Legal - HIPAA Notice

Legal - HIPAA Notice
Octo Health Health LLC (“Administrator” or “Octo Health”) is committed to respecting all users’ privacy and the security of their identifiable information. This Privacy Policy and HIPAA Notice (the “Policy and Notice”) applies to Octo Health (the “Site”) and Octo Health Products or Services related to or derived from Octo Health, whether directly or indirectly through your healthcare professional, and is incorporated into Administrator’s Terms and Conditions and complements Administrator’s Data Protection Policy. Use of the Site will be conclusively deemed an acceptance of the Terms and Conditions, including the privacy provisions disclosed in this Policy and Notice. Please read this page carefully before using the Site and/or Octo Health Products or Services, and if you (the “User”) do not accept the Policy and Notice stated here, do not use the Site and/or Octo Health Products or Services. Administrator is the owner to all right, title, and interest to the Site and may revise the Policy and Notice at any time by updating this posting. You should visit this page periodically to review the Policy and Notice, as it is binding on you.
1.1. “Affiliates” means Administrator’s affiliated entities, including but not limited to subsidiary entities, predecessor and successor entities, officers, directors, employees, representatives, agents, and licensees.
1.2. At times we may qualify as a “Business Associate” or a “Covered Entity” under the federal law called the Health Information Portability and Accountability Act of 1996 (“HIPAA”). Regulations under that law set forth how identifiable health information can be used and disclosed by covered entities and the obligations of covered entities to safekeep and secure identifiable health information collected or received from and about individuals, such as you. For example, once you (or your physician) enrolls in the Site or purchase Octo Health Products, we collect information directly from you (or your physician) via questionnaires or health information obtained from you by an attending healthcare professional, such as your physician or their assistants, nurses, or other healthcare professionals. Sometimes, to ensure we are operating the Octo Health Services efficiently and in a clinically effective manner, we may give or receive health information about you to or from others such as labs. For example, we may be required to provide some of your information to a clinical laboratory in the event of an adverse reaction or to a manufacturing affiliate in the event of a recall. This information is treated as protected health information under HIPAA, and this Policy and Notice applies to all such information.
1.3. “Octo Health Products” means the Octo Health patient experience platform, including but not limited to patient education content, patient outcome tracking, patient surveys, and any other related content available on the Site or through associated mobile applications, such as the Waiting Room, Find a Specialist, and Reputation Enhancement tools.
1.4. Protected health information or “PHI” is identifiable health information about you (such as your name, social security number, or address), and that relates to (a) your past, present, or future physical or mental health or condition, (b) the provision of health care to you, or (c) your past, present, or future payment for the provision of health care. We need PHI to provide you with quality care and to comply with certain legal requirements.
1.5. “Services” include Software as a Service offering for Octo Health Products and implementations of any Octo Health Product on the Site or related mobile applications provided directly and/or indirectly on behalf of Octo Health.
1.6. “Third-Party Content” means any links or other materials available through the Site that allow users to be redirected to or browse third-party information and/or services.
Octo Health may provide to you, or receive from you, information, including health-care-related information or other information related to your use or access of and to the Site or Octo Health Products. This is a joint notice of our information privacy practices and disclosures required by the Privacy Regulations Promulgated Pursuant to HIPAA. The following people or groups will follow this Policy and Notice:
2.1. Any health care provider who provides or uses Octo Health Products or Services;
2.2. All departments and units of our organization; and
2.3. Our employees, contractors, volunteers, and affiliates. These individuals or entities may share health information with each other for treatment, payment, or health care operations purposes described in this Policy and Notice. In addition, we also use and share your information for other reasons as allowed and required by law. If you have any questions about this Policy and Notice, please contact us at [email protected] or by calling 1-425-651-6734.
This Notice of Privacy Practices describes how we may use and disclose your protected health information to carry out treatment, payment, or healthcare operations and for other purposes that are permitted or required by law. It also describes your rights to access and controls your protected health information. “Protected Health Information” or “PHI” is defined above in Section 1.4 and generally encompasses information about you, including demographic information, that may identify you and that relates to your past, present, or future physical or mental health or condition and related health care services.
