YOUR RIGHTS TO PRIVACY DURING USE OF OUR SERVICES
The Program and Our Services are heavily driven by data. This section (“Privacy Policy”) informs you of our policies regarding the collection, use and disclosure of information obtained during the use of Our Services and the choices you have associated with that data. We use your data to provide and improve the Program or Services. By using the Program, you agree to the collection and use of information in accordance with this Agreement and the Privacy Policy. Unless otherwise defined in this Agreement, terms used in this Privacy Policy, whether defined explicitly or by context, have the meaning given to them herein, and that meaning is final and controlling.
DEFINED TERMS
The following are defined terms, which may be further defined below or within this Agreement:
Program. Program is Head Health, Inc.’s proprietary web or mobile application operated by Head Health; commonly referred to as MENT ™ Protocol.
Personal Data. Personal Data means information about a living individual who can be identified from that information (or from that and other information either in our possession or likely to come into our possession).
Shared Data. Shared Data is aggregate data of users at any one time or over time, collected to report usage, detect trends, or analyze behavior or outcomes, typically through statistical, mathematical, or algorithmic means.
Restricted Data. Restricted Data is information associated with account openings such as passwords, emails, addresses, and usernames, including information or credentials obtained from third-party login mechanisms including, but not limited to, Facebook, Google, or Twitter.
Usage Data. Usage Data is data collected automatically, either generated by the use of Services or from the infrastructure of the Program, Site, or application itself (for example, the duration of a page visit).
Cookies. Cookies are small files stored on your device (computer or mobile device).
Third Parties. Third Parties are companies, government entities, individuals, or professional organizations outside of the direct control, agency, or ownership of the Company.
COLLECTION OF DATA
We primarily collect two kinds of data: Restricted Data and Shared Data. Shared Data is viewable by those not registered with MENT ™ Protocol. We may publicly report Shared Data in aggregate, such as the number of patients on a particular treatment or the number of patients experiencing a particular symptom. Restricted Data is not automatically shared with, sold to, or displayed for other users or Third Parties. Some information is also collected from Cookies. Shared Data is the information You provide to the Program to customize your experience regarding biological or daily events when you create an account or an account profile, register within the MENT ™ Protocol in order to customize Services, or respond to surveys we conduct. For example, You can customize your MENT ™ Protocol experience by recording biographical information, such as: gender, age (deduced from your birth date), and location (city, state, and country).
(a) EXPERIENCE DATA. Full use of the Program requires that you record information related to your migraines, such as your pain intensity, your pain location, your symptoms, your triggers, your medication, your reliefs, your menstruation, etc.
(b) PUBLIC DATA. For Users’ benefit, the Company may facilitate or provide an online community and public forum, and users acknowledge and accept that any information shared through free text fields (e.g. forum, treatment evaluations, surveys, annotations, journals, feeds, adverse event reports) or images might be connected to users’ Shared Data (which may be shared with, sold to, or displayed for others). The personal notes that you can record within MENT ™ Protocol, however, shall be deemed Restricted Data.
PERSONAL DATA
While using our Program, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Data”). Personally identifiable information may include, but is not limited to: (a) Email address, (b) First name and last name, (c) Phone number, (d) Address, State, Province, ZIP/Postal code, City; or (e) Cookies and Usage Data. We may also use your Personal Data to contact you with newsletters, marketing or promotional materials regarding relevant services and/or other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us.
RESTRICTED DATA
Information and data used in the registration processes of Our Program (usernames, addresses, location), any personal notes that You can record in MENT ™ Protocol, and personally identifiable information solicited by the Company or Program are typically deemed Restricted Data under this Agreement.
This Privacy Policy does not and shall not apply to any unsolicited information you provide to us, even if such information would otherwise fall within the definition of Restricted Data or Personal Data in this Agreement.
USAGE DATA
When you access the Program with a mobile device or web browser, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data (“Usage Data”).
TRACKING COOKIES DATA
We use cookies and similar tracking technologies to track activity on our Program, and we hold certain information. Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies are also used, such as beacons, tags and scripts, to collect and track information and to improve and analyze our Program. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Services. Examples of some Cookies we use: Session Cookies, which we use to operate our Program; Preference Cookies, which we use to remember your preferences and various settings; and Security Cookies, which we use for security purposes.
USE OF DATA
Head Health uses the collected data for various purposes: (a) to provide and maintain our Program, (b) to notify you about changes to our Program and services, (c) to allow you to participate in interactive features of our Program when you choose to do so, (d) to provide customer support, (e) to gather analysis or valuable information so that we can improve our Program, (f) to monitor the usage of our Program, (g) to detect, prevent and address technical issues, (h) to provide you with news, special offers and general information about other goods, services or events, and (i) for sale to Third Parties, subject to the restrictions in this Agreement.
DATA WE MAY PROVIDE TO THIRD PARTIES
Third Parties may obtain disclosure of User Data, Shared Data, Usage Data, and information from Cookies from the Company, whether or not they compensate the Company for it, and may compel disclosure of some or all of Your Restricted Data to the extent required by law, court order, or legislation. You consent to all such disclosures to Third Parties.
