Privacy Policy

Waystar understands how important privacy is to our customers, relating both to their personal information and to any personally identifiable healthcare information that they relay to us for claim transaction processing and submission to payers. Waystar is committed to honoring your privacy and that of your patients, and to offering special protections for any personally identifiable healthcare information you transfer to us. This document is the privacy policy for both the public (open to members and visitors alike), and private (open to customers after authentication) portions of our Web site. It describes what information we may collect about you, what uses we may make of it, how you can tell us what to do with this information, and also what we do to protect personally identifiable information about your patients that you transmit to us for submission to payers. We also review the precautions we take against unauthorized access to, or use of, any of this information.

About this Privacy Policy

Coverage of Waystar Web Site

This privacy policy applies only to our Web site (www.Waystar.com), as it is used by healthcare providers and payers, and their representatives, to provide claim processing services and related products, services, reports, and other information to said parties after presentation of appropriate authentication. When we refer to ourselves as “we” or “Waystar”, we mean our entire company, including any company that we control (for example, a subsidiary that we own). We may share information among the subsidiaries that we own or control, but it is always protected under the terms of this privacy policy. Since this privacy policy only applies to Waystar’s Web site, you should read the privacy policy at each Web site that you visit after you leave our site, especially if you are referred to or linked to it from our site. We are not responsible for how other Web sites treat your privacy, once you leave our Web site.

Privacy Policy Changes

As our privacy policies change in significant ways, we will make every effort to notify you of the changes. For minor changes to the policy that will not affect our use of your individual information or your patients’ personally identifiable health information, we will note the change at the end of the policy statement. When the privacy policies change in a way that significantly affects the way we handle personal information, we will not use the information we have previously gathered or accumulated without obtaining consent from the appropriate individual/entity. We will post privacy policy changes on our Web site in a timely manner.

HIPAA

This Policy is separate from, but directly affected by, HIPAA requirements on privacy and security. Waystar continues to track HIPAA’s “administrative simplification” roll out and aids regulators, and ultimately our customers, by providing comments and consultation on the roll out through our membership on the WEDI contact committee (a consultative body composed of healthcare service providers, payers, and interested professionals organized in association with HCFA (now renamed “CMS” — Centers for Medicare and Medicaid Services)). Waystar has made a corporate commitment to the privacy and security of our customers’ (and their patients’) personal, and especially, healthcare information, in addition to required compliance with any regulatory mandates issued under HIPAA. We are presently compliant with HIPAA regulations on transaction sets, and intend to remain compliant as final regulations are issued after legislative scrutiny. Recent CMS rulings have revealed another major benefit that our provider customers receive from utilizing Waystar’s HIPAA-compliant product: providers facing HIPAA privacy and security requirements in regard to their own practice management systems may be “exempted” from a major portion of the regulations if they receive material claim processing services that are deemed HIPAA-compliant from a third party processor like Waystar. Thus, Waystar’s compliance with HIPAA transaction mandates can be attributed to applicable portions of a provider customer’s internal practice management system through its contract relationship with, and service undertaking from, Waystar. We also understand that this exemption is applicable to the payer community and its HIPAA-related obligations. In addition, it should be noted that our transaction clearinghouse has brought us a long way toward HIPAA compliance, since, unlike all others in the industry, it has been built using HIPAA mandated transaction sets at its core.

We track regulatory changes and political debates regarding the scope of HIPAA, work with industry groups to educate our staff on privacy and security issues, and regularly revise and redraft implementation guides to include increasing privacy and security features with an eye both to customer/patient protection and commercial reasonability. By providing staff education and awareness programs, designating a corporate HIPAA compliance team, and conducting a number of business impact analyses on ourselves and several of our customers, we have forged a culture of privacy at Waystar that will put us in good stead for implementing all HIPAA regulations.

Information We Collect

Information We Collect From Non-Subscriber Visitors

Visitors to our Web site can access the Web site’s home page, and browse some areas of the site, without disclosing any personally identifiable information. We do track information provided to us by your browser, including the Web site you came from (known as the “referring URL”), the type of browser you use, the time and date of access, and other information that does not personally identify you. A person/entity must enroll with us to use much of the site.

Information We Collect When You Register/Enroll

A customer registering or enrolling for use of our services, whether the registration is done on our Web site or via a paper contract entered into by Waystar and the customer, is asked to provide us with identifying information, such as name, address, and contact information. On our registration screen and in our contracts we clearly specify what information is required for enrollment, and what information is optional and may be given at your discretion. Waystar allows users to correct and update their personal information at any time by changing their Personal Profile on-line.

Information Included in Claim Transactions We Receive from You (That We Process, Validate, and Amend if necessary, and Submit to Appropriate Payers for Adjudication, Especially Personally Identifiable Healthcare and Medical Record Information Contained In Such)

As part of the rendition of our claim transaction processing services, we will receive certain information from our customers about their patients and healthcare procedures associated with them that is either personally identifiable or otherwise sensitive. In accordance with the spirit and letter of HIPAA, best corporate practices, and rational business ethics for the healthcare industry, we do all within our power to keep such information both secure and private. We work with provider and payer customers to develop ever more precise communication vehicles for encrypting and otherwise securing this information.

