GET REAL HEALTH® PLATFORM END USER PRIVACY POLICY
Last Updated April 6, 2020
Talk With My Doc™, Lydia, and Ellie are health management tools provided to you by Computer Programs and Systems, Inc. ™ and its wholly-owned subsidiaries, including Get Real Health®, Trubridge™, and Evident™ (“CPSI”). CPSI is committed to protecting Your privacy. This privacy statement describes CPSI’s® privacy practices in relation to your use of its software, including but not limited to InstantPHR®, CHBase™, Ellie™, Lydia™, and Talk With My Doc™ (“the Service”), including any data that may be collected by CPSI through Your Service account. “We,” “Us,” and “Our” refer to CPSI, and “You” and “Your” refer to you (the end user). We do not use or disclose your information except as described in this privacy statement. This Privacy Policy is intended to be read alongside the Get Real Health Platform End User License Agreement and, if you are a user who is subject to the European General Data Protection Regulation (“GDPR”), the Lydia Code of Conduct.
Table of Contents
- Introduction
- Signing in to the Service and Creating an Account
- Sharing Health Data
- Access and Controls
- Email Communications
- Collection of Personal and Usage Information
- How Your Personal Information is Stored
- How Your Personal Information and Usage Information are Used and Shared
- HIPAA
- CCPA
- GDPR
- Countries Supported
- Third Party Links
- How We Use Cookies
- Complaint Process
- Changes to Our Privacy Statement
Introduction
The Service is a health management software tool from CPSI that lets you gather, edit, store and share health data online. The Service is intended for you to store your personal health-related information. You may also be able to access information about other people (such as your family) with their consent and invitation. Service accounts are not for use by healthcare providers or for any other commercial or non-personal purpose. The Service is capable of providing personalized health guidance for you and your family. The Service is hosted by Us using Microsoft Azure. You should review Microsoft Azure’s terms and conditions of use and privacy policy, which are available on Microsoft Azure’s website. The Service may assist you in assembling health information in a usable format. It is important for you to understand how the information that you submit, review and edit in the Service is used by Us.
The contents of the Service, such as text, graphics, images, personal health information, and other material contained in the Service and all information and data produced by the Service (“Content”) are for informational purposes only. The Content is not intended to be a substitute for professional medical advice, diagnosis, or treatment. The information in your account may not always be accurate or up-to-date and should be viewed by any health care provider as informational only. The Service does not hold records for healthcare providers or other medical or case management purposes. For example, Service records may not be designated record sets as defined under U.S. regulations. If a healthcare provider decides to include any data made available from the Service in its records, it should store a copy in its own system. If there is a co-custodian of a record in your account (because one of you invited the other), you acknowledge that the co-custodian has full control over that record and may cancel your access to the record, manage the record is used. The health information and guidance you will receive is automatically generated by the Service, based on information that you enter into or make available to the Service through your Service account. This information is not reviewed by a physician, nurse, or other health care provider for your treatment purposes. Always seek the advice of your physician or other qualified health provider with any questions you may have regarding a medical condition. You agree that the Service and the information and guidance provided by the Service do not constitute the practice of medicine or any medical, nursing, or other professional health care advice, diagnosis, or treatment. Never disregard professional medical advice or delay in seeking it because of something you have read when using the Service.
Signing in to the Service and Creating an Account
To sign in to the Service, the Service uses a Microsoft authentication service. If you close your Service account or lose your account credentials, you may not be able to access your data. Before using the Microsoft authentication service, we recommend you review the security and privacy commitments offered by Microsoft.
To create a new Service account, you must provide personal data such as name, date of birth, e-mail address, postal code, and country/region. Depending on which features you use, you may be asked for additional information. A Service account allows you to manage one or more health records, such as the ones you create for yourself and your family members. You can add or remove data to a health record you manage at any time.
Sharing Health Data
A key value of the Service is the ability you have to share your health data with people and services that can help you meet your health-related goals. By default, you are the custodian of any records you create. Custodians have the highest level of access to a health record. As a custodian, you can share data in a health record with another person by sending an e-mail invitation through the Service. You can specify what type of access they have (including custodian access), how long they have access, and whether they can modify the data in the record. When you grant someone access, that person can grant the same level of access to someone else (for example, someone with view-only access can grant another user view-only access). Because inappropriate granting of access could allow someone to violate your privacy or even revoke your access to your own records, you should be cautious about granting access to your records.
You can choose to share specific data (or all of the data) in a health record with other services, including participating third party services that you authorize (where available). No service has access to your data through the Service unless an authorized user grants it access through the Service. The Service allows you to control access by accepting or denying requests. For each service granted access, you choose what health information in a specific health record to share and what actions each service may perform on the health information.
A third party service that you authorize for a record will get the full name associated with your Service account, the nickname of the authorized record(s), and your relationship to that record. The third party service will continue to have access through the Service until you revoke the permission. CPSI can revoke a third party service’s access to the Service if it does not meet its privacy commitments to CPSI. However, except for applying the access permissions you have granted to third-party services, We do not control or monitor third-party services, and their privacy practices will vary.
