Privacy and Security Standards
These Privacy and Security Standards (Standards) are incorporated into and made part of the Terms and Conditions of Use of Twistle as agreed and accepted by each health care provider that is a registered user of Twistle (the Agreement), and constitute a further agreement between each such health care provider user (Provider) and Twistle, Inc. (Twistle). Performing the Agreement requires Twistle to be provided with, have access to, transmit, or create Protected Health Information that is subject to the federal law and regulations governing privacy, security, and breach notification: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including all pertinent regulations issued by the agencies of the United States Department of Health and Human Services (45 C.F.R. Parts 160 and 164), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) (collectively, the HIPAA Standards). Both parties are committed to complying with the HIPAA Standards.

These Standards set forth the terms and conditions under which Protected Health Information or Electronic Protected Health Information that is provided by, or created or received by, Twistle from or on behalf of the Provider will be handled between Twistle and the Provider and with third parties during the term of the Agreement and after its termination. In the event of an inconsistency between a term of the Agreement and these Standards, the terms of these Standards shall govern in regard to the handling of Protected Health Information and/or Electronic Protected Health Information. The Parties agree as follows:
- 1. DEFINITIONS
(a) Protected Health Information or PHI shall have the same meaning as the term protected health information in 45 C.F.R. 160.103, limited to the information created or received by Twistle from or on behalf of Provider.
(b) Electronic Protected Health Information (ePHI) shall have the same meaning as the term electronic protected health information in 45 C.F.R. 160.103, limited to the information created or received by Twistle from or on behalf of Provider.
(c) Unsecured Protected Health Information or Unsecured PHI shall mean Protected Health Information that is not secured through the use of a technology or methodology specified by the Secretary in guidance or as otherwise defined in Section 13402(h) of the HITECH Act.
(d) Breach shall have the same meaning as the term breach has in Section 13400 of the HITECH Act and shall include the unauthorized acquisition, access, use, or disclosure of Protected Health Information, which compromises the security or privacy of such information.
(e) Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160, part 162 and part 164, subparts A and E.
(f) Security Rule shall mean the Security Standards for the Protection of ePHI at 45 C.F.R. part 160 and part 164, subpart C.
(g) Secretary shall mean the Secretary of the Department of Health and Human Services or his/her designee.
(h) Terms used, but not otherwise defined, in these Standards shall have the same meaning as those terms in the HIPAA Standards, the HITECH Act, or the Terms of Use, as applicable.
(i) The term Protected Health Information or PHI shall include both Protected Health Information and ePHI; however, ePHI shall be used when only Electronic Protected Health Information is being referenced.
- 2. OBLIGATIONS AND ACTIVITIES OF TWISTLE
(a) Twistle agrees not to use or disclose Protected Health Information other than as permitted or required by the Agreement (including these Standards) or as Required By Law.
(b) Twistle agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by these Standards.
(c) Twistle agrees to mitigate, to the extent practicable, any harmful effect that is known to Twistle of a use or disclosure of Protected Health Information by Twistle in violation of the requirements of these Standards.
(d) Twistle agrees to report to Provider any use or disclosure of the Protected Health Information not provided for by the Terms of Use or these Standards of which it becomes aware. In the event of a Breach of these Standards by Twistle or any of its officers, directors, employees, subcontractors or agents, Twistle shall immediately notify Provider in accordance with the requirements of Section 13402 of the HITECH Act.
(e) Twistle agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Twistle on behalf of, Provider agrees to the same restrictions and conditions that apply through these Standards to Twistle with respect to such information.
(f) Twistle agrees to provide access, within ten (10) days of receiving a written request from Provider, to Protected Health Information in a Designated Record Set to Provider or, as directed by Provider, to an Individual in order to meet the requirements under 45 C.F.R. 164.524, and any subsequent legislation or guidance regarding an Individual's right to access his or her Protected Health Information, including, but not limited to, the requirements of Section 13405 of the HITECH Act and the regulations thereunder.
