Dossia Privacy Statement
Dossia's Personal Health Management System
THIS NOTICE DESCRIBES DOSSIA'S PRIVACY POLICIES.
Dossia believes that:
- Individuals should have quick and easy access to health and medical information about themselves and their families,
- Individuals should have the tools and information necessary to manage their own health and medical care, and
- Everyone's health and medical information should be private and secure.
What does this mean for you?
- If you create a Dossia Personal Health Management System (PHMS), you can use it to securely store copies of your personal health information.
- As a Dossia participant, you maintain control over the information in your PHMS.
- As a Dossia participant you will have access to a wide variety of tools to manage your health and medical care. Your health plan or health care provider and Dossia will offer many of these tools to you through subcontractors and, oftentimes, at no cost to you.
What does this mean for us?
- Dossia understands that you have a legal right to have your health and medical information keep private and secure.
- Dossia will not disclose information about you to employers, researchers, marketers or other third parties without your explicit permission, except for several very narrow exceptions - for example, if a court requires Dossia to disclose information about you.
Dossia's Obligations to You
- We are required to seek your consent before disclosing any information about you (except if we are required by law to do so, or other limited situations described in this Privacy Statement).
- We are required to provide you with a copy of our Privacy Statement, Terms of Agreement, our legal duties to you, and the practices we use to keep your information private and secure (collectively, "privacy policies.").
- We are required to keep your information private and secure.
- We are required to notify you of any change in our privacy policies prior to making these changes. We will seek your consent before applying any material changes in our privacy policies as they affect you.
- We are required to describe the reason we are seeking your consent to disclose information about you.
- We are required to disclose only the information necessary for the purposes described.
- You have the right to request restrictions on certain uses and disclosures of your information. Dossia will comply with your request to restrict the use and disclosure of your information, unless required by law to limit or negate your request.
- You have the right to receive private communications about your information.
- You have the right to inspect and copy any information Dossia has about you.
- You have the right to amend health information others add to your Dossia PHMS.
- You have the right to receive an accounting of any disclosures of your information.
- You have the right to obtain a paper copy of this notice.
Right to Change our Privacy Policies and Terms of Agreement
Dossia reserves the right to change its Terms of Agreement at any time. We will notify you 30 days prior to any change unless immediate changes are necessary to protect your information. We will seek your consent before applying any material changes to you. If you do not consent to these changes, in some cases it is possible that the features and tools offered by Dossia may be unavailable to you.
Security of Your PHMS
- Dossia understands that your PHMS contains sensitive and personal information and that safeguarding it properly is essential.
- Dossia uses administrative, physical, and technical safeguards to protect your personal information from unauthorized access, use, and disclosure.
- Our use of subcontractors does not diminish your right to have your information held private and secure. Dossia is both a subcontractor to health plans and providers and uses subcontractors. These subcontractors must comply with the same privacy requirements as Dossia.
See below for the complete Dossia PHMS Privacy Statement.
Dossia's Personal Health Management System (PHMS)
Dossia collects and stores personal information about you, including the health information you enter, or authorize others to enter, into your PHMS. Dossia protects the privacy and security of this information as described in this Privacy Statement. Dossia will use this information to provide you with the tools you need to manage your health and medical care. Except for the narrow exceptions explained in this Privacy Statement, Dossia will not disclose information in your PHMS to third parties without your explicit permission.
A. Information Collected and Used by Dossia
1. Information in Your PHMS
You can enter your own health information, such as a symptom diary or immunization records, directly into your PHMS. You can also authorize your health care entities to send your health information directly to you or to your PHMS.
Additionally, with your consent, certain health-related websites may send health information directly to your PHMS. (See Glossary for definitions of "health care entities," "health information," and other relevant terms used in this Privacy Statement.)
2. Information Dossia Collects and Uses to Create and Maintain Your PHMS
Dossia collects and uses some Protected Health Information about you for enrollment, ongoing account and system administration, communications with you about your account, and internal operations. Dossia may also collect and store web usage information, including IP addresses and related information, needed to create and maintain a data connection between your computer and Dossia servers. Dossia uses this web usage information, which may be logged, to enhance system security and to aid system improvement.
Dossia may collect aggregate, statistical information about you and other individuals who have created a Dossia PHMS in order to help your health plan, providers or Personal Health Applications you use improve the quality of services they offer to you.
B. Your Choices
When you create a PHMS, your choices include the following.
1. Importing Information
- You can choose to directly enter your own health information, authorize your health care entities (e.g., health plans and health care providers) to submit your information electronically, or import information from certain websites.
