Regulatory Compliance

NMA ZSentry HIPAA & HITECH Safe Harbor
Compliance and Certification of Business Data Security


HIPAA and ARRA certified

ZSentry is certified by the U.S. Government to provide a HIPAA-compliant EMR (Electronic Medical Records) solution (CHPL Product Number: IG-2482-11-0040), including encryption when exchanging electronic health information (§170.302.v) and providing an electronic copy of health information (§170.304.f).

ZSentry is certified by the U.S. Government to satisfy ARRA requirements in U.S. Federal incentive payment programs with Medicare and Medicaid, where ZSentry works with partners providing qualified solutions for meaningful use of HIPAA-certified EMR. ZSentry can also be used with the U.S. Federal incentive program for Eligible Professionals (EP) who are successful electronic prescribers.

In this Compliance Statement, ZSentry describes the level and extent of, and the limits on, its safeguarding of protected information, including protected health information and business data, with respect to privacy, security, and integrity, for the purpose of regulatory compliance. Regulatory compliance, including HIPAA compliance, requires the ZSentry Premium service licensed for a term of at least one year.

Compliance is provided on a technical level, under HIPAA, HITECH Safe Harbor, and other rules as well. ZSentry Premium provides per-message encryption, de-identification, two-factor authentication, access control, auditing, data loss protection, a secure archive and other services protecting information in transit and at rest. ZSentry Premium operates in full HIPAA compliance without requiring users to sign a Business Associate Agreement (BAA), although a BAA can be signed if desired.

American Recovery and Reinvestment Act (ARRA)
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH) & HITECH Safe Harbor
Family Educational Rights and Privacy Act (FERPA)
Federal Financial Institutions Examination Council (FFIEC)
International Standards Organization (ISO) 17799
Gramm-Leach Bliley Act (GLBA)
Sarbanes-Oxley Act (SOA)
U.S. State Security Breach Notification Laws

THIS DOCUMENT IS INCORPORATED BY REFERENCE IN THE NMA ZSENTRY PREMIUM TERMS OF SERVICE AND DOES NOT EXIST INDEPENDENTLY. UNLESS OTHERWISE DEFINED HEREIN, THE PROVISIONS OF THE NMA ZSENTRY PREMIUM TERMS OF SERVICE APPLY TO THIS DOCUMENT.

1. SERVICE: NMA ZSentry offers users online access to on-demand services, providing for secure reception and transmission of messages electronically (the "Service"), using ZSentry technology and a variety of technologies and methods. Each Service may be web-, desktop-, server-, or mobile-based. Each Service utilizes an interface (the "Interface") accessed through compatible and allowed means, such as a web-browser, an email client, or a server.

2. SERVICE LICENSE: License to use the Service (the "Service License") is regulated and provided in terms of the NMA ZSENTRY PREMIUM TERMS OF SERVICE, which current copy may be found at zsentry.com (the "Website").

3. RESTRICTIONS: The term "Service User" shall refer exclusively to Service use that is licensed in terms of the Service License and is not limited herein. This document does not apply to Service that is provided as a trial, or that is free of charge, or that is licensed for less than one year, or that is not licensed in terms of the Service License. This document shall be applicable only under the laws or regulations cited herein, with applicable successor provisions, in the event and to the extent that the Service License applies with respect to the Service User. Service Users are asked to read and be familiar with this document; in case of any questions, check the Service guides online at the Support Center, the screen-by-screen icons, or request a Support Ticket.

4. HIPAA AND HITECH USE: The Interface and the data viewed or generated for transmission constitute fully compliant Standard Transactions as defined under the Health Insurance Portability and Accountability Act of 1996 and its Privacy Rule and Security Rule (HIPAA), as may be amended or otherwise modified by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Compliance is provided on a technical level, guarding data integrity, confidentiality and availability.

5. DEFINITIONS: Terms used, but not otherwise defined in this document, shall have the same meanings given them in HIPAA and the HITECH Act. Specifically, Covered Entity (HIPAA, 45 CFR § 160.202) shall be limited to a Covered Entity that is a Service User. Further, Protected Health Information (HIPAA, 45 CFR § 160.103), also called PHI, shall be limited to the PHI received through the Service from you, and shall exclude email headers; the latter information is protected through the Service PRIVACY POLICY specified in the Service License. "We", "Our" and "Us" as used herein refer to NMA, Inc. and the NMA ZSentry Service, as qualified herein.

6. HITECH SAFE HARBOR: HITECH addresses breach notification rules and implements a tiered system that increases civil monetary penalties for noncompliance, and also allows state attorneys general to file civil actions on behalf of residents of their states who they believe were adversely affected by a HIPAA violation. The HITECH Act also defines a Safe Harbor provision (Section 13402, Title XIII), which is exempt from the breach notification and reporting rules (45 CFR Parts 160 and 164). The Service falls within the HITECH Safe Harbor provision because all PHI is encrypted to prevent disclosure, PHI decryption keys are not stored, and the PHI is de-identified, so that the Service holds no PHI that might be affected by a security breach.

7. FORWARD HIPAA COMPLIANCE: Our compliance with HIPAA includes tracking modifications to the compliance deadlines that may be published in the future, and maintaining compliance from that point forward for as long as the HIPAA regulations are deemed to apply to the Service. Additional privacy and security enhancements, even if not currently required by HIPAA, may be provided as defined in the ZSENTRY TERMS OF SERVICE.

8. BUSINESS ASSOCIATE AGREEMENT: We do not share, create or use PHI to provide the Service; PHI is de-identified whether in transit or at rest; the Service is not made aware of PHI; and the Service works solely as a conduit between end points of a user's choosing. For these multiple reasons we are not required to enter into a Business Associate Agreement (45 CFR §§ 164.502(d)(2), 164.514(a) and (b)). The Service is also provided under the Safe Harbor provision of the HITECH Act, which is exempt from the breach notification and reporting duties. Nonetheless, if desired and for the same effect under HIPAA, NMA ZSentry can sign a Business Associate Agreement with your organization as a Service User. To request one, submit a Support Ticket for "HIPAA BAA" and provide the organization's characterization as a Covered Entity under HIPAA.

9. U.S. STATE SECURITY BREACH NOTIFICATION LAWS: Since 2002, forty-six U.S. states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. States with no security breach law as of 2011 are Alabama, Kentucky, New Mexico, and South Dakota. In 2011, at least 14 states introduced legislation expanding the scope of these laws, setting additional requirements related to notification, or changing penalties for those responsible for breaches. Such legislation usually requires all organizations that collect certain personal information to protect it against possible impersonation fraud ("identity theft"). In addition, it stipulates that if there is a security breach of a database containing personal data, the responsible organization must notify each individual for whom it maintained personal information. However, organizations can generally avoid breach notification duties under certain conditions called Safe Harbor. The Service complies with the Safe Harbor conditions, protecting personal information and other sensitive information by using ZSENTRY technology and a variety of technologies and methods. Further, the Service is not made aware of personal information and thus holds no personal information that might be affected by a security breach.

10. OTHER USES: The Service provides a proven anti-phishing solution with mutual authentication, two-factor authentication of users, and identity validation for email communications, guarding data integrity, confidentiality and availability. Further, the Service provides layered security so that if security is breached, no user access data or personal data can be recognized or accessed.


Development and © by NMA
