Our Policies

Chearful.com is a website platform (the "Platform") owned and maintained by Pathfinder Innovation Portal LLC. (Company/We), which is a company of limited liability registered in Dubai (UAE). The User (You), must carefully read the following terms and conditions before you use the Platform. The terms and conditions set forth below, together, with our Privacy Policy, will constitute a binding contractual user agreement (the “User Agreement”) that you voluntarily and knowingly agree to enter by accessing the Platform. The Platform is not for use by anyone who is under the age of 18. Your use of the Platform constitutes your confirmation that you are 18 years of age or older. If you are under 18 years of age or you do not agree to be bound to any term of this User Agreement, you are not authorized to access the Platform - the Company will have no liability whatsoever arising from your unauthorized use of the Platform. Customers using the website who are Minors (under the age of 18) shall not register as a User of the website - Minors shall not transact on or use the website.

Payments

Visa or MasterCard debit and credit cards in AED and USD are accepted by the Platform for payment. Maintaining their account’s confidentiality is the responsibility of the User. The Platform will not provide any services to or trade with OFAC and sanctioned countries. The Cardholder must retain a copy of Merchant policies, Merchant rules, and transaction records.

Fees

We only act as a conduit between the clients and specialists for wellbeing services. The specialists shall set their price for the session on their profiles at their sole discretion. We will charge a certain amount of commission from the specialists. Such commission will be decided by us at our sole discretion. With respect to any refunds or cancellations, kindly send a request to support@chearful.com

Compliance With “Applicable Laws”

This User Agreement evidences the commitment of the Company to comply with the government’s current legal authority laws, which are applicable to your use of this Platform. By using the Platform, you express your consent to enter into this User Agreement - in other words, using this Platform constitutes your consent that this User Agreement is governed by “Applicable Laws” (defined below). You specifically agree to be bound by the relevant provisions of all UAE federal laws, policies and regulations, without giving effect to any conflicts of laws principles, including the following points below -

1. the Constitution of the UAE (Federal Law 1 of 1971);
2. the Penal Code (Federal Law 3 of 1987 as amended);
3. the Cyber Crime Law (Federal Law 5 of 2012 regarding “Information Technology Crime Control”) (as amended by Federal Law No. 12 of 2016 and Federal Law by Decree No. 2 of 2018); and
4. Regulating Telecommunications (Federal Law by Decree 3 of 2003 as amended), which includes several implementing regulations/policies enacted by the Telecoms Regulatory Authority ('TRA') in respect of data protection of telecoms consumers in the UAE. (the “Applicable Laws”).

The UAE is our “country of domicile” and hence stipulates the local law is the governing law, which means all disputes arising in connection therewith shall only be heard by a court of competent jurisdiction in UAE. We reserve our right to amend or terminate any portion of this User Agreement, or your use of the Platform without prior notice and/or for any reason, including if the information provided by you (the User) is incomplete and/or in the event we find that the account does not actually pertain to you.

Specialists And Their Services

The Platform is designed to be used to create an account with the Company to connect you with a Wellbeing Specialist who will deliver professional wellbeing related services to you exclusively through the use of the Platform (“Specialist Services”). The Company, through the Platform, provides a panel of Wellbeing Specialists with whom you can interact for the purposes of seeking wellbeing services. Although we provide details for you to review about the Specialists, including their professional profiles, we do not conduct due diligence on the accuracy of all facts included in the profiles visible on our Platform. You alone, as a User, make the independent decision regarding which Specialist you choose to consult/retain, and which modes of consultation you choose to utilize (i.e. live online chat messaging, video consultations or teleconferences). You agree the Company will not be held responsible for any omission or act by the Specialist during the / any consultation(s). You agree to not record, resell or recreate any session or any content without the Company’s prior consent. Please note the Company does not provide any health-related advice or medical services. You shall engage in all interactions with the Specialist at your risk - this is based solely upon your own personal decision. You agree all the information you provide to the Specialist regarding your identity, personal history, past emotions or your present situation is accurate. The Company will not be liable for any damages and/or harm arising out of such interactions - please note the Company specifically disclaims any responsibility for any miscommunication and / or misinformation on the part of the Specialist. The Wellbeing Specialists you are connected with through the use of the Platform are independent contractors, agents or employees of Chearful.com, and they hence are not entitled to bind the Company in any way whatsoever. The Platform’s role is limited to simply providing technologies enabling the Wellbeing Services to be provided to you by the Specialists - it is the Wellbeing Specialists who assume full and sole responsibility for the delivery of the Wellbeing Services.The Company has no obligation to supervise and / or monitor any of the Wellbeing Services that are provided to you. You agree, understand and acknowledge that Wellbeing Services may not be the appropriate solution for every particular situation or for everyone’s needs, and/or may not be a complete substitute for the face-to-face delivery of said Services. If you feel the Specialist’s Services do not fit your needs or expectations, you are solely responsible for switching to a different Specialist who provides services through the Platform or to cease use of the Platform. By creating your account, you are offering consent to receive communications from the Company, which may include - but is not limited to - e-mails, reminders, offers, text messages, newsletters and other updates. By clicking on the “unsubscribe” link provided on the Platform, you can opt-out of these communications. The Company does not endorse any brands or advertise any clinics, businesses or other institutions owned, operated or offered by any Specialists. Kindly note the Company will not use this data for any commercial purpose unless compelled to otherwise disclose data in compliance with an order issued to Company by a governmental agency.

Booking Sessions And Making Payments

The Sessions for the Wellbeing Services your selected Specialist provides are booked by paying a fee “per-session” and associate Chearful transaction fees. Only registered users are authorized to book an appointment and participate in a consultation session; or, if you are an unregistered user, by booking an appointment, a Chearful ‘User’ account is created on your behalf (the credentials are sent across to the email address provided). You agree to be personally liable for the payment of all fees charged by the Company to you when you use the Specialist Services - all such payments will be made exclusively through the Platform’s payment functionality. When creating your account, you will be required to accurately provide personal data such as: your name and contact details; contact details of your family member or designated friend; payment details (such as credit card/bank account numbers); gender and date of birth. Furthermore, you will be required to have paid the per session fee and associated transaction fees at the time of booking. You confirm and agree to use only debit/credit cards or other payment means (collectively “Payment Means'') which you are duly and fully authorized to use, and that all payment-related information you have provided / will provide, to or through the Platform, is accurate, current and correct and will continue to be accurate, current and correct. You agree to pay all fees / charges associated with your account in a timely manner, according to the fees schedule and the terms and the rates as published on the Platform. By providing the Company with your Payment Means you authorize the Company to bill and charge you through that Payment Means and you agree to maintain valid Payment Means information in your account information. You agree that no payment shall be refundable, unless otherwise explicitly agreed to by the Company. If, for any reason, the Platform does not provide the Specialist Services you purchased, you can send an email raising the issue along with necessary details. Following the notification of such an issue, the Company will review it and refund the amount if, in its sole discretion, it is determined you are entitled to the refund. You agree that your payment will not be refunded if you have -

1. committed any breach of this User Agreement or
2. violated any applicable law while accessing the Platform.

Kindly note, the Company reserves the right to modify, terminate or suspend any subscription plans or payment modes, at its sole discretion. You acknowledge that all interactions with Wellbeing Specialists will be carried out exclusively through using the Platform, and the fee charged shall include any taxes applicable now or in the future. Furthermore, you shall not communicate or interact with the Specialists directly without the Company’s advance consent and payment of the fee for their Services. You agree that the Company will not be liable for any changes in the schedule of the specialist, and it is at the specialist’s discretion to change their availability, and notify you, as the client. Furthermore, the company will not be responsible for any changes the client makes to their appointment time, such as cancelation and/or rescheduling. The Company will not be liable for any damages and/or harm arising out of such interactions.

