Privacy Policy
Who We Are and Scope of this Privacy Policy

We are AndorHealth, a company incorporated in Florida, United States. In this Privacy Policy we may be referred to as “AndorHealth,” “we,” “our,” or “us.” We are a developer of information technology products for the delivery of healthcare services and patient engagement.

This Privacy Policy is applicable to any Personal Information (“PI”) or Protected Health Information (“PHI”) that you may be provided to us or is collected via any online service, including the website (“Web site”) or mobile application, that posts a link to these Privacy Policy, as well as ‎any interactive features, widgets, plug-ins, applications, content, downloads and other services ‎that we may own and control and make available ‎‎(collectively, the “Services”), regardless of how you access or use them, whether via personal ‎computers, mobile devices or otherwise.‎. It also includes PI and PHI that we collect in our capacity as a business associate to a healthcare provider. The terms listed in this Privacy Policy generally apply to “ThinkAndor,” “AndorNow,” and the Web site. By using any of these Services or Web site, or voluntarily providing your PI or a patient’s PHI to us, you consent to our use and collection of this data as set in this Privacy Policy. If you do not agree, please do not provide us with any information and do not use our Services.

PI and PHI may reside in hard copy or electronic records; both forms of PI and PHI fall ‎within the scope of this Privacy Policy.

This Privacy Policy does not apply to PI collected by third-party services, applications, or websites that are linked to, or accessible from, the Web site. The PI or other information collected by third parties (such as Microsoft Teams), is subject to their own privacy policies and under no circumstances is AndorHealth responsible or liable for the third party’s compliance. AndorHealth is not liable for the third party’s adherence or compliance to this Privacy Policy. This includes any links to third-party websites. The Web site and application include functionalities provided by Microsoft Teams.

Please additionally review our Terms of Use and End User License Agreement. By accessing our Web site or using our Services, you consent to the collection, use and sharing of your data as described herein, and you agree to be bound by our Terms of Use and End User License Agreement. This Privacy Policy does not apply to third-party websites, products, or services, even if they link to our Web site or Service.

Purpose of this Policy

AndorHealth recognizes its need to maintain the confidentiality of PI and PHI. AndorHealth understands that such information is unique to each individual. The PI covered by this Privacy Policy may come from individuals using the Web site, performing tasks on behalf of AndorHealth and includes users, employees, applicants, independent contractors and any PI maintained on its customer database. The scope of this Privacy Policy is intended to be comprehensive and will include company requirements for the security and protection of such information throughout AndorHealth and its approved vendors both on and off work premises. Departments named in this Privacy Policy have delegated authority for developing and implementing procedural guidance for ensuring that their departmental responsibilities under this Privacy Policy are communicated and enforced. This Privacy Policy is also intended to assist AndorHealth in fulfilling its obligations under HIPAA as a business associate.

Data Collection and Use

In addition to any collection of PI on the Web site or Services, AndorHealth collects PHI and PI from its customers under the terms of service contracts and associated HIPAA business associate agreements (together, “Customer Agreements”). AndorHealth will not collect, use, maintain or disclose PHI or PI that is not required to provide services under the Customer Agreements and such data will be used only to provide the services called for under Customer Agreements, and AndorHealth will not use PHI in a manner that is not permitted by the HIPAA Business Associate Agreement with its Customer or applicable law. We do not sell PI or PHI to third parties.

In the event of a sale, merger, or similar transaction, PI or PHI may be transferred as part of that transaction. This Privacy Policy or a similar policy will apply to such data as transferred to the new entity.

To the fullest extent permitted by applicable law, we may also disclose PI and PHI if we ‎believe in good faith that doing so is necessary or appropriate to protect or defend the ‎rights, safety, or property of AndorHealth, or to comply with legal and regulatory ‎obligations, such as law enforcement inquiries, subpoenas, and court orders. To the ‎fullest extent permitted by applicable law, we have sole discretion in electing to make or ‎not make such disclosures.

