1. Who We Are. Providentis, LLC, owns and operates Providentis.com website. All references to “we”, “us”, this “website” or this “site” shall be construed to mean Providentis, LLC.
2. What We Do. We provide data processing services to Covered Entities and other organizations under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, as amended, including without limitation amendments by the Health Information Technology for Economic and Clinical Health (HITECH) Act (collectively referred to herein as “HIPAA”). In the process of providing our services, we may access, receive process, maintain, archive, and/or transmit information defined by HIPAA as Protected Heath Information (PHI) and/or Electronic Protected Health Information (ePHI) from our Covered Entity customers (PHI and ePHI are collectively referred to herein as “PHI”).
3. Business Associate Agreement. A Business Associate Agreement is a formal written contract between us and a Covered Entity that obligates us to satisfy certain specific obligations regarding PHI of a Covered Entity that we may access, receive process, maintain, archive, and/or transmit in connection with our services.
4. Covered Entity. A Covered Entity is a health plan, health care provider, healthcare clearinghouse, or any authorized entity representative that must comply with the HIPAA Privacy Rule.
5. Protected Health Information (PHI). PHI includes all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information is any information that can be used to identify an individual and that was created, used, or disclosed in (a) the course of providing a health care service such as diagnosis or treatment, or (b) in relation to the payment for the provision of health care services.
7. Use and Disclosure of PHI.
7.1 We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of performing our obligations under our services agreements to Covered Entities, provided that such use or disclosure is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA, including its Privacy Rule or Security Rule as applicable to Business Associates.
7.2 We may use PHI internally for our own internal management, administration, data aggregation and legal obligations, but only to the extent such use of PHI is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA, including its Privacy Rule or Security Rule as applicable to Business Associates.
7.3 We may disclose PHI for law enforcement purposes as required by law or in response to a valid subpoena.
7.4 We may disclose PHI to downstream subcontractors or agents that provide supporting services to us; however, we will require such subcontractors and agents to comply with the same terms and conditions that apply to us under the applicable Business Associate Agreement and PHI, including the implementation and maintenance of required safeguards.
8. Safeguards. We have established and maintained safeguards that are required by the applicable Business Associate Agreement and HIPAA, including its Privacy Rule and Security Rule as applicable to Business Associates. These safeguards include administrative, physical, and technical safeguards that are reasonable and appropriate for the protection of the PHI that we access, receive process, maintain, archive, and/or transmit on behalf of our Covered Entity customers. Examples of safeguards include but not limited to: Such safeguards include:
- Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follow appropriate security procedures;
- Providing appropriate training for our staff to assure that our staff complies with our security policies;
- Making use of appropriate encryption when transmitting PHI over the Internet;
- Utilizing appropriate storage, backup, disposal and reuse procedures to protect PHI;
- Utilizing appropriate authentication and access controls to safeguard PHI;
- Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
- Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed.
Material Modifications Since Effective Date: none.