Privacy Policy

The privacy, confidence, and trust of individuals who visit the Inflexxion ASI-MV Connect Web site are important to us. No personal information is collected at this site unless it is provided voluntarily by an individual while participating in an activity that asks for the information. The following paragraphs disclose the information gathering and usage practices for the web site.

ASI-MV Connect has been designed to be fully secure in all aspects of handling customer information and client/patient Protected Health Information (PHI) data is de-identified before it leaves the local computer hosting the ASI-MV Connect application. A local computer is defined as the computer or server hard drive which is owned or controlled by the customer. ASI-MV Connect does not have functionality for electronic claims processing, and therefore, is not covered by the Health Insurance Portability and Accountability Act (HIPAA) requirements regarding the designated electronic transactions or the electronic signature standards associated with these transactions.

Inflexxion‟s receipt of the ASI-MV data from Data Sources (customers) pursuant to the Business Associate and Limited Data Set Use Agreement referenced herein (“BAA”), its aggregation of that data into aggregated ASI-MV datasets (“Datasets”) pursuant to the BAA, its disclosure of those aggregated Datasets to its customers for treatment, healthcare operations and research purposes in accordance with the terms of the BAA, as well as its sale and disclosure of those aggregated Datasets to third parties for research purposes in accordance with the terms of the BAA, comply in all material respects with HIPAA Privacy Requirements.

Inflexxion is not itself a “covered entity” within the meaning of HIPAA since it is not a health plan, health care provider or health care clearinghouse, and does not transmit health information in electronic form in any transaction covered by the HIPAA Privacy Requirements. The ASI-MV data that will be used by Inflexxion is for aggregation into de-identified Datasets, and that the only purposes for which the Datasets will be used are for (1) treatment and health care operations purposes by or for the benefit of the Data Source that furnished ASI-MV data included in the Dataset, and (2) research purposes by the Data Source, Inflexxion and others, including sale of Datasets by Inflexxion to third parties for research purposes.

De-Identification
PHI that is “de-identified” is not individually identifiable health information for HIPAA purposes, and falls outside the scope of the HIPAA Privacy Requirements. 45 CFR 164.514(a). There are two methods by which PHI can be “de-identified” for HIPAA purposes: (1) “safe harbor de-identification”, by removing 18 specified identifiers, or (2) “statistical de-identification”, based on the professional opinion of a statistical expert. 45 CFR 164.514(b). As discussed below, it appears that Inflexxion has a good faith legal position that the ASI-MV data in the form they are received by Inflexxion from Data Sources are fully de-identified under the safe harbor standards.

The Inflexxion Application is installed in the Data Source‟s (customer‟s) computer. The Inflexxion Application produces a screen with data fields into which the data subject (client/patient) at the Data Source enters the ASI-MV data. The ASI-MV data that is entered at the Data Source includes substantial PHI regarding the data subject. Before any such data is transmitted to Inflexxion, the Inflexxion Application on the Data Source‟s computer converts the ASI-MV data entered by the data subject into (1) a linking key encrypted in accordance with the Opinion, and (2) only the following information about the data subject (a) initial three digits of zip code for combined geographic areas with the same initial three digit zip code that have a population of more than 20,000 (or a 000 zip code for combined geographic areas of 20,000 or fewer people), (b) gender, (c) marital status, (d) race, (e) religion, (f) age (except for ages over 80 which are combined into a single category of age 90 or older). These data elements are hereinafter referred to as Inflexxion‟s “Retained Data”. We understand and assume for purposes of this analysis that Inflexxion does not receive any ASI-MV data regarding any data subject other than the Retained Data.

The Retained Data received by Inflexxion appears to meet safe harbor de-identification standards. PHI is fully de-identified under safe harbor de-identification standards if the following 18 identifiers of the individual (and of relatives, employers, or household members of the individual) are removed, and if the covered entity does not have actual knowledge that the de-identified information could be used alone or in combination with other information to identify the data subject:
“(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
 (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people;
 and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs)
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images;
and (R) Any other unique identifying number, characteristic, or code.”

