As used herein, the following definitions apply:
Protected Health Information (PHI):
PHI is Personally Identifiable Information that consists of health information, including demographic information, created or received by DANA and which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify the individual.
“Personally Identifiable Information”, “Personal Information”, or “PII” means any data element that:
1. is recorded in any form;
2. is about, or pertains to a specific individual; and
3. can be linked to that individual whether through the information or the collection of the information and other, publicly available, information on the individual. PII may include PHI.
Collection of Information
Information You Provide to Us
We collect information provided directly to us by a patient or his/her provider.
The types of information we may collect from you include:
• Account Information, such as name, email address, phone number, and any other information a patient or provider may choose to provide;;
• PII and PHI. PHI and PII are processed in a way that is compatible with and relevant for the purpose for which it was collected and authorized by the individual.
• Information about others, such as the names, telephone numbers, and email addresses of patient caregivers.
• Other information you choose to provide, such as when you contact us, or when you request technical or customer support.
Information We Collect Automatically
When you access or use DANA, the types of information we may automatically collect about you include:
1. Non-personally identifiable information. We collect information about the DANA application and services used and how Users use them, such as the assessments completed within the DANA application. This information includes:
o Assessment data. We collect data regarding your responses on reaction time measurements and psychological questionnaires to share with your healthcare provider. These data include assessment type, date and time of the assessment, timestamps of responses, and responses (chosen or filled in).
o Device information. We collect device-specific information such as the mobile device model number and operating system version used for DANA.
o Log information. We may collect and store certain information when you use DANA to enable us to enhance future version of the application. This information may include the following:
a. The dates and times you use the application
b. Device event analytics such as application crashes
c. Hardware settings
2. Information Collected by Cookies and Other Tracking Technologies: We and our service providers use various tracking technologies, including cookies and web beacons, to collect information about you when you interact with DANA. Cookies are small data files stored on your hard drive or in device memory that help us improve DANA and your experience, and count visits. Web beacons are electronic images that may be used in the operation of DANA or emails and help deliver cookies, count visits and understand usage and campaign effectiveness.
DANA does not maintain any Designated Record Set (“DRS”) as that term is defined by HIPAA. Accordingly, all requests for access to PHI contained within a DRS should be directed to the third party institutional user that created and / or maintains the DRS, such as the group, institutional or medical provider that provided you access to the DANA products. Similarly, requests for amendments or restrictions to PHI or PII under HIPAA should be directed to the same third parties.
Use of Information
We may use collected information for various purposes, including to:
1. Provide, maintain and improve DANA;
2. Manage a patient or provider account and send related information, including confirmations, updates, technical notices, security alerts and support and administrative messages;
3. Respond to comments, questions and requests and provide customer service;
4. Communicate about DANA;
5. Monitor and analyze trends, usage and activities in connection with DANA;
6. Detect, investigate and prevent fraudulent and other illegal activities and protect the rights and property of ATinc and others;
7. Personalize and improve DANA;
8. Link or combine with information we get from others to help understand your needs and provide you with a better experience; and
9. Carry out any other purpose for which the information was collected.
Sharing of Information:
1. With vendors, consultants and other service providers who need access to such information to carry out work or perform services on our behalf;
2. In response to a request for information if we believe disclosure is in accordance with, or required by, any applicable law, rule, regulation or legal process;
3. If we believe your actions are inconsistent our license provisions or other policies, or to protect the rights, property or safety of ATinc or others;
5. Between and among ATinc and any current or future parent, subsidiary and/or affiliated company; and
6. With your consent or at your direction.
You may further elect as part of your use of DANA to authorize us to share your name, address, and other health and wellness related information about you with one or more third parties designated by you. You acknowledge and agree that we may use your information in a de-identified manner to create aggregated, de-identified data sets, including to evaluate and implement future products or services and to share such de-identified data sets with third parties in accordance with applicable law, including without limitation, HIPAA and HITECH regulations.
ATinc takes reasonable and industry appropriate measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction. Please understand, however, that no security system is impenetrable. Like other companies, we cannot guarantee 100% the security or confidentiality of the information provided to us. Consequently, while we endeavor to safeguard PII and PHI against unauthorized access and disclosure, we do not warrant or guarantee the absolute security of any personal information transmitted to, from, or through DANA.
ATinc has established comprehensive data security and privacy policies to protect PHI and PII from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These include the implementation of appropriate administrative, physical, and technical safeguards to secure PHI and PII received, prevent misuse, and mitigate any potential harm to individuals in the event of a breach.
Our employees are trained on the requirements of HIPAA and their access to PII and PHI (including electronically provided PHI [“e-PHI”]) is based on job function. DANA requires user authentication prior to allowing access to e-PHI, and encryption is used to prevent unauthorized access to e-PHI. DANA implements other industry-standard security measures to protect e-PHI including, but not limited to, periodic audits of security controls.
The DANA application and Web Portal are HIPAA-compliant and use the security measures mentioned below. We maintain strict security standards for both hardware and software and have implemented policies and procedures to comply with federal, state and local laws and regulations regarding the use and disclosure of such PHI and PII, to protect confidentiality and integrity of PHI and PII we collect or create, and to prevent inappropriate access to or disclosure of such information. In addition to these security features, access to information is also restricted based on the minimum information necessary and user permission level.
Data are encrypted locally on the mobile device used and are decrypted via the application’s data export feature. The application is password-protected, requires a unique login to access, and includes an automatic logoff feature that activates when a.) the user switches to another application, b.) the user exits the application to go to the Home screen or c.) the mobile device is turned off or put to sleep..
DANA Cloud Database and Web Portal
All DANA data are securely encrypted and stored in a relational database on a dedicated server within a virtual private cloud (VPC). Primary access to the cloud database is provided via authentication on the DANA Web Portal (requiring the use of unique login credentials), which is also hosted on a HIPAA-compliant dedicated server. The Web Portal automatically logs out a user if they have been inactive on the site for ten minutes or longer. The DANA VPC provides advanced security features such as security groups and network access control lists to enable inbound and outbound filtering at the instance level and subnet level. The dedicated servers provide an additional layer of security by ensuring data are physically isolated at the host hardware level. Transport layer security (TLS) safeguards have been implemented for any data transfers among the DANA cloud database, DANA Web Portal, and DANA mobile applications.
With your consent, we may collect information about your actual location when you use the DANA mobile applications. You may stop the collection of this information at any time by changing the settings on your mobile device, but note that some features of our mobile applications may no longer function if you do so.
Native Applications on Mobile Device
Some features of our mobile applications may require access to certain native applications on your mobile device. If you decide to use these features, we will ask you for your consent prior to accessing the applications and collecting information. Note that you can revoke your consent at any time by changing the settings on your mobile device.
We do not knowingly collect any personal information from children under the age of 13. DANA is not for use by children. We request that children under the age of 13 not download DANA or submit any personal information through DANA. If we are advised in writing that we have inadvertently received or collected personal information from a child under 13 years of age, we will remove such information from our database.
Your California Privacy Rights
Attn: Security and Privacy Officer
8820 Cameron Street
Silver Spring, MD 20910
Effective Date: January 18, 2017