Account Creation and Usage Restrictions

1. Account Limitation: Users are only permitted to create and maintain one account on Chearful Platform. The creation of multiple accounts by a single user using different email addresses for the purpose of availing of free services or any other unauthorized purpose is strictly prohibited.
2. Enforcement and Consequences: In the event of a violation of the above account limitation, Chearful Platform reserves the right to take appropriate action. This may include, but is not limited to, issuing a warning to the user.
3. Repeat Violations: If a user is found to be in repeated violation of the account limitation clause, Chearful Platform reserves the right to suspend or permanently bar the user from accessing and using the platform. This action is taken to ensure fair usage and maintain the integrity of our services.
4. Legal Compliance: This clause is designed in compliance with the laws and regulations of the United Arab Emirates. It is intended to uphold the legal standards and ethical use of the platform.

In Case Of Emergencies

PLEASE CEASE USE OF THE PLATFORM IN CASES OF EMERGENCIES. THE PLATFORM IS NOT DESIGNED FOR EMERGENCY SITUATIONS. THE SPECIALISTS CANNOT PROVIDE ANY ASSISTANCE DURING EMERGENCY SITUATIONS. IF YOU ARE - A) CONTEMPLATING SUICIDE, B) CONSIDERING HARMING YOURSELF OR OTHERS, C) FEELING ANY OTHER PERSON MAY BE IN ANY DANGER OR D) HAVING ANY MEDICAL EMERGENCY - YOU MUST CEASE USING THIS PLATFORM, NOTIFY THE RELEVANT AUTHORITIES IMMEDIATELY AND SEEK IMMEDIATE PERSONAL ASSISTANCE. THE PLATFORM IS NOT INTENDED FOR THE PROVISION OF CLINICAL DIAGNOSIS REQUIRING AN IN-PERSON EVALUATION. NOR, IS THE PLATFORM INTENDED FOR DIAGNOSES AND/OR TREATMENTS PRESCRIBING THE USE OF DRUGS OR MEDICAL TREATMENT. YOU SHOULD DISREGARD ANY SUCH ADVICE, IF DELIVERED THROUGH THE PLATFORM, AND NOTIFY THE PLATFORM IMMEDIATELY. DO NOT DISREGARD, DELAY OR AVOID OBTAINING IN-PERSON CARE FROM YOUR DOCTOR OR OTHER QUALIFIED HEALTH PROFESSIONALS BECAUSE OF THE INFORMATION OR ADVICE YOU RECEIVED THROUGH THE PLATFORM.

Intellectual Property Ownership; Third-Party Content

The Company is the owner or the licensee of all the Platform’s intellectual property rights. Applicable copyright laws protect the materials published on the Platform. You must not download, use, copy and/or modify any materials available on the Platform for any other purpose other than personal use. You will not use the site for - a) violating any laws or b) attempting to hack or disassemble any software on the Platform. You agree that the Company shall not be responsible or liable for any communication between you and the Specialist offline or through any other means. If you download, recreate, print or copy any materials from the Platform in breach of the terms mentioned, you agree you shall destroy the same after your personal use. The Platform may contain other content, services or products that are offered or provided by third parties ("Third Party Content"), including, but not limited to, links to Third Party Content (including, but not limited to, links to other websites) or advertisements that are related to Third-Party Content. The Company has no responsibility for the creation of any such Third-Party Content, (including, but not limited to) any related products, terms or policies or practices - the Company will not be liable for any damage or loss caused by any Third-Party Content. The Company may make software updates to the Platform at any given time. To use Wellbeing Services, you may be obligated to download the updated version of the Platform as a required precedent to continue the use of Wellbeing Services. However, the Company makes no guarantees that any subsequent version of the Platform will work on the user’s mobile phones, computers or other devices. The Company is expressly not liable for any loss incurred due to the user’s inability to use Wellbeing Services stemming from the inability to use an updated version of the Platform application on their chosen equipment.

Disclaimer Of Warranty; Limitation Of Liability

You hereby release The Company, its present and future officers, directors, employees, members, volunteers, contractors, representatives, parent or subsidiary entities, owners, affiliates, agents, successors and assigns (collectively, the “Company Related Parties”) and agree to hold the company related parties harmless from any and all causes of action and claims of any nature resulting from the Wellbeing Services or The Platform, including (without any limitation) any act, opinion, response, advice, omission, suggestion, information and/or service of any Specialist and/or any other content or information accessible through the Platform. You hereby understand, agree and acknowledge the Platform is provided “as is,” without any express or implied warranties of any kind, including, but not limited to, merchantability, security, fitness, non-infringement for a particular purpose or accuracy. The use of the Platform is at your own risk entirely. We expressly disclaim all warranties of any kind (whether expressed or implied) to the fullest extent of the law. You understand, acknowledge and agree the Company related parties will not be liable to you or to any third party for any incidental, indirect, special, consequential, punitive or exemplary damages. If the Applicable Law does not permit the limitation of liability (as set forth above), the limitation will be deemed modified solely to the extent necessary to comply with the Applicable Law. This limitation of liability contained in this Section (Section 5) shall survive the termination or expiration of this User Agreement.

Your Account, Representations, Conduct And Commitments

You (the User) hereby confirm you are legally able enter into this User Agreement and to consent to receive Wellbeing Services. You hereby confirm and agree that all the information you provided (and will provide in the future) in or through the Platform is accurate, true, complete and current. You also agree you will make sure to maintain and update this information during the term of this User Agreement so it will continue to be accurate, current and complete. You agree, confirm and acknowledge you are solely responsible for maintaining the confidentiality of your password and any other security information related to your account (collectively "Account Access"). You are advised to change your password on a frequent basis and to take extra precaution in safeguarding your password. In the event of any unauthorized use of your Account Access or any concern for breach of your account security, you agree to immediately notify the Company at contact@chearful.com. You agree, confirm and acknowledge the Company may be compelled to provide the relevant UAE and Emirate-level Authorities, including, but not limited to the UAE Cyber Security Council (“Government Authorities”), with cyber security issue(s)-related information. Under such circumstances, the Company may provide such Government Authorities with reports and data that contain your information. If you are a Specialist using the Platform, you hereby agree not to promote any business venture or take direct bookings outside the Platform’s ecosystem. You agree, confirm and acknowledge the Company will not be liable for any loss or damage incurred as a result of someone else using your account, either with or without your consent and/or knowledge. You also agree, confirm and acknowledge that -

1. you are solely and fully responsible and liable for all activities performed using your Account Access and
2. the Company may hold you responsible and liable for any damage or loss incurred as a result of the use of your Account Access by any person (whether authorized by you or not), and
3. you agree to indemnify the Company for any such damage or loss.

You agree and commit not to use the account or Account Access of any other person for any reason whatsoever. You agree and confirm your use of the Platform, including the Wellbeing Services, is only for your own personal use and you are not using the Platform or the Practitioner Services for or on behalf of any other person and / or organization. You agree and commit not to interfere with or disrupt or attempt to interfere with or disrupt any of our systems, servers, networks, services or infrastructure, or any of the Platform's systems, networks, services, servers or infrastructure, including without limitation obtaining unauthorized access to the aforementioned. You acknowledge the teleconferencing, online messaging and video conferencing experience depends on the services of internet service providers and/or other third parties outside of the control of Pathfinder Innovation Portal LLC, and that the Company accepts no liability for any time-lags, interruptions or disconnections during any of the online sessions. You agree and commit not to make any use of the Platform for the posting, delivering or sending of either of the following -

1. unsolicited email and/or advertisement and/or promotion of goods and services;
2. malicious software, malwares, viruses or codes;
3. unlawful, harassing, privacy invading, vulgar, obscene, abusive, threatening, racist or potentially harmful content;
4. any content that may cause damage to a third party;
5. any content that infringes a third party right, including intellectual property (IP) rights;
6. any content which may constitute, encourage or cause a criminal action and/or violate any applicable law(s).

