Introduction & General Scope.
Unless otherwise stated herein, this Policy applies to this Site, to any website that references this Policy, to any website operated by Patient Pass, and to any data Patient Pass may collect across partnered and unaffiliated websites.
“Covered Entity” shall mean, as per HIPAA rules, a person or entity, including physicians, health plans, health care clearinghouses and health care providers, who electronically transmits any health information in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards.
“EPHI” shall mean Electronic Protected Health Information, with the meaning set forth in 45 CFR 160.103, and limited to information created, received, maintained, or transmitted by Patient Pass on behalf of a Covered Entity.
“HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996.
“HITECH” shall mean the Health Information Technology for Economic and Clinical Health Act.
“Non-Personal Information” shall mean information that cannot be used to personally identify an individual person, such as anonymous usage data, general demographic information that we may collect, number of clicks, platform types, certain browser preferences and files that are generated based on the data you submit.
“Patient” shall mean the person who is the subject of PHI treated by a Covered Entity.
“Patient Pass” and “our”, “us” or “we” shall mean Patient Pass LLC.
“Personal Information” or “PI” shall mean information that can be used to personally identify an individual person, such as name, address, email address, home/business address, mobile number and payment processing account details.
“PHI” shall mean Protected Health Information, with the meaning set forth in 45 CFR 160.103, and limited to the information created or received by Patient Pass from or on behalf of a Covered Entity. For reference purposes, PHI shall include EPHI.
“Site” shall refer to www.patientpass.com and its web pages and sub-domains and software applications.
“Terms” shall refer to our Terms and Conditions of Service.
“You”, “your(s)” or “yourself” shall refer to a Patient, Covered Entity, visitor or registered user of our Site.
The terms “collect”, “process”, “treat”, “use”, “share”, “disclose”, “divulge” and analogous words shall refer to actions taken with respect to your PI, PHI and other data collected from our visitors and registered users.
Patient Pass provides, operates and manages a HIPAA- and HITECH-compliant platform on which Patients can use their Internet-connected devices to communicate PHI with Covered Entities, via a chat interface (and/or voice and/or video) and via two-way SMS text messaging.
User Agreement & Registration.
As users of our Site, each Covered Entity will be asked to create a profile with us by clicking the “I Agree” checkbox on the registration form or box, or by other similar means. Through that action, the Covered Entity acknowledges and agrees to the terms of this Policy, which constitutes a legal, binding agreement between the Covered Entity and Patient Pass.
This Policy is freely available for review prior to registration. If you do not agree to its terms, your remedy shall consist of communicating your concerns to the Covered Entity involved.
For purposes of this Policy, the Covered Entity shall be the initial point of contact between you and Patient Pass regarding PI, and will serve as the point of collection of any personal data you may provide. If your concern is not remedied by that means, you may contact Patient Pass directly through our Site.
We constantly try to improve our user experience, and continuously work to:
- notify you of the ways in which your PI may be used and shared (including overseas);
- preserve the security and protection of your PI; and
- ensure that your PI remains accessible to you so that you can exercise your rights regarding it.
Collection of Information.
As per HIPAA and HITECH rules, we do not always need express consent from Patients in order to collect PHI, which includes, but is not limited to, the Patient’s Personal Information, Covered Entity staff names and e-mails, personal addresses, cell phone numbers, Social Security Numbers, insurance carrier information and PHI exchanged using our platform.
Regarding both Non-Personal Information and Personal Information, we collect only what is needed and required for the internal functioning of the Services, through our users’ interactions with the Site, including but not limited to name, surname, email, profile picture, company/Covered Entity email address, personal mobile number, company phone number and other credentials.
Accordingly, by registering with us or otherwise using our products and services, you consent to the collection, transfer, processing, storage, and disclosure of your PI as described in this Policy.
Purpose of PI Collection.
We will store your PI for the purposes of managing your collaboration with other users and clients, improving your user experience, sending newsletters and contacting you about inquiries for our services. Overall, we use the collected PI to provide and improve our services. Accordingly, we will generally collect, use and disclose your PI to:
- Provide, operate, maintain, improve, and promote our platform and our products and services.
- For our internal business practices.
- Verify your e-mail address, access your account and other account notices.
- Develop, research, process, safeguard and improve our services.
- For purposes disclosed at the time you provide your information or as otherwise set forth in this Policy.
- Offer promotions, newsletters, sweepstakes entries, send service related announcements and contact you about inquiries for our products and services.
- To ensure that content on the Site is presented in the most effective manner for you and for your computer or mobile device.
