Our Policies
The Chearful’s Privacy Policy
Pathfinder Innovation Portal LLC (“Company”), a limited liability company established in the United Arab Emirates, owns and maintains Chearful.com, a wellbeing website (the "Platform"). The Company is dedicated to maintaining privacy protections that give users confidence and clarity whenever they use the Platform. Respecting each User’s privacy is one of the most important pillars of Chearful’s operations. This Privacy Policy describes the basis on which any personal data Chearful collects from the User, or that the User provides when using the Platform (collectively, “Personal Data”, further defined below), will be processed in connection with the User’s use of the Platform and the Services (defined below). Please read this Privacy Policy carefully before using the Platform, to understand our views, policies and practices regarding the User’s Personal Data and how we will treat it. The Platform does not store, sell, rent or lease credit/debit card details and does not pass them to any third party; personally identifiable information is shared with third parties only as set out in this Privacy Policy.
Privacy Policy And The User Agreement
The User Agreement, which all Users voluntarily and knowingly agree to enter into by accessing the Platform, and this Privacy Policy constitute all terms and conditions for the use of the Platform. You agree to the handling of your Personal Data in accordance with this Privacy Policy by using the Platform to obtain wellbeing services. If you do not understand any aspect of the Privacy Policy and/or have any queries in relation to it, please email contact@chearful.com. The Platform may include links to third-party websites, plug-ins and applications, including those of Specialists whose services are offered through the use of the Platform. Clicking on those links or enabling those connections may allow third parties to collect or share data about you (the User). The Company does not control these third-party websites and applications; hence, the Company is not responsible for their privacy policies or their use of your personal data. You are encouraged to read the privacy policy of every website and application you visit when you leave the Platform.
Restricted Use Of The Platform By Minors - Parent/Guardian Consent
People under the age of 18 are not to use the Platform; parents or guardians shall restrict minors' access to the Platform. The Company does not knowingly collect Personal Data from persons under the age of 18. If you are under the age of 18, you are not authorized to use the Platform, and you shall not provide any information about yourself to us. By accessing, using and/or submitting information to or through the Platform, you represent that you are not under the age of 18. If we learn that we have collected or received Personal Data from a person under the age of 18, we will use that information only to respond directly to that child (or his/her parent or legal guardian) to inform them that he/she cannot use the Platform, and we will then delete that information. If you believe we might have any information from or about a person under 18 for which there is no parental or legal guardian consent, please contact us immediately at contact@chearful.com.
Personal Information
Personal Data (or, Personal Information) means any information about an individual from which they can be identified. We may collect, transfer, use and store different kinds of Personal Data about you, which includes but is not limited to -
- Identity and Contact Data, which includes but is not limited to, billing address, delivery address, email address, and/or telephone numbers.
- Communications Data, which includes your interactions with The Company via social media platforms, electronic messages, email and other electronic and non-electronic communication.
- Specialists’ Data, which includes but is not limited to, title and full name; languages spoken; clinic locations; education and qualifications; relevant expertise, symptoms, and procedures.
- Financial Transaction Data, which includes but is not limited to, bank account and payment card details, history of payments to and from you and other details of online consultations with Specialists you have booked through the Platform
- Technical Data, which includes but is not limited to, internet protocol (IP) address, browser type and version, browser plug-in types and versions, login data, operating system and platform, hardware version and make and model (mobile phones only), device settings and other device identifiers, file and software names and types, language and time zone setting, device location (such as through GPS, Bluetooth or Wi-Fi signals), connection information such as the name of your mobile operator or ISP, and mobile phone number.
