Evaluating Care Provider Readiness for an External HIPAA Audit


How and Why Patient Privacy Monitoring Provides a Sustainable

Foundation for HIPAA and ARRA HITECH Compliance

A FairWarning® White Paper

Trust but Verify®

Overview

This white paper details how and why patient privacy monitoring provides a foundation for automated and sustainable compliance with a series of HIPAA and ARRA HITECH Security and Privacy provisions including those listed below:

HIPAA Security Technical Safeguard - Audit Controls

HIPAA Security Administrative Safeguard - Information Systems Activity Review

HIPAA Privacy Administrative Requirement - Complaint responses

HIPAA Privacy Administrative Requirement - Mitigation

HIPAA Security Administrative Safeguard - Sanctions

HIPAA Security Administrative Safeguard - Information Access Management

HIPAA Privacy Administrative Requirement - Workforce Training

ARRA HITECH Privacy Provisions

ARRA HITECH Meaningful Use Stage 1 and 2

California AB 211, SB 541, Texas House Bill 300

A Best Practices Pyramid is detailed early in the white paper and referred to throughout so that care providers can evaluate their readiness for an external HIPAA audit. Additionally, this white paper details how patient privacy monitoring replaces the semi-manual processes traditionally associated with Audit Controls and Systems Activity Review, providing a significant return on investment while mitigating the escalating risks of patient privacy breaches.

A growing number of leading care providers have already deployed patient privacy monitoring, or have prioritized it above all other security initiatives, due to proven deployment models, ease and speed of deployment, and the ability to address so many core regulatory requirements with a single thread of effort.

Thus, the content contained in this white paper represents lessons learned from these leading care providers and other regulatory experts.

FairWarning, Inc.
Email: solutions@FairWarning.com
Web: www.FairWarning.com
Phone: US 727 576 6700 | UK +0 800 047 0933 | Europe +33 6 26 26 84 67

About FairWarning®

FairWarning® is the inventor and global leader in software solutions which monitor and protect patient privacy in electronic health records, enabling healthcare providers and health information exchanges to confidentially connect physicians, clinics, patients and affiliates. FairWarning®'s patient privacy monitoring solutions are compatible with healthcare applications from every major vendor, and available as either on-premise or software-as-a-service, with managed services available to complement existing resources.

Customers consider FairWarning® privacy auditing solutions essential for compliance with healthcare privacy regulations such as ARRA HITECH privacy and meaningful use criteria, HIPAA, EU Data Protection, UK Freedom of Information Act, California SB 541 and AB 211, Texas HB 300, and Canadian provincial healthcare privacy law. For more information, visit http://www.FairWarning.com or email Solutions@FairWarning.com.

Notices

COPYRIGHT NOTICE

© 2012 FairWarning®. All rights reserved.

Copyright and Trademark Notices

The materials in this document and available on the FairWarning® web site are the property of FairWarning®, and are protected by copyright, trademark and other intellectual property laws.

TRADEMARKS

FairWarning®, the logo, Trust but Verify® and other trademarks of FairWarning® may not be used without permission.

MATERIAL FOR USE “AS-IS”

THIS FAIRWARNING® REPORT IS FURNISHED “AS IS” WITHOUT ANY WARRANTY OF ANY KIND AND FAIRWARNING® HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES AS TO NON-INFRINGEMENT, AND IN NO EVENT SHALL FAIRWARNING® BE LIABLE FOR COSTS PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL FAIRWARNING® BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR DAMAGES WHETHER OR NOT FAIRWARNING® HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.


ePHI Audit Controls and Information Systems Activity Review Best Practices Pyramid

LEVEL 5 (BEST PRACTICE)
Capabilities:
    Ability to add new ePHI system audit sources rapidly through well-known Data Definitions
    Centralized, electronic work-flow and reporting for all known privacy breaches through a common portal
    Certification training available for patient privacy monitoring technology and business processes
Condition:
    External audit ready and Accounting of Disclosures Access Report ready
    Sustainable, affordable compliance and patient privacy monitoring

LEVEL 4
Capabilities:
    Automated and proactive behavior-based analytics enforcing care provider policies
    Privacy breach analytics with filtering using user and patient data
    Patient privacy monitoring technology massively scalable
Condition:
    External HIPAA audit “ready”
    Best practices for ARRA HITECH breaches as related to EHR misuse; best practices for Meaningful Use Stage I
    Sustainable and predictable patient privacy monitoring platform

LEVEL 3
Capabilities:
    Automated investigations for patients and users across all critical systems that access ePHI
    Scheduled, semi-automated random patient audits for a significant percentage of encounters
    Formal remediation, work-force training and sanctioning processes in place
Condition:
    Depending on consistency, could be compliant with HIPAA Audit Controls and Information Systems Activity Review
    Exposure to risks of ePHI privacy breach as defined under ARRA HITECH and applicable state laws in TX, CA

LEVEL 2
Capabilities:
    Automated extractions of audit logs from all critical systems that access ePHI
    Centralized and managed audit logs of all critical systems that access ePHI
    Manual / semi-automated investigations and manual random patient audits
Condition:
    Exposure under HIPAA Audit Controls and Information Systems Activity Review, among others
    Exposure to external HIPAA audit
    Exposure to risks of ePHI privacy breach as defined under ARRA HITECH and applicable state laws in TX, CA

LEVEL 1
Capabilities:
    Manual, reactionary extraction of audit logs from systems that access ePHI
    Audit logs from systems that access ePHI are not centralized and managed
    Reactionary investigation process conducted by non-dedicated personnel
Condition:
    Non-compliant with HIPAA Audit Controls and Information Systems Activity Review, among others; exposure to external HIPAA audits
    Exposure to risks of ePHI privacy breach as defined under ARRA HITECH and applicable state laws in TX, CA


Healthcare Regulation Specific to Privacy Breaches and Audit Logs

Care provider and electronic health record manufacturer responsibilities regarding the production, uses and management of audit logs from systems that access protected health information (PHI) are firmly embedded in existing and pending healthcare privacy regulations, including those listed below:

HIPAA Multiple Sections of the Privacy and Security Rules

ARRA HITECH of 2009 Privacy Provisions

ARRA HITECH of 2009 HIPAA Rule Accounting of Disclosures

ARRA HITECH of 2009 Meaningful Use Stage I

California Assembly Bill 211, California State Bill 541, Texas House Bill 300

If healthcare privacy regulations are considered and addressed independently, care providers can become paralyzed by complexity, opening themselves up to escalating risks, or they can easily come to own a quagmire of confusing, expensive and unsustainable technologies and processes. The better alternative is to consider privacy regulation holistically, enabling care providers to make strategic, targeted investments that address multiple regulatory responsibilities in a single thread of effort.

Further, if conducted as part of an overall compliance, privacy and security plan, regulatory responsibilities can be addressed with a natural sequence of sustainable processes.

In considering the deployment of patient privacy monitoring and its associated administrative processes, care providers are encouraged to observe a progressive series of healthcare privacy regulation beginning with some very specific provisions of HIPAA.

HIPAA (1996 / 2003 / 2005)

In 1996, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), through its Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), established, for the first time, a set of national standards for the protection of certain health information. Revisions and extensions to HIPAA have been made from the time of its original passage; however, its history is not holistically reviewed by this white paper. Instead, the numerous sections of HIPAA now applicable to patient privacy monitoring are considered, and additional related privacy legislation is pointed out where applicable.

HIPAA Security Technical Safeguard - Audit Controls.

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” The pertinent Health and Human Services (HHS) HIPAA resource can be found at http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html (Technical Safeguards).

HIPAA Security, Administrative Safeguard - Information Systems Activity Review.

“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” According to the HHS web site, “The information system activity review enables covered entities to determine if any ePHI is used or disclosed in an inappropriate manner.” Source HHS material can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf

HIPAA Privacy Rule Administrative Requirement - Complaints.

“A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice.” Source HHS material can be found at http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html (Administrative Safeguards).

HIPAA Security, Administrative Safeguard - Information Access Management.

Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access). Through the implementation of Audit Controls and Information Systems Activity Review, access controls are adjusted to limit access to what is appropriate for users. Source HHS material can be found at http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Summary and Best Practice Observations

Prior to ARRA HITECH of 2009, the consequences of a patient privacy breach were negligible and HIPAA was not enforced, so most conscientious care providers made a reasonable effort to fulfill the above provisions by conducting manual investigations of audit logs for a limited number of critical systems.

These activities were typically conducted on a patient complaint-driven basis by non-dedicated personnel.

Some care providers also conducted semi-automated manual random patient audits by visually examining audit logs in an effort to fulfill the Information Systems Activity Review requirement. These manual processes prove to be unsustainable, immensely time consuming, monotonous and largely ineffective. For example, due to the time required to conduct a manual patient audit, it is only feasible for far less than 1% of patient encounters to be randomly reviewed. In the case of complaint-driven investigations, a reactionary care provider might dedicate days, weeks or even months of personnel time to investigate a subset of the systems that access PHI. Almost always, the investigation is an “extra duty” on top of the investigation team’s full-time roles. Lastly, by definition care providers are non-compliant with HIPAA unless they are able to conduct these activities for all “information systems that contain or use electronic protected health information”.

The semi-manual processes map to Level 3 in this white paper’s Best Practices Pyramid. At any given instant in time, a care provider may be compliant with the aforementioned HIPAA requirements; however, both the technology and business processes are non-sustainable and provide limited ability to scale with growing governmental privacy mandates. Leading care providers recognized the limitations of the semi-manual approach and began deploying patient privacy monitoring technology that maps to Levels 4 and 5 of the Best Practices Pyramid. Lastly, unconcerned care providers consider all of these efforts not worth the time, expense and energy and continue to map to Level 1 and Level 2 of the Best Practices Pyramid. These care providers have significant risk of breaches and external audits that likely go well beyond Audit Controls and Systems Activity Review.

As this white paper proceeds, there are several other general HIPAA provisions that should be considered, as they can largely be addressed within the thread of effort of a patient privacy monitoring deployment. Compliance-minded care providers realize that the deployment of a technology is not sufficient for compliance. In fact, appropriate technology based on the care provider’s size, as well as sustainable and appropriate business processes, are required for compliance.

Thoughtful care providers have deployed training, remediation and sanctioning processes surrounding their Systems Activity Review and Audit Controls in order to address the administrative HIPAA requirements detailed below.

HIPAA Privacy Rule Administrative Requirement - Mitigation.

“A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.”

HIPAA Security Rule Administrative Safeguard - Workforce Training and Management.

“A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.”

HIPAA Security Rule Administrative Safeguard – Sanction Policy.

“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”


Source HHS material can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf

ARRA HITECH of 2009 HITECH Privacy Provisions

Healthcare privacy laws were significantly strengthened with the 2009 passage of the American Recovery and Reinvestment Act (“ARRA”) Health Information Technology for Economic and Clinical Health (“HITECH”) Act and Meaningful Use, which introduced a series of requirements that provided a specific definition for privacy breach, clearly defined notification requirements, increased fines and penalties and mandated the systemic enforcement of HIPAA.

Definition of Privacy Breach

“A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual”. Source HHS references and exceptions can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html (Definition of Breach)

Breach Notification

ARRA HITECH privacy provisions mandate very specific individual, governmental and, in certain circumstances, media notification responsibilities when a privacy breach occurs. This represents a dramatic change from the complaint-driven system of the past, which required care providers to do nothing about a breach unless they received a specific patient complaint. And even then, the centralized complaint response process was slow and over-burdened. Source HHS reference can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html (Breach Notification)

Fines, Penalties and HIPAA Enforcement

ARRA HITECH of 2009 introduced willful neglect and escalating fines and penalties associated with noncompliance. A casual search of the World Wide Web will provide numerous examples of multi-million dollar fines as well as the latest on planned HIPAA audits. Example HHS resources are provided below:

Case Examples and Resolution Agreements - http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html

HIPAA Privacy and Security Audit Program - http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

Summary Best Practice Observations

With a much clearer definition of breach and dramatically increased consequences, more and more care providers recognize that misuse of access to electronic health records and electronic PHI (ePHI) in general represents the most significant privacy breach risk, and have realized that to deter and prevent breaches, they must first be discovered. Leading care providers are abandoning manual patient reviews and investigations in favor of automatically extracting and collecting their audit logs into a central location, then proactively examining those audit logs for the behavior-based signatures of snooping, identity theft, medical identity theft and other privacy breaches. The processes and technologies associated with automating the extraction and centralization of audit logs and applying behavior-based filtered analytics, accompanied by mitigation, remediation, training and sanctioning processes, are now known as “patient privacy monitoring” and map to Levels 4 and 5 of the Best Practices Pyramid.


Leading care providers recognized that patient privacy monitoring provides a foundation for automated and sustainable compliance with a now growing list of HIPAA provisions as well as ARRA HITECH Privacy provisions, including:

HIPAA Security Technical Safeguard - Audit Controls

HIPAA Security Administrative Safeguard - Information Systems Activity Review

HIPAA Security Administrative Safeguard - Sanctions

HIPAA Security Administrative Safeguard - Information Access Management

HIPAA Privacy Administrative Requirement - Mitigation

HIPAA Privacy Administrative Requirement - Complaint responses

HIPAA Privacy Administrative Requirement - Workforce Training

ARRA HITECH Privacy Provisions - Additionally, by proactively discovering and reporting breaches, leading care providers are demonstrating their commitment to privacy and compliance rather than sitting on a powder keg of unknown, on-going risk associated with the fines, penalties, state attorney general lawsuit exposure, negative media attention and HIPAA enforcement contained in ARRA HITECH of 2009.

ARRA HITECH of 2009 – Meaningful Use Stages I and II

In 2010, Meaningful Use Criteria were established: Level 1 certification requires an EHR to produce an audit log. To qualify for Meaningful Use incentives, every EHR vendor must be Meaningful Use certified and able to routinely produce audit logs for their customers, thus easing the creation of a centralized infrastructure of audit logs as well as enabling the proactive patient privacy monitoring in the process.

Additionally, entities must conduct a security risk analysis per HIPAA 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies. The HITECH Act also authorizes substantial support to help support provider adoption of EHRs.

ARRA HITECH of 2009 in its full form can be found at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf

Summary and Best Practice Observations

The audit log requirement of Meaningful Use Stage I is a big practical step forward for care providers wishing to fulfill the HIPAA Audit Control and Information Systems Activity Review requirements, because previously some EHR manufacturers did not make it easy to obtain audit logs. Care providers who have achieved Level 4 and Level 5 are best positioned to take advantage of this development. FairWarning® operates a no-cost, open copyright© program to assist care providers and healthcare application manufacturers with consistent, low-cost production of audit logs that contain best practice data for patient privacy monitoring. For more information visit http://www.fairwarning.com/subpages/Applications_and_Systems.asp#fwr

California and Texas State Laws

State laws including California Assembly Bill 211, California Senate Bill 541, California Senate Bill 850, and Texas House Bill 300 mandate various legal requirements regarding patient privacy for individuals and/or institutions. California Assembly Bill 211 and California Senate Bill 541 impose penalties against individuals and institutions, respectively, that fail to protect the privacy of patient medical records.

Further, CA SB 541 creates a stricter standard than any currently in effect under existing state law or HIPAA, because facilities are required under this bill to “prevent” unauthorized access, not merely to take reasonable steps to try to monitor and stop inappropriate access.

Texas House Bill 300 reduces the timeframe a covered entity has to produce EHR following a patient’s request to fifteen days from thirty days under HIPAA. Texas HB 300 also mandates penalties and fines that are in addition to similar penalties that can be assessed by HHS under HITECH, so a covered entity could be facing fines up to $3 million per year for the same violations under state and federal law.

Summary Best Practice Observations

California and Texas state laws ultimately motivate care providers toward the same end as the ARRA HITECH Privacy provisions: detect, train, sanction, deter and prevent privacy breaches. By deploying patient privacy monitoring and the surrounding business processes as outlined and required under the Federal HIPAA law, care providers can address the bulk of these laws with little to no extra effort beyond the specific state reporting requirements.

ARRA of 2009 HITECH HIPAA Privacy Accounting of Disclosures Rule as of May 27, 2011

Under the May 27, 2011 proposed Accounting of Disclosures rule, care providers will be responsible for providing access reports for disclosures of information even for treatment, payment and healthcare operations. The timeline to respond to access inquiries is thirty days. Access reports will cover patient access in electronic designated record sets. Providers, plans and their business associates will be required to maintain for 3 years the information required to produce the reports. The source Health and Human Services resource can be found at http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf

Summary and Best Practices Observations

Compliance with this rule is impossible without a patient privacy monitoring solution. Manual processes simply will not scale to fulfill the pending rule. If the right patient privacy monitoring technology is selected and deployed, the efforts and investments care providers put forth for the deployment can be directly leveraged in complying with the final form of the Accounting of Disclosures Access Report Rule. The key elements of appropriate technology include:

Massively scalable for the management of the many ePHI audit sources required for compliance

Ability to rapidly add new ePHI audit sources to a patient privacy monitoring deployment. This is only possible if the technology leverages audit log Data Definition standards and actively works with healthcare application vendors to ensure compatibility

Flexible reporting system so that the final form of the Access Report can be implemented quickly and with little technical effort

The decision to deploy patient privacy monitoring technology and the associated processes that meets these criteria is considered Level 5 in the Best Practices Pyramid.


Summary and Sustaining Compliance

Patient privacy monitoring provides a foundation for automated and sustainable compliance with a long series of HIPAA provisions as well as ARRA HITECH Privacy provisions, including:

HIPAA Security Technical Safeguard - Audit Controls

HIPAA Security Administrative Safeguard - Information Systems Activity Review

HIPAA Privacy Administrative Requirement - Complaint responses

HIPAA Privacy Administrative Requirement - Mitigation

HIPAA Security Administrative Safeguard - Sanctions

HIPAA Security Administrative Safeguard - Information Access Management

HIPAA Privacy Administrative Requirement - Workforce Training

ARRA HITECH Privacy Provisions

ARRA HITECH Meaningful Use Stage I

California AB 211, SB 541, Texas House Bill 300

ARRA HITECH Meaningful Use Stage 1 makes patient privacy monitoring easier to deploy than ever before for all certified electronic health record systems. Leading care providers have already deployed patient privacy monitoring or have prioritized it above all other security initiatives, due to proven deployment models, ease and speed of deployment, and the ability to address so many core regulatory requirements with a single thread of effort.

Sustaining Compliance and Forward Looking Considerations

Healthcare privacy compliance is here to stay. The legal, financial and regulatory risks associated with privacy breaches involving misuse of access to ePHI have grown dramatically since 2009. Federal HIPAA audit programs introduced in November 2011 and underway during 2012 have also made it clear that federal and state governments investing in electronic health records mandate that care providers protect ePHI or risk fines, reputational damage and even loss of Meaningful Use funding under certain circumstances. This means the technology platform selected for patient privacy monitoring must be able to scale, grow, provide flexibility and leverage many sources of data for analytics and filtering. If any of these core technology requirements fails, then the entire platform is unusable and must be replaced, which is expensive, time consuming and distracting, as well as damaging to the credibility of those involved:

Ability to add new audit sources rapidly and inexpensively. HIPAA Audit Controls and Information Systems Activity Review apply to all systems which access ePHI. Care providers have dozens and even hundreds of systems that meet these criteria. The patient privacy monitoring platform must demonstrate the ability to rapidly add new sources with little or no customization. Further, Data Definition standards need to be applied in order to handle many audit sources. This requirement is magnified by the pending Accounting of Disclosures Access Report Rule.

Massively scalable. As a growing number of audit sources are added to a patient privacy monitoring deployment, data volumes grow dramatically. Popular EHR vendors such as Epic, Cerner, and McKesson have added significantly to the amount of audit data provided, driving up volumes. And the pending Accounting of Disclosures Access Reports Rule remains fluid, but currently mandates that care providers be able to look three years back. The bottom line is that audit log retention and management requirements will continue to grow.

Proactive filtered analytics and reporting that incorporates outside user and patient data is a necessity. With growing volumes of data to review, a patient privacy monitoring solution must provide proactive behavior-based analytics with strong filtering support; otherwise deployments will result in reporting and analytics that cannot be used because there is simply too much information. Sources of filter criteria should include fields within the audit logs themselves as well as user and patient information.
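The three platform requirements above, together with the behavior-based snooping analytics described under the ARRA HITECH summary and the Accounting of Disclosures access report discussed earlier, are easiest to see in working code. The following is an added example written for this page, not FairWarning's product code or any real EHR's audit format: two constructed audit sources ("ehr_a", pipe-delimited, and "lab_b", JSON lines) are normalized through per-source data definitions into one event model, so adding a source is one new entry in DATA_DEFINITIONS rather than a change to the analytics. The constructed user, patient and encounter tables act as the outside filter criteria; the rules (self-access, same last name, no treatment relationship) are illustrative signatures, and the 30-day grace period, the 3-year lookback and all names and identifiers are assumptions.

```python
"""Added example (not FairWarning code): normalise audit logs from two
constructed EHR sources through per-source data definitions, run behaviour-
based snooping analytics enriched with user and patient data, pick a random
audit sample, and build a per-patient access report over a 3-year window."""
import json
import random
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "source ts user_id patient_id action")

# --- Data definitions: one parser per audit source (both formats are constructed).
def parse_ehr_a(line):
    # Constructed pipe-delimited format: "2012-03-01T10:15:00|jsmith|P1001|VIEW"
    ts, user, patient, action = line.strip().split("|")
    return Event("ehr_a", datetime.fromisoformat(ts), user, patient, action)

def parse_lab_b(line):
    # Constructed JSON-lines format from a second system with different field names
    rec = json.loads(line)
    return Event("lab_b", datetime.fromisoformat(rec["time"]), rec["uid"], rec["mrn"], rec["op"])

# Adding a new audit source means adding one entry here, not changing the analytics.
DATA_DEFINITIONS = {"ehr_a": parse_ehr_a, "lab_b": parse_lab_b}

SAMPLE_LOGS = {  # constructed sample input, one list of raw lines per source
    "ehr_a": [
        "2009-01-15T09:00:00|jsmith|P1001|VIEW",
        "2012-03-01T10:15:00|jsmith|P1001|VIEW",
        "2012-03-01T10:20:00|jsmith|P2002|VIEW",
        "2012-03-01T11:00:00|kjones|P3003|VIEW",
    ],
    "lab_b": [
        '{"time": "2012-03-01T12:00:00", "uid": "mlee", "mrn": "P3003", "op": "RESULT_VIEW"}',
        '{"time": "2012-03-02T08:30:00", "uid": "mlee", "mrn": "P1001", "op": "RESULT_VIEW"}',
    ],
}

# --- Context data used as filter criteria (constructed HR and registration extracts).
USERS = {
    "jsmith": {"dept": "cardiology", "last_name": "Smith", "own_mrn": "P2002"},
    "kjones": {"dept": "billing", "last_name": "Jones", "own_mrn": None},
    "mlee": {"dept": "lab", "last_name": "Lee", "own_mrn": None},
}
PATIENTS = {"P1001": {"last_name": "Doe"}, "P2002": {"last_name": "Smith"},
            "P3003": {"last_name": "Jones"}}
# Encounters (patient, department, start, end) establish a treatment relationship.
ENCOUNTERS = [
    ("P1001", "cardiology", datetime(2012, 2, 28), datetime(2012, 3, 3)),
    ("P3003", "lab", datetime(2012, 3, 1), datetime(2012, 3, 2)),
]

def ingest(raw_by_source):
    """Centralise: parse every source with its data definition, order by time."""
    events = []
    for source, lines in raw_by_source.items():
        events.extend(DATA_DEFINITIONS[source](l) for l in lines if l.strip())
    return sorted(events, key=lambda e: e.ts)

def has_relationship(user_id, patient_id, ts, grace=timedelta(days=30)):
    """True if the user's department had an encounter with the patient near ts."""
    dept = USERS[user_id]["dept"]
    return any(p == patient_id and d == dept and start - grace <= ts <= end + grace
               for p, d, start, end in ENCOUNTERS)

def analyze(events):
    """Behaviour-based signatures; returns (event, reason) for suspicious accesses."""
    alerts = []
    for e in events:
        u = USERS.get(e.user_id)
        patient_name = PATIENTS.get(e.patient_id, {}).get("last_name")
        if u is None:
            alerts.append((e, "unknown user"))
        elif u["own_mrn"] == e.patient_id:
            alerts.append((e, "self-access"))
        elif patient_name is not None and u["last_name"] == patient_name:
            alerts.append((e, "same last name as patient"))
        elif not has_relationship(e.user_id, e.patient_id, e.ts):
            alerts.append((e, "no treatment relationship"))
    return alerts

def sample_for_random_audit(events, fraction, seed=0):
    """Scheduled random patient audit: choose a fraction of the patients seen."""
    patients = sorted({e.patient_id for e in events})
    k = max(1, round(len(patients) * fraction))
    return random.Random(seed).sample(patients, k)

def access_report(events, patient_id, as_of_iso, lookback_years=3):
    """Accounting-of-disclosures style access report across all sources,
    limited to the retention window (3 years back from the as-of date)."""
    cutoff = datetime.fromisoformat(as_of_iso) - timedelta(days=365 * lookback_years)
    return [(e.ts.isoformat(), e.source, e.user_id, e.action)
            for e in events if e.patient_id == patient_id and e.ts >= cutoff]

if __name__ == "__main__":
    evs = ingest(SAMPLE_LOGS)
    for ev, reason in analyze(evs):
        print(f"ALERT {reason:28s} {ev.source} {ev.ts} {ev.user_id} -> {ev.patient_id}")
    print("random audit sample:", sample_for_random_audit(evs, 0.5))
    for row in access_report(evs, "P1001", "2012-04-01"):
        print("access report P1001:", row)
```

Run as-is, the script raises four alerts on the constructed data (a stale 2009 access with no encounter, a clinician opening their own record, a billing user viewing a patient with the same last name, and a lab user viewing a patient their department never served) and produces a two-row access report for P1001 that excludes the 2009 event because it falls outside the three-year window. The point of the structure is that the analytics and the report never touch raw log formats: each new system only needs a data definition that maps its fields onto the shared Event, and each new filter criterion is another context table joined in `analyze`.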


Formal technology and business process certification training is emerging as a mandatory requirement. Due to increased risks and visibility associated with regulatory compliance as well as a shortage of qualified resources, formal training and certification on a patient privacy monitoring platform ensures that care provider personnel get the most use from their investment, develop redundant skills in their organization and reduce the risks associated with noncompliance and privacy breaches.

Care providers are best served by requiring that patient privacy monitoring manufacturers provide many, or at least several, references from customers who use their EHR and core healthcare applications. Further, care providers should insist the manufacturer participate in KLAS Research and require that they are “transparent” with KLAS. These simple “due diligence” steps can save a care provider from the financial, time and credibility loss associated with a failed patient privacy monitoring deployment. The right patient privacy monitoring technology can eliminate the window of risk of audit failure or patient privacy breaches.
