Data Stewardship Policy

Effective Date: 1/1/2025
Last Updated: 6/1/2025

Purpose: to provide information and direction to SKF employees and data analysis partners and data providers on SKF Health’s data transmission, storage and use of received health claims data.

These Terms and Conditions ("Terms") govern your (“Data Provider”) submission of medical and pharmaceutical claims data to SKF Health ("Data Steward", "we", "us", or "our") for the purpose of claims analysis and reporting.

By transmitting data to us or by authorizing a third party to do so on your behalf, you acknowledge and agree to these Terms.

1. Purpose of Data Submission

You authorize us to receive and process medical and pharmaceutical claims data from employer groups, unions, or third-party data transmitters solely for the purposes of:

  • Performing claims analysis; and

  • Delivering reporting outputs exclusively to you or your designated third-party transmitter.

2. Permitted Use of Data

The data will only be used for claims analysis and reporting. We are strictly prohibited from:

  • Using the data for marketing, advertising, or any unrelated commercial purpose;

  • Sharing the data with any third party unless they are a designated business partner under our BAB partnership program and are contractually bound to use the data only for claims analysis and reporting purposes;

  • Selling, licensing, sublicensing, or redistributing the data in any way.

3. Data Format Requirements

All data must be submitted in one of four pre-approved standardized templates. We reserve the right to return or reject data submissions that do not meet the required formatting or structural standards.

4. Data Security & Storage

We implement and maintain reasonable and appropriate technical, administrative, and physical safeguards to protect data confidentiality, integrity, and availability, including:

  • Secure transmission protocols (e.g., SFTP, HTTPS, encrypted email);

  • Data encryption at rest and in transit;

  • Role-based access controls;

  • Employee training and confidentiality agreements;

  • Regular risk assessments and system audits.

5. Compliance with Laws and Regulations

We comply with all applicable federal and state laws and regulations governing health information, including but not limited to:

Federal Regulations:

  • Health Insurance Portability and Accountability Act (HIPAA)

    • Privacy, Security, and Breach Notification Rules

  • Health Information Technology for Economic and Clinical Health (HITECH) Act

  • 21 CFR Part 11 (where applicable to electronic records)

  • CMS Guidelines for claims data use and Medicare/Medicaid compliance

  • ERISA and Department of Labor regulations (as applicable for union data)

State-Specific Laws (non-exhaustive):

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

  • New York SHIELD Act

  • Massachusetts Data Security Regulations (201 CMR 17.00)

  • Texas Medical Records Privacy Act

  • Illinois Personal Information Protection Act (PIPA)

  • Washington Consumer Health Data Law (effective 2024)

  • Other relevant state laws applicable to data received based on patient location or source.

You are responsible for ensuring that your submission of data is authorized and compliant under applicable federal and state laws.

6. Data Retention and Deletion

We retain your data only for the duration necessary to fulfill the claims analysis and reporting functions. Upon completion, data will be:

  • Returned to the submitting party, or

  • Permanently and securely deleted upon request or at the end of the data lifecycle.

We will retain data only if required by federal, state, or contractual obligations.

7. Confidentiality and Access

Access to submitted data is limited to authorized personnel involved in analysis and compliance. All staff are trained in data privacy and subject to confidentiality agreements.

8. De-identificaiton of Protected Health Information

The Privacy Regulations allow SKF Health to de-identify protected health information (“PHI”). SKF Health will comply with the HIPAA standard for de-identification.

PROCEDURE

1.          SKF Health may de-identify PHI as follows:

1.          a person with appropriate knowledge of, and experience with, generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

1.          applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and

2.          documents the methods and results of the analysis that justify such determination.

2.          In the alternative, de-identified information may be created by removing the following identifiers of the individual, or of relatives, employers, or household members of the individual:

1.          names

1.          all geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

1.          the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

2.          the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;

2.          all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

3.          telephone numbers;

4.          fax numbers;

5.          electronic mail addresses;

6.          social security numbers;

7.          Medical record numbers;

8.          health plan beneficiary numbers;

9.          account numbers;

10.       certificate/license numbers;

11.       vehicle identifiers and serial numbers, including license plate numbers;

12.       device identifiers and serial numbers;

13.       web Universal Resource Locators (URLs);

14.       internet Protocol (IP) address numbers;

15.       biometric identifiers, including finger and voice prints;

16.       full face photographic images and any comparable images; and

17.       any other unique identifying number, characteristic, or code, except as permitted for purposes of re-identification.

2.          SKF Health may assign a code or other means of record identification to allow information that has been de-identified to be re-identified by SKF Health, provided that:

1.          the code or other means of record identification is not derived from or related to information about the individual and is not

otherwise capable of being translated so as to identify the individual; and

3.          SKF Health does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

9. Breach Notification

In the event of a data breach, we will notify the Data Provider within 72 hours of becoming aware of the incident, in accordance with HIPAA and applicable state breach notification laws.

Notifications will include:

  • A description of the incident;

  • Affected data elements;

  • Mitigation measures taken;

  • Recommendations for affected parties.

10. Audit Rights

You may request a security or compliance audit of our systems and data handling practices with 30 days’ notice, limited to once annually unless a breach or suspected non-compliance occurs.

10. Limitation of Liability

To the maximum extent permitted by law, our liability for any claims arising under these Terms shall be limited to direct damages, and shall not exceed the fees (if any) paid to us for services rendered in the 12 months prior to the claim.

We are not liable for:

  • Indirect, consequential, or incidental damages;

  • Any data breach caused by your own agents or unauthorized third-party submissions.

11. Termination

You may terminate these Terms at any time by providing written notice. Upon termination, all stored data will be returned or deleted per Section 6.

We reserve the right to terminate data access or processing at our discretion if we determine that continued use poses a compliance, legal, or security risk.

112. Changes to These Terms

We may update these Terms from time to time. You will be notified of any material changes and continued data submission or authorization after such notification will be deemed acceptance of the updated Terms.