(I) Introduction
In addition to the Terms and Conditions of Use, the Medical Provider Portal Terms and Conditions (“Terms and Conditions”) govern the use of the New York State Insurance Fund (“NYSIF”) Medical Provider Portal (the “Portal”). The “Portal User” shall mean any individual or entity entering the Portal, including but not limited to a medical provider or health care provider and their employees (“Provider”) and a third party billing vendor (“Vendor”) and their employees who provides billing and payment services to a Provider.
The Portal is an internet web portal designed to provide a point of access to billing and payment information for the needs of Providers and Vendors. The Portal is a private, secure network available only to authorized Portal Users. For the purposes of the Terms and Conditions, the Portal includes Portal data, website, and all relevant parts and components thereof. NYSIF may make improvements and/or changes in the products and/or programs described in these Terms and Conditions at any time without notice.
The Terms and Conditions govern the use of the Portal. Unless a Provider or a Vendor accepts the Terms and Conditions, as set forth below, in full, and so indicates acceptance by clicking that they agree, they will not be allowed to access and use the Portal.
(II) Terms and Conditions
By assenting to the Terms and Conditions:
- Any Provider who has authorized a Vendor to utilize the Portal on behalf of the Provider is affirming to NYSIF that the Provider has entered into a “Business Associate Agreement,” as described below, with that Vendor; and
- Any Vendor is affirming to NYSIF that it has entered into a “Business Associate Agreement” as described below, with the Provider who has authorized the Vendor access to the Portal on its Provider’s behalf.
A “Business Associate” is a person or entity, other than a member of the workforce of the Provider, who performs functions or activities on behalf of, or provides certain services to, the Provider that involves access by the Business Associate to protected health information (“PHI”). A “Business Associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another Business Associate. Federal regulations require that Providers and the Business Associate enter into a “Business Associate Agreement” to ensure that the Business Associates will appropriately safeguard protected health information.
A “Business Associate Agreement” is an agreement between a Provider and a Business Associate that requires the inclusion of several provisions that must state the following, including but not limited to:
- establish the permitted and required uses and disclosures of PHI;
- provide that there will be no further disclosure of the protected health information other than as permitted or required by the agreement or as required by law;
- require implementation of appropriate safeguards to prevent unauthorized use or disclosure of the protected health information;
- require reporting to the Provider any use or disclosure of the information not provided for by its agreement, including incidents that constitute breaches of unsecured protected health information;
- at termination of the agreement, if feasible,require the return or destroying of all protected health information received from, or created or received by the Business Associate on behalf of, the Provider;
- require the Business Associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the Business Associate with respect to such information; and;
- authorize termination of the agreement by the Provider that if the Business Associate violates a material term of the agreement.
(III) Protected Health Information
Protected Health Information refers to information as defined in the Health Insurance Portability and Accountability Act of 1996, or any successor federal statute, and the rules and regulations thereunder, all as may be amended or supplemented from time to time. In the event the Portal User creates, receives, maintains, or otherwise is exposed to PHI, personally identifiable aggregate patient or other medical information, Portal User shall:
- Not use or further disclose the PHI, except as permitted by federal or state law;
- Not use or further disclose HIV related PHI in violation of New York State Public Health Law §2782(5)a. PHL §2782(5)a prevents further disclosure of HIV related information without the specific written consent of the person to who it pertains, or as otherwise permitted by law. Any authorized further disclosure in violation of state law may result in a fine or jail sentence or both. A general authorization for the release of medical or other information is NOT sufficient authorization for further disclosure of HIV related PHI.
- Not use or further disclose, the PHI in a manner that violates New York State Workers' Compensation Law §110-a Confidentially of Workers’ Compensation Records or any other state or federal law.
- Use appropriate safeguards (including implementing administrative, physical, and technical safeguards for electronic PHI) to protect the confidentiality, integrity, and availability of and to prevent the use or disclosure of the PHI other than as provided for by the Terms and Conditions;
- Report immediately to NYSIF any security incident or other use or disclosure of PHI not permissible under the Terms and Conditions of which Portal User becomes aware;
- Ensure that any subcontractors or agents who receive or are exposed to PHI (whether in electronic or other format) are provided the Terms and Conditions and agree to the same restrictions and conditions;
- Make its internal practices, books, and records that relate to the use and disclosure of PHI available to NYSIF for purposes of determining compliance with the Terms and Conditions.
(IV) Information Security Breach
In the event of a Breach of Security as defined in NY CLS Gen Bus §899-aa and NY CLS State Technology Law §208, or otherwise, involving NYSIF-supplied Personal Information or Private Information from systems owned, operated, sub-contracted or otherwise routed through Providers or Vendors systems or networks, the Provider or Vendor shall notify NYSIF immediately, without unreasonable delay.
“Breach of Security” shall mean the unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.
