TradeMark Insurance Agency, LLC Privacy & Security Policy
TradeMark Insurance Agency, LLC
PRIVACY & SECURITY POLICY
TABLE OF CONTENTS
· Policy Scope & Focus
· Definitions
· Uses and Disclosures of Information
· Permitted and Required Uses
· Authorized Uses & Disclosures
· Whistleblowers
· Sale of Protected Health Information
· Availability
· Audits, Inspections & Enforcement
· Litigation/ Administrative Proceedings
· Minimum Necessary
· De-identification
Information Guidance
· Document Retention
· Associate Sanctions
Safeguards
· Administrative
· Physical
· Technical
Agreements
· Associate Confidentiality Agreement
· Confidentiality/Non-disclosure Agreement
· Business Associate Agreement
Individual Privacy Rights
Privacy & Security Procedures & Guidelines
· Reporting a Privacy & Security Breach
· Return / Destruction of Information
· HIPAA Privacy & Security Training Program
· Performing Authentication
· Minimum Necessary Guidelines
· Responding to Individual Privacy Rights
PRIVACY & SECURITY POLICY SCOPE & FOCUS
TradeMark Insurance Agency, LLC adopts the following privacy and security policy. This document is the formal written policy regarding the protection and security of information as required by federal and state laws, rules and regulations. All associates of this agency are required to follow the guidance provided in this policy. This policy also applies to any temporary associates, all contractors, vendors and any others who are provided access to this agency’s data and systems. Associates who violate or fail to comply with this policy are subject to disciplinary actions and may also be subject to civil penalties.
This policy applies to oral, written and electronic individually-identifiable information and to non-public information. The information protected by this policy relates to individuals, members, clients, agents, brokers, employer groups, providers and vendors, including persons who are deceased. It also includes all information the agency is required to protect under its agreements with covered entities. The terms of this policy continue to apply in the event the agency ceases doing business.
This agency will follow all Federal and state laws and regulations. In the event of conflicting regulations, this agency will follow the most stringent requirement or seek assistance from legal counsel.
This privacy and security policy contains: definitions of terms used frequently in the privacy and security regulations; a description of how the agency uses and discloses protected health information; the safeguards in place to protect information; the agreements between the agency and its employees, between the agency and its vendors and subcontractors, and between the agency and each covered entity; a description of individual privacy rights; and the agency's privacy and security procedures and guidelines.
DEFINITIONS
The following are terms commonly used within the Federal HIPAA Privacy and Security rules. Familiarity with these terms will assist in your overall understanding of the Privacy rule and Business Associate requirements.
Access - means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
Administrative Safeguards - this term is used to define the administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect information.
American Recovery & Reinvestment Act of 2009 - ARRA, commonly referred to as the Stimulus or The Recovery Act is an economic stimulus package enacted by the 111th U S Congress in February 2009. The act included specific healthcare incentives.
Authentication - process used to verify the identity of a person whose protected health information is being requested, and the authority of the requester to access that person’s protected health information.
Authorization - document that gives Covered Entities the permission to use or disclose Protected Health Information for specific purposes, typically for reasons other than treatment, payment or health care operations.
Breach - the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted by the Privacy rule, whether accidental or deliberate, that compromises the security or privacy of that information.
Business Associate - a person or organization that performs certain functions or activities that involve the use or disclosure of Protected Health Information on behalf of a Covered Entity.
Business Associate Agreement - an agreement mandated by the Privacy rule between a Covered Entity and a business associate providing services involving Protected Health Information.
Complaint - any concern or expression of dissatisfaction regarding privacy issues of protected information.
Confidentiality - means the property that data or information is not made available or disclosed to unauthorized persons or processes.
Confidentiality Agreement (Non-disclosure Agreement) - executed contract which requires a third party to safeguard protected information.
Covered Entity - as defined by federal Privacy regulation:
Ø Health Care clearinghouses – public or private organizations that process or facilitate the processing of data elements of health information received from other covered entities, including billing services.
Ø Health Plans – individual or group plans that provide, or pay the cost of, medical care, including group health plans, HMOs, etc.
Ø Health Care Providers – physicians or other health care providers, licensed, accredited, or certified to perform specific health care services.
De-identification - is the process of removing key identifiers from an individual’s protected health information so that the remaining information no longer identifies the individual, and the information cannot be re-identified to the individual.
Disclosure - the release, transfer, provision of access to, or divulging in any other manner of protected health information outside the entity that maintains the information.
Electronic Health Record - EHR is the systematic collection of electronic health information about individual patients.
Encryption - means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
Financial Information - as defined in Gramm-Leach-Bliley regulations, term pertains to elements such as bank account numbers, routing numbers and loan numbers.
Gramm-Leach-Bliley Act (GLBA) - federal law passed in 1999 that includes provisions to protect consumer’s personal financial information and governs the collection and disclosure of their financial information.
Health Insurance Portability and Accountability Act (HIPAA) Title II - Administrative Simplification – federal law containing administrative provisions for health plans, providers, and health care clearinghouses. The privacy portion of the law, designed to ensure the privacy of protected health information became effective April 14, 2003.
HITECH Act - part of ARRA. ARRA contains specific healthcare incentives including information on enforcement of privacy and security, breach notification requirements, electronic health record access and additional impacts to Business Associate agreements.
Incidental Disclosure - secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use and disclosure.
Individual - Individual means the person who is the subject of Protected Health Information.
Individually-Identifiable Health Information - any information that may identify an individual and relates to the past, present, or future mental or physical condition of the individual. For example, a name, address, telephone number, birth date, or Social Security number in combination with a diagnosis or other health-related information.
Individual Privacy Rights - according to HIPAA Title II regulations, individuals are entitled to individual privacy rights that include the following items:
Ø Right to Notice of Privacy Practices
Ø Right to Restrictions on Use and Disclosure of Protected Health Information
Ø Right to Alternate Communications
Ø Right of Access to Protected Health Information
Ø Right to Amend Protected Health Information
Ø Right to an Accounting of Disclosures of Protected Health Information
Ø Right to file a privacy complaint
Information system - means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
Integrity - means the property that data or information have not been altered or destroyed in an unauthorized manner.
Malicious software - means software, for example a virus, designed to damage or disrupt a system.
Minimum Necessary Standard - is the practice of limiting the amount of information to the minimum amount of Protected Health Information necessary to accomplish the intended purpose of the Use or Disclosure.
Nonpublic Personal Information - as defined in the Gramm-Leach-Bliley regulations, personally identifiable financial information that a consumer provides in order to obtain a financial product or service, that results from a transaction involving such a product or service, or that is otherwise obtained in connection with providing it.
Non-Routine Disclosure - disclosure of protected health information is a disclosure that does not ordinarily happen in routine operations or on a recurring basis.
Notice of Privacy Practices - a document required by the HIPAA Privacy rule that health care providers and health plans must provide to individuals to inform them of their privacy rights and to explain how the organization uses and discloses their Protected Health Information.
Password - means confidential authentication information composed of a string of characters.
Privacy Officer- the person designated to develop, implement, and oversee the entity’s compliance with the HIPAA Privacy Rule.
Physical safeguards - are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
Protected Health Information (PHI) - as defined by federal privacy regulation is information that:
Ø Contains data elements or combinations of data elements that could identify a person, or provides a reasonable basis to believe someone could be identified;
Ø Contains health-related information about that person; and
Ø Is maintained or transmitted in any form (electronic, written, or oral).
Routine Disclosures - is a disclosure of protected health information that ordinarily happens in payment and health plan operations, or on a recurring basis.
Safeguards - processes and procedures to provide protection of PHI using administrative, physical and technical methods.
Sanction - penalty for non-compliance.
Security or Security measures - encompass all of the administrative, physical, and technical safeguards in an information system.
Security Incident - means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Technical Safeguards - security controls, safeguards and counter measures applied to an information system.
TPO - term that stands for treatment, payment and health care/plan operations.
Transaction - means the transmission of information between two parties to carry out financial or administrative activities related to health care.
Treatment - means the provision, coordination, or management of health care or health care related services by one or more health care providers.
US Department of Health and Human Services - The Department of HHS responsible for the enforcement and administration of the HIPAA law.
Use - the sharing, employment, application, utilization, examination, or analysis of Protected Health Information within the entity that maintains that information.
User - means a person or entity with authorized access.
Workforce - term for employees, volunteers, trainees, and other persons who perform work for a Covered Entity.
Workstation - means an electronic computing device, for example a laptop or desktop computer, or any other device that performs similar functions, and the electronic media stored in its immediate environment.
USES AND DISCLOSURES OF INFORMATION
This agency may use and disclose protected health information (referred to in this policy as PHI) as described in the Federal HIPAA Privacy regulation, 45 C.F.R. §164.501 et seq., and as outlined in this Policy.
Permitted & Required Uses and Disclosures – This agency is allowed to use and disclose PHI for the following purposes. Refer to the Privacy Officer or obtain assistance from legal counsel for any other proposed use or disclosure.
Provide and conduct administrative functions related to payment and operations for and on behalf of a covered entity that include the following:
· For conducting enrollment
· To allow for and/ or audit claims payments
· To allow for quoting
· For underwriting activities
· To allow for case issuance
· Use of eligibility information for commissions and bonus processing and inquiries.
· For conducting Customer service activities
· To assist with request for identification cards
· To assist with requested demographic changes
· Use of financial information for the sole purpose of processing insurance premiums
Ø To respond to the Secretary of the Department of Health and Human Services and all other regulatory bodies to determine compliance.
Ø For compliance programs and oversight audit functions
Ø To report privacy violations to the appropriate Federal and State authorities consistent with the HIPAA Privacy regulations
Ø For data aggregation to permit data analysis for contracted covered entities
Ø To public health and safety authorities
Ø To report abuse, neglect or domestic violence
Ø To law enforcement officials under certain circumstances
Ø For judicial and administrative proceedings
Ø To fulfill any obligations under workers’ compensation laws or contract
Ø To assist with the procurement, banking, or transplantation of organs, eyes or tissues
Ø To an individual upon request to provide access to his or her own protected health information
Ø To an individual to provide an accounting of disclosures of protected health information
Ø To request proposals for services to be provided to or on behalf of a covered entity
Ø To investigate fraud
The following are situations of additional uses and /or disclosures of protected health information where the individual has the opportunity to agree, object or restrict the use or disclosure:
Ø To assist in disaster relief efforts
Ø To another individual to assist with care or payment
Ø In an emergency situation
AUTHORIZED USES AND / OR DISCLOSURES
There are situations which require an individual’s authorization prior to the use and/or disclosure of their protected health information.
Ø Marketing - this agency will ensure that an authorization has been completed prior to the marketing of any insurance product.
Ø Psychotherapy notes - this agency will obtain a written authorization from the individual to use and/or disclose psychotherapy notes of any client for any activities outside of treatment, payment or health plan operations.
Ø Fund-raising - this agency will discuss any proposed fund-raising activities with the Privacy Officer to ensure covered entity obligations are met.
Ø SMS Communications - Text message opt-in data and consent are not shared with any third parties (including subsidiaries and affiliates). If you wish to be removed from receiving future communications, text STOP to opt out. (See Page 33 for SMS Terms & Conditions.)
DISCLOSURES BY WHISTLEBLOWERS
Agency associates may disclose protected health information if they believe in good faith that the agency has engaged in unlawful conduct or has otherwise violated professional standards relating to privacy. These types of disclosures can be made to:
Ø A health oversight agency or public health authority authorized by law to investigate professional agency standards.
Ø An attorney retained by or on behalf of the agency associate for the purpose of determining the legal options of the associate with regard to the conduct.
SALE OF PROTECTED INFORMATION
Ø This agency prohibits the selling for profit of protected information or data.
AVAILABILITY OF INFORMATION
This agency shall prepare, maintain and retain records relating to the use and disclosure of PHI in such form and for such time periods as required by applicable state and federal laws, rules and regulations. Upon reasonable request, covered entities may obtain a copy of, and have access to, any medical, administrative or financial record of the agency relating to the use and disclosure of PHI. Review the executed business associate agreement with the covered entity to determine any appropriate charges for copies of the records. The agency shall make information available to covered entities so they can fulfill their obligations to provide access to, provide a copy of, and account for disclosures of PHI pursuant to HIPAA and the HIPAA Regulations.
AUDITS, INSPECTIONS and ENFORCEMENT
Upon reasonable notice, this agency will comply with its legal obligations under HIPAA relating to audits, inspections and enforcement.
LITIGATION or ADMINISTRATIVE PROCEEDINGS
In the event of litigation or administrative proceedings commenced against a covered entity based upon a claimed violation of HIPAA, the HIPAA Regulations or other laws relating to security and privacy, this agency shall make itself, and any contractors, employees or agents assisting the agency in performing its obligations to the covered entity, available to testify as witnesses or otherwise, except where the agency or its contractor, employee or agent is a named adverse party.
MINIMUM NECESSARY
The privacy regulation describes minimum necessary as limiting the use, disclosure, or request of protected information to the least amount required to accomplish the intended purpose.
Limiting access to protected information to those associates who have a "need to know" work function associated with their specific role at the agency also falls under minimum necessary.
This agency will apply minimum necessary guidelines to include written and oral communications. Engaging in casual conversation regarding protected health information is prohibited.
This agency makes reasonable efforts to limit the use and disclosure of protected health information to the least amount required to accomplish the task, and applies the minimum necessary standards when requesting, using, or disclosing protected health information.
DE-IDENTIFICATION
De-identification is a formal process of removing key identifiers (name, address, SSN, etc.) from an individual's protected information so that the remaining information no longer identifies the individual and cannot be re-identified to the individual. De-identified data requires no individual privacy protection and is not covered by the Privacy regulations. Refer to the Privacy & Security Official for further assistance regarding de-identification of data.
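The following is an added worked example, not the agency's own tooling or any code from the original policy. It applies the HIPAA Safe Harbor method (45 C.F.R. §164.514(b)(2)) to a single constructed record: direct identifiers such as name, SSN and address are dropped outright; quasi-identifiers that the rule allows in generalized form (ZIP code, dates, age) are reduced to the permitted granularity; fields the module does not recognize are dropped rather than passed through; and free-text notes are scanned for identifiers that tend to leak into them. The field names, the sample record and the free-text patterns are assumptions made for illustration. The list of restricted three-digit ZIP prefixes is the set published in HHS guidance from the 2000 census and should be verified against current guidance before use.

```python
"""Safe Harbor de-identification of one PHI record (added example, not agency code)."""
from __future__ import annotations

import re
from datetime import date

# Direct identifiers listed in 45 C.F.R. 164.514(b)(2)(i); removed outright.
# Field names are assumed for this example, not a real agency schema.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "photo",
})

# Allowlist of fields retained unchanged. Anything not named anywhere in this
# module is dropped: the function fails closed rather than leaking a new field.
RETAINED = frozenset({"state", "sex", "diagnosis", "procedure"})

# Three-digit ZIP prefixes HHS lists as covering 20,000 or fewer people
# (2000 census); Safe Harbor requires these to be recorded as 000.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790",
    "821", "823", "830", "831", "878", "879", "884", "890", "893",
})

# Heuristic patterns (assumed) for identifiers that leak into free text.
# Order matters: the SSN pattern runs before the looser phone pattern.
_FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is on the restricted list."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(value: date) -> str:
    """Safe Harbor permits only the year of any date related to the individual."""
    return str(value.year)


def generalize_age(dob: date, as_of: date) -> str:
    """Ages over 89 are aggregated into a single '90+' bucket."""
    birthday_passed = (as_of.month, as_of.day) >= (dob.month, dob.day)
    age = as_of.year - dob.year - (0 if birthday_passed else 1)
    return "90+" if age > 89 else str(age)


def scrub_free_text(text: str) -> str:
    """Replace identifier-shaped substrings in a free-text field with tokens."""
    for pattern, token in _FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of a flat record."""
    out: dict = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            out["birth_year"] = generalize_date(value)
            out["age"] = generalize_age(value, as_of)
        elif field.endswith("_date"):
            out[field[: -len("_date")] + "_year"] = generalize_date(value)
        elif field == "notes":
            out["notes"] = scrub_free_text(value)
        elif field in RETAINED:
            out[field] = value
        # Unrecognized fields fall through and are dropped.
    return out


def contains_direct_identifier(record: dict) -> bool:
    """Post-condition check: no direct identifier key survived."""
    return any(key in DIRECT_IDENTIFIERS for key in record)


AS_OF = date(2024, 1, 1)  # reference date for age calculation (constructed)

SAMPLE_RECORD = {  # constructed sample input, not real data
    "name": "Jane Q. Sample",
    "street_address": "12 Example Lane",
    "city": "Anytown",
    "state": "VT",
    "zip": "05901",            # prefix 059 is on the restricted list -> 000
    "dob": date(1931, 6, 15),  # age 92 on AS_OF -> "90+"
    "ssn": "123-45-6789",
    "phone": "802-555-0142",
    "email": "jane@example.com",
    "medical_record_number": "MRN-00042",
    "admission_date": date(2023, 3, 4),
    "sex": "F",
    "diagnosis": "E11.9",
    "notes": "Pt called from 802-555-0142 on 03/04/2023; SSN 123-45-6789 on file.",
    "employer_group": "ACME-GRP-7",  # not on any list -> dropped
}

if __name__ == "__main__":
    result = deidentify(SAMPLE_RECORD, AS_OF)
    assert not contains_direct_identifier(result)
    print(result)
```

Two caveats a practitioner should keep in mind. Safe Harbor also requires that the agency have no actual knowledge that the remaining data could identify the individual, which code cannot check; rare diagnoses combined with a small state or a 90+ age bucket can still single someone out. The regex scrub of free text is a best-effort filter, not a guarantee, so notes fields should be reviewed or excluded when the receiving party does not need them. Where these limits matter, the Privacy Rule's alternative, Expert Determination, is the appropriate route.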
INFORMATION GUIDANCE
DOCUMENT RETENTION
Agency will maintain documents containing protected information as required by state and/or federal laws, rules, standards and regulations. All documents containing protected health information will be maintained a minimum of six (6) years in accordance with the Federal HIPAA privacy regulation.
ASSOCIATE SANCTIONS
Failure to comply with agency privacy and security policy and procedures will result in appropriate sanctions against the associate. Sanctions will be determined by the severity of the event and the risk of harm.
SAFEGUARDS
In accordance with the Federal HIPAA privacy regulations, this agency maintains reasonable administrative, physical and technical safeguards to assist with the protection of personal information. The safeguards below were implemented by this agency with consideration for our organization size and available technology. Additional details regarding specific procedures are located in “Procedure Section” of this policy.
ADMINISTRATIVE SAFEGUARDS
Jeremy Vorheier has been designated as the Security Official for this agency. The acceptance of this designation includes the responsibility to administer the agency’s security policy and procedures.
Ø Our agency purchased a privacy and security training program. This program includes the basic requirements of the Federal HIPAA privacy regulation.
Ø A signed attestation indicating completion of privacy and security training is maintained for all associates.
Ø Our agency conducts privacy and security refresher training as needed.
Ø Our agency promptly removes system access upon associate termination.
Ø Our agency revises allowed system access based upon job role changes.
Ø Disciplinary actions will be imposed on associates that fail to comply with the agency’s privacy & security policy and procedures up to and including potential termination. Sanctions are determined by the severity and circumstance of the violation.
Ø All associates are required to sign a confidentiality agreement upon employment. Refer to “Agreement Section” for sample template.
Ø Agency will require executed written Confidentiality or Non-disclosure agreements with contractors, including subcontractors and independent contractors to whom we provide any protected health information of a contracted covered entity. Refer to “Agreement Section” for sample template.
Ø Our agency associates perform an authentication process prior to the release of protected health information.
Ø Our agency follows the “minimum necessary” guidelines. Refer to “Minimum Necessary procedure”.
Ø Agency will follow specific instructions provided by a covered entity on the return or destruction of data if contract is terminated. Upon termination of contract with covered entity, review executed Business Associate Agreement for instructions. Contact covered entity to verify instructions.
Ø Our agency has a documented procedure for handling of a security incident. Refer to “Reporting a Privacy & Security Breach” procedure located in procedure section.
Ø Our agency requires the prompt reporting of potential privacy and or security breaches
Ø Our agency documents any identified risks and takes appropriate actions to address identified risk.
Ø Our agency periodically conducts a security risk analysis to identify potential risks and vulnerabilities of our data.
Ø Our agency will maintain system tracking logs of access and use of data and periodically review the information for potential breaches of our privacy and security policy
Ø Our agency has a data backup plan that describes process to create and maintain retrievable exact copies of electronic protected health information.
Ø Our agency has a disaster recovery plan that describes process for restoring any lost data.
Ø Our agency conducts periodic testing of contingency plans.
Ø Our agency has an emergency mode operation plan that describes process to enable continuation of critical business processes while operating in an emergency mode.
Ø Our agency conducts periodic technical and nontechnical evaluations to ensure that appropriate security has been implemented.
Ø Our agency contracts with an external vendor periodically to conduct technical and nontechnical evaluations of the agency’s security measures.
Ø Our agency has developed and provides a Notice of Privacy Practices that describes the allowed uses and disclosures of protected health information.
Ø Our agency has developed and implemented a privacy web statement.
PHYSICAL SAFEGUARDS
Ø Access to the agency is controlled by door lock and key.
Ø Access to the agency is controlled by building entry key card.
Ø Visitor access to the agency is controlled by requirement that all visitors be accompanied by employed agency associate.
Ø All protected health information must be stored in a locked file cabinet overnight.
Ø All protected health information must be secured when not in use for more than 30 minutes. Documents must be placed in desk drawer, file cabinet, or folder to protect unauthorized access of protected health information.
Ø All documents containing protected information should be appropriately destroyed after meeting retention guidelines. Destruction of documents will occur by on-site shredding.
Ø All documents are to be retrieved from printers, copiers, and facsimile machines as promptly as possible.
Ø All documents that contain personal information requiring transport must be placed in a sealed envelope, sealing briefcase, locking box or other sealed container prior to the transport of the information.
Ø All outgoing agency mail in a window envelope must be reviewed to verify that only name and address are displayed in window.
Ø All agency mobile devices (such as cell phones, smartphones, BlackBerry devices or laptops) must be stored out of sight in a locked desk, locked office, or locked cabinet overnight.
Ø Agency reviews physical layout of associate workstation screens and display monitors to safeguard protected health information from individuals not authorized.
Ø Agency requires all associates utilizing “agency systems” when working from a remote location to follow security measures implemented for remote access.
Ø Agency follows security processes such as degaussing, data wiping and physical destruction to ensure that protected health information is no longer accessible prior to the disposal or re-use of equipment.
TECHNICAL SAFEGUARDS
Ø System access is restricted to only those associates that have a need to know information to perform their job role at the agency.
Ø System access is reviewed and changed as needed due to change in job role.
Ø System access is promptly terminated upon associate termination or resignation.
Ø All outgoing faxes containing protected health information require a fax cover sheet.
Ø All fax cover sheets include a privacy disclaimer of: The information transmitted is intended only for the person or entity to which it is addressed and may contain CONFIDENTIAL material. If you receive this material/information in error, please contact the sender and delete or destroy the material/information.
Ø All outgoing emails containing protected health information must be sent securely with encryption.
Ø All documents containing protected health information must be placed in the designated bins for shredding by the contracted vendor after meeting retention requirements.
Ø This agency prohibits the use of any mobile device (laptops, hand-held devices, BlackBerry devices, etc.) that does not allow for secure access to or transmission of protected health information.
Ø All agency associates must log off computers at the end of the business day.
Ø All computer workstations are automatically locked down by systems when associate is away from workstation for more than five minutes.
Ø Password-protected screen savers are applied to disable computers when inactive.
Ø Our agency maintains a unique user identification convention.
Ø Our agency has implemented technical procedures that verify the identity of the person or entity seeking access to protected health information.
Ø Our agency has a disaster recovery plan to obtain access to critical data.
Ø Our agency has a business continuity plan to obtain access to critical data.
Ø Our agency has a procedure to allow data access in emergency situations.
AGREEMENTS
Our agency requires various agreements with our associates, vendors, and contractors to maintain the confidentiality of information and meet requirements with federal privacy regulations. A brief description of the various agreements and sample templates follow.
Associate Confidentiality Agreement:
The Associate Confidentiality Agreement is signed by every associate of our agency. The intent of this document is to obtain confirmation that associates understand that all information is the property of the agency and should only be used in the performance of the job with the agency. It further indicates that the agreement remains in effect after termination.
Confidentiality Agreement/ Non-disclosure Agreement:
The Confidentiality / Non-disclosure Agreement is required by this agency for any contractors, including subcontractors and independent contractors to whom we provide any protected health information of a contracted covered entity.
Business Associate Agreement
A Business Associate Agreement is a document typically executed between a covered entity and an organization performing services (such as an independent broker/agency) involving the use and/or disclosure of Protected Health Information on behalf of the covered entity.
The Business Associate rule within the federal HIPAA privacy regulation seeks to ensure that as a business partner, the Business Associate adheres to the essential privacy protections required by the covered entity and that there is no degradation of privacy safeguards when data is shared with the Business Associate. As a Business Associate, the agency has accepted the responsibility to follow through on certain compliance requirements.
ASSOCIATE CONFIDENTIALITY AGREEMENT
I agree to the terms of this Confidentiality Agreement (“Agreement”) as a condition of my being hired by and continued employment with TradeMark Insurance Agency, LLC.
I understand and acknowledge that during the course of my employment I may prepare, come in contact with, become knowledgeable of or possess trade secrets and other confidential and proprietary information belonging to the agency, its customers, business partners or other stakeholders. As used in this Agreement, "Confidential Information" includes but is not limited to: customer/member/provider or associate medical and dental information, claims information, other personal information, lists, billing, pricing, sales or other financial information, projections, research, product plans, products, services, business or marketing plans, developments, inventions, formulas, methods, processes, practices, specifications, designs, software, information technology systems, configuration information, drawings, images, recordings, contracts, negotiations, records, data, documents, presentations, manuals, and other information and documents concerning the agency, its business operations and relationships that are not generally available to the public. If I am unsure whether or not a particular fact, matter, conversation, information or document is covered by this Agreement, I agree to preserve the confidentiality of the item in question and receive clarification from the appropriate Agency owner or other internal authority.
I agree that such Confidential Information is and shall remain the sole property of the agency. I also agree that all works of authorship, developments, improvements, designs, trademarks or trade secrets, whether or not patentable or under copyright or similar laws, which I conceive, develop or reduce to practice (solely or jointly with others) within the scope of and during the period of my employment with this agency are the agency’s sole property. I agree that I have no right or ownership interest in any such property or Confidential Information, and hereby assign to this agency any right, title or ownership interest in such property or Confidential Information that might be found to exist.
I agree at all times to hold such Confidential Information in strictest confidence and to only use it for the benefit of this agency and as authorized to perform my assigned position responsibilities. I agree to only access Confidential Information for which I have a legitimate business need to know. I will not in any way access, possess, divulge, copy, publish, release, sell, transfer, review, permit access to, remove from agency premises, alter or destroy any Confidential Information except as authorized by this agency, or as required by law or regulation.
I further agree that if my employment with this agency is terminated for any reason, I will deliver to this agency (and will not keep, recreate or deliver to anyone else) all Confidential Information, equipment, and other proprietary information or property affecting or relating to this agency’s business in any form, including but not limited to computers, PDA’s, cell phones and other devices, media, correspondence, documents, memos, electronic files, and any copies thereof, or other materials that belong to this agency and which are in my possession.
I further understand, acknowledge and agree that: (1) my obligations under this Agreement continue after I leave the employ of this agency; (2) this agency has the right in its sole discretion to notify my new employer of my obligations under this Agreement; (3) violation of the terms or intent of this Agreement may subject me to disciplinary action, up to and including immediate termination of employment, and possible legal action regardless of my employment status; and (4) such violation will entitle this agency to injunctive relief to prevent unfair competition, misappropriation or the unlawful possession, use or disclosure of Confidential Information, and to any other claims or remedies available in law or equity, including but not limited to temporary restraining orders, preliminary injunctions and damages. For any such action that results in the enforcement of this Agreement or any of its provisions against me, I agree to pay the agency’s reasonable attorneys' fees, expenses and costs for bringing or defending the action.
In consideration for my employment as a new employee I do so agree, or in consideration of my continued employment I do so agree, or in consideration for my continued or new access to company trade secrets that may increase my role responsibilities and may increase opportunities for advancement, I do so agree.
Name Date
CONFIDENTIALITY NONDISCLOSURE AGREEMENT
This Confidentiality Nondisclosure Agreement (“Agreement”) dated , 201_, is between (Agency Name) and , (hereafter known as "Consultant").
WHEREAS, in the course of transacting business between the parties hereto, it may be necessary and desirable for either party to disclose proprietary or confidential information, the parties hereto agree as follows:
All information and documents given to the other party shall be considered either proprietary or confidential, whether or not marked as such, and shall be subject to the terms of this Agreement.
THEREFORE, in consideration of each party making the confidential information available to the other party, the parties agree as follows:
(i) Each party warrants that it will retain all information belonging to the other party in strictest confidence and will neither use it nor disclose it to a third party, other than its employees having a need to know, without the explicit written permission of the other party.
(ii) Each party will limit the number of copies made of such information to those necessary and will reproduce a legend as to confidentiality or secrecy on each copy.
(iii) Each party will require its employees to whom confidential information has been disclosed to keep it in strictest confidence.
For purposes of this Agreement, proprietary and confidential information will include all internal business practices, software, information contained on LANs, computers or other magnetic media, devices, concepts, prototypes, inventions (some of which may be patentable), patent applications, designs, know-how, plans for development of new technology, procedures, informational plans, strategies, business records, including but not limited to information concerning members, providers, reimbursements, rates, products, pricing, the identity of Agency customers, any and all data identifying Agency customers either individually or as a group, including but not limited to, claims, rating, health information, and identifiable nonpublic personal information, Agency’s methods of doing business, and financial information regarding Agency’s customer contracts, both detailed information and the basic nature of the information, and contracts or business methods, in any form whatsoever.
The parties recognize that irreparable harm can be occasioned to the other party by disclosure of information relating to its business and any violation of this Agreement shall entitle the offended party to injunctive relief in addition to, and not in lieu of, any damages to which the offended party may be entitled. If confidential property or proprietary information is disclosed to a third party, the offending party will provide all reasonable assistance to the other party in obtaining retrieval of the information and shall hold harmless and indemnify the non-offending party from any claims, actions or suits arising out of the violation of this Agreement.
Notwithstanding anything to the contrary, neither party shall have an obligation to preserve the confidentiality of any information which:
(i) has been previously published or is now or becomes public knowledge through no fault of the other party;
(ii) at the time of disclosure is already in the lawful possession of the other party;
(iii) was made available to the other party, without restriction on disclosure, by a third party not under obligation of confidentiality with respect to the disclosed information;
(iv) is independently developed by the other party;
(v) constitutes know-how which in ordinary course becomes indistinguishable from the know-how of the other party;
(vi) the communication is in response to a valid order by a court of competent jurisdiction or otherwise required by law.
At the termination of the relationship requiring the disclosure of proprietary and confidential information, Consultant will promptly, upon the request of the Agency, destroy all documents or other matters furnished hereunder constituting or containing proprietary or confidential information (including all electronic information or images of same), without retaining any copy thereof. Consultant shall certify in writing to the Agency that all proprietary and confidential information which had been disclosed to Consultant hereunder has been destroyed.
The validity, construction and performance of this Agreement and the legal relations among the parties to this Agreement shall be governed by and construed in accordance with the laws of the (applicable state) without giving effect to its conflict of law principles. The parties agree that the courts of (applicable city court) shall be the exclusive courts of jurisdiction and venue for any litigation, special proceeding or other proceeding as between the parties that may be brought, or arise out of, or in connection with, or by reason of this Agreement and each party hereby irrevocably consents to the jurisdiction of such courts for the limited purposes stated herein. If any provision of this Agreement or the application of any such provision shall be held by a tribunal of competent jurisdiction to be contrary to law, the remaining provisions of this Agreement shall continue in full force and effect.
This Agreement constitutes the entire agreement between the parties in connection with the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations and discussions, whether oral or written, of the parties and/or subsidiaries of the parties with respect to the same subject matter hereof. There are no warranties, representations and/or agreements between the parties in connection with the subject matter hereof except as specifically set forth or referred to herein.
IN WITNESS WHEREOF, and intending to be legally bound hereby, the parties have caused this instrument to be duly executed as of the date above written.
ACCEPTED BY AGENCY:
BY:
ACCEPTED BY CONSULTANT:
BY:
(Signature) (Signature)
(Printed Name) (Printed Name)
(Title) (Title)
INDIVIDUAL PRIVACY RIGHTS
Privacy laws, rules, and regulations provide individuals with various options that are called individual rights. Individual privacy rights may be invoked by the individual or, if appropriate information is provided, by an authorized personal representative(s). The following are brief descriptions of the various individual rights.
Privacy Notice
The Federal HIPAA Privacy regulation requires that covered entities provide a Notice of Privacy Practices. This notice describes the permitted and required uses and disclosures of protected information, provides an explanation of individual privacy rights, and outlines how to file a privacy complaint. Individuals have the right to request and receive Notice of Privacy Practices.
Access
The right to request access to protected health information allows individuals the opportunity to review and/or obtain a photocopy (or other such format) of their information. Upon receipt of a written request, a response must be provided within thirty (30) days unless an extension is needed.
Accounting
The right to an accounting allows individuals to request a list of disclosures of their protected health information made in the past six years for purposes other than treatment, payment, health plan operations, and other excepted activities. Disclosures that must be accounted for include, but are not limited to, those made to health oversight agencies for audits, investigations and licensure; those made for judicial and administrative proceedings (court order, subpoena, discovery, etc.); and those made for research purposes.
Restriction
The right to restrict allows individuals to request a limit or restriction on the use and disclosure of their protected health information. The regulation does not require agreement to the restriction if it is determined that the restriction may interfere with treatment, payment or operations.
Restriction Termination
The right to remove a restriction allows individuals the ability to request or agree to the removal of a previously requested restriction.
Alternate Communications
The right to alternate communications allows an individual to request that health information be sent to a different address or by a different communication method due to potential abuse.
Amendment
The right to amend allows individuals the right to request a correction of their protected health information created and maintained by a covered entity that is inaccurate and/or incomplete.
Regulations require a response to this request within sixty (60) days of receipt, unless an extension is needed.
File a Complaint
The right to file a privacy complaint allows individuals the opportunity to express to the covered entity or to the Secretary of the Department of Health and Human Services any concerns or dissatisfaction regarding privacy issues.
In the event our agency receives any Individual Privacy Rights request or a privacy concern about a covered entity, the request should be forwarded to our agency Privacy & Security Officer as quickly as possible to coordinate the request with the specific covered entity.
PRIVACY & SECURITY PROCEDURES & GUIDELINES
1) Reporting a Privacy & Security Breach
2) Return / Destruction of Information
3) HIPAA Privacy & Security Training Program
4) Performing Authentication
5) Minimum Necessary Guidelines
6) Responding to Individual Privacy Rights
REPORTING A PRIVACY AND/OR SECURITY BREACH
Purpose
This procedure establishes the required reporting of alleged or actual privacy and/or security breaches. As a contracted Business Associate of covered entities, we are required to report breaches of unsecured protected health information in accordance with privacy and security regulations. Additionally, many states have data breach notification laws that require covered entities to report incidents and notify affected individuals.
Scope
The scope of this procedure is applicable for all incidents of alleged or actual privacy and / or security breaches.
Definitions
Protected Health Information as defined by the federal privacy regulation is information that:
· Contains data elements or combinations of data elements that could identify a person, or provides a reasonable basis to believe someone could be identified;
· Contains health-related information about that person; and
· Is maintained or transmitted in any form (electronic, written, or oral).
Breach – the unintentional or unauthorized release of Protected Health Information.
Policy
Our agency requires all associates and subcontractors to report any suspected breach of protected health information in accordance with legal and contractual requirements. Any and all suspected breaches of protected health information will be reported immediately to our designated Privacy & Security Official for investigation.
The Privacy & Security Official will quickly analyse the report of suspected or actual breach information to assess for potential risks and to determine whether a breach of unsecured protected health information has occurred. The assessment will also include a review on the level of risk and potential harm to the individual(s).
Our Privacy & Security Official will notify the Privacy Office of the covered entity of any incident without unreasonable delay and in any event no later than the timeframe documented in the business associate agreement.
Our Privacy & Security Official and the designated contact from the covered entity Privacy Office will jointly discuss and determine notification requirements to be compliant with state and federal laws.
Procedure
1. An actual or suspected breach of protected health information should be reported to the Privacy & Security Official as soon as the situation is identified.
2. Provide all information regarding the suspected incident to the Privacy & Security Official or complete an incident notification form if available. At a minimum the information provided should include: names, dates, nature of the protected health information, the manner of the unauthorized use or disclosure and any written or electronic documentation concerning the incident.
3. Upon receipt of a potential breach incident, the Privacy & Security Official will promptly conduct an investigation and assess the risk of the incident.
4. The Privacy & Security Official will review contractual agreements with impacted covered entities to obtain reporting information, process and contacts.
5. The Privacy & Security Official will report the privacy incident to the covered entity’s Privacy Office as quickly as possible after discovery of the breach, but not later than the timeframes indicated within the covered entity’s Business Associate Agreement.
6. The Privacy & Security Official will provide the covered entity the following information regarding the suspected / alleged privacy and/or security breach: identification of each individual whose unsecured protected health information is alleged to have been accessed, acquired or disclosed; a description of the event; the date of the potential breach; the type of protected health information involved in the incident; any preliminary steps that have been taken to mitigate the damage; and a description of investigatory steps taken to date. Alternatively, the Privacy & Security Official will complete an incident notification form provided by the covered entity.
7. The Privacy & Security Official will cooperate and assist the covered entity’s Privacy Office with mitigation of risk of harm, required notifications, implementation of any corrective actions, & retraining of associates. Review of the executed Business Associate Agreement will also assist with responsibilities and obligations regarding notification methods and contents.
8. The Privacy & Security Official will document all actions of every incident in detail and retain documentation for a period of at least six years or follow agency retention requirements.
RETURN / DESTRUCTION OF PROTECTED HEALTH INFORMATION UPON CONTRACT TERMINATION
Purpose
This procedure is to provide guidelines on the required return or destruction of protected health information upon termination of contract with a covered entity in accordance with contractual agreements.
Scope
The scope of this procedure is applicable for our agency and any subcontractors having access to protected health information of our covered entity(ies).
Definitions
Protected Health Information as defined by the federal privacy regulation is information that:
· Contains data elements or combinations of data elements that could identify a person, or provides a reasonable basis to believe someone could be identified;
· Contains health-related information about that person; and
· Is maintained or transmitted in any form (electronic, written, or oral).
Policy
In accordance with the requirements of our executed Business Associate Agreements with covered entities, our agency is required to return or destroy protected health information of the covered entity upon contract termination. Our agency will contact the covered entity to discuss the best method of returning or destroying protected health information that was received, created or retrieved by our agency on behalf of the covered entity.
In the event that immediate contact can’t be made, our agency will continue to protect and safeguard the protected health information and limit further use or disclosure of such information until return / destruction has occurred.
Procedure
1. Upon notification or decision that the contract between our agency and a covered entity has been terminated or will be terminated, the agency Privacy and Security Official shall contact the covered entity to discuss the most appropriate method for return or destruction of protected health information.
2. Privacy Official will follow directions provided by the covered entity regarding the return or destruction of data and verify that all actions are complete.
3. Privacy Official will document completed actions.
HIPAA PRIVACY & SECURITY TRAINING
Purpose
This procedure provides the general guidelines on the required privacy and security training of agency associates.
Scope
The scope of this procedure is applicable for all agency associates and any subcontracted associates as determined by the Privacy & Security Officer.
Definitions
Health Insurance Portability and Accountability Act (HIPAA) Title II – Administrative Simplification – the federal law containing administrative provisions for health plans, providers, and health care clearinghouses. The privacy portion of the law, designed to ensure the privacy of protected health information became effective April 14, 2003.
Policy
Our agency requires all associates to complete a HIPAA privacy and security training. Any subcontractor that has access to or uses any protected health information of a covered entity will also be required to complete our HIPAA privacy and security training. The agency Privacy & Security Officer will make determinations on requirements for subcontractors.
All new associates of our agency will complete the HIPAA privacy and security training within sixty (60) days of employment. Any identified remedial training is conducted at the discretion of the Privacy & Security Officer.
The Privacy & Security Officer will maintain formal records of all training and completion dates.
The Privacy & Security Officer will determine the contents of privacy and security training, the implementation methods to meet the needs of the organization and the need for any assessment of the training. The Privacy & Security Officer will revise privacy and security training to include new rules or regulations impacting privacy and/or security.
Procedure
1. Agency will develop or purchase a HIPAA privacy & security training program.
2. Agency will review required audience to determine appropriate method of training delivery for associates.
3. Agency will determine timeframe for required completion of training.
4. Prior to planned training, Privacy & Security Officer will review existing training for any needed revisions. Review regulations for any revisions that need to be included.
5. Prior to training, the Privacy & Security Officer will review the pattern of privacy and/or security incidents to determine if any topic or safeguard needs to be stressed in training.
6. Privacy & Security Officer will coordinate any required review of proposed training program if applicable.
7. Obtain documentation indicating completion of training for all associates.
8. The Privacy & Security Officer will maintain a copy of the training program and proof of training completion.
PERFORMING AUTHENTICATION
Purpose
This procedure establishes the required process of authentication prior to the release of protected health information.
Scope
The scope of this procedure is applicable for all requests for release of protected health information.
Definitions
Authentication – process used to verify the identity of a person whose protected health information is being requested, and the authority of the requester to access that person’s protected health information.
Policy
Our agency requires all associates and subcontractors to conduct authentication prior to the release of any requested protected health information. The agency requires verification of the identity of a person whose protected information is being requested prior to disclosing the information. Our process also includes verification of the authority of the person to have access to the requested protected health information. Both elements of identity and authority are required by this agency for valid authentication.
Procedure
1. Receive a request that involves the release of protected health information.
2. Ask a series of questions that require the requestor to provide information that allows the agency to validate the identity of the individual whose information is being requested. If the requestor is not the owner of the protected health information, determine what provides the authority for the requested protected health information (power of attorney, official title, etc.).
3. If assistance is needed concerning the allowed release, contact the Privacy & Security Officer.
MINIMUM NECESSARY GUIDELINES
Procedure
1. Receive a request or identify a required action that involves the use or release of protected health information.
2. Review the information to be provided to determine the minimal amount of information that will fulfill the request yet accomplish the intended purpose.
3. Provide the response or conduct the action using the minimal amount of protected information.
4. The minimum necessary requirement does NOT apply to:
· Uses or disclosures made to the individual who is the subject of the protected health information;
· Uses or disclosures made pursuant to an individual's authorization;
· Uses or disclosures required for compliance with HIPAA Administrative Simplification Rules;
· Disclosures to a health care provider for treatment purposes;
· Disclosures made to the Secretary of Health and Human Services when disclosure is required for enforcement purposes of the HIPAA Privacy regulations; or
· Uses or disclosures required by law.
An agency associate may presume that a request for information from public officials or covered entities (such as providers or hospitals) is for the minimum necessary information.
RESPONDING TO RECEIVED INDIVIDUAL PRIVACY RIGHTS
Purpose
This procedure establishes the required process of responding to the receipt of any individual privacy rights request or complaint received on behalf of a covered entity.
Scope
The scope of this procedure is applicable for all received individual privacy rights requests and privacy complaints intended for a covered entity.
Definitions
Individual Privacy Rights - are defined by the federal privacy regulation as various options allowed to individuals regarding their privacy. The Individual Rights include: right to access, right to amend, right to an accounting, right to restriction, right to complain, right to confidential communications and the right to a Notice of Privacy Practices.
Policy
Upon receipt of any individual privacy rights request or privacy complaint intended for a covered entity, our agency will promptly contact the covered entity and provide it with the individual privacy rights request or privacy complaint.
Procedure
1. Receive an Individual Privacy Rights request or privacy complaint on behalf of a covered entity. *Note – some covered entities have forms to request these rights.
2. Document all information pertaining to the individual privacy request or complaint and promptly provide the information or form to the agency Privacy & Security Officer.
3. Upon receipt of an individual privacy rights request or privacy complaint on behalf of a covered entity, identify the Privacy & Security contact information for the covered entity and make contact as quickly as possible to allow the covered entity to meet required response timeframes.
4. Follow instructions provided by the covered entity and forward information and/or forms to the covered entity.
5. Document the actions performed to forward information to the covered entity.
TradeMark Insurance Agency, LLC SMS Terms & Conditions:
Whether by electing to enroll manually, or automatically by texting our Company, you agree to receive informational messages (appointment reminders, account notifications, etc.) from TradeMark Insurance Agency, LLC. Message frequency will vary. Message and data rates may apply. Carriers are not liable for delayed or undelivered messages. You can cancel SMS service at any time. Just reply STOP. Once you reply STOP to us, we will send a message to confirm that you have been unsubscribed. After this, you will no longer receive SMS messages from us. If you want to join again, just sign up as you did the first time and we will start sending SMS messages to you again. If you are experiencing issues with the messaging program you can reply with the word HELP for more assistance, or you can get help directly at clientservices@tmia.biz. If you have any questions regarding privacy, please read our privacy policy.
Clientservices@tmia.biz (713) 932-7777
14825 St. Mary’s Lane, Suite 105
Houston, TX 77079