2. Collection and Use of Personally Identifiable Information
3. Collection and Use of Your Health Information
4. Collection and Use of Non-personal Information; Third Party Websites
5. Access Rights of drIDme Workforce
6. De-identified Data
7. Access to Data for Research
8. Responding to Subpoenas and Discovery Requests
9. Access to Data by Government Agencies
11. Security of Personal Information and Your Health Information
13. Your Comments are Welcome
drIDme is a for-profit organization that has established a medical data company to exchange health information among participants, health care providers, and other health industry stakeholders. The goal of drIDme is to assist participants, employers, and health care organizations in improving the quality of care and controlling the cost of health care services through enhanced access to medical information and analytics. drIDme is committed to protecting the security of your personal information. We have adopted and adhere to stringent security standards designed to protect non-public personal information on drIDme.com against accidental or unauthorized access or disclosure. These Policies are not designed to supersede any applicable state or federal laws or regulations, all of which continue to apply to any activities subject to these Policies. These Policies may be amended from time to time by the drIDme Board of Directors.
2. Collection and Use of Personally Identifiable Information
drIDme collects and stores personally identifiable information, such as your e-mail address, name, home or work address, telephone number, and credit card or other payment related information (collectively, “Personal Information”). We collect Personal Information in order to register you so that you can use and access the Service, to process payments and to operate and maintain the Site and Service. Since the Site and other components of the Service may be operated, maintained or serviced by third parties, you understand and agree that in order to process your registration, provide customer service, perform certain administrative functions and otherwise operate, maintain or service your account and/or the Service, we may share your Personal Information with third parties for such purposes. All such third parties are prohibited from using your Personal Information except to provide these services to drIDme, and they are required to maintain the confidentiality of your information.
drIDme may also use your Personal Information to inform you of other products or services available from drIDme and its affiliates. drIDme may also occasionally contact you to request your participation in surveys regarding the Site, Service or future products or services. From time to time, we may also contact you on behalf of third party business partners about a particular offering that may be of interest to you. In those cases, your Personal Information is not provided to the third party. You may “opt-out” of receiving such third party information at any time by visiting your “Subscriber Profile.”
We do not currently share your Personal Information with third parties for promotional purposes, but we reserve the right to do so in the future.
As part of our effort to always provide you with timely and relevant information, drIDme may deliver customized content and advertising within drIDme to you. We use standard internet navigation tracking tools to determine if your behavior on the Site indicates that you may be interested in the product or service contained in the customized content or advertising.
3. Collection and Use of Your Health Information
4. Collection and Use of Non-personal Information; Third Party Websites
drIDme may also collect non-personally identifiable information including, without limitation, information regarding your operating system, browser, domain name, and your navigation through, to and from the Site or Service (collectively, “Non-personal Information”).
For your convenience, the Site and Service may include links to third party websites. drIDme encourages you to review the privacy policies of those third party websites you choose to link to or from drIDme (either directly from a link on the Site or otherwise) so that you can understand how those websites collect, use and share your information. drIDme is not responsible for the privacy policies or other content on third party websites.
5. Access Rights Of drIDme Workforce
drIDme may authorize its own Workforce to access Protected Health Information through the drIDme database to the extent consistent with the terms of the HIPAA Privacy and Security Rule along with the Business Associate Contracts of each Medical Facility. Members of the Workforce may be given this access for one or more of the following purposes:
5.1.1. To facilitate the Disclosure of Protected Health Information to Participants or for Research or Public Health purposes as permitted by the Policies.
5.1.2. To process or otherwise implement Opt Out requests.
5.1.3. To perform patient identity or patient records maintenance.
5.1.4. To create De-identified Data in accordance with Privacy and Security Rules.
5.1.5. To conduct or assist in the performance of audits permitted or required by the Policies, including audits of Emergency Access required by Section 5.
5.1.6. To perform data analysis on behalf of and at the request of one or more Participants, to the extent consistent with HIPAA and Security Policies.
5.1.7. To evaluate the performance of or develop recommendations for improving the operation of the drIDme Database.
5.1.8. To conduct technical system support and maintenance on the HIE Network.
5.1.9. To engage in any other activities reasonably related to the operation of the drIDme that are authorized by the drIDme Board of Directors and are consistent with applicable law.
5.1.10. Role-Based Access.
drIDme shall establish role-based access standards reasonably designed to enable each Workforce member to access only such Protected Health Information that is necessary for the performance of his or her authorized activities. These standards shall ensure that drIDme Workforce members access and use only the minimum necessary amount of Protected Health Information reasonably required to carry out the authorized purpose.
No drIDme Workforce member may access Protected Health Information through the drIDme database unless the Workforce member has received training regarding the Policies and acknowledged in writing the receipt thereof.
