Privacy

Mirth respects individual privacy and strives to collect, use and disclose Personal Data in a manner consistent with the laws of the countries in which it does business, and prides itself on upholding the highest ethical standards in its business practices. This Privacy Policy sets forth the privacy principles that Mirth follows with respect to Personal Data.

Mirth shares a commitment with HIPAA Covered Entities to protect the privacy and confidentiality of Protected Health Information (PHI) that we obtain subject to the terms of a Business Associate Agreement.

This Policy is provided to help you better understand how we at Mirth use, disclose, and protect PHI in accordance with the terms of Business Associate Agreements.

Business Associate Agreement (BA Agreement): A Business Associate Agreement is a formal written contract between Mirth and a Covered Entity that requires Mirth to comply with specific requirements related to PHI.

Covered Entity: A Covered Entity is a health plan, health care provider, or healthcare clearinghouse that must comply with the HIPAA Privacy Rule.

Protected Health Information (PHI): PHI includes all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information is any information that can be used to identify an individual and that was created, used, or disclosed in (a) the course of providing a health care service such as diagnosis or treatment, or (b) in relation to the payment for the provision of health care services.

We may use PHI for our management, administration, data aggregation and legal obligations to the extent such use of PHI is permitted or required by the BA Agreement and not prohibited by law. We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of fulfilling our service obligations to Covered Entities, if such use or disclosure of PHI is permitted or required by the BA Agreement and would not violate the Privacy Rule.

In the event that PHI must be disclosed to a subcontractor or agent, we will ensure that the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under the BA Agreement with respect to PHI, including the implementation of reasonable and appropriate safeguards.

We may also use PHI to report violations of law to appropriate federal and state authorities.

We use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in the BA Agreement. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we create, receive, maintain, or transmit on behalf of a Covered Entity. Such safeguards include:

• Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
• Providing appropriate training for our staff to assure that our staff complies with our security policies;
• Making use of appropriate encryption when transmitting PHI over the Internet;
• Utilizing appropriate storage, backup, disposal and reuse procedures to protect PHI;
• Utilizing appropriate authentication and access controls to safeguard PHI;
• Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
• Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed.

In the event of a use or disclosure of PHI that is in violation of the requirements of the BA agreement, we will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:

• Reporting any use or disclosure of PHI not provided for by the BA Agreement and any security incident of which we become aware to the Covered Entity; and
• Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.

As provided in the BA Agreement, we will make available to Covered Entities, information necessary for Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations. Upon request, we will make our internal practices, books, and records including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of a Covered Entity available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BA Agreement and HIPAA regulations.

The EU Directive on Data Protection requires EU member states to adopt laws protecting Personal Data collected within their borders. These laws must, among other provisions, restrict the transfer of Personal Data only to countries that have data protection laws deemed adequate under standards established in the EU Directive. The U.S. Department of Commerce and the European Commission have agreed on the Principles to enable U.S. Companies to satisfy the requirement under EU law that adequate protection be given to Personal Data transferred from the EU to the U.S.

In regard to Personal Data transferred from the European Union (EU) to the United States, Mirth will adhere to the Safe Harbor Principles and Frequently Asked Questions published by the U.S. Department of Commerce (collectively referred to as the Principles) at http://export.gov/safeharbor/ with respect to all such data, and will self-certify to the U.S. Department of Commerce compliance with the Principles. If there is any conflict between the policies in this statement and the Principles, the Principles will govern. This statement outlines the general policy and practices for implementing the Principles, including the types of information Mirth gathers, how the information is used, and the choices affected individuals have regarding Mirth’s use of, and their ability to correct, that information.

Definitions

Identifiable Person - means a natural person that is or can be identified, directly or indirectly, as a particular person by reference to an identification number or to one or more aspects of the person’s physical, physiological, mental, economic, cultural or social identity. Identifiable Persons may include individuals whose Personal Data is collected by clients and business associates of Mirth as well as any employee, applicant, former employee, or retiree of Mirth, its operating divisions, or subsidiaries.

Personal Data - is any information about an Identifiable Person that

• is within the scope of the EU Directive or other applicable laws,
• is received by Mirth in the U.S. from the EU,
• is recorded in any form and is about, or pertains to, a specific individual; and can be linked to that individual.

Personal Data does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public Personal Data.

Processing - means any online, offline or manual processing and includes such activities as copying, filing, and inputting Personal Data into a database.

Sensitive Data - is data that pertains to medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation or any other data that is identified as sensitive by the Identifiable Person.