3.1. Uses and Disclosures of Protected Health Information. Your PHI may be used and disclosed by our organization, our office staff, and others outside of our office that are involved in your care and treatment for the purpose of providing health care services to you, to pay your health care bills, to support the operation of the organization, and any other use required by law.
3.1.1. Treatment. We are not healthcare providers. We are a distributor of healthcare-related information, such as Octo Health Products and Services. In this role, we may have your PHI disclosed to us as a Business Associate of your health care provider to coordinate or manage your health care or to supply your health care provider with Octo Health Products or Services. We may also act as a Covered Entity in our dealings with Affiliates, and in this capacity, we may use or disclose your PHI to Affiliates so they can fulfill requirements associated with FDA guidelines and/or product development.
3.1.2. Payment. We will not use your PHI to obtain payment for your healthcare services. Your healthcare provider will be responsible for obtaining approval for equipment or supplies coverage that may require your relevant PHI to be disclosed to a health plan to obtain approval for coverage.
3.1.3. Health Care Operations. We may use or disclose, as needed, your PHI in order to support the business activities of our organization. These activities include but are not limited to, quality assessment activities, accreditation activities, and conducting or arranging for other business activities. For example, we may disclose your PHI to accrediting agencies as part of an accreditation survey. We may use or disclose your PHI, as necessary, to your health care provider, Octo Health Affiliates, or government agencies for regulatory, quality, efficacy, or safety purposes.
3.2. We may use or disclose your PHI in the following situations without your authorization as required by law: public health issues as required by law, communicable diseases, health oversight, abuse or neglect, Food and Drug Administration requirements, legal proceedings, law enforcement, criminal activity, inmates, military activity, national security, and workers’ compensation.
3.3. Required Uses and Disclosures: Under the law, we must make disclosures to you when required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with the requirements of § 164.500.
3.4. Other permitted and required uses and disclosures will be made only with your consent, authorization, or opportunity to object unless required by law. You may revoke this authorization, at any time, in writing, except to the extent that your physician or this organization has taken an action in reliance on the use or disclosure indicated in the authorization.
3.5. Your Rights. Following is a statement of your rights with respect to your PHI.
3.5.1. You have the right to inspect and copy your PHI. Under federal law, however, you may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding; and PHI that is subject to law(s) that prohibits access to PHI.
3.5.2. You have the right to request a restriction of your PHI. This means you may ask us not to use or disclose any part of your PHI for the purposes of treatment, payment, or healthcare operations. You may also request that any part of your PHI not be disclosed to family members or friends who may be involved in your care or for notification purposes as described herein. Your request must state the specific restriction requested and to whom you want the restriction to apply. Our organization is not required to agree to a restriction that you may request. If our organization believes it is in your best interest to permit use and disclosure of your PHI, your PHI will not be restricted. You then have the right to use another Healthcare professional.
3.5.3. You have the right to request to receive confidential communications from us by alternative means or at an alternative location.
3.5.4. You have the right to obtain a paper copy of this notice from us, upon request, even if you have agreed to accept this notice alternatively, e.g., electronically.
3.5.5. You may have the right to have our organization amend your PHI. If we deny your request for amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal.
3.5.6. You have the right to receive an accounting of certain disclosures we have made, if any, of your PHI.
3.5.7. We reserve the right to change the terms of this notice and will inform you by e-mail of any changes. You then have the right to object or withdraw, as provided in this SECTION 3 (regarding HIPAA Notice).
3.6. Complaints. You may complain to us or to the Secretary of Health and Human Services if you believe your privacy rights have been violated by us. You may file a complaint with us by notifying us by phone at 1-425-651-6734 or by email at [email protected] Health of your complaint. We will not retaliate against you for filing a complaint.
3.7. We are required by law to maintain the privacy of PHI and to provide individuals with these notices regarding our legal duties and privacy practices with respect to PHI. If you have any questions concerning, or objections to, this Policy and Notice, please ask to speak with our Privacy Officer, Dan, in person or by phone at 1-425-651-6734 or by emailing us at [email protected].
