Table of Contents for Privacy Policy

1. Introduction
2. Collection and Use of Personally Identifiable Information
3. Collection and Use of Your Health Information
4. Collection and Use of Non-personal Information; Third Party Websites
5. Access Rights of drIDme Workforce
6. De-identified Data
7. Access to Data for Research
8. Responding to Subpoenas and Discovery Requests
9. Access to Data by Government Agencies
10. Use of Cookies
11. Security of Personal Information and Your Health Information
12. Changes to this Privacy Policy
13. Your Comments are Welcome

drIDme Privacy Policy

1. Introduction

drIDme is a for-profit organization that has established a medical data company to exchange health information among participants, health care providers, and other health industry stakeholders. The goal of drIDme is to assist participants, employers, and health care organizations in improving the quality of care and controlling the cost of health care services through enhanced access to medical information and analytics. drIDme is committed to protecting the security of your personal information. We have adopted and adhere to stringent security standards designed to protect non-public personal information on drIDme.com against accidental or unauthorized access or disclosure. These Policies are not designed to supersede any applicable state or federal laws or regulations, all of which continue to apply to any activities subject to these Policies. These Policies may be amended from time to time by the drIDme Board of Directors.

This Privacy Policy is part of the Terms of Use Agreement (“Agreement”) drIDme Privacy Statement; capitalized terms that are not defined in this Privacy Policy are defined in the Agreement.

drIDme takes your privacy seriously and encourages you to read this Privacy Policy so that you understand how we collect and use your information. This Privacy Policy governs that collection and use when you use the Site and Service. By using the Site and/or Service, you consent to the collection and use of your information, as described herein.

2. Collection and Use of Personally Identifiable Information

drIDme collects and stores personally identifiable information, such as your e-mail address, name, home or work address, telephone number, and credit card or other payment related information (collectively, “Personal Information”). We collect Personal Information in order to register you so that you can use and access the Service, to process payments and to operate and maintain the Site and Service. Since the Site and other components of the Service may be operated, maintained or serviced by third parties, you understand and agree that in order to process your registration, provide customer service, perform certain administrative functions and otherwise operate, maintain or service your account and/or the Service, we may share your Personal Information with third parties for such purposes. All such third parties are prohibited from using your Personal Information except to provide these services to drIDme, and they are required to maintain the confidentiality of your information.

drIDme may also use your Personal Information to inform you of other products or services available from drIDme and its affiliates. drIDme may also occasionally contact you to request your participation in surveys regarding the Site, Service or future products or services. From time to time, we may also contact you on behalf of third party business partners about a particular offering that may be of interest to you. In those cases, your Personal Information is not provided to the third party. You may “opt-out” of receiving such third party information at any time by visiting your “Subscriber Profile.”

We do not currently share your Personal Information with third parties for promotional purposes, but we reserve the right to do so in the future.

As part of our effort to always provide you with timely and relevant information, drIDme may deliver customized content and advertising within drIDme to you. We use standard internet navigation tracking tools to determine if your behavior on the Site indicates that you may be interested in the product or service contained in the customized content or advertising.

drIDme will never share your Personal Information with any unauthorized third party, except as expressly provided otherwise in this Privacy Policy; drIDme may disclose your Personal Information without your consent or notice only to: (i) satisfy any applicable law, regulation, legal process or governmental request; (ii) protect and defend our rights and property; (iii) enforce the Terms of Use Agreement and this Privacy Policy; (iv) protect against misuse or unauthorized use of the Service; and/or (v) protect the interests of our users or the public.

3. Collection and Use of Your Health Information

drIDme also collects and stores Your Health Information (the health related information that you, or a third party on your behalf, upload, input, create or otherwise transmit and/or display on or to the Site) in accordance with applicable industry standards. You may not store health information for other people in your drIDme account. If health information of other people is included in your drIDme account as part of your own health history, it shall also be considered “Your Health Information” for the purposes of this Privacy Policy.

You may choose to share Your Health Information with separate third party systems and/or websites that can connect with the Service (“Third Party Systems”) to use, edit and add to your health record. This Privacy Policy does not apply to any Third Party Systems; you are encouraged to review the separate privacy policies of those third party Programs. Once Your Health Information is shared by you with a Third Party System, drIDme no longer has any control over the collection or use of that information when it is in the possession or control of the Third Party System. This Privacy Policy will continue to apply to any of Your Health Information that remains stored on the Site after you share it with any Third Party System.

drIDme will never share Your Health Information with any unauthorized third parties, except as expressly provided otherwise in this Privacy Policy or the Agreement. drIDme may disclose Your Health Information without your consent or notice only to: (i) satisfy any applicable law, regulation, legal process or governmental request; (ii) protect and defend our rights and property; and/or (iii) protect the interests or safety of our users or the public.