You agree not to solicit private information relating to a client’s use of the Platform, including secret questions, passwords or other such information. You agree and commit not to violate any applicable national or international law, statute, rule, ordinance, regulation or ethical code in relation to your use of the Platform and/or your relationship with the Specialists and Company. If you receive any file from the Company or from a Specialist - whether through the Platform or not - you agree to check and scan the file for any virus or malicious software prior to opening or using the file. You will indemnify, defend and hold the Company Related Parties harmless from and against any and all claims, demands, losses, causes of action, liabilities, costs or expenses (including, but not limited to, litigation and reasonable attorneys' fees and expenses) arising out of or relating to any of the following:

1. your access to or use of the Platform;
2. your violation of any of the provisions of this User Agreement;
3. any actions made with your account or Account Access (whether by you or by someone else);
4. non-payment for any of the services (including Wellbeing Services), which were provided through the Platform;
5. your violation of any third party right, including, without limitation, any intellectual property (IP) right, publicity, confidentiality, property or privacy right.

Kindly note, this clause shall survive the expiration or termination of this User Agreement.

Modifications, Termination, Interruption And Disruptions To The Platform

You understand, acknowledge and agree the Company may modify, disrupt, suspend or discontinue the Platform, any part of the Platform or the use of the Platform, whether to all clients or to you specifically, at any time, with or without notice to you. You agree and acknowledge the Company will not be liable for any of the aforementioned actions or for any damages or losses that are caused by any of the aforementioned actions. The use of the Platform depends on various factors such as hardware, tools and software, either owned by the Company or those owned and/or operated by the Company’s contractors and suppliers. While the Company makes commercially reasonable efforts to ensure the Platform’s reliability and accessibility, you understand and agree that no platform can be 100% reliable and accessible, and hence the Company cannot guarantee access to the Platform will be uninterrupted or that it will be accessible, timely, consistent or error-free at all times.

Modifications To This User Agreement

From time to time, this User Agreement is subject to modification. The email address you have provided to the Company will be provided with notice, and you can review the most current version of the User Agreement at any time at https://www.chearful.com/terms-and-conditions. Kindly note, by accessing and/or using the Platform following the effective date of any revised User Agreement, you accept and agree to be bound by and become a party to the terms and provisions of such a revised User Agreement.

Resolution Of Disputes

Any disputes or claims arising out of or in connection with this User Agreement shall be resolved exclusively through confidential arbitration conducted in Dubai (UAE) and governed by the local laws. The Company and you both agree any awards obtained in the arbitration proceeding shall be enforceable in any government courts or departments having jurisdiction over the parties, including without limitation the Dubai Courts. By registering onto the platform you confirm your acceptance of this Agreement, you acknowledge you are the party identified in the registration process and that you have the full legal authority to enter this Agreement and you acknowledge your agreement to be bound by the terms and conditions set forth or referenced below. If you do not wish to be bound by these Terms, you must not access or use the Chearful Platform or the Wellbeing Services offered through the Platform.

I. INTRODUCTION

Purpose

Chearful.com is committed to informing clients and associates of the privacy practices and privacy rights with respect to their personal health information. Including the implementation of reasonable and appropriate measures to safeguard the confidentiality, availability, and integrity of that information. This Policy establishes and describes the procedures and protocols regarding the privacy and confidentiality of PHI.

Rationale

The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information.

Policy Statement

Chearful.com takes reasonable steps to provide a notice in plain language that describes:

• The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to Chearful.com
• Chearful.com’s legal duties with respect to the information, including a statement that the to maintain the privacy of protected health information.
• Whom individuals can contact for further information about the covered entity’s privacy policies.

Chearful.com will ensure the notice is made available in plain sight to any person who asks for it.

Scope

This Policy and Procedures applies to Chearful.com and its employees, and as per the Business Associate agreement to its partners.

Definitions

• For the purposes of this Policy, the following terms shall have the meanings specified below: The term “breach” refers to the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of such information in a way that poses a significant risk of financial, reputational or other harm to the affected individual.
• The term “business associate” refers to a person or entity not affiliated with Chearful.com that performs or assists in performing for or on behalf of Chearful.com, business support functions/services that involve the use of PHI.

NOTE: A health care provider that assists in providing treatment to patients is not considered to be a business associate.

• The term “covered entity” refers to a health care provider/facilitator that transmits any health information in electronic form in connection with a transaction covered by HIPAA.
• The term “disclosure” refers to the release, transfer, provision of access to, or divulging in any manner of PHI by a person within the Chearful.com with a person or entity outside.
• The term “discovery” refers to the first day Chearful.com is notified of an incident.
• The term “electronic media” includes both (1) electronic storage and (2) electronic transmission media and does not include certain transmission(s) such as paper, facsimile, voice, or telephone exchanges because the information exchanged did not exist in electronic form prior to the transmission.
• The term “electronic protected health information” (ePHI) refers to any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.
• The term “health care” refers to care, services, or supplies related to the health of an individual, which includes, but is not limited to:
• • 1. Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and/or
  • 2. Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
• The term “health care provider” refers to, in general, services performed by health care professionals and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
• The term “health information” refers to any information, whether oral or recorded in any form or medium, that: 1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
• The acronym “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, which is federal regulation requiring providers and others who maintain health information to implement security measures to guard the integrity, confidentiality, and availability of patient information.
• The term “individual” refers to the person or the patient who is the subject of PHI.
• The term “individually identifiable health information” refers to information that is a subset of health information including demographic information collected from an individual and:
• • Is created or received by a health care provider, health plan, employer, or health care clearinghouse.
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
  • That identifies the individual.
  • With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
• The term “client” refers to an individual who is receiving needed professional services directed by a licensed practitioner of the healing arts toward maintenance, improvement or protection of health or lessening of illness, disability, or pain (US Centers for Medicare & Medicaid Services).
• The term “patient confidentiality” refers to keeping information about a patient’s health care private and the information is shared only with those who need to know to perform their duties on behalf of the patient.
• The term “Privacy Officer” refers to a person(s) designated by Chearful.com to carry out and coordinate activities designed to prevent and detect the unlawful disclosure of protected health information (PHI) as defined by HIPAA.
• The term “protected health information” (PHI) refers to information, including demographic information, which relates to the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. PHI includes many common identifiers (e.g. name, address, birthdate, ID number) when such can be associated with the health information listed above. PHI does not include student records held by educational institutions or employment records held by employers. However, this information is still treated confidentially under other applicable laws.
• The term “personal representative” refers to a person authorized (under applicable law) to act on behalf of the individual in making health care related decisions.
• The term “reporting party” refers to a person who makes a HIPAA breach report or on whose behalf a report is made under this policy. The term “responding party” refers to a person who has been accused of violating this policy.
• The term “transaction” refers to the transmission of information between two parties to carry out financial or administrative activities related to health care. The following are types of information transmissions:
• • Health care claims or equivalent encounter information.
  • Health care payment and remittance advice.
  • Coordination of benefits.
  • Health care claim status
  • Enrollment and disenrollment in a health plan
  • Referral certification and authorization
  • First report of injury
  • Health claims attachments

• The term “unsecured protected health information” refers to PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons using a technology or methodology
• The term “use” refers to the sharing, employment, application, utilization, examination, or analysis of PHI by a person withinChearful.com and its Associates
• The term “workforce” refers to employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such an entity, whether or not they are paid by the covered entity.