5.1.12. Discipline for Non-Compliance.
drIDme shall discipline Workforce members who violate the Policies or engage in any other unauthorized or inappropriate behavior that undermines the privacy or security of Protected Health Information available through the drIDme Database. Depending on the circumstances, disciplinary measures may include verbal and written warnings, retraining, demotion, suspension or termination of employment.
5.1.13. Reporting and Non-Retaliation.
drIDme shall require all Workforce members to report any actual or suspected violation of the Policies of which they become aware. No Workforce member may be subject to retaliation of any kind for reporting a violation in good faith.
5.1.14. Business Associates.
drIDme may authorize its own Business Associates to access Protected Health Information for a purpose that is consistent provided drIDme has entered into a Business Associate Contract with the Business Associate. Such Business Associates may include, but are not limited to, Qualified Organizations.
6. De-identified Data
6.1.1. Creation of De-Identified Data.
drIDme, through its Workforce or Business Associates, may access Protected Health Information through drIDme to create De-Identified Data in accordance with this section.
6.1.2. Standards for De-Identification.
Data will be deemed De-identified Data only if one of the following standards is satisfied:
1. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information. The methods and results of the analysis that justify such determination must be documented.
2. The following identifiers are removed from the data:
a. Names;
b. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of Census (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
c. All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
d. Telephone numbers;
e. Fax numbers;
f. Electronic mail addresses;
g. Social security numbers;
h. Medical record numbers;
i. Health plan beneficiary numbers;
j. Account numbers;
k. Certificate/license numbers;
l. Vehicle identifiers and serial numbers, including license plate numbers;
m. Device identifiers and serial numbers;
n. Web Universal Resource Locators;
o. Internet Protocol address numbers;
p. Biometric identifiers, including finger and voice prints;
q. Full face photographic images and any comparable images; and
r. Any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes provided certain conditions are met, as set forth under HIPAA.
3. Information will not be deemed De-Identified Data if drIDme has actual knowledge that the information could be used, alone or in combination with other information, to identify an Individual who is a subject of the information.
1. The drIDme Board of Directors shall develop guidelines that specify when drIDme will assign a code or employ other means of record identification to allow De-Identified Data to be re-identified in the event appropriate for clinical or other valid purposes. If such a code is assigned or other means of record identification is established:
2. The code or other means of record identification must not be derived from or related to information about the Individual and may not otherwise be capable of being translated so as to identify the Individual; and
3. drIDme may not use or disclose the code or other means of record identification for any other purpose, and may not disclose the mechanism for re-identification.
6.1.4. Uses of De-Identified Data.
1. drIDme may use or make available to other parties De-identified Data for any purpose approved by the drIDme Board of Directors. The drIDme Board of Directors may authorize drIDme to charge a fee to Participants or other parties requesting De-identified Data to the extent consistent with applicable law. No Participant shall have the right to restrict drIDme’s use or transmission of De-identified Data.
7. Access To Data For Research
7.1.1. Requirements for Disclosure for Research.
drIDme may Disclose Protected Health Information to appropriately qualified researchers for Research if one of the following requirements is satisfied:
1. All Individuals whose Protected Health Information is being Disclosed have signed a written authorization for the Disclosure that complies with HIPAA.
2. The Research has been approved by a Designated IRB, which has waived the requirement of obtaining Individuals’ authorization for the Disclosure in accordance with 45 C.F.R. § 512(i)(2).
3. The Protected Health Information is limited to that of decedents, the deaths of the relevant Individuals have been documented by the researcher requesting the information and the researcher represents to drIDme in writing that the information is necessary for Research.
4. The Protected Health Information requested constitutes a limited data set, as defined at 45 C.F.R. § 164.514(e), and a data use agreement, as described under 45 C.F.R. § 164.514(e), has been executed by the researcher and drIDme.
5. Appointment of Designated IRB. The NC HIE shall enter into a written agreement with each Designated IRB to carry out the functions contemplated. Such agreement shall ensure that the Designated IRB performs its obligations in accordance with 45 C.F.R. § 164.512(i).
7.1.2. Minimum Necessary.
Except for Research carried out pursuant to drIDme shall Disclose only the minimum necessary Protected Health Information for the permitted Research purpose.
drIDme shall verify the identity and authority of any researcher requesting access to Protected Health Information for Research prior to Disclosing such information to the researcher.
drIDme shall maintain a record of all Disclosures for Research.
drIDme may charge fees to researchers seeking access to Protected Health Information available through the drIDme Database, provided that such fees must be reasonably related to the costs incurred by drIDme in connection with reviewing and complying with the Research request, including but not limited to, the cost of review by a Designated IRB.
8. Responding To Subpoenas And Discovery Requests
8.1.1. Disclosures In Response to Court Orders.
drIDme may Disclose Protected Health Information in its possession in response to a court order provided drIDme Discloses only the Protected Health Information expressly authorized by such order.
