LEGAL
Privacy Policy and Individual Access Services Privacy and Security Notice
Last Updated:
April 3, 2026
Introduction
Medchart US Inc. dba Settlit ("Medchart") is an information technology service provider that enables you or your Designated Representatives to use electronic means to collect, access, maintain, and share (collectively, “Process”) your health information and medical records. Medchart respects your privacy and is committed to keeping this information accurate, confidential, and secure. We Process your information that identifies you personally only with your consent. We always ask for your permission before we share or use your information for a purpose other than the one to which you have consented. This Privacy Policy is based on U.S. privacy law in general as well as the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) promulgated by the US Department of Health and Human Services under the Health Insurance Portability and Accountability Act (“HIPAA”) as well as state laws governing the disclosure of Personal Health Information.
The Scope of This Privacy Policy
This Privacy Policy describes Medchart’s approach to protecting the privacy of Personal Information in its possession or control, in accordance with applicable law and Medchart's policies. This Privacy Policy governs our service offerings in the United States.
Changes to this Privacy Policy
This Policy is effective as of the “last updated” date listed above. We reserve the right to change this Privacy Policy from time to time to ensure that it accurately reflects applicable law and Medchart policies. Non-material changes will be effective immediately, but Medchart will provide 30 days' advance notice of material changes through, for example, website postings and/or Medchart newsletters. Please check this page regularly to ensure that you understand how Medchart Processes your Personal Information. By continuing to use Medchart services after the effective date of a change, you automatically accept the change.
Definition of Terms Used in this Privacy Policy
Privacy
Privacy is an individual's right to retain control over the collection, use, and disclosure of her/his personal information.
Custodians
Custodians are health care plans, insurers, health care clearinghouses, health care providers, and other entities who transmit Personal Health Information to Medchart with your consent.
Personal Information
Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer. Personal Information is information that identifies, relates to, describes, or could reasonably be linked or associated, directly or indirectly, with a particular consumer or household.
Personal Health Information
Personal Health Information is Personal Information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained (collectively, “Processed”) by Custodians. This includes health information that can be tied to an individual through identifiers such as: name; address; email address; telephone and fax numbers; social security numbers or other government issued IDs; insurance, medical record, or other account numbers; biometric identifiers; photographs or images; device identifiers; or other persistent identifiers that can reasonably be used to identify an individual. Data from which all personal identifiers have been removed, such that the information cannot reasonably be used to identify the individual, is not considered Personal Information, nor is it Personal Health Information.
Capacity and Substitute Decision-Making
An individual is capable of consenting to Medchart’s Processing of Personal Health Information if the individual is able to understand the relevant information and the consequences of giving or withholding consent. Medchart presumes individual capacity unless it has reasonable grounds to believe that the individual is incapable of consenting.
An individual who is capable of consenting to Medchart’s Processing of Personal Health Information may also authorize another person – including family members, advisors, lawyers, or other health care providers – as a Personal Representative to act on her or his behalf. If the individual is incapable of making and understanding health decisions, for example if the individual is unconscious, deceased, or otherwise incapacitated, substitute decision-makers authorized by state or federal law to act as Personal Representatives may consent on her or his behalf.
Substitute Decision-Maker or Personal Representative
A Personal Representative, in relation to an individual, means, unless the context requires otherwise, a person who is authorized by law as a substitute decision-maker to consent on behalf of the individual to the collection, use or disclosure of Personal Health Information about the individual.
Collection, Use, and Disclosure of Personal Information
Collection
Information that you affirmatively give us or ask us to collect:
When you register for a Medchart account, we collect the Personal Information that you or your Personal Representative provide directly, including your full name and contact information (including physical and email addresses, phone and fax numbers, etc.). We also collect any other information that you provide including, without limitation, information about your health care providers, insurers, and medical conditions.
At your direction and with your consent, Medchart collects medical records and Personal Health Information from Custodians.
If you have designated a Personal Representative, including an attorney or family member, you may give them access to and the ability to add additional Personal Information to your Medchart records.
Information that we collect passively when you visit our website:
Medchart collects information about how and when you use our website and our service offerings, including information about the pages you visit and the content you view on our sites and in our portals. We collect information about the apps, browsers, and devices you use to access our services, which helps us provide features like automatic product updates. The information we collect includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. We also collect information about the interaction of your apps, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your request.
