Security and Privacy Policy Statement
MDdatacor is committed to protecting the privacy and confidentiality of all
patient information (all of which is collectively referred to, for purposes of
this Policy Statement, as Protected Health Information ("PHI")) transmitted to
and maintained by MDdatacor.
MDdatacor’s policies and procedures meet or exceed the physical and electronic
security measures required by applicable federal and state regulatory guidelines
for the use, storage and/or transmission of PHI.
MDdatacor has implemented state-of-the-art electronic and physical
security measures and established stringent administrative security procedures
to protect patient information from unauthorized access, improper use,
alteration and unlawful or accidental destruction. In everything we do, MDdatacor
strives to strictly adhere to our Company’s Privacy and Security Policies and
Procedures and all applicable laws, including the privacy and security
regulations promulgated pursuant to the Health Insurance Portability and
Accountability Act of 1996 and the modifications of those by the HITECH Act of
2009.
Data Security
Recognizing that data security is the cornerstone to our success, MDdatacor
provides further assurances to our customers of our commitment to the protection
of PHI through the following:
SSL/TLS Technology and Encryption.
MDdatacor uses Secure Sockets Layer (SSL) technology, now standardized as
Transport Layer Security (TLS), in all areas of our website applications that
transmit data or information. A browser signals an active SSL/TLS connection
with a padlock symbol (older versions of Internet Explorer and Netscape Navigator
displayed it at the bottom of the window; current browsers display it in the
address bar) and by the URL (web site address) changing from "http" to "https."
The server certificate lets the browser verify the identity of the MDdatacor
server, and the encrypted connection prevents interception or alteration of data
in transit. The padlock confirms only that the connection to the server shown
is encrypted; users should also confirm that the address shown is the MDdatacor
address they intended. MDdatacor uses a Global Server ID certificate that
provides a minimum of 128-bit SSL/TLS encryption and can support 256-bit
encryption.
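The following is an added example, not MDdatacor's code, showing how a customer can check from their own side that a web endpoint meets the floor described above: the server certificate and host name are verified, deprecated protocol versions are refused, and no cipher suite below 128 bits is offered. The host name, the chosen cipher list and the TLS 1.2 minimum are assumptions for illustration.

```python
"""Client-side TLS policy check (added example; assumptions are marked)."""
import socket
import ssl

MIN_BITS = 128                          # the policy's stated minimum strength
MIN_VERSION = ssl.TLSVersion.TLSv1_2    # assumption: SSLv3, TLS 1.0 and 1.1 are deprecated
DEPRECATED = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def make_strict_context() -> ssl.SSLContext:
    """Client context that refuses anything below the policy floor."""
    ctx = ssl.create_default_context()  # loads system CAs, verifies cert + host name
    ctx.minimum_version = MIN_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Assumed cipher policy: forward-secret AEAD suites only (all >= 128 bits).
    # TLS 1.3 suites are configured separately by OpenSSL and are all >= 128 bits.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def weak_ciphers(ctx: ssl.SSLContext, min_bits: int = MIN_BITS) -> list[str]:
    """Names of cipher suites the context would still offer below min_bits."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]


def meets_policy(protocol: str, cipher_bits: int,
                 cert_verified: bool) -> tuple[bool, list[str]]:
    """Evaluate a negotiated session; returns (ok, list of reasons it failed)."""
    reasons = []
    if protocol in DEPRECATED:
        reasons.append(f"deprecated protocol {protocol}")
    if cipher_bits < MIN_BITS:
        reasons.append(f"cipher strength {cipher_bits} < {MIN_BITS} bits")
    if not cert_verified:
        reasons.append("server certificate not verified")
    return (not reasons, reasons)


def probe(host: str, port: int = 443) -> tuple[bool, list[str]]:
    """Connect with the strict context and evaluate what was negotiated.
    This performs a network connection and is not exercised offline."""
    ctx = make_strict_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            _name, protocol, bits = tls.cipher()
            # wrap_socket already raised SSLCertVerificationError if the
            # certificate chain or host name did not verify.
            return meets_policy(protocol, bits, cert_verified=True)


if __name__ == "__main__":
    ok, why = probe("portal.example.com")   # placeholder host (assumption)
    print("OK" if ok else "FAIL: " + "; ".join(why))
```

A failed handshake (expired certificate, name mismatch, server offering only TLS 1.0) surfaces as an exception from wrap_socket rather than a "FAIL" line, which is the intended behaviour: the check should not complete a connection it would then reject.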
Additionally, all portable physical devices and media containing PHI, including
back-up media, are encrypted so that the data remains protected at rest and
while the media is physically transported. Use of portable devices by
employees, such as thumb drives, is strictly prohibited.
Firewall and Intrusion Detection Systems.
MDdatacor uses firewall technology to protect all servers and databases.
Additional security is provided through the continual use of advanced intrusion
detection software and regular vulnerability analysis. All critical systems are
monitored for possible intrusions 24/7, and MDdatacor engages a reputable third
party vendor to perform regular penetration testing of our systems, which also
exercises our intrusion detection controls.
State-of-the-Art Data Center.
MDdatacor servers, containing all PHI maintained by MDdatacor, are located
within a Quality Technology Services data center. The Quality Technology
Services facility provides active security that is aggressive and responsive,
supported by multiple security systems and at least one point of human contact
at each entry point. The facility combines controls such as security officers,
cameras, access cards and biometrics to ensure that only authorized personnel
have physical access to MDdatacor's systems.
Password and ID Protections.
Through proprietary software applications, MDdatacor controls access to
restricted areas of our web site applications and databases via login
authentication, which requires that a username, account ID and password be
provided before access is granted. Unique user names, account IDs and passwords
are assigned and distributed only to authorized personnel, as directed by our
customers. This login process not only regulates who gains access, but also
limits the scope of access: once a user is logged in, access is limited to only
the data for which that user is authorized. Customers control when access is
granted or terminated, and the level of access for each employee of the
customer. An automatic log-off feature ends idle sessions, reducing the risk of
unauthorized access when a user leaves a workstation without logging off.
Self-Assessments and Security Audits.
MDdatacor records and regularly reviews all system activities, including but
not limited to logins, file access and security events. MDdatacor uses this
audit system to continually assess and critique our technical security
measures. MDdatacor has also implemented technical and administrative
procedures to ensure that hardware and software enhancements do not compromise
data security.
Data Privacy
Limitation of uses. MDdatacor only receives, utilizes and discloses protected
health information submitted/uploaded to MDdatacor by its customers, and only
for the limited purposes set forth in its agreements with each customer.
MDdatacor has no other use or purpose for the data.
Customer responsibilities.
Authorized Users. Each customer is given access to MDinsight in accordance with
the sponsored program in which the customer is participating, or as otherwise
agreed by such entity and MDdatacor pursuant to the terms of a written
agreement. The customer is expected to establish and maintain MDinsight user
access for its employees, in accordance with the customer's policies and
applicable laws. It is the customer's responsibility to remove or modify access
for employees as their roles or employment change from time to time.
Data submission and revision obligations.
MDdatacor relies solely on the customer to provide accurate and up-to-date
patient data. Once received by MDdatacor, we will safeguard the data and ensure
that its integrity and security are maintained in accordance with the policies
summarized herein. MDdatacor employs various processes to ensure that data
remains as it was originally received from the customer, and processed data is
audited for accuracy.
Customers control what information is provided to MDdatacor for inclusion in
MDinsight and can choose to omit any information not necessary or applicable.
Customers must determine what is or is not appropriate for inclusion within
MDinsight, and whether additional patient consent is required, in accordance
with the purposes for which the customer is utilizing the data.
It is the customer's responsibility to request (in writing) removal of any PHI
from MDinsight as may be necessary to comply with patient requests or
applicable laws. MDdatacor will respond with diligence to any such request, but
advance notice is required, as such data modifications may require significant
time and resources depending upon the complexity of the request. Once protected
health information is removed, it will no longer be available for inclusion
within MDinsight unless resubmitted by the customer.
Retention and Disposal of Protected Health Information. The protected health
information submitted by customers to MDdatacor for inclusion in the MDinsight
database is not a medical record or a designated record set as defined by HIPAA
and, therefore, MDdatacor has no obligation to maintain the MDinsight database
as a medical record in accordance with state or federal laws. The tools within
MDinsight are to be utilized by clinicians as supplements to their own medical
decision making, not as a replacement for their medical judgment.
MDdatacor shall retain all protected health information submitted by customers
in accordance with written customer agreements. To the extent data is
destroyed, it is destroyed in accordance with applicable industry standards to
protect identifiable data from loss, theft, misuse or unauthorized access.
Patient Access. MDdatacor is solely a business associate of our customer,
providing information technology services. MDdatacor does not grant patients
direct access to their protected health information within MDinsight. Should a
patient have questions or need access for some reason, MDdatacor will work with
the customer to provide appropriate responses and access. To the extent
MDdatacor receives a request from a patient, a patient's legal representative,
or other legal authority to access data within the MDinsight database,
MDdatacor will immediately notify the customer and work cooperatively to
provide information in a legally appropriate manner.
Collection of Customer Information.
MDdatacor does not collect or utilize any other data about its
customers or customers’ patients.
Customer Agreements. MDdatacor enters into a HIPAA/HITECH
Act-compliant Business Associate Agreement with each of our customers, which
provides further acknowledgements of MDdatacor’s legal and contractual
obligations and commitments not only to comply with state and federal laws, but
to exceed them where necessary to provide the highest quality services.
Third Party Vendors. MDdatacor utilizes very few third party vendors whose
services require access to protected health information. Where such
relationships exist, MDdatacor enters into subcontractor Business Associate
Agreements requiring the vendor to attest to its compliance with all business
associate obligations imposed by state and federal law. An example of
MDdatacor's use of a third party vendor with regard to protected health
information is the vendor that provides shredding services for all printed
materials containing PHI.
Personnel Training and Compliance Enforcement. MDdatacor requires initial
training of all new staff and on-going training on a quarterly basis with
regard to MDdatacor Privacy and Security Policies and Procedures. Employees are
trained to recognize security concerns and to report them immediately to
MDdatacor management. MDdatacor limits PHI access to only those employees who
need access in order to perform their duties for MDdatacor. Compliance is
diligently monitored and violations are dealt with immediately.
Questions/Reporting of Concerns
Specific questions about MDdatacor Privacy or Security Policies and Procedures
can be directed to your client services representative or MDdatacor’s privacy
officer:
Kimberly Greaves, Esq.
General Counsel
legal@mddatacor.com
1-877-633-8812