8.1.2. Disclosures in Response to Subpoenas and Discovery Requests.
drIDme may Disclose Protected Health Information in its possession in response to a subpoena, discovery request or other lawful process that is not accompanied by an order of a court only if the subpoena, discovery request or other lawful process is accompanied by a written authorization from the Individual who is the subject of the requested Protected Health Information.
drIDme shall respond to subpoenas, discovery requests or other lawful processes by transmitting a written objection to the party requesting the Protected Health Information setting forth the need for either a court order or a written authorization from the Individual in connection with such request.
8.1.3. Opportunity for Participants to Resist Request.
drIDme shall notify all Participants whose Protected Health Information is subject to a potential Disclosure of drIDme’s intention to make the Disclosure no less than five days prior to the anticipated date of the Disclosure. drIDme shall not Disclose any Participant’s Protected Health Information if (i) the Participant notifies drIDme within such five-day period of the Participant’s intention to move to quash the subpoena or otherwise resist the request and (ii) the Participant takes such action within the time period necessary to prevent the NC HIE from failing to comply with any legal duty to which it is subject. The NC HIE shall not make any Disclosure under this Section 12 to the extent any request for Protected Health Information is withdrawn by the requesting party or rejected by a court or administrative tribunal in response to an objection by a Participant.
8.1.4. No Obligation to Search Participant Records.
drIDme shall Disclose only those records under its custody and control. drIDme shall not Disclose any records drIDme may be capable of obtaining by conducting searches through the drIDme Database of the records maintained by Participants or Qualified Organizations in their own record systems.
8.1.5. Consultation with Counsel.
drIDme shall consult with its counsel regarding its authority to Disclose Protected Health Information under this Section prior to making any such Disclosure.
8.1.6. Minimum Necessary.
drIDme shall Disclose only the minimum necessary Protected Health Information in response to requests covered by this Section.
8.1.7. Verification of Identity.
drIDme shall verify the identity and authority of the requesting party prior to Disclosing Protected Health Information under this Section.
8.1.8. Accounting of Disclosures.
drIDme shall maintain a record of Disclosures made under this Section in accordance with drIDme Policies.
9. Access To Data By Government Agencies
9.1.1. Disclosures Required by Law.
drIDme may Disclose Protected Health Information to a government agency or its representatives or agents when the Disclosure is Required by Law. Nothing in this Section shall be construed as obligating drIDme to Disclose Protected Health Information to a government agency on behalf of a Participant when the Participant, rather than drIDme, is Required by Law to make the Disclosure.
9.1.2. Disclosures for Public Health Purposes.
drIDme may Disclose Protected Health Information to Public Health Authorities for Public Health purposes. The drIDme Board of Directors shall approve the general types of Public Health purposes for which Protected Health Information may be Disclosed under this Section.
9.1.3. Minimum Necessary.
drIDme shall Disclose only the minimum necessary Protected Health Information for the purposes specified in Section 13.1 or 13.2. The NC HIE may rely on a public health official’s or other government official’s determination that the information requested represents the minimum necessary for the requested purpose.
The NC HIE shall verify the identity and authority of the representative or agent of the government agency making the request prior to Disclosing Protected Health Information for the purposes specified in this Section.
9.1.5. Accounting of Disclosures.
drIDme shall maintain a record of Disclosures made under Section 13.1 or 13.2 in accordance with Section 9.1.2 of the Policies.
9.1.6. Participant Notification.
Except as restricted by applicable law, the NC HIE shall promptly notify Participants whose Protected Health Information has been Disclosed by the NC HIE under Section 13.1.
9.1.7. Other Disclosures Not Permissible.
drIDme shall not Disclose Protected Health Information to government agencies or their representatives or agents for any purpose not permitted by this Section 13 or another provision of the Policies.
drIDme may store information on your computer in the form of a “cookie” or similar file. Cookies serve to “remember” you and information you have entered, allowing you to save time when you return to features or functions you have customized.
Your web browser may allow you to erase or block such files, or notify you when such file is stored. Please check your browser’s instructions for further information about such functions. However, the Service may not operate correctly, and you may not have access to all available features and functionality if you do not permit the installation of cookies, or if you disable them.
11. Security of Personal Information and Your Health Information
The Site has security measures in place to help secure your Personal Information and Your Health Information. We use industry-standard security protocols, such as firewalls, to help prevent unauthorized access to our systems by third parties, and user requirements, such as unique user IDs and passwords, in order to access various features of the Site and Service. We use Secure Sockets Layer (“SSL”) encryption when processing credit card transactions and when transmitting your Personal Information and Your Health Information when you upload it over the internet.
Data and internet security works best when all parties are properly secured. That means that you should properly secure your computer using virus protection, anti-spyware, passwords, firewalls and other security technology and practices. We are not responsible for the security (or lack thereof) of any non-drIDme computer, internet provider or other system.
13. Your Comments are Welcome