Privacy Statement

Dossia Personally-Controlled Health Record

Privacy Statement Summary


  • Dossia is a Personally-Controlled Health Record (PCHR) system.  If you create a Dossia PCHR, you can use it to store copies of your personal health information.
  • Privacy principles are crucial to Dossia.  Dossia was founded by a group of employers who believe in the benefits of individuals having access to health information at their fingertips.  These founders are committed to the principle that PCHR information must be private, secure, and under the control of the participants.
  • As a Dossia participant, you maintain control over the information that comes into your records. And you decide if you want to share your information with others.
  • Dossia will not disclose information in PCHRs to third parties without your explicit permission.  This includes employers, insurers, researchers, marketers, or any other third parties.  The only narrow exceptions to this restriction are explained in the Privacy Statement, such as that Dossia will disclose information if required by law.
  • Please read the complete Privacy Statement.

Information Collected by Dossia

  • You control what information will be entered into your Dossia PCHR, as explained under “Your Choices.”
  • Dossia collects personally identifiable information needed to enroll you and maintain your PCHR.

Your Choices

  • You can enter your own health information into your PCHR manually.
  • You can also choose to have your health care entities send your electronic health information directly into your PCHR, as that information becomes available over time.
  • You choose whether to share your PCHR with family members, healthcare providers, independent websites, or any third parties.
  • You can change or revoke your previous decisions about sharing information.
  • You (and only you) can choose to allow your information to be used for research, public health, marketing, or other purposes.

Security of Your Personally-Controlled Health Record

  • Dossia understands that your PCHR contains sensitive and personal information and that safeguarding it properly is essential.
  • Dossia uses security technologies and internal controls to protect your personal information from unauthorized access, use, and disclosure.

See Below for Complete Dossia PCHR Privacy Statement

For privacy questions, complaints, or concerns, contact us at: [e-mail address not shown]

Dossia Personally-Controlled Health Record

Privacy Statement

Dossia collects the personal information you voluntarily enter into the Dossia website, including the health information you enter, or authorize others to enter, into your Personally-Controlled Health Record (PCHR).  Dossia protects the privacy and security of this information as described in this Privacy Statement and uses this information to provide you with your PCHR and associated services.   Except for any narrow exceptions explained in this Privacy Statement, Dossia will not disclose information in PCHRs to third parties without your explicit permission.

A. Information Collected and Used by Dossia

1. Information in Your Personally-Controlled Health Record

You can enter your own health information, such as a symptom diary or immunization records, directly into your PCHR. You can also authorize your health care entities to send your health information directly to you into your PCHR.  Initially, only a limited number of health care entities will be set up to send health information directly to PCHRs.  Over time, Dossia expects that you will be able to direct additional health care entities and independent health-related websites to send your health information directly into your PCHR.  (See Glossary for definitions of “health care entities” and “health information.”)

2. Information Dossia Collects and Uses to Create and Maintain PCHRs

Dossia collects and uses identifiable information about you for enrollment, ongoing account and system administration, communications with you about your account, and internal operations. Dossia may also collect and store web usage information, including IP address and related information, needed to create and maintain a data connection between your computer and Dossia servers.  Dossia uses this web usage information, which may be logged to enhance system security, to aid system improvement.

B. Your Choices

When you create a PCHR, your choices include the following.

C. Dossia and Marketing

Dossia may post information on its website about Dossia enhancements or other products and services available to its participants.  If you choose to receive more information about the enhancements, products, or services, you will be able to request it.

Unless you explicitly and specifically consent:

  1. Dossia will not e-mail or mail marketing communications to you.  Dossia will not call you for marketing purposes.
  2. Dossia will not disclose your health information or contact information to third parties for them to use for marketing purposes.
  3. Dossia will not authorize any portion of your health information to be accessed (or “mined”) for marketing purposes, even on a non-personally identifiable or aggregated basis.

