BMR is thoroughly aware of the nature of the information we handle daily on behalf of our clients worldwide, and therefore we take every possible precaution to protect, insure, and secure our clients’ personal data at all times.
The following is a description of the safeguards and chain-of-custody policies and procedures you can trust are in place for transferring personal data material from a client’s archive location directly to our secure facility in Knoxville, TN:
Description of Personal Data Processing and Destruction:
BMR processes secure destruction of healthcare medical records and radiological images for hospital facilities worldwide for purposes of proper compliant destruction of medical records as well as the reclamation of certain raw materials associated with those records and images, primarily silver recovery. As a result of the inherent future value of the raw materials, and in conjunction with our contracted Clients, we adhere to the highest level of scrutiny, including our participation in the US Department of Commerce’s International Trade Administration’s Privacy Shield framework.
Medical records may contain certain patient personal information that must be protected at all times from access by any unauthorized third party. Information that is considered personal data may include a patient’s date of birth, social security number, address, name, and/or medical history, all of which will never be disclosed to any unauthorized third party, at any time, once BMR has taken possession of such materials. All such documentation is fully destroyed by BMR, in compliance with US HIPAA, upon entering our secure facilities in the United States, by BMR US HIPAA compliant employees.
Logistic Transport Description
Shipment of materials will be scheduled and coordinated between the BMR logistics manager and the Client project manager. The logistics company, driver contact, and dispatch coordinator information will be visible to the project manager. All materials will be placed in a shipping container and sealed with a bolt-cutter seal provided by BMR. This seal number will correspond to the Control Number issued for the specific load of material to be recycled. All materials will be covered in black PE wrap and stretch-wrapped into a secure package by skid.
Daily tracking updates will be sent as the material is in transit. If required, GPS signal devices can be added to the packages of material and/or to the truck door seal to send out an hourly location update. An alarm is sent if the truck seal is opened at any location other than the coordinates of our processing plant in Knoxville, TN. When being transported by vessel, the ship’s GPS location is substituted for the local container location.
Upon arrival at the BMR facility, a photo of the unbroken seal is emailed to the project manager and permission is requested to break the seal. A Client representative or their authorized third party representative can also be on-site to witness unloading. Once the emailed permission is granted, the seal is broken and the contents are weighed into the receiving department. A bar code tracking label is produced for each skid received and the itemized list is emailed to the project manager within 24 hours of receipt. Each skid is tracked through grinding and processing. All materials are destroyed and a Certificate-of-Destruction is issued within 14 days of arrival.
Client Rights, and BMR Disclosures and Liabilities
Our healthcare industry Clients have the right at any time to access their patient records we have received on their behalf. However, as a result of the nature of our service, such records become unavailable at a certain point in the destruction process. Until such time, our Clients, and their patients, maintain every right under law to request that certain records be returned, and/or not be destroyed until authorization is given to BMR by Client. BMR will make every effort to fulfill such requests until such time as records are formally destroyed, as described herein.
We will take reasonable precautions to protect all Personal Information in our possession from loss, misuse, and unauthorized access, disclosure, alteration or destruction. We will make reasonable efforts to keep your Personal Information reliable for its intended use, accurate, current and complete. As necessary, we will take additional precautions regarding the security of particularly sensitive information, such as Date of Birth, or medical history information. While we strive to secure your Clients’ Personal Information, we cannot warrant or guarantee that this information will be protected under all circumstances, including those beyond our reasonable control.
Third Party Disclosure Liability
Before any service agreement is in place, BMR will execute a proper US HIPAA compliant Business Associate Agreement (BAA) with our Clients. This BAA will assure our Clients that all policies and procedures under the US Federal Health Information Portability and Accountability Act of 1996 (HIPAA) will be followed by all BMR employees at all times.
BMR also maintains proper insurance policy coverages for General Liability, Errors and Omissions, and Workman Compensation; and upon Client contracted engagement, our Clients are listed as an additional insured for the time periods that BMR is in possession of any Client records.
Our facilities are AAA certified with the National Association of Information Destruction (NAID). This third party verification can be reviewed at https://naidonline.org.
The Barrington Medical Recycling LLC control systems comply with:
42 CFR 482.24(b) and 42 CFR 485.638(c)
29 CFR 1910.1020 (d) (1)
45 CFR 164.530 (j) (2)
42 CFR part 1003
To Whom We May Share Information:
BMR provides materials recycling services to the healthcare industry. In that process, any patient information within such materials is fully destroyed upon arrival at our facilities. At no time does BMR share any personal information from our Clients’ patient records with any third party, subject to all applicable US laws. BMR is subject to requests from the US Federal Homeland Security Department and/or local law enforcement agencies for release of any personal information requested under lawful subpoena, while and if such records are in BMR’s possession.
EU AND SWISS DATA SUBJECTS AND PRIVACY SHIELD
BMR, located in the United States, participates in the EU-U.S. and Swiss-US Privacy Shield Framework (collectively the “Framework”). BMR’s participation in the Framework applies to personal data received in the United States from the European Union or Switzerland (collectively “Personal Data”). We are committed to subjecting such EU or Swiss Personal Data to the Framework, including its Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. To learn more about the Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov.
Please contact us as specified below if you have any questions, need access to your Personal Data, or otherwise need assistance. We remain responsible for our collection and disclosure of Personal Data in accordance with the Framework. Although we currently do not subcontract any third party, BMR is responsible for third party agents that are transporting, securing and/or processing such data on our behalf, unless we prove that we are not responsible for the event giving rise to the damage. In certain situations, we may be required to disclose Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.
If you are a Swiss or European Data Subject with an unresolved complaint or dispute arising under the requirements of the Framework, we agree to refer your complaint under the Framework to an independent dispute resolution mechanism. That independent dispute resolution mechanism is the International Centre for Dispute Resolution, operated by the American Arbitration Association. For more information and to file a complaint, you may contact the International Centre for Dispute Resolution by phone at 1-212-484-4181, or by visiting the website http://info.adr.org/safeharbor.
We are also subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to the Framework. In addition, under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, Swiss or EU data subjects may invoke binding arbitration for non-monetary issues when other dispute resolution procedures have been exhausted. With respect to onward transfers of data subject to the EU-US and Swiss-US Privacy Shield, BMR remains liable for any processing of such transfers in accordance with the EU-US and Swiss-US Privacy Shield Principles.
Choices and Means of Limiting Personal Data Disclosure:
Clients have the right to exercise choice (opt-out) from our possession of their or their Clients’ Personal Data. We do not otherwise use or disclose Personal Data in a manner that is subject to choice requirements under the Framework because we do not provide Personal Data to third parties other than those acting as our agent to perform tasks on our behalf.
Please contact us here at firstname.lastname@example.org if you have any questions, wish to exercise your rights of access, or seek other assistance as described above.