II. INFORMATION PROTECTED BY THE PRIVACY POLICY

Protected Health Information

The Privacy Rule protects all "individually identifiable health information" held or transmitted by Chearful.com or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." "Individually identifiable health information" is information, including demographic data, that relates to:

• the individual's past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,

Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

De-Identified Health Information

There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. However, Chearful.com will endeavor to protect as much as possible and hold to confidentiality all client information

III. PRINCIPLES FOR DISCLOSURE

Required Disclosure

1. to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information
2. to a government regulatory body when it is undertaking a compliance investigation or review or enforcement action.

Permitted Uses and Disclosures

Most uses and disclosures of psychotherapy notes for treatment, payment, and health care operations purposes require an authorization. The content of a consent form, and the process for obtaining consent, are as per the policies followed for confidentiality, by Chearful.com. Chearful.com is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations:

1. To the Individual (unless required for access or accounting of disclosures);
2. Treatment, Payment, and Health Care Operations
3. Opportunity to Agree or Object
4. Incident to an otherwise permitted use and disclosure
5. Public Interest and Benefit Activities
6. Limited Data Set for the purposes of research, public health, or health care operations.

To the Individual

Chearful.com may disclose protected health information to the individual who is the subject of the information.

Treatment, Payment, Health Care Operations

Chearful.com may use and disclose protected health information for treatment, payment, and health care operations activities.

Treatment is the provision, coordination, or management of healthcare and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.

Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual21 and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.

Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.

Uses and Disclosures with Opportunity to Agree or Object

Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency, or not available, Chearful.com may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.

Incidental Use and Disclosure

In the event of a requirement to share PHI, CHearful.com will endeavor as much as possible to limit it to the minimum necessary.

Public Interest and Benefit Activities

Chearful.com will release PHI in specific conditions with limitations applicable to each purpose, striking the balance between the individual privacy interest and the need for this information.

Required by Law

Chearful.com may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).

Public Health Activities

Chearful.com may disclose protected health information to:

1. public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect
2. entities subject to government regulation regarding regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance
3. individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law;

Victims of Abuse, Neglect or Domestic Violence

In certain circumstances, CHearful.com may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence.

Health Oversight Activities

Chearful.com may disclose protected health information for purposes of legally authorized health oversight activities, such as audits and investigations

Judicial and Administrative Proceedings

Chearful.com may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal.

Law Enforcement Purposes

Chearful.com may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official's request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.34

Decedents

Chearful.com may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.35

Cadaveric Organ, Eye, or Tissue Donation

Chearful.com may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.36

Research

"Research" is any systematic investigation designed to develop or contribute to generalizable knowledge.37 The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual's authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals' authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought.38 A covered entity also may use or disclose, without an individuals' authorization, a limited data set of protected health information for research purposes (see discussion below)

Serious Threat to Health or Safety

Chearful.com may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat).

Essential Government Functions

An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law.

Workers' Compensation

Chearful.com may disclose protected health information as authorized by, and to comply with, workers' compensation laws and other similar programs providing benefits for work-related injuries or illnesses.

Authorized Uses and Disclosures

Authorization

Chearful.com will obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A request for authorization will include the following:

• It may allow use and disclosure of protected health information
• In plain language and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data.

Psychotherapy Notes Chearful.com will require a written authorization to use or disclose psychotherapy notes.

Marketing

Marketing is any communication about a product or service that encourages recipients to purchase or use the product or service. The Privacy Rule carves out the following health-related activities from this definition of marketing:

• Communications to describe health-related products or services, or payment for them, provided by or included in a benefit plan of the covered entity making the communication.
• Communications about participating providers in a provider or health plan network, replacement of or enhancements to a health plan, and health-related products or services available only to a health plan's enrollees that add value to, but are not part of, the benefits plan.
• Communications for treatment of the individual; and
• Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or care settings to the individual.

Chearful.com will obtain an authorization to use or disclose protected health information for marketing,

Limiting Uses and Disclosures to the Minimum Necessary

Minimum Necessary

A central aspect of the Privacy Rule is the principle of "minimum necessary" use and disclosure. Chearful.com will make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.

INTRODUCTION

Purpose

Chearful.com is committed to protect the privacy of individuals' health information while allowing its operations and performance to adopt new technologies to improve the quality and efficiency of client care. This Policy establishes and describes the procedures and protocols regarding security of information.

Rationale

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that Chearful.com must put in place to secure individuals' "electronic protected health information" (e-PHI).

Policy Statement

Chearful.com takes steps to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically:

• Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
• Identify and protect against reasonably anticipated threats to the security or integrity of the information.
• Protect against reasonably anticipated, impermissible uses or disclosures; and
• Ensure compliance by their workforce.

Scope

This HIPAA Security Policy and Procedures applies to Chearful.com and its employees, and as per the Business Associate agreement to its partners. The scope of this policy includes all systems, networks, procedures, and operations related to Chearful.com that contain, manipulate, or access electronic protected health information (EPHI). All present and future personnel, equipment, systems, and vendors that access or store client information are covered under this policy. In developing the Security policy Chearful.com has considered the following:

• Its size, complexity, and capabilities,
• Its technical, hardware, and software infrastructure,
• The costs of security measures, and
• The likelihood and possible impact of potential risks to e-PHI.

Definitions

• For the purposes of this Policy, the following terms shall have the meanings specified below: The term “breach” refers to the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of such information in a way that poses a significant risk of financial, reputational, or other harm to the affected individual.
• The term “business associate” refers to a person or entity not affiliated with Chearful.com that performs or assists in performing for or on behalf of Chearful.com, business support functions/services that involve the use of PHI.

NOTE: A healthcare provider that assists in providing treatment to patients is not considered to be a business associate.

• The term “covered entity” refers to a health care provider/facilitator that transmits any health information in electronic form in connection with a transaction covered by HIPAA.
• The term “disclosure” refers to the release, transfer, provision of access to, or divulging in any manner of PHI by a person within the Chearful.com with a person or entity outside.
• The term “discovery” refers to the first day Chearful.com is notified of an incident.
• The term “electronic media” includes both (1) electronic storage and (2) electronic transmission media and does not include certain transmission(s) such as paper, facsimile, voice, or telephone exchanges because the information exchanged did not exist in electronic form prior to the transmission.
• The term “electronic protected health information” (ePHI) refers to any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.
• The term “health care” refers to care, services, or supplies related to the health of an individual, which includes, but is not limited to:
• • 1. Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and/or
  • 2. Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

• The term “health care provider” refers to, in general, services performed by health care professionals and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
• The term “health information” refers to any information, whether oral or recorded in any form or medium, that: 1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
• The acronym “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, which is federal regulation requiring providers and others who maintain health information to implement security measures to guard the integrity, confidentiality, and availability of patient information.
• The term “individual” refers to the person or the patient who is the subject of PHI.
• The term “individually identifiable health information” refers to information that is a subset of health information including demographic information collected from an individual and:
• • Is created or received by a health care provider, health plan, employer, or health care clearinghouse.
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
  • That identifies the individual.
  • With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
• The term “client” refers to an individual who is receiving needed professional services directed by a licensed practitioner of the healing arts toward maintenance, improvement or protection of health or lessening of illness, disability, or pain.
• The term “patient confidentiality” refers to keeping information about a patient’s health care private and the information is shared only with those who need to know to perform their duties on behalf of the patient.
• The term “Privacy Officer” refers to a person(s) designated by Chearful.com to carry out and coordinate activities designed to prevent and detect the unlawful disclosure of protected health information (PHI) as defined by HIPAA.
• The term “protected health information” (PHI) refers to information, including demographic information, which relates to the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. PHI includes many common identifiers (e.g., name, address, birthdate, ID number) when such can be associated with the health information listed above. PHI does not include student records held by educational institutions or employment records held by employers. However, this information is still treated confidentially under other applicable laws.
• The term “personal representative” refers to a person authorized (under applicable law) to act on behalf of the individual in making health care related decisions.
• The term “reporting party” refers to a person who makes a HIPAA breach report or on whose behalf a report is made under this policy. The term “responding party” refers to a person who has been accused of violating this policy.
• The term “transaction” refers to the transmission of information between two parties to carry out financial or administrative activities related to health care. The following are types of information transmissions:
• • Health care claims or equivalent encounter information.
  • Health care payment and remittance advice.
  • Coordination of benefits.
  • Health care claim status
  • Enrollment and disenrollment in a health plan
  • Referral certification and authorization.
  • First report of injury.
  • Health claims attachments

• The term “unsecured protected health information” refers to PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology
• The term “use” refers to the sharing, employment, application, utilization, examination, or analysis of PHI by a person withinChearful.com and its Associates
• The term “workforce” refers to employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such an entity, whether they are paid by the covered entity.

