Privacy Statement

Dossia Personally-Controlled Health Record

Privacy Statement Summary

Introduction

  • Dossia is a Personally-Controlled Health Record (PCHR) system.  If you create a Dossia PCHR, you can use it to store copies of your personal health information.
  • Privacy principles are crucial to Dossia.  Dossia was founded by a group of employers who believe in the benefits of individuals having access to health information at their fingertips.  These founders are committed to the principle that PCHR information must be private, secure, and under the control of the participants.
  • As a Dossia participant, you maintain control over the information that comes into your records. And you decide if you want to share your information with others.
  • Dossia will not disclose information in PCHRs to third parties without your explicit permission.  This includes employers, insurers, researchers, marketers, or any other third parties.  The only narrow exceptions to this restriction are explained in the Privacy Statement, such as that Dossia will disclose information if required by law.
  • Please read the complete Privacy Statement.

Information Collected by Dossia

  • You control what information will be entered into your Dossia PCHR, as explained under “Your Choices.”
  • Dossia collects personally identifiable information needed to enroll you and maintain your PCHR.

Your Choices

  • You can enter your own health information into your PCHR manually.
  • You can also choose to have your health care entities send your electronic health information directly into your PCHR, as that information becomes available over time.
  • You choose whether to share your PCHR with family members, healthcare providers, independent websites, or any third parties.
  • You can change or revoke your previous decisions about sharing information.
  • You (and only you) can choose to allow your information to be used for research, public health, marketing, or other purposes.

Security of Your Personally-Controlled Health Record

  • Dossia understands that your PCHR contains sensitive and personal information and that safeguarding it properly is essential.
  • Dossia uses security technologies and internal controls to protect your personal information from unauthorized access, use, and disclosure.

See Below for Complete Dossia PCHR Privacy Statement

For privacy questions, complaints, or concerns, contact us at: [e-mail address omitted]



Dossia Personally-Controlled Health Record

Privacy Statement

Dossia collects the personal information you voluntarily enter into the Dossia website, including the health information you enter, or authorize others to enter, into your Personally-Controlled Health Record (PCHR).  Dossia protects the privacy and security of this information as described in this Privacy Statement and uses this information to provide you with your PCHR and associated services.   Except for any narrow exceptions explained in this Privacy Statement, Dossia will not disclose information in PCHRs to third parties without your explicit permission.

A. Information Collected and Used by Dossia

1. Information in Your Personally-Controlled Health Record

You can enter your own health information, such as a symptom diary or immunization records, directly into your PCHR. You can also authorize your health care entities to send your health information directly to you into your PCHR.  Initially, only a limited number of health care entities will be set up to send health information directly to PCHRs.  Over time, Dossia expects that you will be able to direct additional health care entities and independent health-related websites to send your health information directly into your PCHR.  (See Glossary for definitions of “health care entities” and “health information.”)

2. Information Dossia Collects and Uses to Create and Maintain PCHRs

Dossia collects and uses identifiable information about you for enrollment, ongoing account and system administration, communications with you about your account, and internal operations. Dossia may also collect and store web usage information, including IP address and related information, needed to create and maintain a data connection between your computer and Dossia servers.  Dossia uses this web usage information, which may be logged to enhance system security, to aid system improvement.

B. Your Choices

When you create a PCHR, your choices include the following.

  • Importing Information. You can choose to directly enter your own health information, authorize your health care entities to submit your information electronically, or import information from independent websites. 
  • If you choose to authorize your health care entities to submit your information electronically, you will be asked to submit a HIPAA Authorization form to Dossia.  This form will authorize all of your present and future health care entities to submit your information directly to you into your PCHR.
  • Dossia will then make available to you a list of specific health care entities that are currently ready to send information into Dossia PCHRs.  You can select which specific entities you want to send your information into your PCHR.  Dossia will notify those entities that you have authorized them to send information about you into your PCHR.
  • Information from the entities you selected will begin to appear in your PCHR once the request is processed.  (Information from some entities may be delayed initially, however.)*
  • The entities you selected will continue to send future information about you to your PCHR, unless you choose to revoke their authorization to continue.  (See HIPAA Authorization for details about how to revoke authorizations.)
  • Initially, only a limited number of health care entities will be set up to send information to Dossia.  Over time, Dossia expects that you will be able to direct additional health care entities to send your information directly into your Dossia PCHR.
  • Sharing and Disclosing Information.  Dossia allows you to control whether you share or disclose any information in your PCHR.  Certain mandatory exceptions to this general rule, such as a court order requiring disclosure, are described in section (E). Except for these narrow exceptions, the following choices will be under your control.
  • You can choose to share with no one at all.
  • You can choose to print out your PCHR or save it to your computer or portable storage media.  Given the sensitivity of this information, Dossia suggests that you save it in encrypted form.
  • You can choose to share with a family member, friend, or caregiver.
  • You can choose to share with a healthcare provider.
  • Not only do you choose who can see your health information, you also choose the type of information access you want each recipient to have.  For example, you could let your sibling only read your record, while letting your spouse read your record and add annotations.  Only you will have the authority to close your account.
  • You can choose to grant access to your information to an independent website you find useful, such as a website related to a particular disease, once electronic connections to these independent websites become available.
  • If Dossia presents you with the option of granting an independent website access to your information, or exporting your information to an independent website, Dossia will present that choice to you clearly and specifically.
  • You can add an annotation to an item in your record, if you believe the item is incorrect or needs to be explained.  Your annotation will be dated and will identify you as the author of the comment.
  • You can choose whether you want your health information included in medical research projects, consumer health surveys or public health data-gathering. 
  • You can choose to disclose your health information for marketing purposes.
  • Before granting any third party access to your health information, you should know that:
  • Dossia’s Privacy Statement will not apply to the third party’s uses or disclosures of your information.
  • The third party’s privacy policies apply to its own uses and disclosures, so please review them carefully.
  • Closing your account.  You can close your account, and Dossia will permanently destroy its copies of your health information according to its data destruction security procedures.
  • Changing your choices.  Except for closing your account, which is permanent, you can change any of the above choices as often as you like.
  • To summarize, only you, not Dossia, can make the choices described here.  Dossia is designed to give you control over when and to whom you disclose your health information.

