Cortex maintains the latest standards of security for customer and patient protected health information (PHI). We have implemented a comprehensive suite of safeguards and systems to protect the data we are entrusted with.
Some of the measures we have in place include:
Under the HIPAA Privacy Rule, protected health information ("PHI") of a patient can be used or disclosed, without the patient's authorization, for the purposes of payment, treatment, or health care operations (commonly referred to as the "PTO" exception) [45 C.F.R. § 164.502]. As further outlined herein, 'treatment' and 'health care operations' are the relevant exceptions that allow the sharing of such information in the Cortex network.
Under HIPAA, "'Treatment' means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another" [45 C.F.R. § 164.501].
Thus, covered entities (e.g., hospitals, physicians, pharmacists, SNFs) involved in the treatment or care of a patient can exchange a patient's PHI if it is reasonably related to coordinating, managing, or providing patient care. For example, a pharmacist speaks with providers multiple times each day, discussing PHI in relation to filling of prescriptions and providing appropriate care to patients; a hospital provides PHI to a SNF as part of coordinating the patient's transfer to the SNF; a physician discusses a patient's medical case with a colleague, to get guidance and insight. In such cases, those involved can exchange PHI, without the patient's authorization, if the purpose of the PHI exchange is to facilitate the patient's care.
Under HIPAA's Privacy Rule, a covered entity may disclose PHI to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is for certain purposes, including (1) conducting quality assessment and improvement activities (e.g. patient safety activities (such as those intended to improve the quality of health care delivery), outcome evaluations, case management, care coordination, and related functions) or (2) evaluating provider performance [45 CFR §§ 164.501, 164.506(c)(4)].
Thus, without a patient's authorization, under the Health Care Operations exception, HIPAA allows covered entities to disclose PHI to other covered entities that have treated the patient or are currently treating the patient, if the purpose is to improve operations and the quality of care provided to patients.
Under HIPAA, Cortex acts as a business associate of each of our customers, each being a covered entity under HIPAA. As a business associate, under the terms and conditions of our respective business associate agreement (BAA) with each customer, we receive our customers' patients' PHI and share it on their behalf on the Cortex network. However, the Cortex platform (and our BAAs) only allows sharing of this PHI between providers that are presently involved or have been involved in a patient's care over the prior 12 months, and further limits such access to those providers still reasonably tied to the patient's care ("Involved Providers"). For example, if a patient has used more than one home health provider in the last 12 months, only the most recent home health provider can view the patient's data. The assumption is that the patient has elected not to utilize the former home health service, and thus that home health service is no longer involved in the coordination or care of the patient.
For these Involved Providers, Cortex's platform allows the sharing of PHI to better coordinate and manage patient treatment and to improve health care operations. This is squarely allowed under the PTO exception of HIPAA's Privacy Rule [45 C.F.R. § 164.502]. Additionally, any information that is obtained from local health information exchanges and/or networks is shared in conformity with the terms and purposes thereof.
Additionally, Cortex's customer contracts (including the associated BAAs), terms of service, business practices, and internal policies are in alignment with the structures, purposes, and objectives outlined herein. Cortex has also engaged multiple third parties to conduct HIPAA audits and has instituted all identified privacy and security measures to ensure compliance. Such measures also include written policies and procedures and required employee training on HIPAA.
HIPAA compliance is an ongoing process, and Cortex makes a continual effort to ensure that our policy and procedure safeguards remain effective. We also regularly train staff so they do not forget their responsibilities related to PHI and HIPAA. We conduct regular risk analyses, identify new risks to the confidentiality, integrity, and availability of PHI in our systems, and manage risks to acceptable levels. There is, however, no governing body from the government that grants a "HIPAA Compliant" certification. We are pursuing SOC2 Type II Certification.
Yes, we have several monthly, quarterly and/or annual processes to ensure that we are in compliance with our policies and procedures. We maintain subscriptions to industry and regulatory changes, in order to monitor the ever-changing threat landscape related to security