45 CFR 164.514(b)(2)(i) and (ii).
The Retained Data do not appear to include any of the enumerated identifiers. The zip code information retained is de-identified in accordance with the standard under 45 CFR 164.514(b)(2)(i)(B). The age information retained is de-identified in accordance with the standard under 45 CFR 164.514(b)(2)(i)(C). None of the remaining elements of Retained Data (i.e., linking key, marital status, race, and religion) is specifically enumerated in 45 CFR 164.514(b)(2)(i)(A)-(Q) as a specific item of information that must be removed for data to be de-identified. The only potential question is whether any of those remaining elements of Retained Data constitute a “unique identifying number, characteristic or code” within the meaning of 45 CFR 164.514(b)(2)(i)(R). The characteristics of race, religion and marital status generally should not be viewed as “unique” to any particular data subject. These characteristics are shared by very large numbers of people. Moreover, the categories and subcategories of marital status, religion and race appear to be sufficiently broad and populous that none would alone identify a data subject. Therefore, none of these data elements appear to be a “unique identifying” characteristic.

Linking Key (Unique Identifier)
The purpose of the linking key is to enable Inflexxion to track Retained Data relating to a single data subject longitudinally and across different Data Sources. The linking code is generated by the Inflexxion Application before any ASI-MV data is transmitted to Inflexxion by the Data Source. The linking key is a 14 character code derived from: the data subject‟s gender (1 for male; 2 for female), the first three letters of the subject‟s last name, year of birth (two digits), the first three letters of subject‟s first name, the first three letters of the subject‟s mother‟s first name, and the first two letters of the subject‟s place of birth. The Inflexxion Application surrounds this 14 characteristic code with an encrypted prefix and suffix of letters and numbers. This cryptographic technique renders the key unable to be recognized or reverse-engineered into information that can be associated with any particular individual. As such, upon receipt by Inflexxion, the linking key is a “unique” code, but it should not be viewed as an “identifying” code (and thus not a “unique identifying code”).

The encrypted linking key received by Inflexxion cannot be used by Inflexxion (or any third party) to identify the data subject. The linking key is thus not patient-identifying, and appears to meet the safe harbor de-identification standard of 45 CFR 164.514(b)(2)(i)(R).

No Data Source that is a covered entity has any actual knowledge that PHI disclosed to Inflexxion and maintained by Inflexxion in the Retained Data could be used alone or in combination with other
Privacy Policy - ASI-MV Connect - Inflexxion, Newton, MA - rev.7/21/09 page 4 of 10
information to identify an individual who is a subject of the PHI. Since this is true, then the Retained Data meet all of the standards for “safe harbor de-identification”.

Re-Identification
It is not enough for HIPAA compliance purposes that the Retained Data be de-identified, but they also must not be subject to re-identification by any third party. In this regard, the patient linking key does not appear to be a “re-identification code” within the meaning of the HIPAA Privacy Requirements since, as discussed above, it cannot be used to identify (or re-identify) a data subject.

Under 45 CFR 164.514(c), “a covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: (1) The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and (2) The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.”

While the patient linking key generated by the Inflexxion Application is derived, in part, from PHI of the data subject, the linking key, as encrypted, is not capable of being used as a re-identification code (according to the Opinion) since it does not allow any de-identified information to be re-identified with any particular data subject.

The HIPAA Privacy Requirements also provide that:
“(i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and (ii) if de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.” 45 CFR 164.502(d)(2).

As noted above, the encrypted patient linking key is not a re-identification code, and neither the Inflexxion Application nor Inflexxion creates or receives any other code or other means of record identification by which Inflexxion or any third party could re-identify any Retained Data as being the data of any particular person. Accordingly, Inflexxion does not have any means of re-identifying the de-identified Retained Data.

Business Associate Standards
Even if the Retained Data do not meet all of the safe harbor de-identification standards (which they do meet), Inflexxion can receive the Retained Data under the Business Associate and Limited Data Set Use Agreement, and use the Retained Data to create the aggregated Datasets, and to use and disclose those Datasets, in accordance with the terms of the BAA.