Personal Information

Generally, PI includes the name, address, phone number of an individual combined with any one or more unique personal identification numbers or data, including:

  • Social Security Numbers (or their equivalent issued by governmental entities outside the United States).
  • Taxpayer Identification Numbers (or their equivalent issued by governmental revenue entities outside the United States).
  • Employer Identification Numbers (or their equivalent issued by government entities outside the United States).
  • State or foreign driver’s license numbers or other government issued identification numbers.
  • Date(s) of birth.
  • Corporate or individually held credit or debit transaction card numbers (including PIN or access numbers) maintained in organizational or approved vendor records.
  • Other financial account numbers, such as bank account numbers or insurance account numbers.
  • Personal e-mail addresses.
Protected Health Information

PHI is information that relates to the past, present, or future ‎physical or mental health or condition of an individual; the provision of health care to an ‎individual; or the past, present, or future payment for the provision of health care to an ‎individual; or the past, present or future payment for health care rendered or to be rendered to ‎the individual. Information can be PHI even if the name of the individual is not specified, so ‎long as it is associated with sufficient other information (such as an address or email address, among others) that could be used to identify the ‎individual.‎ PHI does not include health information we collect and retain in our capacity as an employer.

Under HIPAA, individuals have certain rights with respect to their PHI, such as the right to receive a copy of their PHI, amend their PHI, receive an accounting of uses or disclosures of PHI, and to have their PHI transferred to another organization or individual. In most instances, those rights will be administered and fulfilled by the hospital, medical group or other entity that provided us with the PHI, and our role will be limited to assisting that entity as set forth in our business associate agreement with that entity.

Usage Data

We may also collect “Usage Data” that is created through your use of our Web site or Service. This may include non-personally identifiable information about the browser and computer you use to access the Web site or Service, as well as log data and data input by registered users of the Service in the course of their use of the Service.

The data that we collect from you depends on your relationship with us. Sometimes we ask you for data directly, such as when you create an account on the Service. Other times we collect data by recording interactions with our Sites and Service by, for example using technologies such as cookies and JavaScript. The collection and processing of data from these sources is essential to our ability to provide our Web site and Service and to keep the Web site and Service secure.

Do Not Track

As there is presently no industry standard for recognizing Do Not Track browser signals, we do not take any action with regards to potential Do Not Track signals.

Data collected as a visitor to our Sites

When you visit our Web site or use our Service, we collect Usage Data to improve our Web site and Service. We do not collect PI unless you provide us this data for a specific purpose.

Personal Information. Our Web sites include various contact and request forms, which visitors may complete in order to be contacted about specific products or services offered. When you provide your PI by completing one of these forms, we will always disclose for what purpose the data will be used, for example to schedule a product demonstration, and ask for your consent to collect and process this data.

Usage Data. We also collect non-personally identifiable data, including page load times, the URL that referred you to our Web site or Service, browser and operating system vendor and version, screen resolution, and approximate IP address as part of our legitimate interest to ensure the security of our systems, identify usage trends, and improve the Web site and Service.

Data collected as a registered user of the Service

If you create an account with AndorHealth, we require that you provide us with certain PI.

Whether you create your AndorHealth account yourself or through your institution, we will collect Usage Data when you access the Service as a registered user.

Personal Information. When you create an account, we require that you, or another organization, you will provide us with your first and last name and email address, to secure and maintain your account and provide you with a mechanism for authenticating with the Service. We also use this data, along with other identifying information to provide you with customer support when you request it.

If you choose to contact our customer support you will be asked to provide your name and phone number or email address in order to confirm your identify and allow our support agents to view your account data to provide support.

Usage Data. When you login to your account we record the IP address from which you accessed the Service. When you perform actions within the Service, we capture log data, including the URL accessed and the IP address it was accessed from. We use this data to audit and maintain the security of your data and account.

We also collect non-personally identifiable data, including page load times, the URL that referred you to the Web site or Service, browser and operating system vendor and version, processor vendor and version, video card vendor and version, available memory, screen resolution, and device identifiers as part of our legitimate interest to ensure the security of our systems, identify usage trends, and improve the Service.