This Privacy Policy will be published in the Mirth online policy manual and on the web at http://www.mirthcorp.com/policies/privacy.htm.

1. Notice

Where Mirth collects Personal Data directly from Identifiable Persons, it will inform them about the type of Personal Data collected, the purposes for which it collects and uses the Personal Data, and the types of non-agent third parties to which Mirth discloses or may disclose that information, and the choices and means, if any, Mirth offers individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in a clear and conspicuous language when individuals are first asked to provide Personal Data to Mirth, or as soon as practicable thereafter, and in any event before Mirth uses or discloses the information for a purpose other than that for which it was originally collected.

Where Mirth receives Personal Data from their business associates, clients, subsidiaries or operating divisions, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to which the Personal Data relates.

With the exception of human resources activities related to staff members, Mirth does not collect personal data directly from the Identifiable Person. Mirth does, however, provide application and support services that may contain or transport personal data collected by Mirth’s clients and business associates. Mirth adheres to all business associate and client privacy agreements in the course of its business and will cooperate with the principle of Notice as per those agreements. In those cases where Mirth collects Personal Data from other persons, it takes measures to respect the privacy preferences of the Identifiable Persons. Examples of when Mirth may seek information from others include, without limitation, evaluating employees, recruiting, benefit administration and succession planning.

Mirth’s collection and use of Personal Data in the employment context is essential to the conduct of Mirth’s human resources and business functions. Examples of the purposes for which Mirth collects and uses Personal Data include, without limitation, recruitment, payroll, and personnel management, such as compensation, promotion, evaluation, benefit administration and succession planning.

While recognizing that all Personal Data deserves to be protected, Mirth exercises special precautions and safeguards for Sensitive Data. Unless required by applicable law, Mirth does not request or record Sensitive Data.

2. Choice

Opt-Out Rights: In a case where Mirth is the collector of data directly from Identifiable Persons, Mirth will offer Identifiable Person(s) the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. In addition, where consent of Identifiable Persons or their representatives is required by law, contract, or agreement for the collection, use, or disclosure of Personal Data, Mirth will request such consent and respect the Identifiable Person’s choice in such matters.

In certain limited or exceptional circumstances, in accordance with applicable legal and compliance requirements, Mirth may disclose Personal Data without notice or the consent of the Identifiable Person. For example, this may occur when Mirth is required to disclose information by law or legal process or in the vital interests of the Identifiable Person, such as when life or health are at stake.

Opt-In Requirement: Except as provided by the Safe Harbor Principles or applicable law, an Identifiable Person must give affirmative permission (opt-in consent) before Mirth will disclose Sensitive Data to a third party or use Sensitive Data for a purpose other than those for which it was originally collected or subsequently authorized by the Identifiable Person.

Mirth will provide Identifiable Persons with reasonable mechanisms to exercise their choices.

3. Onward Transfer

Mirth may transfer Personal Data across state and country borders for the purposes of data analysis and consolidation of information worldwide.

Mirth will comply with the provisions of this Privacy Policy, applicable legislation, compliance requirements and any business associate or client agreements in any such transfer. Mirth will also ensure the security of transferred information in transit through appropriate means such as encryption.

US Employee Services: To enable Mirth to provide US employees with certain services such as payroll direct deposit, personnel benefits, or other human resource services, Mirth may disclose Personal Data without consent to sub-contractors, vendors or other third parties, if the third party is under agreement or contract that protects Personal Data at the same or greater level than this privacy policy and in accordance with applicable laws.

EU Employee Services: To enable Mirth to provide EU employees with certain services such as payroll direct deposit, personnel benefits, or other human resource services, Mirth may disclose Personal Data without consent to sub-contractors, vendors or other third parties, if the third party

1. subscribes to the Safe Harbor Principles,
2. is subject to laws meeting the minimum standards required by the EU Directive or
3. enters into an agreement with Mirth obligating the third party to provide at least the same level of privacy protection as required by Safe Harbor Principles.

4. Security

Mirth takes reasonable precautions to protect Personal Data against loss, misuse and unauthorized access, disclosure, alteration, destruction and theft in accordance with its internally-published security policy.

These precautions include password protections for online information systems and restricted access to Personal Data. All inquiries from outside Mirth, whether written or oral, concerning the identity, employment record or performance of an employee or former employee must be referred to the Human Resources Department.

Employees are responsible for helping maintain security through safeguarding Personal Data, e.g., by protecting passwords used to access Mirth computer systems, by keeping paper records under lock and key when not in use, and by disposing of files and reports no longer needed in a secure manner.

