Mednition, Inc. (referred to as “Mednition,” “we,” “us,” or “our”) offers its customers subscriptions to use our KATE cloud-based machine learning software provided as a managed service (the “Service”). The Mednition Service uses predictive analytics and machine learning to improve triage risk assessment in hospital emergency departments. Mednition’s customers are these hospitals.
Mednition is committed to protecting the electronic medical record data of its customers regarding their patients, as well as data resulting from the operation of our software and Service in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”), regulations issued under HIPAA, and other applicable laws. We refer to this data as customers’ “application data.” Also, Mednition is committed to preventing the unauthorized disclosure, use, modification, or access of or to customers’ application data. We recognize the importance of appropriate policies and procedures to protect application data. We have therefore created this policy to describe Mednition’s privacy practices and procedures relating to customers’ application data.
This policy summarizes the types of customer application data we collect, how we process application data, the circumstances in which we will disclose application data, how we safeguard application data, gaining access to application data, updating or correcting application data, and resolving disputes relating to Mednition’s privacy practices concerning application data.
II. Types of Customer Data Mednition Collects
When we begin providing the Service to a customer, we ingest data into our cloud-hosted storage systems from the customer’s electronic medical record system (“EMR data”). The EMR data we receive helps us provide the Service to improve triage risk assessment in the customer’s emergency department regarding individual patients. The Service also generates data resulting from the operation of our software. For instance, the Service stores customer application data and data transformations for machine learning and reporting, maintains log data of individual patient visits, and sends customers applicable messages to communicate with clinicians. EMR data Mednition receives is considered “protected health information” under HIPAA and the regulations under HIPAA.
III. Mednition’s Role as a Service Provider
When customers provide EMR data to Mednition, it is the customers or other healthcare providers that have the direct contact with individual patients whose protected health information was ingested into the Service. It is the customers or healthcare providers that would provide HIPAA privacy notices to patients. These customers or healthcare providers would handle any requests from patients to exercise individual rights that may be available under applicable law. Mednition has no such contact with these individuals.
We may process any protected health information when customers use the Mednition service to collect, store, analyze, process and transmit protected health information in connection with the operation of the Service. When performing its services, Mednition acts as a service provider. As such, Mednition processes protected health information only to provide the Service and in accordance with instructions from the applicable customer. For instance, customers have the ability to generate reports and export them for further processing.
As a service provider, with certain exceptions, Mednition has an obligation under its master subscription agreement and business associate agreement with the customer not to disclose or otherwise transfer protected health information and other application data to a third party except to provide the Mednition Service or where the customer has instructed us to disclose or transfer the application data. Except as noted below, Mednition processes any protected health information and other application data solely for the purpose of delivering the Service to the customer and providing related professional and other services. Mednition may use third party data processors to assist it in delivering the Service to its customers as described below.
IV. Statement of Privacy Practices
A. How Mednition Collects Application Data
Mednition collects EMR data from new customers via bulk transfer or stream messaging. Mednition’s Service generates additional application data as described above in Section II.
B. How Mednition Uses Application Data
We process EMR data transmitted by customers to us by providing them with Mednition’s cloud-based managed service for predictive analytics and machine learning to improve triage risk assessment in their emergency departments. Mednition uses application data to provide the Service, including for purposes of administering, managing, deploying, enhancing, and improving the Service. Mednition also acts pursuant to customers’ instructions or our agreements with customers. The Service can generate clinical and operational reports.
C. Disclosures of Application Data to Third Parties and Their Use of Application Data
We use certain third party service providers to help Mednition provide the Service, including service providers that host and maintain application data that we receive from customers. More specifically, we use the Google Cloud Platform and, in the future, may use other HIPAA-compliant cloud platform providers with at least substantially the same levels of data protection to host the Mednition Service and collect and maintain application data uploaded to the Service.
We enter into service, business associate, and other agreements with third parties hosting application data and providing other services necessary to our delivery of the Service. These agreements require our third party service providers to commit to confidentiality restrictions requiring them to use application data only for the purposes of delivering their services to us, not to disclose application data without authorization, and to adhere to practices equivalent to those disclosed in this privacy statement. These agreements also require service providers to notify Mednition if there is any unauthorized access, use, or disclosure of application data, or if they are no longer able to meet the agreements’ security requirements. Mednition monitors the activities of third party service providers where necessary to verify that they process the application data transferred to them in a manner consistent with their obligations under their agreements with Mednition.
We do not sell or rent application data to anyone. Nonetheless, our customers may instruct us to export application data to third party services or other service providers. We will transfer application data in accordance with these instructions.
In connection with a merger, acquisition, reorganization, or sale of assets of our business, or in the event of bankruptcy, any protected health information in our possession will continue to be governed by our existing customer agreements or destroyed. Before any successor in interest can receive any protected health information, it must commit to complying with existing customer agreements or new agreements with our customers. Except for such protected health information, we may sell, transfer, or otherwise share some or all of Mednition’s assets in connection with a merger, acquisition, reorganization, or sale of assets of our business, or in the event of bankruptcy.
Finally, we may disclose application data when required by a subpoena, court order, search warrant, other legal process, lawful requests by law enforcement or other public agencies, or applicable law. These requests may include those pursuant to national security or law enforcement requirements. Moreover, we may disclose application data to the extent necessary to maintain the security of our information processing facilities, resolve disputes, or investigate possible misconduct.
D. How Mednition Safeguards Application Data
Consistent with its business associate agreements with customers, Mednition is committed to protecting application data and preventing loss, misuse, or unauthorized disclosure, use, alteration, destruction, or access of or to application data. Specifically, Mednition is committed to maintaining reasonable and appropriate administrative, physical, and technical safeguards to:
Provide assurances of the integrity and confidentiality of application data,
Protect against any reasonably anticipated threats or hazards to the security or integrity of application data, and unauthorized uses or disclosures of application data, and
Maintain compliance with HIPAA, regulations under HIPAA, and other applicable laws regarding the privacy and security of application data.
E. Accessing Application Data and Making Changes
If a customer needs to update protected health information, it can use the features of the Service to transmit updated protected health information to Mednition.
If a patient believes that Mednition holds protected health information about that patient, and the patient wants to access that protected health information or wishes to make changes to that protected health information, they should contact us at the contact information below in Section V(F). Patients must provide us with the name of the hospital customer that they believe uploaded their protected health information to our Service. We will work with that customer to respond to the patient’s request.
F. Contact Information
If you would like to discuss this policy or ask questions regarding application data, please contact Mednition’s Chief Compliance Officer at the following contact information:
Christian Reilly: creilly@Mednition.com
G. Individual Rights
Mednition will cooperate with customers in connection with meeting their obligations towards an individual patient under 45 C.F.R. §§ 164.524, 164.526, or 164.528 consistent with obligations in its business associate agreements with customers.
H. Resolving Disputes
If a patient has a complaint about our privacy practices regarding application data, a patient may submit a complaint to us at the above contact information. Our privacy team will look into the complaint and provide a response. Patients must provide sufficient information for us to evaluate the complaint and we may ask the patient to provide additional information as a condition of evaluating the patient’s complaint.
Mednition reserves the right to review and update this policy periodically in light of changing legal, technical, and business developments and events. If we make a change to this policy, we will provide a new copy to our customers. Customers’ continued use of the Mednition Service after being sent a copy of the policy indicates their continued agreement to the terms of this policy as amended. Please review this policy frequently to be informed of the latest information about our privacy practices for handling customer data.