Where we store and transfer your personal data

AndorHealth's business operations are based in the United States but certain data also may be processed outside the United States. Data we collect, including Personal Data, may be stored and processed in any country in which we have operations or in which we engage third-party processors.


Individual(s) or companies that have been approved by the Contracts Department as a recipient of organizational PI and from which the Contracts Department has received certification of their data protection practices conformance with the requirements of this policy. Vendors include all external providers of services to AndorHealth and include proposed vendors. No PI information can be transmitted to any vendor in any method unless the vendor has been pre-certified for the receipt of such information. Subcontract business associates will be required to enter into appropriate business associate agreements before receiving PHI.

Data Retention and Destruction

PHI and PI will be retained for the longer of the period required to provide ‎services under Customer Agreements as required for internal business operations, and such longer period as may be mandated by ‎applicable law or as needed to fulfill our legal responsibilities. When no longer needed, ‎electronic and paper data will be deleted or destroyed in accordance with NIST Standards for ‎secure data destruction.‎ If data elements comprising PI or PHI cannot be deleted, those data elements we will continue to protect that data in accordance with our privacy and information security program.

A joint task force comprising members of the Legal, Finance, IT, Contracts and Human Resources departments maintains organizational record retention procedures, which dictate the length of data retention and data destruction methods for both hard copy and electronic records. The retention and destruction of PHI will be carried out as set forth in our business associate agreements.

PI Training: All new hires entering AndorHealth who may have access to PI are provided with introductory training regarding the provisions of this policy, a copy of this policy and implementing procedures for the department to which they are assigned. Employees in positions with regular ongoing access to PI or those transferred into such positions are provided with training reinforcing this policy and procedures for the maintenance of PI data and shall receive annual training regarding the security and protection of PI data and company proprietary data.

PI Audit(s): AndorHealth conducts audits of PI information maintained by AndorHealth in conjunction with fiscal year closing activities to ensure that this policy remains strictly enforced and to ascertain the necessity for the continued retention of PI information. Where the need no longer exists, PI information will be destroyed in accordance with protocols for destruction of such records and logs maintained for the dates of destruction. The audits are conducted by Finance, IT, Contracts and Human Resources departments under the auspices of the Legal department.

Data Breaches/Notification

Databases or data sets that include PI or PHI may be breached inadvertently or through wrongful intrusion.

Upon becoming aware of a data breach of PI, AndorHealth will notify all affected individuals whose PI data may have been compromised in accordance with law, and the notice will be accompanied by a description of action being taken to remediate the data breach. Notices will be provided as expeditiously as possible and in no event be later than the commencement of the payroll period after which the breach was discovered.

The Legal department will handle breach notifications(s) to all governmental agencies to whom such notice must be provided in accordance with time frames specified under these laws. Notices to affected individuals will be communicated by Human Resources after consultation with the Legal department and within the time frame specified under the appropriate law(s).

Notification of breaches involving PHI will be handled as required under the applicable ‎business associate agreement and HIPAA.

Data Access Controls

AndorHealth maintains multiple IT systems where PI or PHI may reside. User access controls relating to such IT systems are the responsibility of the IT department. The IT department has created internal controls for such systems to establish legitimate access for users of data, and access shall be limited to those approved by IT. Any change in vendor status or the termination of an employee or independent contractor with access will immediately result in the termination of the user’s access to all systems where the PI may reside.