3.8. As discussed in greater detail in Section 4.4 (regarding Information Security), we work to protect ourselves from unauthorized access to or unauthorized alteration, disclosure, or destruction of information we hold. In the unlikely event of a breach of unsecured PHI, we are required by law to notify affected individuals.
3.9. Associated companies with whom we may do business, such as manufacturers of regenerative medicine products, are given only enough information to satisfy reporting, safety, and efficacy requirements.
3.10. The Effective Date of the notices provided in this SECTION 3 (regarding HIPAA Notice), is Octo Healthber 1, 2018, and may be updated from time to time, as required by law or in accordance with our updated practices and policies.
3.11. In our role as a Covered Entity, we must abide by the conditions of the notice currently in effect.
3.12. We welcome your comments. Please feel free to call or email us if you have any questions about how we protect your privacy. Our goal is always to provide you with the highest quality products and/or services.
The following information complements and adds to the foregoing, setting forth some additional policies related to what information of yours may be collected or used by us.
4.1. Information Collected.
4.1.1. Submitted Information. Administrator collects information actively submitted to the Site. This includes but is not limited to any information submitted when User creates an account, places an order, makes a return, inquires about or registers for Administrator’s services, requests emails about Administrator’s offerings, provides Administrator with marketing preferences, subscribes to or follows Administrator through the Sites, submits information (including postings or photographs) to the Sites, participates in a marketing survey, submits information to Administrator directly or through third-party services, or otherwise sends Administrator data via the Site. Administrator collects identifiable information from users, including the following: User’s contact information (such as User’s name, organization address, email address, phone number, fax number), username and password, shipping information (including the shipping address and phone number), purchase history at the Sites, demographic information, information User provides by interacting with Administrator through the Site or otherwise, and postings or photographs that User submits through the Site or otherwise. All postings or photographs submitted to the Site become the property of Administrator. By submitting a posting or photograph, User grants any rights thereto to Administrator and authorizes Administrator to copyright, use, and/or publish the same in print or electronically for any lawful purpose in exchange for User’s use of the Site. Note that any personal and identifiable information that User posts voluntarily now or in the future through the Site may be visible to others and collected by third parties. Administrator reserves the right to share non-personal information received via the Sites, including User’s unsolicited ideas, suggestions, or materials related to Administrator’s products, with the public or as it otherwise sees fit. Administrator does not seek such ideas, suggestions, or materials related to Administrator’s products other than in some surveys for feedback to improve the customer experience. If User does not want Administrator to use User ideas, suggestions, or materials related to Administrator’s products, User agrees not to submit them to Administrator; if User does submit them, User assigns any rights therein to Administrator and acknowledges that Administrator has the right to use them in any manner without further consent from User and without any compensation or remuneration to User. The User acknowledges and agrees that, among other things but at the very least, the User’s use of the Site is good and valuable consideration for the foregoing. In the event that Administrator elects to use User’s submitted ideas, suggestions, or materials, User agrees not to oppose any such use.