ADMINISTRATIVE SAFEGUARDS

A. Risk Analysis

• Items covered within the scope of this policy will be regularly reviewed for known vulnerabilities. Operational procedures will be assessed to ensure maximum efficiency, security, and subject confidence while maintaining the highest level of confidentiality, availability, and integrity to EPHI.
• A statement of intent will be developed prior to each assessment, outlining the actions to be taken during the assessment, the dates, times, and responsible parties for conducting the assessment.

B. Risk Management

• The security measures and safeguards that Chearful.com will implement for its EPHI will be based upon results of risk analysis and information systems reviews. Reviews of system activity shall cover both routine operations and emergency operations.
• Chearful.com will implement security measures and safeguards for each EPHI repository sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The measures must be commensurate with the data classification of the repository. Safeguards may include normal best practice security measures such as user accounts, passwords, and firewalls; high risk EPHI repositories may require additional security measures.
• Chearful.com will appropriately discipline and sanction employees and other workforce members for violations of the HIPAA Security Policy.
• The following controls, which provide reasonable risk mitigation, will be employed by Chearful.com on all applicable information technology systems:
• Strict password policies will be set and enforced
• Default administrator accounts and guest/user accounts will be renamed, and all default (shipped) passwords will be changed.
• Executable and dangerous email attachments will be blocked at the email server
• Security audits will be set up and logs will be regularly reviewed for unusual activity.
• Unnecessary applications and services will be removed from systems.
• Frequent data backups will be taken and stored in a safe place.
• Password protected screen savers will be used to restrict access to workstations.
• Users will be educated about good security practices.

C. Sanction Policy

This sanction policy is intended to supplement the disciplinary and sanction provisions to specifically address handling of issues related to compliance with HIPAA regulations. Any employee who witnesses a violation of the Security policy is responsible for notifying their supervisor or the supervisor of the person violating policy. That supervisor is responsible for notifying the Human Resources representative. Upon notification of a violation of policy that is related to HIPAA compliance practices, the Human Resources representative will take overall responsibility for the issue. The Privacy Officer will be notified in order to take responsibility for any legally required external notification of the event. Any incident that requires activation of this policy must be clearly documented in the appropriate personnel file.

D. Information System Activity Review

Chearful.com will assign staff operational responsibility to regularly review all sources of information system activity, including but not limited to audit logs, access reports, and security incident tracking reports. This review will be conducted at least weekly. At a minimum, a review of the procedures and reports will be conducted during the annual review of Chearful.com documentation by the HIPAA Privacy Officer and the Security Officer. The following will be evaluated:

• Inventory Management
• Event log monitoring
• Network port monitoring
• System log monitoring
• Virus protection
• Intrusion detection system
• Vulnerability Assessment

WORKFORCE SECURITY

Authorization and/or Supervision & Workforce Clearance Procedure

• Initial authorization of workforce members to access EPHI must be approved by the designated Chearful.com departmental administrator or system owner, and records of such authorization must be maintained.
• On an annual basis, all authorizations for access will be reviewed for applicability, and removed or modified as necessary to comply with the provision for need to know.
• Procedures will be implemented to review and determine that the access of workforce members is appropriate. This may include, but does not require, the completion of criminal background checks on new workforce members, credential checks, employment and reference checks, character reference checks, or similar clearance measures. It also covers the review of groups or categories of workforce members to ensure appropriate access to EPHI.

Termination Procedure

• Workforce members who end employment or relationship with Chearful.com will have all access to EPHI canceled at the time of departure from the organization. Termination for any reason must result in cancellation of all access to information technology, especially EPHI. Cancelation of access must occur as soon as possible after the termination is in effect and will be automated wherever possible.
• Human Resources systems will automatically provide notification processes for terminations. Notification will result in elimination of access to applicable information technology systems, physical access control systems, and removal from group memberships. A checklist of termination activities will be completed for each terminated employee and filed in the person’s personnel folder.
• Workforce members who transfer from one department to another will be flagged and reported for access control review, and all authorizations that are no longer applicable under the need-to-know principle will be removed.

INFORMATION ACCESS MANAGEMENT

Access Authorization, Establishment and Modification

• Workforce members must be authorized to have access to EPHI through electronic means. This will be accomplished through a documented request for access, supervisor approval, and finally by granting authorization to the workforce member. System or server logs will be activated to track logins to EPHI resources and these will be reviewed for unusual activity on a periodic basis.
• Unusual activity will be defined as system access at unusual times, attempts to access resources by persons who are not authorized, and/or attempts to copy and/or relocate files or folders containing EPHI.
• Any changes to EPHI access through an employment change in status must be authorized, controlled, and supervised. Change in status may be a transfer, leave of absence, or termination. A leave or termination condition must result in revocation of all access to EPHI. A transfer must result in a review of access authorizations, with appropriate changes.

SECURITY AWARENESS & TRAINING

Security Reminders

• Periodic security reminders will be delivered through one or more mechanisms to members of the workforce. These may be delivered via signs or posters in employee areas, newsletters, e-mail, message boards, intranet web sites, or verbally. Reminders will include, but are not limited to, the following basic security principles
• Passwords cannot ever be shared for any reason, and workforce members should avoid unintended disclosures of passwords such as making them easy to guess, or recording it/them where others may be able to find it.
• Applications should be locked before you leave your workstation, using a password protected screen saver, or other method. When you are no longer using a workstation, log out.
• E-mail attachments should never be opened unless they are expected and you know the sender.
• Do not follow/click on any links in unsolicited advertising, whether from email, an instant message, newsgroup, or other electronic communication.
• Do not download software from the Internet without prior authorization from UNIT technology support staff, and without running an antivirus scan of the object before it’s opened.
• Do not discuss client's health information in public, and do not leave printed documents where they can be viewed by others.

Protection from Malicious Software

• All eligible devices connecting to, accessing, or housing EPHI will have appropriate anti-virus software installed, and updated daily. This software will be configured to scan all incoming file objects and electronic mail.
• All software, including operating systems and application programs, will be kept up to date with security patches. Chearful.com’s technology support staff are responsible to ensure that critical security updates are installed within seven days of being released, or that a commensurate protection is implemented in its place.

Log-in Monitoring

• Chearful.com will log and document failed login attempts on each system containing medium and high-risk PHI.
• Log-in activity reports and logs are reviewed on a periodic basis.
• All failed log-in attempts of a suspicious nature, such as continuous attempts, must be reported to the HIPAA Security Officer.

