Axial Exchange Privacy Policy

KEY DEFINITIONS

Access: The Security Rule defines “access” as the ability or the means necessary to read, write, modify, or communicate data or information or otherwise use any system resource.

Access Controls: Access controls provide users with rights and privileges to access and perform functions using information systems, applications, programs, or files. Access controls enable authorized users to access the minimum necessary information needed to perform job functions.

Additional Privacy Protection Requests: These requests from individuals seek to limit the uses or disclosures of protected health information. There are two types of requests:

1. A request that uses or disclosures of the requestor’s protected health information be restricted to carry out treatment, payment, or health care operations; or

2. A request that disclosures permitted under § 164.510(b) (relating to uses and disclosures for involvement in the individual’s care and notification purposes) be restricted. See generally 45 CFR § 164.502.

Administrative Safeguards: The administrative actions, and policies and procedures, that should be implemented to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the workforce in relation to the protection of that information.

Authorization: An “authorization” refers to a permission form that allows a HIPAA-covered entity to disclose protected health information to another person or entity. An authorization must contain the following elements to be valid under HIPAA:

1. A specific description of the protected health information to be disclosed;

2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested disclosure;

3. The name or other specific identification of the person(s), or class of persons, to whom the requested disclosure can be made;

4. A description of each purpose of the requested use or disclosure or, alternatively, the statement “at the request of the individual;”

5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure; and

6. The signature of the individual or that individual’s authorized representative, specifying the nature of the relationship to the individual.

Authorized Personnel: Authorized Personnel are those members of the workforce, whether paid or unpaid, who, as a part of their assigned duties, perform functions on behalf of Axial Exchange, Inc. that require the use or disclosure of protected health information about individuals.

Breach: The unauthorized acquisition, access, use, or disclosure of protected health information which “compromises” the security or privacy of such information, as “compromises” is further defined below, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. In addition, the term “breach” does not include


business associate, or, by exercising reasonable diligence would have been known to the covered entity, or its business associate.

Electronic Health Record: Electronic health record means an electronic record of health-related information of an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. This definition may include more than what we typically think of as an electronic medical record and may include prescription databases, picture archiving and communications systems, medical devices, and other mechanisms that electronically capture information about patients on the health care provider’s premises. The HITECH Act requires that disclosures made through electronic health records for purposes of treatment, payment, and health care operations be included in the response to a request for an accounting, limited to the 3-year period preceding the request. Forthcoming regulations from the Secretary of the United States Department of Health and Human Services will specify the information to be collected for such disclosures and to be included in the accounting response.

Electronic Media: Electronic media includes (1) electronic storage media including memory devices in computers (hard drives) and any removable or transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or (2) transmission media used to exchange information already in electronic storage media, such as the internet, extranet, leased lines, dial-up lines, private networks, and the physical movement of removable or transportable electronic storage media. Facsimile transmission and telephone are not considered to be transmission via electronic media because the information being exchanged did not exist in electronic form before the transmission.

Health Care Operations: The term includes a wide range of activities that make up the typical functions of a covered entity, including: quality assessment and improvement, protocol development, case management, peer review, health plan performance evaluation, training programs, legal and auditing services, and other managerial and administrative functions. Health care operations also includes due diligence for mergers, transfers, or consolidation of the covered entity.

Effective February 17, 2010, the HITECH Act placed some limitations on the broad definition of health care operations. Specifically, a covered entity’s communication, or a communication by a covered entity’s business associate, that encourages the recipient of the communication to use the product or service shall not be considered health care operations unless such communications are:

1. To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits, including communications about entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.

2. For treatment of the recipient.

3. For case management or care coordination for the recipient, therapies, health care providers, or settings of care to the recipient.

Even if the communication satisfies these conditions, if a covered entity, or its business associate, receives, or has received, directly or indirectly, payment in exchange for making such communication, the communication will not qualify as health care operations unless:

1. The communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication; and any payment received, or to be received, in exchange for the communication is reasonable; or


or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;

(ii) For treatment of the individual; or

(iii) For case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

Even if the conditions above are satisfied, the communication shall still be “marketing” if the covered entity making the communication receives or has received direct or indirect payment (which excludes any payment made for treatment of the individual) in exchange for making such communication, except where:

(a)(i) such communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication; and

(ii) any payment received by such covered entity in exchange for making a communication described in clause (a)(i) is reasonable in amount (as that term is to be defined in regulations);

(b) each of the following conditions apply:

(i) the communication is made by the covered entity; and

(ii) the covered entity making such communication obtains from the recipient of the communication a valid authorization with respect to such communication; or

(c) each of the following conditions apply:

(i) the communication is made by a business associate on behalf of the covered entity; and

(ii) the communication is consistent with the written contract (or other written permissible arrangement) between such business associate and covered entity.

2. An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.

Minimum Necessary: The term “minimum necessary” is not defined in the Privacy Rule but generally refers to the least amount of protected health information that is needed to perform a particular task or function. Until such time as the Secretary of the Department of Health and Human Services releases guidance that will further define “minimum necessary,” as required by 42 U.S.C. § 17935(b)(1)(B), the Privacy Rule requires that a covered entity, or its business associate, that is disclosing the information default to the use of a limited data set. If the limited data set will not achieve the permitted or required use, disclosure, or request, the covered entity, or the business associate, as applicable, must determine the minimum necessary amount of protected health information necessary to achieve the purpose of the intended use, disclosure, or request and limit the protected health information to only that amount.

Notice of Privacy Practices: A covered entity prepares this document to explain how the covered entity will create, receive, use and disclose protected health information; the policies and procedures that the covered entity has in place to protect the privacy of protected health


threat triggering or exploiting a particular vulnerability and (2) the resulting impact on the organization. Risk is not a single factor or event. It is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.

Safeguards: Precautionary measures taken to prevent uses or disclosures of protected health information that are not required or permitted by HIPAA. Safeguards fall into three categories: administrative, technical, and physical safeguards.

Security Compliance Training: Security compliance training focuses on compliance with the HIPAA Security Rule and addresses the safeguards necessary to ensure the confidentiality, integrity, and availability of the electronic protected health information that a covered entity, or a business associate on its behalf, creates, receives, maintains, or transmits.

Security Incident: Security incidents occur as a result of the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Security Officer: The individual designated to develop, implement and oversee the policies and procedures necessary to achieve compliance with the HIPAA Security Rule.

Technical Safeguards: These safeguards are aimed primarily at the automated processes used to protect data and control access to data, such as using authentication controls to verify that the person signing onto a computer is authorized to access that electronic protected health information, or encrypting and decrypting data as it is being stored or transmitted.

Threat: The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability of an information system. There are three general categories of threats: natural, human, and environmental. Examples of each category follow:

1. Natural threats include such things as floods, earthquakes, tornadoes, and landslides.

2. Human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to electronic protected health information) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.

3. Environmental threats include power failures, pollution, chemicals, and liquid leakage.

Unsecured Protected Health Information: Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance issued under section 13402(h)(2) of the HITECH Act on the United States Department of Health and Human Services website. See http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule

guidelines. Technical vulnerabilities may include holes, flaws, or weaknesses in the development of information systems, or incorrectly implemented or configured information systems.

Workforce: People (e.g., employees, volunteers, trainees, etc.) who perform work for the covered entity, or a business associate as the case may be, and are under its direct control, regardless of whether the covered entity, or the business associate, pays them. For purposes of training for security compliance, the definition of workforce includes management.

Workstation: The Security Rule defines a workstation as an electronic computing device such as a laptop or desktop computer or any other device that performs similar functions, and electronic media stored in its immediate environment.


COMPLIANCE OFFICER JOB DESCRIPTION

The Compliance Officer is the person who is responsible for the ongoing activities and compliance related to the development, implementation, and maintenance of the Axial Exchange’s HIPAA compliance policies and procedures arising under statutory, regulatory, or contractual obligations.

Responsibilities:

(1) Provides development guidance and assistance in the identification, implementation, and maintenance and periodic review of the HIPAA policies and procedures, as well as other policies and procedures that may be required for compliance with applicable state privacy laws.

(2) Ensures the delivery of initial and refresher compliance training to members of Axial Exchange’s workforce as well as training that may be required to implement new or modified requirements and to foster HIPAA awareness within the workforce.

(3) Performs ongoing HIPAA compliance monitoring activities.

(4) Participates in the development, implementation, and ongoing compliance monitoring of all business associate agreements to ensure that HIPAA concerns, requirements, and responsibilities are addressed.

(5) Oversees covered entity requests for individuals to inspect, amend, and restrict access to protected health information in designated record sets, if any.

(6) Responds to complaints from covered entities concerning the Axial Exchange’s HIPAA policies and procedures, in coordination and collaboration with legal counsel when necessary.

(7) Ensures compliance with HIPAA policies and procedures, and consistent application of sanctions for violations, for all workforce members and business associates, in cooperation with Human Resources, the Security Officer, and legal counsel, as appropriate.

(8) Oversees the identification and implementation of mitigation efforts in the event of inappropriate disclosures of protected health information.

(9) Acts as liaison to the Information Security Department with respect to protected health information issues.

(10) Reviews system-related information security plans to ensure consistency with the Axial Exchange’s HIPAA obligations and practices.

(11) With the assistance of legal counsel, determines appropriateness of requested release of protected health information to ensure full coordination and cooperation under Axial Exchange’s policies and procedures and legal requirements.

(12) Maintains current knowledge of applicable federal and state privacy laws.

(13) Cooperates with the United States Department of Health and Human Services, Office of Civil Rights, other legal entities and organizations in any compliance reviews or investigations.


POLICY NO.: 164.504(e)

TITLE: Business Associate and Subcontractor Agreements.

POLICY: Axial Exchange will execute a business associate agreement in those instances when it is engaged by a covered entity to perform a service that requires the use or disclosure of protected health information by or on behalf of the covered entity. Axial Exchange will execute a HIPAA subcontractor agreement with its subcontractors who perform Axial Exchange obligations involving the use or disclosure of protected health information that incorporates similar safeguards in the business associate agreement.

PROCEDURE:

A. Identify Axial Exchange’s business associate and subcontractor relationships.

The Compliance Officer will identify and document the covered entities for which Axial Exchange performs functions that require the use or disclosure of protected health information (the “covered entities”) and any entities to which Axial Exchange has delegated any portion of such obligations (the “subcontractors”). The Compliance Officer should ensure that a central log is maintained that identifies all such relationships, includes necessary contact information for each covered entity and subcontractor, and is updated as necessary.

B. Execute appropriate agreements.

1. The Compliance Officer will send each identified covered entity Axial Exchange’s business associate agreement form (attached). The Compliance Officer will examine potential new engagements to determine whether a business associate agreement is necessary.

2. The Compliance Officer will send each identified subcontractor Axial Exchange’s HIPAA subcontractor agreement (attached). The Compliance Officer will examine potential new engagements to determine whether a HIPAA subcontractor agreement is necessary.

3. The Compliance Officer will coordinate the process of executing the business associate or HIPAA subcontractor agreement, as applicable, and involve other individuals, such as legal counsel, on an as-needed basis (e.g., to discuss proposed changes to the form of the Axial Exchange business associate or subcontractor agreements).

C. Amend agreements, as may be required from time to time.

1. The Compliance Officer, in consultation with counsel, shall ensure that any changes in the state or federal law that may require changes to the business associate or HIPAA subcontract agreement shall be incorporated into existing agreements through an amendment or by executing a new agreement that includes the modified requirements.

2. The Compliance Officer shall consult with legal counsel to prepare amendments and to modify the business associate and HIPAA subcontractor agreement forms, as may be required from time to time, or to prepare an amendment to existing agreements.

3. The Compliance Officer shall ensure that the Axial Exchange workforce members are informed regarding the modifications and receive training related to them, if necessary.


BUSINESS ASSOCIATE AGREEMENT

This Agreement is made effective the _____ day of ___________, 20___, by and between _____________ (“Covered Entity”), and AXIAL EXCHANGE, INC. (“Business Associate”), (each individually, a “Party” and collectively, the “Parties”).

WITNESSETH

WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services (“HHS”) to develop standards to protect the security, confidentiality and integrity of health information; and

WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of HHS has issued regulations at 45 C.F.R. Parts 160 and 164 (the “HIPAA Privacy and Security Rules”); and

WHEREAS, the Parties wish to enter into or have entered into an arrangement whereby Business Associate will provide certain services to or perform certain functions on behalf of Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a “business associate” of Covered Entity as defined in the HIPAA Privacy Rule. The agreement evidencing such arrangement between Covered Entity and Business Associate is entitled ______________________________________, dated ____________________, (the “Arrangement Agreement”); and

WHEREAS, Business Associate may have access to Protected Health Information in fulfilling its responsibilities under the Arrangement Agreement; and

WHEREAS, Business Associate acknowledges its responsibility to comply with the requirements of Title XIII, Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), codified at 42 U.S.C. §§ 17921-17954, which are applicable to business associates, and all applicable regulations issued by the HHS to implement the HITECH Act; and

WHEREAS, pursuant to the HITECH Act, the Secretary of HHS has issued regulations at 45 C.F.R. Part 164, Subpart D (the “Breach Notification Rule”, together with the HIPAA Privacy and Security Rules, the “HIPAA Rules”) and may issue additional regulations in the future to further protect the security, confidentiality, and integrity of health information;

THEREFORE, in consideration of the Parties’ obligations under the Arrangement Agreement, compliance with the HIPAA Rules, the HITECH Act, and all other applicable regulations, the promises set forth in this Agreement, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereto enter into this Agreement in order to address the requirements of the HIPAA Rules, the HITECH Act, and all other applicable regulations, and to protect the interests of both Parties.

1. DEFINITIONS

A. Except as otherwise defined in this Agreement, any and all capitalized terms shall have the same meaning as the definitions set forth in the HIPAA Rules and the HITECH Act, as amended from time to time. In the event of an inconsistency between the provisions of this Agreement and any mandatory provisions of the HITECH Act or the HIPAA Rules, as amended, the HIPAA Rules and the HITECH Act shall control. Where provisions of this Agreement are different than those in the HITECH Act or the HIPAA Rules, as amended, but are nonetheless


on behalf of, Covered Entity available to the Secretary of HHS, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.

C. Business Associate shall report to Covered Entity any Security Incident, or Use or Disclosure of Protected Health Information that is not in compliance with the terms of this Agreement of which Business Associate becomes aware.

D. Business Associate shall notify Covered Entity’s privacy official of any Breach, as that term is defined in the Breach Notification Rule, of Unsecured Protected Health Information as required by the Breach Notification Rule without unreasonable delay and in no case later than sixty (60) calendar days after Discovery, unless delayed by law enforcement. Business Associate and Covered Entity acknowledge and agree that it is the Covered Entity’s responsibility to ensure that Individuals affected by the Breach are notified in accordance with the requirements in the Breach Notification Rule. Business Associate shall identify each Individual whose Unsecured Protected Health Information has been, or is reasonably believed to have been, accessed, acquired or disclosed as a result of the Breach, and to provide such information to the Covered Entity as is necessary to meet the breach notification requirements under the Breach Notification Rule.

3. OTHER PERMITTED USES AND DISCLOSURES

A. Notwithstanding the prohibitions set forth in this Agreement, Covered Entity acknowledges and agrees that Business Associate may Use and Disclose Protected Health Information as follows:

i. if necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such Disclosure, the following requirements are met:

(1) the Disclosure is Required by Law; or

(2) Business Associate obtains reasonable assurances from the person or entity to whom the Protected Health Information is Disclosed that the Protected Health Information will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person or entity, and the person or entity notifies Business Associate of any instances of which the person or entity is aware in which the confidentiality of the Protected Health Information has been breached;

ii. for Data Aggregation services, if Data Aggregation services are to be provided by Business Associate for the Health Care Operations of Covered Entity pursuant to the Arrangement Agreement or any agreements between the Parties evidencing their business relationship; and

iii. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).


made directly to Business Associate will be referred to Covered Entity’s privacy official.

6. TERM AND TERMINATION

A. Unless terminated as otherwise provided herein, this Agreement shall be effective as of the date and year first written above and shall terminate upon the later of (1) the date the Arrangement Agreement is terminated or (2) the date all Protected Health Information is returned to Covered Entity or destroyed.

B. Notwithstanding anything in this Agreement to the contrary, if Covered Entity determines that Business Associate has violated any material term of this Agreement, Covered Entity shall provide written notice to Business Associate of such violation and provide Business Associate with a reasonable opportunity to cure such violation. If cure is not feasible, Covered Entity shall have the right to terminate this Agreement and the Arrangement Agreement, or if termination is not feasible, report the violation to the Secretary of HHS.

Notwithstanding anything in this Agreement to the contrary, if Business Associate determines that Covered Entity has violated any material term of this Agreement, Business Associate shall provide written notice to Covered Entity of such violation and provide Covered Entity with a reasonable opportunity to cure such violation. If cure is not feasible, Business Associate shall have the right to terminate this Agreement and the Arrangement Agreement, or if termination is not feasible, report the violation to the Secretary of HHS.

7. WRITTEN NOTICE

Except as otherwise stated in this Agreement, written notice shall be deemed to have been duly served if delivered in accordance with the terms of the Arrangement Agreement.

8. MISCELLANEOUS

A. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, or their respective successors or permitted assigns, any rights, remedies, obligations or liabilities whatsoever.

B. The obligations of Business Associate and Covered Entity under Sections 2.A.iv and 2.D, Section 4, and Sections 8.H and 8.I shall survive the expiration, termination, or cancellation of this Agreement, the Arrangement Agreement and/or the business relationship of the Parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns for so long as Business Associate retains Protected Health Information that it is not feasible to return to Covered Entity or destroy.

C. This Agreement may be amended or modified only in a writing signed by the Parties.

D. No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party.

E. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of


IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the day and year written above.

COVERED ENTITY: __________________________________

By: __________________________________ (Signature)

Printed Name: __________________________________

Title: __________________________________

BUSINESS ASSOCIATE: AXIAL EXCHANGE, INC.

By: ___________________________________ (Signature)

Printed Name: ___________________________________

Title: ___________________________________


received by SUBCONTRACTOR on behalf of BUSINESS ASSOCIATE, for any purpose other than as expressly permitted or required by this Agreement. 45 C.F.R. § 164.504(e)(2)(i).

5. Other Permitted Uses And Disclosures. In addition to the Stated Purposes for which SUBCONTRACTOR may use or disclose PHI, SUBCONTRACTOR may use or disclose PHI provided or made available from BUSINESS ASSOCIATE, or created or received by SUBCONTRACTOR on behalf of BUSINESS ASSOCIATE, for the proper management and administration of SUBCONTRACTOR or to carry out legal responsibilities of SUBCONTRACTOR. 45 C.F.R. § 164.504(e)(4)(i)(A), (B). Notwithstanding the foregoing, such a use and disclosure is permitted provided that:

a. The disclosure is Required By Law; or

b. SUBCONTRACTOR obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person; the person will use appropriate safeguards to prevent use or disclosure of the PHI; and the person immediately notifies SUBCONTRACTOR of any instance of which it is aware in which the confidentiality of the information has been breached. 45 C.F.R. § 164.504(e)(4)(ii).

6. Prohibition on Remuneration For PHI. Unless an exception applies, as set forth at 42 U.S.C. § 17935(d)(2), in no event may SUBCONTRACTOR directly or indirectly receive remuneration in exchange for any PHI of an Individual unless the applicable Covered Entity obtains from the Individual a valid authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving PHI of that Individual. This prohibition does not apply to remuneration SUBCONTRACTOR receives from BUSINESS ASSOCIATE for activities that SUBCONTRACTOR undertakes on behalf of and at the specific request of the BUSINESS ASSOCIATE pursuant to this Agreement.

ARTICLE IV – BUSINESS ASSOCIATE OBLIGATIONS

7. Limits On Use And Further Disclosure Established By Agreement or By Law.

SUBCONTRACTOR hereby agrees that the PHI provided or made available by

BUSINESS ASSOCIATE shall not be further used or disclosed other than as permitted or

required by the Agreement or as Required By Law. 45 C.F.R. § 164.504(e)(2)(ii)(A).

8. Appropriate Safeguards. SUBCONTRACTOR will establish and maintain appropriate

safeguards to prevent any use or disclosure of the PHI, other than as provided for by this

Agreement. 45 C.F.R. § 164.504(e)(2)(ii)(B).

9. Reports of Improper Use Or Disclosure. SUBCONTRACTOR hereby agrees that it

shall report to BUSINESS ASSOCIATE within ten (10) days of discovery any use or

disclosure of PHI not provided for or allowed by this Agreement. This provision shall

apply to Breaches of Unsecured PHI, as those terms are defined at 45 C.F.R. § 164.402.

SUBCONTRACTOR’S notice shall include the applicable elements as set forth at 45

C.F.R. § 164.410(c) when breaches of Unsecured PHI occur.

10. Subcontractors and Agents. SUBCONTRACTOR hereby agrees that anytime PHI is

provided or made available to any of its subcontractors or agents, SUBCONTRACTOR

must enter into a subcontract with the subcontractor or agent that contains the same

terms, conditions and restrictions on the use and disclosure of PHI as contained in this

Agreement. 45 C.F.R. § 164.504(e)(2)(ii)(D).

without the express written permission of BUSINESS ASSOCIATE;

18. Alternatively, in the event that either Party has knowledge of a material breach of this

Agreement by the other Party and cure is possible, the non-breaching Party may provide

a reasonable opportunity for the breaching Party to cure the breach or end the violation.

If the breaching Party does not cure the breach or end the violation within the time

specified by non-breaching Party, the non-breaching Party may terminate this

Agreement.

19. In the event that either Party has knowledge of a material breach of this Agreement by

the other Party and cure is not possible, the non-breaching Party shall (i) terminate the

portion of the service being performed that is affected by the breach, and (ii) report the

violation to the Secretary of HHS.

ARTICLE VII – TERMINATION

20. This Agreement may be terminated (i) by either Party in accordance with Article VI or (ii)

by BUSINESS ASSOCIATE upon sixty (60) days’ written notice.

21. Upon termination of this Agreement for any reason, if feasible, SUBCONTRACTOR will

return or destroy all PHI received from BUSINESS ASSOCIATE, or created or received

by SUBCONTRACTOR on behalf of BUSINESS ASSOCIATE, that SUBCONTRACTOR

still maintains in any form and shall retain no copies of such information. If such return or

destruction is not feasible, SUBCONTRACTOR will extend the protections of this

Agreement to the information retained and limit further uses and disclosures to those

purposes that make the return or destruction of the information infeasible. 45 C.F.R. §

164.504(e)(2)(ii)(I). This paragraph shall survive the termination of this Agreement.

ARTICLE VIII – MISCELLANEOUS

22. Amendment. This Agreement cannot be amended except by mutual written agreement

of BUSINESS ASSOCIATE and SUBCONTRACTOR.

23. Amendment for Compliance. In the event that any provision of this Agreement is held

by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the

provisions of the Agreement will remain in full force and effect. In addition, in the event

BUSINESS ASSOCIATE believes in good faith that any provision of the Agreement fails

to comply with the then-current requirements of the applicable HIPAA regulations,

BUSINESS ASSOCIATE shall notify SUBCONTRACTOR in writing. For a period of up to

thirty (30) days, the Parties shall address in good faith such concern and shall amend the

terms of this Agreement, if necessary, to bring it into compliance. If after such thirty-day

period this Agreement fails to comply with the HIPAA regulations with respect to the

concern(s) raised pursuant to this paragraph, BUSINESS ASSOCIATE has the right to

terminate this Agreement upon thirty (30) days’ written notice to SUBCONTRACTOR.


BUSINESS ASSOCIATE

Axial Exchange, Inc.

Attn: John Casey

Vice President, Operations and Finance

510 Glenwood Avenue, Suite 215

Raleigh, NC 27608

SUBCONTRACTOR

Name: ________________________________

Attn: __________________________________

Title: _________________________________

Address: ______________________________

City/State/Zip: __________________________

Either Party may at any time change its address for notification purposes by mailing a

notice stating the change and setting forth the new address.

26. Force Majeure. SUBCONTRACTOR shall be excused from performance under this

Agreement for any period SUBCONTRACTOR is prevented from performing any services

pursuant hereto, in whole or in part, as a result of an Act of God, war, civil disturbance,

court order, labor dispute or other cause beyond its reasonable control, and such

nonperformance shall not be grounds for termination, except that SUBCONTRACTOR’S

inability to perform will not be excused in the event that SUBCONTRACTOR failed to

implement a reasonable disaster recovery plan prior to experiencing the event and

invoking this provision.

27. No Third Party Beneficiaries. The Parties have not created and do not intend to create

by this Agreement any third party rights under this Agreement.

28. Severability. If any provision of this Agreement, or any other agreement, document, or

writing pursuant to or in connection with this Agreement, is found to be wholly or partially

invalid or unenforceable, the remainder of this Agreement is unaffected and shall remain

in force.

29. Waiver. No term or provision of this Agreement shall be deemed waived and no breach

excused unless such waiver or excuse of breach is in writing, signed by the Party against

whom such waiver or excuse is claimed.

30. Entire Agreement. This SUBCONTRACTOR AGREEMENT consists of this document,

and constitutes the entire agreement between the Parties with respect to the subject

matter hereof. There are no understandings or agreements relating to this Agreement

which are not fully expressed herein and no change, waiver or discharge of obligations

arising under this Agreement shall be valid unless in writing and executed by the Party

against whom such change, waiver or discharge is sought to be enforced.

IN WITNESS WHEREOF, BUSINESS ASSOCIATE and SUBCONTRACTOR have caused this

Agreement to be signed and delivered by their duly authorized representatives, as of the date set

forth above.

SUBCONTRACTOR: BUSINESS ASSOCIATE:


POLICY NO.: 164.308(a)(5)(A)

TITLE: HIPAA Training.

POLICY: Axial Exchange will train its workforce (including management) on Axial Exchange’s

contractual and statutory HIPAA obligations.

PROCEDURE:

A. Identify Necessary Training.

1. The Compliance and Security Officers, or their designees, will identify and document

the workforce members according to job function who require the use or disclosure of

protected health information for covered entities. For purposes of security compliance

training, the workforce must include workforce management.

2. The Compliance and Security Officers, or their designees, will identify and document

other personnel, such as subcontractors or other agents, who may require training

with respect to Axial Exchange’s HIPAA compliance policies and procedures and

include them in training, as appropriate.

B. Determine the Curriculum and Audience for HIPAA Training.

1. The Compliance Officer will ensure that workforce members providing services to

covered entities involving the use or disclosure of protected health information

receive appropriate training on the contractual obligations arising under the business

associate agreement, including, but not limited to, permissible scope of use and

disclosure of protected health information, obligations to safeguard the protected

health information and to report suspected or actual breaches of confidentiality,

requirements to provide access and to amend protected health information contained

in designated record set, and related contractual obligations.

2. The Security Officer will implement a security awareness and training program for

identified personnel (including management). Topics to be included in the training

include security reminders and periodic updates; procedures for guarding against,

detecting, and reporting malicious software; procedures for monitoring log-in attempts

and reporting discrepancies; and procedures for creating, changing, and

safeguarding passwords. In the event that the Security Officer determines that the

training topics identified are not reasonable or appropriate for Axial Exchange, the

Security Officer will document why it would not be reasonable to implement the

training and identify and implement an equivalent alternative measure if reasonable

and appropriate.

C. Schedule Training.

1. The Compliance and Security Officers will ensure that all appropriate personnel

receive the necessary HIPAA compliance training.

2. Changes in workforce must be communicated to the Compliance and Security

Officers (i.e., new workforce members or a change in the job function of an existing

workforce member) if the change results in that workforce member’s need for

access to protected health information. The Compliance and Security Officers will

ensure that any new workforce members receive appropriate HIPAA compliance

training within thirty (30) days after notification or implementation of such change.

www.hhs.gov/ocr/privacy

POLICY NO.: 164.308(a)(1)(C)

TITLE: Sanctions.

POLICY: Axial Exchange will sanction workforce members who fail to comply with Axial

Exchange’s policies and procedures, including the failure to report infractions, regarding the

statutory, regulatory, and contractual obligations regarding protected health information, up to and

including termination.

PROCEDURE:

A. Report violations.

1. Axial Exchange’s workforce is the first line of defense in safeguarding protected

health information. Consequently, all workforce members must follow Axial

Exchange’s policies and procedures concerning the use, disclosure, and

safeguarding of protected health information.

2. All members of Axial Exchange’s workforce have an obligation to report to the

Security Officer, or other appropriate member of the management team, any

instances in which they reasonably believe that Axial Exchange’s policies and

procedures concerning protected health information have been, or will be, violated.

B. Investigate reported violations.

1. The Compliance and Security Officers will investigate all reports of alleged or

potential violations of Axial Exchange’s policies and procedures for safeguarding

protected health information, including interviewing all affected or potentially affected

personnel; reviewing system logs, as appropriate; interviewing covered entities,

subcontractors, or other potentially affected entities or individuals, if any; reviewing

documentation, if any; and taking all other steps reasonably necessary to fully review

the circumstances surrounding the alleged or potential violation.

2. The Compliance and Security Officers will make a determination regarding the

alleged or potential violation and take the reasonably necessary steps, if any, to

resolve it, including recommending sanctions according to the severity of the violation;

and revising policies and procedures to address the alleged or potential violation, if

appropriate, or to prevent the future inappropriate use or disclosure of protected

health information.

3. The Compliance and Security Officers will notify the individuals affected by the

disposition of the alleged or potential violation, including workforce members

responsible for the procedures that were the basis of the alleged or potential

violation; workforce members who identified the alleged or potential violation; and all

other affected personnel.

C. Sanction workforce members or subcontractors, as appropriate.

1. The Compliance and Security Officers will identify individuals who were involved in

the violation and make an express finding of whether the violation was purposeful or

inadvertent.

2. The Compliance and Security Officers will prepare a recommendation for

management regarding any sanctions that should be applied to individuals involved

in the violation. The recommendation must reflect the level of severity of the violation


POLICY NO.: 164.502(a)

TITLE: Using and Disclosing Protected Health Information.

POLICY: Axial Exchange will use and disclose protected health information as permitted or

required as specified in the applicable business associate agreement, consistent with federal and

state law, and as described in the applicable covered entity’s notice of privacy practices.

PROCEDURE:

A. Permitted Uses and Disclosures

1. Axial Exchange will use or disclose protected health information only as specified in

the business associate agreement with the applicable covered entity.

2. Axial Exchange may disclose the covered entity’s protected health information if such

disclosure is required by law, or Axial Exchange obtains reasonable assurances from

the person to whom the protected health information is disclosed that it will be held

confidentially and used or further disclosed only as required by law or for the

purposes for which it was disclosed to the person; the person will use appropriate

safeguards to prevent use or disclosure of the protected health information; and the

person immediately notifies Axial Exchange of any instance of which it is aware in

which the confidentiality of the information has been breached.

3. External requests for disclosure of protected health information must be forwarded to

the Compliance Officer for resolution.

B. Scope of Permitted Disclosures

1. The Compliance Officer must identify any requirements related to a disclosure. The

requirements are summarized on the “HIPAA Required and Permitted Disclosures

Checklist” attached.

2. Unless an exception applies, the amount of protected health information Axial

Exchange may use or disclose is limited to the minimum amount necessary to

achieve the permitted purpose of the use or disclosure.

a. To the extent practicable, the minimum amount necessary is the limited data set.

b. If the limited data set will not permit the permitted purpose of the use or

disclosure to be achieved, the minimal additional data elements that would be

required to achieve the purpose of the permitted use or disclosure will be

identified.

3. The minimum necessary standard does not apply to disclosures to, or requests by, a

health care provider for treatment (45 C.F.R. § 164.502(b)(2)(i)); it continues to apply to

uses and disclosures for payment and health care operations.

4. Axial Exchange personnel who receive requests unrelated to the treatment, payment,

and health care operations (or who receive requests related to treatment, payment,

and health care operations but the business associate agreement between the

parties does not include such uses or disclosures within the stated purposes of the

agreement) must contact the Compliance Officer prior to disclosing the protected

health information and provide:

a. The name of the person or entity seeking the protected health information;

b. The identity and contact information for the applicable covered entity;


HIPAA Permitted and Required Disclosures Checklist

Columns: To Whom? | For What Purpose? | How much? | Other requirements? | Notes | Cite

“Minimum necessary” in the “How much?” column means the minimum amount of protected health

information necessary to accomplish the intended purpose of the use, disclosure, or request

(164.502(b)(1)).

To Health Care Providers | TREATMENT | All (minimum necessary does not apply to disclosures to or requests by a health care provider for treatment) | --- | Permitted | 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(1), (2)

To Health Care Providers and other Covered Entities | PAYMENT | Minimum necessary | Applies to uses, disclosures, and requests of covered entities | Permitted | 164.502(a)(1)(ii); 164.502(b)(1); 164.506(c)(1), (3)

To the Patient’s Insurers | PAYMENT | Minimum necessary | Applies to uses, disclosures, and requests of covered entities generally | Permitted | 164.506(c)(1), (3)

To Another Covered Entity | HEALTH CARE OPERATIONS of the recipient: (i) conducting quality assessment and improvement activities; (ii) reviewing the qualifications of health care professionals and other persons; (iii) fraud and abuse detection or compliance | Minimum necessary | (i) Both entities have or had a relationship with the individual who is the subject of the protected health information; (ii) the information pertains to that relationship; and (iii) the disclosure meets one of the listed purposes | Permitted | 164.506(c)(4)

For the Covered Entity’s own HEALTH CARE OPERATIONS | Including underwriting, premium rating, or other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and related purposes | Minimum necessary to accomplish the stated purpose | --- | Permitted | 164.502(b)(1); 164.506(c)(1)

To Business Associates | Intended purpose under the written business associate agreement | Minimum necessary | Written business associate agreement required; the agreement documents the permitted uses and disclosures, including any case, if any, where the covered entity will receive information from the business associate; and the Notice of Privacy Practices informs the beneficiaries regarding how the protected health information may be used and disclosed | Permitted | 164.502(e)

To Business Associates or institutionally related foundations | Raising funds for the benefit of the covered entity | Demographic information relating to the individual; dates of health care provided to the individual | Notice of Privacy Practices must state that such disclosures may be made for fundraising and must also inform individuals how to opt out of further fundraising communications | Permitted | 164.502(a)(1)(vi); 164.514(f)

To “Incidental” recipients | Incident to a use or disclosure otherwise permitted or required | --- | Must have complied with the minimum necessary requirements of 164.502(b) and the safeguard requirements of 164.530(c) | Permitted | 164.502(a)(1)(iii)

To “Authorized” recipients | (i) Marketing; (ii) psychotherapy notes; (iii) otherwise as stated in the express terms of the authorization | As specified in the authorization | Must meet the authorization requirements of 164.508 | Permitted | 164.502(a)(1)(iv); 164.502(b)(2)(iii); 164.508

To the Individual | --- | All | None | Permitted | 164.502(a)(1)(i)

To the Individual (accounting of disclosures) | --- | All | Individual must request the information in accordance with the requirements at 164.528 | Required | 164.502(b)(2)(ii); 164.528

To a Personal Representative | --- | All | Must qualify as a personal representative as required in 164.502(g); treated as the individual with respect to the protected health information relevant to the representation, including for the right of access | Permitted | 164.502(a)(1)(i); 164.502(g); 164.524

To the Secretary of the Department of Health and Human Services | To determine the covered entity’s compliance with the rules governing the privacy of protected health information | All requested | --- | Required | 164.502(a)(2)(ii)

To “Agreed To” recipients | Facility directories | Minimum necessary | Individual must have the opportunity to agree or object as specified at 164.510(a)(2); emergency circumstances as specified at 164.510(a)(3) | Permitted | 164.502(b)(1); 164.510(a)

To “Agreed To” persons | Involvement in the individual’s care | Minimum necessary | Individual must have the opportunity to agree or object in accordance with the requirements at 164.510(b)(2) | Permitted | 164.502(b)(1); 164.510(b)

To “Notification” recipients | Notification of family members, personal representatives, or others responsible for the individual’s care of the individual’s location, general condition, or death | Minimum necessary | Must be in accordance with the requirements at 164.510(b)(4) | Permitted | 164.510(b)

To Public Health Authorities | Collecting or receiving information for public health activities | Minimum necessary | Authority must be authorized by law to receive the information | Permitted | 164.502(b)(1); 164.512(b)(1)(i)

To Public Health Authorities | Receiving reports of child abuse or neglect | Minimum necessary | Authority must be authorized by law to receive the reports | Permitted | 164.502(b)(1); 164.512(b)(1)(ii)

To the FDA | Activities related to the quality, safety, or effectiveness of an FDA-regulated product or activity | Minimum necessary | Disclosure must be related to the product or activity | Permitted | 164.502(b)(1); 164.512(b)(1)(iii)

To a person who may have been exposed to a communicable disease | To notify the person of the exposure | Minimum necessary | Law must authorize the disclosure of the information | Permitted | 164.502(b)(1); 164.512(b)(1)(iv)

To an Employer | Generally when requested by the employer for medical surveillance of the workplace or evaluation of work-related illness or injury, or otherwise as needed for the employer to comply with statutory obligations | Minimum necessary | Law must require the disclosure; the provider must meet the specified qualifications (care provided at the request of the employer); and the individual must receive specific written notice | Permitted | 164.512(b)(1)(v)

To Government Authorities authorized to receive reports of abuse, neglect, or domestic violence | Reports of abuse, neglect, or domestic violence | Minimum necessary | (i) Disclosure required by law and limited to the relevant requirements of such law; (ii) the individual agrees; or (iii) the disclosure is expressly authorized by statute or regulation | Permitted; promptly inform the individual of the disclosure unless an exception applies | 164.512(c)

To a Health Oversight Agency | Health oversight activities (e.g., audits, investigations, inspections, licensure actions) | Minimum necessary | --- | Permitted; not for an investigation or other activity in which the individual is the subject of the investigation unless it arises from receipt of health care or public benefits | 164.512(d)

In “legal process” | Court order, subpoena, discovery request, or other lawful process | Minimum necessary | Must have a court order; OR satisfactory assurance from the person seeking the information that reasonable efforts were made to give the individual notice of the request; OR satisfactory assurance that the person seeking the information made reasonable efforts to secure a qualified protective order | Permitted | 164.512(e)

To Law Enforcement Officials | Law enforcement purposes, including identifying or locating a suspect, fugitive, material witness, or missing person | Minimum necessary | As required by law; or in compliance with and as limited by a court order, warrant, subpoena, administrative request, etc. | Permitted | 164.512(f)

To Medical Examiners or Coroners | To identify a deceased person, determine cause of death, or perform other duties as authorized by law | Minimum necessary | --- | Permitted | 164.502(b)(1); 164.512(g)(1)

To Funeral Directors | To carry out duties with respect to the decedent | Minimum necessary | Must be consistent with applicable law | Permitted | 164.512(g)(2)

To Organ Procurement Organizations | Facilitating organ, eye, or tissue donation and transplantation | Minimum necessary | --- | Permitted | 164.512(h)

To Research Organizations | Research | Minimum necessary | Must comply with the extensive requirements set forth in the rule (IRB or privacy board waiver, reviews preparatory to research, decedents’ information) | Permitted | 164.502(b)(1); 164.512(i)

To Authorities able to prevent or lessen the threat | To prevent or lessen a serious and imminent threat to the health or safety of a person or the public | Minimum necessary | Disclosure must be “consistent with” applicable law and standards of ethical conduct | Permitted | 164.512(j)(1)(i)

To Law Enforcement | To apprehend an individual | Minimum necessary | Must be consistent with applicable law and standards of ethical conduct | Permitted | 164.502(b)(1); 164.512(j)(1)(ii)

To Military Authorities | To assure the proper execution of a military mission; to determine eligibility for benefits | Minimum necessary | (i) Pertains to armed forces personnel; and (ii) the activities are identified by notice in the Federal Register | Permitted | 164.512(k)(1)

To Federal Officials | Lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act and implementing authority | Minimum necessary | --- | Permitted | 164.512(k)(2)

To Federal Officials | Protective services to the President or other persons authorized by statute | Minimum necessary | --- | Permitted | 164.512(k)(3)

To the Department of State | To make medical suitability determinations | Minimum necessary | The disclosing entity must be a component of the Department of State | Permitted | 164.502(b)(1); 164.512(k)(4)

To a Correctional Institution or Law Enforcement Officials | Providing health care to inmates, or otherwise as necessary for health and safety | Minimum necessary | The officials must have lawful custody of the individual | Permitted | 164.502(b)(1); 164.512(k)(5)

To Government Programs | To provide and administer public benefits | Minimum necessary | Sharing between agencies must be expressly authorized by statute or regulation | Permitted | 164.502(b)(1); 164.512(k)(6)

To Entities authorized by law to provide benefits for work-related injuries or illness without regard to fault | To the extent necessary to comply with workers’ compensation or other similar laws | Minimum necessary | Programs must be established by law | Permitted | 164.512(l)

To a Limited Data Set Recipient | Research, public health, or health care operations | As specified in the data use agreement | Disclosing and receiving entities must enter into a data use agreement | Permitted | 164.514(e)


any case in which there are doubts about the ability to orally disclose protected

health information to any other person.

b. Conduct the conversation in a manner that reasonably prevents the protected

health information from being overheard by others. Protected health information

should never be included in a message on an answering machine.

5. Periodic re-evaluation. The Compliance Officer will periodically re-evaluate the

results of the analysis with respect to the people and the processes and update as

appropriate. The Compliance Officer will consult with the Security Officer in making

this assessment.

B. Technical Safeguards

1. Facsimile machines.

a. Facsimile machines should not be used to receive or transmit protected health

information.

2. Computers.

a. Access to electronic protected health information. Only authorized personnel

should have access to systems that contain protected health information, and

Axial Exchange should adopt policies and procedures that permit access only

upon such authorization.

b. Using protected health information. Protected health information should be

encrypted before it is transmitted. Decryption keys should be conveyed verbally

to recipients of transmitted protected health information. Hard drives should be

encrypted, and computer caches should be cleared monthly. Axial Exchange

personnel should never leave their computer screens unattended if the display

includes protected health information. Axial Exchange personnel should also

ensure that while using the display, unauthorized personnel cannot see the

information.

c. Laptop computers. Axial Exchange personnel are permitted to use laptop

computers that are purchased and configured by Axial Exchange. The use of

laptop computers is subject to the same policies and procedures as that for

desktop computers.

d. Protected health information should never be downloaded to a thumb drive or

other easily transferable medium.

3. Printers and photocopiers. Printers and photocopiers should not be used to transmit

or receive protected health information.

4. Email.

a. Axial Exchange personnel should not send messages or attachments through

email if the messages or attachment include protected health information.

b. In the event that Axial Exchange personnel must send messages or attachments

that include protected health information, Axial Exchange personnel must encrypt

the protected health information prior to transmission. The decryption key must

be conveyed verbally to the recipient.


POLICY NO.: 164.530(f)

TITLE: Mitigation of Harmful Effects of Inadvertent, Impermissible, or Inappropriate Use or

Disclosure.

POLICY: Axial Exchange will identify reasonable mitigation measures to mitigate the harmful

effects of an inadvertent, impermissible, or inappropriate use or disclosure of protected health

information and make required notification, if any.

PROCEDURE:

A. Identify potential harmful effects resulting from the inadvertent, impermissible, or

inappropriate uses or disclosures of protected health information.

1. The Compliance and Security Officers are responsible for identifying the potential

harmful effects of the uses or disclosures, if any.

2. For each identified potential harmful effect, the Compliance and Security Officers, in

consultation with legal counsel as may be appropriate, will identify reasonably

practical steps to lessen such harmful effect, if any. Such steps may include obtaining

a credit protection policy on behalf of the individual whose information was disclosed

inappropriately.

3. The Compliance Officer will send applicable covered entities written notice of the

mitigation measures Axial Exchange plans to implement.

B. Implement mitigation efforts.

1. The Compliance and Security Officers will take all necessary steps to ensure that the

mitigation measures are implemented.

2. The Compliance Officer will send applicable covered entities written notice of the

implementation of the identified mitigation measures.

C. Receive reports of mitigation efforts from subcontractors.

1. Subcontractors are required to immediately report to the Security Officer and the

Compliance Officer any detected vulnerabilities and the mitigation measures that

were implemented to address the vulnerabilities.

2. The Compliance Officer will notify the subcontractor of the additional mitigation

measures that should be implemented, if any.

3. The Compliance Officer will send the applicable covered entities written notice of the

mitigation measures implemented.

REFERENCES:

45 CFR § 164.404 (Breaches of unsecured protected health information)

45 CFR § 164.530(f) (Mitigation)

45 CFR § 164.530(j) (Documentation)

SOP 300-1 (Mitigation of Harmful Effects of Inadvertent, Impermissible, or Inappropriate

Use or Disclosure)


notifications to individuals affected by a breach of unsecured protected health

information.

1. The Compliance Officer will ensure that each individual whose unsecured protected

health information has been, or is reasonably believed to have been, accessed,

acquired, used, or disclosed as a result of the breach receives all required

notifications.

2. Written notification must be sent without unreasonable delay and in no case later than

sixty (60) calendar days after discovery. If the Compliance Officer has reason to

believe that there is a possibility of imminent misuse of unsecured protected health

information, notification will be provided by telephone or other means, as appropriate,

in addition to the written notice.

a. In the event that there is insufficient or out-of-date contact information for fewer

than ten (10) individuals that precludes providing written notification, then

notification may be provided by an alternative form of written notice, telephone,

or other means.

b. If there is insufficient or out-of-date contact information for ten (10) or more

individuals, then such substitute notice shall:

(1) Be in the form of either a conspicuous posting for a period of ninety (90) days

on the home page of the covered entity’s website, or a conspicuous notice in

major print or broadcast media in geographical areas where the affected

individuals reside; and

(2) Include a toll-free phone number that remains active for at least ninety (90)

days where an individual can call and learn whether their protected health

information may be included in the breach.

c. To the extent possible, the written notification must include the following:

(1) A brief description of what happened, including the date of the breach and

the date of the discovery of the breach, if known;

(2) A description of the types of unsecured protected health information that

were involved in the breach, such as full name, social security number, date

of birth, etc.;

(3) Any steps individuals should take to protect themselves from potential harm

resulting from the breach;

(4) A brief description of what is being done to investigate the breach, to mitigate

harm to individuals, and to protect against any further breaches; and

(5) Contact procedures for individuals to ask questions or learn additional

information, which shall include a toll free telephone number, an email

address, website, or postal address. This information should provide the

information for the Axial Exchange personnel if the applicable covered entity

has delegated responding to these contacts.

d. The Compliance Officer will review the proposed form of notice with the

applicable covered entity and obtain written confirmation of the covered entity’s

concurrence prior to making the notifications.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule

H. Documentation. The Compliance Officer will ensure that all documentation regarding

the analysis and compliance of this requirement will be retained for a minimum of six (6)

years in accordance with the policy.

REFERENCES:

45 CFR § 164.400 et seq. (Breaches of unsecured protected health information)

45 CFR § 164.530(j) (Documentation)

SOP 200-1 (Security Incidents and Breaches of Unsecured Protected Health Information

Notification)


POLICY NO.: 164.522

TITLE: Requests for Privacy Protection and Confidential Communications.

POLICY: Axial Exchange will take precautions to implement any additional approved restrictions

on the use or disclosure of protected health information upon direction from the applicable

covered entity.

PROCEDURE:

A. Receive Directions from Applicable Covered Entities. All privacy restrictions and

confidential communications a covered entity grants must be forwarded to the

Compliance Officer for review and implementation.

B. Implementation.

1. The Compliance Officer will document receipt of the privacy restriction or confidential

communication received from the covered entity and, in conjunction with the Security

Officer, determine whether Axial Exchange’s practices and procedures will be

affected and the means by which Axial Exchange’s, or a subcontractor’s, routine

practices and procedures must be modified to accommodate the restriction or

communication request.

2. If the Compliance and Security Officers determine that the restriction or

communication request significantly disrupts Axial Exchange’s practices or

procedures such that it cannot comply with the restriction or request absent material

modifications, the Compliance Officer shall contact the applicable covered entity to

negotiate a resolution.

C. Terminate Restrictions.

1. The Compliance Officer will document the instructions it receives from a covered

entity to terminate a previously granted privacy restriction or confidential

communication request, and, in conjunction with the Security Officer if appropriate,

will take necessary steps to terminate the privacy restriction or confidential

communication request.

2. The Compliance Officer will ensure that appropriate members of Axial Exchange’s

workforce and subcontractors are informed of the termination and its effective date.

D. Documentation. The Compliance Officer will ensure that all documentation regarding

the analysis and compliance of this specification will be retained for a minimum of six (6)

years.

REFERENCES:

45 CFR § 164.522 (Right to request privacy protection)

45 CFR § 164.530(j) (Documentation)


C. Documentation. The Compliance Officer will ensure that all documentation regarding the

analysis and compliance of this requirement will be retained for a minimum of six (6)

years in accordance with Axial Exchange’s policy.

REFERENCES:

45 CFR § 164.524 (Right to access)

45 CFR § 164.526 (Right to amend)

45 CFR § 164.528 (Right to accounting)

45 CFR § 164.530(j) (Documentation)

POLICY NO.: 164.306

TITLE: Security Requirements for Electronic Protected Health Information.

POLICY: Axial Exchange will protect the confidentiality, integrity, and availability of the electronic

protected health information that it, members of its workforce, or a subcontractor on its behalf,

creates, receives, maintains, or transmits on behalf of a covered entity.

PROCEDURE:

A. Approach.

1. Axial Exchange, through its Security Officer, will adopt, and periodically review and

assess, those security measures that allow Axial Exchange to reasonably and

appropriately implement the standards and implementation specifications that the

Security Rule requires.

2. The Security Officer shall consider the following factors in determining the security measures that Axial Exchange will employ:

a. The size, complexity, and capabilities of Axial Exchange;

b. Axial Exchange’s technical infrastructure, hardware, and software security

capabilities;

c. The costs of security measures; and

d. The probability and criticality of potential risks to electronic protected health

information.

B. Standards. The Security Officer shall take those necessary and appropriate steps to

ensure that Axial Exchange complies with the administrative, physical, and technical

standards the Security Rule specifies with respect to the electronic protected health

information Axial Exchange receives, creates, transmits, or maintains on behalf of a

covered entity. These standards are identified on the checklists attached to this policy

and procedure.

C. Implementation Specifications. Implementation specifications in the Security Rule fall

into two categories: “required” implementation specifications and “addressable”

implementation specifications. The categories are identified on the checklists attached to

this policy and procedure.

1. Axial Exchange must implement required implementation specifications, and the

Security Officer shall take such steps as necessary and appropriate to implement

the required implementation specifications.

2. For each addressable implementation specification, the Security Officer will:

a. Assess whether the implementation specification is a reasonable and

appropriate safeguard in Axial Exchange’s environment, when analyzed with

reference to the likely contribution to protecting the electronic protected health

information Axial Exchange receives, creates, transmits, or maintains on

behalf of a covered entity; and

b. Implement the implementation specification, if reasonable and appropriate; or


Administrative Safeguards Checklist

The Security Rule does not dictate what security measures an entity must implement. Instead, an entity may use any security measures that allow it to reasonably and appropriately implement the standards and implementation specifications, provided that in making such decisions it considers such factors as its size, complexity, and capabilities; its technical infrastructure, hardware, and software security capabilities; the costs of security measures; and the probability and criticality of potential risks to ePHI. When a specification is designated as “addressable,” Axial Exchange must (1) assess whether the specification is a reasonable and appropriate safeguard in its environment, with reference to its likely contribution to protecting ePHI; and (2) implement the specification if reasonable and appropriate or, if not, (3) document why it would not be reasonable and appropriate.

Columns: Standard | Section | Implementation Specification | Required/Addressable | Comments. Each specification also has a “Current status” field.

Security Management Process (164.308(a)(1))

   Risk Analysis. Required. An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI must be conducted; the focus should be on the potential risks and vulnerabilities that affect ePHI.

   Risk Management. Required. Axial Exchange must implement IT-related security measures sufficient to reduce the risks and vulnerabilities noted in the risk analysis to a reasonable and appropriate level.

   Sanction Policy. Required. Axial Exchange must develop and implement a sanctions policy for workforce members and contractors who fail to comply with security policies and procedures.

   Information System Activity Review. Required. Developed as a part of an IT security plan; requires regular review of records of information system activity, such as audit logs, access reports, and security incident tracking reports, to determine whether ePHI has been inappropriately used or disclosed.

Assigned Security Responsibility (164.308(a)(2))

   Required. Identify the security official responsible for the development and implementation of the security policies and procedures.

Workforce Security (164.308(a)(3))

   Authorization and/or Supervision. Addressable. Criteria for granting individuals access to ePHI must be established.

   Workforce Clearance Procedure. Addressable. Information security policies should include clearance procedures for granting access, using methods such as criminal background checks, to determine that workforce members have appropriate access to ePHI before access is granted.

   Termination Procedures. Addressable. Procedures for terminating access to ePHI when employment ends or an employee’s job no longer requires such access.

Information Access Management (164.308(a)(4))

   Isolating Health Care Clearinghouse Function. Required.

   Access Authorization. Addressable. Implement policies and procedures for granting access to ePHI (for example, through access to a workstation, transaction, program, process, or other mechanism).

   Access Establishment and Modification. Addressable. Implement policies and procedures that, based upon the access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

Security Awareness and Training (164.308(a)(5))

   Security Reminders. Addressable. Security policies should include a plan for security reminders and periodic security updates (for example, periodic electronic or written notices).

   Protection from Malicious Software. Addressable. Procedures should be developed for guarding against, detecting, and reporting malicious software.

   Log-in Monitoring. Addressable. Procedures for monitoring log-in attempts and reporting discrepancies, if reasonable and appropriate.

   Password Management. Addressable. Procedures for creating, changing and, most importantly, safeguarding passwords should be reflected in security policies and in workforce member training.

Security Incident Procedures (164.308(a)(6))

   Response and Reporting. Required. A policy and procedure should be developed that specifies how security incidents are identified and reported, and how they are to be followed up on.

Contingency Plan (164.308(a)(7))

   Data Backup Plan. Required. Procedures to create and maintain retrievable exact copies of ePHI must be documented and implemented.

   Disaster Recovery Plan. Required. Procedures to restore any loss of data.

   Emergency Mode Operation Plan. Required. An emergency plan (i.e., procedures which enable the continuation of critical business processes for protection of the security of ePHI while operating in emergency mode) must be documented and implemented as needed.

   Testing and Revision Procedures. Addressable. Procedures for periodic testing and revision of contingency plans should be in place and testing dates documented.

   Applications and Data Criticality Analysis. Addressable. Assess the relative criticality of specific applications and data that store and/or access ePHI in support of the other contingency plan components.

Evaluation (164.308(a)(8))

   Required. A security evaluation plan, which periodically reviews and assesses the security measures in place to assure the security of ePHI. The plan and evaluation timing should be documented.

Business Associate Contracts and Other Arrangements (164.308(b))

   Written Contract or Other Arrangement. Required. Written business associate agreements must exist with any subcontractor whose work involves the use or disclosure of ePHI.


Physical Safeguards Checklist

Columns: Standard | Section | Implementation Specification | Required/Addressable | Comments. Each specification also has a “Current status” field.

Facility Access Controls (164.310(a))

   Contingency Operations. Addressable. Access to the area where the network servers and other equipment are located is limited to authorized personnel through the use of an access card or other mechanism, including access under the disaster recovery plan and emergency mode operation plan.


Technical Access Controls Checklist

Columns: Standard | Section | Implementation Specification | Required/Addressable | Comments. Each specification also has a “Current status” field.

Access Control (164.312(a))

   Unique User Identification. Required. Assign a unique name and/or number for identifying and tracking user identity.

   Emergency Access Procedure. Required. Information security policies must establish and set forth a procedure for obtaining necessary ePHI during an emergency.

   Automatic Logoff. Addressable. Electronic procedures that terminate a session after a predetermined period of inactivity should be implemented, if reasonable and appropriate.

   Encryption and Decryption. Addressable. Only required if reasonable and appropriate to restrict access to ePHI to those persons who have been granted access.

Audit Controls (164.312(b))

   Required. Audit controls should be included in the information security policies. The policies must also require hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain ePHI.

Integrity (164.312(c))

   Mechanism to Authenticate ePHI. Addressable. Procedures must be developed that protect ePHI from unauthorized alteration or destruction. Electronic mechanisms should be developed to confirm that unauthorized alteration or destruction of ePHI has not occurred.

Person or Entity Authentication (164.312(d))

   Required. Procedures to verify that a person or entity seeking access to ePHI is the one claimed.

Transmission Security (164.312(e))

   Integrity Controls. Addressable. This standard only refers to ePHI transmitted over electronic communication networks and requires security safeguards to protect against unauthorized access or improper modification while in transit.

   Encryption. Addressable. Mechanisms to encrypt ePHI transferred over electronic communication networks should be implemented whenever deemed appropriate.


(b) Sources of information to identify technical vulnerabilities include previous

information system assessments, information system security testing, or

publicly available vulnerability lists and advisories.

d. Assessing technical and non-technical security measures to minimize or

eliminate risks to the electronic protected health information. Indicate which are

currently implemented. Use the Security Safeguards Checklists to identify which

Security Rule standards have been implemented.

(1) Technical measures include measures that are part of the information

systems hardware and software, such as access controls, identification,

authentication, encryption, automatic logoff, and audit controls.

(2) Non-technical measures include management and operational controls, such

as policies, procedures, standards, guidelines, accountability and

responsibility, and physical and environmental security measures.

e. Determining the likelihood of threat occurrence. “Likelihood of occurrence” means

the probability that a threat will trigger or exploit a specific vulnerability. For

example, is there a high/medium/low probability that a threat will trigger or exploit

one or more vulnerabilities?

f. Determining the potential impact of threat occurrence by answering the question,

what happens if the threat triggers or exploits a specific vulnerability? Will there

be an unauthorized access to or disclosure of electronic protected health

information? Permanent loss or corruption of electronic protected health

information? Unavailability?

(1) Axial Exchange may elect to determine the magnitude of the potential impact

resulting from a threat that triggers or exploits a vulnerability as a “high,”

“medium,” or “low” impact.

(2) Alternatively, Axial Exchange could assign a numeric value based upon such

costs as cost of repair, etc. Regardless of the approach, the idea is to assess

how great the impact would be to Axial Exchange and the covered entities

that Axial Exchange serves.

g. Determining the level of risk by analyzing the values assigned to the likelihood of

threat occurrence and resulting impact of threat occurrence. The risk level

determination may be performed by assigning a risk level based on the average

of the assigned likelihood and impact levels.

h. Identifying security measures to manage the identified risks and reduce them to a

reasonable and appropriate level. Include all potential security measures that

could be used to reduce the risk. With respect to security measures, consider:

(1) The effectiveness of the particular security measure under consideration;

(2) Legislative or regulatory requirements that require certain security measures

to be implemented, including those identified on the Security Rule

Safeguards Checklists; and

(3) Requirements of the organization’s policies and procedures.
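The steps e through h above describe a likelihood/impact scoring that the policy leaves to the Security Officer to parameterise. The following is an added example, not Axial Exchange’s own tooling: it applies the high/medium/low scale from item f.1, the numeric cost alternative from item f.2, and the averaging rule from item g to a small risk register, and orders the register for item h. The 3/2/1 scale, the thresholds that map an averaged score back to a level, the cost thresholds, and the register entries themselves are assumptions made for illustration, not findings from this document.

```python
"""Risk level determination for a HIPAA risk analysis (procedure items e-h).

Added example, not Axial Exchange's own tooling. The numeric scale, the
thresholds and the sample register entries are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed qualitative scale: high/medium/low mapped to 3/2/1 (item f.1).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def risk_score(likelihood: str, impact: str) -> float:
    """Average of the assigned likelihood and impact levels (item g)."""
    return (LEVELS[likelihood.lower()] + LEVELS[impact.lower()]) / 2


def risk_level(likelihood: str, impact: str) -> str:
    """Map the averaged score back to a qualitative level.

    Thresholds are an assumption: an average of 2.5 or above is treated as
    high, so a high/medium pair is never rounded down to medium.
    """
    score = risk_score(likelihood, impact)
    if score >= 2.5:
        return "high"
    if score >= 1.5:
        return "medium"
    return "low"


def numeric_impact_level(cost_usd: float, thresholds=(10_000, 100_000)) -> str:
    """Alternative numeric approach (item f.2): derive the impact level from an
    estimated cost of repair. The cost thresholds are assumed for illustration."""
    low_max, medium_max = thresholds
    if cost_usd <= low_max:
        return "low"
    if cost_usd <= medium_max:
        return "medium"
    return "high"


@dataclass
class RiskEntry:
    """One threat/vulnerability pair from the risk analysis."""
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    # Candidate security measures (item h); which are already in place is
    # recorded separately under item d.
    measures: list = field(default_factory=list)

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Order the register highest risk first; sorted() is stable, so entries
    with equal scores keep their original order."""
    return sorted(register, key=lambda e: risk_score(e.likelihood, e.impact), reverse=True)


# Constructed sample register (hypothetical entries, not findings from the page).
SAMPLE_REGISTER = [
    RiskEntry("Lost laptop", "ePHI cached on an unencrypted disk", "medium", "high",
              ["full-disk encryption", "no local ePHI storage"]),
    RiskEntry("Credential guessing", "no lockout on repeated failures", "high", "medium",
              ["account lockout", "log-in monitoring"]),
    RiskEntry("Shoulder surfing", "screens visible from a public area", "high", "low",
              ["privacy screens", "reposition monitors"]),
    RiskEntry("Backup media loss", "backups stored unencrypted off site", "low", "high",
              ["encrypt backups", "chain-of-custody log"]),
]

if __name__ == "__main__":
    for entry in prioritize(SAMPLE_REGISTER):
        print(f"{entry.level:6} {entry.threat}: {entry.vulnerability} -> {entry.measures}")
```

Averaging compresses the scale: a high-likelihood/low-impact finding and a low/high one both score 2.0, so the ordering alone does not say which of the two to treat first. Recording the candidate measures next to each entry, as item h asks, is what lets the Security Officer break that tie on effectiveness and cost.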


3. Any potential vulnerability or actual security situation shall be documented, tracked,

and resolved as quickly as possible, with notification of the incident being made to

the Security Officer and other appropriate levels of information systems

management.

E. Documentation. The Security Officer will ensure that all documentation regarding all

phases and steps of the risk analysis and management process will be retained for a

minimum of six (6) years.

REFERENCES:

45 CFR § 164.308(a)(1) (Security management process)

45 CFR § 164.530(e) (Sanctions)

45 CFR § 164.530(j) (Documentation)

SOP 300-1 (Mitigation of Harmful Effects of Inadvertent, Impermissible, or Inappropriate

Use or Disclosure)


descriptions, and is subject to change as necessary in connection with a change in

job description or responsibilities.

D. Termination procedures. The Security Officer will ensure that access to electronic

protected health information is terminated when workforce members terminate

employment, voluntarily or involuntarily, or access to electronic protected health

information is no longer deemed appropriate.

1. The immediate supervisor must obtain any keys, tokens, or cards that allow access

to electronic protected health information or to facilities where such information is

maintained from terminated workforce members.

2. A workforce member whose authorization to access electronic protected health

information is revoked shall remain subject to the sanctions policy.

E. Documentation. The Security Officer will ensure that all documentation regarding this

policy and procedure will be retained for a minimum of six (6) years.

REFERENCES:

45 CFR § 164.308(a)(3) (Workforce security)

45 CFR § 164.530(a) (Personnel designations)

45 CFR § 164.530(e) (Sanctions)

45 CFR § 164.530(j) (Documentation)

SOP 100-1, Sct. 5.1.1 (Appropriate Access)

SOP 100-1, Sct. 5.1.2 (Supervision)

SOP 100-1, Sct. 5.2.10 (User names and passwords)


b. The workforce member authorized to access electronic protected health

information may be required to provide his former password, change the

password, or verify his identity.

E. Documentation. The Security Officer will ensure that all documentation regarding this

policy and procedure will be retained for a minimum of six (6) years.

REFERENCES:

45 CFR § 164.308(a)(4) (Information access management)

45 CFR § 164.502(b) (Minimum necessary)

45 CFR § 164.514(d) (Minimum necessary)

45 CFR § 164.530(j) (Documentation)

SOP 100-1, Sct. 5.1.1 (Appropriate access)

SOP 100-1, Sct. 5.2.10 (User names and passwords)

SOP 100-1, Sct. 5.3.2 (Level of physical access)


2. Workforce members who have been locked out must contact the Information Systems Department to have the user password reset and will be required to verify their identity. The user password will be reset to a temporary value that the workforce member must change upon initial logon.

3. All system lockouts must be tracked and documented.

D. Password management. The Security Officer will incorporate Axial Exchange’s

protocols for creating, changing, and safeguarding passwords.

1. Workforce members will access electronic protected health information through the use of a unique logon username and an individually chosen confidential password.

2. Individual confidential passwords must adhere to Axial Exchange’s predefined

standards.

3. Individual user logon accounts are automatically locked after five (5) incorrect logon

attempts. The lockout will last thirty (30) minutes in duration.

4. All user lockouts are tracked and documented.

5. Repeated lockouts for an individual may result in retraining, loss of authorization to

access the system, and depending upon the individual’s job, could result in

sanctions or loss of employment.

6. Initially upon hire, new workforce members are instructed upon the proper use and

importance of maintaining confidentiality of passwords. Workforce members are

prohibited from writing passwords down and are prohibited from using any other

person’s password or user identification to gain access to a system.

7. Regular notices on password security and recommended processes will be provided

to workforce members through security reminders.

8. The Security Officer shall document all training and security reminders provided to

workforce members.
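Items C.2 through C.3 and D.3 through D.4 above describe a lockout mechanism: five incorrect logons lock the account for thirty minutes, every lockout is tracked and documented, and a locked-out user is reset only by the Information Systems Department after verifying identity. The block below is an added example, not Axial Exchange’s own authentication code, showing one way those rules fit together. The thresholds come from the policy text; the data structures, the injected clock (so the thirty-minute window can be checked without waiting), the log format and the sample event sequence are assumptions.

```python
"""Account lockout with lockout documentation (policy items C.2-3 and D.3-4).

Added example, not Axial Exchange's own code. Thresholds come from the policy;
the structures, injected clock and sample event sequence are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILED_ATTEMPTS = 5          # policy item D.3
LOCKOUT_SECONDS = 30 * 60        # policy item D.3


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[float] = None
    must_change_password: bool = False


@dataclass
class LockoutService:
    """Tracks failed logons per account and documents every lockout (D.4)."""
    accounts: dict = field(default_factory=dict)
    lockout_log: list = field(default_factory=list)

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username: str, now: float) -> bool:
        state = self._state(username)
        if state.locked_until is None:
            return False
        if now >= state.locked_until:
            # Thirty minutes have elapsed: clear the lock and start a fresh count.
            state.locked_until = None
            state.failed_attempts = 0
            return False
        return True

    def record_failure(self, username: str, now: float) -> bool:
        """Register one incorrect logon; returns True if this attempt locks the account."""
        if self.is_locked(username, now):
            return False  # already locked; further attempts do not extend the lock
        state = self._state(username)
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            # Every lockout is tracked and documented (items C.3 and D.4).
            self.lockout_log.append({"user": username, "locked_at": now,
                                     "locked_until": state.locked_until})
            return True
        return False

    def record_success(self, username: str, now: float) -> bool:
        """A correct logon resets the failure count; it is refused while locked."""
        if self.is_locked(username, now):
            return False
        self._state(username).failed_attempts = 0
        return True

    def reset_by_helpdesk(self, username: str, now: float, identity_verified: bool) -> bool:
        """Item C.2: the Information Systems Department clears a lockout only after
        verifying identity, and the temporary password must be changed at next logon."""
        if not identity_verified:
            return False
        state = self._state(username)
        state.locked_until = None
        state.failed_attempts = 0
        state.must_change_password = True
        return True


def run_sample() -> dict:
    """Constructed event sequence for one account (not real log data)."""
    svc = LockoutService()
    t0 = 1_000_000.0
    results = {}
    for i in range(4):
        svc.record_failure("jdoe", t0 + i)
    results["locked_after_four"] = svc.is_locked("jdoe", t0 + 4)
    results["fifth_locks"] = svc.record_failure("jdoe", t0 + 4)
    results["locked_after_five"] = svc.is_locked("jdoe", t0 + 5)
    results["success_refused_while_locked"] = svc.record_success("jdoe", t0 + 60)
    results["locked_at_29_minutes"] = svc.is_locked("jdoe", t0 + 4 + 29 * 60)
    results["locked_at_30_minutes"] = svc.is_locked("jdoe", t0 + 4 + 30 * 60)
    results["log_entries"] = len(svc.lockout_log)
    # A second lockout, cleared by the help desk only after identity verification.
    for i in range(5):
        svc.record_failure("jdoe", t0 + 3600 + i)
    results["reset_without_verification"] = svc.reset_by_helpdesk("jdoe", t0 + 3700, False)
    results["reset_with_verification"] = svc.reset_by_helpdesk("jdoe", t0 + 3700, True)
    results["must_change_password"] = svc.accounts["jdoe"].must_change_password
    results["log_entries_final"] = len(svc.lockout_log)
    return results


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Two details matter for the review required by item D.5: attempts made while the account is already locked are not counted toward a new lockout, so an attacker cannot keep an account locked indefinitely by retrying, and the lockout log records the account and both timestamps, which is what an investigation of "repeated lockouts for an individual" needs.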

E. Documentation. The Security Officer will ensure that all documentation regarding this

policy and procedure will be retained for a minimum of six (6) years.

REFERENCES:

45 CFR § 164.308(a)(5) (Security awareness and training)

45 CFR § 164.530(j) (Documentation)

SOP 100-1, Sct. 5.1.5 (Training)

SOP 100-1, Sct. 5.2.5 (Malicious software programs)

SOP 100-1, Sct. 5.2.10 (User names and passwords)


1. The Security Officer shall promptly notify the Compliance Officer of any security

incident involving systems using the electronic protected health information,

regardless of whether the security incident is successful.

2. The Compliance Officer will notify the applicable covered entities in writing of the

incident and any mitigation measures that may have been initiated in accordance

with the timeframes set forth in the business associate agreement.

D. Documentation. The Security and Compliance Officers will ensure that all documentation regarding this policy and procedure will be retained for a minimum of six (6) years in accordance with Axial Exchange’s policy.

REFERENCES:

45 CFR § 164.308(a)(6) (Security incidents)

45 CFR § 164.400 (Breach of unsecured protected health information)

45 CFR § 164.530(e) (Sanctions)

45 CFR § 164.530(j) (Documentation)

SOP 200-1 (Security Incidents and Breaches of Unsecured Protected Health Information

Notification)


4. The Security Officer will ensure that the portions of the disaster recovery plan specific to electronic protected health information are tested periodically, if feasible, and revised as necessary.

5. The Security Officer will periodically review Axial Exchange’s overall disaster

recovery plan and update the disaster recovery plan specific to the electronic

protected health information, as necessary.

C. Emergency mode operation plan. The Security Officer is responsible for establishing

and implementing, as needed, procedures to enable continuation of critical business

processes that protect the security of electronic protected health information while

operating in an emergency mode, such as during and immediately following a crisis

situation, including identifying:

1. The critical business processes to protect the security of the electronic protected

health information while operating in an emergency mode.

2. Any alternative security measures that should be employed to safeguard the

electronic protected health information.

3. The names and contact information for all persons that must be notified in the event

of a disaster, as well as the roles and responsibilities of those individuals.

D. Testing and revision procedures. The Security Officer is responsible for periodically

reviewing, testing, and updating the data backup, disaster recovery, and emergency

mode operations plans, as necessary.

E. Applications and data criticality. The Security Officer is responsible for assessing the

relative criticality of specific applications and data in support of other contingency plan

components.

1. The Security Officer will identify the software applications that store, maintain, or

transmit electronic protected health information and determine how important each is

to business needs.

2. Using the criticality determination, the Security Officer will prioritize the software

applications identified for data backup, disaster recovery, and emergency operations

plans.

3. The Security Officer will periodically reassess the applications and data criticality

determinations and revise them as appropriate.

F. Documentation. The Security Officer will ensure that all documentation regarding this

policy and procedure will be retained for a minimum of six (6) years.

REFERENCES:

45 CFR § 164.308(a)(7) (Contingency plan)

45 CFR § 164.530(j) (Documentation)

SOP 100-1, Sct. 5.4 (RACKSPACE)

SOP 100-1, Sct. 5.5 (CONTINGENCY PLAN)


POLICY NO.: 164.310(a)

TITLE: Facility Access Controls.

POLICY: Axial Exchange will implement appropriate facility access controls to limit physical

access to the electronic protected health information systems and the facility or facilities in which

they are housed, while ensuring that properly authorized access is allowed.

PROCEDURE:

A. Facility security plan. The Security Officer is responsible for identifying reasonable and

appropriate protocols to safeguard the facility and equipment from unauthorized physical

access, tampering, and theft.

1. The Security Officer will document the physical access controls that ensure only

authorized individuals have access to facilities and equipment that contain electronic

protected health information, such as electronic key access to a building or floor, key

access to a building or floor, electronic access to designated rooms such as the data

center, and surveillance cameras.

a. Only designated information systems personnel are authorized to access the

data center facilities where information systems and data are housed, and such

access to such facilities is restricted to only those information systems personnel

identified as having a business need for access based on their job description or

function. The Security Officer will ensure that a list of all designated information

systems personnel is maintained at each such facility.

b. The Security Officer will ensure that authorized personnel and visitors are

identified as such while at the facility.

c. The Security Officer shall ensure that each personal computer, server, and all

related computer equipment has an asset tag, that an up-to-date inventory is

actively maintained by information systems personnel, and that any

discrepancies between the inventory and actual equipment are resolved quickly.

2. The Security Officer will identify additional reasonable and appropriate safeguards, if necessary, to further protect the facility and equipment from unauthorized physical access, tampering, or theft, including

a. Posting security personnel at the main entrance lobby;

b. Posting security personnel throughout the main building;

c. Installing cameras at all entrances and within the elevators; and

d. Instructions to all employees to not let unknown persons into the building and to

call Security if they see a suspicious individual in the building.

3. The Security Officer will periodically review the facility security plan and update as

appropriate.

B. Access control and validation procedures. The Security Officer will ensure that

reasonable and appropriate safeguards exist to control and validate a person’s access to

facilities and to software programs for testing and revision.


POLICY NO.: 164.310(b)

TITLE: Workstation Use (and Protection).

POLICY: Axial Exchange will specify the proper functions to be performed, the manner in which

those functions are to be performed, and the physical attributes of the surroundings of a specific

workstation or class of workstations that can access electronic protected health information.

PROCEDURE:

A. Appropriateness of Use. The Security Officer will review Axial Exchange’s existing

policies and procedures regarding the appropriate use of equipment, including its

workstations. The Security Officer will suggest updates to the policies and procedures to

address the unique concerns of safeguarding electronic protected health information if

such concerns are not adequately addressed in the policies and procedures.

B. Physical Surroundings.

1. The Security Officer will identify the workstations that have access to electronic

protected health information.

2. The Security Officer will assess the physical surroundings of the workstations that

access electronic protected health information and identify any risks associated with

a workstation’s surroundings.

3. The Security Officer will make recommendations for improving or reducing the risk of

inadvertent breaches of electronic protected health information that may occur

through the use of the workstation, if necessary, such as automatic password-protected screen savers, privacy screens, or repositioning of computer screens.

4. The Security Officer will periodically reassess the adequacy of the physical

surroundings of workstations with access to electronic protected health information.

C. Remote Use. Axial Exchange does permit remote access to electronic protected health

information and the use of laptop computers purchased and configured by Axial

Exchange. Workforce members with access to electronic protected health information

are required to maintain the same level of confidentiality as if they were in the office. Any

remote access is established through password protection, and electronic protected

health information is not stored on portable memory devices. Workforce members are

instructed to avoid leaving laptop computers in a car or any unsecured location.

D. Documentation. The Security Officer will ensure that all documentation regarding this

policy and procedure will be retained for a minimum of six (6) years.

REFERENCES:

45 CFR § 164.310(b) (Workstation use)

45 CFR § 164.530(j) (Documentation)

SOP 100-1, Sct. 5.2.2 (Computers)

SOP 100-1, Sct. 5.2.9 (Remote use)


POLICY NO.: 164.310(d)

TITLE: Device and Media Controls.

POLICY: Axial Exchange will oversee the receipt and removal of hardware and electronic media

that contain electronic protected health information into and out of a facility, as well as the

movement of such electronic media within the facility.

PROCEDURE:

A. Disposal. The Security Officer will ensure that the final disposition of electronic

protected health information or the hardware or electronic media on which it is stored is

cleaned of all electronic protected health information prior to final disposition.

1. Hard drives will be wiped clean of data or physically destroyed.

2. Before hardware is redeployed, it will be wiped clean of data and verified.

3. Personal computers taken out of service will be sent to a reclamation vendor who

invokes data destruction processes using U.S. Department of Defense standards, to

ensure data cleansing. All personal computers will be tracked throughout the process

according to serial number. Certificates of data destruction will be obtained from the

vendor and will be retained.

B. Media re-use. The Security Officer will ensure that electronic protected health information is removed from electronic media before making such media available for re-use.

1. Prior to re-using electronic media that may contain electronic protected health

information, the media will undergo an erasure/overwriting process using

commercially available tools.

2. Verification of erasure/overwriting will be performed prior to re-use.

C. Accountability. The Security Officer is responsible for maintaining a record of the

movements of hardware and electronic media and any person responsible for the

hardware and electronic media.

1. All movement of hardware and electronic media will be recorded on an equipment

inventory log.

2. Laptops will be purchased and configured by Axial Exchange and signed out by the

borrower. Laptop data is cleaned when the laptop is returned prior to redeployment.

E. Documentation. The Security Officer will ensure that all documentation regarding this

policy and procedure will be retained for a minimum of six (6) years.

REFERENCES:

45 CFR § 164.310(d) (Device and media controls)

45 CFR § 164.530(j) (Documentation)

SOP 100-1, Sct. 5.2 (TECHNICAL SAFEGUARDS)


an appropriate and reasonable measure to minimize risk and take such other steps as

may be necessary as a result of that review. In the event that the Security Officer

determines that it is not a reasonable or appropriate safeguard, the Security Officer shall

specify the alternative measures necessary to meet this implementation specification.

E. Documentation. The Security Officer will ensure that all documentation regarding this

policy and procedure will be retained for a minimum of six (6) years.

REFERENCES:

45 CFR § 164.308(a)(4) (Information access management)

45 CFR § 164.312(a) (Access controls)

45 CFR § 164.530(j) (Documentation)

SOP 100-1, Sct. 5.2 (TECHNICAL SAFEGUARDS)


POLICY NO.: 164.312(c)

TITLE: Integrity.

POLICY: Axial Exchange is a secondary recipient of the protected health information it receives from clients and is not a system of record. Axial Exchange’s clients, as the primary sources of protected health information, are responsible for testing the integrity of their protected health information. Additional measures that support data integrity at Axial Exchange include encrypting protected health information before transmission, encrypting all hard drives, and cleaning computer caches monthly; encryption by itself does not detect alteration, so the corroboration mechanisms in Procedure A below complement it. Axial Exchange will safeguard electronic protected health information from improper alteration or destruction.

PROCEDURE:

A. Authentication. The Security Officer will ensure that Axial Exchange employs

reasonable and appropriate electronic mechanisms for corroborating that electronic

protected health information has not been altered or destroyed in an unauthorized

manner.

1. The Security Officer will consider the various risks to the integrity of the electronic

protected health information identified during the risk analysis and will identify

security measures to address these risks.

2. The Security Officer will identify existing electronic mechanisms for protecting the

integrity of electronic protected health information, if any, and document the extent to

which Axial Exchange employs them.

3. The Security Officer will identify any additional appropriate electronic mechanisms

that are reasonable and appropriate for Axial Exchange’s use.

4. In the event that the Security Officer determines that it is not a reasonable or

appropriate safeguard, the Security Officer shall specify the alternative measures

necessary to meet this implementation specification.

B. Documentation. The Security Officer will ensure that all documentation regarding this

policy and procedure will be retained for a minimum of six (6) years.

REFERENCES:

45 CFR § 164.308(a)(1)(ii)(A) (Risk analysis)

45 CFR § 164.312(c) (Integrity)

45 CFR § 164.530(j) (Documentation)

SOP 100-1, Sct. 5.2.6 (Encryption and decryption)

SOP 100-1, Sct. 5.2.7 (Transmission)

SOP 100-1, Sct. 5.2.8 (Integrity)


POLICY NO.: 164.312(e)

TITLE: Transmission Security.

POLICY: Axial Exchange will implement and maintain reasonable and appropriate technical

security measures to guard against unauthorized access to electronic protected health

information transmitted over an electronic communications network.

PROCEDURE:

A. Current transmission controls.

1. The Security Officer will ensure that encryption and decryption software is installed

on all Axial Exchange computers and laptops, that hard drives are encrypted, and

that only encrypted protected health information will be transmitted. Decryption keys

are conveyed verbally to recipients of transmitted protected health information.

2. The Security Officer will maintain a log containing the encryption and decryption keys

used for hard drives and for the transmission of non-transient protected health

information.

B. Integrity controls.

1. The Security Officer will identify reasonable and appropriate technical security

measures to ensure that the electronic protected health information is not improperly

modified during transmission through such mechanisms as network communications

protocols, data authentication codes, or other mechanisms and will also consult with

the Axial Exchange’s Information Security Department and Axial Exchange’s

subcontractors and trading partners to identify appropriate technical security

measures.

2. In the event that the Security Officer determines that it is not a reasonable or

appropriate safeguard, the Security Officer shall specify the alternative measures

necessary to meet this implementation specification.
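Procedure A of the Integrity policy (164.312(c)) calls for electronic mechanisms that corroborate ePHI has not been altered, and item B.1 above names data authentication codes as one mechanism for ePHI in transit. The block below is an added example, not Axial Exchange’s own transmission tooling, of such a code: an HMAC-SHA256 tag over a canonically serialised record, checked with a constant-time comparison on receipt. The key, the JSON record format and the sample record are assumptions made for illustration; the key is shared out of band, as the policy already describes for decryption keys, and is never sent with the message.

```python
"""Data authentication code for ePHI in transit (164.312(c) Procedure A and
164.312(e) Procedure B.1).

Added example, not Axial Exchange's own code. The key, record format and
sample record are assumptions for illustration.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

TAG_BYTES = 32  # HMAC-SHA256 output length


def protect(key: bytes, record: dict) -> bytes:
    """Serialise the record canonically and append an HMAC-SHA256 tag.

    Canonical JSON (sorted keys, fixed separators) guarantees the sender tags
    exactly the bytes the receiver will verify.
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def verify(key: bytes, message: bytes) -> Optional[dict]:
    """Return the record if the tag is valid, otherwise None.

    compare_digest runs in constant time, so a forger learns nothing about how
    many leading tag bytes happened to match.
    """
    if len(message) < TAG_BYTES:
        return None
    payload, tag = message[:-TAG_BYTES], message[-TAG_BYTES:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def tamper(message: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate in-transit modification of the payload, leaving the tag intact."""
    payload, tag = message[:-TAG_BYTES], message[-TAG_BYTES:]
    return payload.replace(old, new) + tag


# Constructed sample record with fictitious values; not real patient data.
SAMPLE_RECORD = {"patient_id": "TEST-0001", "lab": "HbA1c", "value": "6.1"}


def demo(key: Optional[bytes] = None) -> dict:
    """Exercise the intact, tampered, wrong-key and truncated cases."""
    key = key or secrets.token_bytes(32)
    message = protect(key, SAMPLE_RECORD)
    return {
        "intact": verify(key, message) == SAMPLE_RECORD,
        "tampered": verify(key, tamper(message, b'"6.1"', b'"9.9"')) is None,
        "wrong_key": verify(secrets.token_bytes(32), message) is None,
        "truncated": verify(key, message[:10]) is None,
    }


if __name__ == "__main__":
    print(demo())
```

An HMAC gives integrity and origin authentication but no confidentiality, so it sits alongside the encryption in Procedure A rather than replacing it; conversely, the encryption in Procedure A does not by itself detect modification, which is why item B.1 needs a separate integrity mechanism. A plain hash without a key would not do: anyone who can modify the payload in transit can recompute an unkeyed hash to match.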

C. Documentation. The Security Officer will ensure that all documentation regarding this

policy and procedure will be retained for a minimum of six (6) years.

REFERENCES:

45 CFR § 164.308(a)(1)(ii)(A) (Risk analysis)

45 CFR § 164.312(e) (Transmission security)

SOP 100-1, Sct. 5.2.6 (Encryption and decryption)

SOP 100-1, Sct. 5.2.7 (Transmission)

SOP 100-1, Sct. 5.2.8 (Integrity)

this protected health information and I understand my obligations under these policies and

procedures. I understand that I am obligated to abide by Axial Exchange, Inc.’s policies and

procedures for protecting the privacy of such information. I understand that my violation of this

obligation will result in sanctions against me, up to and including dismissal. I also understand that

my obligation to not further disclose the protected health information survives my association with

Axial Exchange, Inc. I also understand that my failure to adhere to these obligations could result

in either civil or criminal penalties against me under federal or state law in addition to any

sanctions that Axial Exchange, Inc. may impose.