- Profile Data, which includes but is not limited to, your password and username, bookings or transactions made by you (the User), your interests, feedback, preferences and survey responses
- Usage Data, includes but is not limited to, information about how you (the User) use the Platform, how you use your devices to access the Platform (including the searches you make and the screens you visit)
- Marketing and Communications Data includes but is not limited to, your preferences in receiving marketing from us (the Platform) and our third parties, as well as your communication and communication-related preferences
Aggregated Data
We collect, share and use aggregated data such as demographic or statistical data for any purpose. Aggregated data may be derived from your Personal Data, but is not considered Personal Data as this data does not directly or indirectly reveal your identity. We may aggregate your usage data to calculate the percentage of users accessing a specific feature. However, if we combine or connect aggregated data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Policy.
If You (The User) Fail To Provide Personal Data
If you fail to provide Personal Data that we need to collect by law or under the terms of the agreements we have with you, we cannot perform the agreement we have, or are trying to enter into, with you. In this case we may cancel an appointment you have booked through the Platform, but we will notify you of the cancellation.
How Is Your (The User’s) Personal Data Collected?
To collect data from and about you, we use different methods, including through -
- Information provided to us through direct interactions - You (the User), by using the Platform, filling in forms or corresponding with us via email, phone, in person or otherwise, may give us your Identity and Contact Data, Financial Transaction Data, Profile Data and Marketing and Communications Data. This includes Personal Data provided when you apply for or purchase our services; fill in forms or create an account on the Platform; enter a survey; request further information or marketing materials to be sent to you; give us feedback; contact the support team; subscribe to our services or publications; use our services with a Platform Specialist; etc.
- Information we collect about you (the User) through automated technologies or interactions - As you interact with the Platform, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this Personal Data using server logs, cookies and similar technologies. If you visit other websites that employ our cookies, we may also receive Technical Data about you.
- Information we receive in connection with your use of the Platform - Data provided by your insurer; information obtained from video consultations; communications with us through social media platforms, electronic messages, email and other electronic and non-electronic communications; your networks and connections made available to us from your mobile and desktop devices’ address book contacts and social media platforms (e.g. Facebook, Instagram, Twitter), depending on the permissions you have granted.
- Information we receive from publicly available sources and/or third parties - We may receive Personal Data about you from various third parties and public sources, such as Technical Data from analytics providers, advertising networks and search information providers, and Contact, Financial or Transaction Data from providers of technical and payment services.
How We Use Your Personal Data
The Platform will only use your Personal Data when the law allows us to. Most commonly, we will use your Personal Data when it is necessary -
- For performance of the User Agreement we are about to enter into or have entered into with you - i.e. for processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
- For our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Legitimate Interest means the interest of our business in managing and conducting our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). Please feel free to contact us to obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities.
- To comply with a legal obligation - Complying with a legal obligation means processing your Personal Data where it is necessary for compliance with a legal obligation we are subject to.
The following are some of the most common purposes or activities for which the Data may be processed -
- We keep a record of the Services provided to you to be used for billing purposes.
- If you are seeking to recoup the expense of the Services from your chosen insurance company, information may be provided to the insurance company.
- We may be required to provide your Personal Data to regulators as and when necessary.
- When a court order has been issued, we will pass on your Personal Data to a court of law.
- To provide you, or permit selected third parties to provide you, with information about services we feel may interest you. If you are an existing Client, we will only contact you by electronic means (SMS, e-mail or push message) with information about services similar to those which were the subject of a previous sale or negotiations of a sale to you. Kindly note, if you are a new user, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this.
- To ensure content from the Platform is presented in the most effective manner on your device.
- To notify you about changes in our service.
- To improve the Platform to ensure content is presented in the most effective manner for you and your electronic device.
- To administer the Platform for internal operations, including data analysis, troubleshooting, research, testing, statistical and survey purposes.
- To allow you to participate in interactive features of our service (when you choose to do so), as part of our efforts to keep the Platform safe and secure.
- To measure or understand the effectiveness of advertising and/or marketing we send you and others, and to deliver relevant advertising and/or marketing to you
- To comply with a legal or regulatory obligation.
- To make suggestions and recommendations to you and other users of the Platform about services that may interest you or them.
