Dossia Privacy Statement
Health Management System
DESCRIBES DOSSIA'S PRIVACY POLICIES.
Dossia believes that:
- Individuals should have quick and easy access to health and medical information about themselves and their families,
- Individuals should have the tools and information necessary to manage their own health and medical care, and
- Everyone's health and medical information should be private and secure.
What does this mean for you?
- If you create a Dossia Personal Health Management System (PHMS), you can use it to securely store copies of your personal health information.
- As a Dossia participant, you maintain control over the information in your PHMS.
- As a Dossia participant you will have access to a wide variety of tools to manage your health and medical care. Your health plan or health care provider and Dossia will offer many of these tools to you through subcontractors and, oftentimes, at no cost to you.
What does this mean for us?
- Dossia understands that you have a legal right to have your health and medical information kept private and secure.
- Dossia will not disclose information about you to employers, researchers, marketers or other third parties without your explicit permission, except for several very narrow exceptions - for example, if a court requires Dossia to disclose information about you.
Dossia's Obligations to You
- We are required to seek your consent before disclosing any information about you (except if we are required by law to do so, or other limited situations described in this Privacy Statement).
- We are required to provide you with a copy of our Privacy Statement, Terms of Agreement, our legal duties to you, and the practices we use to keep your information private and secure (collectively, "privacy policies").
- We are required to keep your information private and secure.
- We are required to notify you of any change in our privacy policies prior to making these changes. We will seek your consent before applying any material changes in our privacy policies as they affect you.
- We are required to describe the reason we are seeking your consent to disclose information about you.
- We are required to disclose only the information necessary for the purposes described.
- You have the right to request restrictions on certain uses and disclosures of your information. Dossia will comply with your request to restrict the use and disclosure of your information, unless required by law to limit or negate your request.
- You have the right to receive private communications about your information.
- You have the right to inspect and copy any information Dossia has about you.
- You have the right to amend health information others add to your Dossia PHMS.
- You have the right to receive an accounting of any disclosures of your information.
- You have the right to obtain a paper copy of this notice.
Right to Change our Privacy Policies and Terms of Agreement
Dossia reserves the right to change its Terms of Agreement at any time. We will notify you 30 days prior to any change unless immediate changes are necessary to protect your information. We will seek your consent before applying any material changes to you. If you do not consent to these changes, in some cases it is possible that the features and tools offered by Dossia may be unavailable to you.
Security of Your PHMS
- Dossia understands that your PHMS contains sensitive and personal information and that safeguarding it properly is essential.
- Dossia uses administrative, physical, and technical safeguards to protect your personal information from unauthorized access, use, and disclosure.
- Our use of subcontractors does not diminish your right to have your information held private and secure. Dossia is both a subcontractor to health plans and providers and uses subcontractors. These subcontractors must comply with the same privacy requirements as Dossia.
See below for the complete Dossia PHMS Privacy Statement.
Personal Health Management System (PHMS)
Dossia collects and stores personal information about you, including the health information you enter, or authorize others to enter, into your PHMS. Dossia protects the privacy and security of this information as described in this Privacy Statement. Dossia will use this information to provide you with the tools you need to manage your health and medical care. Except for the narrow exceptions explained in this Privacy Statement, Dossia will not disclose information in your PHMS to third parties without your
A. Information Collected and Used by Dossia
Information in Your PHMS
You can enter your own health information, such as a symptom diary or immunization records, directly into your PHMS. You can also authorize your health care entities to send your health information directly to you or to your PHMS.
Additionally, with your consent, certain health-related websites may send health information directly to your PHMS. (See Glossary for definitions of "health care entities," "health information," and other relevant terms used in this Privacy
Information Dossia Collects and Uses to Create and Maintain Your PHMS
Dossia collects and uses some Protected Health Information about you for enrollment, ongoing account and system administration, communications with you about your account, and internal operations. Dossia may also collect and store web usage information, including IP addresses and related information, needed to create and maintain a data connection between your computer and Dossia servers. Dossia uses this web usage information, which may be logged, to enhance system security and to aid system improvement.
Dossia may collect aggregate, statistical information about you and other individuals who have created a Dossia PHMS in order to help your health plan, providers or Personal Health Applications you use improve the quality of services they offer
B. Your Choices
When you create a PHMS, your choices include the following.
- You can choose to directly enter your own health information, authorize your health care entities (e.g., health plans and health care providers) to submit your information electronically, or import information from certain websites.
- If your PHMS is provided by your health plan or health care provider, and if you choose to authorize your health care entities to submit your information electronically, you will be asked to submit a HIPAA Authorization form to Dossia. This form will authorize all of your present and future health care entities to submit your information directly to your PHMS. If your PHMS is not provided by your health plan or provider, and if you choose to authorize your health care entities to submit your information electronically to your PHMS, you will be asked to submit a HIPAA Authorization form to Dossia for each health care entity.