D. Security of Your Personally-Controlled Health Record

Dossia understands that PCHRs contain sensitive information and that safeguarding PCHRs properly is essential.  Dossia uses administrative, physical, and technical security technologies and internal controls, including encryption of health information, to protect your information from unauthorized access, use, and disclosure.  In addition to these controls, Dossia subjects itself to review and testing by independent information security experts.  Despite Dossia’s precautions, there is always some risk that unauthorized, wrongful, or illegal access to your information could occur or that transmissions of your information over the Internet could be intercepted.

To protect the security of your health information, Dossia does not authorize access to health information by Dossia technical system administrators (or anyone else at Dossia) on a regular or routine basis. Even where technical problems occur, Dossia anticipates that most technical problems will be resolved without any need for such access.  Dossia’s access to your health information is limited to these technical issues and other system, administrative, or security issues.  In the unusual case where internal access to identifiable health information is required to resolve a problem, Dossia requires adherence to strict internal access controls.

E. Disclosures of Your Personally-Controlled Health Record

As described above, you choose whether you share or disclose information in your PCHR. In addition to the disclosures that you direct, Dossia may need to make certain disclosures to third parties, which are explained here.

1. Disclosures to Third Parties Involved in Dossia Operations

Dossia may use outside entities such as vendors, hosting websites, and information security experts to assist in its operations.  Companies engaged by Dossia are permitted to access only the information necessary to perform their services.  They are contractually required to abide by relevant provisions in this Privacy Statement and are prohibited from using any information acquired through Dossia for any other purpose.

2. Other Possible Disclosures

Although Dossia is structured to give participants control over their PCHRs, Dossia must also comply with applicable laws.  If Dossia reasonably believes that it is required by law to disclose health or other information about you to a third party, it will do so.  (See Glossary for definition of “required by law.”)  For example, Dossia, just like any other entity that holds health information, might be required to disclose your health information if it were served with a subpoena related to litigation concerning an accident.  Similarly, a doctor’s office might have to disclose your medical records if it were served with a subpoena in similar circumstances. If Dossia is required by law to disclose health information in your PCHR, Dossia will, unless prohibited by law, make reasonable efforts to send you advance notice of the mandatory disclosure or seek a court order to protect the information. If Dossia is prohibited by law from disclosing health information in your PCHR, Dossia will, unless prohibited by law, make reasonable efforts to send you advance notice of the prohibition.

In extraordinary circumstances, Dossia might disclose information in a PCHR if it reasonably believes the disclosure is needed in response to an imminent physical threat to you or others, to defend or assert legal rights, or in response to an immediate health risk authenticated by medical personnel.

3. Will Dossia Disclose Information to Employers?

Dossia was founded by a group of employers who want their employees to be able to have their own health information at their fingertips if they choose.  The founders believe that better consumer access to health information will ultimately help contain health care costs, reduce medical errors, and improve individual health.

A core belief of the Dossia founders is that PCHRs should be private.  Therefore, unless required by law or specifically authorized by you, Dossia will not disclose any information in your PCHR to your employer for any purpose.

Dossia may disclose aggregated, statistical data about PCHR usage in general to participating employers, but even this data will not include any health information about participants or tell employers which employees have opened Dossia accounts. For example, Dossia may tell a participating employer that 50% of its employees have chosen to create a PCHR, but Dossia will not inform the employer that, say, 10% of its employees have diabetes.

4. Will Dossia Disclose Information to Insurers or Employer Health Plans?

Unless required by law or specifically authorized by you, Dossia will not share any information in your PCHR with insurers or employer health plans.

If you share information in your PCHR with a third party, such as a health care provider, you should be aware that there is a possibility that the third party might share your information with an insurer or employer health plan.  For example, a hospital might need to share health information with an insurer to seek pre-authorization for surgery.  But Dossia itself will not share your health information with insurers or employer health plans unless required by law or specifically authorized by you.

