Privacy Policy
Special Provisions Regarding Security, Confidentiality, Ownership and Use of Information.
a. Security.
Each Party shall take reasonable steps to maintain the security of communications between them using the U.S. HealthRecord products and the security of medical and dental information of identifiable Provider patients in their respective possession, including but not limited to reasonable steps: to authenticate Authorized Users using individual passwords, to maintain confidentiality of passwords, to maintain physical security of equipment and facilities in their respective control, to exercise appropriate oversight and supervision of their respective personnel, to evaluate their respective security safeguards periodically, to install and maintain appropriate firewalls and other technical measures where appropriate, and to guard against the intentional or unintentional corruption or loss of data in their respective control. The steps taken by the parties shall comply fully with all applicable provisions of any privacy and/or security regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as of the date by which such regulations require compliance. Such steps shall include, but not be limited to, the following:
(i) Provider shall maintain, on an appropriate control screen provided by U.S. HealthRecord, an up-to-date list of the names of all Authorized Users. U.S. HealthRecord shall not permit access to the U.S. HealthRecord Products except as selected on such screen.
(ii) Provider shall assign a password to each Authorized User. Each password shall be unique to each Authorized User and shall be non-transferable. Authorized Users shall log into U.S. HealthRecord using only their assigned Username and associated password. U.S. HealthRecord shall be entitled to assume, unless notified by Subscriber otherwise, that a user presenting a Username and associated password is in fact the corresponding Authorized User. Provider shall not permit anyone other than the relevant Authorized User to use the Username and password associated with that Authorized User. If the Provider or its personnel knowingly or unknowingly furnish a password to an unauthorized person, the Provider is validating the authority of such person to act on its behalf as to any access or use of U.S. HealthRecord with that password and shall be responsible for any charges, damages or losses incurred or suffered as a result of its failure to maintain the confidentiality of any password. Provider shall notify U.S. HealthRecord immediately if it becomes aware of any unauthorized use of any Username or password, and U.S. HealthRecord shall take reasonable steps upon such notification to shut off access or use by such Username and associated password.
(iii) U.S. HealthRecord shall monitor user access and Internet server logs periodically to search for unauthorized access and access attempts. U.S. HealthRecord shall provide at least 128-bit secure sockets layer access or comparably secure access via protected network technology to its Internet server. Provider shall configure its equipment to use such access.
(iv) Both parties acknowledge that no security measures are perfect and that security breaches may occur despite commercially reasonable efforts. Each Party shall promptly report to the other any material system, equipment, or software malfunction, error, breakage or breach that involves the security of Subscriber data that such Party detects or that it believes is imminent or is likely to have occurred. Each Party shall reasonably cooperate with the other in efforts to reduce the effects of any such malfunction, error, breakage or breach, to mitigate damage and restore lost code or data.
(v) U.S. HealthRecord will maintain a mechanism for granting patients secure access to their personal information upon the Subscriber granting an access code to the patient.
(vi) U.S. HealthRecord will maintain a mechanism for granting patients the right to request changes to their personal information through the Subscriber.
(vii) U.S. HealthRecord agrees to maintain a record of use and disclosure of patient information and to make the same available to the Subscriber upon request.
b. Confidentiality.
(i) Due to the nature of this Agreement, U.S. HealthRecord may receive or have access to information of Provider of a confidential or proprietary nature that may include without limitation, patient medical and demographic data, and other information used by Provider in the operation of its business. Except as set forth in Section d below or as directed by Provider, U.S. HealthRecord shall hold the confidential and proprietary information of Subscriber in confidence and not use it or disclose it or allow it to be used or disclosed, directly or indirectly, to any other person or entity, except as may be reasonably necessary for purposes of this Agreement and then only if the recipient has agreed in writing to maintain the confidentiality of the information. U.S. HealthRecord will notify Subscriber of any use or disclosure of patient information which is not authorized under this Agreement of which U.S. HealthRecord becomes aware.
(ii) Due to the nature of this Agreement, Provider may receive or have access to information from U.S. HealthRecord of a confidential and proprietary nature that may include without limitation, software, computer programs, formats and technology for organizing and presenting data, communication formats and technology, and information used by U.S. HealthRecord for the operation of its business. Except as directed by U.S. HealthRecord, Provider shall hold the confidential and proprietary information of U.S. HealthRecord in confidence and not use it or disclose it or allow it to be used or disclosed, directly or indirectly, to any person or entity, except as may be reasonably necessary for purposes of this Agreement and then only if the recipient has agreed in writing to maintain the confidentiality of the information.
iii) In keeping information confidential pursuant to this Agreement each Party shall be obligated to act in a manner no less protective than the care such Party uses to protect its own similar confidential and proprietary information, except that in no event shall such care be less than reasonable. Each Party shall comply fully with all applicable provisions of any privacy and/or security regulations promulgated pursuant to HIPAA, as of the date by which compliance is required by such regulations.
c. Ownership.
