Hogrefe Testsystem HIPAA Privacy Policy

Hogrefe Publishing Corporation (“Hogrefe”) is committed to protecting your privacy and the privacy of your clients and/or patients who reside within or are otherwise located within the United States and its territories (“Patients”) whose electronic protected personal health information (“PHI”) is provided to Hogrefe by virtue of your use as Hogrefe’s customer of the Hogrefe Testsystem made available at www.hogrefe.com (“HTS”).  This HIPAA Privacy Policy is maintained by Hogrefe as part of its compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the privacy and security regulations promulgated under Title II, Subtitle F, §§ 261-264 of HIPAA, the administrative regulations issued by the Department of Health and Human Services (“DHHS”) as found in 45 C.F.R. Parts 160 through 164 (hereinafter HIPAA or DHHS regulations), and the Health Information Technology for Economic and Clinical Health Act of 2009, Public Law 111-005 (“the HITECH Act”), as such laws and regulations may be amended from time to time.

This HIPAA Privacy Policy applies only to the extent that you are a Covered Entity as defined under HIPAA and to the extent that PHI of your Patients collected from you and/or your Patients is provided to Hogrefe through HTS. This HIPAA Privacy Policy does not apply to information that you furnish to us offline or in any other manner. This HIPAA Privacy Policy is intended to supplement Hogrefe’s general Privacy Policy that governs the HTS platform and, to the extent of any inconsistency with Hogrefe’s general Privacy Policy, this HIPAA Privacy Policy shall control. This HIPAA Privacy Policy shall not apply to the handling of PHI of Patients who reside outside the United States and its territories.

HTS is made available by Hogrefe and provides an online testing platform for selected Hogrefe assessment tools, giving clinicians and practitioners the capability to remotely test Patients. It additionally allows qualified users to present assessments online while a Patient is in the practitioner’s office, and it may allow you to use HTS to gather client responses from remotely located Patients and run reports based on those responses. This HIPAA Privacy Policy reflects your standing as a Covered Entity with access to confidential electronic Protected Health Information (“PHI”) related to your Patients’ data that is received, collected, processed, transmitted, and stored through HTS.

By providing the HTS platform, Hogrefe is your Business Associate under HIPAA. HTS customers (“Customers”) capture and enter Patient data within HTS, including PHI, and may administer and score selected Hogrefe assessments. Patient data are pseudonymized on HTS, and authorized Hogrefe employees do not have access to PHI except strictly as needed to perform their duties in maintaining the HTS platform. All Hogrefe employees who may have access to PHI must comply with this HIPAA Privacy Policy. For purposes of this Policy and Hogrefe’s use and disclosure procedures, the term “employees” includes Hogrefe employees, consultants, trainees, agents, and other persons whose performance is under the direct control of Hogrefe, regardless of whether they are paid directly by Hogrefe.

No third-party rights, including, but not limited to, the rights of Patients or beneficiaries, are intended to be created by this Policy. Hogrefe reserves the right to amend or change this Policy at any time without notice. This Policy does not address requirements under other international, federal, state or local laws.

General HIPAA Privacy Policies and Practices

Privacy Officer and Contact Person
The Data Protection Officer of Hogrefe is responsible for the development and implementation of policies and procedures relating to privacy for Hogrefe, including, but not limited to, this HIPAA Privacy Policy and Hogrefe’s use and disclosure procedures related to any PHI that Hogrefe employees may come in contact with. The DPO also serves as the contact person for Customers and Customer Patients who have questions, concerns, or complaints about the privacy of their PHI. You may contact the Data Protection Officer through the Hogrefe General Manager at pamela.becker(at)hogrefe.com.

Employee Training
Hogrefe trains all employees who have access to PHI on its privacy policies and procedures.

Technical and Organizational Safeguards
Hogrefe has implemented reasonable technical and organizational safeguards for HTS to prevent Customer Patient PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA. Technical safeguards include limiting access to information by using encryption, implementing firewalls and requiring users to have unique, secure user IDs and passwords. Physical safeguards include locking doors and/or filing cabinets, establishing secure methods of access to Hogrefe facilities, and undertaking other measures to secure computer workstations, laptops, mobile devices, and other devices/methods used to access HTS by Hogrefe employees.