4.1.2. Automatic Collection of Information. When User visits the Sites, Administrator automatically collects information, including but not limited to information about the devices User uses to access the Internet (such as the internet protocol (IP) address and the device, browser, and operating system type), URLs that refer User to the Sites, the dates and times of User’s visits, information on User’s shopping behavior on the Site (e.g., page views, paths User takes through the Sites, etc.), general geographic location information (e.g., country, state, or city) that shows User’s location when browsing the Sites, search terms that User enters to reach the Site or enters on the Site to find products, and/or information related to User’s receipt and/or access of Administrator’s emails. Administrator may utilize analytics services to help track the effectiveness or efficiency of the Site and to help learn more about users’ behaviors and interactions with the Site. Some information automatically collected is anonymous. Administrator and/or its Affiliates, analytics or service providers, and select businesses with whom Administrator has marketing relationships, use technologies such as cookies, beacons, tags, and scripts, to analyze trends, administer the Sites, track users’ movements around the Sites, and to gather demographic information about Administrator’s user base as a whole. Administrator may receive reports based on the use of these technologies by these companies on an individual or aggregated basis. The Site may include social media features, such as the Facebook “Like” button and widgets, the “share this” widget, or interactive mini programs that run on the Site. These features may collect User’s IP address, which page User is visiting on a Site, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on the Site. User’s interactions with these features are governed by the privacy policy of the company providing it. Administrator automatically collects aggregate anonymous information through cookies. Cookies are small text files stored by User’s Web browser on User’s computer, phone, tablet, or other device used to browse the Site. Cookies allow Administrator to identify and authenticate visitors, track aggregate behavior, and enable important site features. Administrator uses both session ID cookies and persistent cookies. A session ID cookie expires when User closes a browser. A persistent cookie remains on User’s hard drive for an extended period of time. The persistent cookie maintains User’s information, such as login information, so that, for example, a user’s cart and login remain available when the user returns to a site. Session cookies are used to maintain aspects of the User’s activity while visiting the Site. This can include, for example, a user’s shopping state as the user browses through a site. Administrator also contracts with analytics services and third-party advertising companies to collect similar information for specific purposes. Though User may disable cookies through User’s web browser, doing so may prevent User from taking advantage of some of the Sites’ features. To opt out of the services related to these cookies, please see Section 4.5 (regarding Preferences). The use of cookies by Administrator’s partners is not covered by this Policy and Notice. Administrator stores certain automatically collected information in log files. This information may include IP addresses, browser type, internet service provider, referring/exit pages, operating system, date/time stamp, and/or clickstream data. Administrator may combine this automatically collected log information with other information collected about User.
4.2. Information Used.
4.2.1. General. Administrator may use the information it collects in a number of ways, including to register and manage User’s account; to process and track User’s procedures and/or outcomes; to provide status updates on User’s information or survey results; to provide customer service when User requires assistance; to improve customer service; to provide products and services that User requests; to identify preferences provided by User; to communicate with User about products and services; to send User email updates, promotions, surveys, and direct mailings; to customize the Site or Administrator’s communications with User; to track the efficacy of the Site and help us learn more about users’ behavior; to enable User to communicate with Administrator, the Sites, or other interactive media; publish testimonials or photos; analyze marketing strategies and trends regarding users’ use of the Sites; analyze marketing strategies and trends regarding users’ purchases; to protect against fraud, unauthorized transactions, claims, and other liabilities; to manage exposure to risk from unauthorized users; to understand users’ aggregate behavior; to improve Site experience; to improve effectiveness of marketing campaigns; to enforce terms and conditions and/or use on the Sites; and/or to comply with applicable legal mandates, policies, or industry standards.
4.2.2. Information Combinations. In an effort to provide users with the best possible experience on the Sites, Administrator may combine various types of collected data to the extent permitted by law. Administrator may conduct marketing analysis and similar research to assist in making business decisions. Such analysis and research activities may be conducted through third-party services, using anonymous data and aggregate statistics generated by Administrator’s collection of information.
4.2.3. User Contact. From time to time and in compliance with applicable law requirements (e.g. based upon User’s prior consent if required under applicable law), Administrator may use contact information that User has provided to send User information regarding products and services, as well as other information that Administrator thinks may be useful to User. If User orders products through the Sites, Administrator may contact User by email to provide information about User’s order (e.g., order confirmations, shipment notifications). If User has an account with the Sites, Administrator may also send User an email regarding User’s account status or changes to relevant agreements or policies. If User does not wish to receive marketing information from Administrator, User may opt-out by unsubscribing in emails received from Administrator or by contacting Administrator.