- If your PHMS is provided by your health plan or health care provider, and if you choose to authorize your health care entities to submit your information electronically, you will be asked to submit a HIPAA Authorization form to Dossia. This form will authorize all of your present and future health care entities to submit your information directly to your PHMS. If your PHMS is not provided by your health plan or provider, and if you choose to authorize your health care entities to submit your information electronically to your PHMS, you will be asked to submit a HIPAA Authorization form to Dossia for each health care entity.
- You may contact your provider, outside of Dossia, to request withholding certain types of information you do not want sent to or stored in your PHMS. Such decisions should be taken in consultation with your health care provider.
- In addition, a health care provider may decide not to send (or may be prohibited by law from sending) certain types of information to your PHMS. Dossia disclaims any responsibility for the failure of your health care provider to comply with a request under this section.
- Any entity you authorize to send information to Dossia will continue to send information about you to your PHMS, unless you revoke the authorization. (See HIPAA Authorization for details about how to revoke authorizations.)
- Dossia may not be able to include information from some health care entities in your PHMS if the entity does not send the information in a standard electronic format.
- You can choose to print out your PHMS or save it to your computer or portable storage media. Given the sensitivity of this information, if you do so, Dossia suggests that you save it in an encrypted form.
- You can choose, for any reason, to add an annotation to any item in your record. Your annotation will be dated and will identify you as the author of the comment.
2. Sharing and Disclosing Information
You control whether or not to share or disclose any information in your PHMS. Certain exceptions to this general rule, such as a court order requiring disclosure, as well as disclosures to subcontractors, are described in section (E).
- You can choose to share your information with a family member, friend, or caregiver.
- You can choose to share your information with a health care provider.
- In many cases, you may also choose the type of information access you want each recipient to have.
- You can choose to use a Personal Health Application offered by Dossia as a subcontractor.
- You can choose to send your information to other Personal Health Applications offered by your health plan or provider but not as a subcontractor. Dossia will only send your information to this type of Personal Health Application if you give your consent.
- You can choose to send your information to a website outside of Dossia, such as a website related to a particular disease and not associated with Dossia, or a health care entity working with Dossia. However, Dossia will not send your information to a website outside of Dossia. Dossia can not assure that any information you send to a website outside of Dossia will be private or secure. Dossia does not assume any liability for the disclosure and use of information provided to websites and others outside of Dossia.
- You can choose whether you want your health information included in medical research projects, consumer health surveys, or public health data-gathering.
- You can choose to disclose your health information for marketing purposes.
Before granting any third party (for example, a family member or a website outside of Dossia) access to your health information, you should know that:
- Dossia's Privacy Statement may not apply to the third party's uses or disclosures of your information.
- Before sending any information to any third party, you should recognize that information about you may no longer be protected, kept private or be secure.
3. Closing Your Account
If you choose to close your account, Dossia will permanently destroy its copies of your health information according to its data destruction security procedures. Prior to destroying your information, Dossia will offer you the opportunity to retrieve or transfer your information. If you are no longer eligible to participate in Dossia through your health plan or provider (for example, due to loss of employment), Dossia will offer you the opportunity to maintain your account on an individual basis or to close your account and retrieve or transfer your information.
4. Changing Your Choices
Except for closing your account, which is permanent, you can change any of the above choices as often as you like.
5. Accounts for Minor Dependents
Subject to applicable law, parents and guardians may establish accounts for minor dependents (those under the age of 18). Both a parent/guardian AND a dependent minor age 12 or older must agree to the conditions under which the contents of the dependent minor's account are shared with the parent/guardian. Unless both the parent/guardian and the dependent minor age 12 or older explicitly and specifically consent, Dossia will not permit health care entities to send information to the dependent minor's PHMS. In this instance, only the dependent minor may enter information to the Dossia PHMS. Parents/guardians have full access to the accounts of minor dependents age 11 and younger.
C. Dossia and Marketing
If your PHMS is provided by your health plan or health care provider, then Dossia, acting on behalf of your health plan or provider, may ask for your consent to make certain Personal Health Applications and other products and services available to you. If your PHMS is provided by Dossia, Dossia may ask directly for your consent to make these Personal Health Applications and other products and services available to you.
In some instances, Federal law describes this activity as "marketing", and requires that you give your consent and explicit authorization before Dossia conducts these activities. It is important to understand that your consent is purely voluntary, and your decision about whether to give your consent for marketing will not affect your ability to use your PHMS.
Unless you explicitly and specifically consent:
- Dossia will not e-mail or mail marketing communications to you.
- Dossia will not call you for marketing purposes.
- Dossia will not disclose your health information or contact information to third parties for marketing purposes.
- Dossia will not authorize any portion of your health information to be accessed (or "mined") for marketing purposes.
