Last Modified: March 12, 2015
SafeStart is HIPAA-compliant. We provide this overview so that you can better understand the security measures we've put in place to protect the information that you store using SafeStart.
All data stored in our databases is symmetrically encrypted using AES 256 keys. Amazon Web Services stores data over several large-scale data centers. You can find more information about Amazon Web Services' security at the Amazon Web Services' website. Encryption keys are stored using further encryption.
Your files are sent from SafeStart's mobile and web apps to our servers over a secure channel using SSL encryption, the standard for secure Internet network connections.
User accounts are password protected. Upon successful entry of a unique email, password and authentication token, the user then gains access to his or her account.
SafeStart and Amazon Web Services keep redundant backups of all data over multiple locations to prevent the remote possibility of data loss.
SafeStart cooperates with United States law enforcement when it receives valid legal process, which may require SafeStart to disclose information contained in your SafeStart profile(s). In the case of being compelled to disclose information as above, SafeStart will decrypt the data before providing them to law enforcement.
Our auditing process tracks all records that are created, deleted and modified. We also track activity on the site by users, such as, login, page view, viewing images, adding notes and other activity on the site by Patients and Medical Professionals.
Last Modified: February 23, 2015
The Service is a health records platform that allows patients to view protected health information online and to communicate and share that information with designated Medical Professionals. This Service also allows Medical Professionals to gather, edit, add to, store and share protected health information online related to the treatment of their patients and share that information with their patients and other designated Medical Professionals.
When you use the Service, the Service collects identifying information about you (e.g., name and email address) as well as, if you are a Patient, your protected health information n (e.g., photos, videos, notes, doctor communications, and health history), and, if you are a Medical Professional, your patient communications.
We may collect and store the following information when you use the Service:
When you register to create an account with the Service, we collect some information about you, such as your email address. If you are a Medical Professional, we also may collect information about your medical credentials, such as your medical license number, degree, office number, email address, and specialty.
You cannot delete or alter any photos and/or information from your account.
When you make payment for your use of the Service, we collect additional financial information as required to process those purchase transactions.
When you use the Service, we automatically record information, from the computer, mobile phone or other consumer electronic device you use to access the Service, that device's software, and your activity using the Service (collectively, "Analytics Information"). This may include the device's Internet Protocol ("IP") address, browser type, the web pages you visit on our website, information you search for on our website, locale preferences, identification numbers associated with your device, your mobile carrier, date and time stamps associated with transactions, system configuration information, captured metadata from photos and video concerning your uploaded health information, and other interactions with the Service.
The Service allows you to view your health records or those of your dependent children.
How we use non-personally identifying information:
We may use Analytics Information to monitor and analyze use of the Service, for the Service's technical administration, to increase the Service's functionality and user-friendliness, and to verify users have the authorization needed for the Service to process their requests.
We may also use, or share with third parties, other non-personally identifying information in the aggregate for the purpose of improving the Service and for business and administrative purposes, or for medical studies of quality, safety, and outcomes.
How we use personally identifying information
We use personally identifying information collected through the Service, including Patients' protected health information:
We may also ask you to participate in use surveys, questionnaires or polls, to facilitate feedback and input from our users. When you respond to surveys, questionnaires or polls, this information is collected only as anonymous, aggregated information and is used for statistical purposes only.
A key purpose of the Service is to facilitate the sharing by Patients of health information with Medical Professionals that are designated members of the Patient's health care team.
Patients share protected health information with designated Medical Professionals once they have established a Medical Professional - Patient relationship as outlined in our Terms of Service. Once data is shared it will remain shared with the Medical Professional.
No Medical Professional who accepts a sharing invitation has the ability to use the Service to share a Patient's health information with third parties, the exception being that Medical Professionals can use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, photos, videos, and other medical information for treatment purposes only without the patient's authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient.
We may disclose your personally identifying information to third parties when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of SafeStart or its users; or (d) to protect SafeStart's property rights. If we provide your personally identifying information to a law enforcement agency as set forth above, when legally required, we will remove SafeStart's encryption from the files before providing them to law enforcement.
If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your personally identifying information may be transferred as part of that transaction, but we will notify you of this transfer of your information (for example, via email and/or a prominent notice on the Site). We will also notify you of choices you may have regarding the transfer of your information.
We may disclose your non-personally identifying information to third parties as described above under "How we use aggregate non-personally identifying information." We do not sell, trade or rent your personal information to third parties.
We will retain copies of your information if required by law.
We follow generally accepted industry standards to protect your health information and other personally identifying information that we collect about you. We use firewall barriers, SSL 256-bit high-grade encryption techniques and authentication procedures, among others, to maintain the security of your online session and to protect user accounts and systems from unauthorized access. However, no method of transmission over the Internet or method of electronic storage is 100% secure.
The Service is not intended for use by individuals under the age of 18. A parent or guardian can create a Profile for a child and grant others access to the data. If a parent or guardian becomes aware that his or her child has provided us with personally identifying information without their consent, he or she should contact us at firstname.lastname@example.org. If we become aware that a child has provided us with personally identifying information, we will take steps to delete such information from our files.
You have a right to:
1. View your medical records. You can access your medical records that have been provided to SafeStart within 30 days of your request to do so. You can view your medical records at any time by accessing your account online.
2. Inspect and copy your PHI. You must submit your request to inspect or copy your PHI online to SafeStart. SafeStart may impose a fee for the costs of copying, mailing, labor and supplies associated with your request. SafeStart may deny your request to inspect and/or copy your PHI in certain limited circumstances. If that occurs, SafeStart will inform you of the reason for the denial, and you may request a review of the denial.
3. Amend your PHI. If you believe your file is incomplete or incorrect, you can request that SafeStart add an addendum to your PHI. SafeStart may, under certain circumstances, deny your request. If that occurs, you have the right to submit a statement of disagreement for inclusion in your records. You cannot change any PHI after the information has been used for the completion of a surgical safety time out.
If you cancel your operation your information remains part of the the medical record and we will keep the information as long as specified by the law.
4. Accounting and disclosures. You always have the decision whether or not to give permission for your PHI to be shared before it is used or shared. Your chosen health professionals that use the Service are prohibited from using or sharing your personally identifiable medical records for any purposes that are not part of normal, routine health care processes. You have the right to receive an accounting of all disclosures SafeStart has made of your PHI. Accordingly, upon request, made in a 12 month period SafeStart shall provide the patient, at no charge, with a copy of accounting of disclosures.
SafeStart will provide you a notice that tells you how your PHI has been used and shared. This accounting will be provided without charge for the first request made in a 12-month period. Reasonable cost-based charges can be imposed to provide an additional accounting(s) if the request for the 2nd (3rd...) accounting is within the 12 month period, as permitted by law.
5. Complaint. You may complain to SafeStart and to the Secretary of the Department of Health and Human Services if you believe that your privacy rights have been violated.
Last Modified: March 12, 2015