Access and Controls
You can review, edit, or delete your Service account data, or close your Service account at any time. Only custodians can permanently delete an item. When you delete a health record, it is also deleted for all users who had access to it.
When you close your Service account, we delete all records for which you are the sole custodian. If you share custodian access for a record, you can decide whether to delete the record. CPSI will wait a limited amount of time before permanently deleting your data in order to help avoid accidental or malicious removal of your health data.
The Service maintains a full history of each access, change or deletion by users and services, which includes the date, action, and name of the person or service. Custodians of records can examine the history of those records.
Email Communications
We will use the email address you provide to share invitations you send through the Service, and to send you service notifications, such as email notifications that information is available to add to your Service records.
Collection of Personal and Usage Information
Any data that you enter into the Service (“Personal Health Information” or “Personal Information”) is stored in a secure hosted environment. The secure hosted environment is located in The Netherlands. The Service does not permanently store any of your data. The Service uses the information that you authorize for access from your Service account to provide you with personalized health information. You can review and edit information contained in your Service account using the Patient Portal.
The Service uses personal information collected from You and from CHBase™, a proprietary data repository owned and operated by Us, including Personal Health Information, to provide the Service as described in this policy. CPSI does not access the Personal Health Information that is stored in the secure hosted environment without your prior permission (for example, for maintenance or support purposes), and that information is not accessible by third parties without your secret login password information.
We may collect information about your interaction with the Service. For example, we may use web site analytics tools on the Service to retrieve information from your browser, including the site you came from, the search engine(s) and the keywords you used to find the Service, the pages you view within the Service and your browser’s width and height. We also may use technologies, such as cookies (described below), to collect information about the pages you view, the links you click and other actions you take on the Service. Additionally, we may collect certain standard information that your browser sends to every web site you visit, such as your IP address, browser type and language, access times, and referring web site addresses. This information is referred to as “Usage Information.”
We may use Google Analytics to help us understand how our customers use the Site — you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
How Your Personal Information is Stored
The Service stores or “caches” Personal Information as necessary to provide you the Service.
All of the Personal Information you enter, edit, delete or view in the Service is added to your CHBase account once you click on “Save” or another similar button.
When you click the “Save” button, the cache of information used by the Service is also updated with the new information you added or changed. When you select that link, the Service updates all the information in the cache with the most current information in CHBase.
How Your Personal Information and Usage Information are Used and Shared
Your Personal Information and Usage Information are used to provide you the Service and to personalize your user experience. We and our suppliers may also use some of this information to improve our respective products and services, including the Service. We may use aggregated information from the Service to improve the quality of the Service and for marketing of the Service (for example, to tell potential advertisers how many Service users live in a particular country or region). This aggregated information is not associated with any individual account. Except as set forth in this statement, we will not share your Personal Information and Usage Information in personally identifiable form with any other party without your consent, unless we are required to do so (1) to comply with the law; (2) to prevent, report or investigate illegal activity; or (3) to protect Our rights or property (including the enforcement of our agreements).
HIPAA
CPSI is not a Healthcare Provider under the definitions and meaning contained in HIPAA. Therefore, HIPAA does not apply to CPSI. The Service is not subject to HIPAA because Our organization is not a healthcare provider. However, CPSI is committed to maintaining your privacy using all of the measures described in this Privacy Policy.
CCPA
CPSI complies with the California Consumer Privacy Act (CCPA). You have a right to know what personal information is collected about you and how it is used, shared or sold. CPSI does not sell any of your personal information. This privacy policy describes how your personal information is used and shared. If you want to know more about how your personal information is used or shared, you can email your question to TWYD_Support@cpsi.com. We will use information contained in the portal to verify that You are the person requesting information about You.
You also have a right to delete any personal information that we hold. Please see the “Access and Controls” section and “How Your Personal Information Is Stored” section for additional details. If you want to request deletion of your personal information, you can email your request to TWYD_Support@cpsi.com. We will use information contained in the portal to verify that You are the person requesting information about You. You may also delete Your personal information using the features contained in the portal or by submitting a request via U.S. Mail to the address contained in the Complaint Process section, below.
You may use an agent to request any information from Us contained in this section. In order to use any agent, please have an agent contact Us at TWYD_Support@cpsi.com and we will provide detailed instructions regarding how an agent may act on your behalf for rights contained in this Privacy Policy.
We will not discriminate against you in terms of price or service when you exercise your privacy rights under CCPA.
GDPR
Where the GDPR has jurisdiction, CPSI complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland, to the United States in reliance on Privacy Shield. CPSI has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
Personal data collected by CPSI will be stored in the Netherlands. We take steps to ensure that the data we collect under this privacy statement is processed according to the provisions of this statement and the requirements of applicable law wherever the data is located.
