Last updated: December 21, 2018
The Policy is designed and targeted to U.S. audiences and is governed by and operated in accordance with the laws of the U.S. We make no representation that our Website is operated in accordance with, or governed by, the laws of other nations. If you are located outside of the U.S. and you use our Website contrary to the General Terms and Conditions or the laws, regulations, treaties and legal requirements of the U.S. or that otherwise apply to you in your country, community and legal governing jurisdiction (the “Law”), you do so at your own risk. You, not us, are responsible for compliance with the Law that applies to you.
Tellus and its subsidiaries take privacy seriously. Tellus shares a commitment with Covered Entities (as defined herein) to protect the privacy and confidentiality of Protected Health Information (“PHI”) that we may access during the course of providing Services to our end users. These Services are subject to the terms of a Business Associate Agreement.
This Policy is provided to help you better understand how to use, disclose, and protect PHI in accordance with the terms of Business Associate Agreements.
Business Associate Agreement (BAA). A Business Associate Agreement is a formal written contract between Tellus and a Covered Entity or between Tellus and a Tellus Business Associate that requires Tellus to comply with specific requirements related to PHI.
Covered Entity. A Covered Entity is a health plan, health care provider, or health care clearinghouse that must comply with the HIPAA Privacy Rule. Tellus provides Services to some Covered Entities.
Protected Health Information (PHI). PHI includes all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information is any information that can be used to identify an individual and that was created, used, or disclosed in (a) the course of providing a health care service such as diagnosis or treatment, or (b) in relation to the payment for the provision of health care services.
Use and Disclosure of PHI
Tellus creates, receives, maintains and transmits PHI, and may have access to PHI of Covered Entities in the course of its performance of Services. In the event a Tellus representative accesses PHI, the procedures required by the Covered Entity should be followed. In no event should PHI leave the Covered Entity’s facility.
If required, Tellus may use PHI for our management, administration, data aggregation and legal obligations to the extent such use of PHI is permitted or required by the BAA and not prohibited by law. We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of fulfilling our service obligations to Covered Entities, if such use or disclosure of PHI is permitted or required by the BAA and would not violate the Privacy Rule.
In the event that PHI must be disclosed to a subcontractor or agent, Tellus will ensure that the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under the BAA with respect to PHI, including the implementation of reasonable and appropriate safeguards.
We may also use PHI to report violations of law to appropriate federal and state authorities.
Tellus uses appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in the BAA. We have implemented safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that Tellus may access in the course of performing its services. Such safeguards include:
- Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
- Providing appropriate training for our staff to assure that our staff complies with our security policies;
Mitigation of Harm
In the event of a use or disclosure of PHI that is in violation of the requirements of a BAA, we will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:
- Reporting any use or disclosure of PHI not provided for by the BAA and any security incident of which we become aware to the Covered Entity; and
- Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.
Access to PHI
As provided in a BAA, we will make available to Covered Entities the information necessary for the Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.
Upon request, we will make our internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Tellus on behalf of, a Covered Entity available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BAA and HIPAA regulations.
Personally Identifiable Information
Tellus takes great care to protect personally identifiable information (“Personal Information”) about you, and when we use it, we do so with respect for your privacy. We may use your Personal Information to provide Service to you, respond to inquiries from you, or to fulfill legal and regulatory requirements. Tellus may collect public and non-public Personal Information about you from any of the following sources: you on applications or forms (for example, name, address, telephone number, email address, birth date, etc.), other interactions with Tellus (for example, discussions with or emails to our customer service staff or information you enter about you into our Website), or other sources with your consent.
Tellus considers the protection of Personal Information about you to be a foundation of customer trust and a sound business practice. We employ physical, electronic, and procedural controls, and we regularly adapt these controls to respond to changing requirements and advances in technology. At Tellus, we restrict access to Personal Information about you to those who require it to develop, support, offer and deliver Services to you.
Tellus does not share Personal Information about you with unaffiliated third parties for use in marketing their products and services. We may share Personal Information about you with various Tellus corporate affiliates including internal service providers who perform, for example, printing, mailing, billing and data processing services.
Privacy, security and services in our online operations are just as critical as in the rest of our business. Tellus employs all of the safeguards described previously, along with the following Internet-specific practices. We use firewall barriers, encryption techniques and authentication procedures, among others, to maintain the security of your online session and to protect Personal Information about you from unauthorized access.
Commitment to Security
Tellus maintains a strong and clear commitment to maintaining and enforcing the Confidentiality, Integrity and Availability of Protected Health Information, Personally Identifiable Information and Non-Public Personal Information.
All reported security violations are investigated. We encourage you to contact us regarding any security concerns that you may have with regard to the Tellus, LLC, family of products and websites.
Conducting Security Tests
Tellus, as a responsible corporate citizen, understands that during routine use of computing systems, flaws may be discovered. While we welcome the reporting of all such flaws, any intentional security testing of any Tellus-owned resource will be considered malicious intent to exploit our systems. As such, any and all activity shall be reported to the appropriate law enforcement agency. This includes both port scanning and exploitation testing, in either automated or manual forms.
Reporting Security Events
To report security events, we ask that you contact us via one of these methods:
When reporting a security event, please enclose as much detail as possible and include your contact information.
Use of “Cookies”
The Tellus Website, like most other commercial websites, may utilize a standard technology called “cookies” to collect information about how our site is used. Cookies help a website operator determine that a user has visited the site previously and save and remember any preferences that may have been set by the user while browsing the site. Cookies cannot retrieve any other data from your computer’s hard drive or obtain your e-mail address. If you are simply browsing a Tellus informational site, a cookie may be used to identify your browser as one that has visited the site before.