Privacy Policy

NOTICE OF PRIVACY PRACTICES

CC2.3.5

CC6.1.5

Scope:

This Notice of Privacy Practices (NPP) describes how Two Point Conversions, Inc. (“Two Point,” “we,” “our,” and/or “us”) uses and discloses electronic Protected Health Information or “ePHI” to carry out its responsibilities to its Healthcare, Pharmaceutical, and Clinical clients and for other purposes permitted and required by law.

Two Point is a Business Associate under the HIPAA Privacy Law. We contract with Covered Entities such as pharmacies, hospitals, and other healthcare facilities, providing them with data conversion, migration, and archiving services so they can manage individuals’ ePHI.

Two Point does not create health records, provide healthcare, or administer a health plan. The Covered Entities who create the health records provide their Notice of Privacy Policies to individuals at the time the record is created (for example, when an individual fills a prescription at a pharmacy). Those Privacy Policies continue to be in effect, and as a Business Associate, Two Point agrees to be bound by those policies.

Policy:

Two Point Customers are Hospitals, Pharmacies, and other healthcare providers which are subject to laws and regulations governing the use and disclosure of Protected Health Information, or “PHI”. Specific legislation governing the protection of PHI includes the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and regulations adopted under those statutes (2013 Omnibus Rule), and similar state laws (where those laws are more stringent than HIPAA). Hospitals, Pharmacies, and other healthcare providers are considered to be “Covered Entities” under HIPAA and are subject to its rules regarding PHI. Other restrictions may apply with respect to specific customers, as set forth in our contracts with those customers. If a provider delegates some of its work to a third party, and that party must access PHI in order to perform the work, then such party is considered by HIPAA to be a Business Associate and is subject to the same rules regarding the protection of PHI as the Covered Entity. To enforce protection, HIPAA requires Covered Entities to execute a “Business Associate Agreement” or “BAA” with each of their Business Associates.

Our Customers are required to sign a BAA with us. As a Business Associate, we are required to use reasonable and appropriate measures to safeguard the confidentiality, integrity and accessibility of PHI that is stored and processed on behalf of Covered Entities.

From time to time, the terms of Two Point’s standard BAA or similar agreements may be posted on the Site.

Two Point has extensive physical, administrative and technical security measures in place to protect against the loss, misuse, unauthorized access and alteration of data and Personal Information under our direct control.

We are committed to educating our staff about the protection of Personal Information, and the importance of compliance with relevant privacy legislation and company policies.

These safeguards help prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of Personal Information; however, it is important to remember that no system can guarantee 100% security at all times. Incidents involving unauthorized handling of PHI will be governed by relevant legislation and, where applicable, the provisions of a BAA with a Customer. If Two Point determines that Personal Information has been compromised, we will promptly report it to our Customer(s) and work with them to ensure the prompt notification of affected individuals.

Sample BAA

For more information, see https://www.hhs.gov/hipaa/index.html