

Terms and Conditions of Use Agreement

Your Agreement with HealthHighway.com to Terms and Conditions of Use

HealthHighway.com web site use depends on your agreement to adhere to the terms and conditions of use set forth in the following document.

Patient Client Terms and Conditions of Use Agreement

Cookies

Our web site places small, temporary text files, known as cookies, on your computer to help us in making our web site more personalized and efficient. We use cookies to monitor your navigation within our web site and to monitor the status of your session. We never use cookies to save your personal passwords. These cookies expire at the end of each session on logout. None of our employees will ever ask for a password.

Security

Your personal demographic and health data is stored and secured using state-of-the-art technology. Connections to your data by HealthHighway.com and by your personal Provider's office are only possible using Secure Socket Layer (SSL) technology. SSL technology provides sufficient means to maintain a very high level of security for your personal health data; however, no system is unconditionally secure.

Encrypted Internal Communication

All internal communication between HealthHighway.com and your personal Health Care Provider's office, as well as your communications with your personal Provider, are secured using high-level encryption technology via SSL. This level of encryption effectively defeats unwanted intrusion into your private communications between you and your personal Health Provider.

Access to Personal and Health Information

Your account with HealthHighway.com is password protected. Access to your personal and health information is limited to your personal Provider's office and those individuals who "need to know" about you to better administer your interactions with certain entities (e.g. insurance companies and other 3rd party payers) and to certain individuals directly involved in your care. You may ask your provider's office at any time to review the identity of those individuals who have seen your online health information. No HealthHighway.com employee should access your personal or health information unless there is a problem with an account that requires the attention of our technicians to address. Every HealthHighway.com employee signs a Privacy and Confidentiality Agreement. Inappropriate access to a family member's health information is prohibited.

General Disclaimer

THE HEALTHHIGHWAY.COM WEB SITE IS PROVIDED ON AN "AS IS" BASIS AND YOUR USE OF THE WEB SITE IS AT YOUR OWN RISK. HEALTHHIGHWAY.COM MAKES NO WARRANTIES EITHER EXPLICIT OR IMPLICIT INCLUDING THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT. HEALTHHIGHWAY.COM MAKES NO REPRESENTATION OR WARRANTY THAT ANY CONTENT WILL BE ACCURATE, COMPLETE, OR TIMELY NOR DOES IT WARRANTY IT FOR ITS PROVIDER CLIENT OFFICES. ALTHOUGH WE WILL STRIVE TO MAINTAIN HIGHEST TECHNOLOGICAL STANDARDS, HEALTHHIGHWAY.COM MAKES NO REPRESENTATIONS OR WARRANTIES THAT YOUR ACCESS OF THE SITE WILL BE UNINTERRUPTED, ERROR FREE, VIRUS FREE OR UNCONDITIONALLY SECURE.

Medical Disclaimer

The HealthHighway.com web site is not intended to substitute for medical diagnosis / treatment or in lieu of consulting with a Provider or other health care professional for medical diagnosis / treatment. HealthHighway.com does not practice medicine or dispense medical services and therefore does not assume any liability for data contained within the application related to any diagnosis or treatment. HealthHighway.com assumes no liability for the medical content of any site linked to its own.

Copyrights, Trademarks and Intellectual Property

All contents, processes and functions of the HealthHighway.com web site and applications, with the exception of your personal patient health information, are copyrighted and protected under domestic copyright law. Trademarks of HealthHighway.com are the sole property of the company and cannot be used without permission. All intellectual property, software and code contained within the HealthHighway.com web site and its applications are the property of HealthHighway.com and cannot be used without permission.

Limitation of Liability

By agreeing to these Terms and Conditions of Use, you agree that the liability of HealthHighway.com, or its agents, if any, arising out of any legal claim (whether in contract or tort) in connection with the use of the HealthHighway.com web site or its applications shall not exceed $1000. HealthHighway.com shall not be liable for any direct, indirect, consequential, punitive or incidental damages resulting from use or misuse by you of the HealthHighway.com web site or applications.

No Warranty

By accepting these Terms and Conditions of Use, you acknowledge that the service and function found within the HealthHighway.com web site are provided on an "as is" basis and without warranty either express or implied. By accepting these Terms and Conditions of Use you also acknowledge that your use of this web site is at your own risk.

Termination of Agreement Resulting from Client Conduct

HealthHighway.com reserves the right to terminate services to a patient client for breach of any part of this agreement or for cause, which shall be considered misuse of the web site or applications as described below. If HealthHighway.com should decide to terminate your use of the web site, we will disable your password and notify your personal Provider by fax within 72 hours. Your personal Provider then has an obligation to establish an alternate means of communication.