5. Data Integrity

Mirth takes reasonable steps to keep Personal Data accurate, complete, and up-to-date. Each Identifiable Person is responsible for informing Mirth, its business associates, clients, or subsidiaries of any changes in Personal Data so that the information that Mirth holds about him or her is accurate, complete and up-to-date.

Mirth retains Personal Data only as long as necessary to meet the purposes for which it was collected or as required by law, contractual agreement, or the Safe Harbor Principles.

Certain Personal Data may be archived to administer post-employment benefits, to meet legal requirements, to provide evidence in cases of litigation, for statistical purposes, or to assist in decisions relating to re?employment.

Mirth uses reasonable procedures, following retention guidelines, to ensure that it archives or destroys Personal Data no longer required for the purposes for which it was originally collected, unless otherwise agreed to by the Identifiable Person.

6. Access

The nature of Mirth’s services to clients and business associates provide the principle of access through those clients and business associates. As such, Identifiable Persons have a reasonable opportunity through these clients and business associates to examine their Personal Data, to challenge its accuracy and to have it corrected, amended or deleted as appropriate, subject to certain exceptions. Upon request, Identifiable Persons will be given reasonable access to the Personal Data Mirth holds about them through the entity that collects and maintains the data and in accordance with business associate privacy agreements also subject to the safe harbor principles. Reasonable access means that requests for access are made during normal business hours, following standard procedures, and that the frequency of access requests is not excessive.

If an Identifiable Person is denied access to Personal Data, Mirth will provide such Identifiable Person with the reason(s) for denying access and a contact point for further inquiries.

If the Identifiable Person notifies Mirth that the Personal Data on file is incorrect and provides Mirth with appropriate supporting documentation, Mirth will either correct the Personal Data or direct the Identifiable Person to the source of the information for correction.

If, upon review, Mirth believes that the existing Personal Data is correct, Mirth will inform the Identifiable Person. If the Identifiable Person continues to dispute the accuracy of the Personal Data, Mirth will note that dispute in the record of the Identifiable Person upon written request.

In accordance with regulations and legal agreements, access to confidential or proprietary information, such as business reorganization or succession plans, or where granting access has to be balanced against the privacy interests of others, may be restricted. In addition, access may be denied:

• when the information requested relates to an ongoing investigation, litigation or potential litigation,
• where the burden or expense of providing access would be disproportionate to the risks to the privacy of the Identifiable Person or
• when the rights of persons other than the Identifiable Person would be violated.

7. Enforcement and Dispute Resolution

Identifiable Persons may contact the President at Mirth’s Corporate Headquarters in Irvine, CA, U.S.A. to submit data access requests, register complaints or address any other relevant issues under the Safe Harbor Principles or this privacy policy. It is the responsibility of all employees to act in accordance with the Privacy Policy and obligations with respect to Personal Data. Failure to do so may result in disciplinary action, if warranted, up to and including termination of employment.

Mirth is committed to assisting Identifiable Persons in protecting their privacy and in exercising their rights under this Privacy Policy and applicable laws. Identifiable Persons making complaints or reporting potential violations of the Privacy Policy shall not be subject to any form of retaliation. In addition, report of potential violations may be made on an anonymous basis.

For complaints regarding Personal Data from the EU that cannot be resolved between Mirth and the complainant, Mirth has agreed to participate in the dispute resolution procedures of the panel established by the European data protection authorities to resolve disputes pursuant to the Principles. A complaint to these authorities may be filed through the procedures provided by the European data protection authorities.

Mirth’s privacy practices are self-certified annually. The Privacy Officer is responsible for:

• Ensuring that the privacy guidelines, programs, procedures, training and other measures necessary to implement the Privacy Policy are developed and put into practice;
• Overseeing responses to inquiries and resolutions of complaints relating to the privacy of Identifiable Persons;
• Working with Mirth’s legal department to ensure Mirth’s ongoing compliance with applicable privacy laws and agreements, as well as any obligations Mirth may enter into voluntarily, such as the Safe Harbor Principles; and
• Overseeing annual assessments of Mirth internal practices to ensure that they conform to the Privacy Policy and related company obligations.

This policy may be amended from time to time, consistent with the requirements of applicable law and the Safe Harbor Principles. The updated policy will be posted on Mirth’s web page at http://www.mirthcorp.com/policies/privacy.htm.

For more information on Mirth’s privacy policy, contact privacy@mirthcorp.com.