Navicure is very sensitive to privacy issues. We respect your
right to privacy and feel it is important for you to know how
we handle the information we receive from you via the Internet.
Additionally, our online and offline business practices are in
full compliance with the privacy requirements under the Health
Insurance Portability and Accountability Act (HIPAA).
We have taken precautionary measures to make all information
received from our online visitors as secure as possible against
unauthorized access and use.
It may be necessary for us to provide your information to contracted
external partners in order to provide you with Navicure services.
They may only use the information provided for the specified
use and project and are strictly prohibited from unauthorized
distribution and release.
Navicure uses "cookie" technology to obtain usage
information from our online visitors. You may disable cookies
at any time by adjusting the browser preferences on your personal
computer. Keep in mind that cookies do not identify
a specific user and are not used to collect any personal information.
In order to provide the best possible service and relevant information
to you, we use cookies to:
• Track resources and data accessed on the site per visitor
• Record general site statistics and activity
• Assist users experiencing Web site problems
We have appropriate security measures in place in our physical
facilities to protect against the loss, misuse or alteration
of information that we have collected from you at our site.
General Email Communications
You should also know that unless otherwise noted, the email functionality
on our site does not provide a completely secure and confidential
means of communication. Only communication through the Navicure
Secure web site provides a secure and private means for sending
email to Navicure, and Navicure does not guarantee or warrant
that email transmitted through other means is secure or confidential
during transit.
Effective: April 14, 2003
Navicure is required by law to protect the privacy of your health
information. We are also required to send you this notice, which
explains how we may use information about you and when we can
give out or "disclose" that information to others.
You also have rights regarding your health information that are
described in this notice.
The terms "information" or "health information" in
this notice include any personal information that is created
or received by a health care provider or health plan that relates
to your physical or mental health or condition, the provision
of health care to you, or the payment for such health care.
We have the right to change our privacy practices. If we do,
we will provide the revised notice to you within 60 days by direct
mail or post it on our website www.navicure.com.
We must use and disclose your health information to provide
information:
• To you or someone who has the legal right to act for you (your
personal representative);
• To the Secretary of the Department of Health and Human Services,
if necessary, to make sure your privacy is protected; and
• Where required by law.
We have the right to use and disclose health information to
operate our business or to comply with HIPAA regulations stipulated
by this law. For example, we may use your health information:
• For Public Health Activities such as reporting disease outbreaks.
• For Health Oversight Activities such as governmental audits and
fraud and abuse investigations.
• For Judicial or Administrative Proceedings such as in response
to a court order, search warrant or subpoena.
• For Law Enforcement Purposes such as providing limited information
to locate a missing person.
• To Avoid a Serious Threat to Health or Safety by, for example,
disclosing information to public health agencies.
• For Specialized Government Functions such as military and veteran
activities, national security and intelligence activities, and
the protective services for the President and others.
• For Workers Compensation including disclosures required by state
workers compensation laws of job-related injuries.
• For Research Purposes such as research related to the prevention
of disease or disability, if the research study meets all privacy
law requirements.
If a use or disclosure of health information is prohibited or
materially limited by other applicable law, it is our intent
to meet the requirements of the more stringent law. In some states,
your authorization may also be required for disclosure of your
health information. In many states, your authorization may be
required in order for us to disclose your highly confidential
health information, as described below.
Federal and applicable state laws may require special privacy
protections for highly confidential information. "Highly
confidential information" may include confidential information
under Federal law governing alcohol and drug abuse information
as well as state laws that often protect the following types
of information:
• HIV/AIDS;
• Mental health;
• Genetic tests;
• Alcohol and drug abuse;
• Sexually transmitted diseases and reproductive health information;
and
• Child or adult abuse or neglect, including sexual assault.
Practices submit claims through a secure, HTTPS, 128-bit encrypted Web
interface.
Navicure is committed to providing HIPAA/ANSI standards solutions
to providers. As such, data is stored in a data schema designed
entirely around the ANSI HIPAA standards in an Oracle relational
database. Using a relational database allows rapid development
and deployment of modifications or enhancements to the application
and related transaction formats, edits, etc.
The Navicure system was designed to support all of the HIPAA/ANSI
standard transaction sets. The 837P, 835, 997, and 277 transaction
sets are currently in production. The 837I, 837D, 270, 276 and
278 transactions will be added as the payer community expands
support for them.
These additional HIPAA transactions can easily be added
using Navicure's Oracle relational data store, and
since Navicure's customer interface is a secure Web connection,
no new software will be needed to enable customers to access
these new transactions.
The Security Standards define administrative, physical, and
technical safeguards necessary to protect the confidentiality,
integrity, and availability of electronic protected health information
from unauthorized access, alteration, deletion, and transmission.
As such, Navicure has implemented the following policies:
• All access from the Internet to the database server is restricted
with the exception of the web server. From the web server only
SQL*Net traffic is allowed. All other services between the web
server and Navicure’s internal network have been disabled.
• All application web page requests, uploads and downloads
require an SSL secured connection with 128-bit cipher strength.
• To connect to the application, the system requires a username/password/company
logon combination for access.
• Each user is assigned their own logon combination.
• All failed attempts to connect to the application are recorded
and monitored.
• As the user navigates through the application, each page
visited is recorded.
• Access to claim data is logged; whether access was to patient
sensitive or non-sensitive data is also logged.
• Customers are assigned a local administrator to manage user
access specific to their company. Users can be restricted from
application modules, functionality and/or claim data.
• All claim data is stored under specific customer identifiers
preventing unauthorized access of data between clients. Customers
do not share patient data.
• Direct access to the database is restricted to key systems
personnel.
• FTP transfers are conducted in one of three methods for
security:
A) A VPN is set up between both sites to transmit the file
B) A secure dialup line is established to transmit the file
C) The file is encrypted before being transmitted
• All modifications made to the data are stored in the database
as revisions. Revisions contain the user that modified the data
and the date/time the modification was made.
• All inbound and outbound transmissions of data are recorded.
That data includes who transmitted the data, what data was transmitted,
and when the transmission occurred.
• A full database backup is made once a week and delivered
offsite to a secure storage facility in case disaster recovery
is needed.
A) An online backup is done every night for data recoverability.
B) A data export is done daily for data recoverability.
C) Archive logs are maintained to allow point-in-time recovery.
D) Claim data is available online for 2 years.
E) Claim data is stored for 7 years.
The Privacy Rule sets standards for how protected health information
should be controlled by setting forth what uses and disclosures
are authorized or required and what rights patients have with
respect to their health information.
Navicure does not disclose protected health information and
only uses protected health information as authorized by our business
associates.
Navicure reminds its users of their responsibility to safeguard
protected health information by displaying a “Privacy
Notice” each time the customer logs into the application,
which the user must acknowledge to gain access to the application.