Any unlawful use or misuse of the web site or applications shall be grounds for termination of this agreement. Misuse is exemplified by willful or otherwise malicious interaction with your personal Provider's office, which jeopardizes patient care or the ability of the Provider to care for the patient. An example of such misuse is the sharing of passwords, which is prohibited. HealthHighway.com believes that it has a responsibility to its user client community to maintain a high level of standards and is committed to enforcing those standards.

Complete Agreement

You acknowledge that this document is complete and is the entire agreement.

Severability

The provisions of this agreement are severable and complete. In the event that any provision is determined to be invalid or unenforceable, this will not affect the validity of the remaining provisions.

 

 

 

 


Privacy Statement

General Statement and Verification of Standards

HealthHighway.com has adopted this privacy statement in order to demonstrate our firm commitment to Provider and Patient privacy. This Privacy Statement tells you how our company gathers information at the http://www.HealthHighway.com/ website. It also describes the protections we have in place for that information.

Types of Information

This web site handles three broad categories of information: contact and demographic information, such as patient name, age and contact information; unique identifiers, such as social security numbers or office medical ID numbers; and other types of information, including personally identifiable health information, practice management, scheduling, billing, financial and clinical information. The high level of security for each of these types of information is the same. We protect all Provider and patient data by encrypting it whenever that data is transmitted (see technical security below for details), and by requiring a series of user identification symbols, authentication techniques and passwords when the data is stored on the website.

Use of E-mail Address, Name and other Contact Information

Our site's registration form asks you to give us contact information (such as name and email address), which we use to contact you when necessary and to identify you when you visit the web site. We do not make this information available to other entities, and we protect it from unauthorized access.

Use of Cookies and Internet Address

We do not use "cookies", small temporary text files, placed on your computer in order to help you more easily navigate and get your information. We also do not use cookies to save passwords.

We may use your Internet address to diagnose problems with our server, administer our web site and assist with your web site sessions as described above.

Unique Identifiers

Unique Identifiers (such as social security number or other unique identifying number) may be collected to verify your identity or for use as account numbers in our system.

Secure Electronic Messaging System

Our secure electronic messaging for communications between providers and patients may be used only when both agree to use the system. We recommend that you discuss any questions your patients may have regarding the privacy of information that might be contained in the messaging system, should you and your patient(s) both decide to use it. HealthHighway.com is not responsible for the privacy policies or practices of individual Provider's offices or their associations.

Employees and Contractors

Each HealthHighway.com employee and independent contractor signs a Confidentiality and Privacy Agreement in which they agree to uphold the privacy policies and practices of HealthHighway.com.

Your Right Not to Participate in Portions of this Web Site

When you register for this website, you have a choice whether or not to participate in any or all of the services that we offer.

Demographic Data and Opt-In Option for Receipt of Additional Information

When we ask you for demographic information during registration and in other applications in the web site, the site allows you to choose whether or not to receive any online or mail communications from ProvidersAccess.com or its partners. You will not receive any unsolicited information without your consent.

Third Party Disclaimer

Although HealthHighway.com makes every effort to seek out and associate with companies who respect your privacy as much as we do, we do not control and therefore cannot be responsible for the privacy policy or practices of any third party whose links and/or content may be found within the HealthHighway.com web site. If you are concerned about or interested in the privacy practices or policies of these other web sites, you may wish to review the statements posted on their web sites and/or contact them directly with your questions.

Advertisement and Sponsorship

Certain companies and their products sponsor the HealthHighway websites. The accuracy and use of the information provided by them, including their products and services, is your and their responsibility. If you are concerned about or interested in the privacy practices or policies of these other vendors, you may wish to review the statements posted on their web sites and/or contact them directly with your questions.

Contacting HealthHighway.com

If you have questions regarding this privacy statement or the practices of this web site you can contact us by e-mail at: support@HealthHighway.com.

 

 


Technical Security Policy

Introduction

As an application service provider facilitating communications between patients and Provider offices and their associations, as an enterprise that maintains individually identifiable health information on behalf of these parties, and as a company dependent on health care transaction revenues for a significant portion of its income, HealthHighway.com (the Company) has a vital stake in ensuring the highest level of data security and confidentiality on behalf of its constituent users. For one thing, it will soon be mandated in regulations from the US Department of Health and Human Services (DHHS); criminal penalties will be exacted for knowingly and inappropriately releasing individually identifiable health information. For another, knowing how important confidentiality is to Provider-patient relationships, it simply is good business for Company employees to act as trustworthy stewards of this data.