Withdrawal Of Consent
As specified in this Privacy Policy, we generally do not rely on consent as a legal basis for processing your Personal Data; the main exception is marketing, where we will obtain your consent before sending third-party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
Change Of Purpose
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose of personal data collection. If you wish to receive an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at contact@chearful.com. If we need to use your Personal Data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so. Please note we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Location Information
Through the device’s Privacy Settings, you can choose whether or not to allow the Platform to collect and use real-time information about your device’s location. If you block the use of location information, some parts of the Platform may not function properly or be inaccessible.
Links To Third-Party Sites
From time to time, the Platform may contain links to and from the websites of our partner networks, affiliates and advertisers. If you follow a link to any of these websites, please note these websites have their own privacy policies - we do not accept any responsibility or liability for these policies. Before you submit any Personal Data to these Websites, please check these policies carefully.
Where We Store Your Personal Data
At all times, we will comply with the applicable laws, regulations, policies and decrees issued by relevant authorities in the UAE (collectively, “Local Laws”) and will take all steps reasonably necessary to ensure your data is treated securely and in accordance with this Privacy Policy. We store all your personal wellbeing data (including your primary and secondary care information, medication information and diagnostic information) on secure servers. We do not store any credit or debit card information. Payments are processed by a third-party payment provider that is compliant with the Payment Card Industry Data Security Standard (PCI DSS), and all payment transactions are encrypted in transit using TLS (the successor to SSL). Once we have received your information, we use strict procedures and industry-standard physical, technical and administrative safeguards to try to prevent unauthorized access.
Disclosures Of Your Personal Data
You (the User) agree we (the Platform) have the right to share your Personal Data, with the exception of your personal health records, with any employee or contractor of The Company. We may disclose your Personal Data to third parties in the following scenarios, with third parties being -
- Our users through the Platform, in the case of Specialists’ Data.
- Specialists with whom you have booked appointments through the Platform (in the case of Contact Data and Identity Data).
- Specialists with whom you have booked appointments for online consultations through the Platform (in the case of Identity, Contact and Financial Transaction Data).
- Service providers acting as processors who provide IT, payment processing services and system administration services.
- Professional advisers acting as processors or joint controllers, including lawyers, auditors, bankers and insurers who provide consultancy, legal, banking, insurance and accounting services.
- Regulators and other authorities acting as joint controllers or processors who require reporting of processing activities in certain circumstances.
Other Third Parties Disclosure
- If we (the Platform) are under a duty to disclose or share your Personal Data to comply with any legal obligation, court order, regulation, subpoena, legal process or government request or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of us, our Clients, or others.
- In good faith, if we believe it is necessary to protect the rights, property, or safety of us, our Clients, or others, to investigate fraud or respond to a government request
- To notify or assist in notifying a family member, personal representative or another person responsible for your care of your location and general condition.
- To whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this privacy policy.
- Contractors, wellbeing specialists, business associates, service providers, our staff and any third parties we use to support our business and to provide health care services.
- Advertisers that require the data to select and serve relevant adverts to you and others.
- Analytics and search engine providers that assist us in the optimisation and improvement of the Platform.
- Other Service providers, health plans or their related entities for their treatment or payment activities or health care activities.
We require all Third Parties and Other Third Parties to respect the security of your Personal Data and to treat it in accordance with the laws of the United Arab Emirates. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.
Data Privacy
The Personal Data we collect from you (the User) is stored in the UAE, but may be shared within The Company with The Company’s employees, agents and contractors. This may involve your data being transferred to and stored at a destination outside your country of residence, or outside the jurisdictions in which the persons to whom such Personal Data relates are located. The Personal Data may also be processed by staff operating outside such jurisdictions who work for The Company or a vendor. Such staff may be engaged in, among other things, the provision of support services and the fulfilment of your booking/appointment. Your Personal Data may be transferred, stored, processed and used by our affiliated companies and/or non-affiliated service providers in one or more countries outside your country. In such cases, we protect your Personal Data by requiring all our group companies to follow the same rules when processing it. Whenever we transfer your Personal Data out of such jurisdictions or to third parties, we use contractual obligations intended to ensure that a similar degree of protection is afforded to it. Where we use certain service providers, we may use specific contracts that give Personal Data the same protection it has in the relevant jurisdiction. In the event of a conflict between Local Laws (as defined above) and the laws of any foreign government, kindly note that Local Laws will prevail.