C. Dossia and Marketing

Dossia may post information on its website about Dossia enhancements or other products and services available to its participants.  If you choose to receive more information about the enhancements, products, or services, you will be able to request it.

Unless you explicitly and specifically consent:

  1. Dossia will not e-mail or mail marketing communications to you.  Dossia will not call you for marketing purposes.
  2. Dossia will not disclose your health information or contact information to third parties for them to use for marketing purposes.
  3. Dossia will not authorize any portion of your health information to be accessed (or “mined”) for marketing purposes, even on a non-personally identifiable or aggregated basis.

D. Security of Your Personally-Controlled Health Record

Dossia understands that PCHRs contain sensitive information and that safeguarding PCHRs properly is essential.  Dossia uses administrative, physical, and technical security technologies and internal controls, including encryption of health information, to protect your information from unauthorized access, use, and disclosure.  In addition to these controls, Dossia subjects itself to review and testing by independent information security experts.  Despite Dossia’s precautions, there is always some risk that unauthorized, wrongful, or illegal access to your information could occur or that transmissions of your information over the Internet could be intercepted.

To protect the security of your health information, Dossia does not authorize access to health information by Dossia technical system administrators (or anyone else at Dossia) on a regular or routine basis. Even where technical problems occur, Dossia anticipates that most technical problems will be resolved without any need for such access.  Dossia’s access to your health information is limited to these technical issues and other system, administrative, or security issues.  In the unusual case where internal access to identifiable health information is required to resolve a problem, Dossia requires adherence to strict internal access controls.

E. Disclosures of Your Personally-Controlled Health Record

As described above, you choose whether you share or disclose information in your PCHR. In addition to the disclosures that you direct, Dossia may need to make certain disclosures to third parties, which are explained here.

1. Disclosures to Third Parties Involved in Dossia Operations

Dossia may use outside entities such as vendors, hosting websites, and information security experts to assist in its operations.  Companies engaged by Dossia are permitted to access only the information necessary to perform their services.  They are contractually required to abide by relevant provisions in this Privacy Statement and are prohibited from using any information acquired through Dossia for any other purpose.

2. Other Possible Disclosures

Although Dossia is structured to give participants control over their PCHRs, Dossia must also comply with applicable laws.  If Dossia reasonably believes that it is required by law to disclose health or other information about you to a third party, it will do so.  (See Glossary for definition of “required by law.”)  For example, Dossia, just like any other entity that holds health information, might be required to disclose your health information if it were served with a subpoena related to litigation concerning an accident.  Similarly, a doctor’s office might have to disclose your medical records if it were served with a subpoena in similar circumstances. If Dossia is required by law to disclose health information in your PCHR, Dossia will, unless prohibited by law, make reasonable efforts to send you advance notice of the mandatory disclosure or seek a court order to protect the information.

In extraordinary circumstances, Dossia might disclose information in a PCHR if it reasonably believes the disclosure is needed in response to an imminent physical threat to you or others, to defend or assert legal rights, or in response to an immediate health risk authenticated by medical personnel.

3. Will Dossia Disclose Information to Employers?

Dossia was founded by a group of employers who want their employees to be able to have their own health information at their fingertips if they choose.  The founders believe that better consumer access to health information will ultimately help contain health care costs, reduce medical errors, and improve individual health.

A core belief of the Dossia founders is that PCHRs should be private.  Therefore, unless required by law or specifically authorized by you, Dossia will not disclose any information in your PCHR to your employer for any purpose.

Dossia may disclose aggregated, statistical data about PCHR usage in general to participating employers, but even this data will not include any health information about participants or tell employers which employees have opened Dossia accounts. For example, Dossia may tell a participating employer that 50% of its employees have chosen to create a PCHR, but Dossia will not inform the employer that, say, 10% of its employees have diabetes.