On the other hand, there will never be perfect data security; malicious or inadvertent confidentiality breaches will occur. However, companies at least must be diligent in protecting confidentiality and in maintaining data security to the greatest practical extent. And when breaches inevitably occur, companies must actively monitor their systems to detect them, must take corrective action as quickly as possible upon detection, and must continually adjust their security and confidentiality policies and procedures to ensure that they remain adequate. All of this is recognized implicitly or explicitly in the proposed rules on privacy that have resulted from the original HIPAA legislation from DHHS.

Present Measures

The Company has NEVER planned nor suggested to customers that it would be advisable to eliminate paper records from its customers' practices. In fact, the Company has always regarded the data it collects and maintains on behalf of its users to be supplemental to medical care processes. Its operating model has been to function as an "electronic shadow chart", recording information maintained for the convenience and improved efficiency of the Providers and other health care providers that use the system; as with other shadow charts, the final arbiter of, and source of documentation about, patient care remains the main (paper) chart. We recommend that health care Providers keep the paper backups, as they do now.

Nevertheless, the Company has put in place a number of measures to assure the security of its users' data. First, data is hosted at the co-location facility (COLO) of an Internet Service Provider (ISP). The COLO is monitored by ISP personnel, and the hosted systems are monitored continuously by ISP systems to detect a variety of possible attacks.

The Company is notified by pager of any suspected security breaches.

The computers on which customer data is stored are located at the COLO. The COLO has security, and policies and procedures are in place to log all entry and access to the computers containing customer data. ISP electrical power is carefully conditioned. There is an on-line battery and automatic backup to keep the servers running for a short period of time.

The Company has automatic tape-backup units for all computers containing customer data. Backup tapes are made at least nightly and stored in locked vaults that only selected Company employees can access.

Beyond that, the Company designed its systems to be compliant with industry standards. In particular, all data interchange through company applications is encrypted (currently using up to strong domestic triple-DES 56-bit encryption via SSL where supported by client browser). Data access is protected by a system of User IDs and passwords. All updates to data are accompanied by audit information stored with it that records (among other things) date, time, user, nature of the change, and optional user comments. Finally, the system has an office-administrator-definable time-out, which upon expiration requires re-authentication of the user before further data access is allowed. In addition, the Company protects its customers' (and its own) data using a state-of-the-art, market leading firewall, with a strict security policy. Additionally, strong encryption and industry standard access controls are used to safeguard the privacy and availability of customer information.

The Company is planning to conduct regular internal security assessments.

Future Measures

The most important aspect of the proposed HIPAA regulations is the following: any organization that plans to exchange individually identifiable health information electronically with another individual or organization can only do so when appropriate "chain-of-trust" agreements are in place between these organizations or individuals.

Specifically, this means that these entities must themselves have an explicit set of policies assuring some level of protection of this data, that there is effective administrative enforcement of these policies, and that there is continuous monitoring of the policies and their enforcement to ensure that protection endures and improves over time to meet any threats.

Of course, the requirements for entering into chain-of-trust agreements apply to the Company itself. HIPAA has a proposed two-year phase-in period before compliance is required. During that time, the Company must:

a. Hire or designate a Chief Security Officer to assume responsibility for the Company's security measures.

b. Have in place specific policies and procedures for ensuring adequate security and privacy protections; fully document this activity.

c. Have in place adequate monitoring procedures to detect security breaches in a timely manner, and to assure that corrective measures are instituted as quickly as possible; fully document this activity.

d. Upgrade technical security and privacy protections as needed to keep up with technical requirements; fully document this activity.

e. Formally engage the Company's data interchange partners with chain-of-trust agreements based on the above; fully document this activity.

The requirement for entering into chain-of-trust agreements applies equally to small-office Providers (Providers in practices of 10 or fewer providers - including solo practitioners). The Company is uniquely positioned to make it feasible for this constituency to enter into these chain-of-trust agreements.

The Company plans to offer to its office users a system of templates and reminders that will assist them in becoming and remaining HIPAA-compliant. In particular (almost exactly parallel to what the Company itself must do), it will implement a system that:

a. Helps assign a party responsible for office security; documents this activity.

b. Creates and periodically updates policies and procedures for ensuring adequate security and privacy protections; documents this activity.

c. Monitors and reports possible security breaches to these offices as soon as they occur; recommends corrective measures; documents this activity.

d. Continuously updates its own technical security and privacy protections (on behalf of its office and consumer users); documents this activity.

e. Creates and submits to data interchange partners chain-of-trust agreements based on the above; fully documents this activity.

The Company is committed to providing users with the information necessary to stay ahead of industry regulations, and keep their medical data secure.