This Privacy Policy and the User Agreement are clear on what consent we seek with regard to your data, prior to your engagement with your Specialist. We will notify our Clients of any data breach involving their Personal Data. The medical record retention laws of the applicable country generally take precedence over the right to deletion of certain data. Consequently, The Company will not erase private health data directly upon a Client’s request, because legal duties require medical files to be retained.
Data Security
The Platform uses an encrypted backend system to protect functionality, security and privacy; however, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of Personal Data transmitted to the Platform, and any transmission is at your own risk. Note also that a compromise of your own personal email account (for example, the account that receives Platform communications) can expose your information independently of the Platform and is outside our control.
Passwords And Confidentiality
If you are provided with a password or any other piece of information as part of our security procedures for a registration-only section of the Platform, you are solely responsible for maintaining the confidentiality of your username and password for the Platform, and for all activities carried out under them. It is important that you safeguard yourself against unauthorized access to your password and to the devices used to access our Services. We urge you to keep your personal information safe by not disclosing your password to anyone and by logging out of your account immediately after each use, especially when you have finished using a shared device. It is your sole responsibility to control the dissemination and use of your password and to control access to and use of your user ID and password. We (the Platform) do not have the means to verify the identities of people using the Platform and will not be liable where your username or password is used by someone else. You (the User) agree to notify us immediately of any unauthorized use of your username or password or of any other breach of security of which you become aware. We (the Platform) have the right to disable any user identification code or password, whether chosen by you or allocated by us, at any time if, in our opinion, you have failed to comply with any of the provisions of these terms or the Terms of Use. Please inform us promptly if you need to deactivate your account.
Data Retention
We (the Platform) will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, regulatory, tax or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, sensitivity and nature of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, tax, accounting, regulatory or other requirements. As a rule, the retention period for the different categories of your Personal Data is six years. We may retain your Personal Data for longer in the event of a complaint, or if we reasonably believe there is a prospect of litigation in respect of our relationship with you. In some circumstances we will anonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. In some circumstances you can ask us to delete your data (please see Your Legal Rights below for further information).
Cookies
The Platform may use "Cookies" to personalize your online experience. Cookies are small text files that a web server places on your device; they contain information such as a user ID, the pages you have visited, your preferences and the activities you carried out while browsing the Platform. Cookies are data, not programs: they cannot be used to deliver viruses to your computer or to run programs. Each cookie is uniquely assigned to you and can only be read by a web server in the domain that issued it. Cookies are a convenience feature intended to save you time and improve your experience: they tell the Platform that you have returned to a specific page, and if you register an account with the Platform, a cookie helps us recall your information on subsequent visits so that the features you customized are available without re-entering it. The Platform also uses cookies to distinguish you from other users, which allows us to improve our services. Most web browsers accept cookies automatically, but you can set your browser to refuse all or some cookies, to alert you when websites set or access cookies, or to delete cookies already stored on your device; this is at your option, responsibility and expense. If you disable or decline cookies, some parts of the Platform may become inaccessible or not function properly, and you may not be able to fully use its interactive features.
Promotional Offers From Us
We (the Platform) may use your Identity, Technical, Usage, Contact and Profile Data and Special Categories of Personal Data to form a view on what we think you may want or need and/or what may be of interest to you. This is how we decide which products, offers and services may be relevant for you. This is what we call marketing. You will receive marketing communications from us if you have - a) requested information from us, b) created an account, c) purchased services from us or d) provided us with your details when you entered a competition or registered for a promotion (and, in each case, you have not opted out of receiving that marketing).