Password Management

These minimum procedures will be followed:

• All users, employees, vendors, and agencies who have access to network resources or systems will have a unique user identification and password.
• All computers, network resources, systems and applications will require the user to supply a password in conjunction with their unique user identification to gain access.
• A role-based user identification and password may be utilized for access to shared or common area workstations so long as the login provides no access to PHI. Access to PHI will be permitted if there is a second unique user id and password required.
• All passwords will be of sufficient complexity to ensure that it is not easily guessable by dictionary attacks.
• Elected Official and Department Heads will be responsible for making their employees aware of all password-related policies and procedures, and any changes to those policies and procedures.
• Chearful.com will be responsible for setting password aging times for systems, networks, and applications.
• All users and employees are responsible for the proper use and protection of their passwords and must adhere to the following guidelines
• Passwords are only to be used for legitimate access to networks, systems, or applications
• Passwords must not be disclosed to other users or individuals
• Employees must not allow other employees or individuals to use their password
• Passwords must not be written down, posted, or exposed in an insecure manner such as on a notepad or posted on the workstation.

Security Training

Training will consist of the following:

• HIPAA Security Policies
• HIPAA Business Associate Policy
• HIPAA Sanction Policy
• Confidentiality, integrity, and availability
• Individual security responsibilities
• Common security threats and vulnerabilities

In addition, those who set up, manage or maintain systems and workstations will receive this training.

• Password structure and management procedures
• Server, desktop computer, and mobile computer system security procedures, including security patch and update procedures and virus and malicious code procedures
• Device and media control procedures
• Incident response and reporting procedures

SECURITY INCIDENT

Response and Reporting, Contingency Plan, Data Backup Plan

• Procedures will be established and implemented to create and maintain retrievable exact copies of all EPHI. Routine backups of EPHI from all appropriate locations will be made on a regular basis (no less than daily for volatile information and weekly for more static information). Backup media will be properly indexed and labeled to allow for identification and retrieval by individuals other than the original workforce member who made the backup. The backup media and restore procedures will be tested periodically (at least annually), to ensure they are reliable and kept up to date.
• Backup information will be made available on alternative (backup, redundant) servers in case of an emergency resulting from a significant interruption of critical services. Alternative emergency operations must be sustained until the original systems and processes are restored. At least one full copy of EPHI data will be stored in a secure, off-site location for disaster recovery purposes. Backup media stored on-site must be in a physically secure location that is separate from the location of the system it represents.
• Procedures for the restoration of all systems and data in the event of a disaster will be documented. The procedures will be sufficiently clear to allow someone other than the IT staff to perform the recovery. It must include the steps for recovering individual files or folders, steps for the recovery of database instances, steps for recovery of entire servers or collections of servers, prioritization information for systems if applicable, and contact information for server, network, and application administrators.

PHYSICAL SAFEGUARDS

Workstation Use, Security, Device and Media Controls

• Workstations and other devices will be controlled to prevent improper access, usage, loss, damage, or disclosure of EPHI. This includes any device that is network enabled, including personal computers, hand-held devices and PDAs, laptops, or servers. Network enabled includes both hard wired and wireless connection methods and includes local as well as remote access.
• No EPHI can be permanently stored on a single user workstation, laptop, wireless device, or handheld computing device. All EPHI must be transferred to secure servers at the end of the day or shift, to allow for it to be backed up using set procedures. All such (local, personal) uses of EPHI must be authorized in advance by management. EPHI is not to be transported out of the Chearful.com server on portable devices without written authorization.
• Workforce members are not to alter the configuration of personal devices or load software onto them without prior approval from management and IT support staff. Monitors should be positioned to prevent inadvertent disclosure of EPHI from passersby. Screensavers that are password protected will be implemented on all devices.
• Remote access to systems containing EPHI must be authorized by management on an as needed basis, and should be conducted through secure, encrypted channels to avoid the possibility of inadvertent disclosure. Workforce members accessing EPHI remotely must not retain the EPHI permanently on the remote device.
• When the useful life of equipment or media has been reached, the media is to be rendered unreadable by either a) forensic wiping of the media, b) physical destruction of the media, or c) degaussing of the media.
• When equipment or media is to be repurposed, the management must determine if any EPHI is present, if it must be removed, and the method by which it must be removed. If servers, workstations, or data storage devices are relocated, all data including EPHI will be backed up to insure its protection during the move.
• It is Chearful.com’s responsibility to ensure that procedures are implemented to adequately inventory and track all devices that contain EPHI.

TECHNICAL SAFEGUARDS

Access Control

• Chearful.com will ensure in relation to its employees and business associates that all servers and desktops used to access, transmit, receive, or store PHI are appropriately secured.
• Servers will be in a secure environment.
• The system administrator or root account will be password protected.
• A user identification and password authentication mechanism will be implemented to control user access to the server
• A security patch and update procedure will be established and implemented to ensure that all security patches and updates are promptly applied.
• Servers must be located on a secure network with firewall protection.
• All unused or unnecessary services or daemons shall be disabled.
• A virus detection system will be implemented including a procedure to ensure that the virus detection software is maintained and up to date.
• Desktop systems that are located in open, common, or otherwise insecure areas must also implement the following measures:
• • An inactivity timer (screen saver with password protection) or automatic logoff mechanisms must be implemented.
  • The workstation screen or display must be situated in a manner that prohibits unauthorized viewing. The use of a screen guard or privacy screen is recommended.
• Mobile stations that are located or used in open, common, or otherwise insecure areas must also implement the following measures:
• • A theft deterrent device, if available, such as a laptop locking cable should be utilized when the device is unattended or secured in another manner (stored in a locked cabinet).
  • An inactivity timer (screen saver with password protection) or automatic logoff mechanism must be implemented
  • Reasonable safeguards used to prohibit unauthorized entities from viewing confidential information such as logins, passwords, or PHI.
• Personal Digital Assistants (PDAs) and other handheld mobile devices must not be used for long-term storage of PHI. PHI stored on handheld mobile devices must be purged as soon as it is no longer needed on that device.
• Each mobile system that is used to access, transmit, receive, or store EPHI must comply with as many of the measures as is allowed by the system and operating system architecture.

Unique User Identification

• Unique User Identification a. All users that require access to any network, system, or application will be provided with a unique user identification.
• Users will not share their unique user identification or password with anyone.
• Users must ensure that their user identification is not documented, written, or otherwise exposed in an insecure manner.
• If a user believes their user identification has been compromised, they must report that security incident to Information Systems for a new password

Emergency Access Procedure

• Chearful.com will implement as needed procedures for obtaining necessary electronic PHI during an emergency. Necessary PHI is defined as information if not available could inhibit or negatively affect patient care.
• Systems that do not affect client care are not subject to the emergency access requirement.

Automatic Logoff

• Any server or workstation that stores or access PHI will have the password protected screensaver turned on.
• The system will be configured to lock the server or workstation after 15 minutes of inactivity.
• Any servers or workstations that are in locked or secure environments need not implement inactivity timers.
• When leaving a server or workstation unattended, the users must lock or activate the systems automatic logoff mechanism (e.g., CNTL, ALT, DELETE and Lock Computer) or logout of all applications and database systems containing PHI.

Encryption and Decryption

• Encryption of PHI as an access control mechanism is not required unless the custodian of said PHI deems the data to be highly critical or sensitive. Encryption of PHI is required in some instances as a transmission control and integrity mechanism.

Audit Controls

• Audit Control Mechanisms
• • Chearful.com will implement system logging mechanisms for all systems that contain PHI.
  • Each system’s audit log will include at least User ID, Login Date/Time, and Logout Date/Time
  • System audit logs will be reviewed on a regular basis.
• Audit Control and Review Plan
  • systems and applications to be logged
  • information to be logged for each system
  • log-in reports for each system
  • procedures to review all audit logs and activity reports
• • An Audit Control and Review Plan will be developed by Information Systems. The plan will include:

Integrity

• Transmitting PHI via removable media will require the documents to be password protected.
• All receiving entities will be authenticated before transmission.
• Any transmissions should include only the minimum amount of PHI.