4.3. Information Shared.
4.3.1. Disclosure. Subject to SECTION 3 (regarding HIPAA Notice), Administrator will not disclose User’s personal information to third parties, except (a) with User’s consent; (b) to Administrator’s Affiliates and service providers to fulfill product orders or deliver services, or otherwise to fulfill a contractual obligation to User; (c) to service providers who act on Administrator’s behalf and under Administrator’s instructions to perform certain functions (e.g., IT companies, credit card processors, credit rating agencies, or legal, financial, and other advisors); (d) as required by applicable law, such as to cooperate with law enforcement investigations or upon receipt of a court order; or (e) to help courts and public authorities protect User, Administrator, or third parties from harm, including fraud or instances where somebody’s physical safety is at risk. Service providers acting on Administrator’s behalf shall be obliged to comply with this Policy and Notice and adhere to confidentiality requirements and will only receive access to User’s personal information as necessary to perform their functions.
4.3.2. Merger. In the event of a merger, acquisition, or other reorganization or sale of Administrator’s business or assets, Administrator may share or transfer User’s information, and the recipient will be required to use the information in accordance with this Policy and Notice.
4.3.3. Security. In the event Administrator becomes aware that the security of the Site has been compromised or users’ identifiable information has been disclosed to unrelated third parties as a result of external activity, including but not limited to security attacks or fraud, Administrator reserves the right to take reasonably appropriate measures, including but not limited to investigation and reporting, as well as notification to and cooperation with law enforcement authorities. In the event of a data breach, Administrator will make reasonable efforts to notify affected individuals if Administrator believes that there is a reasonable risk of harm to users as a result of the breach or if notice is otherwise required by law.
4.4. Information Security.
4.4.1. Administrator’s Security. Administrator works to protect itself and users from unauthorized access to or unauthorized alteration, disclosure, or destruction of information Administrator holds. To prevent unauthorized access or disclosure, maintain data accuracy, and ensure the appropriate use of information, Administrator does the following: Administrator implements physical, electronic, and managerial procedures to safeguard and secure the information that Administrator collects. Administrator uses encryption when using the Internet to transfer or receive requested sensitive identifiable information. Administrator does NOT store credit card numbers in its database. Administrator keeps on file only the last 4 digits to verify the card that was used. Once the information is transmitted to Administrator’s servers for processing, Administrator uses encryption in the back end to transmit the request to Administrator’s payment processor to verify the credit card and place an authorization for the order total. Administrator restricts access to personally identifiable information to itself and its Affiliates on a need-to-know basis and subject to confidentiality agreements. Administrator takes commercially reasonable technical, physical, and organizational steps to safeguard any information User provides to us and to protect it from unauthorized access, loss, misuse, or alteration.
4.4.2. Information Retention. Administrator keeps data at least as long as required by applicable law and may keep data as long as permitted by applicable law. Administrator does retain and use user information as necessary to comply with any legal obligations, contractual statutes of limitations, resolution of disputes, and/or enforcement of agreements. Please note that Administrator may not be able to delete data upon request depending on the reasons above and the nature of User’s interactions (e.g., Administrator retains data to notify customers of product recalls).
4.4.3. Account Security. It is User’s responsibility to safeguard any passwords, ID numbers, or similar individual information associated with User’s use of the Site. To minimize the risk of having User’s account being compromised, Administrator recommends that User set up User’s account password using unique numbers, letters, and special characters. Do not disclose passwords to others. Please notify Administrator of any password compromises and change passwords periodically to maintain account protection. When User is finished using the Sites, User agrees to sign off and out of any accounts used in order to protect against unauthorized use.