4. Collection and Use of Non-personal Information; Third Party Websites

drIDme may also collect non-personally identifiable information including, without limitation, information regarding your operating system, browser, domain name, and your navigation through, to and from the Site or Service (collectively, “Non-personal Information”).

Non-personal Information is not Personal Information or Your Health Information and is not covered by this Privacy Policy. Non-personal Information is collected in the aggregate and used to improve the Site, Service and for other business purposes. drIDme may provide Non-personal Information to third parties for various business reasons.

You may find chat boards, message boards, bulletin boards, blogs and other similar features on the Site (collectively, “Chat Boards”) to be useful to connect with other users of the Service who may have similar interests. Please be aware that information you disclose on a Chat Board is not Personal Information, or Non-personal Information, or Your Health Information, and is not covered by this Privacy Policy, even if the information would otherwise be so considered and even if it is identical to the Personal Information, Non-personal Information or Your Health Information collected by or provided to drIDme. What you post or disclose on Chat Boards may be read, collected and used by others, including used to send you unsolicited messages. drIDme has no control over such actions by third parties and is not responsible for any information you disclose on a Chat Board.

For your convenience, the Site and Service may include links to third party websites. drIDme encourages you to review the privacy policies of those third party websites you choose to link to or from drIDme (either directly from a link on the Site or otherwise) so that you can understand how those websites collect, use and share your information. drIDme is not responsible for the privacy policies or other content on third party websites.

5. Access Rights Of drIDme Workforce

drIDme may authorize its own Workforce to access Protected Health Information through the drIDme database to the extent consistent with the terms of the HIPAA Privacy and Security Rule along with Business Associate Contracts of each Medical Facility. Members of the employee workforce have this access for one or more of the following purposes:

5.1.1. To facilitate the Disclosure of Protected Health Information to Participants or for Research or Public Health purposes as permitted by the Policies.
5.1.2. To process or otherwise implement Opt Out requests.
5.1.3. To perform patient identity or patient records maintenance.
5.1.4. To create De-identified Data in accordance with Privacy and Security Rules.
5.1.5. To conduct or assist in the performance of audits permitted or required by the Policies, including audits of Emergency Access required by Section 5.
5.1.6. To perform data analysis on behalf of and at the request of one or more Participants, to the extent consistent with HIPAA and Security Policies.
5.1.7. To evaluate the performance of or develop recommendations for improving the operation of the drIDme Database.
5.1.8. To conduct technical system support and maintenance on the HIE Network.
5.1.9. To engage in any other activities reasonably related to the operation of drIDme that are authorized by the drIDme Board of Directors and are consistent with applicable law.

5.1.10. Role-Based Access.

drIDme shall establish role-based access standards reasonably designed to enable each Workforce member to access only such Protected Health Information that is necessary for the performance of his or her authorized activities. These standards shall ensure that drIDme Workforce members access and use only the minimum necessary amount of Protected Health Information reasonably required to carry out the authorized purpose.

5.1.11. Training.

No drIDme Workforce member may access Protected Health Information through the drIDme database unless the Workforce member has received training regarding the Policies and acknowledged in writing the receipt thereof.

5.1.12. Discipline for Non-Compliance.

drIDme shall discipline Workforce members who violate the Policies or engage in any other unauthorized or inappropriate behavior that undermines the privacy or security of Protected Health Information available through the drIDme Database. Depending on the circumstances, disciplinary measures may include verbal and written warnings, retraining, demotion, suspension or termination of employment.

5.1.13. Reporting and Non-Retaliation.

drIDme shall require all Workforce members to report any actual or suspected violation of the Policies of which they become aware. No Workforce member may be subject to retaliation of any kind for reporting a violation in good faith.

5.1.14. Business Associates.

drIDme may authorize its own Business Associates to access Protected Health Information for a purpose that is consistent provided drIDme has entered into a Business Associate Contract with the Business Associate. Such Business Associates may include, but are not limited to, Qualified Organizations.

6. De-identified Data

6.1.1. Creation of De-Identified Data.

drIDme, through its Workforce or Business Associates, may access Protected Health Information through drIDme to create De-Identified Data in accordance with this section.