Use of Cookies
The Site uses "cookies" to help personalize and maximize your online experience. Cookies are small amounts of data that often include unique identifiers that enable the Site to recognize you and to keep track of your preferences. These identifiers are usually alpha-numeric strings, which cannot be used to identify you without additional information.
Two types of cookies may be employed during your visit to the Site:
- "Session" cookies, which are not permanently stored on your hard drive and are permanently deleted from your computer after two hours of inactivity or when you end your session, are used to help you to navigate around the site; and
- "Persistent" cookies, which remain on your computer so that the Site can recognize you when you return. These cookies, which are used primarily to personalize your site experience and save you time, will remain on your computer after you have left our Site and will expire when you log out of the Site, or 60 days after your last visit for security cookies, or two years after your last visit for advertisement and information notice cookies.
The Site uses cookies for the following:
- When you return to the Site, cookies enable us to retrieve the information you previously provided, so you can easily use the features that you customized. Because of our use of cookies, we can deliver faster and more accurate results and a more personalized site experience. For example, if you personalize Medchart pages, or register for services, a cookie helps us to recall your specific information (such as user name, password and preferences). When you watch a video clip or listen to an audio clip on or through the Medchart Site, a cookie may take note of which media player and which type of clip (high or low bandwidth) you prefer to use on your computer. Note, however, that you can change your video and audio preferences at any time or choose a player each time you view or listen to a clip.
- Some parts of the Site use cookies to track user traffic patterns. We do this in order to determine the usefulness of the Site’s information to our users and to see how effective our navigational structure is in helping users reach that information.
- We also use cookies to identify users who have been banned from using our forums for behavior that violates these General Terms and Conditions and to track click streams, for load balancing and to enable you to navigate through the site using redirection pages.
Please note that you have the ability to disable cookies if you wish, generally through changing your internet browser settings. It may also be possible to change your browser settings to enable acceptance of specific cookies. For more information on enabling and disabling cookies, please refer to the help section on your browser. If cookies are disabled it may mean that not all the services of this Site might be available. If you do not agree with Medchart’s use of cookies, please discontinue the use of this website.
Use
Medchart uses Personal Information about you for the exclusive purposes of collecting, maintaining, and disclosing that information, including Personal Health Information, at your direction and on your behalf. If we want to use your information for any other purpose, we will seek your explicit consent to do so.
Disclosure
Medchart discloses Personal Information about you, including Personal Health Information, in order to provide the service, including to collect Personal Health Records from Custodians and to facilitate the disclosure of that information to third parties on your behalf and at your direction. Medchart may also disclose Personal Information about you to third parties as required by applicable law and/or as necessary to protect our rights and the rights of third parties. Unless prohibited by law, we will notify you of any such disclosures.
Retention
Medchart will retain Personal Information associated with your Medchart account for so long as it is necessary to provide our services to you. Subject to certain limitations necessary to provide our services, operate our business, and comply with applicable law, you may delete your Personal Information at any time by contacting our Privacy Team. We will delete it within a reasonable time, except for the minimum necessary in our audit logs and our backup systems as required by our information security program, and to comply with applicable law.
Privacy Principles
Medchart Processes your Personal Information in accordance with globally recognized fair information practice principles described below:
Accountability
Medchart is an information technology service provider that allows users to access, consolidate, and control their Personal Health Information collected from Custodians using electronic means. Medchart has established policies and procedures to protect patient privacy and safeguard Personal Information, including Personal Health Information. Our Chief Privacy Officer (CPO), identified at the end of this document, is Medchart’s designated contact person and is accountable for our compliance with this Privacy Policy and applicable law.
Consent
Medchart will normally obtain consent from you or your properly designated Personal Representative before Processing Personal Information about you. An individual can provide consent to the collection, use and disclosure of Personal Information about them expressly, implicitly, or through an authorized Personal Representative. When you sign up for Medchart's services, whether as an individual or an individual’s personal representative, we will ask for your express consent during the account creation process. You have the right to withdraw consent at any time, with certain exceptions.
Purpose Specification
Medchart will identify the purposes for which Personal Information is Processed at or before the time the information is collected. We will not use your Personal Information for any other purpose without your express consent.