TRANSFER OF DATA
Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of your jurisdiction. If you are located outside the United States and choose to provide information to us, please note that we transfer the data, including Personal Data, to the United States and process it there. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to the transfer of your data into the United States. We will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place, including the security of your data and other personal information.
DISCLOSURE OF PERSONAL DATA
We may disclose your Personal Data in the good faith belief that such action is necessary to: (a) comply with a legal obligation, (b) protect and defend the rights or property of Head Health, (c) prevent or investigate possible wrongdoing in connection with the Program, (d) protect the personal safety of users of the Program or the public, or (e) protect against legal liability.
SECURITY OF DATA
The security of your data is important to us, but you recognize that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
SERVICE PROVIDERS
We may employ third party companies and individuals to facilitate our Program (“Service Providers”), provide the Program on our behalf, perform Program-related services or assist us in analyzing how our Program is used. These third parties may have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
LINKS TO OTHER SITES
Our Program may contain links to other sites that are not operated by us. If you click a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
CHILDREN’S POLICY
Our Program does not address anyone under the age of 18 (“Children”). We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we can take steps to remove that information from our servers.
CHANGES TO THIS PRIVACY POLICY
We may update our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page of Our Site. We will let you know via email and/or a prominent notice in our Program prior to the change becoming effective, and will update the “effective date” at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
HIPAA POLICY
It is the policy of the Company to adopt, maintain and comply with privacy practices for customer and end-user data that are consistent with HIPAA, HITRUST, California privacy law and the EU GDPR.
ASSIGNING PRIVACY AND SECURITY RESPONSIBILITIES
It is the policy of the Company that specific individuals within our workforce are assigned the responsibility of implementing and maintaining this HIPAA Privacy Policy. Furthermore, it is the policy of the Company that these individuals will be provided sufficient resources and authority to fulfill their responsibilities. At a minimum it is the policy of the Company to designate one individual as the Privacy Official. To contact the Privacy Official, email vadams@headhealth.org
MINIMUM NECESSARY USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
It is the policy of the Company that for all routine and recurring uses and disclosures of PHI (except for uses or disclosures made (1) to, or as authorized by, the customer, client or end-user, or (2) as required by law for HIPAA/HITRUST/GDPR compliance), such uses and disclosures of protected health information must be limited to the minimum amount of information needed to accomplish the purpose of the use or disclosure. It is also the policy of the Company that non-routine uses and disclosures will be handled pursuant to established criteria. It is also the policy of the Company that all requests for protected health information (except as specified above) must be limited to the minimum amount of information needed to accomplish the purpose of the request.
PROHIBITED ACTIVITIES-NO RETALIATION OR INTIMIDATION
It is the policy of the Company that no employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA/GDPR regulations. It is also the policy of the Company that no employee or contractor may condition payment on the provision of an authorization to disclose protected health information except as expressly authorized under federal and state regulations.
RESPONSIBILITY
It is the policy of the Company that the responsibility for designing and implementing procedures to implement this policy lies with the Privacy Official.
VERIFICATION OF IDENTITY
It is the policy of the Company that the identity of all persons who request access to protected health information be verified before such access is granted.
MITIGATION
It is the policy of the Company that the effects of any unauthorized use or disclosure of protected health information be mitigated to the extent possible.
SAFEGUARDS
It is the policy of the Company that appropriate physical safeguards will be in place to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule.
BUSINESS ASSOCIATES
It is the policy of the Company that business associates must be contractually bound to protect health information to the same degree as set forth in this policy. It is also the policy of the Company that business associates who violate their agreement will be dealt with first by an attempt to correct the problem, and if that fails, by termination of the agreement and discontinuation of services by the business associate.
TRAINING AND AWARENESS
It is the policy of the Company that all members of our workforce have been trained by the compliance date on the policies and procedures governing protected health information and how the Company complies with the HIPAA Privacy and Security Rules, HITRUST and GDPR rules. It is also the policy of the Company that new members of our workforce receive training on these matters within a reasonable time after they have joined the workforce. It is the policy of the Company to provide training should any policy or procedure related to the HIPAA Privacy and Security Rule materially change. This training will be provided within a reasonable time after the policy or procedure materially changes. Furthermore, it is the policy of the Company that training will be documented indicating participants, date and subject matter.
RETENTION OF RECORDS
It is the policy of the Company that records designated by the HIPAA Privacy Rule will be retained for seven years, which meets and exceeds the Rule’s six-year minimum (45 CFR 164.530(j)), and that this retention requirement will be strictly adhered to. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at the Company’s discretion to meet other governmental regulations or requirements imposed by our professional liability carrier.
COOPERATION WITH PRIVACY OVERSIGHT AUTHORITIES
It is the policy of the Company that oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services be given full support and cooperation in their efforts to ensure the protection of health information within this Company. It is also the policy of the Company that all personnel must cooperate fully with all privacy compliance reviews and investigations.
CONTACT US
If you have any questions about this User Agreement, please contact: vadams@headhealth.org