Last Updated: December 10, 2012
PARiConnect is made available by PAR and provides an online testing platform for selected PAR assessment tools, giving clinicians and practitioners the capability to remotely test clients/patients. It additionally allows qualified users to present assessments online while a client/patient is in the practitioner’s office, and it may allow the PAR Customer to use his or her PAR desktop software application to gather client responses from remotely located clients/patients and run reports based on those responses. These additional stipulations and representations reflect your standing as a Covered Entity with access to confidential electronic Protected Health Information (“ePHI”) related to your clients/patients’ data that is stored on PARiConnect.
No third-party rights, including, but not limited to, the rights of Customer clients/patients or beneficiaries, are intended to be created by this Policy. PAR reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent that this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspirational and shall not be binding. This Policy does not address requirements under other federal laws or under state laws.
General HIPAA Privacy Policies and Practices
Privacy Officer and Contact Person
It is PAR’s policy to train all employees who might have access to ePHI on its privacy policies and procedures. The Privacy and Security Officer is charged with developing training plans and programs so that all employees receive the training necessary and appropriate to permit them to carry out their functions.
Technical and Physical Safeguards and Firewall
PAR will establish on behalf of PARiConnect appropriate technical and physical safeguards to prevent Customer client/patient ePHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. Technical safeguards include limiting access to information by creating computer firewalls and by requiring users to have unique, secure user IDs and passwords. Technical standards also include encrypting all Customer client/patient ePHI. Physical safeguards include locking doors and/or filing cabinets, establishing secure methods of access to PAR facilities, and undertaking other measures to secure computer workstations, laptops, mobile devices, and other devices/methods used to access PARiConnect by PAR employees.
Firewalls also help ensure that only authorized parties will have access to Customer ePHI and that Customers will have access to only the minimum amount of client/patient ePHI necessary for assessment administration and/or scoring/interpretation and related administrative functions.
The Privacy and Security Officer is responsible for developing and maintaining a notice of PARiConnect's privacy practices that describes:
- the uses and disclosures of Customer client/patient ePHI that may be made by PAR;
- the individual rights of the client/patient; and
- PAR’s legal duties with respect to Customer client/patient ePHI.
This document constitutes such Privacy Notice with respect to PARiConnect.
Kay M. Cunningham is PARiConnect’s contact person for receiving complaints. The Privacy and Security Officer is responsible for creating a process for individuals to lodge complaints about PARiConnect’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any PARiConnect Customer upon request.
Mitigation of Inadvertent Disclosures of Protected Health Information
PAR shall mitigate, to the extent possible, any harmful effects that become known to it because of a use or disclosure of Customer client/patient ePHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of protected health information, either by an employee or an outside consultant/contractor, that is not in compliance with this Policy, the employee shall immediately contact the Privacy and Security Officer so that the appropriate steps to mitigate the harm to the individual can be taken.
PARiConnect’s HIPAA privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.
PAR will document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to a PARiConnect Customer client/patient’s privacy rights.
The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. PAR will maintain such documentation for at least six years.
Policies on Use and Disclosure of ePHI
PAR, as it relates to PARiConnect, will use and disclose PARiConnect client/patient ePHI only as permitted under HIPAA. Such permitted uses and disclosures may occur under the following circumstances.
Mandatory Disclosures of ePHI: To Individual and DHHS
A Customer client/patient’s ePHI must be disclosed as required by HIPAA in two situations:
- The disclosure is to the individual who is the subject of the information (see “Access to Protected Health Information and Requests for Amendment” further in this Policy); and
- The disclosure is made to DHHS for purposes of enforcing HIPAA.
Permissive Disclosures of ePHI: For Legal and Public Policy Purposes
Customer client/patient ePHI may be disclosed in the following situations without a participant’s authorization, when very specific requirements are satisfied. PAR’s and HIPAA's use and disclosure procedures describe specific requirements that must be met before these types of disclosures may be made. The requirements include prior approval of PAR’s Privacy and Security Officer. Permitted are disclosures:
- about victims of abuse, neglect, or domestic violence;
- for judicial and administrative proceedings;
- for law enforcement purposes;
- for public health activities;
- for health oversight activities;
- about decedents;
- for cadaver organ, eye, or tissue donation purposes;
- for certain limited research purposes;
- to avert a serious threat to health or safety;
- for specialized government functions; and
- that relate to workers’ compensation programs.
Disclosures of ePHI Pursuant to an Authorization
Customer client/patient ePHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the client/patient. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.
Policies on Individual Rights
Access to Protected Health Information and Requests for Amendment
HIPAA gives individuals the right to access and obtain copies of their ePHI that PARiConnect may contain. HIPAA also provides that participants may request to have their ePHI amended. PAR will provide access to ePHI, and it will consider requests for amendment that are submitted in writing by participants. Such requests must contain appropriate identity verification documents. All such requests for ePHI must be submitted to the Privacy and Security Officer. As a professional courtesy, PAR may additionally contact the PARiConnect Customer whose account maintains such client/patient electronic PHI and inform him or her of the request for PHI.
Other PAR Privacy Policies