Marketing And Opt Out
We strive to provide you with choices regarding certain usage of Personal Data, particularly around marketing and advertising. We will always give you the option to choose not to receive marketing communications from us. Contact us to opt out from having your Personal Data used by us to promote our own or third parties’ products or services. You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time by sending us an email. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions.
Third-Party Marketing
Before we share your Personal Data with any third-party company for marketing purposes, we will get your opt-in consent. We do not control third parties’ collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. Contact us to opt-out of using information that we collect or that you provide to us to deliver advertisements according to our advertisers’ target-audience preferences.
Your Legal Rights
We (the Platform) may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information regarding your request to speed up our response. You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, excessive or repetitive (alternatively, we may refuse to comply with your request in these circumstances). We try to respond to all legitimate requests within one month, however, it may occasionally take us longer than a month if your request is particularly complex or you have made a number of requests. We will notify you and keep you updated in this case. Under certain circumstances, you have rights under data protection laws in relation to your Personal Data, such as the right to make the following requests at any time (for which you can contact us at contact@chearful.com) -
- Request access to your Personal Data (commonly known as a “data subject access request”) to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- Request correction of the Personal Data we hold about you to have any incomplete or inaccurate data we hold about you corrected (we may need to verify the accuracy of the new data you provide to us). The correction of medical records will only be done as a time-stamped addendum. Kindly note, previous notes written by our doctors will never be changed or erased.
- Request erasure of your Personal Data – with the exception of medical records – where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with Local Law. We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground if you feel it impacts your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. We may demonstrate, in some cases, we have compelling legitimate grounds to process your information, which overrides your rights and freedoms.
- Request restriction of processing of your Personal Data - this enables you to ask us to suspend the processing of your Personal Data in the following scenarios - If you want us to establish the data's accuracy; Where our use of the data is unlawful but you do not want us to erase it; You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it; Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- You (the User) may withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you (we will advise you if this is the case at the time you withdraw your consent).
- You may request a copy of your information to be provided to another person.
Changes To This Privacy Policy
The Privacy Policy is reviewed and adjusted periodically. Any changes will be posted on this page and, where appropriate, you may be notified by email. It is your obligation to check the Privacy Policy regularly for updates. Continued use of the Platform following notice of such changes indicates your acknowledgment of them and your agreement to be bound by the amended terms and conditions. Please feel free to contact us with any questions at contact@chearful.com
THIS SECTION DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN OBTAIN ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
- Chearful.com will share protected health information of clients as necessary to carry out treatment, payment, and health care operations as permitted by law.
- We are required by law to maintain the privacy of our clients’ protected health information and to provide clients with notice of our legal duties and privacy practices with respect to protected health information.
- We are required to abide by the terms of this Notice for as long as it remains in effect.
- We reserve the right to change the terms of this Notice as necessary and to make a new notice of privacy practices effective for all protected health information maintained by Chearful.com.
- We are required to notify you in the event of a breach of your unsecured protected health information.
- We are also required to inform you that there may be provisions of local law relating to the privacy of your health information that are more stringent than the standards or requirements described in this Notice.
- A copy of any revised Notice of Privacy Practices, or information pertaining to it, may be obtained by emailing a request to contact@chearful.com.
USES AND DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION:
Authorization and Consent:
Except as outlined below, we will not use or disclose your protected health information for any purpose other than treatment, payment, or health care operations unless you have signed a form authorizing such use or disclosure. You have the right to revoke such authorization in writing, with the revocation being effective once we actually receive the writing; however, such revocation shall not be effective to the extent that we have taken any action in reliance on the authorization, or if the authorization was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy or the policy itself.