- Investigate and prevent fraudulent transactions, unauthorized access to our services, and other suspicious activities.
- Monitor and analyze trends, usage, and activities in connection with our products and services and for marketing or advertising purposes.
Patient Pass will keep any collected PI only as long as it is necessary for the purpose of its processing. This means that PI collected and processed for marketing and commercial purposes will be stored for as long as you have an active account, and for up to twelve (12) months, or longer where necessary, after your subscription has ended or your account has been deleted or deactivated.
If you do not wish to disclose any or part of your PI to us, you may still be able to use some of the functionalities of our Site, though we cannot guarantee that you will be able to enjoy them to their fullest if you elect not to disclose it.
Disclosures to Business Successors.
If our business is sold, if all or substantially all of its assets are transferred or if it merges in whole or in part with another business that would become responsible for providing the service to you, we retain the right to transfer your PI and PHI to the new business.
Accordingly, we may transfer your PI and PHI if we have a good-faith belief that such disclosure is reasonably necessary to satisfy any applicable law, regulation or legal process pertaining to the sale or transfer of our business. Thereafter, the new business would retain the right to use your PI and PHI, subject to the terms of this Policy and to any changes to this privacy notice instituted by the new business.
Third Party Tools and PI Processors.
We will keep a list of any sub-processors involved in the processing of your PI and PHI in the provision of our service. Where Patient Pass deems it advisable, or where a change would run counter to any commitment or procedure set out herein, Patient Pass will inform you of any intended material change concerning the addition or replacement of sub-processors before such change takes effect, giving you the opportunity to object to it.
You can learn more about how to opt-out by browsing Google’s opting-out and privacy pages located at www.google.com, or the Network Advertising Initiative website located at www.networkadvertising.org.
You must have the legal power, right and authorization to represent yourself as a Patient seeking connection with a Covered Entity when using our services. Individual practitioners and health providers, along with general users of the Site, must be at least eighteen (18) years of age.
Patient Pass does not knowingly collect any kind of information from persons under the age of thirteen (13) for any use other than the exchange of PHI between a Covered Entity and a Patient as the Services are intended. If we learn or have reason to suspect that any user, Patient or customer data pertains to persons under the age of thirteen (13), we will freeze and/or delete any PI under that user’s account, without prior notice and without liability.
Lawful Disclosure of Personal Information.
We, or our affiliates, clients, contractors, licensors, officers, agents and/or representatives, reserve the right to allow third-party access to any of your PI when we believe it is reasonably important to do so or when you violate the terms of this Policy. We will also have the right to disclose any or all gathered PI and/or data in the following circumstances: (i) if necessary under an applicable law; (ii) in reply to a legal demand or subpoena from a law enforcement agency; (iii) to protect ourselves and our affiliates from any third-party legal claims or proceedings brought against us (including takedown notices); and/or (iv) to prevent or stop any activity that we reasonably believe poses a risk or harm to us.
Email Communications & Opting Out.
We collect the e-mail addresses of those who communicate with us via e-mail, aggregate information on which pages users access or visit, and information volunteered by the customer (such as survey responses and/or website registrations).
We may send you service-related announcements on occasions when it is necessary to do so. For instance, if our service is temporarily suspended for maintenance, or a new enhancement is released, which will affect the way you use our service, we might send you an email.
Generally, you may not opt-out of these communications, which are not promotional in nature.
Based upon the PI that you provide us, we may communicate with you in response to your inquiries to provide the services you request and to manage your account. We will communicate with you by email or telephone/SMS text, in accordance with your wishes.
We may also use your PI and PHI to send you updates and other promotional communications, associated with Patient Pass.
If you no longer wish to receive those email/SMS updates, you may opt-out of receiving them by following the instructions included in each update or communication.
From time to time, we may place cookies on your computer or phone in order to track and collect data regarding your use of our products and services. Cookies are small text files that our servers set in your browser and that allow us to recognize you and obtain data such as the environment in which our products are operating, e.g. OS type and version.
We may also use web beacons, which are small files, sometimes only a pixel in size, embedded in the pages of our websites. Beacons record when each of our pages is loaded so that page views can be analyzed by our system tools.
We may also collect and use the data contained in server log files, which may include your IP (Internet Protocol) address, your ISP (Internet service provider), the browser you used to visit our platform, the time you visited our platform and which sections you visited, among other statistics.
We may also use embedded scripts, which are programming code designed to collect information about your interactions with the Site, such as the links you click on. The code is temporarily downloaded onto your device from our web server or a third-party service provider, is active only while you are connected to the Site, and is deactivated or deleted thereafter.
