HIPAA
Navicure is very sensitive to privacy issues. We respect
your right to privacy and feel it is important for you
to know how we handle the information we receive from
you via the Internet. Additionally, our online and offline
business practices are in full compliance with the privacy
requirements under the Health Insurance Portability
and Accountability Act (HIPAA).
We have taken precautionary measures to make all information
received from our online visitors as secure as possible
against unauthorized access and use.
It may be necessary for us to provide your information
to contracted external partners in order to provide
you with Navicure services. They may only use the information
provided for the specified use and project and are strictly
prohibited from unauthorized distribution and release.
Navicure uses "cookie" technology to obtain
usage information from our online visitors. You may
disable cookies at any time by adjusting the browser
preferences on your personal computer. Keep
in mind that cookies do not identify a specific user
and are not used to collect any personal information.
In order to provide the best possible service and relevant
information to you, we use cookies to:
- Track resources and data accessed on the site per
visitor
- Record general site statistics and activity
- Assist users experiencing Web site problems
We have appropriate security measures in place in our
physical facilities to protect against the loss, misuse
or alteration of information that we have collected
from you at our site.
The email functionality on our site, unless otherwise
noted, does provide a completely secure and confidential
means of communication. Only communication through the
Navicure Secure web site provides a secure and private
means for sending email to Navicure, and Navicure does
not guarantee or warrant that email transmitted through
other means is secure or confidential during transit.
Effective: April 14, 2003, Navicure is required by law
to protect the privacy of your health information. We
are also required to send you this notice, which explains
how we may use information about you and when we can
give out or "disclose" that information to
others. You also have rights regarding your health information
that are described in this notice.
The terms "information" or "health information"
in this notice include any personal information that
is created or received by a health care provider or
health plan that relates to your physical or mental
health or condition, the provision of health care to
you, or the payment for such health care.
We have the right to change our privacy practices. If
we do, we will provide the revised notice to you within
60 days by direct mail or post it on this website.
- To you or someone who has the legal right to act
for you (your personal representative);
- To the Secretary of the Department of Health and
Human Services, if necessary, to make sure your privacy
is protected; and
- Where required by law.
For example, we may use your health
information:
- For Public Health Activities such as reporting disease
outbreaks.
- For Health Oversight Activities such as governmental
audits and fraud and abuse investigations.
- For Judicial or Administrative Proceedings such
as in response to a court order, search warrant or
subpoena.
- For Law Enforcement Purposes such as providing limited
information to locate a missing person.
- To Avoid a Serious Threat to Health or Safety by,
for example, disclosing information to public health
agencies.
- For Specialized Government Functions such as military
and veteran activities, national security and intelligence
activities, and the protective services for the President
and others.
- For Workers Compensation including disclosures required
by state workers compensation laws of job-related
injuries.
- For Research Purposes such as research related to
the prevention of disease or disability, if the research
study meets all privacy law requirements.
If a use or disclosure of health information is prohibited
or materially limited by other applicable law, it is our
intent to meet the requirements of the more stringent
law. In some states, your authorization may also be required
for disclosure of your health information. In many states,
your authorization may be required in order for us to
disclose your highly confidential health information,
as described below.
Federal and applicable state laws may require special
privacy protections for highly confidential information.
"Highly confidential information" may include
confidential information under Federal law governing
alcohol and drug abuse information as well as state
laws that often protect the following types of information:
- HIV/AIDS;
- Mental health;
- Genetic tests;
- Alcohol and drug abuse;
- Sexually transmitted diseases and reproductive health
information; and
- Child or adult abuse or neglect, including sexual
assault.
Practices submit claims through a secure, HTTPS, 128-bit
encrypted Web interface. Navicure is committed to providing
HIPAA/ANSI standards solutions to providers. As such,
data is stored in a data schema designed entirely around
the ANSI HIPAA standards in an Oracle relational database.
Using a relational database allows rapid development and
deployment of modifications or enhancements to the application
and related transaction formats, edits, etc.
The Navicure system was designed to support all of
the HIPAA/ANSI standard transaction sets. The 837P,
835, 997, and 277 transaction sets are currently in
production. The 837I, 837D, 270, 276 and 278 transactions
will be added as the payer community expands support
for them.
These additional HIPAA transactions
can be easily added using Navicure's Oracle
relational data store, and since Navicure's customer
interface is a secure Web connection, no new software
will be needed to enable customers to access these
new transactions.
The Security Standards define administrative, physical,
and technical safeguards necessary to protect the
confidentiality, integrity, and availability of electronic
protected health information from unauthorized access,
alteration, deletion, and transmission. As such, Navicure
has implemented the following policies:
- All access from the Internet to the database server
is restricted with the exception of the web server.
From the web server only SQL*Net traffic is allowed.
All other services between the web server and Navicure's
internal network have been disabled.
- All application web page requests, uploads and
downloads require an SSL secured connection with 128-bit
cipher strength.
- To connect to the application, the system requires
a username/password/company logon combination for
access.
- Each user is assigned their own logon combination.
- All failed attempts to connect to the application
are recorded and monitored.
- As the user navigates through the application,
each page visited is recorded.
- Access to claim data is logged; whether access
was to patient sensitive or non-sensitive data is
also logged.
- Customers are assigned a local administrator to
manage user access specific to their company. Users
can be restricted from application modules, functionality
and/or claim data.
- All claim data is stored under specific customer
identifiers preventing unauthorized access of data
between clients. Customers do not share patient data.
- Direct access to the database is restricted to
key systems personnel.
- FTP transfers are conducted by one of three methods
for security:
A) A VPN is set up between both sites to transmit the
file
B) A secure dialup line is established to transmit
the file
C) The file is encrypted before being transmitted
- All modifications made to the data are stored in
the database as revisions. Revisions contain the user
that modified the data and the date/time the modification
was made.
- All inbound and outbound transmissions of data
are recorded. That data includes who transmitted the
data, what data was transmitted, and when the transmission
occurred.
- A full database backup is made once a week and
delivered offsite to a secure storage facility in
case disaster recovery is needed.
A) An online backup is done every night for data recoverability.
B) A data export is done daily for data recoverability.
C) Archive logs are maintained to allow point-in-time
recovery.
D) Claim data is available online for 2 years.
E) Claim data is stored for 7 years.
The Privacy Rule sets standards for how protected health
information should be controlled by setting forth what
uses and disclosures are authorized or required and what
rights patients have with respect to their health information.
Navicure does not disclose protected health information
and only uses protected health information as authorized
by our business associates.
Navicure reminds its users of the responsibility
to safeguard the protected health information by displaying
a "Privacy Notice" each time the customer
logs into the application, which the user must acknowledge
to gain access to the application.