shall be by strictly controlled passwords.
  4. The user must secure his/her authentication control (e.g. password) such that it is known only to that user and possibly a designated security manager.
  5. An automatic timeout re-authentication must be required after a certain period of no activity.
  6. The workstation must freeze after three unsuccessful attempts to gain access.
  7. The user must log off or secure the system when leaving it.
  8. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features will be implemented:
  9. Encryption shall be utilized for emails where electronic PHI is transmitted.
  10. Benefits personnel shall use facsimile or telephone contact with the third-party administrator to the Company when dealing with electronic PHI in claims assistance.
  11. Remote Access: Access into the Company’s network from outside will be granted using the Company approved devices and pathways on an individual user and application basis. All remote access to systems which may access electronic PHI shall be made using a “virtual private network”. All other network access options to these systems are strictly prohibited.
  12. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals.

The following physical controls must be in place:

  1. Mainframe computer systems must be installed in an access-controlled area.
  2. File servers containing PHI must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
  3. Workstations or personal computers (PC) must be secured against use by unauthorized individuals. The following policies regarding workstation use and physical safeguards are instituted:
  4. Position workstations to minimize unauthorized viewing of protected health information.
  5. Grant access to systems which may access electronic PHI only to those who need it in order to perform their job function.
  6. Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to PHI.
  7. Use automatic screen savers with passwords to protect unattended machines.
  8. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.
  9. Facility Security Company—Procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  10. Access Control and Validation—Procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  11. Maintenance records—Procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).
  12. Employee Hiring and Departures:
  13. The Company shall maintain its existing clearance procedures regarding the hiring of employees.
  14. The Company shall maintain its existing procedures regarding departing employees, which include promptly deactivating system access and recovering ID cards, remote access devices and other access items.
  15. Security Updates: The Company will provide periodic updates as appropriate, including security reminders regarding access security, virus protection and maintaining password protection.

Equipment and Media Controls: The disposal of PHI must ensure its continued protection. The receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility shall be documented by Information Services personnel. The Company will maintain a record of the movements of hardware and electronic media and any person responsible therefor. PHI must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PCs, etc.) unless the devices have the following minimum security requirements implemented:

  1. Power-on passwords
  2. Auto logoff or screen saver with password
  3. Encryption of stored data or other acceptable safeguards approved by the Security Official
  4. Mobile computing devices must never be left unattended in unsecured areas

Data Transfer/Printing: PHI must be stored in a manner that is inaccessible to unauthorized individuals. PHI must not be downloaded, copied, or printed indiscriminately or left unattended and open to compromise.

Oral Communications: Company staff should be aware of their surroundings when discussing PHI. This includes the use of cellular telephones in public areas. Company staff should not discuss PHI in public areas if the information can be overheard. Caution should be used when conducting conversations in: semi-private rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.

Audit Controls: Logs that record and examine activity in information systems that contain or use PHI will be maintained. Records of information system activity will be reviewed weekly and available for review should a security incident have occurred or be suspected.

Evaluation: The Company shall undertake periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of electronic PHI to ensure its continued protection.

Contingency Company: Controls must ensure that the Company can recover from any damage to computer equipment or files within a reasonable period of time. The Company will create and maintain, for a specific period of time, retrievable exact copies of information. Certain backup data must be stored in an off-site location and protected from physical damage.

  1. Privacy Notice. The Privacy Official will maintain the Company’s Notice of the Privacy Practices that describes the uses and disclosures of PHI that may be made by the Company; the individual’s rights with respect to use and disclosure of PHI; and the Company’s legal duties with respect to the PHI.

The Notice informs participants that the Company and certain third parties as described therein (insurers and third-party administrators) will have access to PHI in connection with administrative functions. The Notice also provides details of the Company’s complaint procedures specifically for HIPAA Privacy and Security, the name and telephone number of the Privacy Official, Contact Person and Security Official for further information and assistance; and the date of the notice, among other elements.

