Inflexxion, an integrated Behavioral Health (IBH) Company Statement
The privacy, confidence, and trust of individuals who visit or log into the PainCAS Clinical Assessment System (PainCAS) website are very important to us. No personal information is collected at this site unless it is provided voluntarily by an individual while participating in an activity that asks for the information. The following paragraphs disclose the information gathering and usage practices for the web site.
Secure Handling of PainCAS Data
In the PainCAS application, Protected Health Information (PHI) is entered by the customer via a secured web browsing session and transferred to a secured database. When entering assessment data, the browsing session is protected by TLS. This type of information is then transferred to an encrypted database. Communication between the web server and the database server is encrypted using TLS.
Inflexxion’s receipt of the PainCAS data from Data Sources (customers) is pursuant to either a business associate agreement (“BAA”) between Inflexxion and licensees of the PainCAS application or a research study approved by an Institutional Review Board. The aggregation of data into PainCAS datasets (“Datasets”) pursuant to the BAA and its disclosure of those de-identified Datasets to its customers for treatment, healthcare operations and research purposes are in accordance with the terms of the BAA. Its sale and disclosure of those de-identified Datasets to third parties for research purposes are also in accordance with the terms of the BAA, and comply in all material respects with HIPAA Privacy Requirements.
Inflexxion is not itself a “covered entity” within the meaning of HIPAA since it is not a health plan, health care provider or health care clearinghouse, and does not transmit health information in electronic form in any transaction covered by the HIPAA Privacy Requirements except at the request of covered entities and their designees. Inflexxion is a business associate per HIPAA requirement and is therefore compliant with HIPAA regulations. The PainCAS data for all versions of the product that will be used by Inflexxion will be aggregated into de-identified Datasets. The only purposes for which the Datasets will be used are (1) treatment and health care operations purposes by or for the benefit of the Data Source that furnished PainCAS data included in the Dataset, and (2) public health surveillance activities and research purposes by the Data Source, Inflexxion and others, including sale of Datasets by Inflexxion to third parties for research purposes.
PHI that is “de-identified” is not individually identifiable health information for HIPAA purposes, and falls outside the scope of the HIPAA Privacy Requirements, 45 CFR 164.514(a). Inflexxion has adopted a good faith legal position that the PainCAS data in the form they are received by Inflexxion from Data Sources are fully de-identified and follow the standards outlined by the BAA.
BAA associates standards
Inflexxion obtains the Retained Data from its Data Sources, including any PHI in the Retained Data, pursuant to a Business Associate Agreement.
Under that BAA, Inflexxion is authorized and contractually obligated to engage in data aggregation and data de-identification services for and on behalf of its Data Sources for health care operations purposes. Inflexxion may perform such data aggregation services for such purposes under the BAA consistent with the HIPAA Privacy Requirements.
In addition, a business associate, like Inflexxion, is permitted by the HIPAA Privacy Requirements to use PHI from a covered entity to create de-identified information, and to disclose such de-identified information to third parties, such as purchasers of the Datasets. In particular, 45 CFR 164.501(d)(1) provides that a “covered entity may use protected health information to create information that is not individually identifiable health information or may disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.” Thus, consistent with the HIPAA Privacy Requirements, Data Sources may disclose PHI to Inflexxion to be de-identified and sold for use by third parties. To the extent that the Retained Data and resulting Datasets generated by Inflexxion contain only de-identified information (which is the case), then Inflexxion is free to disclose those Datasets to third parties.
Inflexxion is in material compliance with the HIPAA Privacy Requirements because it (1) enters into a Business Associate Agreement with its Data Sources that are covered entities, (2) protects PHI received in PainCAS by utilizing a secured web browsing session and data encryption to protect its database, (3) aggregates the Retained Data into a Dataset (that is also a limited data set for HIPAA purposes), (4) discloses or sells those Datasets to third parties either as (i) de-identified Datasets, to the extent such Datasets meet safe harbor de-identification standards (which they appear to meet) or (ii) limited data sets for research, public health surveillance, and health care operations purposes, and (5) otherwise conforms its conduct to the terms of the form Business Associate Agreement.
For PainCAS, PHI is protected in the manner described above via a secured web browsing session and database encryption.