Inflexxion obtains the Retained Data from its Data Sources, including any PHI in the Retained Data, pursuant to a Business Associate and Limited Data Set Use Agreement. Under the BAA, Inflexxion purports to serve as a “business associate” of its Data Sources for HIPAA purposes. A „business associate” is a person who, with respect to the covered entity “[p]rovides, other than in the capacity of a member of the workforce of such covered entity . . . data aggregation (as defined in Sec. 164.501 of this subchapter) . . . to or for such covered entity . . ., where the provision of the service involves the disclosure of individually identifiable health information from such covered entity . . ., to the person”. 45 CFR 10.103. Pursuant to 45 CFR 164.501, “data aggregation” means “with respect to protected health information created or received by a business associate in its capacity as a business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.” Accordingly, Inflexxion, as a business associate, can obtain PHI from multiple covered entities (Data Sources) for which it serves as a business associate, and can aggregate that PHI for use by the Data Sources in their health care operations.

By virtue of the BAA, Inflexxion is a “business associate” of its Data Sources (that are covered entities for HIPAA purposes). To be a “business associate” of a Data Source (and to be able to use PHI received from the Data Source for data aggregation purposes), Inflexxion must meet the business associate standards specified in 45 CFR 164.502(e) and 164.504(e). Under 45 CFR 164.502(e)(1), a covered entity may not disclose PHI to Inflexxion, as its business associate, or permit Inflexxion to create or receive PHI on its behalf, unless “the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.” Pursuant to 45 CFR 164.502(e)(2), the covered entity must document such “satisfactory assurances” through a written contract or arrangement that meets the requirements of 45 CFR 164.504(e). Those requirements are set out in the margin and are referred to herein as the “BA Requirements”, and the BAA meets all of the BA Requirements. Each Data Source that is a covered entity needs to enter into a BAA with Inflexxion in the form referenced in this letter, without any modification that would cause the BAA not to meet BA Requirements.

Under that BAA, Inflexxion is authorized and contractually obligated to engage in data aggregation and data de-identification services for and on behalf of its Data Sources for health care operations purposes. See Section 1.2(d) and (e) of the BAA. Inflexxion may perform such data aggregation services for such purposes under the BAA consistent with the HIPAA Privacy Requirements.

In addition, a business associate, like Inflexxion, is permitted by the HIPAA Privacy Requirements to use PHI from a covered entity to create de-identified information, and to disclose such de-identified information to third parties, such as purchasers of the Datasets. In particular, 45 CFR 164.501(d)(1) provides that a “covered entity may use protected health information to create information that is not individually identifiable health information or may disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.” Thus, consistent with the HIPAA Privacy Requirements, Data Sources may disclose PHI to Inflexxion to be de-identified and sold for use by third parties. To the extent that the Retained Data and resulting Datasets generated by Inflexxion contain only de-identified information (which is the case), then Inflexxion is free to disclose those Datasets to third parties.

Limited Data Set
Even if the Retained Data do not meet all of the safe harbor de-identification standards (which they do meet, as discussed above), the Data Source can disclose the Retained Data to Inflexxion for purposes of creating a so-called “limited data set” for research, public health or health care operations purposes. See 45 CFR 164.514(e).

A limited data set is PHI that excludes the 16 specified identifiers set forth in the margin. Note that, unlike safe harbored de-identified information, a limited data set can include date and age information about the data subject and any other (non-specified) unique identifying number, characteristic or code. The Retained Data fairly clearly constitutes a limited set for HIPAA purposes.

Pursuant to 45 CFR 514(e)(1), a Data Source that is a covered entity may disclose to Inflexxion a limited data set, such as the Retained Data, “if the covered entity enters into a data use agreement with the limited data set recipient [i.e., Inflexxion], in accordance with paragraph (e)(4) of this section.” The requirements specified in paragraph (e)(4) for a limited data set use agreement are set forth in the margin (the “LDS Requirements”). Under those Requirements, the data recipient can only use the limited data set for research, public health or health care operations purposes. 45 CFR 164.514(e)(3)(i) and (4)(i). As noted above, we understand and assume that the Retained Data, in the form of a limited data set, will only be used by Inflexxion for research and to support health care operations of Data Sources.