We may also use ETags, which are a feature of the web browser cache. An ETag is an opaque identifier assigned by a web server to a specific version of a resource found at a URL. Because the browser returns the ETag on subsequent requests for that resource, such tracking may generate unique tracking values even where the user blocks HTTP, Flash or HTML5 cookies; clearing the browser cache removes stored ETags.
We do not currently respond to browser “Do Not Track” signals or similar mechanisms.
When you access our platform via a mobile device, we may use your mobile device ID (i.e. the unique identifier assigned to a mobile device by the manufacturer) and/or Advertising ID (for Apple iOS 6 and later) instead of cookies in order to recognize you and track the web pages displayed, along with their performance. Unlike cookies, device IDs cannot be deleted, but you can reset your Advertising ID in the “Settings” section of your mobile device, among other settings.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. If you wish, you can disable cookies in your web browsing software by following the step-by-step guides located at www.allaboutcookies.org and at www.youronlinechoices.com.
Third Party Links.
Our Site may present you with hyperlinks to our commercial partners as well as to other third parties. Once you have used these links to leave our Site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information that you provide while visiting such sites, and such sites are not governed by this privacy statement. You should exercise caution and review the privacy statement applicable to the website in question.
International Transfer Notice.
We have our headquarters in the State of Texas, United States of America (USA). Accordingly, your PI may be accessed by us or our affiliates, agents, partners and third-party service providers in the USA and at our other locations, which may or may not be in your country of residence, and by disclosing your PI you consent to such access and transfer. For European Union (EU) Patients, please be reminded that the EU has not found the United States and some other countries to have an adequate level of protection of PI under Article 45 of the GDPR.
Patient Pass-related entities are subject to the privacy practices set out in this Policy and any applicable jurisdictional legislation.
Notice to Texas Residents
In compliance with the Texas Electronic Privacy Bill (HB No. 2268), we are responsible for any and all actual or suspected security breaches of our PI databases, and are required to notify our Texas customers of any such actual or suspected breach (by email and/or post). We also comply with the restrictions in your favor regarding when law enforcement agencies can access electronic communications, which require warrants for all emails held by service providers like us.
Further, in compliance with HB No. 2268, we have posted this conspicuous Policy to the public, indicating the PI being collected, the manner in which it may be disclosed, and with whom. Our users may visit our Site using anonymous browsing, and this Policy is linked from our home page, with the link including the word “Privacy” or similar. We also notify our users of Policy changes, and provide mechanisms that allow our users to manage their PI.
Your Rights as Patient.
We understand the importance of privacy and are committed to maintaining the confidentiality of your PHI. Accordingly, we keep a secured record of the medical-related text messages that we process.
We are required by law to maintain the privacy of PHI, to provide Patients with notice of our legal duties and privacy practices related thereto, and to notify affected Patients of a data breach.
Our service and Site are hosted on different servers and infrastructure from those that host the PHI we process. For purposes of clarification, the servers and infrastructure that host the PHI encrypt data in transit using TLS (SSL), consistent with the transmission security safeguards of the HIPAA Security Rule and HITECH.
We hereby remind you that you may have specific legal rights under HIPAA and HITECH rules, such as: (a) the right to request certain restrictions on uses and disclosures of your PHI; (b) the right to inspect your PHI, with limited exceptions; and (c) the right to amend PHI that you believe is incorrect or incomplete.
In order to enforce your rights, please first contact the Covered Entity treating your PHI by a written request specifying what PHI you want to limit, what limitations on our use or disclosure of that PHI you wish to have imposed, or if you want to inspect it or get a copy of it; and if you want a copy, your preferred form and format.
We will comply with all reasonable requests submitted in writing which specify how or where you wish to receive these communications. We reserve the right to charge a reasonable fee which covers our costs for labor, supplies, postage, and if requested and agreed to in advance, the cost of preparing an explanation or summary.
We may deny your request under limited circumstances. If we deny your request to access your child’s records or the records of an incapacitated adult you are representing because we believe allowing access would be reasonably likely to cause substantial harm to the patient, you will have a right to appeal our decision. If we deny your request to access your psychotherapy notes, you will have the right to have them transferred to another mental health professional.