Uses and Disclosures for Payment
We will make uses and disclosures of your protected health information as necessary for payment purposes. During the normal course of business operations, we may forward information regarding your medical procedures and treatment to your insurance company to arrange payment for the services provided to you. We may also use your information to prepare a bill to send to you or to the person responsible for your payment.
Uses and Disclosures for Health Care Operations:
We will make uses and disclosures of your protected health information as necessary, and as permitted by law, for our operations, which may include technology & clinical improvement, professional peer review, business management, accreditation, and licensing, etc. For instance, we may use and disclose your protected health information for purposes of improving our services and client care.
Individuals Involved in Your Care:
We may from time to time disclose your protected health information to designated family, friends and others who are involved in your care or in payment of your care in order to facilitate that person's involvement in caring for you or paying for your care. If you are unavailable, incapacitated, or facing an emergency medical situation and we determine that a limited disclosure may be in your best interest, we may share limited protected health information with such individuals without your approval. We may also disclose limited protected health information to a public or private entity that is authorized to assist in disaster relief efforts for that entity to locate a family member or other persons that may be involved in some aspect of caring for you.
Business Associates:
Certain aspects and components of our services are performed through contracts with outside persons or organizations, such as auditing, accreditation, outcomes data collection, legal services, etc. At times it may be necessary for us to provide your protected health information to one or more of these outside persons or organizations who assist us with our operations. In all cases, we require these associates to appropriately safeguard the privacy of your information.
Appointments and Services:
We may contact you to provide appointment updates or information about your treatment or other health-related benefits and services that may be of interest to you. You have the right to request, and we will accommodate reasonable requests by you, to receive communications regarding your protected health information from us by alternative means or at alternative locations. For instance, if you do not wish appointment reminders to be left on voicemail or sent to a particular address, we will accommodate reasonable requests. With such a request, you must provide an appropriate alternative address or method of contact. You also have the right to request that we not send you any future marketing materials, and we will use our best efforts to honor such requests. You must make such requests in writing, including your name and address, and send such writing to the Privacy Officer at contact@chearful.com.
Research:
In limited circumstances, we may use and disclose your protected health information for research purposes. In all cases where your specific authorization is not obtained, your privacy will be protected by strict confidentiality requirements applied by an Institutional Review Board which oversees the research or by representations of the researchers that limit their use and disclosure of your information.
Fundraising:
We may use your information to contact you for fundraising purposes. We may disclose this contact information to a related foundation so that the foundation may contact you for similar purposes. If you do not want us or the foundation to contact you for fundraising efforts, you must send such a request in writing to contact@chearful.com.
Other Uses and Disclosures:
We are permitted and/or required by law to make certain other uses and disclosures of your protected health information without your consent or authorization for the following:
- Any purpose required by law; Public health activities such as required reporting of immunizations, disease, injury, birth, and death, or in connection with public health investigations
- If we suspect child abuse or neglect; if we believe you to be a victim of abuse, neglect, or domestic violence
- To the respective government entities to report adverse events, product defects, or to participate in product recalls
- To your employer when we have provided services to you at the request of your employer
- To a government oversight agency conducting audits, investigations, civil or criminal proceedings
- Court or administrative ordered subpoena or discovery request
- To law enforcement officials as required by law if we believe you have been the victim of abuse, neglect, or domestic violence. We will only make this disclosure if you agree or when required or authorized by law
- To coroners and/or funeral directors consistent with law
- If necessary to arrange an organ or tissue donation from you or a transplant for you
- If you are a member of the military, we may also release your protected health information for national security or intelligence activities; and
- To workers' compensation agencies for workers' compensation benefit determination.
DISCLOSURES REQUIRING AUTHORIZATION:
Specific to Mental Wellbeing Practitioners: Psychotherapy Notes
We must obtain your specific written authorization prior to disclosing any mental wellbeing notes unless otherwise permitted by law. However, there are certain purposes for which we may disclose mental wellbeing notes, without obtaining your written authorization, including the following:
- to carry out certain treatment, payment, or operations (e.g., use for the purposes of your treatment, to defend ourselves in a legal action or other proceeding brought by you)
- to the government health sector entity to determine our compliance with the law
- as required by law
- for health oversight activities authorized by law
- to medical examiners or coroners as permitted by state law
- for the purposes of preventing or lessening a serious or imminent threat to the health or safety of a person or the public.
