The following are defined terms, which may be further defined below or within this Agreement:
Program. Program is Head Health, Inc.’s proprietary web or mobile application operated by Head Health, commonly referred to as MENT ™ Protocol.
Personal Data. Personal Data means information about a living individual who can be identified from the information (or from those and other information either in our possession or likely to come into our possession).
Shared Data. Aggregate data of users at any one time or over time to collect and report usage, detect trends, analyze behavior, or outcomes typically through statistical, mathematical, or algorithmic means.
Restricted Data. Restricted Data is information associated with account openings such as passwords, emails, addresses, and usernames, including information or credentials obtained from third-party login mechanisms including, but not limited to, Facebook, Google, or Twitter.
Usage Data. Usage Data is data collected automatically, either generated by the use of Services or from the infrastructure of the Program, Site, or application itself (for example, the duration of a page visit).
Cookies. Cookies are small files stored on your device (computer or mobile device).
Third Parties. Third Parties are companies, government entities, individuals, or professional organizations outside of the direct control, agency, or ownership of the Company.
COLLECTION OF DATA
We primarily collect two kinds of data: Restricted Data and Shared Data. Shared Data is viewable to those not registered to join MENT ™ Protocol. We may report publicly Shared Data in aggregate, such as the number of patients on a particular treatment or the number of patients experiencing a particular symptom. Restricted Data is not automatically shared with, sold to, or displayed for other users or Third Parties. Some information is also collected from Cookies. Shared Data is the information You provide the Program to customize your experience regarding biological or daily events when you create an account, an account profile, or register within the MENT ™ Protocol in order to customize Services or information provided to US in surveys we conduct. For example, You can customize your MENT ™ Protocol experience by recording biographical information, such as: Gender, Age (deduced from your birth date), location (city, state, and country).
(a) EXPERIENCE DATA. Full use of the Program requires that you record information related to your migraines, such as your pain intensity, your pain location, your symptoms, your triggers, your medication, your reliefs, your menstruation, etc.
(b) PUBLIC DATA. For Users’ benefit, Company may facilitate or provide an online community and public forum, and users acknowledge and accept that any information shared through free text fields (e.g. forum, treatment evaluations, surveys, annotations, journals, feeds, adverse event reports) or images might be connected to users’ Shared Data (which may be shared with, sold to, or displayed for others). The personal notes that you can record within MENT ™ Protocol, however, shall be deemed Restricted Data.
While using our Program, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Data”). Personally identifiable information may include, but is not limited to: (a) Email address, (b) First name and last name, (c) Phone number, (d) Address, State, Province, ZIP/Postal code, City; or (e) Cookies and Usage Data. We may also use your Personal Data to contact you with newsletters, marketing or promotional materials regarding relevant services and/or other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us.
Information and data used in the registration processes of Our program (usernames, addresses, location), any personal notes that You can record in MENT ™ Protocol, and personally identifiable information solicited by the Company or Program are typically deemed Restricted Data under this Agreement.
When you access the Program with a mobile device or web browser, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data (“Usage Data”).
TRACKING COOKIES DATA
USE OF DATA
Head Health uses the collected data for various purposes: (a) to provide and maintain our Program, (b) to notify you about changes to our Program and services, (c) to allow you to participate in interactive features of our Program when you choose to do so, (d) to provide customer support, (e) to gather analysis or valuable information so that we can improve our Program, (f) to monitor the usage of our Program, (g) to detect, prevent and address technical issues, (h) to provide you with news, special offers and general information about other goods, services or events, and (i) for sale to Third Parties; subject to restrictions in this Agreement.
DATA WE MAY PROVIDE TO THIRD PARTIES
Third Parties may either compensate, not compensate, or compel the Company for the disclosure of User Data, Shared Data, Usage Data, information from Cookies, and to the extent required by law, court order, or legislation, some or all, of Your Restricted Data. You consent to all such disclosures to Third Parties.
TRANSFER OF DATA
DISCLOSURE OF PERSONAL DATA
We may disclose your Personal Data in the good faith belief that such action is necessary: (a) to comply with a legal obligation, (b) to protect and defend the rights or property of Head Health, (c) to prevent or investigate possible wrongdoing in connection with the Program, (d) to protect the personal safety of users of the Program or the public, (e) to protect against legal liability.
SECURITY OF DATA
The security of your data is important to us but Client recognizes that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
We may employ third party companies and individuals to facilitate our Program (“Service Providers”), provide the Program on our behalf, perform Program-related services or assist us in analyzing how our Program is used. These third parties may have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
LINKS TO OTHER SITES
Our Program does not address anyone under the age of 18 (“Children”). We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we can take steps to remove that information from our servers.
It is the policy of the Company to adopt, maintain and comply with our privacy practices of customer and end-user data, which shall be consistent with HIPAA/HITRUST, California and EU GDPR laws.
ASSIGNING PRIVACY AND SECURITY RESPONSIBILITIES
MINIMUM NECESSARY USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
It is the policy of the Company that for all routine and recurring uses and disclosures of PHI (except for uses or disclosures made (1) to or as authorized by the customer, client or end-user or (2) as required by law for HIPAA/HITRUST/GDPR compliance), such uses and disclosures of protected health information must be limited to the minimum amount of information needed to accomplish the purpose of the use or disclosure. It is also the policy of the Company that non-routine uses and disclosures will be handled pursuant to established criteria. It is also the policy of the Company that all requests for protected health information (except as specified above) must be limited to the minimum amount of information needed to accomplish the purpose of the request.
PROHIBITED ACTIVITIES-NO RETALIATION OR INTIMIDATION
It is the policy of the Company that no employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA/GDPR regulations. It is also the policy of the Company that no employee or contractor may condition payment on the provision of an authorization to disclose protected health information except as expressly authorized under federal and state regulations.
It is the policy of the Company that the responsibility for designing and implementing procedures to implement this policy lies with the Privacy Official.
VERIFICATION OF IDENTITY
It is the policy of the Company that the identity of all persons who request access to protected health information be verified before such access is granted.
It is the policy of the Company that the effects of any unauthorized use or disclosure of protected health information be mitigated to the extent possible.
It is the policy of the Company that appropriate physical safeguards will be in place to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule.
It is the policy of the Company that business associates must be contractually bound to protect health information to the same degree as set forth in this policy. It is also the policy of the Company that business associates who violate their agreement will be dealt with first by an attempt to correct the problem, and if that fails, by termination of the agreement and discontinuation of services by the business associate.
TRAINING AND AWARENESS
It is the policy of the Company that all members of our workforce have been trained by the compliance date on the policies and procedures governing protected health information and how the Company complies with the HIPAA Privacy and Security Rules, HITRUST and GDPR rules. It is also the policy of the Company that new members of our workforce receive training on these matters within a reasonable time after they have joined the workforce. It is the policy of the Company to provide training should any policy or procedure related to the HIPAA Privacy and Security Rule materially change. This training will be provided within a reasonable time after the policy or procedure materially changes. Furthermore, it is the policy of the Company that training will be documented indicating participants, date and subject matter.
RETENTION OF RECORDS
It is the policy of the Company that the HIPAA Privacy Rule records retention requirement of seven years will be strictly adhered to. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at this Company’s discretion to meet with other governmental regulations or those requirements imposed by our professional liability carrier.
COOPERATION WITH PRIVACY OVERSIGHT AUTHORITIES
It is the policy of the Company that oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services be given full support and cooperation in their efforts to ensure the protection of health information within this Company. It is also the policy of the Company that all personnel must cooperate fully with all privacy compliance reviews and investigations.
If you have any questions about this User Agreement, please contact: firstname.lastname@example.org