6.1.2. Standards for De-Identification.

Data will be deemed De-identified Data only if one of the following standards is satisfied:

6.1.2.1.1. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information. The methods and results of the analysis that justify such determination must be documented.
6.1.2.1.2. The following identifiers are removed from the data:
a. Names;
b. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of Census (1) the geographic units formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
c. All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
d. Telephone numbers;
e. Fax numbers;
f. Electronic mail addresses;
g. Social security numbers;
h. Medical record numbers;
i. Health plan beneficiary numbers;
j. Account numbers;
k. Certificate/license numbers;
l. Vehicle identifiers and serial numbers, including license plate numbers;
m. Device identifiers and serial numbers;
n. Web Universal Resource Locators;
o. Internet Protocol address numbers;
p. Biometric identifiers, including finger and voice prints;
q. Full face photographic images and any comparable images; and
r. Any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes provided certain conditions are met, as set forth under HIPAA.
6.1.2.1.3. Information will not be deemed De-Identified Data if drIDme has actual knowledge that the information could be used, alone or in combination with other information, to identify an Individual who is a subject of the information.

6.1.3. Re-identification.

6.1.3.1.1. The drIDme Board of Directors shall develop guidelines that specify when drIDme will assign a code or employ other means of record identification to allow De-Identified Data to be re-identified in the event appropriate for clinical or other valid purposes. If such a code is assigned or other means of record identification is established:
6.1.3.1.2. The code or other means of record identification must not be derived from or related to information about the Individual and may not otherwise be capable of being translated so as to identify the Individual; and
6.1.3.1.3. drIDme may not use or disclose the code or other means of record identification for any other purpose, and may not disclose the mechanism for re-identification.

6.1.4. Uses of De-Identified Data.

6.1.4.1.1. drIDme may use or make available to other parties De-identified Data for any purpose approved by the drIDme Board of Directors. The drIDme Board of Directors may authorize drIDme to charge a fee to Participants or other parties requesting De-identified Data to the extent consistent with applicable law. No Participant shall have the right to restrict drIDme’s use or transmission of De-identified Data.

7. Access To Data For Research

7.1.1. Requirements for Disclosure for Research.

drIDme may Disclose Protected Health Information to appropriately qualified researchers for Research if one of the following requirements is satisfied:

7.1.1.1.1. All Individuals whose Protected Health Information is being Disclosed have signed a written authorization for the Disclosure that complies with HIPAA.
7.1.1.1.2. The Research has been approved by a Designated IRB, which has waived the requirement of obtaining Individuals’ authorization for the Disclosure in accordance with 45 C.F.R. § 512(i)(2).
7.1.1.1.3. The Protected Health Information is limited to that of decedents, the deaths of the relevant Individuals have been documented by the researcher requesting the information and the researcher represents to drIDme in writing that the information is necessary for Research.
7.1.1.1.4. The Protected Health Information requested constitutes a limited data set, as defined at 45 C.F.R. § 164.514(e), and a data use agreement, as described under 45 C.F.R. § 164.514(e), has been executed by the researcher and drIDme.
7.1.1.1.5. Appointment of Designated IRB. The NC HIE shall enter into a written agreement with each Designated IRB to carry out the functions contemplated. Such agreement shall ensure that the Designated IRB performs its obligations in accordance with 45 C.F.R. §164.512(i).

7.1.2. Minimum Necessary.

Except for Research carried out pursuant to drIDme shall Disclose only the minimum necessary Protected Health Information for the permitted Research purpose.

7.1.3. Verification.

drIDme shall verify the identity and authority of any researcher requesting access to Protected Health Information for Research prior to Disclosing such information to the researcher.

7.1.4. Accounting.

drIDme shall maintain a record of all Disclosures for Research.

7.1.5. Fees.

drIDme may charge fees to researchers seeking access to Protected Health Information available through the drIDme Database, provided that such fees must be reasonably related to the costs incurred by drIDme in connection with reviewing and complying with the Research request, including but not limited to, the cost of review by a Designated IRB.

8. Responding To Subpoenas And Discovery Requests

8.1.1. Disclosures In Response to Court Orders.

drIDme may Disclose Protected Health Information in its possession in response to a court order provided drIDme Discloses only the Protected Health Information expressly authorized by such order.

8.1.2. Disclosures in Response to Subpoenas and Discovery Requests.

drIDme may Disclose Protected Health Information in its possession in response to a subpoena, discovery request or other lawful process that is not accompanied by an order of a court only if the subpoena, discovery request or other lawful process is accompanied by a written authorization from the Individual who is the subject of the requested Protected Health Information.

drIDme shall respond to subpoenas, discovery requests or other lawful processes by transmitting a written objection to the party requesting the Protected Health Information setting forth the need for either a court order or a written authorization from the Individual in connection with such request.