If you elect to contact us before contacting the Covered Entity treating your PHI, we may, under HIPAA and HITECH rules, deny your request if we do not have the PHI that you refer to, if we did not create the information (unless the Covered Entity that created the information is no longer available to make the amendment), if you would not be permitted to inspect or copy the information at issue, or if the information is accurate and complete as is. If we deny your request, you may submit a written statement of your disagreement with that decision, and we may, in turn, prepare a written rebuttal. All information related to any request to amend will be maintained and disclosed in conjunction with any subsequent disclosure of the disputed information.
Right to a Paper or Electronic Copy of this Notice. You have a right to notice of our legal duties and privacy practices with respect to your PHI, including a right to a paper copy of this Policy and our Business Associate Agreement, even if you have previously requested its receipt by e-mail or if you reviewed it online on the Site. If you would like to have a more detailed explanation of these rights or if you would like to exercise one or more of these rights, please contact our Privacy Practices Office.
GDPR Notice and your Rights as Data Subject.
For the purposes of the General Data Protection Regulation (GDPR) in the EU, Patient Pass is a “data processor” of the PHI that a Patient who is a legal resident of the European Union provides to the Covered Entity for which we process PHI.
Regarding the PI that we treat and process for the primary purpose of providing you with our services, Patient Pass acts as both a “data processor” and a “data controller”.
For European Union customers and users, by clicking the “I Accept” button or otherwise accepting the terms and conditions of our services through a clickable or similar action, you acknowledge, agree and unequivocally consent to the collection, processing, management, treatment, transfer and authorized disclosure of your PI by Patient Pass, its affiliates and authorized third parties.
The section below covers certain situations that you, as data subject, and we as a data controller, are most likely to see, but you should also carefully review the full list of data subject rights here: https://gdpr-info.eu/chapter-3/. You retain the right to access, amend, correct or delete your PI where it is inaccurate at any time. To do so, please contact email@example.com.
- Right to Data Portability: Under the GDPR, our users located in the EU may request that Patient Pass send them any PI in our possession. In this case, we will provide you with the PI we hold about you in a commonly used, machine-readable format.
- Right to Data Access: As a data subject, you can ask Patient Pass to confirm how and where your PI is being stored and processed. You also have the right to know how that data is shared with third parties by us.
- Right to be Informed: You have the right to be informed about the PI we collect from you, and how we process it.
- Right to Object: You have the right to object to our processing of your PI in the following cases:
- Processing based on legitimate interests or on the performance of a task in the public interest/exercise of official authority (including profiling);
- Direct marketing (including profiling);
- Processing for purposes of scientific/historical research and statistics; and
- Rights in relation to automated decision-making and profiling.
- Automated Individual Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
- Right to Complain: You have the right to file a complaint with supervisory authorities if your information has not been processed in compliance with the GDPR. If the supervisory authorities fail to address your complaint properly, you may have the right to a judicial remedy.
Your privacy request must include, at the least, the following information: (i) your complete name, address and/or e-mail address in order for us to notify you the response to your request; (ii) attached documents establishing your identity; and (iii) a clear and concise description of the PI with regard to which you seek to enforce any of your privacy rights. If you request rectification, please indicate amendments to be made and attach documentation to back up your request.
Upon receipt of your privacy request, and after due review, we may then edit, deactivate and/or delete your PI from our services within thirty (30) days. In case of secure databases under our control where deletion is impossible, we will make such information permanently inaccessible.
From time to time, this Policy may be translated into other languages for your convenience, such as Spanish. The English language version of each of these documents shall be the version that prevails and governs your use of Site and our products and services. Upon the case of any conflict between the English language version and any translated version, the English language version will prevail.
Amendments to this Policy.
Periodically, and at our sole discretion, we may update, change, suspend and/or modify our Site, our services, this Policy and/or our Terms, in whole or in part. We reserve this right in order to operate our business and protect ourselves. Your use after any changes indicates your acceptance thereof. We will post a notice regarding such changes on our Site, and may also email you or otherwise notify you.
Complaints about this Policy or the handling of your health information should be directed to our Privacy Practices Office:
P.O. Box 1771
Fort Worth, Texas, 76101
AND via e-mail at firstname.lastname@example.org
If you are not satisfied with the manner in which Patient Pass handles a user complaint, you may submit a formal complaint to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) by email to email@example.com or call the U.S. Department of Health and Human Services, Office for Civil Rights toll-free at: 1-800-368-1019, TDD: 1-800-537-7697.
The complaint form may be found at www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaint.pdf. You will not be penalized in any way for filing a complaint.
If you have any questions or comments about us, our Site, our Terms and/or this Policy, please contact us at firstname.lastname@example.org or the above listed P.O. Box.
Date of last effective update is July 11, 2019.