(g) Twistle agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Provider directs or agrees to pursuant to 45 C.F.R. 164.526 and any subsequent legislation or guidance regarding an Individual's right to request amendment of his or her Protected Health Information within thirty (30) days of receiving a written request from Provider.
(h) Twistle agrees to implement administrative, physical, and technical safeguards (Safeguards) that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI as required by 45 C.F.R. Part 164 Subpart C (Security Rule) (see 45 C.F.R. 164.314(a)(2)(i)(A)).
(i) Twistle agrees to ensure that any agent or subcontractor to whom Twistle provides ePHI agrees to implement reasonable and appropriate safeguards to protect ePHI (see 45 C.F.R. 164.314(a)(2)(i)(B)).
(j) Twistle agrees to report promptly to Provider any Security Incident of which Twistle becomes aware (see 45 C.F.R. 164.314(a)(2)(i)(C)).
(k) Twistle agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of Protected Health Information received from, or created or received by Twistle on behalf of, Provider available to the Provider within ten (10) days of receiving a written request from Provider, or to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary’s determining Provider’s compliance with the Privacy Rule.
(l) Twistle agrees to make its policies, procedures and documentation required by the Security Rule relating to the Safeguards for protecting ePHI that it creates, receives, maintains, or transmits on behalf of Provider available to the Secretary for purposes of determining Provider's compliance with the Security Rule.
(m) Twistle agrees to document disclosures of Protected Health Information and information related to such disclosures as would be required for Provider to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528 and any subsequent legislation or guidance regarding an Individual's right to an accounting of the disclosures of his or her Protected Health Information, including, but not limited to, the requirements of Section 13405 of the HITECH Act and the regulations thereunder.
(n) Twistle agrees to provide to Provider, within thirty (30) days of receiving written notice, information collected in accordance with Section 2(m) of these Standards to permit Provider to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528 and any subsequent legislation or guidance regarding an Individual's right to an accounting of the disclosures of his or her Protected Health Information, including, but not limited to, the requirements of Section 13405 of the HITECH Act and the regulations thereunder.
- 3. REPORTING SECURITY INCIDENTS TO PROVIDER
Twistle shall promptly notify Provider of a Breach of Unsecured PHI following the first day on which Twistle (or Twistle's employee, officer or agent) knows of such Breach, or following the first day on which Twistle (or Twistle's employee, officer or agent) should have known of such Breach. Twistle's notification to Provider hereunder shall:
(a) Be made to Provider no later than sixty (60) calendar days after discovery of the Breach, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security; and
(b) Include the individuals whose Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach.
- 4. PERMITTED USES AND DISCLOSURES BY TWISTLE
(a) Except as otherwise limited in these Standards, Twistle may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Provider as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Provider.
(b) Except as otherwise limited in these Standards, Twistle may disclose Protected Health Information for the proper management and administration or to carry out the legal responsibilities of Twistle, provided that disclosures are Required By Law, or Twistle obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Twistle of any instances of which it is aware in which the confidentiality of the information has been breached.
(c) Except as otherwise limited in these Standards, Twistle may use Protected Health Information to provide Data Aggregation services to Provider as permitted by 45 C.F.R. 164.504(e)(2)(i)(B).
(d) Twistle may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. 164.502(j)(1).
(e) Twistle may de-identify any and all Protected Health Information created or received by Twistle under this Agreement; provided, however, that the de-identification conforms to the requirements of the Privacy Rule. Such resulting de-identified information would not be subject to the terms of these Standards.
(f) Twistle may create a Limited Data Set and use such Limited Data Set under a Data Use Agreement with Provider that meets the requirements of the Privacy Rule.
- 5. OBLIGATIONS OF PROVIDER
(a) Provider shall notify Twistle of any limitation(s) in Provider's notice of privacy practices in accordance with 45 C.F.R. 164.520, to the extent that such limitation may affect Twistle's use or disclosure of Protected Health Information.
