In addition to any collection of PI on the Web site or Services, AndorHealth collects PHI and PI from its customers under the terms of service contracts and associated HIPAA business associate agreements (together, “Customer Agreements”). AndorHealth will not collect, use, maintain or disclose PHI or PI that is not required to provide services under the Customer Agreements and such data will be used only to provide the services called for under Customer Agreements, and AndorHealth will not use PHI in a manner that is not permitted by the HIPAA Business Associate Agreement with its Customer or applicable law. We do not sell PI or PHI to third parties.
To the fullest extent permitted by applicable law, we may also disclose PI and PHI if we believe in good faith that doing so is necessary or appropriate to protect or defend the rights, safety, or property of AndorHealth, or to comply with legal and regulatory obligations, such as law enforcement inquiries, subpoenas, and court orders. To the fullest extent permitted by applicable law, we have sole discretion in electing to make or not make such disclosures.
Generally, PI includes the name, address, phone number of an individual combined with any one or more unique personal identification numbers or data, including:
PHI is information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; or the past, present or future payment for health care rendered or to be rendered to the individual. Information can be PHI even if the name of the individual is not specified, so long as it is associated with sufficient other information (such as an address or email address, among others) that could be used to identify the individual. PHI does not include health information we collect and retain in our capacity as an employer.
Under HIPAA, individuals have certain rights with respect to their PHI, such as the right to receive a copy of their PHI, amend their PHI, receive an accounting of uses or disclosures of PHI, and to have their PHI transferred to another organization or individual. In most instances, those rights will be administered and fulfilled by the hospital, medical group or other entity that provided us with the PHI, and our role will be limited to assisting that entity as set forth in our business associate agreement with that entity.
We may also collect “Usage Data” that is created through your use of our Web site or Service. This may include non-personally identifiable information about the browser and computer you use to access the Web site or Service, as well as log data and data input by registered users of the Service in the course of their use of the Service.
As there is presently no industry standard for recognizing Do Not Track browser signals, we do not take any action with regards to potential Do Not Track signals.
When you visit our Web site or use our Service, we collect Usage Data to improve our Web site and Service. We do not collect PI unless you provide us this data for a specific purpose.
Personal Information. Our Web sites include various contact and request forms, which visitors may complete in order to be contacted about specific products or services offered. When you provide your PI by completing one of these forms, we will always disclose for what purpose the data will be used, for example to schedule a product demonstration, and ask for your consent to collect and process this data.
Usage Data. We also collect non-personally identifiable data, including page load times, the URL that referred you to our Web site or Service, browser and operating system vendor and version, screen resolution, and approximate IP address as part of our legitimate interest to ensure the security of our systems, identify usage trends, and improve the Web site and Service.
If you create an account with AndorHealth, we require that you provide us with certain PI.
Whether you create your AndorHealth account yourself or through your institution, we will collect Usage Data when you access the Service as a registered user.
Personal Information. When you create an account, we require that you, or another organization, provide us with your first and last name and email address, to secure and maintain your account and provide you with a mechanism for authenticating with the Service. We also use this data, along with other identifying information, to provide you with customer support when you request it.
If you choose to contact our customer support you will be asked to provide your name and phone number or email address in order to confirm your identity and allow our support agents to view your account data to provide support.
Usage Data. When you login to your account we record the IP address from which you accessed the Service. When you perform actions within the Service, we capture log data, including the URL accessed and the IP address it was accessed from. We use this data to audit and maintain the security of your data and account.
We also collect non-personally identifiable data, including page load times, the URL that referred you to the Web site or Service, browser and operating system vendor and version, processor vendor and version, video card vendor and version, available memory, screen resolution, and device identifiers as part of our legitimate interest to ensure the security of our systems, identify usage trends, and improve the Service.
AndorHealth's business operations are based in the United States but certain data also may be processed outside the United States. Data we collect, including Personal Data, may be stored and processed in any country in which we have operations or in which we engage third-party processors.
Individual(s) or companies that have been approved by the Contracts Department as a recipient of organizational PI and from which the Contracts Department has received certification that their data protection practices conform with the requirements of this policy. Vendors include all external providers of services to AndorHealth and include proposed vendors. No PI information can be transmitted to any vendor by any method unless the vendor has been pre-certified for the receipt of such information. Subcontract business associates will be required to enter into appropriate business associate agreements before receiving PHI.
