Federal, State, and Other Privacy Laws:
1. HIPAA/HITECH: iHealthSync protects and secures all PHI/ePHI through administrative, physical, and technical safeguards consistent with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) [45 C.F.R. Parts 160, 162, 164], and its implementing rules and regulations, as well as the mandates of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) [42 U.S.C. 13001, et seq.].
a. iHealthSync has a responsibility to protect individually identifiable health information under the regulations implementing HIPAA/HITECH as well as other federal and state laws protecting the confidentiality of personally identifiable information, and under general professional ethics. As such, iHealthSync has adopted administrative, physical, and technical safeguards to comply with HIPAA/HITECH.
2. GDPR: iHealthSync also takes appropriate safeguards to protect Personal Data (“PD”) and other information that may be subject to the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), which requires the protection of natural persons with regard to the processing of personal data and governs the free movement of such data.
a. It is the policy of iHealthSync to remain compliant with the Privacy Notice Requirements of GDPR as they pertain to individuals within the European Union as designated by the European Commission or the Swiss Federal Data Protection Authority, and particularly on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. All personnel of iHealthSync who are responsible for processing, importing, or exporting personal data, including PHI of individuals who are patients that are being or have been treated by International Medical Record Providers, comply with the GDPR. The Chief Privacy Officer of iHealthSync is the Controller for GDPR compliance and ensures that Personal Data is processed on behalf of a patient in accordance with GDPR and iHealthSync standard policies on privacy and security and protecting health information.
3. SHIELD: iHealthSync has also developed, implemented, and maintains a data security program consistent with the New York State Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act [N.Y. General Business Law §899-aa and §899-bb, and N.Y. Technology Law §208] that includes Administrative, Physical, and Technical Safeguards that provide reasonable safeguards to protect the security, confidentiality and integrity of private information.
a. iHealthSync is obligated to disclose any breach of the security of its data systems to New York residents whose “private information” was, or is reasonably likely to have been, accessed or acquired without authorization by a third party consistent with NY General Business Law §899-aa. The disclosure must be made without unreasonable delay, and, in certain instances, disclosure may also need to be made to law enforcement and the New York Attorney General within five (5) business days of notifying the United States Secretary of the Department of Health and Human Services of a breach of information.
b. iHealthSync's Chief Privacy Officer is designated as the appropriate individual to confirm that the corporation has a Data Security Program that is continuously updated by the Information Security Officer (or Acting Information Security Officer) and distributed for training to the Security and Compliance personnel of the corporation. In addition, iHealthSync's Chief Privacy Officer is designated as the appropriate individual to provide any required breach notification to a customer, patient, consumer, the Secretary of the United States Department of Health and Human Services, or the New York State Attorney General.
4. CCPA: iHealthSync is considered a business associate of healthcare covered entities such as hospitals and medical facilities. Accordingly, protected health information that is collected by a covered entity or business associate is governed by the privacy, security, and breach notification rules of HIPAA, HITECH, and the State of California Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1). Notwithstanding, iHealthSync has also developed and implemented a California Consumer Privacy Policy that is compliant with the California Consumer Privacy Act of 2018 (“CCPA”) [California Civil Code 1798.100, et seq.].
a. iHealthSync does not sell any Personal Information or otherwise collect, retain, use or disclose Personal Information for any purpose other than the services it provides as a business associate to its clients who are healthcare covered entities. Notwithstanding, iHealthSync may retain, use or disclose Personal Information for the following purposes pursuant to the CCPA:
(i) to process or maintain Personal Information on behalf of a Covered Entity as defined by HIPAA/HITECH and in compliance with the State of California Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), and the CCPA;
(ii) to retain and employ a Service Provider as a subcontractor, where the subcontractor meets the requirements for a Service Provider under the CCPA;
(iii) for internal use by iHealthSync to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another Business or correcting or augmenting data acquired from another source;
(iv) to detect data security incidents, or protect against fraudulent or illegal activity; or
(v) for the purposes enumerated in Cal. Civ. Code section 1798.145(a):
(1) Comply with federal, state, or local laws.
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.