Use of Aggregate, De-identified Client Data
Patients’ de-identified, aggregate data is stored in the PainCAS data warehouse for two reasons: (1) This data will eventually be available to the PainCAS product customers and other parties interested in the trends and characteristics of chronic pain treatment outcomes, such as state and federal agencies, pharmaceutical companies and research organizations. (2) The platform for PainCAS allows clinicians to link to patients with an online assessment that can be completed at home or in the clinic (anywhere with internet access). This platform allows for ongoing reassessment of patients on a periodic basis and allows providers to consistently measure opioid risk for patients throughout the continuum of care. The system generates provider and patient reports in PDF format so that the reports can be imported into an electronic medical record. In addition, the database housing assessment data and the platform itself are fully HIPAA compliant.
The PainCAS product’s Data Source (customer) is responsible for ensuring that its staff use PainCAS in a secure and confidential manner consistent with the HIPAA Privacy Rule (45 CFR Parts 160 and 164) and all applicable laws and regulations.
CUSTOMERS / STAFF USING THE PAINCAS CLINICAL ASSESSMENT SYSTEM WEBSITE
Collection of information
Inflexxion only collects the personal information that is necessary to provide the information or services requested by an individual. "Personal information" refers to any information relating to an identified or identifiable individual who is the subject of the information. This is the same information that an individual might provide when visiting a government office and includes such items as an individual's name, address, or phone number. We also collect statistical information that helps us understand how people are using the web site so we can continually improve our services. The information collected is not associated with any specific individual and no attempt is made to profile individuals who browse the web site. You may be asked to participate in surveys at this site. Participation is optional, and the choice to participate or not to participate will have no effect on your ability to use other features of the site.
Inflexxion does not disclose, give, sell or transfer any personal information about our visitors to third parties, except to comply with legal requirements, as may be required by law, regulation, search warrant, subpoena or court order. However, if we are required to make such a disclosure to a third party, we will make a reasonable attempt to notify you first, unless we are prohibited from doing so by law or court order.
Inflexxion is the sole owner of the information collected on the PainCAS web site and collects identifiable information from clinical sites and their patients or users at several different points on our Website.
In order to use the PainCAS web site, a registration process must be completed; a user name and password must be created for the clinician. During registration the clinician is required to give contact information, such as name, email address and phone numbers. We use this information to verify the clinician is an authorized user/customer and to contact the clinician about the functionality, services and updates on the PainCAS web site.
Special offers and updates
We will occasionally send you information on products, services and special deals. Out of respect for your privacy, we present the option not to receive these types of communications.
We will send you strictly service-related announcements on rare occasions when it is necessary to do so. For instance, if our service is temporarily suspended for maintenance, we might send you an email. Generally, you may not opt-out of these communications, which are not promotional in nature. If you do not wish to receive them, you have the option to deactivate your account.
Based upon the personally identifiable information that clinical users of our website provide us (NOT patient or user of the PainCAS assessment data), we will send the clinical user a welcoming email to verify their registration. We will also communicate with clinical users to respond to inquiries, to provide the services requested, and to manage clinical user accounts. We will communicate with the clinical user by email or telephone, in accordance with his/her wishes. Patients of the PainCAS assessment will receive an email each time their clinic sends them an assessment to complete with the link to the assessment.
Information collected and stored automatically
If you do nothing during your visit but browse through the PainCAS web site, read pages, or download information, we will gather and store certain information about your visit automatically. This information does not identify you personally. We automatically collect and store only the following information about your visit:
- The Internet domain and IP address from which you access our website;
- The type of browser and operating system used to access our site;
- The date and time you access our site;
- The pages you visit; and
- If you linked to the PainCAS web site from another website, the address of that website.
We use this information to help us make our site more useful to visitors -- to learn about the number of visitors to our site and the types of technology our visitors use. We do not track or record information about individuals and their visits.
Web site security
Inflexxion is committed to the security of the information that is either available from or collected by the PainCAS web site. Inflexxion has taken multiple steps to safeguard the integrity of its telecommunications and computing infrastructure, including, but not limited to, authentication, monitoring, auditing, and encryption.
Integrated Behavioral Health
3070 Bristol St. Suite 350
Costa Mesa, CA 92626