Hogrefe also ensures that only authorized employees have access to PHI and that Customers will have access to only the minimum amount of PHI of their Patients necessary for assessment administration and/or scoring/interpretation and related administrative functions.

Privacy Notice
The Data Protection Officer is responsible for developing and maintaining a notice of Hogrefe’s privacy practices for HTS that describes:

  • the uses and disclosures of Customer Patient PHI that may be made by Hogrefe;
  • the individual rights of the Patient; and
  • Hogrefe’s legal duties with respect to Customer Patient PHI.

This Policy constitutes Hogrefe’s HIPAA Privacy Notice for HTS.

The Data Protection Officer is responsible for creating a process for individuals to lodge complaints about HTS’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any HTS Customer upon request.

Sanctions for Violations of Privacy Policy
Sanctions for obtaining, using, or disclosing Customer Patient PHI in violation of this HIPAA Privacy Policy will be imposed in accordance with Hogrefe’s disciplinary action policy, up to and including termination. The disciplinary policy is described in the Hogrefe employee handbook within the section on performance improvement.

Mitigation of Inadvertent Disclosures of Protected Health Information
Hogrefe shall mitigate, to the extent reasonably possible, any harmful effects that become known to it because of a use or disclosure of Customer Patient PHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of protected health information, either by an employee or an outside consultant/contractor, that is not in compliance with this Policy, the employee shall immediately contact the Data Protection Officer so that the appropriate steps to mitigate the harm to the individual can be taken.

HTS’s HIPAA privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.

If a change in law affects the privacy notice, the privacy policy must promptly be revised and made available. Such change is effective only with respect to PHI created or received after the effective date of the notice. The date at the top of this document shall indicate the most recent date of this Policy revision.

Hogrefe will document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an HTS Customer Patient’s privacy rights.

The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. Hogrefe will maintain such documentation for at least six (6) years.

Policies on Use and Disclosure of PHI

Hogrefe, as it relates to HTS, will use and disclose HTS Patient PHI only as permitted under HIPAA. Such permitted uses and disclosures may occur under the following circumstances.

Mandatory Disclosures of PHI: To Individual and DHHS

A Customer Patient’s PHI must be disclosed as required by HIPAA in two situations:

  • The disclosure is to the individual who is the subject of the information (see “Access to Protected Health Information and Requests for Amendment” further in this Policy); and
  • The disclosure is made to DHHS for purposes of enforcing HIPAA.


Permissive Disclosures of PHI

For Legal and Public Policy Purposes
Customer Patient PHI may be disclosed in the following situations without a Patient authorization, when certain specific requirements are satisfied under HIPAA. Hogrefe’s and HIPAA’s use and disclosure procedures describe specific requirements that must be met before these types of disclosures may be made. The requirements include prior approval of Hogrefe’s Data Protection Officer. Permitted disclosures include those made:

  • about victims of abuse, neglect, or domestic violence;
  • for judicial and administrative proceedings;
  • for law enforcement purposes;
  • for public health activities;
  • for health oversight activities;
  • about decedents;
  • for cadaver organ, eye, or tissue donation purposes;
  • for certain limited research purposes;
  • to avert a serious threat to health or safety;
  • for specialized government functions; and
  • that relate to workers’ compensation programs.

Disclosures of PHI pursuant to an authorization
Customer Patient PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the Patient. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.


Policies on Individual Rights

Access to Protected Health Information and Requests for Amendment
HIPAA gives individuals the right to access and obtain copies of their PHI that HTS may contain. HIPAA also provides that participants may request to have their PHI amended. Hogrefe will provide access to PHI, and it will consider requests for amendment that are submitted in writing by participants. Such requests must contain appropriate identity verification documents. All such requests for PHI must be submitted to the Data Protection Officer. As a professional courtesy, Hogrefe may additionally contact the HTS Customer whose account maintains such Patient electronic PHI and inform them of the request for PHI.

Last Updated: March 1, 2022