- You may contact your provider, outside of Dossia, to request withholding certain types of information you do not want sent to or stored in your PHMS. Such decisions should be taken in consultation with your health care provider.
- In addition, a health care provider may decide not to send (or may be prohibited by law from sending) certain types of information to your PHMS. Dossia disclaims any responsibility for the failure of your health care provider to comply with a request under this section.
- Any entity you authorize to send information to Dossia will continue to send information about you to your PHMS, unless you revoke the authorization. (See HIPAA Authorization for details about how to revoke authorizations.)
- Dossia may not be able to include information from some health care entities in your PHMS if the entity does not send the information in a standard electronic format.
- You can choose to print out your PHMS or save it to your computer or portable storage media. Given the sensitivity of this information, if you do so, Dossia suggests that you save it in an encrypted form.
- You can choose, for any reason, to add an annotation to any item in your record. Your annotation will be dated and will identify you as the author of the comment.
Sharing and Disclosing Information
You control whether or not to share or disclose any information in your PHMS. Certain exceptions to this general rule, such as a court order requiring disclosure, as well as disclosures to subcontractors, are described in section (E).
- You can choose to share your information with a family member, friend, or caregiver.
- You can choose to share your information with a health care provider.
- In many cases, you may also choose the type of information access you want each recipient to have.
- You can choose to use a Personal Health Application offered by Dossia as a subcontractor.
- You can choose to send your information to other Personal Health Applications offered by your health plan or provider but not as a subcontractor. Dossia will only send your information to this type of Personal Health Application if you give your consent.
- You can choose to send your information to a website outside of Dossia, such as a website related to a particular disease and not associated with Dossia, or a health care entity working with Dossia. However, Dossia will not send your information to a website outside of Dossia. Dossia cannot assure that any information you send to a website outside of Dossia will be private or secure. Dossia does not assume any liability for the disclosure and use of information provided to websites and others outside of Dossia.
- You can choose whether you want your health information included in medical research projects, consumer health surveys, or public health data-gathering.
- You can choose to disclose your health information for marketing purposes.
Before granting any third party (for example, a family member or a website outside of Dossia) access to your health information, you should know that:
- Dossia's Privacy Statement may not apply to the third party's uses or disclosures of your information.
- Before sending any information to any third party, you should recognize that information about you may no longer be protected, kept private or be secure.
Closing Your Account
If you choose to close your account, Dossia will permanently destroy its copies of your health information according to its data destruction security procedures. Prior to destroying your information, Dossia will offer you the opportunity to retrieve or transfer your information. If you are no longer eligible to participate in Dossia through your health plan or provider (for example, due to loss of employment), Dossia will offer you the opportunity to maintain your account on an individual basis or to close your account and retrieve or transfer your information.
Changing Your Choices
Except for closing your account, which is permanent, you can change any of the above choices as often as you like.
Accounts for Minor Dependents
Subject to applicable law, parents and guardians may establish accounts for minor dependents (those under the age of 18). Both a parent/guardian AND a dependent minor age 12 or older must agree to the conditions under which the contents of the dependent minor's account are shared with the parent/guardian. Unless both the parent/guardian and the dependent minor age 12 or older explicitly and specifically consent, Dossia will not permit health care entities to send information to the dependent minor's PHMS. In this instance, only the dependent minor may enter information to the Dossia PHMS. Parents/guardians have full access to the accounts of minor dependents age 11 and younger.
C. Dossia and Marketing
If your PHMS is provided by your health plan or health care provider, then Dossia, acting on behalf of your health plan or provider, may ask for your consent to make certain Personal Health Applications and other products and services available to you. If your PHMS is provided by Dossia, Dossia may ask directly for your consent to make these Personal Health Applications and other products and services available to you.
In some instances, Federal law describes this activity as "marketing", and requires that you give your consent and explicit authorization before Dossia conducts these activities. It is important to understand that your consent is purely voluntary, and your decision about whether to give your consent for marketing will not affect your ability to use your PHMS.
Unless you explicitly and specifically
- Dossia will not e-mail or mail marketing communications to you.
- Dossia will not call you for marketing purposes.
- Dossia will not disclose your health information or contact information to third parties for marketing purposes.
- Dossia will not authorize any portion of your health information to be accessed (or "mined") for marketing purposes.
D. Security of Your PHMS
Dossia understands that your PHMS contains sensitive information and that safeguarding your PHMS properly is essential. Dossia uses administrative, physical, and technical security technologies and internal controls, including encryption of health information, to protect your information from unauthorized access, use, and disclosure. In addition to these controls, Dossia subjects itself to review and testing by independent information security experts. Despite Dossia's precautions, there is always some risk that unauthorized, wrongful, or illegal access to your information could occur or that transmissions of your information over the Internet could be intercepted.
