
PARiConnect HIPAA Privacy Policy

Last Updated: December 10, 2012

Psychological Assessment Resources, Inc. (“PAR”) is committed to protecting your privacy and the privacy of your clients/patients. We developed this HIPAA Privacy Policy to share with you our information collection practices and your options when visiting www.PARiConnect.com, hereinafter referred to as “PARiConnect.” This Privacy Policy is an online Privacy Policy and applies only to information collected from you and related to your clients/patients through PARiConnect. This Privacy Policy does not apply to information that you furnish to us offline or in any other manner except through this Web site.

PARiConnect is made available by PAR and provides an online testing platform for selected PAR assessment tools, giving clinicians and practitioners the capability to remotely test clients/patients. It additionally allows qualified users to present assessments online while a client/patient is in the practitioner’s office, and it may allow the PAR Customer to use his or her PAR desktop software application to gather client responses from remotely located clients/patients and run reports based on those responses. These additional stipulations and representations reflect your standing as a Covered Entity with access to confidential electronic Protected Health Information (“ePHI”) related to your clients/patients’ data that is stored on PARiConnect.

By providing the PARiConnect platform, PAR is your Business Associate. PARiConnect Customers (“Customers”) capture and enter client/patient data within PARiConnect, and may administer and score selected PAR instruments. Customer client/patient data are encrypted on PARiConnect, and PAR employees do NOT have access to such data. However, it is PAR’s policy to comply fully with HIPAA’s requirements; thus, all PAR employees who incidentally or accidentally have access to Customer client/patient ePHI must comply with this Privacy Policy. For purposes of this Policy and PAR’s use and disclosure procedures, employees include employees, consultants, trainees, agents, and other persons whose work performance is under the direct control of PAR, whether or not they are paid by PAR. The term “employee” includes all of these types of workers.

No third-party rights, including, but not limited to, the rights of Customer clients/patients or beneficiaries, are intended to be created by this Policy. PAR reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent that this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspirational and shall not be binding. This Policy does not address requirements under other federal laws or under state laws.

General HIPAA privacy policies and practices

Privacy officer and contact person

Travis White is the Privacy and Security Officer for PAR, the owner and developer of PARiConnect. The Privacy and Security Officer of PAR is responsible for the development and implementation of policies and procedures relating to privacy for PAR, including, but not limited to, this Privacy Policy and PAR’s use and disclosure procedures related to any ePHI that PAR employees may come in contact with. The Privacy and Security Officer also serves as the contact person for Customers or Customer clients/patients who have questions, concerns, or complaints about the privacy of their ePHI. You may contact this individual at privacyofficer@parinc.com.

Employee training

It is PAR’s policy to train all employees who might have access to ePHI on its privacy policies and procedures. The Privacy and Security Officer is charged with developing training plans and programs so that all employees receive the training necessary and appropriate to permit them to carry out their functions.

Technical and physical safeguards and firewall

PAR will establish on behalf of PARiConnect appropriate technical and physical safeguards to prevent Customer client/patient ePHI from intentionally or unintentionally being used or disclosed in violation of HIPAA's requirements. Technical safeguards include limiting access to information by creating computer firewalls and by requiring users to have unique, secure user IDs and passwords. Technical standards also include encrypting all Customer client/patient ePHI. Physical safeguards include locking doors and/or filing cabinets, establishing secure methods of access to PAR facilities, and undertaking other measures to secure computer workstations, laptops, mobile devices, and other devices/methods used to access PARiConnect by PAR employees.

Firewalls also help ensure that only authorized parties will have access to Customer ePHI and that Customers will have access to only the minimum amount of client/patient ePHI necessary for assessment administration and/or scoring/interpretation and related administrative functions.

Privacy notice

The Privacy and Security Officer is responsible for developing and maintaining a notice of PARiConnect's privacy practices that describes:

  • the uses and disclosures of Customer client/patient ePHI that may be made by PAR;
  • the individual rights of the client/patient; and
  • PAR’s legal duties with respect to Customer client/patient ePHI.

This document constitutes such Privacy Notice with respect to PARiConnect.

Complaints

Travis White is PARiConnect’s contact person for receiving complaints. The Privacy and Security Officer is responsible for creating a process for individuals to lodge complaints about PARiConnect’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any PARiConnect Customer upon request.

Sanctions for violations of privacy policy

Sanctions for obtaining, using, or disclosing Customer client/patient ePHI in violation of this HIPAA Privacy Policy will be imposed in accordance with PAR’s disciplinary action policy, up to and including termination. The disciplinary policy is described in the PAR employee handbook within the section on performance improvement.

Mitigation of inadvertent disclosures of protected health information

PAR shall mitigate, to the extent possible, any harmful effects that become known to it because of a use or disclosure of Customer client/patient ePHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of protected health information, either by an employee or an outside consultant/contractor, that is not in compliance with this Policy, the employee shall immediately contact the Privacy and Security Officer so that the appropriate steps to mitigate the harm to the individual can be taken.

Documentation

PARiConnect’s HIPAA privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.

If a change in law affects the privacy notice, the privacy policy must promptly be revised and made available. Such change is effective only with respect to ePHI created or received after the effective date of the notice. The date at the top of this document shall indicate the most recent date of this Policy revision.

PAR will document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to a PARiConnect Customer client/patient’s privacy rights.

The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. PAR will maintain such documentation for at least six years.

Policies on use and disclosure of ePHI

PAR, as it relates to PARiConnect, will use and disclose PARiConnect client/patient ePHI only as permitted under HIPAA. Such permitted uses and disclosures may occur under the following circumstances.

Mandatory Disclosures of ePHI: To Individual and DHHS

A Customer client/patient’s ePHI must be disclosed as required by HIPAA in two situations:

  • The disclosure is to the individual who is the subject of the information (see “Access to Protected Health Information and Requests for Amendment” further in this Policy); and
  • The disclosure is made to DHHS for purposes of enforcing HIPAA.

Permissive disclosures of ePHI: For legal and public policy purposes

Customer client/patient ePHI may be disclosed in the following situations without a participant’s authorization, when very specific requirements are satisfied. PAR’s and HIPAA's use and disclosure procedures describe specific requirements that must be met before these types of disclosures may be made. The requirements include prior approval of PAR’s Privacy and Security Officer. Permitted are disclosures:

  • about victims of abuse, neglect, or domestic violence;
  • for judicial and administrative proceedings;
  • for law enforcement purposes;
  • for public health activities;
  • for health oversight activities;
  • about decedents;
  • for cadaver organ, eye, or tissue donation purposes;
  • for certain limited research purposes;
  • to avert a serious threat to health or safety;
  • for specialized government functions; and
  • that relate to workers’ compensation programs.

Disclosures of ePHI pursuant to an authorization

Customer client/patient ePHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the client/patient. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

Policies on individual rights

Access to protected health information and requests for amendment

HIPAA gives individuals the right to access and obtain copies of their ePHI that PARiConnect may contain. HIPAA also provides that participants may request to have their ePHI amended. PAR will provide access to ePHI, and it will consider requests for amendment that are submitted in writing by participants. Such requests must contain appropriate identity verification documents. All such requests for ePHI must be submitted to the Privacy and Security Officer. As a professional courtesy, PAR may additionally contact the PARiConnect Customer whose account maintains such client/patient electronic PHI and inform him or her of the request for PHI.

Other PAR Privacy Policies