(b) Provider shall notify Twistle of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Twistle’s use or disclosure of Protected Health Information.
(c) Provider shall notify Twistle of any restriction on the use or disclosure of Protected Health Information that Provider has agreed to in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Twistle’s use or disclosure of Protected Health Information.
(d) Provider shall obtain any consent, authorization or permission that may be required by the Privacy Rule before disclosing to Twistle the Protected Health Information pertaining to an Individual.
- 6. PERMISSIBLE REQUESTS BY PROVIDER
Provider shall not request Twistle to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Provider. This provision does not apply to Twistle's use or disclosure of Protected Health Information for data aggregation or for the management and administrative activities of Twistle.
- 7. TERM AND TERMINATION
(a) Term. The Term of these Standards shall be effective upon execution, and shall terminate when all of the Protected Health Information provided by Provider to Twistle, or created or received by Twistle on behalf of Provider, is destroyed or returned to Provider, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information in accordance with the termination provisions in this Section 7.
(b) Termination for Cause. Upon Provider's knowledge of a material breach of these Standards by Twistle, Provider shall:
(1) Provide an opportunity for Twistle to cure the breach or end the violation and terminate these Standards and the Agreement if Twistle does not cure the breach or end the violation within the time specified by Provider;
(2) Immediately terminate these Standards and the Agreement if Twistle has breached a material term of these Standards and cure is not possible; or
(3) If neither termination nor cure is feasible, Provider shall report the violation to the Secretary.
(c) Effect of Termination.
(1) Except as provided in paragraph (2) of this sub-Section (c), upon termination of the Standards, for any reason, Twistle shall return or destroy all Protected Health Information received from Provider, or created or received by Twistle on behalf of Provider. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Twistle. Twistle shall retain no copies of the Protected Health Information.
(2) In the event that Twistle determines that returning or destroying the Protected Health Information is infeasible, Twistle shall provide to Provider notification of the conditions that make return or destruction infeasible. Upon Provider's review and acknowledgement that return or destruction of Protected Health Information is infeasible, Twistle shall extend the protections of these Standards to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Twistle maintains such Protected Health Information.
- 8. MISCELLANEOUS
(a) Regulatory References. A reference in these Standards to a section of the law means the section as in effect or as amended.
(b) Amendment. The Parties agree to take such action as is necessary to amend these Standards from time to time as is necessary for either Party or both Parties to comply with the requirements of the HIPAA Standards. The Parties further agree to be bound by all applicable legal requirements, including amendments to the HIPAA Standards, even in the absence of amended Standards.
(c) Survival. The respective rights and obligations of Twistle under Section 7(c) of these Standards shall survive the termination of these Standards. In addition, Sections 2(f) and 2(g) shall survive termination of these Standards, provided Provider determines that the Protected Health Information being retained under Section 7(c) constitutes a Designated Record Set.
(d) Interpretation. Any ambiguity in these Standards shall be resolved to permit Provider to comply with the HIPAA Standards and other applicable law.
(e) Construction of Terms. The terms of these Standards shall be construed in light of any applicable interpretation or guidance that may be issued from time to time on the HIPAA Standards by the Department of Health and Human Services or its Office for Civil Rights.
(f) No Third Party Beneficiaries. Nothing in these Standards shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
(g) Contradictory Terms. Any provision of the Agreement that is directly contradictory to one or more terms of these Standards (Contradictory Term) shall be superseded by the terms of these Standards as of the Effective Date of these Standards, to the extent and only to the extent of the contradiction, only for the purpose of Provider's compliance with the HIPAA Standards, and only to the extent that it is reasonably impossible to comply with both the Contradictory Term and the terms of these Standards.
(h) HITECH Act Applicability. To the extent not referenced or incorporated herein, requirements applicable to Twistle and Provider under the HITECH Act are hereby incorporated by reference into these Standards. Twistle and Provider agree to comply with applicable requirements imposed under the HITECH Act, as of the effective date of each such requirement.
Revised: March 30, 2012