To protect the security of your health information, Dossia does not authorize access to health information by Dossia technical system administrators (or anyone else at Dossia) on a regular or routine basis. Even where technical problems occur, Dossia anticipates that most technical problems will be resolved without any need for such access. Dossia's access to your health information in such cases is limited to these technical issues and other system, administrative, or security issues. In the unusual case where internal access to identifiable health information is required to resolve a problem, Dossia requires adherence to strict internal access controls.
In the event that Dossia discovers a breach of unsecured health information, Dossia will take immediate action and notify the appropriate parties without delay. If your PHMS is provided by your health plan or provider, Dossia will immediately notify your health plan or provider of the breach, in accordance with Federal law. You will receive more information about the breach directly from your health plan or provider. If your PHMS is not provided by your health plan or provider, Dossia will notify you of the breach directly, again, in accordance with Federal law.
E. Disclosures of Your PHMS
Dossia may need to make certain disclosures to third parties, which are explained here.
i. Disclosures to Third Parties Involved in Dossia Operations
Dossia may use outside entities such as vendors, hosting websites, and information security experts to assist Dossia in its operations. Companies engaged by Dossia are permitted to access only the information necessary to perform their services. They are contractually required to abide by relevant provisions in this Privacy Statement and are prohibited from using any information acquired through Dossia for any other purpose.
ii. Personal Health Applications
Your health plan or provider and Dossia may share your information with subcontractors that provide Personal Health Applications and other services designed to help you manage your health and medical services. Dossia subcontractors must comply with this Privacy Statement and are required to protect your information in a manner at least as restrictive as Dossia. Neither Dossia, nor your health plan or provider, will receive any remuneration from these Personal Health Applications.
iii. Personal Health Applications - Not Subcontractors
If your PHMS is provided by your health plan or provider, your health plan or provider has chosen to work through Dossia to provide you with a number of additional tools to manage your health and medical care. If your PHMS is provided outside your health plan or provider, Dossia has chosen to provide you with these tools directly. It is your choice whether or not to use these tools. Dossia will not provide any information about you to these Personal Health Applications unless you choose to use these tools. If you do choose to use these tools, Dossia will only provide the minimum information necessary for these Personal Health Applications
Disclosures Required by Law
Although Dossia is structured to give you control over your PHMS, Dossia must also comply with applicable Federal and state laws. If Dossia reasonably believes that it is required by law to disclose health or other information about you to a third party, it will do so. (See Glossary for definition of "required by law.") If Dossia is required by law to disclose health information in your PHMS, Dossia will, unless prohibited by law, make reasonable efforts to send you advance notice of the mandatory disclosure or seek a court order to protect the information.
In extraordinary circumstances, Dossia might disclose information about you to the proper authorities, if Dossia reasonably believes the disclosure is needed in response to an imminent physical threat to you or others, to defend or assert legal rights, or in response to an immediate health risk authenticated by
Will Dossia Disclose Information to Employers?
Dossia believes that better consumer access to health information will help reduce health care costs, reduce medical errors, and help you better manage your own health and
A core belief of the Dossia founders is that your PHMS should be private. Therefore, unless required by law or specifically authorized by you, Dossia will not disclose any information in your PHMS to your employer for any purpose.
Dossia may disclose to employers the aggregate number of employees and beneficiaries using Dossia and some of the tools offered through Dossia. Aggregate data will not include any health information about individual participants.
Will Dossia Disclose Information to Your Health Plan or Provider?
If your Dossia PHMS is provided by your health plan or health care provider, Dossia may only provide your health plan or provider information about you that Dossia received from your health plan or provider. In other words, Dossia will not provide your health plan or provider any information about you that you or a third party (other than your health plan or provider) added to your PHMS. However, you can choose to share additional information with your health plan or provider.
If your Dossia PHMS is not provided by your health plan or health care provider, Dossia will not disclose any information about you to your health plan or provider, unless you give your explicit consent.
Sharing Information with Others
If you choose to share information in your PHMS with a third party, such as a health care provider, you should be aware that there is a possibility that the third party might share your information with an insurer or employer health plan. For example, a hospital might need to share health information with an insurer to seek pre-authorization for surgery.
Continuity of Operations
If Dossia were to transfer assets or operations in connection with a merger, sale, bankruptcy, or other transaction, Dossia might transfer PHMS information to the acquiring or merging entity. In that event, Dossia would use good faith efforts to require that your PHMS remain subject to essentially the same restrictions as in the current Dossia Privacy Statement and Terms of Agreement. Furthermore, because of Dossia's commitment to individual control over your PHMS, Dossia would make reasonable efforts to send you advance notice of such a transfer in order to give you an opportunity to close your PHMS before the transfer if you wish.