D. Security of Your PHMS
Dossia understands that your PHMS contains sensitive information and that safeguarding your PHMS properly is essential. Dossia uses administrative, physical, and technical security technologies and internal controls, including encryption of health information, to protect your information from unauthorized access, use, and disclosure. In addition to these controls, Dossia subjects itself to review and testing by independent information security experts. Despite Dossia's precautions, there is always some risk that unauthorized, wrongful, or illegal access to your information could occur or that transmissions of your information over the Internet could be intercepted.
To protect the security of your health information, Dossia does not authorize access to health information by Dossia technical system administrators (or anyone else at Dossia) on a regular or routine basis. Even where technical problems occur, Dossia anticipates that most technical problems will be resolved without any need for such access. Dossia's access to your health information in such cases is limited to these technical issues and other system, administrative, or security issues. In the unusual case where internal access to identifiable health information is required to resolve a problem, Dossia requires adherence to strict internal access controls.
In the event that Dossia discovers a breach of unsecured health information, Dossia will take immediate action and notify the appropriate parties without delay. If your PHMS is provided by your health plan or provider, Dossia will immediately notify your health plan or provider of the breach, in accordance with Federal law. You will receive more information about the breach directly from your health plan or provider. If PHMS is not provided by your health plan or provider, Dossia will notify you of the breach directly, again, in accordance with Federal law.
E. Disclosures of Your PHMS
Dossia may need to make certain disclosures to third parties, which are explained here.
1. Disclosures to Third Parties Involved in Dossia Operations
Dossia may use outside entities such as vendors, hosting websites, and information security experts to assist Dossia in its operations. Companies engaged by Dossia are permitted to access only the information necessary to perform their services. They are contractually required to abide by relevant provisions in this Privacy Statement and are prohibited from using any information acquired through Dossia for any other purpose.
ii. Personal Health Applications - Subcontractors
Your health plan or provider and Dossia may share your information with subcontractors that provide Personal Health Applications and other services designed to help you manage your health and medical services. Dossia subcontractors must comply with this Privacy Statement and are required to protect your information in a manner at least as restrictive as Dossia. Neither Dossia, nor your health plan or provider, will receive any remuneration from these Personal Health Applications.
iii. Personal Health Applications - Not Subcontractors
If your PHMS is provided by your health plan or provider, your health plan or provider has chosen to work through Dossia to provide you with a number of additional tools to manage your health and medical care. If your PHMS is provided outside your health plan or provider, Dossia has chosen to provide you with these tools directly. It is your choice whether or not to use these tools. Dossia will not provide any information about you to these Personal Health Applications unless you choose to use these tools. If you do choose to use these tools, Dossia will only provide the minimum information necessary for these Personal Health Applications to function.
2. Disclosures Required by Law
Although Dossia is structured to give you control over your PHMS, Dossia must also comply with applicable Federal and state laws. If Dossia reasonably believes that it is required by law to disclose health or other information about you to a third party, it will do so. (See Glossary for definition of "required by law.") If Dossia is required by law to disclose health information in your PHMS, Dossia will, unless prohibited by law, make reasonable efforts to send you advance notice of the mandatory disclosure or seek a court order to protect the information.
In extraordinary circumstances, Dossia might disclose information about you to the proper authorities, if Dossia reasonably believes the disclosure is needed in response to an imminent physical threat to you or others, to defend or assert legal rights, or in response to an immediate health risk authenticated by medical personnel.
3. Will Dossia Disclose Information to Employers?
Dossia believes that better consumer access to health information will help reduce health care costs, reduce medical errors, and help you better manage your own health and medical care.
A core belief of the Dossia founders is that your PHMS should be private. Therefore, unless required by law or specifically authorized by you, Dossia will not disclose any information in your PHMS to your employer for any purpose.
Dossia may disclose to employers the aggregate number of employees and beneficiaries using Dossia and some of the tools offered through Dossia. Aggregate data will not include any health information about individual participants.
4. Will Dossia Disclose Information to Your Health Plan or Provider?
If your Dossia PHMS is provided by your health plan or health care provider, Dossia may only provide your health plan or provider information about you that Dossia received from your health plan or provider. In other words, Dossia will not provide your health plan or provider any information about you that you or a third party (other than your health plan or provider) added to your PHMS. However, you can choose to share additional information with your health plan or provider.
If your Dossia PHMS is not provided by your health plan or health care provider, Dossia will not disclose any information about you to your health plan or provider, unless you give your explicit consent.
5. Sharing Information with Others
If you choose to share information in your PHMS with a third party, such as a health care provider, you should be aware that there is a possibility that the third party might share your information with an insurer or employer health plan. For example, a hospital might need to share health information with an insurer to seek pre-authorization for surgery.