5. Continuity of Operations

If Dossia were to transfer assets or operations in connection with a merger, sale, bankruptcy, or other transaction, Dossia might transfer PCHR information to the acquiring or merging entity.  In that event, Dossia would use good faith efforts to require that PCHRs remain subject to essentially the same restrictions as in the current Dossia Privacy Statement and Terms of Agreement.  Furthermore, because of Dossia’s commitment to individual control over PCHRs, Dossia would make reasonable efforts to send you advance notice of such a transfer in order to give you an opportunity to close your PCHR before the transfer if you wish.

F. Information Integrity and Individual Access

Dossia will employ technical and operational measures to maintain the integrity of the health information provided to it.  You will control and access the contents of your PCHR, as described in this Privacy Statement, and Dossia will also permit you to view any contact or enrollment information it holds about you. 

If you ask Dossia to provide an accounting of any mandatory disclosures we may have been compelled to make under section (E)(2), we will, unless prohibited by law, comply with your request.  You could request such an accounting by writing to Dossia at [e-mail address not shown].

You are responsible for safeguarding your ID and password.  Dossia’s privacy protections explained in this Privacy Statement may not apply if you allow someone else to control your PCHR by providing access to your ID and password.

G. Cookies

Dossia may use cookies to manage and improve our website and enhance the administration of PCHR technology. Dossia does not use cookies to collect or store personally identifiable information.  A cookie is a small text file that a website can send to your browser, which your computer stores as a tag that identifies the computer.  You can set your browser to decline cookies or notify you before accepting cookies, although if you decline them, the Dossia website may not work properly for you.

H. Children

Except as permitted by explicit, fully informed parental consent, this website does not knowingly collect personal information from any person under the age of 13.

I. Updates to this Privacy Statement

Any updates to this Privacy Statement will be posted here.  Most updates are anticipated to be editorial in nature or reflect ongoing enhancements to Dossia’s operations.  If, however, Dossia makes changes to the Privacy Statement that would materially affect your protections or choices explained here, Dossia will, at least 30 days in advance, take the following steps:

J. Scope of this Privacy Statement

This Privacy Statement applies to Dossia PCHRs created at the request of individual participants.  Please be aware that this Privacy Statement does not apply to the following:

Before choosing to submit your information to independent websites or other entities, you should carefully review their privacy policies and terms of use.  This Dossia Privacy Statement does not apply to your health information once you share it with any third party or submit it to any non-Dossia website, person, or entity.

K. Effective Date of this Privacy Statement

The effective date of this Privacy Statement is September 10, 2009.

L. How to contact us

If you have any questions, concerns, or complaints about Dossia’s privacy protections, please write to us at [e-mail address not shown], and we will attempt to resolve your concerns.


Glossary

Various terms used in the Privacy Statement are defined here.

“Health Information” means health or medical information about you, including claims information from your insurers, medical records from your health care providers, prescription drug records, and other records related to your health care or medical treatment.   It also includes less formal health information you or others may create, such as a symptom diary. The term does not include other personally identifiable information about you, such as name, address, telephone number, e-mail address, or other non-health-related information you may have provided for Dossia enrollment or administration.

“Health care entities” means entities that may send health information electronically into Dossia accounts.  They include (a) health care providers, such as physicians, dentists, pharmacies, laboratories, eye care providers, and hospitals, (b) information processors such as prescription processing companies, health information storage organizations, claims administrators, and pharmacy benefit managers, and (c)  health insurance companies and employer health plans, including their claims administrators, pharmacy benefit managers, and other service providers.

“Required by law” means required directly by applicable law or required by subpoena, court order, or other legal process.


* In some cases, state laws may impose extra requirements regarding authorizing disclosure of specific types of medical records.  These may include, depending on the state, records regarding mental health, substance abuse, HIV or other sexually transmitted diseases, cancer, or genetic information.  If you were expecting such information to be sent to your PCHR and it has not appeared, you may have to contact your health care entities directly and sign an additional authorization form.