Mechanism to Authenticate Electronic Protected Health Information

• Chearful.com will use mechanisms to protect data from alteration or being destroyed.
• Chearful.com will be protected from data alterations or destruction by viruses or other malicious code.
• For data integrity during transmission Chearful.com will implement a mechanism (FTP or HTTPS) to corroborate that PHI is not altered or destroyed during transmission.

Person or Entity Authentication

• All users who use any network, workstation, system, or application that contains PHI will be required to login (provide user authentication) with user id and password.
• Users must not misrepresent themselves by using another person’s User ID and Password.
• Users are not permitted to allow other persons or entities to use their unique User ID and password.
• A reasonable effort will be made to verify the identity of the receiving person or entity prior to transmitting PHI.

Transmission Security

• All transmissions of PHI files, folders or documents will be secured by using either FTP or HTTPS.
• All receiving entities will be authenticated before transmission.
• Any transmissions should include only the minimum amount of PHI.
• Use of Email to transmit PHI can be used if the following conditions are met:
• • The PHI data must be in a password protected document.
  • The sender can authenticate the receiver.
  • The receiver has given permission to have their PHI sent via Email.
  • The receiver has been made aware of the risks involved.
• Use of internal E-mail to send PHI is allowed if the following conditions are met:
• • The PHI data must be in a password protected document.
  • The minimum amount of PHI is sent.
  • The E-mail is not forwarded to any parties.

INTRODUCTION

Purpose

Chearful.com is committed to identifying and evaluating the likelihood and consequences of threats to the security of Protected Health Information (PHI) and implementing reasonable and appropriate measures to safeguard the confidentiality, availability, and integrity of that information. This Policy establishes and describes the procedures and protocols regarding PHI.

Rationale

The HIPAA Breach Notification Rule, 45 CFR 164.400-414 under the Health Insurance Portability and Accountability Act (HIPAA), requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). Additionally, the HIPAA Breach Notification Rule, 45 CFR §§ 164.530(e), requires HIPAA covered entities to have, apply and document appropriate sanctions against the persons who violate HIPAA or other privacy policies.

Policy Statement

Chearful.com takes reasonable steps to:

1. Review, assess and, if appropriate, investigate all reports or complaints of any potential or actual breaches that might involve the acquisition, access, use or disclosure of unsecured protected health information
2. Determine if there is a breach
3. Where breaches are found to have occurred, make notification to: affected individuals
4. Where breaches are found to have occurred, take appropriate steps to prevent its recurrence and remedy its effects.
5. Where prohibited conduct is found to have occurred, take appropriate actions to eliminate any misconduct, prevent its recurrence and remedy its effects, including but not limited to applying and documenting appropriate sanctions against persons who violate HIPAA or other privacy policies.

Scope

This HIPAA Breach Policy and Procedures applies to Chearful.com and its employees, and as per the Business Associate agreement to its partners.

Definitions

• For the purposes of this Policy, the following terms shall have the meanings specified below: The term “breach” refers to the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of such information in a way that poses a significant risk of financial, reputational or other harm to the affected individual.
• The term “business associate” refers to a person or entity not affiliated with Chearful.com that performs or assists in performing for or on behalf of Chearful.com, business support functions/services that involve the use of PHI.

NOTE: A health care provider that assists in providing treatment to patients is not considered to be a business associate.

• The term “covered entity” refers to a health care provider/facilitator that transmits any health information in electronic form in connection with a transaction covered by HIPAA.
• The term “disclosure” refers to the release, transfer, provision of access to, or divulging in any manner of PHI by a person within the Chearful.com with a person or entity outside.
• The term “discovery” refers to the first day Chearful.com is notified of an incident.
• The term “electronic media” includes both (1) electronic storage and (2) electronic transmission media and does not include certain transmission(s) such as paper, facsimile, voice, or telephone exchanges because the information exchanged did not exist in electronic form prior to the transmission.
• The term “electronic protected health information” (ePHI) refers to any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.
• The term “health care” refers to care, services, or supplies related to the health of an individual, which includes, but is not limited to:

• • Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and/or
  • Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
• The term “health care provider” refers to, in general, services performed by health care professionals and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
• The term “health information” refers to any information, whether oral or recorded in any form or medium, that: 1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
• The acronym “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, which is federal regulation requiring providers and others who maintain health information to implement security measures to guard the integrity, confidentiality, and availability of patient information.
• The term “individual” refers to the person or the patient who is the subject of PHI.
• The term “individually identifiable health information” refers to information that is a subset of health information including demographic information collected from an individual and:
• Is created or received by a health care provider, health plan, employer, or health care clearinghouse
• Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual:
• That identifies the individual
• With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
• The term “client” refers to an individual who is receiving needed professional services directed by a licensed practitioner of the healing arts toward maintenance, improvement or protection of health or lessening of illness, disability, or pain (US Centers for Medicare & Medicaid Services).
• The term “patient confidentiality” refers to keeping information about a patient’s health care private and the information is shared only with those who need to know to perform their duties on behalf of the patient.
• The term “Privacy Officer” refers to a person(s) designated by Chearful.com to carry out and coordinate activities designed to prevent and detect the unlawful disclosure of protected health information (PHI) as defined by HIPAA.
• The term “protected health information” (PHI) refers to information, including demographic information, which relates to the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. PHI includes many common identifiers (e.g., name, address, birthdate, ID number) when such can be associated with the health information listed above. PHI does not include student records held by educational institutions or employment records held by employers. However, this information is still treated confidentially under other applicable laws.
• The term “personal representative” refers to a person authorized (under applicable law) to act on behalf of the individual in making health care related decisions.
• The term “reporting party” refers to a person who makes a HIPAA breach report or on whose behalf a report is made under this policy. The term “responding party” refers to a person who has been accused of violating this policy.
• The term “transaction” refers to the transmission of information between two parties to carry out financial or administrative activities related to health care. The following are types of information transmissions:
• • Health care claims or equivalent encounter information
  • Health care payment and remittance advice
  • Coordination of benefits
  • Health care claim status
  • Enrollment and disenrollment in a health plan
  • Referral certification and authorization
  • First report of injury
  • Health claims attachments

• The term “unsecured protected health information” refers to PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons using a technology or methodology
• The term “use” refers to the sharing, employment, application, utilization, examination, or analysis of PHI by a person withinChearful.com and its Associates
• The term “workforce” refers to employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such an entity, whether they are paid by the covered entity.

II. REPORTING SUSPECTED BREACHES OF UNSECURED PHI

A. Responsibility to Report

All employees, and Associates are required to report any suspected or actual breaches that might involve the acquisition, access, use or disclosure of unsecured protected health information within 24 hours of discovery. Additionally, business associates must notify Chearful.com if a breach occurs at, or by, the business associate within 24 hours of discovery. Any person described above who fails to report any suspected or actual breaches of which they become aware may be subject to disciplinary action up to and including termination of employment.

B. Who to Contact to Make a Report

Reports may be made to Chearful.com through the following reporting options: By contacting the appropriate Privacy Officer by telephone, email or in person.

C. What to Report

All employees, and any associates are to report any of the following, but not limited to the following, occurrences:

1. Any event in which access to PHI might have been gained by an unauthorized person
2. Any event in which a device containing (or may be containing) PHI has (or might have been) lost, stolen, or infected with malicious software (e.g., viruses, trojans)
3. Any event in which an account belonging to a person that has access to the data might have been compromised or the password shared with an unauthorized person (e.g., responding to phishing emails, someone shoulder surfing and writing down your password);
4. Any attempt to physically enter or break into a secure area where PHI is or might be stored; 5. Any other event in which PHI has been (or might have been) lost or stolen.
5. Any other event in which PHI has been (or might have been) improperly used (e.g., used without the individual’s written authorization if authorization is required)

D. Preparing a Report

Reports of suspected breaches of unsecured PHI may be reported orally or in writing. Reports should include the following information, if known:

1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
2. A description of the types of unsecured PHI that were involved in the breach (such as full name, identification number, date of birth, home address, account number, diagnosis, disability code, or other types of information).