“Personal Information” shall mean any information concerning a person which, because of name, number, mark or other identifier, can be used to identify such person.
“Private Information” shall mean personal information in combination with any one or more of the following data elements, when either the personal information or the data information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
- social security number;
- driver’s license number or non-driver identification cards number; or
- account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual’s financial account.
The Provider and/or Vendor additionally undertakes to, solely at its own cost and expense, provide any requisite notices that either the Provider and/or Vendor or NYSIF would have to provide pursuant to NY CLS Gen Bus §899-aa and NY CLS State Technology Law §208, or any other applicable statute, both on behalf of the Provider and/or Vendor on behalf of NYSIF. The Provider and/or Vendor’s notification shall include but not be limited to a description of the categories of information that were, or are reasonably believed, to have been acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired, or as otherwise provided for by applicable law. In addition to the above stated requirements, and to the extent permitted by law, the Provider and/or Vendor shall indemnify and hold harmless NYSIF for any Breach of Security by the Provider and/or Vendor, its sub-contractors, or its employees or agents.
(V) Provider Termination of Vendor
When a Provider no longer authorizes a Vendor to access its Portal data, it is the sole responsibility of the Provider to promptly remove Vendor’s access by deleting the Vendor as their authorized third party biller from the Provider’s Portal account.
(VI) Termination Upon Breach of Provisions
The Portal is provided by NYSIF solely as a courtesy and convenience to you, and we assume no obligation to continue to make the Portal available or to grant access to any person who we determine fails to comply with these Terms and Conditions. NYSIF reserves the right, in its sole discretion, to terminate, modify or discontinue (temporarily or permanently) your online account and access to the Portal and any application or web site accessed via this account, at any time, with or without notice. Notwithstanding any other provision of the Terms and Conditions, NYSIF may immediately, terminate, modify or limit Portal User’s online account and Portal User’s portal access if it determines that Portal User has breached any provision of the Terms and Conditions. Alternatively, NYSIF may provide written notice to Portal User in the event of a breach and give five (5) business days to cure such breach.
(VII) Return or Destruction of PHI by Vendor
Once Vendor is notified by Provider, in any manner, that Provider will no longer utilize Vendor’s services, unless otherwise directed by NYSIF, Vendor shall either return or destroy all PHI received from NYSIF, or created or received by Vendor from the Portal which Vendor maintains in any form. Vendor shall not retain any copies of such PHI. Notwithstanding the foregoing, in the event that Vendor determines that returning or destroying the PHI is infeasible upon rescinding of Portal access, Vendor shall provide to NYSIF notification of the condition that makes return or destruction infeasible.
To the extent that it is not feasible for Vendor to return or destroy such PHI, Portal User shall (1) retain only that PHI which is necessary to carry out the legal responsibilities of the Portal Users subject to the Terms and Conditions and (2) continue to use appropriate safeguards and comply with federal and state laws with respect to PHI to prevent use or disclosure of the PHI, for as long as Portal User retains the PHI. The Terms and Conditions shall survive Provider’s rescission of Vendor’s access.
(VIII) Amendment
NYSIF may amend the Terms and Conditions to the extent necessary to allow compliance with the relevant state or federal laws or regulations created or amended to protect the privacy of patient information. All such amendments shall be made in writing.
(IX) Interpretation
Any ambiguity in the Terms and Conditions shall be resolved in favor of a meaning that permits NYSIF to comply with the most applicable federal and state laws and regulations.
(X) Survival
The obligations imposed by the Terms and Conditions shall survive the Portal User’s access to the Portal and PHI.
(XI) No Waiver
Failure or delay of the part of NYSIF to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. No provision of the Terms and Conditions may be waived by NYSIF except in writing.
(XII) Severability
The provisions of the Terms and Conditions shall be severable, and if any provision of the Terms and Conditions shall be held or declared to be illegal, invalid or unenforceable, the remainder of the Terms and Conditions shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
(XIII) Knowledge of Governing Law
Portal User agrees to review, understand, and comply with all applicable federal and all state laws.
(XIV) Rights of Proprietary Information
NYSIF retains any and all rights to the proprietary information released to any Portal User.
(XV) Choice of Law
The Terms and Conditions and the rights and the obligations of the Portal Users hereunder shall be governed by and construed under the laws of the State of New York, without regard to applicable conflict of laws principles.
(XVI) Indemnification
Portal User shall be fully liable for the actions of its agents, employees, partners or sub-contractors and shall fully indemnify and save harmless NYSIF, whether or not involving a third-party claim, from suits, actions, damages and costs of every name and description relating to injury and damage caused by any intentional act or negligence of Portal User, its agents, employees, partners or sub-contractors, without limitation.
© 2016 New York State Insurance Fund. All rights reserved. Last Updated: February 21, 2017.