ATMOS Inc.’s Policy On The Privacy Of Patient Health Information
Background
ATMOS Germany develops and manufactures medical devices, and its US subsidiary, ATMOS Inc., sometimes sponsors clinical trials to bring new products to the US market. In performing their duties, representatives of ATMOS Inc. (ATMOS Representatives) sometimes visit and consult with, or receive information from, ATMOS Inc.’s customers, such as clinical consultants, physicians, hospitals, nursing homes and other allied health care entities. Because ATMOS Representatives may have access to patient health information in performing these activities, some ATMOS Inc. customers have requested that ATMOS Inc. execute a “Business Associate Agreement” pursuant to the Business Associate requirements under the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA Privacy Regulations).
Status & Policy
ATMOS Inc. is not a “Business Associate” under the HIPAA Privacy Regulations. ATMOS Inc. is aware of the many legal responsibilities of, and the challenges faced by, health care providers with respect to protecting the privacy of patient information, including complying with the HIPAA Privacy Regulations. ATMOS Inc., along with other medical device manufacturers and trade association advisory personnel, has reviewed the HIPAA Privacy and Security Regulations and has concluded that companies like ATMOS Inc. are not “Business Associates” of their customers because they are not performing services, functions or activities for or on behalf of their customers. The definitions in the HIPAA Privacy Regulations make clear that medical device manufacturers are not considered “Business Associates” in their capacity as sponsors of clinical research. Similarly, when one of ATMOS Inc.’s customers provides patient health information to an ATMOS Representative so that ATMOS Inc. can provide a product replacement, handle a product warranty claim or safety incident, or provide other information about its products, the disclosure of information concerns the treatment of the patient, and Section 164.502(e) of the HIPAA Privacy Regulations specifically excludes such disclosures from the Business Associate Agreement requirements.
ATMOS Representatives may also inadvertently view or overhear patient health information when they visit a customer’s site. When this occurs, ATMOS Representatives are not materially different from other office visitors who may be inadvertently exposed to patient health information such as cleaning staff or other patients. The Department of Health and Human Services has indicated that such disclosures are permissible under the HIPAA Privacy Regulations and it merely expects health care providers to take reasonable steps to minimize such inevitable exposures. On occasion ATMOS Representatives may also receive faxed, mailed or emailed patient health information documents. When this occurs, ATMOS Representatives are instructed to destroy these documents and report the exposures to the sending customer. In any event, a Business Associate relationship is not created by such inadvertent disclosures.
HIPAA Privacy and Security Terms & Conditions
“PHI” means information in any form or medium, shared by ATMOS Representatives or ATMOS customers that:
(a) relates to the physical or mental health, treatment or condition of a person, the provision of health care to a person, or payment for the provision of health care to a person; and which
(b) identifies the person or for which there is a reasonable basis to believe could be used to identify the person.
“Electronic Protected Health Information,” or “ePHI,” is a subset of PHI and means PHI that is transmitted by or maintained in electronic media. All ATMOS Representatives and ATMOS customers agree that:
(a) you may only use PHI for the purpose for which it was provided to you and for your internal business administration and operations;
(b) you may only disclose it to a third party as required by law;
(c) you will use or disclose PHI only in the minimum amount and to the minimum number of persons necessary to achieve the permitted purpose of the use or disclosure;
(d) you will use appropriate safeguards to prevent other uses or disclosures of PHI;
(e) you will promptly report to us any non-permitted use or disclosure of PHI of which you become aware;
(f) you will promptly mitigate, to the extent practicable, any harmful effect that is known to you arising from a non-permitted use or disclosure of PHI by you;
(g) you will provide access to PHI in accordance with 45 CFR 164.524;
(h) you will make your internal practices, books and records relating to the use and disclosure of PHI available to ATMOS Inc. for the purpose of auditing and determining the customer’s compliance with the Privacy Rule or the Security Rule;
(i) you will develop, maintain, and use reasonable and appropriate safeguards to protect the confidentiality, integrity and availability of ePHI that has been created, received, maintained or transmitted;
(j) you will report to us any attempted or successful unauthorized access, use, disclosure, modification or destruction of ePHI or interference with your system operations in your information systems, of which you become aware;
(k) you will ensure that any third parties to whom you provide PHI agree to the same restrictions and obligations with respect to PHI as you have agreed to hereunder; and
(l) at ATMOS Inc. or ATMOS customer’s request, you will return or destroy all PHI, and certify the same in writing.
- March 2010 ATMOS, Inc. -