  1. Complaints. The Contact Person is responsible for administering a process for individuals to lodge complaints about the privacy and security procedures. A copy of the complaint procedure shall be provided to any participant upon request.
  2. Sanctions for Violations of Privacy and Security Policy. Sanctions for using or disclosing PHI in violation of this HIPAA Privacy and Security Policy will be imposed in accordance with the Company’s discipline policy.
  3. Mitigation of Inadvertent Disclosures of Protected Health Information. The Company shall mitigate, to the extent possible, any harmful effects that become known to it of a use or disclosure of an individual’s PHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of PHI that violates this Policy, either by an employee of the Company or a third-party administrator or insurer, the employee may contact the Privacy Official so that the appropriate steps can be taken to mitigate the harm to the participant. (See “Use and Disclosure Procedures”.)
  4. Breach Notification Requirements. The Company will comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and its implementing regulations with respect to notifications in the event of a breach of unsecured PHI. As a result, if an employee becomes aware of a potential breach of unsecured PHI, the employee shall contact the Privacy Official. Promptly after a report of suspected breach of unsecured PHI, the Privacy Official shall direct and undertake an investigation and risk assessment to determine if a breach of unsecured PHI occurred and the scope of such breach. There is a reportable breach only if all of the following have occurred, as determined by the Privacy Official:

▪ There is a violation of the HIPAA Privacy Rules involving “unsecured” PHI.

▪ The violation involved unauthorized access, use, acquisition, or disclosure of unsecured PHI.

▪ The violation resulted in a compromise of the security or privacy of the PHI.

▪ No exception applies under applicable law.

If the Privacy Official determines that there is a low probability that the PHI was compromised, the Company will document the determination in writing and keep the documentation on file.

The Company shall, following the discovery of a breach of unsecured PHI that is required to be reported, notify each individual whose unsecured PHI has been, or is reasonably believed by the Company to have been, accessed, acquired, used, or disclosed as a result of such breach as well as the Secretary of HHS.

For a breach of unsecured PHI involving 500 or more residents of a state or jurisdiction, the Company shall notify prominent media outlets serving the state or jurisdiction.

For a breach of unsecured PHI involving 500 or more individuals, the Company shall notify the Secretary of HHS contemporaneously with the notice to affected individuals and in the manner specified on the HHS website.

The above notices shall be provided without unreasonable delay and in no case later than 60 days after discovery of the breach and shall comply with the requirements of the HITECH Act and its implementing regulations with respect to the content and method of notification.

A business associate is required to do the same.

Breach Notification Definitions

Breach. The acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA and its implementing regulations which compromises the security or privacy of the PHI. If an unauthorized use or disclosure of PHI occurs, the security or privacy of PHI is presumed to have been compromised unless the Company demonstrates that there is a low probability that the PHI has been compromised. This determination is made through a risk assessment of at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

A use or disclosure of PHI that does not include the identifiers listed at 45 CFR § 164.514(e)(2), date of birth, and zip code does not compromise the security or privacy of the protected health information. Breach excludes:

  1. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under HIPAA and its implementing regulations.
  2. Any inadvertent disclosure by a Person with Access and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under HIPAA and its implementing regulations.
  3. A disclosure of PHI where the Company has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Unsecured PHI. PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS in the guidance issued under Section 13402(h)(2) of the HITECH Act on the HHS website.

  1. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy and Security. No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

No individual shall be required to waive their privacy rights under HIPAA as a condition of treatment, payment, enrollment, or eligibility.

  1. Company Documents. The Company Documents include provisions to incorporate descriptions, as set forth in the Use and Disclosure Procedures, of the permitted and required uses and disclosures of PHI by the Company for Company administrative purposes. Specifically, the Company Documents require the Company to:

• not use or further disclose PHI, other than as permitted by the Company Documents or as required by law;

• ensure that any agents or subcontractors to whom it provides PHI received from the Company agree to the same restrictions and conditions that apply to the Company;

• not use or disclose PHI for employment-related actions or in connection with any other employee benefit Company (except as permitted within any “organized health care arrangement” or among the affiliated companies, as required for workers’ compensation purposes);

• report to the Privacy Official any use or disclosure of the information that is inconsistent with the permitted uses or disclosures;

• make PHI available to Company participants, consider their amendments and, upon request, provide them with an accounting of PHI disclosures;

• make the Company’s internal practices and records relating to the use and disclosure of PHI received from the Company available to HHS upon request; and

• if feasible, return or destroy all PHI received from the Company that the Company still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

The Company Documents as amended also require the Company to (1) certify that the Company Documents have been amended to include the above restrictions and that the Company agrees to those restrictions; (2) provide adequate firewalls; and (3) provide the administrative, physical and technical safeguards (including written policies and procedures) that reasonably protect the confidentiality, integrity and availability of electronic PHI it creates, receives, maintains, or transmits.

For these purposes, “Company Documents” mean the documents of the Company.

  1. Documentation and Document Retention. The Company’s and the Company’s privacy policies and procedures must be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must promptly be documented.