Collection, Use, Disclosure, and Retention Limitations
With your consent, Medchart helps you consolidate and access your Personal Health Information on a secure online account. Specifically, we: collect copies of your official medical records from Custodians; if necessary, convert your paper records into an electronic format, and promptly and securely dispose of the paper copy; upload the electronic copy of your records onto a secure, encrypted online database; allow you to access these records on your personal password-protected Portal on our website; and allow you to authorize other users (such as your healthcare provider, family members, or lawyers) to securely access, use, and disclose your records.
Medchart collects Personal Information about you only by fair and lawful means, either from you directly or from Custodians. This information may include your name, date of birth, address, contact information, health history, records of your visits to medical service providers, and details of the care that you received. Upon enrolling in Medchart's services you agree and understand that the collection of Personal Information is for your personal record keeping purposes, including disclosure to third parties at your direction or at the direction of your Personal Representative.
Medchart will use your Personal Information only for the reasons it was collected, unless you expressly consent to our use or disclosure of that information for another reason. We will retain your Personal Information only for so long as necessary to provide the services you have requested. Medchart may share your Personal Information with our affiliates and service providers who may be involved in delivering Medchart's services, providing customer support, and conducting customer research or satisfaction surveys. These service providers are obligated by contract to protect your Personal Information, they are not permitted to use this information for any purpose except providing the service, and they are only given the information necessary to perform their designated functions. Medchart does not authorize any service providers to use or disclose your Personal Information for their own marketing or other purposes. We may also share your Personal Information with our financial, insurance, legal, accounting or other advisors that provide such professional services to us.
Your Personal Information may be processed and/or stored outside of the United States as necessary or appropriate to provide our services. No matter where your data is stored, we undertake reasonable measures to protect your Personal Information. When it is stored and/or Processed in other jurisdictions, our Processing of that data may be subject to the laws of such countries and made available to third parties under applicable law. By providing us with your information, you allow your Personal Information to be transferred outside of the United States.
Accuracy
Medchart will keep the Personal Information in its possession or control accurate, complete, current and relevant, based on the most recent information available to Medchart. Please be aware that we cannot modify Personal Information provided by Custodians. However, if you believe that any other Personal Information is inaccurate or incomplete, please notify us via email or your account.
Data Security
The safety and privacy of your information is our top priority, and Medchart has deployed appropriate physical, administrative, and technical measures designed to safeguard your Personal Information against theft, loss, unauthorized access, copying, modification, use, disclosure and disposal. These measures include appropriate security policies, employee training, the use of nondisclosure agreements, audits and compliance monitoring, and access controls (facility and workstation).
Medchart uses strong encryption technologies to secure your information, and monitors and upgrades our systems to reflect new technology and other developments. Access to your online profile and medical records is protected by your personal login details. We strongly encourage you to take advantage of our optional 2-factor authentication system (a verification code sent to your registered cell phone or email at time of login) to minimize the likelihood of unauthorized access in case your login details have been lost or stolen.
Transparency
This Privacy Policy is designed to provide a comprehensive description of Medchart’s privacy practices, including information about the Personal Information we collect, how we use that information, and to whom we disclose it.
- Medchart may disclose Personal Information to our service providers who help us provide the service or to third parties (such as family members, lawyers, or health care providers) at your direction.
- Medchart does not sell your Personal Information except as described in this Notice or as authorized by you.
- Medchart does not knowingly collect Personal Information about minors without the express consent of their parent, guardian, or duly appointed Personal Representative.
If you would like to know more about Medchart’s policies and practices related to the management of personal information, please contact our Chief Privacy Officer via email sent to privacy@medchart.com.
Access to Personal Information
Except as restricted by law, Medchart will inform you or your Personal Representative about the existence, use and disclosure of any personal information about you in our possession or control, and will provide access to that information. You may also have the right to challenge the accuracy and completeness of the information and to ask that it be amended or deleted. To ask if we are processing Personal Information about you, to learn what personal information about you we have, and to whom we may have disclosed that information, please send an email to privacy@medchart.com.
Please be sure to include your full name, address, telephone number, and email address. We may need to ask for additional information to verify your identity.