PHI and PI will be retained for the longer of the period required to provide services under Customer Agreements and as required for internal business operations, and such longer period as may be mandated by applicable law or as needed to fulfill our legal responsibilities. When no longer needed, electronic and paper data will be deleted or destroyed in accordance with NIST Standards for secure data destruction. If data elements comprising PI or PHI cannot be deleted, we will continue to protect those data elements in accordance with our privacy and information security program.
A joint task force comprising members of the Legal, Finance, IT, Contracts and Human Resources departments maintains organizational record retention procedures, which dictate the length of data retention and data destruction methods for both hard copy and electronic records. The retention and destruction of PHI will be carried out as set forth in our business associate agreements.
PI Training: All new hires entering AndorHealth who may have access to PI are provided with introductory training regarding the provisions of this policy, a copy of this policy and implementing procedures for the department to which they are assigned. Employees in positions with regular ongoing access to PI or those transferred into such positions are provided with training reinforcing this policy and procedures for the maintenance of PI data and shall receive annual training regarding the security and protection of PI data and company proprietary data.
PI Audit(s): AndorHealth conducts audits of PI information maintained by AndorHealth in conjunction with fiscal year closing activities to ensure that this policy remains strictly enforced and to ascertain the necessity for the continued retention of PI information. Where the need no longer exists, PI information will be destroyed in accordance with protocols for destruction of such records and logs maintained for the dates of destruction. The audits are conducted by Finance, IT, Contracts and Human Resources departments under the auspices of the Legal department.
Databases or data sets that include PI or PHI may be breached inadvertently or through wrongful intrusion.
Upon becoming aware of a data breach of PI, AndorHealth will notify all affected individuals whose PI data may have been compromised in accordance with law, and the notice will be accompanied by a description of the action being taken to remediate the data breach. Notices will be provided as expeditiously as possible and in no event later than the commencement of the payroll period after which the breach was discovered.
The Legal department will handle breach notification(s) to all governmental agencies to whom such notice must be provided in accordance with the time frames specified under these laws. Notices to affected individuals will be communicated by Human Resources after consultation with the Legal department and within the time frame specified under the appropriate law(s).
Notification of breaches involving PHI will be handled as required under the applicable business associate agreement and HIPAA.
AndorHealth maintains multiple IT systems where PI or PHI may reside. User access controls relating to such IT systems are the responsibility of the IT department. The IT department has created internal controls for such systems to establish legitimate access for users of data, and access shall be limited to those approved by IT. Any change in vendor status or the termination of an employee or independent contractor with access will immediately result in the termination of the user’s access to all systems where the PI may reside.
AndorHealth, as a business associate, will use reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of PHI and PI. The administrative safeguards will include, among other things, a periodic risk analysis, privacy policies, security policies, personnel policies, and appropriate subcontractor agreements. Physical safeguards will include the use of secure data centers and means to secure unencrypted devices from loss, theft, and damage. Technical safeguards will include encryption of data at rest and in motion, firewalls, network activity monitoring, and penetration testing. In any event, all safeguards required by the HIPAA Information Security Rule and other applicable law will be implemented, and the use of addressable safeguards will periodically be evaluated.
It is the policy of AndorHealth to comply with any international, federal or state statute and reporting regulations. AndorHealth has assigned the responsibility for maintaining the security of PI and PHI provisions to the departments noted in this policy. AndorHealth’s Legal department shall be the sole entity named to oversee all regulatory reporting compliance issues. If any provision of this policy conflicts with a statutory requirement of international, federal or state law governing PI or PHI, the policy provision(s) that conflict shall be superseded. All inquiries can be directed to [email protected].
All company employees must maintain the confidentiality of PI and PHI as well as company proprietary data to which they may have access and understand that such PI is to be restricted to only those with a business need to know. Employees with ongoing access to such data will sign acknowledgement reminders annually attesting to their understanding of this company requirement.
AndorHealth views the protection of PI and PHI to be of the utmost importance. Infractions of this policy or its procedures will result in disciplinary actions under AndorHealth’s discipline policy and may include suspension or termination in the case of severe or repeat violations. PI violations and disciplinary actions are incorporated in AndorHealth’s PI onboarding and refresher training to enforce AndorHealth’s continuing commitment to ensuring that this data is protected by the highest standards.
If an employee has reason to believe that his or her PI (please refer to what constitutes PI) or PHI data security has been breached or that company representative(s) are not adhering to the provisions of this policy, an employee should contact an HR representative at the employee’s location. HR contact information: [email protected].
Other questions about this policy should be addressed to: [email protected].
Inquiries from individual consumers, such as our customers’ patients or Web site or Services users, should be directed to [email protected] and will be referred to the appropriate contact person at the customer’s organization.