Wound RX Inc.’s Policy On The Privacy Of Patient Health Information
Wound RX develops and manufactures medical devices and its US subsidiary, Wound RX LLC., sometimes sponsors clinical trials to bring new products to the US market. In performing their duties, representatives of Wound RX Inc. (Wound RX Representatives) sometimes visit and consult with, or receive information from, Wound RX LLC.’s customers such as clinical consultants, physicians, hospitals, nursing homes and other allied health care entities. Because WOUND RX Representatives may have access to patient health information in performing these activities, some Wound RX LLC. customers have requested that Wound RX LLC. execute a “Business Associate Agreement” pursuant to the Business Associate requirements under the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA Privacy Regulations).
Status & Policy
Wound RX LLC. is not a “Business Associate” under the HIPAA Privacy Regulations. Wound RX LLC. is aware of the many legal responsibilities of and the challenges faced by health care providers with respect to protecting the privacy of patient information, including complying with the HIPAA Privacy Regulations. Wound RX LLC., along with other medical device manufacturers and trade association advisory personnel, has reviewed the HIPAA Privacy and Security Regulations and has concluded that companies like Wound RX LLC. are not “Business Associates” of their customers because Wound RX LLC. is not performing services, functions or activities for or on behalf of its customers. The definitions in the HIPAA Privacy Regulations make clear that medical device manufacturers are not considered “Business Associates” in their capacity as sponsors of clinical research. Similarly, when one of Wound RX LLC.’s customers provides patient health information to a WOUND RX Representative so that Wound RX LLC. can provide a product replacement, handle a product warranty claim / safety incident, or provide other information about its products, the disclosure of information concerns the treatment of the patient and Section 164.502(e) of the HIPAA Privacy Regulation specifically excludes such disclosures from the Business Associate Agreement requirements.
WOUND RX Representatives may also inadvertently view or overhear patient health information when they visit a customer’s site. When this occurs, WOUND RX Representatives are not materially different from other office visitors who may be inadvertently exposed to patient health information such as cleaning staff or other patients. The Department of Health and Human Services has indicated that such disclosures are permissible under the HIPAA Privacy Regulations and it merely expects health care providers to take reasonable steps to minimize such inevitable exposures. On occasion WOUND RX Representatives may also receive faxed, mailed or emailed patient health information documents. When this occurs, WOUND RX Representatives are instructed to destroy these documents and report the exposures to the sending customer. In any event, a Business Associate relationship is not created by such inadvertent disclosures.
HIPAA Privacy and Security Terms & Conditions
“PHI” means information in any form or medium, shared by WOUND RX Representatives or WOUND RX customers that:
(a) relates to the physical or mental health, treatment or condition of a person, the provision of health care to a person, or payment for the provision of health care to a person; and which
(b) identifies the person, or for which there is a reasonable basis to believe that it could be used to identify the person.
“Electronic Protected Health Information,” or “ePHI,” is a subset of PHI and means PHI that is transmitted by or maintained in electronic media.
All WOUND RX Representatives and WOUND RX customers agree that:
(a) you may only use PHI for the purpose for which it was provided to you and for your internal business administration and operations;
(b) you may only disclose it to a third party as required by law;
(c) you will use or disclose PHI only in the minimum amount and to the minimum number of persons necessary to achieve the permitted purpose of the use or disclosure;
(d) you will use appropriate safeguards to prevent other uses or disclosures of PHI;
(e) you will promptly report to us any non-permitted use or disclosure of PHI of which you become aware;
(f) you will promptly mitigate, to the extent practicable, any harmful effect that is known to you arising from a non-permitted use or disclosure of PHI by you;
(g) you will provide access to PHI in accordance with 45 CFR 164.524;
(h) you will make your internal practices, books and records relating to the use and disclosure of PHI available to Wound RX LLC. for audit purposes of determining the customer’s compliance with the Privacy Rule or the Security Rule;
(i) you will develop, maintain, and use reasonable and appropriate safeguards to protect the confidentiality, integrity and availability of ePHI that has been created, received, maintained or transmitted;
(j) you will report to us any attempted or successful unauthorized access, use, disclosure, modification or destruction of ePHI or interference with your system operations in your information systems, of which you become aware;
(k) you will ensure that any third parties to whom you provide PHI agree to the same restrictions and obligations with respect to PHI as you have agreed to hereunder; and
(l) at Wound RX LLC.’s or a WOUND RX customer’s request, you will return or destroy all PHI, and certify the same in writing.
- April 2013 WOUND RX, LLC. -