If a change in law impacts the Notice, the Notice must promptly be revised and made available to the necessary parties. Such change is effective only with respect to PHI created or received after the effective date of the Notice. The Company and the Company shall document certain events and actions (including authorizations, requests for information, sanctions, complaints) relating to an individual’s privacy rights, as further set forth in the Use and Disclosure Procedures. The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. Covered entities must maintain such documentation for at least six years, beginning with documents created on or after April 14, 2003.

  1. POLICIES ON USE AND DISCLOSURE OF PHI.
  2. Use and Disclosure Defined. The Company and the Company will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:

Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any Persons with Access of the Company, by the Insurers for the fully insured benefits as set forth in the Notice, or by a Business Associate (defined below) of the Company.

Disclosure. For information that is PHI, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons who are not Persons with Access of the Company.

  1. Workforce Must Comply with Company’s Policy and Procedures. HIPAA Use and Disclosure Procedures are set forth in a separate document.
  2. Access to PHI is Limited to Certain Employees. As set forth in Article I, above, only the Persons with Access shall have regular and recurring access to and use of PHI.

Persons with Access may use and disclose PHI for Company administrative functions, and they may disclose PHI to other Persons with Access for Company administrative functions (but the PHI disclosed must be limited to the minimum amount necessary to perform the Company administrative function). Persons with Access may not generally disclose PHI to employees (other than other Persons with Access) unless an authorization is in place or the disclosure otherwise is in compliance with this Policy and the Company’s HIPAA Use and Disclosure Procedures.

  1. Permitted Uses and Disclosures: Payment and Health Care Operations. PHI may be disclosed for the Company’s own payment purposes, and PHI may be disclosed to another covered entity for the payment purposes of that covered entity.

Payment. Payment includes activities undertaken to obtain Company contributions or to determine or fulfill the Company’s responsibility for provision of benefits under the Company, or to obtain or provide reimbursement for health care. Payment also includes: eligibility and coverage determinations, including coordination of benefits and adjudication or subrogation of health benefit claims; risk adjusting based on enrollee status and demographic characteristics; and billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess loss insurance) and related health care data processing.

PHI may be disclosed for purposes of the Company’s own health care operations. PHI may be disclosed to another covered entity, administrator, or insurer, for purposes of the other covered entity’s quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship. (See Article 2.10, below, regarding disclosures to “business associates”.)

Health Care Operations. Health care operations means any of the following activities to the extent that they are related to Company administration: conducting quality assessment and improvement activities; reviewing health Company performance; underwriting and premium rating; conducting or arranging for medical review, legal services, and auditing functions; business planning and development; reallocating employee claims from the Company to workers’ compensation, as appropriate; and general administrative activities.

  1. No Disclosure of PHI for Non-Health Company Purposes. PHI may not be used or disclosed for the payment or operations of the Company’s “non-health” benefits except required workers’ compensation disclosures (e.g., long-term disability, family and medical leave, life insurance, etc.), unless the participant has provided an authorization for such use or disclosure (as discussed in “Disclosures Pursuant to an Authorization”) or such use or disclosure is required by applicable state law and particular requirements under HIPAA are met.

PHI may not be used or disclosed for personnel purposes or administration of benefits not within the Company (except workers’ compensation-required disclosures), unless the participant has provided an authorization for such uses and disclosure (as discussed in “Disclosures Pursuant to an Authorization.”)

  1. Mandatory Disclosures of PHI to Individual and HHS. A participant’s PHI must be disclosed as required by HIPAA in two situations:

• The disclosure is to the individual who is the subject of the information (see the policy for “Access to Protected Health Information and Requests for Amendment”, below); and

• The disclosure is made to HHS for purposes of enforcing HIPAA.

  1. Permissive Disclosures of PHI for Legal and Public Policy Purposes. PHI may be disclosed in the following situations without a participant’s authorization, when specific requirements are satisfied. The Company’s HIPAA “Use and Disclosure Procedures” will describe specific requirements that must be met before these types of disclosures may be made, including prior approval of the Company’s Privacy Official. The permissive disclosures are:

• about victims of abuse, neglect, or domestic violence;

• for judicial and administrative proceedings;

• for law enforcement purposes;

• for public health activities;

• for health oversight activities;

• about decedents;

• about crime on Company premises;

• for cadaveric organ, eye or tissue donation purposes;

• for certain limited research purposes;

• to avert a serious threat to health or safety;

• for specialized government functions; and

• that relate to workers’ compensation programs.

  1. Disclosures of PHI Pursuant to an Authorization. PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization. The Contact Person will have a supply of the authorization form.
  2. Complying with the “Minimum-Necessary” Standard. HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure, as determined by the Privacy Official case-by-case, or, in the instance of routine and recurring disclosures, as set forth in the Uses and Disclosures Policy.