Individual Access Services Privacy and Security Notice
Medchart provides Individual Access Services (“IAS”) in conformance with the Trusted Exchange Framework and Common Agreement (“TEFCA”) issued by the U.S. Department of Health and Human Services. The following Individual Access Services Privacy and Security Notice provides an explanation of the additional privacy and security practices of Medchart with respect to Individually Identifiable Information maintained by Medchart in connection with Individual Access Services, whether obtained through TEFCA or otherwise as part of the IAS workflow, Individual Access Services Data (“IAS Data”), and your rights with respect to Individually Identifiable Information maintained by Medchart in connection with the Individual Access Services.
Relationship to Other Agreements
Once information retrieved through Individual Access Services is available to you in the Individual Access Services App, the Individual Access Services App’s terms of service and privacy notice apply to that information.
Any conflict between these Terms and Individual Access Services App’s terms and privacy policy will be resolved with priority to protecting your privacy rights and the security of your information.
How IAS Data is Accessed, Exchanged, Used, and/or Disclosed
In general, we only share your information with you or your Personal Representative(s), any person or organization authorized by you or your Personal Representative(s), and our third-party service providers. We may also share your information when required by law or court order, or in connection with business transfers (such as a merger or acquisition).
We share the minimum information necessary to search for, locate and retrieve information. If authorized by you or your Personal Representative(s), we can also share information with organizations that you designate or their participating organizations.
We share the minimum necessary information with our sub-processors to help us provide the Individual Access Services service. These companies are acting on our behalf and are required, by contract with us, to keep your information confidential, and are only authorized to use it for specified purposes, consistent with our contractual commitments, applicable law and other requirements.
We closely scrutinize all law enforcement and regulatory requests. We do not disclose information to law enforcement or regulatory authorities unless we determine it is necessary to do so under law to comply with a valid court order, subpoena, civil investigation demand or search warrant, and our reasonable efforts to limit disclosures to anonymized, redacted or minimum necessary information are unsuccessful.
If we are not prohibited from doing so (e.g. under the Patriot Act), we will attempt to notify you within three (3) business days of receiving any such legal process, and within three (3) business days of responding with your information. We also seek assurances from the requesting law enforcement or government agency that it will protect information to the highest degree possible and will not disclose it in violation of applicable federal or state confidentiality laws. While we cannot offer assurance that these efforts will be successful, we will maintain a record of these disclosures.
If we are a party to a legal proceeding with you, we will not disclose information retrieved from Individual Access Services for purposes of resolving a civil dispute. If we are not a party to a legal proceeding but receive a valid subpoena, discovery request or other lawful process, we will attempt to notify you, request a protective order, and use reasonable efforts to limit disclosures of your IAS Data to the minimum necessary to accomplish their intended purpose.
If we enter into a merger, acquisition, or the sale of all or part of our assets, Individual Access Services will likely be part of the assets transferred. A successor cannot make a material change to these Terms without your opt-in consent.
Medchart will never use information retrieved from Individual Access Services to make claims against you, except (if applicable) to collect fees or costs for services you requested.
We use your IAS Data to:
- Locate and retrieve information from Custodians
- Process this information so we can make it available to you
- Fix errors, analyze performance and improve the usability and effectiveness of our services
- Communicate with you as needed to provide essential information and respond to your questions or concerns
- Obey laws and help prevent theft, fraud and abuse
- Enforce our agreements and policies
- Maintain system security and the privacy of your information
- Resolve disputes
- Support other purposes that are reasonably related to these essential purposes
We may deidentify and/or aggregate individually identifiable information, in accordance with the HIPAA de-identification standards at 45 CFR 164.514(b), in connection with our services or for our internal business purposes, such as creating and analyzing usage data. Usage data reflects general patterns and trends about how users interact with the Individual Access Services (for example, feature utilization, navigation flows, and performance metrics) but does not identify any individual user. We use usage data to analyze, maintain, and improve the functionality, performance, and user experience in Individual Access Services and related services, and to generate reports, which we may share with customers and the public.
We only collect and use the minimum necessary amount of personal information as necessary to fulfill the permitted uses and disclosures described in this Privacy Policy and Individual Access Services Privacy and Security Notice.
