Coverage of ZirMed Web Site
This Policy is separate from, but directly affected by, HIPAA requirements on privacy and security. ZirMed continues to track HIPAA’s “administrative simplification” rollout and aids regulators, and ultimately our customers, by providing comments and consultation on the rollout through our membership on the WEDI contact committee (a consultative body composed of healthcare service providers, payers, and interested professionals organized in association with HCFA, now renamed CMS, the Centers for Medicare and Medicaid Services). ZirMed has made a corporate commitment to the privacy and security of our customers’ (and their patients’) personal and, especially, healthcare information, in addition to required compliance with any regulatory mandates issued under HIPAA. We are presently compliant with HIPAA regulations on transaction sets, and intend to remain compliant as final regulations are issued after legislative scrutiny. Recent CMS rulings have revealed another major benefit that our provider customers receive from using ZirMed’s HIPAA-compliant product: providers facing HIPAA privacy and security requirements for their own practice management systems may be “exempted” from a major portion of the regulations if they receive material claim processing services that are deemed HIPAA-compliant from a third-party processor like ZirMed. Thus, ZirMed’s compliance with HIPAA transaction mandates can be attributed to the applicable portions of a provider customer’s internal practice management system through its contract relationship with, and service undertaking from, ZirMed. We also understand that this exemption is applicable to the payer community and its HIPAA-related obligations. In addition, it should be noted that our transaction clearinghouse has brought us a long way toward HIPAA compliance, since, unlike all others in the industry, it has been built using HIPAA-mandated transaction sets at its core.
We track regulatory changes and political debates regarding the scope of HIPAA, work with industry groups to educate our staff on privacy and security issues, and regularly revise and redraft implementation guides to include increasing privacy and security features with an eye both to customer/patient protection and commercial reasonability. By providing staff education and awareness programs, designating a corporate HIPAA compliance team, and conducting a number of business impact analyses on ourselves and several of our customers, we have forged a culture of privacy at ZirMed that will put us in good stead for implementing all HIPAA regulations.
Information We Collect
Information We Collect From Non-Subscriber Visitors
Visitors to our Web site can access the Web site’s home page, and browse some areas of the site, without disclosing any personally identifiable information. We do track information provided to us by your browser, including the Web site you came from (known as the “referring URL”), the type of browser you use, the time and date of access, and other information that does not personally identify you. A person/entity must enroll with us to use much of the site.
Information We Collect When You Register/Enroll
A customer registering or enrolling for use of our services, whether the registration is done on our Web site or via a paper contract entered into by ZirMed and the customer, is asked to provide us with identifying information, such as name, address, and contact information. On our registration screen and in our contracts we clearly specify what information is required for enrollment, and what information is optional and may be given at your discretion. ZirMed allows users to correct and update their personal information at any time by changing their Personal Profile on-line.
Information Included in Claim Transactions We Receive from You (That We Process, Validate, and Amend if Necessary, and Submit to Appropriate Payers for Adjudication, Especially Personally Identifiable Healthcare and Medical Record Information Contained in Such)
As part of the rendition of our claim transaction processing services, we will receive certain information from our customers about their patients and the healthcare procedures associated with them that is either personally identifiable or otherwise sensitive. In accordance with the spirit and letter of HIPAA, best corporate practices, and rational business ethics for the healthcare industry, we do all within our power to keep such information both secure and private. We work with provider and payer customers to develop ever more precise communication vehicles for encrypting and otherwise securing this information.
E-Mail Help and Customer Support
ZirMed offers e-mail help and designated Customer Service representatives to its users. For your protection, we only use ZirMed employees for these services and have made it Company policy not to contract specialty service providers for these purposes. Therefore, you should assume that any information (personal to the provider, or patient-identifiable healthcare information) that is disclosed in communications with either or both of these areas will be seen by ZirMed personnel. However, although ZirMed personnel have all signed confidentiality agreements and undergo regular training on the proper use and storage of customer-transmitted information, customers should never send details of personal information or patient healthcare information within an e-mail. In order to further assure efficient and effective handling of customer problems referred to us, ZirMed has created and maintains an incident tracking system that details referred problems and expedites speedy resolution.
Information From Outside Sources
We may also collect information about physicians and other healthcare professionals who register on our Web site from other sources in order to verify their licensure status and identity. In some cases we may ask customers for information after they enroll, such as credit card information. Where necessary (for example, to process automatic monthly subscription fee billing), our organization may contact financial or credit organizations to confirm customer credit card information.
Additional Forms and E-Mails: We may ask you to provide additional information after you register if you want to obtain additional services or information on new products or to resolve complaints or concerns.
Uses We Make of Information
Marketing and Advertising
We may target our advertising or marketing depending upon information we have about you. In any such case, the marketer or advertiser will not have access to any customer personal information or any patient-related personally identifiable healthcare information.
In addition to aggregate information, we may share some kinds of information with third parties, as described below:
- Other Companies – We have strategic relationships with other companies who offer products and services on our Web site (these also include “powered by” partners, and co-branded and private-branded Web site partners). We may share certain information with these partners and will endeavor to keep our users/subscribers updated as to the nature of our relationships with third parties as they affect any sharing of information. When and if you interact with these companies, you should be aware that different rules and privacy policies may apply. We do not control the collection or use of the information you provide under those circumstances, but we do require that those companies clearly state their policies so that you can decide whether to give them any information.