The Business Associate and Limited Data Set Use Agreement meets the LDS Requirements. Therefore, any Data Source that is a covered entity may disclose to Inflexxion the Retained Data, as a limited data set, for research and health care operations purposes in accordance with the terms of the BAA. We also believe that Inflexxion may thereafter disclose or sell the Retained Data, in the form of a limited data set, to authorized third parties for research purposes in accordance with the terms of the BAA.

Compliance
Inflexxion is in material compliance with the HIPAA Privacy Requirements because it (1) enters into a Business Associate and Limited Data Set Use Agreement with its Data Sources that are covered entities, (2) receives PHI in the form of the Retained Data from the Data Sources, (3) aggregates the Retained Data into a Dataset (that is also a limited data set for HIPAA purposes), (4) discloses or sells those Datasets to third parties either as (i) de-identified Datasets, to the extent such Datasets meet safe harbor de-identification standards (which they appear to meet) or (ii) limited data sets for research and health care operations purposes, and (5) otherwise conforms its conduct to the terms of the form Business Associate and Limited Data Set Use Agreement.

ASI-MV® Connect Data Sources (customers) are to send only de-identified client data to Inflexxion. If a customer somehow sends Inflexxion client PHI, the customer must defend and indemnify Inflexxion as to any government or other third party complaint or damages.

Children, under the age of 18, are not permitted to use the ASI-MV Connect website.

Use of Aggregate, De-identified Client Data
Clients‟ de-identified, aggregate data is uploaded to ASI-MV Connect for two reasons: 1.) to enable customers to look at their aggregate client data in a number of ways, generate charts and graphs and to print reports; 2.) to allow Inflexxion to build a nationwide database on substance abuse trends and characteristics, including information on the growing problem of prescription drug abuse.

The ASI-MV Connect is an enhanced version of the ASI-MV and has additional prescription opioid drug questions only for clients who identify they have used opioids within the previous 30 days. Along with the addition of the prescription opioid questions that identify specific drugs, there are also other screens that ask questions such as how the individual got the drugs and route of administration.

These data will eventually be available to ASI-MV Connect customers and other parties interested in the trends and characteristics of alcohol and drug problems, including prescription drugs such as, state and federal agencies, pharmaceutical companies and research organizations.

Legal Compliance
The ASI-MV Connect Data Source (customer) is responsible for ensuring that its staff use the ASI-MV Connect, the Site, and the client PHI data available on their local computer in a secure and confidential manner consistent with the HIPAA Privacy Rule (at 45 CFR Parts 160 and 164 http://www.hhs.gov/ocr/hipaa) and all applicable laws and regulations.

CUSTOMERS / STAFF USING THE ASI-MV CONNECT WEBSITE

Collection of Information
Inflexxion only collects the personal information that is necessary to provide the information or services requested by an individual. "Personal information" refers to any information relating to an identified or identifiable individual who is the subject of the information. This is the same information that an individual might provide when visiting a government office and includes such items as an individual's name, address, or phone number. We also collect statistical information that helps us understand how people are using the web site so we can continually improve our services. The information collected is not associated with any specific individual and no attempt is made to profile individuals who browse the web site. You may be asked to participate in surveys at this site. Participation is optional, and the choice to participate or not to participate will have no effect on your ability to use other features of the site.

Disclosure
Inflexxion does not disclose, give, sell or transfer any personal information about our visitors to third parties, except to comply with legal requirements, as may be required by law, regulation, search warrant, subpoena or court order. However, if we are required to make such a disclosure to a third party, we will make a reasonable attempt to notify you first, unless we are prohibited from doing so by law or court order

Information Use
Inflexxion is the sole owner of the information collected on the ASI-MV Connect web site and collects identifiable information from our customers (NOT clients/patients or users of the ASI-MV Connect assessment) at several different points on our Website.