E-Mail Help and Customer Support

Waystar offers e-mail help and designated Customer Service representatives to its users. Only authorized personnel who are trained to provide these services under strict and secure parameters are permitted to provide these services. Therefore, you should assume that any information (personal to the provider, or patient-identifiable healthcare information) that is disclosed in communications with either or both of these areas will be seen by Waystar’s authorized personnel. However, although authorized personnel have all signed confidentiality agreements and undergo regular training on proper use and storage of customer transmitted information, customers should never send details of personal information or patient healthcare information. In order to further assure efficient and effective handling of customer problems referred to us, Waystar has created and maintains an incident tracking system that details referred problems and expedites speedy resolution.

Information From Outside Sources

We may also collect information about physicians and other healthcare professionals who register on our Web site from other sources in order to verify their licensure status and identity. In some cases we may ask customers for information after they enroll, such as credit card information. Where necessary (for example, to process automatic monthly subscription fee billing), our organization may contact financial or credit organizations to confirm customer credit card information.

Other Information

Additional Forms and E-Mails: We may ask you to provide additional information after you register if you want to obtain additional services or information on new products or to resolve complaints or concerns.

Use of Cookies

Cookies are a technology used by the Waystar Web site to identify a user (through using the login ID) as the user moves through the Web site. Your browser allows us to place some information on your computer’s hard drive that identifies the computer you are using and may indicate parts of the site you visited. We use cookies to personalize our Web site, to track your usage of the Web site, and to provide security protection in the form of an authentication barrier against unauthorized use of the site. There are two types of cookies used by the industry: (i) “session cookies” that are deleted when you close your browser and Web viewing session, and (ii) “permanent cookies” that are stored until a date we specify or until you remove them. Waystar ONLY USES session cookies which exist for only one session, and thus are less open to misuse by unauthorized parties. You do not have to accept cookies if you do not want to. You simply have to set your browser to reject cookies, or to notify you each time a cookie is sent to you. If your browser rejects cookies, Web sites that are “cookie enabled” will not recognize you when you return to them and you may have to re-register, etc. The “Help” section of your browser will aid you in whatever determination you make about retention or rejection of cookies.

Uses We Make of Information

Marketing and Advertising

We may target our advertising or marketing depending upon information we have about you. In any such case, the marketer or advertiser will not have access to any customer personal information or any patient-related personally identifiable healthcare information.

Third Parties

In addition to aggregate information, we may share some kinds of information with third parties, as described below:

Other Companies – We have strategic relationships with other companies who offer products and services on our Web site (these also include “powered by” partners, and co-branded and private-branded Web site partners). We may share certain information with these partners and will endeavor to have our users/subscribers updated as to the nature of the relationships with third parties as they affect any sharing of information. When and if you interact with these companies, you should be aware that different rules and privacy policies may apply. We do not control the collection or use of the information you provide under those circumstances, but we do require that those companies clearly state their policies so that you can decide whether to give them any information.

Companies and People Who Contract With Us – At times we contract with other companies and individuals to help us provide services. For example, we may host co-branded equivalents of our Web site on another company’s computers or hire technical consultants to aid us in some of our processing services through Web site access. In addition, if you are a healthcare professional, we may validate your licensure status or other information against available databases that list licensed health care professionals. In order to perform their jobs, these other companies may have limited access to some of the personal information we maintain about our users (not patient information). We require all such companies to comply with the terms of our privacy policies, to limit their access to any personal information to the minimum necessary to perform their obligations, and not to use the information they may access for purposes other than fulfilling their responsibilities to us. We use our best efforts to limit the use of any other companies in services where any patient personally identifiable healthcare information may be involved.

Business Transfers – If we were to transfer a business unit (such as a subsidiary) or an asset (such as a Web site or selected book of business for a particular product or region) to another company (we have not yet done so, nor do we anticipate such in the future), we will require them to honor the applicable terms of this privacy policy.

Legal Requirements – We may release account and other personal information of customers when we believe release is required to comply with law. We will only release personally identifiable health information, including information from a medical record if, in our best judgment, after review by our attorney, the release is compelled by law or regulation, or if the release is necessary to prevent the death or serious injury of an individual.

Medical Records – Waystar will not disclose personally identifiable healthcare information from patients’ medical records to an unrelated third party unless that disclosure is authorized in writing by the caregiver/provider for medical purposes, for treatment of the patient, or payment of claims, or if the patient authorizes it in writing.

When we share information with third parties, we ask that they agree in writing to abide by Waystar’s privacy policies. If we discover that a third party inadvertently disclosed personal information about any of our customers, we will take immediate action to prevent further occurrences.