6. Continuity of Operations
If Dossia were to transfer assets or operations in connection with a merger, sale, bankruptcy, or other transaction, Dossia might transfer PHMS information to the acquiring or merging entity. In that event, Dossia would use good faith efforts to require that your PHMS remain subject to essentially the same restrictions as in the current Dossia Privacy Statement and Terms of Agreement. Furthermore, because of Dossia's commitment to individual control over your PHMS, Dossia would make reasonable efforts to send you advance notice of such a transfer in order to give you an opportunity to close your PHMS before the transfer if you wish.
F. Information Integrity and Individual Access
Dossia will employ administrative, physical and technical safeguards to maintain the integrity of the health information provided to it. You will control and access the contents of your PHMS, as described in this Privacy Statement, and Dossia will also permit you to view any contact or enrollment information it holds about you.
You are responsible for safeguarding your ID and password. Dossia's privacy protections explained in this Privacy Statement may not apply if you allow someone else to control your PHMS by providing access to your ID and password.
Except as permitted by explicit, fully informed parental consent, this website does not knowingly collect personal information from any person under the age of 13.
I. Updates to this Privacy Statement
Any updates to this Privacy Statement will be posted here. Most updates are anticipated to be editorial in nature or reflect ongoing enhancements to Dossia's operations. If, however, Dossia makes changes to the Privacy Statement that would materially affect your protections or choices explained here, Dossia will, at least 30 days in advance, take the following steps:
- Post a notice about the change on the home page of your PHMS,
- Send an e-mail about the change to your e-mail address in our records, and
- Post the new Privacy Statement here.
We will seek your consent before applying any material changes to this Privacy Statement to you. If you do not consent to these changes, in some cases it is possible that the features and tools offered by Dossia may be unavailable to you.
J. Scope of this Privacy Statement
This Privacy Statement applies to a Dossia PHMS created at the request of individual participants. Please be aware that this Privacy Statement does not apply to the following:
- Medical care providers or payers who may hold health information about you,
- Websites or other sources from which you imported medical information into your PHMS, and
- Websites or other people or entities to which you exported or otherwise disclosed your health information from your PHMS.
K. Termination of Your PHMS
Dossia reserves the right to decide, at its discretion, to no longer offer you a PHMS. If Dossia decides to terminate your PHMS, Dossia will permanently destroy its copies of your health information according to its data destruction security procedures. Prior to destroying your information, Dossia will offer you the opportunity to retrieve or transfer your information.
L. Effective Date of this Privacy Statement
The effective date of this Privacy Statement is September 15, 2011.
M. How to contact us
, and we will attempt to resolve your concerns.
Various terms used in the Privacy Statement are defined here.
"Health Information" means health or medical information about you, including claims information from your insurers, medical records from your health care providers, prescription drug records, and other records related to your health care or medical treatment. It also includes less formal health information you or others may create, such as a symptom diary. The term does not include other personally identifiable information about you, such as name, address, telephone number, e-mail address, or other non-health-related information you may have provided for Dossia enrollment or administration.
"Health care entities" means entities that may send health information electronically into Dossia accounts or to you. They include (a) health care providers, such as physicians, dentists, pharmacies, laboratories, eye care providers, and hospitals, (b) information processors such as prescription processing companies, health information storage organizations, claims administrators, and pharmacy benefit managers, and (c) health insurance companies and employer health plans, including their claims administrators, pharmacy benefit managers, and other service providers.
"Required by law" means required directly by applicable law or required by subpoena, court order, or other legal process.
"Dossia" or "we" means the Dossia Service Corporation, a corporation incorporated in Oregon.
"You" means an individual participant who creates a Dossia account or otherwise accesses a Dossia website.
"This website" means the Dossia website, including dossia.org and any Dossia website on which Dossia offers its Personal Health Management System (PHMS) and a Personal Health Record.
"Personal Health Management System" or "PHMS" means an account you create on the Dossia website to which you can send, or authorize others to send, your health information. Your PHMS will include a Personal Health Record and various tools to help you manage your health and medical care. Some of these tools will be part of the Dossia website. In some instances, Dossia will offer participants a link to website outside of the Dossia website.
"Personal Health Record" means an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. The term "Personal Health Record" shall have the same meaning as the term is defined in section 13400 of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5).
"Protected Health Information" means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium, with certain exceptions. The term "Protected Health Information" shall have the same meaning as the term is defined in Title 45, part 160.103 of the Code of Federal Regulations.
"Personal Health Application" means a website or software that uses health information about an individual to help diagnosis, manage, treat, or provide general or specific information about disease, injury, or conditions to improve an individual's general health status.
1. ^ In some cases, state laws may impose extra requirements regarding authorizing disclosure of specific types of medical records. These may include, depending on the state, records regarding mental health, substance abuse, HIV or other sexually transmitted diseases, cancer, or genetic information. If you were expecting such information to be sent to your PHMS and it has not appeared, you may have to contact your health care entities directly and sign an additional authorization form.