Effective Date: January 1, 2020
For purposes of this Policy, the following terms have the corresponding definitions:
Customers can capture and enter Client data (including Client ePHI) and administer and score selected PAR instruments on PARiConnect. If you are a Covered Entity under HIPAA, PAR is your Business Associate with respect to PARiConnect and the confidential ePHI relating to your Clients submitted, stored, or generated via PARiConnect. (You may review the Business Associate Agreement here).
Client data are encrypted on PARiConnect. Although PAR Employees are NOT intended to have access to such data, to ensure full compliance with HIPAA, all PAR Employees who incidentally or accidentally have access to Client ePHI must comply with this Policy.
This Policy further describes:
This Policy is not intended to create any third-party rights, including, without limitation, rights in Clients or other beneficiaries.
To the extent that this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspiring and shall not be binding. This Policy does not address requirements under other federal laws or under state laws.
This Policy may be modified or amended from time to time and must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including regulatory changes and modifications). In such an event, the Policy will be revised and made available promptly.
Any changes to this Policy will be effective only with respect to ePHI created or received after the effective date of the Policy, which will be reflected in the "Last Updated" date at the top of the Policy.
Privacy officer and contact person
A copy of PAR's privacy complaint procedure will be provided to any Customer or Client on request.
PAR will use and disclose ePHI only as required or permitted under HIPAA and as described below.
HIPAA requires PAR to disclose ePHI:
PAR may disclose ePHI without the Client's authorization only after satisfying specific requirements (described in PAR's and HIPAA's use and disclosure procedures) and obtaining the Privacy and Security Officer's prior approval if the disclosure is:
PAR may disclose ePHI for any purpose if the Client provides an authorization that satisfies all HIPAA's requirements for a valid authorization. All uses and disclosures of ePHI based on a signed authorization must be consistent with the terms and conditions of such authorization.
The Customer agrees that PAR shall be entitled to de-identify and aggregate data provided to PAR for internal analytical purposes so long as PAR ensures that such data ("De-identified Aggregated Data") are effectively and irreversibly anonymized and de-identified prior to such internal use and that no individual will be identifiable from such data once anonymized and aggregated such that the De-identified Aggregated Data will not constitute "protected health information" or "individually identifiable health information" as defined by 45 C.F.R. §160.103. PAR may use De-identified Aggregated Data internally to improve our products and services. PAR has never and will never deliberately disclose Client ePHI to outside parties.
Access to ePHI, copies, and requests for amendment
It is PAR's policy is to abide by FERPA guidelines, including with respect to Clients who are Students and, where applicable, their parents or legal guardians ("Parents").
PAR will assist Educational Agencies or Institutions (collectively referred to as "Schools") in providing Parents/Students with an opportunity to inspect education-related reports. Specifically:
Parents have the right to request that inaccurate information in an Education Record be changed. Such requests must be directed to the relevant School, which is responsible for confirming the necessity of a correction and communicating the corrected information to PAR. PAR will review requests for correction received only from a School that has confirmed the need for correction and only with respect to information in reports based on Assessments given by PAR Customers. PAR cannot change grades, opinions, or decisions made by the teaching staff of Schools.
PAR will use and disclose personally identifiable information relating to Students and submitted, created, generated, and/or stored via PARiConnect only as permitted as to ePHI under HIPAA, or as to Education Records under FERPA, whichever applies.
A Customer may access generated reports by logging into PARiConnect and is responsible for complying with FERPA or HIPAA, as applicable.
If a report is considered part of the Student's Education Record, the Student's Parent (or the Student, if age 18 years or older) seeking access to the report must request the report from the School, which can request the report from PAR. PAR will release a report only to the School and only on receipt of a valid signed consent.
If the School wishes to disclose the report, it must comply with all FERPA requirements for a valid signed consent for disclosure of Education Records (an "Authorization") from the Parent or Student, as applicable, and all uses and disclosures made pursuant to an Authorization must be consistent with the terms and conditions of such Authorization.
Under FERPA, Schools may release the report without an Authorization to the following entities or for the following purposes:
Copyright © 2019 by PAR, Inc. Any rights not expressly granted herein are reserved.
From its modest beginnings in Bob and Cathy Smith's home years ago, PAR has grown into a leading publisher of psychological assessment materials designed to help our Customers better serve their clients.