Registration
In order to use ASI-MV Connect web site, you must first complete the register and create a user name and password. During registration you are required to give contact information, such as name, email address and phone numbers. We use this information to verify you are an authorized user/customer and to contact you about the functionality, services and updates on the ASI-MV Connect web site.

Orders
If you purchase a product or service from us, we request certain personally identifiable information from you on our order form. You must provide contact information (such as name, email, and shipping address) and financial information (such as credit card number, expiration date). We use this information for billing purposes and to fill your orders. If we have trouble processing an order, we will use this information to contact you.

Special Offers and Updates
We will occasionally send you information on products, services and special deals. Out of respect for your privacy, we present the option not to receive these types of communications.

Newsletters
We will use your name and email address to send you a periodic newsletter. Out of respect for your privacy, we provide you a way to unsubscribe.

Service-related Announcements
We will send you strictly service-related announcements on rare occasions when it is necessary to do so. For instance, if our service is temporarily suspended for maintenance, we might send you an email. Generally, you may not opt-out of these communications, which are not promotional in nature. If you do not wish to receive them, you have the option to deactivate your account.

Customer Service
Based upon the personally identifiable information you provide us (NOT client/patient or user of the ASI-MV Connect assessment data), we will send you a welcoming email to verify your username and password. We will also communicate with you in response to your inquiries, to provide the services you request, and to manage your account. We will communicate with you by email or telephone, in accordance with your wishes.

Information Collected and Stored Automatically
If you do nothing during your visit but browse through the ASI-MV Connect web site, read pages, or download information, we will gather and store certain information about your visit automatically. This information does not identify you personally. We automatically collect and store only the following information about your visit:

1. The Internet domain (for example, "xcompany.com" if you use a private Internet access account, or "yourschool.edu" if you connect from a university's domain) and IP address (an IP address is a number that is automatically assigned to your computer whenever you are surfing the Web) from which you access our website;
2. The type of browser and operating system used to access our site;
3. The date and time you access our site;
4. The pages you visit; and
5. If you linked to the ASI-MV Connect web site from another website, the address of that website.

We use this information to help us make our site more useful to visitors -- to learn about the number of visitors to our site and the types of technology our visitors use. We do not track or record information about individuals and their visits.

Cookies
Any web page or application at this site that uses cookies will identify itself as such. Cookies are short and simple text files that are stored on a user's computer hard drive by web sites. They are used to keep track of and store information so the user does not have to supply the information multiple times. The information that is collected through cookies at this site is handled in the same manner as other information collected here. You can configure your web browser to refuse cookies or to notify you when a web site attempts to send you a cookie. You can also check your hard drive for cookie files and delete them from your computer. If you chose to delete or refuse cookies, you may experience some inconvenience with the automated functionality that recognizes you as a returning user.

Web Site Security
Inflexxion is committed to the security of the information that is either available from or collected by ASI-MV Connect web site. Inflexxion has taken multiple steps to safeguard the integrity of its telecommunications and computing infrastructure, including but not limited to, authentication, monitoring, auditing, and encryption.

Links to Other Sites
ASI-MV Connect web site has links to some other web sites. Inflexxion is not responsible for the content or privacy practices of these sites and suggests you review their privacy policies.

Changes to the Privacy Policy
Inflexxion may change any of the terms in this Privacy Policy at any time. Changes will become effective when ASI-MV Connect posts the modified Privacy Policy on the website. Inflexxion will inform customers of any material changes to the Privacy Policy. If you do not agree to the changes, you must cease use of the website. Continued use of ASI-MV Connect by you constitutes acceptance of the changes to the Privacy Policy.

Email Disclaimer
Inflexxion‟s Privacy Policy has no application to proprietary information, ideas or other intellectual property that you send to Inflexxion via email or otherwise. If you want to keep such information private or proprietary, then do not include them in an email to Inflexxion.

Contact Information
Inflexxion welcomes comments regarding this Privacy Policy. Please convey any questions or concerns to:

Privacy Officer
Inflexxion, Inc.
320 Needham St, Ste 100
Newton, MA 02464
617-332-6028
privacy@inflexxion.com