Last Updated April 6, 2020
Table of Contents
- Signing in to the Service and Creating an Account
- Sharing Health Data
- Access and Controls
- Email Communications
- Connection of Personal and Usage Information
- How Your Personal Information is Stored
- How Your Personal Information and Usage Information are Used and Shared
- Countries Supported
- Third Party Links
- Complaint Process
- Changes to Our Privacy Statement
The contents of the Service, such as text, graphics, images, personal health information, and other material contained in the Service and all information and data produced by the Service (“Content”) are for informational purposes only. The Content is not intended to be a substitute for professional medical advice, diagnosis, or treatment. The information in your account may not always be accurate or up-to-date and should be viewed by any health care provider as informational only. The Service does not hold records for healthcare providers or other medical or case management purposes. For example, Service records may not be designated record sets as defined under U.S. regulations. If a healthcare provider decides to include any data made available from the Service in its records, it should store a copy in its own system. If there is a co-custodian of a record in your account (because one of you invited the other), you acknowledge that the co-custodian has full control over that record and may cancel your access to the record, manage the record is used. The health information and guidance you will receive is automatically generated by the Service, based on information that you enter into or make available to the Service through your Service account. This information is not reviewed by a physician, nurse, or other health care provider for your treatment purposes. Always seek the advice of your physician or other qualified health provider with any questions you may have regarding a medical condition. You agree that the Service and the information and guidance provided by the Service do not constitute the practice of medicine or any medical, nursing, or other professional health care advice, diagnosis, or treatment. Never disregard professional medical advice or delay in seeking it because of something you have read when using the Service.
Signing in to the Service and Creating an Account
To sign in to the Service, the Service uses a Microsoft authentication service. If you close your Service account or lose your account credentials, you may not be able to access your data. Before using the Microsoft authentication service, we recommend you review the security and privacy commitments offered by Microsoft.
To create a new Service account, you must provide personal data such as name, date of birth, e-mail address, postal code, and country/region. Depending on which features you use, you may be asked for additional information. A Service account allows you to manage one or more health records, such as the ones you create for yourself and your family members. You can add or remove data to a health record you manage at any time.
Sharing Health Data
A key value of the Service is the ability you have to share your health data with people and services that can help you meet your health-related goals. By default, you are the custodian of any records you create. Custodians have the highest level of access to a health record. As a custodian, you can share data in a health record with another person by sending an e-mail invitation through the Service. You can specify what type of access they have (including custodian access), how long they have access, and whether they can modify the data in the record. When you grant someone access, that person can grant the same level of access to someone else (for example, someone with view-only access can grant another user view-only access). Because inappropriate granting of access could allow someone to violate your privacy or even revoke your access to your own records, you should be cautious about granting access to your records.
You can choose to share specific data (or all of the data) in a health record with other services, including participating third party services that you authorize (where available). No service has access to your data through the Service unless an authorized user grants it access through the Service. The Service allows you to control access by accepting or denying requests. For each service granted access, you choose what health information in a specific health record to share and what actions each service may perform on the health information.
A third party service that you authorize for a record will get the full name associated with your Service account, the nickname of the authorized record(s), and your relationship to that record. The third party service will continue to have access through the Service until you revoke the permission. CPSI can revoke a third party service’s access to the Service if it does not meet its privacy commitments to CPSI. However, except for applying the access permissions you have granted to third-party services, We do not control or monitor third-party services, and their privacy practices will vary.
Access and Controls
You can review, edit, or delete your Service account data, or close your Service account at any time. Only custodians can permanently delete an item. When you delete a health record, it is also deleted for all users who had access to it.
When you close your Service account, we delete all records for which you are the sole custodian. If you share custodian access for a record, you can decide whether to delete the record. CPSI will wait a limited amount of time before permanently deleting your data in order to help avoid accidental or malicious removal of your health data.
The Service maintains a full history of each access, change or deletion by users and services, which includes the date, action, and name of the person or service. Custodians of records can examine the history of those records.
We will use the email address you provide to share invitations you send through the Service, and to send you service notifications, such as email notifications that information is available to add to your Service records.
Any data that you enter into the Service (“Personal Health Information” or “Personal Information”) is stored in a secure hosted environment. The secure hosted environment is located in The Netherlands. The Service does not permanently store any of your data. The Service uses the information that you authorize for access from your Service account to provide you with personalized health information. You can review and edit information contained in your Service account using the Patient Portal.
The Service uses personal information collected from You and from CHBase™, a proprietary data repository owned and operated by Us, including Personal Health Information, to provide the Service as described in this policy. CPSI does not access the Personal Health Information that is stored in the secure hosted environment without your prior permission (for example, for maintenance or support purposes), and that information is not accessible by third parties without your secret login password information.