F. Information Integrity and Individual Access
Dossia will employ administrative, physical and technical safeguards to maintain the integrity of the health information provided to it. You will control and access the contents of your PHMS, as described in this Privacy Statement, and Dossia will also permit you to view any contact or enrollment information it holds
You are responsible for safeguarding your ID and password. Dossia's privacy protections explained in this Privacy Statement may not apply if you allow someone else to control your PHMS by providing access to your ID and password.
and improve our website. A cookie is a small text file that a website can send to your browser, which your computer stores as a tag that identifies your computer. You can set your browser to decline cookies or notify you before accepting cookies, although if you decline them, the Dossia website may not work properly for you. We may also collect and track automatically (1) the home server domain names, IP addresses, type of client computer, and type of web browser of visitors to our Sites, and (2) aggregate and specific information on what pages
Except as permitted by explicit, fully informed parental consent, this website does not knowingly collect personal information from any person under the age of 13.
I. Updates to this Privacy
Any updates to this Privacy Statement will be posted here. Most updates are anticipated to be editorial in nature or reflect ongoing enhancements to Dossia's operations. If, however, Dossia makes changes to the Privacy Statement that would materially affect your protections or choices explained here, Dossia will, at least 30 days in advance, take the following steps:
- Post a notice about the change on the home page of your PHMS,
- Send an e-mail about the change to your e-mail address in our records, and
- Post the new Privacy Statement here.
We will seek your consent before applying any material changes to this Privacy Statement to you. If you do not consent to these changes, in some cases it is possible that the features and tools offered by Dossia may be unavailable to
J. Scope of this Privacy
This Privacy Statement applies to a Dossia PHMS created at the request of individual participants. Please be aware that this Privacy Statement does not apply to the following:
- Medical care providers or payers who may hold health information about you,
- Websites or other sources from which you imported medical information into your PHMS, and
- Websites or other people or entities to which you exported or otherwise disclosed your health information from your PHMS.
Before choosing to submit your information to websites outside of Dossia or other entities, you should
Privacy Statement does not apply to your health information once you share it with any third party or submit it to any non-Dossia website, person, or entity.
K. Termination of Your PHMS
Dossia reserves the right to decide, at its discretion, to no longer offer you a PHMS. If Dossia decides to terminate your PHMS, Dossia will permanently destroy its copies of your health information according to its data destruction security procedures. Prior to destroying your information, Dossia will offer you the opportunity to retrieve or transfer your information.
L. Effective Date of this
The effective date of this Privacy Statement is September 15, 2011.
M. How to contact us
If you have any questions, concerns, or complaints about Dossia's privacy protections, please
Various terms used in the Privacy Statement are defined here.
means health or medical information about you, including claims information from your insurers, medical records from your health care providers, prescription drug records, and other records related to your health care or medical treatment. It also includes less formal health information you or others may create, such as a symptom diary. The term does not include other personally identifiable information about you, such as name, address, telephone number, e-mail address, or other non-health-related information you may have provided for Dossia enrollment or administration.
"Health care entities" means entities that may send health information electronically into Dossia accounts or to you. They include (a) health care providers, such as physicians, dentists, pharmacies, laboratories, eye care providers, and hospitals, (b) information processors such as prescription processing companies, health information storage organizations, claims administrators, and pharmacy benefit managers, and (c) health insurance companies and employer health plans, including their claims administrators, pharmacy benefit managers, and other service providers.
"Required by law" means required directly by applicable law or required by subpoena, court order, or other legal process.
"Dossia" or "we" means the Dossia Service Corporation, a corporation incorporated in
"You" means an individual participant who creates a Dossia account or otherwise accesses a Dossia
"This website" means the Dossia website, including www.dossia.org and any Dossia website on which Dossia offers its Personal Health Management System (PHMS) and a Personal Health Record.
Health Management System" or "PHMS" means an account you create on the Dossia website to which you can send, or authorize others to send, your health information. Your PHMS will include a Personal Health Record and various tools to help you manage your health and medical care. Some of these tools will be part of the Dossia website. In some instances, Dossia will offer participants a link to a website outside of the Dossia website.
"Personal Health Record" means an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. The term "Personal Health Record" shall have the same meaning as the term is defined in section 13400 of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5).
"Protected Health Information" means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium, with certain exceptions. The term "Protected Health Information" shall have the same meaning as the term is defined in Title 45, part 160.103 of the Code of Federal
"Personal Health Application" means a website or software that uses health information about an individual to help diagnose, manage, treat, or provide general or specific information about disease, injury, or conditions to improve an individual's general
1. In some cases, state laws may impose extra requirements regarding authorizing disclosure of specific types of medical records. These may include, depending on the state, records regarding mental health, substance abuse, HIV or other sexually transmitted diseases, cancer, or genetic information. If you were expecting such information to be sent to your PHMS and it has not appeared, you may have to contact your health care entities directly and sign an additional authorization form.