We transfer personal data from the European Economic Area and Switzerland to other countries, some of which have not yet been determined by the European Commission to have an adequate level of data protection. For example, their laws may not guarantee you the same rights, or there may not be a privacy supervisory authority there that is capable of addressing your complaints. When we engage in such transfers, we use a variety of legal mechanisms, including contracts, to help ensure your rights and protections travel with your data. To learn more about the European Commission’s decisions on the adequacy of the protection of personal data in the countries where CPSI processes personal data, visit the European Commission website.
If third-party agents process personal data on our behalf in a manner inconsistent with the principles of either Privacy Shield framework, we remain liable unless we prove we are not responsible for the event giving rise to the damage. You have an independent recourse mechanism where you can submit a complaint for investigation at http://go.adr.org/privacyshield.html.
You have the right to access your personal data. We, in turn, are required to disclose personal information in response to lawful requests by public authorities, which enforcement authority has jurisdiction over the organization’s compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework. This means that, as is required by the GDPR, we will disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We are liable if we transfer data to third parties without notice to you under this Privacy Policy or your permission.
If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, visit the Privacy Shield website.
If you have a question or complaint related to participation by CPSI in the EU-U.S. or Swiss-U.S. Privacy Shield, we encourage you to contact us using the contact information provided below. For any complaints related to the Privacy Shield frameworks that CPSI cannot resolve directly, we have chosen to cooperate with the relevant EU Data Protection Authority, or a panel established by the European data protection authorities, for resolving disputes with EU individuals, and with the Swiss Federal Data Protection and Information Commissioner (FDPIC) for resolving disputes with Swiss individuals. Please contact us if you’d like us to direct you to your data protection authority contacts. As further explained in the Privacy Shield Principles, binding arbitration is available to address residual complaints not resolved by other means. CPSI is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Countries Supported
It is not possible for CPSI to know all privacy rules from every jurisdiction around the world. Therefore, CPSI offers Lydia only in the jurisdictions that are available in the country drop-down box at the time of user account creation. If your country of domicile is not listed in the drop-down menu, you are not permitted to use the Service. If your country is not listed in the drop-down box and you believe it should be, please contact CPSI using the contact details below.
Third Parties
The Service may contain links to web sites operated by third parties. We have no control over the privacy policies or practices of such third party sites, and you should review the privacy policies and terms of use of those sites for more information about the policies applicable to those sites. The choices you select in any third party sites which may be linked to the Service may allow other people, companies and applications to access the personal information that is stored in your Service account.
Talk to Your Doc utilizes APIs which are owned and licensed by Daily.co. Daily.co’s Terms of Use is applicable to this product and can be viewed at https://www.daily.co/terms-of-service. Daily.co’s Privacy Policy is applicable to this product and can be viewed at: https://www.daily.co/privacy. By using Talk With My Doc, you expressly agree to Daily.co’s Terms of Use and Privacy Policy.
How We Use Cookies
We may, but do not necessarily, use cookies with this Service to enable you to sign in and to help personalize the Service. A cookie is a small text file that a web page server places on your hard disk. It is not possible to use cookies to run programs or deliver viruses to your computer. A web server assigns cookies uniquely to you and only a web server in the domain that issued the cookie to you can read the cookies. Like many other web services, the Service may use cookies to provide information relating to the sources of site traffic and to help you personalize your experience.
One of the primary purposes of cookies is to provide a convenience feature to save you time. For example, if you personalize a web page, or navigate within a site, a cookie helps the site to recall your specific information on subsequent visits. Using cookies simplifies the process of delivering relevant content, eases site navigation, and so on. When you return to the web site, you can retrieve the information you previously provided, so you can easily use the site’s features that you customized.
You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline some or all cookies if you prefer. If you choose to decline all cookies, the Service may not be operable.
Complaint Process
If you have a complaint or problem related to the Service, or any questions regarding our privacy practices, you may write to CPSI’s Privacy, Security and Data Protection Officer at:
CPSI
Attn: Jason Harmon, Security and Privacy Officer
51 Monroe Street, Suite 1700
Rockville, MD 20850
United States
secofficer@getrealhealth.com
Designated Representative in the European Union
Bluedog CSL
Attn: Tom Termini
12 Eastwood
Finglas
Dublin, 11
Republic of Ireland
termini@bluedog.ie
If you’ve contacted CPSI’s Security and Privacy Officer about a privacy-related concern and you do not believe your problem has been addressed, you may file a complaint with the CPSI General Counsel by calling CPSI’s general number at 301-309-0058 and asking for the General Counsel.
Changes to Our Privacy Statement
We may update this Privacy Policy from time to time. When we do, we will revise the “last updated” date at the top of the privacy statement. You will be responsible to review this privacy policy to ensure prior to using the Service each time. By using the Service, you consent to the most recent version of this Privacy Policy. Your continued use of the Service constitutes your agreement and consent to this privacy policy and any updates.