4. Will Dossia Disclose Information to Insurers or Employer Health Plans?

Unless required by law or specifically authorized by you, Dossia will not share any information in your PCHR with insurers or employer health plans.

If you share information in your PCHR with a third party, such as a health care provider, you should be aware that there is a possibility that the third party might share your information with an insurer or employer health plan.  For example, a hospital might need to share health information with an insurer to seek pre-authorization for surgery.  But Dossia itself will not share your health information with insurers or employer health plans unless required by law or specifically authorized by you.

5. Continuity of Operations

If Dossia were to transfer assets or operations in connection with a merger, sale, bankruptcy, or other transaction, Dossia might transfer PCHR information to the acquiring or merging entity.  In that event, Dossia would use good faith efforts to require that PCHRs remain subject to essentially the same restrictions as in the current Dossia Privacy Statement and Terms of Agreement.  Furthermore, because of Dossia’s commitment to individual control over PCHRs, Dossia would make reasonable efforts to send you advance notice of such a transfer in order to give you an opportunity to close your PCHR before the transfer if you wish.

F. Information Integrity and Individual Access

Dossia will employ technical and operational measures to maintain the integrity of the health information provided to it.  You will control and access the contents of your PCHR, as described in this Privacy Statement, and Dossia will also permit you to view any contact or enrollment information it holds about you. 

If you ask Dossia to provide an accounting of any mandatory disclosures we may have been compelled to make under section (E)(2), we will, unless prohibited by law, comply with your request.  You could request such an accounting by writing to Dossia at [e-mail address omitted].

You are responsible for safeguarding your ID and password.  Dossia’s privacy protections explained in this Privacy Statement may not apply if you allow someone else to control your PCHR by providing access to your ID and password.

G. Cookies

Dossia may use cookies to manage and improve our website and enhance the administration of PCHR technology. Dossia does not use cookies to collect or store personally identifiable information.  A cookie is a small text file that a website can send to your browser, which your computer stores as a tag that identifies the computer.  You can set your browser to decline cookies or notify you before accepting cookies, although if you decline them, the Dossia website may not work properly for you.

H. Children

This website does not knowingly collect personal information from any person under the age of 13.  This website is not designed or intended for children under the age of 13.

I.  Updates to this Privacy Statement

Any updates to this Privacy Statement will be posted here.  Most updates are anticipated to be editorial in nature or reflect ongoing enhancements to Dossia’s operations.  If, however, Dossia makes changes to the Privacy Statement that would materially affect your protections or choices explained here, Dossia will, at least 30 days in advance, take the following steps:

  • Post a notice about the change on the home page of your PCHR,
  • Send an e-mail about the change to your e-mail address in our records, and
  • Post the new Privacy Statement here.

J. Scope of this Privacy Statement

This Privacy Statement applies to Dossia PCHRs created at the request of individual participants.  Please be aware that this Privacy Statement does not apply to the following:

  • Medical care providers or payers who may hold health information about you;
  • Independent websites or other sources from which you imported medical information into your PCHR;
  • Independent websites or other people or entities to which you exported or otherwise disclosed your health information from your PCHR.

Before choosing to submit your information to independent websites or other entities, you should carefully review their privacy policies and terms of use.  This Dossia Privacy Statement does not apply to your health information once you share it with any third party or submit it to any non-Dossia website, person, or entity.

K. Effective Date of this Privacy Statement

The effective date of this Privacy Statement is September 20, 2008.

L.  How to contact us

If you have any questions, concerns, or complaints about Dossia’s privacy protections, please write to us at [e-mail address omitted], and we will attempt to resolve your concerns.


Glossary

Various terms used in the Privacy Statement are defined here.

“Health Information” means health or medical information about you, including claims information from your insurers, medical records from your health care providers, prescription drug records, and other records related to your health care or medical treatment.   It also includes less formal health information you or others may create, such as a symptom diary. The term does not include other personally identifiable information about you, such as name, address, telephone number, e-mail address, or other non-health-related information you may have provided for Dossia enrollment or administration.

“Health care entities” means entities that may send health information electronically into Dossia accounts.  They include (a) health care providers, such as physicians, dentists, pharmacies, laboratories, eye care providers, and hospitals, (b) information processors such as prescription processing companies, health information storage organizations, claims administrators, and pharmacy benefit managers, and (c)  health insurance companies and employer health plans, including their claims administrators, pharmacy benefit managers, and other service providers.

“Required by law” means required directly by applicable law or required by subpoena, court order, or other legal process.


Footnotes

* In some cases, state laws may impose extra requirements regarding authorizing disclosure of specific types of medical records.  These may include, depending on the state, records regarding mental health, substance abuse, HIV or other sexually transmitted diseases, cancer, or genetic information.  If you were expecting such information to be sent to your PCHR and it has not appeared, you may have to contact your health care entities directly and sign an additional authorization form.