- Companies and People Who Contract With Us – At times we contract with other companies and individuals to help us provide services. For example, we may host co-branded equivalents of our Web site on another company’s computers or hire technical consultants to aid us in some of our processing services through Web site access. In addition, if you are a healthcare professional, we may validate your licensure status or other information against available databases that list licensed health care professionals. In order to perform their jobs, these other companies may have limited access to some of the personal information we maintain about our users (not patient information). We require all such companies to comply with the terms of our privacy policies, to limit their access to any personal information to the minimum necessary to perform their obligations, and not to use the information they may access for purposes other than fulfilling their responsibilities to us. We use our best efforts to limit the use of any other companies in services where any patient personally identifiable healthcare information may be involved.
- Legal Requirements – We may release account and other personal information of customers when we believe release is required to comply with law. We will only release personally identifiable health information, including information from a medical record if, in our best judgment, after review by our attorney, the release is compelled by law or regulation, or if the release is necessary to prevent the death or serious injury of an individual.
- Medical Records – ZirMed will not disclose personally identifiable healthcare information from patients’ medical records to an unrelated third party unless that disclosure is authorized in writing by the caregiver/provider for medical purposes, for treatment of the patient, or payment of claims, or if the patient authorizes it in writing.
- When we share information with third parties, we ask that they agree in writing to abide by ZirMed’s privacy policies. If we discover that a third party inadvertently disclosed personal information about any of our customers, we will take immediate action to prevent further occurrences.
Protection of Information — Security
We have implemented technology and security policies, rules, and other measures to protect the personally identifiable data of customers and their patients that we have under our control from unauthorized access, improper use, alteration, unlawful or accidental destruction, and accidental loss. We also protect this information by requiring that all of our employees and others who have access to or are associated with the processing of this data respect your confidentiality, and confirm this obligation to you by signing a confidentiality agreement with us. Where we allow a healthcare provider or payer to access actual medical records created by a healthcare provider, we require that the browser used support a high level of encryption to reduce security risks. ZirMed uses security methods to determine the identity of its registered users, so that appropriate rights and restrictions can be enforced for the user. Reliable verification of user identity is called authentication. ZirMed uses both usernames and passwords to authenticate users. Users are responsible for maintaining their own passwords. NEVER SHARE YOUR ZirMed USERNAME OR PASSWORD WITH ANYONE. PLEASE USE THE “LOG OFF” BUTTON WHEN EXITING THE ZirMed WEB SITE; THIS ENDS YOUR SESSION AND HELPS PREVENT UNAUTHORIZED USERS FROM ACCESSING YOUR ACCOUNT.
Security Practices and Technology
- Positive User Identification — Access to our system, past the entry-level Web site information pages, is restricted to authorized users only. Users must supply a user id and a password to access their information on our Web site. Users who forget their password must pass our challenge/response process to ensure legitimacy before being given their forgotten password.
- Positive Site Identification — The ZirMed Web site is registered with the Verisign™ site certification authority to enable a user’s Web browser to confirm the site identity before proceeding. With this technology, the identity of ZirMed’s site is confirmed to the browser. If positive identification is not made, the user’s Web browser notifies the user that the receiving site is suspicious.
- In-Transit Data Encryption — All data being passed between the user’s browser and the private portion of ZirMed’s Web site is encrypted. This information is transmitted using Secure Sockets Layer (SSL) technology with 128-bit encryption.
- Information Back-up — All sensitive information in our office data center is backed up routinely, in order to aid in the recovery of information in the event of accidental damage to information or a natural disaster. The backup media is stored in a physically secure storage facility.
- Application Access Logs — All access to the ZirMed applications is logged to the user level. We thus have a complete record of all users who access our system with dates and times of access.
Storage and Protection of Healthcare Information
- Firewall Protection — As a front-line defense to the ZirMed system, we have implemented a firewall in front of all public servers. This firewall will help prevent any unauthorized access and guard against Internet hacking attempts.
- Physical Data Center Security — Our servers are located in a secure hosting facility. This facility requires key card authorization to gain initial entry into the data center. A biometric hand scanner and camera surveillance additionally protect access to the actual server room. The center is monitored 24 x 7 x 365 by the Network Operation Center personnel.
- Enforcement of Privacy and Property Protection — ZirMed works with regulators and security professionals, including our own security firm, local police, the Federal Bureau of Investigation, and the Internet security division of the U.S. Postal Service to assure against, or speedily locate and abort, Internet-based or other attempts to access personally identifiable healthcare (or financial) data that we have in our possession or transmit for customers. Our Customer Service personnel keep in contact with customers regularly to determine any payment or transmission problems that may indicate illegal access attempts by third parties that would trigger our immediate response.
Access to Information
Correction of Information We Have About You
If you believe that non-healthcare-related registration information collected by our Web site is in error, you may edit your personal profile at any time you wish. You can directly edit your user profile on our Web site. Requests for deletion of your record may result in your removal from our registry of customers, which may cause some disruption to future service, but we are willing to accede to your wishes. Despite such removal, we may keep certain non-identifiable demographic information about you for product improvement purposes. You may also contact ZirMed Customer Support and ask for the changes you would like to make.