Medchart is not a “covered entity” under the Health Insurance Portability and Accountability Act (“HIPAA”) so HIPAA Rules do not apply as a matter of law, but we apply the principles of HIPAA in our handling of IAS data. We also apply the same data practices for all our enterprise customers, regardless of whether they are regulated by HIPAA or not.
Required Conformance with the Privacy and Security Notice and TEFCA
Medchart uses commercially reasonable efforts to protect IAS Data from unauthorized or illegal access, modification, Use, or destruction.
We encrypt all of your information in transit and at rest, and our sub-processors are required to meet our minimum privacy and information security commitments.
Medchart’s obligations under the Individual Access Services Privacy and Security Notice will continue for as long as we maintain IAS Data.
Medchart maintains a number of industry best practices for consumer privacy and information security practices for technology companies that manage health information, including regular and voluntary privacy impact assessments, threat risk assessments, and HIPAA assessments. We contract with independent assessors that are qualified to perform such testing and assessments as well as conduct self-assessments.
While we implement reasonable privacy controls and information security measures to safeguard your personal information from unauthorized access, disclosure, use, modification and loss, there is always a risk of data breach outside of our reasonable control, and you accept that risk. We have protocols in place to notify you and help you through next steps if your data is compromised.
Opt-In Consent
We will not launch Individual Access Services without your affirmative opt-in consent.
We will obtain your express documented consent to these terms of the Privacy Policy and Privacy and Security Notice prior to the access of your IAS Data other than for Disclosures that are required by Applicable Law.
How to Revoke Consent for Individual Access Services
You can withdraw your consent at any time through the Individual Access Services App; we will immediately honor your request upon our receipt.
Be advised, a withdrawn consent does not undo our prior authorized requests or disclosures. It also does not stop any uses or disclosures that are either required by law or that are otherwise permitted by applicable law.
To relaunch Individual Access Services, you will need to provide a new opt-in consent.
Individual’s Rights with respect to IAS Data
We make your information accessible through your Individual Access Services App in a machine readable format. However, a machine-readable format in PDF can be requested by verified users by contacting our Privacy Office.
Incident Reporting
We will notify you by email if we believe that the security of your personal information may have been compromised, as required by law, regulation and other requirements.
Fees and Consent to Sale
We do not charge consumers fees for access to IAS Data. We get paid by customers through their services which may include payment for your IAS Data. The fees and other business terms you accept to use these services to access your information are between you and these customers.
To access and use Individual Access Services, you will need access at your own expense to the internet, a computer, cell phone number, smartphone or similar handheld device, and an acceptable digital identity credential from a recognized organization. We are not responsible for the fees that you incur from these third parties.
We may use your IAS Data to provide you with better access to services through targeted marketing or advertising but will only do so if you provide prior consent.
Required Disclosures
Commonwell Health Alliance (https://www.commonwellalliance.org/):
Any information retrieved through Commonwell is provided to you on an as-is, as available basis, with no warranty of any kind, and for information purposes only. You disclaim any claim that Commonwell’s services or any information retrieved through Commonwell is medical advice.
The Trusted Exchange Network and Common Agreement (https://rce.sequoiaproject.org/tefca/)
U.S. Centers for Medicare & Medicaid Services (CMS)
Be advised, CMS does not certify or endorse the Individual Access Services functionality. CMS disclaims any warranty relating to its services for facilitating the retrieval of information from CMS, or to the information itself.
U.S. Department of Veterans Affairs
Be advised, CMS does not certify or endorse the Individual Access Services functionality. CMS disclaims any warranty relating to its services for facilitating the retrieval of information from CMS, or to the information itself.
Request-Only IAS Provider
MEDCHART DOES NOT PROVIDE BIDIRECTIONAL SERVICES. YOU WILL HAVE THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE. YOU WILL NOT BE ABLE TO USE MEDCHART TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.
Complaints and Questions
For more information about our privacy protection practices, or to raise a concern you may have about our practices, please contact:
Juliana Doxey
Chief Privacy Officer, Medchart, Inc.
215 S. Denton Tap Rd., Suite 290
Coppell, TX, 75019
USA
Email: privacy@medchart.com
Toll-free: 1-833-603-0407
Fax: 1-888-929-2687



