Privacy & Security
Cookie Use Notice
Cookies are small pieces of temporary data that are exchanged between a web site and a user’s computer which enable a “session”, or “dialog”, to be established between the two machines. With the session established, RecoveryTrek is able to tailor its responses (i.e., provide you with the information you want) and help you traverse our web pages in the most efficient and effective manner possible.
For security purposes, our website employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. We protect the security of your information during transmission by using Secure Sockets Layer (SSL), which encrypts information you input. The SSL cipher is indicated by the “https” prefix in the uniform resource locator (URL) address. At any time, you can double-click the padlock icon or key icon (for Internet Explorer or Netscape, respectively) in the bottom corner of the browser window to view the details of our SSL certificate.
Encryption is based on a key that has two different parts: the public part and the private part. The public part of the key is distributed to those you want to communicate with. The private part is for the recipient’s use only. When you send personal information to RecoveryTrek.com, you use RecoveryTrek’s public key to encrypt your personal information. That means, if at any point during the transmission your information is intercepted, it is scrambled and very difficult to decrypt. Once RecoveryTrek receives your encrypted personal information, we use the private part of our key to decode it.
Our cloud-based Success Management Software and web site are hosted in a secure server environment that uses advanced firewall and other cutting-edge technology to prevent interference or access from intruders. Your information and data are safe, secure, and available only to registered and authorized users.
Emails from RecoveryTrek
Never respond to emails claiming that an I.T. or I.S. administrator needs your username and password. These are phishing schemes. For future reference, the following are valid RecoveryTrek email accounts and are the only ones authorized to send out emails to participants or company-wide distribution lists or to send emails advising individual users about some aspect of RecoveryTrek technology:
You may also receive an email directly from your Account Manager. This email address will always be the Account Manager’s first name followed by ‘@RecoveryTrek.com’ – for example:
You can ignore and delete any messages pertaining to technology services NOT from one of the addresses listed above. As a reminder, members of our technology department WILL NEVER ask you for your password FOR ANY REASON. NEVER disclose your password to ANY third party. NEVER click on any links in these emails.
The Health Insurance Portability and Accountability Act (HIPAA)
RecoveryTrek LLC uses many security features to ensure that only authorized users access “protected health information (PHI).” The following measures are set forth for compliance with HIPAA regulations for Privacy and Security.
The Privacy Rule protects all PHI, or “individually identifiable health information” held or transmitted by RecoveryTrek. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number, credit card data), as well as the provision of health care to an individual (physical or mental).
How We Collect Information About You
Only authorized RecoveryTrek employees may collect data (through a variety of means including but not necessarily limited to letters, phone calls, emails, voice mails, and from the submission of enrollment applications) that is either required by law, or necessary to serve participants and clients. The CEO is responsible for developing and implementing privacy compliance and is the person to receive complaints and provide additional information.
How We Handle Your Information
Information about your financial situation and medical conditions that we receive from other providers or that you provide to us in writing, via email, on the phone (including information left on voice mails), contained in or attached to correspondence, or directly or indirectly given to us, is held in strictest confidence.
We do not give out, exchange, barter, rent, sell, lend, or disseminate any information about participants or clients who receive our services that is considered patient confidential, is restricted by law, or has been specifically restricted by a patient/client.
RecoveryTrek uses administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule. For example, this includes shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.
RecoveryTrek provides regular, periodic training and ongoing supervision of those who work with PHI. Noncompliance is grounds for dismissal.
Limited Right to Use Non-Identifying Personal Information
Any pictures, correspondence, or thank you notes sent to us become the exclusive property of RecoveryTrek. We reserve the right to use non-identifying information for fundraising and promotional purposes. No identifying information (names or uniquely identifiable data) will be used without the client’s express advance permission.
The Security Rule specifies our administrative, physical, and technical safeguards for the confidentiality, integrity, and availability of electronic protected health information (e-PHI).
HIPAA Security Risk Assessment regulations concerning Network Security Standards are effective April 21, 2005. Compliance ensures that only those who should have access to e-PHI actually have access.
Ensures the confidentiality, integrity, and availability of all e-PHI we create, receive, maintain or transmit;
Identifies and protects against reasonably anticipated threats to the security or integrity of the information;
Protects against reasonably anticipated, impermissible uses or disclosures; and
Ensures compliance by our workforce.
The Security Standards are divided into three Safeguard categories: Administrative, Physical, and Technical. Administrative Safeguards deal primarily with the personnel and planning functions necessary for a Covered HealthCare Provider to comply. The majority of the Physical and Technical Safeguards are a function of a system’s network infrastructure, hardware capability, and our Software Application. The following list of risk factors represents the primary Security Implementation Specifications:
Does the RecoveryTrek system permit data encryption/decryption? Yes. Any Internet-based wide area network connection is fully encrypted, and local connections are optionally encrypted.
Does each user have a unique user identification code? Yes.
Does each user have a unique user password? Yes. The system requires the user to enter his/her password at login. Furthermore, the system can require users to change their passwords after a set number of days.
Do users use unique tokens to access the application? Yes. The unique token is the RecoveryTrek password. In addition to the system password, each user is assigned a RecoveryTrek identity and password that is used to track operator activity and responsibility.
Are there integrity controls for transmission? Yes.
Are users automatically logged off after a period of inactivity? Yes. In compliance with the client’s security policy, this will be set up to log users off after a predetermined period of inactivity.
Is the data protected from unauthorized, unanticipated or unintentional alteration, including detection of such activities? Yes.
Are there mechanisms to record and examine user activity? Yes. RecoveryTrek tracks user activity in critical areas of software use. RecoveryTrek can also track a record of screens accessed without data change. This added functionality is available as an add-on module.
Are there procedures for accessing the application during an emergency? Yes.
Server, Network, and Application level Security
The most basic type of security is physical security of the server and backup media. Access and times are restricted to only authorized users (role-based access). In addition, the server is accessed only from authorized locations, and the data is protected while it is in transit. Router configurations, access lists, and other similar tools are used to ensure that only users in authorized locations are able to gain access.
We also encrypt data in transit between the user session and the server. In such cases, RecoveryTrek uses Secure Sockets Layer (SSL) encryption, a standard Internet encryption, or Virtual Private Networking (VPN).
Our cloud-based web site is hosted in Salesforce.com’s secure server environment that uses a firewall and other advanced technology to prevent interference or access from intruders. RecoveryTrek and Salesforce.com utilize the most advanced technology for Internet security. In a HIPAA compliant fashion, your information and data are safe, secure, and available only to registered and authorized users.
RecoveryTrek complies with all government regulations for data transmission and storage, including the HIPAA Electronic Transaction and Code Sets Rule. Our CEO is the Security Official responsible for developing and implementing security policies and procedures, to include annual assessment of how well these meet requirements of the Security Rule.