Data Transmission and Transportation
  1. Company Premises Access to PI: The Finance, Human Resources and IT departments have defined responsibilities for on-site access of data that may include access to PI; IT has the oversight responsibility for all electronic records and data access capabilities. Finance and Human Resources have the operational responsibility for designating initial access and termination of access for individual users within their organizations and providing timely notice to IT.
  2. Vendors: AndorHealth may share data with vendors who have a business need to have PI data. Where such inter-company sharing of data is required, the IT department is responsible for creating and maintaining data encryption and protection standards to safeguard all PI data that resides in the databases provided to vendors. Approved vendor lists will be maintained by the Contracts department, and Contracts has responsibility to notify IT of any changes to vendor status with AndorHealth.
  3. Portable Storage Devices: AndorHealth reserves the right to restrict PI data it maintains in the workplace. In the course of doing business, PI data may also be downloaded to laptops or other computing storage devices to facilitate company business. To protect such data, AndorHealth will also require that any such devices use IT department-approved encryption and security protection software while such devices are in use on or off company premises. The IT department has responsibility for maintaining data encryption and data protection standards to safeguard PI data that resides on these portable storage devices.
  4. Off-Site Access to PI: AndorHealth understands that employees may need to access PI while off site or on business travel, and access to such data shall not be prohibited, subject to the provision that the data to be accessed is minimized to the degree possible to meet business needs and that such data shall reside only on assigned laptops/approved storage devices that have been secured in advance by the IT department.
Information Security Generally

AndorHealth, as a business associate, will use reasonable and appropriate administrative, ‎physical and technical safeguards to protect the confidentiality, integrity and availability of PHI ‎and PI. The administrative safeguards will include, among other things, a periodic risk analysis, privacy ‎policies, security policies, personnel policies, and appropriate subcontractor agreements. ‎Physical safeguards will include the use of secure data centers, means to secure unencrypted ‎devices from loss or theft, and damage. Technical safeguards will include encryption ‎of data at rest and in motion, firewalls, network activity monitoring, and penetration testing. In any event, all safeguards required by the HIPAA Information Security Rule and other ‎applicable law will be implemented, and the use of addressable safeguards will periodically be ‎evaluated.

Regulatory Requirements

It is the policy of AndorHealth to comply with any international, federal or state statute and reporting regulations. AndorHealth has assigned the responsibility for maintaining the security of PI and PHI provisions to the departments noted in this policy. AndorHealth’s Legal department shall be the sole entity named to oversee all regulatory reporting compliance issues. If any provision of this policy conflicts with a statutory requirement of international, federal or state law governing PI or PHI, the policy provision(s) that conflict shall be superseded. All inquiries can be directed to [email protected].

Confirmation of Confidentiality

All company employees must maintain the confidentiality of PI and PHI as well as company proprietary data to which they may have access and understand that that such PI is to be restricted to only those with a business need to know. Employees with ongoing access to such data will sign acknowledgement reminders annually attesting to their understanding of this company requirement.

Violations of PI Policies and Procedures

AndorHealth views the protection of PI and PHI to be of the utmost importance. Infractions of this policy or its procedures will result in disciplinary actions under AndorHealth’s discipline policy and may include suspension or termination in the case of severe or repeat violations. PI violations and disciplinary actions are incorporated in AndorHealth’s PI onboarding and refresher training to enforce AndorHealth’s continuing commitment to ensuring that this data is protected by the highest standards.

Employee Hotline

If an employee has reason to believe that his or her PI (please refer to what constitutes PI) or ‎PHI data security has been breached or that company representative(s) are not adhering to ‎the provisions of this policy, an employee should contact an HR representative at the ‎employee’s location. HR contact information: [email protected].

Contact Information

Other questions about this policy should be addressed to: [email protected].

Inquiries from individual consumers, such as our customers’ patients or Web site or Services users, should be directed to [email protected] and will be referred to the appropriate contact person at the customer’s organization.

Updates to this Privacy Policy

We may revise this Privacy Policy from time to time. The most current version of the ‎policy will govern our processing of your PI and PHI and will always be available ‎at Andor Personal Identity Information (PII) Security Notification and Confidentiality Policy.pdf

When we revise the Privacy Policy, any changes will be effective immediately upon the ‎posting of the revised Privacy Policy. Registered users of the Service may be prompted ‎to consent to the updated version when accessing their AndorHealth account for the first ‎time after a policy change. By continuing to access or use our Sites or Service after ‎those changes become effective, users agree to be bound by the revised Privacy Policy.

Effective Date: February 6th, 2020