ResQ Medical Privacy Policies and Agreement to Comply with HIPAA Requirements
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean ResQ Medical, Inc.
(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and shall mean any covered entity that uses ResQ Medical’s technology.
(c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
Obligations and Activities of ResQ Medical
ResQ Medical agrees to:
(a) Not use or disclose protected health information other than as permitted or required by agreement with the covered entity or as required by law;
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by agreement with the covered entity.
- Administrative Safeguards
ResQ Medical will provide controls to ensure that only authorized individuals from the covered entity are allowed to access, modify and delete information from ResQ Medical’s application.
ResQ Medical will provide controls to ensure that access to the application is configured with security controls.
ResQ Medical will provide reasonable assurance that the confidentiality of the covered entity’s sensitive information is not compromised by the covered entity’s users.
ResQ Medical will provide controls for the covered entity to create, limit, or revoke user access to the covered entity’s sensitive information.
- Physical Safeguards
ResQ Medical will store all physical documents with Protected Health Information or Personal Identifiable Information in a secure, locked location. Only personnel with an immediate need for the information will have access to the information.
ResQ Medical will store all data from the covered entity at a separate location on a third party server obtained from a company that complies with all HIPAA requirements and signs a Business Associate Agreement to provide reasonable assurances of compliance with HIPAA and ResQ Medical’s privacy policy.
- Technical Safeguards
- Access Control – Access to all data will be validated against an authorized, logged-in user identified by a globally unique identifier (“GUID”).
- Automatic Logoff – In the ResQ iPhone application (the “App”), after a period of inactivity (60 minutes by default) is detected, the App will automatically log the user out and require the user to sign back in. When the program is run through the web, the user session will be removed when the system remains unattended for 20 minutes.
- Encryption and Decryption – The database will be kept on a server with encrypted fields. Database server connection details will be encrypted.
- Audit Controls – When controlling the program from the website, system activities such as institute management, program management, user profile management, settings edits, scheduling, and so on, can be logged to database server tables that record the specific action taken together with its date and time. Audit reports can be generated from the log tables.
- Person or Entity Authentication – On the server/web side, when an administrator creates a user, a strong password policy will be followed to ensure person or entity authentication.
- Transmission Security for Integrity and Encryption – All communications to the server/database will be over an SSL-enabled encrypted tunnel. This will automatically provide integrity checking and encrypt the data.
- Network Security Safeguards
ResQ Medical will only store data with third party servers that provide reasonable assurances of their compliance with HIPAA requirements. Any company providing third party servers will also sign a business associate agreement indicating its ability and obligation to comply with HIPAA requirements.
- Data Security Safeguards
ResQ Medical will ensure that all data, whether stored or in transit, is kept secure through industry standard encryption methods.
- Employee Training and Education
All employees of ResQ Medical will receive proper training on the requirements of HIPAA. Employees will only have access to the information necessary to perform their duties. All employees must sign an agreement to keep confidential all protected health information and personally identifiable information.
- Third Party Audit
ResQ Medical will be annually evaluated by a third party auditor who will issue an evaluation report that will detail the controls that ResQ Medical has in place to ensure compliance with the requirements of HIPAA regarding data privacy and security.
- Subcontractor Compliance
ResQ Medical shall, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractor, consultant, agent, or other third party that creates, receives, maintains, or transmits Protected Health Information on behalf of ResQ Medical agrees to the same restrictions, conditions, and requirements that apply to ResQ Medical with regard to its creation, use, and disclosure of Protected Health Information. ResQ Medical shall, upon request from Covered Entity, provide Covered Entity with a list of all such third parties. ResQ Medical shall ensure that any subcontractor, consultant, agent, or other third party to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect such information. ResQ Medical will terminate its agreement with any subcontractor, consultant, agent or other third party, and obtain from the third party all Protected Health Information provided to such subcontractor, consultant, agent or other third party, if ResQ Medical becomes aware that the subcontractor, consultant, agent or other third party has breached its contractual duties relating to HIPAA, ResQ Medical or the agreement with the covered entity. If any subcontractor, consultant, agent, or other third party of Contractor is not subject to the jurisdiction or laws of the United States, or if any use or disclosure of Protected Health Information in performing services under the Agreement will be outside of the jurisdiction of the United States, such entities must agree by written contract with ResQ Medical to be subject to the jurisdiction of the Secretary, the laws and the courts of the United States, and waive any available jurisdictional defenses as they pertain to the parties’ obligations under this Agreement, the Privacy Rule or the Security Rule.
(c) Report to the covered entity any use or disclosure of Protected Health Information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;
(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of ResQ Medical agree to the same restrictions, conditions, and requirements that apply to ResQ Medical with respect to such information;
(e) Make available protected health information in a designated record set to the covered entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.524;
(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR 164.526;
(g) Maintain and make available the information required to provide an accounting of disclosures to the covered entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.528;
(h) To the extent ResQ is to carry out one or more of covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s);
(i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules; and
(j) Enter into a business associate agreement with the covered entity to ensure that all services are compliant with HIPAA, the HITECH Act, and the Final HIPAA Omnibus Rule.
Permitted Uses and Disclosures by ResQ Medical
(a) ResQ Medical may only use or disclose protected health information in a manner consistent with the agreement with the covered entity and only to those people or entities that are listed in the agreement with said covered entity.
(b) ResQ Medical may use or disclose protected health information as required by law.
(c) ResQ Medical agrees to make uses and disclosures and requests for protected health information consistent with covered entity’s minimum necessary policies and procedures.
(d) ResQ Medical may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by the covered entity, except for the specific uses and disclosures set forth below.
(e) ResQ Medical may use protected health information for the proper management and administration of ResQ Medical or to carry out the legal responsibilities of ResQ Medical.
(f) ResQ Medical may disclose protected health information for its proper management and administration or to carry out its legal responsibilities, provided the disclosures are required by law, or ResQ Medical obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies ResQ Medical of any instances of which it is aware in which the confidentiality of the information has been breached.
(g) ResQ Medical may provide data aggregation services relating to the health care operations of the covered entity.
Obligations of ResQ Medical Upon Termination
Upon termination of the Agreement between ResQ Medical and the covered entity for any reason, ResQ Medical shall return to covered entity [or, if agreed to by the covered entity, destroy] all protected health information received from covered entity, or created, maintained, or received by ResQ Medical on behalf of covered entity, that ResQ Medical still maintains in any form. ResQ Medical shall retain no copies of the protected health information.