Protection of Information — Security

General Policies

We have implemented technology and security policies, rules, and other measures to protect the personally identifiable data of customers and their patients that we have under our control from unauthorized access, improper use, alteration, unlawful or accidental destruction, and accidental loss. We also protect this information by requiring all of our employees and others who have access to or are associated with the processing of this data to respect your confidentiality, and to confirm this obligation to you by signing a confidentiality agreement with us. Where we allow a healthcare provider or payer to access actual medical records created by a healthcare provider, we require that the browser used support a high level of encryption to reduce security risks. Waystar uses security methods to determine the identity of its registered users, so that appropriate rights and restrictions can be enforced for the user. Reliable verification of user identity is called authentication. Waystar uses both passwords and usernames to authenticate users. Users are responsible for maintaining their own passwords. NEVER SHARE YOUR WAYSTAR USERNAME OR PASSWORD WITH ANYONE. PLEASE USE THE “LOG OFF” BUTTON WHEN EXITING THE WAYSTAR WEB SITE; THIS ENDS YOUR SESSION AND HELPS PREVENT UNAUTHORIZED USERS FROM ACCESSING YOUR ACCOUNT.

Security Practices and Technology

Positive User Identification — Access to our system, past the entry-level Web site information pages, is restricted to authorized users only. Users must supply a user id and a password to access their information on our Web site. Users who forget their password must pass our challenge/response process to ensure legitimacy before being given their forgotten password.

Positive Site Identification — The Waystar Web site is registered with the Verisign™ site certification authority to enable a user’s Web browser to confirm the site identity before proceeding. With this technology, the identity of Waystar’s site is confirmed to the browser. If positive identification is not made, the user’s Web browser notifies the user that the receiving site is suspicious.

In-Transit Data Encryption — All data being passed between the user’s browser and the private portion of Waystar’s Web site is encrypted. This information is transmitted using Secure Sockets Layer (SSL) technology with 128-bit encryption.

Information Back-up — All sensitive information in our office data center is backed up routinely, in order to aid in the recovery of information in the event of accidental damage of information or due to a natural disaster. The backup media is stored in a physically secure storage facility.

Application Access Logs — All access to the Waystar applications is logged to the user level. We thus have a complete record of all users who access our system with dates and times of access.

Storage and Protection of Healthcare Information

Personally identifiable healthcare information of healthcare patients that our customers transmit to us for processing and submitting to payers, back-up information from the office data center, and any sensitive information that we obtain through our relationship with other healthcare professionals, is stored and protected as follows. Note that our third party storage provider is required, by contract, to observe Waystar’s Privacy Policy and keep all information entrusted to it as secure as is technologically possible in conformity with the tenets of commercial reasonability.

Firewall Protection — As a front-line defense to the Waystar system, we have implemented a firewall in front of all public servers. This firewall will help prevent any unauthorized access and guard against Internet hacking attempts.

Physical Data Center Security — Our servers are located in a secure hosting facility. This facility requires key card authorization to gain initial entry into the data center. A biometric hand scanner and camera surveillance additionally protect access to the actual server room. The center is monitored 24 X 7 X 365 by the Network Operation Center personnel.

Enforcement of Privacy and Property Protection — Waystar works with regulators and security professionals, including our own security firm, local police, the Federal Bureau of Investigation, and the Internet security division of the U.S. Postal Service to assure against, or speedily locate and abort, Internet-based or other attempts to access personally identifiable healthcare (or financial) data that we have in our possession or transmit for customers. Our Customer Service personnel keep in contact with customers regularly to determine any payment or transmission problems that may indicate illegal access attempts by third parties that would trigger our immediate response.

Access to Information

Correction of Information We Have About You

If you believe that non-healthcare-related registration information collected by our Web site is in error, you may edit your personal profile at any time that you wish. You can directly edit your user profile on our Web site. Requests for deletion of your record may result in your removal from our registry of customers causing some future disjunctions, but we are willing to accede to your wishes. Despite such removal, we may keep certain demographic information (non-identifiable) about you for product improvement purposes. You may contact Waystar Customer Support and ask for the changes you would like to make.

Waystar Employees

Waystar employees are required to keep customer information private, as a condition of their employment with the Company. Only selected, authorized Waystar employees are permitted to access your health information. Employees are required to attend confidentiality/privacy training class, and to sign a confidentiality agreement. All employees and contractors must abide by our privacy policy, and those who violate that policy are subject to disciplinary action, up to and including termination of their employment and legal action.

Privacy Questions

For privacy questions or concerns about Waystar’s Web site, please contact us at one of the following: Email: support@waystar.com Visit: www.waystar.com Call: 877-494-7633.

Related Information

Terms of Use

Our Terms of Use provisions are accessed from the first page of our Web site. These terms govern use of our Web site and apply to provider/members and visitors alike. Although all members are required to execute a sales agreement, a membership agreement, or both with Waystar, the Terms of Use contain the rules governing Web site use, confirming provisions of the cited agreement, and instructing non-members. The portion of the Terms of Use pertinent to this Policy involves warnings about third party documents and linked Web sites, both of which are out of Waystar’s control and both of which should have their own privacy policies that should be reviewed.