Dossia collects the personal information you voluntarily enter into the Dossia website, including the health information you enter, or authorize others to enter, into your Personally-Controlled Health Record (PCHR). Dossia protects the privacy and security of this information as described in this Privacy Statement and uses this information to provide you with your PCHR and associated services. Except for any narrow exceptions explained in this Privacy Statement, Dossia will not disclose information in PCHRs to third parties without your explicit permission.
You can enter your own health information, such as a symptom diary or immunization records, directly into your PCHR. You can also authorize your health care entities to send your health information directly to you into your PCHR. Initially, only a limited number of health care entities will be set up to send health information directly to PCHRs. Over time, Dossia expects that you will be able to direct additional health care entities and independent health-related websites to send your health information directly into your PCHR. (See Glossary for definitions of “health care entities” and “health information.”)
Dossia collects and uses identifiable information about you for enrollment, ongoing account and system administration, communications with you about your account, and internal operations. Dossia may also collect and store web usage information, including IP address and related information, needed to create and maintain a data connection between your computer and Dossia servers. Dossia uses this web usage information to aid system improvement and may log it to enhance system security.
When you create a PCHR, your choices include the following.
Dossia may post information on its website about Dossia enhancements or other products and services available to its participants. If you choose to receive more information about the enhancements, products, or services, you will be able to request it.
Unless you explicitly and specifically consent:
Dossia understands that PCHRs contain sensitive information and that safeguarding PCHRs properly is essential. Dossia uses administrative, physical, and technical security technologies and internal controls, including encryption of health information, to protect your information from unauthorized access, use, and disclosure. In addition to these controls, Dossia subjects itself to review and testing by independent information security experts. Despite Dossia’s precautions, there is always some risk that unauthorized, wrongful, or illegal access to your information could occur or that transmissions of your information over the Internet could be intercepted.
To protect the security of your health information, Dossia does not authorize access to health information by Dossia technical system administrators (or anyone else at Dossia) on a regular or routine basis. Even where technical problems occur, Dossia anticipates that most technical problems will be resolved without any need for such access. Dossia’s access to your health information is limited to these technical issues and other system, administrative, or security issues. In the unusual case where internal access to identifiable health information is required to resolve a problem, Dossia requires adherence to strict internal access controls.
As described above, you choose whether you share or disclose information in your PCHR. In addition to the disclosures that you direct, Dossia may need to make certain disclosures to third parties, which are explained here.
Dossia may use outside entities such as vendors, hosting websites, and information security experts to assist in its operations. Companies engaged by Dossia are permitted to access only the information necessary to perform their services. They are contractually required to abide by relevant provisions in this Privacy Statement and are prohibited from using any information acquired through Dossia for any other purpose.
Although Dossia is structured to give participants control over their PCHRs, Dossia must also comply with applicable laws. If Dossia reasonably believes that it is required by law to disclose health or other information about you to a third party, it will do so. (See Glossary for definition of “required by law.”) For example, Dossia, just like any other entity that holds health information, might be required to disclose your health information if it were served with a subpoena related to litigation concerning an accident. Similarly, a doctor’s office might have to disclose your medical records if it were served with a subpoena in similar circumstances. If Dossia is required by law to disclose health information in your PCHR, Dossia will, unless prohibited by law, make reasonable efforts to send you advance notice of the mandatory disclosure or seek a court order to protect the information. If Dossia is prohibited by law from disclosing health information in your PCHR, Dossia will, unless prohibited by law, make reasonable efforts to send you advance notice of the prohibition.
In extraordinary circumstances, Dossia might disclose information in a PCHR if it reasonably believes the disclosure is needed in response to an imminent physical threat to you or others, to defend or assert legal rights, or in response to an immediate health risk authenticated by medical personnel.
Dossia was founded by a group of employers who want their employees to be able to have their own health information at their fingertips if they choose. The founders believe that better consumer access to health information will ultimately help contain health care costs, reduce medical errors, and improve individual health.
A core belief of the Dossia founders is that PCHRs should be private. Therefore, unless required by law or specifically authorized by you, Dossia will not disclose any information in your PCHR to your employer for any purpose.
Dossia may disclose aggregated, statistical data about PCHR usage in general to participating employers, but even this data will not include any health information about participants or tell employers which employees have opened Dossia accounts. For example, Dossia may tell a participating employer that 50% of its employees have chosen to create a PCHR, but Dossia will not inform the employer that, say, 10% of its employees have diabetes.
Unless required by law or specifically authorized by you, Dossia will not share any information in your PCHR with insurers or employer health plans.
If you share information in your PCHR with a third party, such as a health care provider, you should be aware that there is a possibility that the third party might share your information with an insurer or employer health plan. For example, a hospital might need to share health information with an insurer to seek pre-authorization for surgery. But Dossia itself will not share your health information with insurers or employer health plans unless required by law or specifically authorized by you.
If Dossia were to transfer assets or operations in connection with a merger, sale, bankruptcy, or other transaction, Dossia might transfer PCHR information to the acquiring or merging entity. In that event, Dossia would use good faith efforts to require that PCHRs remain subject to essentially the same restrictions as in the current Dossia Privacy Statement and Terms of Agreement. Furthermore, because of Dossia’s commitment to individual control over PCHRs, Dossia would make reasonable efforts to send you advance notice of such a transfer in order to give you an opportunity to close your PCHR before the transfer if you wish.
Dossia will employ technical and operational measures to maintain the integrity of the health information provided to it. You will control and access the contents of your PCHR, as described in this Privacy Statement, and Dossia will also permit you to view any contact or enrollment information it holds about you.
You are responsible for safeguarding your ID and password. Dossia’s privacy protections explained in this Privacy Statement may not apply if you allow someone else to control your PCHR by providing access to your ID and password.
Except as permitted by explicit, fully informed parental consent, this website does not knowingly collect personal information from any person under the age of 13.
Any updates to this Privacy Statement will be posted here. Most updates are anticipated to be editorial in nature or reflect ongoing enhancements to Dossia’s operations. If, however, Dossia makes changes to the Privacy Statement that would materially affect your protections or choices explained here, Dossia will, at least 30 days in advance, take the following steps:
This Privacy Statement applies to Dossia PCHRs created at the request of individual participants. Please be aware that this Privacy Statement does not apply to the following:
The effective date of this Privacy Statement is September 10, 2009.
Various terms used in the Privacy Statement are defined here.
“Health Information” means health or medical information about you, including claims information from your insurers, medical records from your health care providers, prescription drug records, and other records related to your health care or medical treatment. It also includes less formal health information you or others may create, such as a symptom diary. The term does not include other personally identifiable information about you, such as name, address, telephone number, e-mail address, or other non-health-related information you may have provided for Dossia enrollment or administration.
“Health care entities” means entities that may send health information electronically into Dossia accounts. They include (a) health care providers, such as physicians, dentists, pharmacies, laboratories, eye care providers, and hospitals, (b) information processors such as prescription processing companies, health information storage organizations, claims administrators, and pharmacy benefit managers, and (c) health insurance companies and employer health plans, including their claims administrators, pharmacy benefit managers, and other service providers.
“Required by law” means required directly by applicable law or required by subpoena, court order, or other legal process.
* In some cases, state laws may impose extra requirements regarding authorizing disclosure of specific types of medical records. These may include, depending on the state, records regarding mental health, substance abuse, HIV or other sexually transmitted diseases, cancer, or genetic information. If you were expecting such information to be sent to your PCHR and it has not appeared, you may have to contact your health care entities directly and sign an additional authorization form.