E. Confidentiality

Chearful.com makes reasonable efforts to maintain the confidentiality of the information it receives in connection with reports of suspected HIPAA breaches. However, information is appropriately shared when disclosure is required by law, policy or is necessary to facilitate established processes, including the investigation and resolution of reports of suspected HIPAA breaches. The identity of participants in an investigation shall be maintained in confidence subject to the same limitations above. Any person who has reported suspected violations of this Policy, or who has initiated or participated in the reporting procedures available, are advised their identity may be known for reasons beyond the control of Chearful.com or investigators

IV. CHEARFUL.COM’s RESPONSE TO A REPORT

Chearful.com will take reasonable steps to review, assess and, if appropriate, investigate all reports or complaints of any suspected or actual breaches that might involve the acquisition, access, use or disclosure of unsecured protected health information.

V. INTERIM MEASURES

Chearful.com may impose any appropriate measures on an interim basis where it concludes that such action is needed to protect the health, safety, or welfare of members of its community, to facilitate an effective investigation or to avoid disruption to the environment.

VI. ANALYSIS PROCESS FOR POTENTIAL BREACH INVESTIGATION

1. Discovery of Breach A breach of PHI shall be treated as “discovered” as of the first day on which an incident that may have resulted in a breach is known to Chearful.com.
2. Conducting the Breach Analysis Upon notification of an incident, the HIPAA Privacy Officer shall conduct or coordinate an investigation to conduct a breach analysis. The breach analysis investigation includes, but is not limited to, the following four (4) factors to determine if PHI has been compromised:
3. The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification
4. The unauthorized person who used the PHI or to whom the PHI was disclosed
5. Whether the PHI was acquired or viewed
6. The extent to which the risk to the PHI has been mitigated; and other relevant factors may be considered when necessary.

If the breach analysis investigation fails to demonstrate that there is a low probability that the unsecured PHI has been compromised, breach notification is required. Breach Analysis Form the HIPAA Privacy Officer, upon completion of the investigation, shall complete the Breach Analysis Form within 14 calendar days of notification of the potential breach, absent exigent circumstances. The HIPAA Privacy Officer shall notify the Chearful Management Team if an investigation must continue beyond 14 (fourteen) calendar days and the reason for the delay. The HIPAA Privacy Officer shall log the incident into the Breach Tracking Form and shall update the Tracking Form with information from the HIPAA Breach Analysis Form to include the outcome of the breach analysis process. Chearful.com has the burden of proof for demonstrating that all notifications were made as required or that the use or disclosure did not constitute a breach. Based on the outcome of the breach analysis investigation, the Breach Tracking Form shall include information about notices sent to affected individuals. The HIPAA Privacy Officer shall maintain the completed HIPAA Breach Analysis Form

D. Breach Analysis Documentation

The HIPAA Privacy Officer shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of clients affected. The following information shall be collected/logged for each breach:

1. A description of what happened, including the date of the breach, the date of the discovery of the breach and the number of clients affected, if known
2. A description of the types of unsecured PHI that were involved in the breach (e.g., full name, Identification number, date of birth, home address, account number)
3. A description of the action taken regarding notification of patients, the media, and the HHS regarding the breach
4. The results of the Breach Analysis
5. Resolution steps taken to mitigate the breach and prevent future occurrences.

All documentation related to the breach analysis investigation including the Breach Analysis Form and notifications made shall be retained for a minimum of six (6) years.

VII. NOTIFICATIONS IN THE CASE OF BREACH OF UNSECURED PHI

A. Notification Following a Breach Determination

Following a breach of unsecured PHI, Chearful.com will provide notification of the breach to affected individuals, and in certain circumstances, to the media no later than 60 calendar days after the discovery of the breach.

B. Notification to Affected Individuals

Following the discovery of a breach of unsecured PHI, Chearful.com will provide notification to the affected individuals. Individual notification must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Individual notifications must include, to the extent possible, the following:

1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
2. A description of the types of unsecured PHI that were involved in the breach (e.g., full name, Identification number, date of birth, home address, account number or disability code)
3. The steps individuals should take to protect themselves from potential harm resulting from the breach
4. A brief description of what Chearful.com is doing to investigate the breach, to mitigate losses and to protect against any further breaches
5. Contact information for Chearful.com (or business associate, as applicable) for individuals to ask questions or learn additional information, which shall include, an e-mail address, Web site or postal address.

The HIPAA Privacy Officer must notify everyone whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of a breach.

VIII. INFORMAL RESOLUTION PROCESS

The Privacy Officer, in consultation with the Chearful.com Management Team may determine if the report/complaint can be disposed of informally on an acceptable basis or if the matter will be resolved through the formal resolution process. Use of the informal process is not a prerequisite to initiating the formal resolution process. Any informal resolution will be documented and maintained by the Privacy Officer. Informal resolutions involving employees may also be placed in their employment files. Any failure to comply with the informal resolution terms may constitute grounds for an independent complaint or result in the reopening of the original complaint.

IX. FORMAL RESOLUTION PROCESS

Factors in Determining an Outcome Decision In determining an outcome, the Privacy Officer will consider, but is not limited to the following: Category 1: Accidental or Inadvertent Violation An inadvertent or accidental breach of confidentiality may or may not result in the actual disclosure of patient information. They may be caused by carelessness, lack of knowledge, lack of training or other human error. Examples of this type of incident include directing PHI via mail, e-mail or fax to a wrong party or incorrectly identifying a patient record. Category 2: Failure to Follow Established Privacy And Security Policies And Procedures These violations result from failure to follow existing policies/procedures governing client confidentiality. These violations may be caused due to poor job performance or lack of performance improvement, which may include talking about patients in areas where others might hear, failure to obtain appropriate consent to release information and failure to fulfill training requirements. Category 3: Deliberate or Purposeful Violation Without Harmful Intent Deliberate or purposeful violation(s) without harmful intent include inappropriately accessing a patient’s record without a job-related need-to-know, which may include accessing the record of a friend or family member out of curiosity without a legitimate need-to-know. Category 4: Willful and Malicious Violation with Harmful Intent Willful and malicious violation(s) with harmful intent include accessing and using patient information for personal gain or to harm another person, which may include disclosing PHI to an unauthorized person or entity for illegal purposes, posting PHI to social media websites or disclosing a celebrity’s PHI to the media

X. MITIGATING FACTORS

Mitigating factors that may increase the outcome severity include:

1. Violation of sensitive information such as HIV-related, psychiatric, substance abuse and genetic date
2. High volume of people or data affected
3. High exposure for Chearful.com
4. Large organizational expenses incurred, such as breach notifications
5. Hampering the investigation, lack of truthfulness
6. Negative influence on others
7. History of performance issues and/or violations.

Mitigating factors that may decrease the outcome severity include:

1. Violator’s knowledge of privacy and security practices (e.g., inadequate training)
2. Culture of surrounding environment [e.g., investigation determines inappropriate practices in department(s)]
3. Violation occurred because of attempting to help a patient
4. Victim(s) suffered no financial, reputational, or other personal harm
5. Violator voluntarily admitted the violation in a timely manner and cooperated with the investigation
6. Violator showed remorse.
7. Action was taken under pressure from a person in a position of authority.

XI. DISCIPLINE

HIPAA requires covered entities to impose appropriate sanctions for any person who violates HIPAA policies. Employees found to have violated HIPAA may be subject to disciplinary action up to and including termination of employment. Third parties who violate HIPAA may have their relationship with Chearful.com terminated.