8.1.3. Opportunity for Participants to Resist Request.

drIDme shall notify all Participants whose Protected Health Information is subject to a potential Disclosure of drIDme’s intention to make the Disclosure no less than five days prior to the anticipated date of the Disclosure. drIDme shall not Disclose any Participant’s Protected Health Information if (i) the Participant notifies drIDme within such five-day period of the Participant’s intention to move to quash the subpoena or otherwise resist the request and (ii) the Participant takes such action within the time period necessary to prevent the NC HIE from failing to comply with any legal duty to which it is subject. The NC HIE shall not make any Disclosure under this Section 12 to the extent any request for Protected Health Information is withdrawn by the requesting party or rejected by a court or administrative tribunal in response to an objection by a Participant.

8.1.4. No Obligation to Search Participant Records.

drIDme shall Disclose only those records under its custody and control. drIDme shall not Disclose any records drIDme may be capable of obtaining by conducting searches through the drIDme Database of the records maintained by Participants or Qualified Organizations in their own record systems.

8.1.5. Consultation with Counsel.

drIDme shall consult with its counsel regarding its authority to Disclose Protected Health Information under this Section prior to making any such Disclosure.

8.1.6. Minimum Necessary.

drIDme shall Disclose only the minimum necessary Protected Health Information in response to requests covered by this Section.

8.1.7. Verification of Identity.

drIDme shall verify the identity and authority of the requesting party prior to Disclosing Protected Health Information under this Section.

8.1.8. Accounting of Disclosures.

drIDme shall maintain a record of Disclosures made under this Section in accordance with drIDme Policies.

9. Access To Data By Government Agencies

9.1.1. Disclosures Required by Law.

drIDme may Disclose Protected Health Information to a government agency or its representatives or agents when the Disclosure is Required by Law. Nothing in this Section shall be construed as obligating drIDme to Disclose Protected Health Information to a government agency on behalf of a Participant when the Participant, rather than drIDme, is Required by Law to make the Disclosure.

9.1.2. Disclosures for Public Health Purposes.

drIDme may Disclose Protected Health Information to Public Health Authorities for Public Health purposes. The drIDme Board of Directors shall approve the general types of Public Health purposes for which Protected Health Information may be Disclosed under this Section.

9.1.3. Minimum Necessary.

drIDme shall Disclose only the minimum necessary Protected Health Information for the purposes specified in Section 13.1 or 13.2. The NC HIE may rely on a public health official’s or other government official’s determination that the information requested represents the minimum necessary for the requested purpose.

9.1.4. Verification.

The NC HIE shall verify the identity and authority of the representative or agent of the government agency making the request prior to Disclosing Protected Health Information for the purposes specified in this Section.

9.1.5. Accounting of Disclosures.

drIDme shall maintain a record of Disclosures made under Section 13.1 or 13.2 in accordance with Section 9.1.2 of the Policies.

9.1.6. Participant Notification.

Except as restricted by applicable law, the NC HIE shall promptly notify Participants whose Protected Health Information has been Disclosed by the NC HIE under Section 13.1.

9.1.7. Other Disclosures Not Permissible.

drIDme shall not Disclose Protected Health Information to government agencies or their representatives or agents for any purpose not permitted by this Section 13 or another provision of the Policies.

10. Use of Cookies

drIDme may store information on your computer in the form of a “cookie” or similar file. Cookies serve to “remember” you and information you have entered, allowing you to save time when you return to features or functions you have customized.

Your web browser may allow you to erase or block such files, or notify you when such a file is stored. Please check your browser’s instructions for further information about such functions. However, the Service may not operate correctly, and you may not have access to all available features and functionality if you do not permit the installation of cookies, or if you disable them.

11. Security of Personal Information and Your Health Information

The Site has security measures in place to help secure your Personal Information and Your Health Information; we use industry standard security protocols, such as firewalls to help prevent unauthorized access to our systems by third parties, and user requirements such as unique user IDs and passwords in order to access various features of the Site and Service. We use Secure Sockets Layer (“SSL”) encryption when processing credit card transactions and when transmitting your Personal Information and Your Health Information when you upload it over the internet.

Data and internet security works best when all parties are properly secured. That means that you should properly secure your computer using virus protection, anti-spyware, passwords, firewalls and other security technology and practices. We are not responsible for the security (or lack thereof) of any non-drIDme computer, internet provider or other system.

12. Changes to this Privacy Policy

From time to time, drIDme may update this Privacy Policy to better serve you and us. We encourage you to review this Privacy Policy to remain informed of how drIDme is protecting your information.

13. Your Comments are Welcome

drIDme welcomes your comments regarding this Privacy Policy. If you have any questions or concerns, please contact our Privacy Officer at benjamin.d.jackson@drIDme.com.