We may collect information about your interaction with the Service. For example, we may use web site analytics tools on the Service to retrieve information from your browser, including the site you came from, the search engine(s) and the keywords you used to find the Service, the pages you view within the Service and your browser’s width and height. We also may use technologies, such as cookies (described below), to collect information about the pages you view, the links you click and other actions you take on the Service. Additionally, we may collect certain standard information that your browser sends to every web site you visit, such as your IP address, browser type and language, access times, and referring web site addresses. This information is referred to as “Usage Information.”
We may use Google Analytics to help us understand how our customers use the Site — you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
How Your Personal Information is Stored
The Service stores or “caches” Personal Information as necessary to provide you the Service.
All of the Personal Information you enter, edit, delete or view in the Service is added to your CHBase account once you click on “Save” or another similar button.
When you click the “Save” button, the cache of information used by the Service is also updated with the new information you added or changed. When you select that link, the Service updates all the information in the cache with the most current information in CHBase.
How Your Personal Information and Usage Information are Used and Shared
Your Personal Information and Usage Information are used to provide you the Service and to personalize your user experience. We and our suppliers may also use some of this information to improve our respective products and services, including the Service. We may use aggregated information from the Service to improve the quality of the Service and for marketing of the Service (for example, to tell potential advertisers how many Service users live in a particular country or region). This aggregated information is not associated with any individual account. Except as set forth in this statement, we will not share your Personal Information and Usage Information in personally identifiable form with any other party without your consent, unless we are required to do so (1) to comply with the law; (2) to prevent, report or investigate illegal activity; or (3) to protect Our rights or property (including the enforcement of our agreements).
You also have a right to delete any personal information that we hold. Please see the “Access and Controls” section and “How Your Personal Information Is Stored” section for additional details. If you want to request deletion of your personal information, you can email your request to TWYD_Support@cpsi.com. We will use information contained in the portal to verify that You are the person requesting information about You. You may also delete Your personal information using the features contained in the portal or by submitting a request via U.S. Mail to the address contained in the Complaint Process section, below.
We will not discriminate against you in terms of price or service when you exercise your privacy rights under CCPA.
Personal data collected by CPSI will be stored in the Netherlands. We take steps to ensure that the data we collect under this privacy statement is processed according to the provisions of this statement and the requirements of applicable law wherever the data is located.
We transfer personal data from the European Economic Area and Switzerland to other countries, some of which have not yet been determined by the European Commission to have an adequate level of data protection. For example, their laws may not guarantee you the same rights, or there may not be a privacy supervisory authority there that is capable of addressing your complaints. When we engage in such transfers, we use a variety of legal mechanisms, including contracts, to help ensure your rights and protections travel with your data. To learn more about the European Commission’s decisions on the adequacy of the protection of personal data in the countries where CPSI processes personal data, visit the European Commission website.
If third-party agents process personal data on our behalf in a manner inconsistent with the principles of either Privacy Shield framework, we remain liable unless we prove we are not responsible for the event giving rise to the damage. You have an independent recourse mechanism where you can submit a complaint for investigation at http://go.adr.org/privacyshield.html.
If you have a question or complaint related to participation by CPSI in the EU-U.S. or Swiss-U.S. Privacy Shield, we encourage you to contact us using the contact information provided below. For any complaints related to the Privacy Shield frameworks that CPSI cannot resolve directly, we have chosen to cooperate with the relevant EU Data Protection Authority, or a panel established by the European data protection authorities, for resolving disputes with EU individuals, and with the Swiss Federal Data Protection and Information Commissioner (FDPIC) for resolving disputes with Swiss individuals. Please contact us if you’d like us to direct you to your data protection authority contacts. As further explained in the Privacy Shield Principles, binding arbitration is available to address residual complaints not resolved by other means. CPSI is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
It is not possible for CPSI to know all privacy rules from every jurisdiction around the world. Therefore, CPSI offers Lydia only in the jurisdictions that are available in the country drop-down box at the time of user account creation. If your country of domicile is not listed in the drop-down menu, you are not permitted to use the Service. If your country is not listed in the drop-down box and you believe it should be, please contact CPSI using the contact details below.
One of the primary purposes of cookies is to provide a convenience feature to save you time. For example, if you personalize a web page, or navigate within a site, a cookie helps the site to recall your specific information on subsequent visits. Using cookies simplifies the process of delivering relevant content, eases site navigation, and so on. When you return to the web site, you can retrieve the information you previously provided, so you can easily use the site’s features that you customized.
You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline some or all cookies if you prefer. If you choose to decline all cookies, the Service may not be operable.
If you have a complaint or problem related to the Service, or any questions regarding our privacy practices, you may write to CPSI’s Privacy, Security and Data Protection Officer at:
Attn: Jason Harmon, Security and Privacy Officer
51 Monroe Street, Suite 1700
Rockville, MD 20850
Designated Representative in the European Union
Attn: Tom Termini
Republic of Ireland
If you’ve contacted CPSI’s Security and Privacy Officer about a privacy-related concern and you do not believe your problem has been addressed, you may file a complaint with the CPSI General Counsel by calling CPSI’s general number at 301-309-0058 and asking for the General Counsel.