The “Minimum Necessary” Standard does not apply to any of the following:

• uses or disclosures made to the individual;

• uses or disclosures made pursuant to a valid authorization;

• disclosures made to the DOL;

• uses or disclosures required by law;

• uses or disclosures required to comply with HIPAA.

Minimum Necessary When Disclosing PHI. For making routine and recurring disclosures of PHI, the Company’s HIPAA “Use and Disclosure Procedures” will establish specific procedures. For routine and recurring disclosures developing prospectively, the Privacy Official (or Contact Person if directed by the Privacy Official) will direct an analysis of such disclosures and further, specific standards will be developed.

All other disclosures must be reviewed on an individual basis with the Privacy Official to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

Minimum Necessary When Requesting PHI. For making requests for disclosure of PHI from [list insurers and TPAs] for purposes of claims, claims reports, stop loss insurance and other payment and health care operations, the Use and Disclosure Procedures will outline policies and procedures designed to limit the amount requested to the amount reasonably necessary to accomplish the purpose for which the disclosure is requested.

All other requests must be reviewed on an individual basis with the Privacy Official to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

  1. Disclosures of PHI to Business Associates. Persons with Access may disclose PHI to the Company’s business associates and allow the Company’s business associates to create or receive PHI on its behalf. However, prior to doing so, the Company must first obtain assurances from the business associate (in the form of business associate agreements) that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a “business associate”, employees must contact the Contact Person and verify that a business associate agreement is in place.

A “Business Associate” is an entity or person who:

• performs or assists in performing a Company function or activity involving the use and disclosure of protected health information (including claims processing or administration; data analysis, underwriting, etc.); or

• provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services to the Company, where the performance of such services involves giving the service provider access to protected health information.

  1. Disclosures of De-identified Information and Limited Data Sets. The Company may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers under HIPAA.
  2. Policies Specific to E-PHI/Security Rule. The Company has performed a risk analysis and assessment and developed a document called the HIPAA Security Risk Analysis and Assessment document, including recommended administrative, physical and technical safeguards that reasonably protect the confidentiality, integrity and availability of electronic PHI the Company creates, receives, maintains or transmits.
  3. POLICIES ON INDIVIDUAL RIGHTS.
  4. Access to Protected Health Information and Requests for Amendment. HIPAA gives participants in the Company the right to access and obtain copies of their PHI that the Company (or its business associates) maintains in designated record sets. HIPAA also provides that participants may request to have their PHI amended. The Company will provide access to PHI and it will consider requests for amendment that are submitted in writing by participants as set forth in the Notice of Privacy Practices.

A “Designated Record Set” is a group of records maintained by or for the Company that includes:

  1. the enrollment, payment, and claims adjudication record of an individual maintained by or for the Company; or
  2. other protected health information used, in whole or in part, by or for the Company to make coverage decisions about an individual.
  3. Accounting. An individual has the right to obtain an accounting of certain disclosures of their own PHI. This right to an accounting extends to disclosures made in the last six years, other than disclosures:

• to carry out treatment, payment or health care operations;

• to individuals about their own PHI;

• incident to an otherwise permitted use or disclosure;

• pursuant to an authorization;

• for purposes of creation of a facility directory or to persons involved in the patient’s care or other notification purposes;

• as part of a limited data set; or

• for national security or law enforcement purposes.

The Company shall respond to an accounting request within 60 days. If the Company is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.

The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).

The first accounting in any 12-month period shall be provided free of charge. The Contact Person may impose reasonable production and mailing costs for subsequent accountings.

  1. Requests for Requested Confidential Communications. Participants may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, participants may ask to be called only at work rather than at home. Such requests shall be honored if, in the sole discretion of the Company, the requests are reasonable.

However, the Company shall accommodate such a request if the participant clearly provides information that the disclosure of all or part of that information could endanger the participant. The Contact Person has responsibility for addressing requests for confidential communications.

  1. Requests for Restrictions on Uses and Disclosures of PHI. A participant may request restrictions on the use and disclosure of the participant’s PHI. It is the Company’s policy to attempt to honor such requests if, in the sole discretion of the Company, the requests are reasonable. The Contact Person is charged with responsibility for addressing requests for restrictions.
  2. Requests for Amendment. No third-party rights (including, but not limited to rights of Company participants, beneficiaries, covered dependents, or business associates) are intended to be created by this Policy. The Company reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspirational and shall not be binding upon the Company. This Policy does not address requirements under other Federal laws or under state laws.