4.5. Preferences.
4.5.1. User Options. Administrator offers User some choices regarding the information collected, how the information collected is used and disclosed, and how Administrator communicates with User: User may opt out of receiving marketing emails or direct mail from Administrator at any time by clicking on the unsubscribe link in Administrator emails or by contacting Administrator. User will continue to receive service-related emails (e.g. order status). User may disable cookies in User’s Web browser, though doing so will impact the usability of the Site. Administrator may also use technologies, such as Administrator’s own cookies, to provide User with personalized online display advertising tailored to User’s interests. User may opt-out of Google Analytics by following this link. User may update or correct User’s identifiable information related to User’s account directly on the Site or by contacting Administrator. If User wishes to request deletion of User’s personal information, then please contact Administrator at [email protected] Health.health. Administrator will respond to requests within a reasonable timeframe. User may access, correct, and/or update User’s information by accessing User’s accounts or profiles on the Site. Alternately, User may at any time request access to a summary of the information Administrator holds about User by contacting Administrator at [email protected] Health.health. User may also request corrections, updates, or deletion of User’s information. Administrator will make reasonable efforts to respond promptly to any such requests in accordance with applicable laws. From time to time, Administrator may provide User the opportunity to participate in contests or surveys connected to the Site. If User participates, Administrator will request certain personally identifiable information from User. Participation in these surveys or contests is completely voluntary and User therefore has a choice about whether or not to disclose this information. Administrator may use a third-party service provider to conduct these surveys or contests; in those cases, that third-party company will be prohibited from using User’s personally identifiable information for any other purpose. Administrator will not share the personally identifiable information User provides through a contest or survey with other third parties without first giving User prior notice and choice.
4.6. Do Not Track. Some internet browsers include the ability to transmit “Do Not Track” signals. Since uniform standards for “Do Not Track” signals have not yet been adopted, Administrator does not process or respond to “Do Not Track” signals.
4.7. Warranties And Disclaimers.
4.7.1. Assumption of Risk. Administrator follows generally accepted standards to protect submitted personal information, both during transmission and once Administrator receives it. However, no computer system or transmission of information can ever be completely secure or error-free, and User should not expect that User’s information will remain private under all circumstances. Administrator therefore cannot guarantee its absolute security.
4.7.2. Third Parties. This Policy and Notice does not apply to Third-Party Content or the practices of third-party companies outside of Administrator’s control, nor does it apply to individuals that Administrator does not employ or manage, even if User has accessed Third-Party Content through the Site. Third-Party Content is provided solely as a convenience to User. Once User leaves a Site, Administrator neither controls nor has responsibility for third-party sites, their content, or their privacy practices.
4.7.3. Minors. The Site is not intended for use by anyone under the age of 18. If User is under the age of 18, please do not create an account or send Administrator any identifiable information, including but not limited to User’s name, address, telephone number, or email address. Administrator does not knowingly collect personal information from anyone under the age of 18. If Administrator learns that identifiable information has been collected from anyone under the age of 18, Administrator will delete that information as quickly as possible. If User believes that Administrator may have any information from or about a person under the age of 18, please contact Administrator at [email protected].
4.8. Nevada Residents As Covered By Nevada Privacy Law. Administrator does not sell covered information as defined under Nevada law. To the extent that Administrator shares identifiable information for commercial purposes, User may opt out by contacting Administrator and specifying their residency in Nevada and election to opt out. If User would like to make a further inquiry regarding the sale of User’s covered information, as defined under Nevada law, please contact Administrator at [email protected].
4.9. Miscellaneous.
4.9.1. Policy and Notice Application. This Policy and Notice covers Administrator’s treatment of identifiable information that is gathered when User is accessing or using the Site. This Policy and Notice is incorporated into Administrator’s Terms and Conditions. Please reference the Terms and Conditions in addition to this Policy and Notice to understand all terms and conditions binding on User.
4.9.2. Effective Date. Use of the Site will be conclusively deemed an acceptance of the Terms and Conditions, including the additional privacy related provisions of this SECTION 4, which are effective and binding on User as of User’s first date of use of the Site.
4.9.3. Changes to the Policy and Notice. Administrator may revise this Policy and Notice from time to time. Administrator will post any adjustments to the Policy and Notice on this Site, and the revised version will be effective as defined by the relevant Effective Date provisions disclosed herein. If Administrator makes any material changes to this Policy and Notice, Administrator will notify User of such changes by posting them on this page or by sending User an email or other notification. User’s continued use of the Site following notice and/or posting of any modification, change, or amendment to this Agreement will be conclusively deemed an acceptance of such modification, change, or amendment. If necessary, this Policy and Notice will also be adjusted to meet updated requirements of legislation and case law as Administrator is made aware of such updated requirements, if any.