No third-party rights, including, but not limited to, the rights of Patients or beneficiaries, are intended to be created by this Policy. Hogrefe reserves the right to amend or change this Policy at any time without notice. This Policy does not address requirements under other international, federal, state or local laws.
Privacy Officer and Contact Person
Hogrefe trains all employees who have access to PHI on its privacy policies and procedures.
Technical and Organizational Safeguards
Hogrefe has implemented reasonable technical and organizational safeguards for HTS to prevent Customer Patient PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA. Technical safeguards include limiting access to information by using encryption, implementing firewalls and requiring users to have unique, secure user IDs and passwords. Physical safeguards include locking doors and/or filing cabinets, establishing secure methods of access to Hogrefe facilities, and undertaking other measures to secure computer workstations, laptops, mobile devices, and other devices/methods used to access HTS by Hogrefe employees.
Hogrefe also ensures that only authorized employees have access to PHI and that Customers will have access to only the minimum amount of PHI of their Patients necessary for assessment administration and/or scoring/interpretation and related administrative functions.
The Data Protection Officer is responsible for developing and maintaining a notice of Hogrefe’s privacy practices for HTS that describes:
This Policy constitutes Hogrefe’s HIPAA Privacy Notice for HTS.
The Data Protection Officer is responsible for creating a process for individuals to lodge complaints about HTS’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any HTS Customer upon request.
Mitigation of Inadvertent Disclosures of Protected Health Information
Hogrefe shall mitigate, to the extent reasonably possible, any harmful effects that become known to it because of a use or disclosure of Customer Patient PHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of protected health information, either by an employee or an outside consultant/contractor, that is not in compliance with this Policy, the employee shall immediately contact the Data Protection Officer so that the appropriate steps to mitigate the harm to the individual can be taken.
HTS’s HIPAA privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.
Hogrefe will document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an HTS Customer Patient’s privacy rights.
The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. Hogrefe will maintain such documentation for at least six (6) years.
Hogrefe, as it relates to HTS, will use and disclose HTS Patient PHI only as permitted under HIPAA. Such permitted uses and disclosures may occur under the following circumstances.
Mandatory Disclosures of PHI: To Individual and DHHS
A Customer Patient’s PHI must be disclosed as required by HIPAA in two situations:
For Legal and Public Policy Purposes
Customer Patient PHI may be disclosed in the following situations without a Patient authorization, when certain specific requirements are satisfied under HIPAA. Hogrefe’s and HIPAA’s use and disclosure procedures describe specific requirements that must be met before these types of disclosures may be made. The requirements include prior approval of Hogrefe’s Data Protection Officer. Permitted disclosures include those made:
Disclosures of PHI pursuant to an authorization
Customer Patient PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the Patient. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.
Access to Protected Health Information and Requests for Amendment
HIPAA gives individuals the right to access and obtain copies of their PHI that HTS may contain. HIPAA also provides that participants may request to have their PHI amended. Hogrefe will provide access to PHI, and it will consider requests for amendment that are submitted in writing by participants. Such requests must contain appropriate identity verification documents. All such requests for PHI must be submitted to the Data Protection Officer. As a professional courtesy, Hogrefe may additionally contact the HTS Customer whose account maintains such Patient electronic PHI and inform them of the request for PHI.
Last Updated: March 1, 2022