As between U.S. HealthRecord, Subscriber and Provider data entered in the U.S. HealthRecord Products shall be and remain the exclusive property of Subscriber. The U.S. HealthRecord Products and all right, title and interest in any of the U.S. HealthRecord Products shall be and remain the exclusive property of U.S. HealthRecord. All derivative works prepared from the U.S. HealthRecord Products or any part of them shall be and remain the exclusive property of U.S. HealthRecord.
d. Compiled Information.
Notwithstanding the rights, obligations and ownership set forth above, Provider agrees that U.S. HealthRecord may store, retrieve and copy information it receives concerning Provider in performing its functions under this Agreement, and modify it to remove, encode, encrypt or otherwise conceal the personal identifiers of the Providers, its personnel and its patients, and thereby de-identify such data. Such de-identification shall include the steps necessary to render the information in such condition that U.S. HealthRecord may further modify and incorporate copies of such information in de-identified form into aggregations or compilations of technical, medical, and business information (the Compiled Information). All de-identified data incorporated by U.S. HealthRecord into Compiled Information shall belong exclusively to U.S. HealthRecord and shall no longer be subject to the restrictions of Sections a, b, c, above; and U.S. HealthRecord shall have the right to use them as it sees fit for any lawful purpose (including without limitation, the perpetual, irrevocable, worldwide, exclusive, transferable, and royalty free right to monitor, store, retrieve, transmit, process, modify, otherwise prepare derivative works from, copy, distribute, disclose or display them), provided that in each case of distribution, display or disclosure to any third party, U.S. HealthRecord shall not disclose any key or other device to enable coded, encrypted, or concealed identifying information to be disclosed or re-identified unless required by law. All de-identification shall comply fully with applicable provisions of any privacy regulations promulgated pursuant to HIPAA, as of the date by which compliance is required by such regulations. U.S. HealthRecord shall destroy or return all patient information other than Compiled Information to Subscriber upon termination of Subscriber's relationship with U.S. HealthRecord in compliance with HIPAA.
e. Marketing Prohibition.
The parties will not use individual patient information for marketing purposes without the express consent of the patient.
f. Access by HHS.
U.S. HealthRecord agrees to make its books and records relating to uses and disclosures of information available to the Secretary of the U.S. Department of Health and Human Services to the extent required by HIPAA.
g. Subcontractors and Agents.
U.S. HealthRecord shall impose its obligations under this section on any applicable subcontractors and agents of U.S. HealthRecord.
h. Changing or Removing Information; Opting Out Discretionary Account Information.
To allow appropriate control over personally identifiable information, you can access the personally identifiable information you have provided us via the Website to change or update discretionary information that you have previously submitted.
Opt-Out.
If we choose to send you bulletins, updates, or other unsolicited communications that are marketing-related materials, we will provide you with the ability to decline - or "opt out of" - receiving such communications. Please understand that you will not be allowed to "opt out" of formal notices concerning operation of this Website, and legal and other related notices concerning your relationship to the Site, nor will you be allowed to opt-out of being provided with content passively via pages of our Site that you choose to access.
Changes to this Privacy Policy:
From time to time, U.S. HealthRecord may change its Privacy Policy. If we decide to change our Privacy Policy, we will post these changes from the privacy link on our Website. If we make any changes regarding disclosure of personally identifiable information to third parties, we will attempt to contact you via the email address you have provided to us in the registration process prior to the date the modified policy is scheduled to take effect. With respect to Site Visitors, Customers, and Medical Professionals, your use of our Site following any such change constitutes your agreement to follow and be bound by the Privacy Policy, as changed.
Relationship to Terms and Conditions of Use and Other Contracts
This Privacy Policy must be read in conjunction with our Terms and Conditions of Use, and the provisions of our Terms and Conditions of Use are incorporated herein. To the extent the Terms and Conditions of Use conflict with the terms of this Privacy Policy, the terms of this Privacy Policy will control. This Privacy Policy should also be read in connection with any separate agreements between you and
U.S. HealthRecord.
Contact Us:
Site visitors who have questions about this privacy statement, the privacy practices of this site, or their dealings with this website, insofar as their privacy and confidentiality are concerned, should contact
us by sending Email to support@ushealthrecord.com or you can send posted mail to the following address:
ushealthrecord,
PO Box 8699,
Fayetteville, AR 72703.
Effective Date:
The effective date of this Privacy Policy is January 1, 2008.