Genetic Information:
We must obtain your specific written authorization prior to using or disclosing your genetic information for treatment, payment, or health care operations purposes. We may use or disclose your genetic information, or the genetic information of your child, without your written authorization only where it would be permitted by law.
Marketing:
We must obtain your authorization for any use or disclosure of your protected health information for marketing, except if the communication is in the form of
- a face-to-face communication with you,
- a promotional gift of nominal value.
Sale of Protected Information:
We must obtain your authorization prior to receiving direct or indirect remuneration in exchange for your health information; however, such authorization is not required where the purpose of the exchange is for:
- Public health activities
- Research purposes, if we receive only a reasonable, cost-based fee to cover the cost to prepare and transmit the information for research purposes
- Treatment and payment purposes
- Health care operations involving the sale, transfer, merger or consolidation of all or part of our business and for related due diligence
- Payment we provide to a business associate for activities involving the exchange of protected health information that the business associate undertakes on our behalf (or that a subcontractor undertakes on behalf of a business associate), where the only remuneration provided is for the performance of such activities
- Providing you with a copy of your health information or an accounting of disclosures
- Disclosures required by law
- Disclosures of your health information for any other purpose permitted by and in accordance with the respective government Privacy Rule, if the only remuneration we receive is a reasonable, cost-based fee to cover the cost to prepare and transmit your health information for such purpose or is a fee otherwise expressly permitted by other law
RIGHTS THAT YOU HAVE REGARDING YOUR PROTECTED HEALTH INFORMATION:
Access to Your Protected Health Information:
You have the right to copy and/or inspect much of the protected health information that we retain on your behalf. For protected health information that we maintain in any electronic designated record set, you may request a copy of such health information in a reasonable electronic format, if readily producible. Requests for access must be made in writing and signed by you or your legal representative.
Amendments to Your Protected Health Information:
You have the right to request in writing that protected health information that we maintain about you be amended or corrected. We are not obligated to make requested amendments, but we will give each request careful consideration. All amendment requests must be in writing, signed by you or your legal representative, and must state the reasons for the amendment or correction request. If an amendment or correction request is made, we may notify others who work with us if we believe that such notification is necessary.
Accounting for Disclosures of Your Protected Health Information:
You have the right to receive an accounting of certain disclosures made by us of your protected health information. Requests must be made in writing and signed by you or your legal representative.
Restrictions on Use and Disclosure of Your Protected Health Information:
You have the right to request restrictions on uses and disclosures of your protected health information for treatment, payment, or health care operations. We are not required to agree to most restriction requests but will attempt to accommodate reasonable requests when appropriate. You do, however, have the right to restrict disclosure of your protected health information to a health plan if the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, and the protected health information pertains solely to a health care item or service for which you, or someone other than the health plan on your behalf, has paid in full. If we agree to any discretionary restrictions, we reserve the right to remove such restrictions as we deem appropriate. We will notify you if we remove a restriction imposed in accordance with this paragraph. You also have the right to withdraw, in writing or orally, any restriction by communicating your desire to do so to the individual responsible for medical records.
Right to Notice of Breach:
We take very seriously the confidentiality of our patients’ information, and we are required by law to protect the privacy and security of your protected health information through appropriate safeguards. We will notify you in the event a breach occurs involving or potentially involving your unsecured health information and inform you of what steps you may need to take to protect yourself.
Complaints:
If you believe your privacy rights have been violated, you can file a complaint in writing to contact@chearful.com. There will be no retaliation for filing a complaint.
Terms & Conditions
Chearful.com is a website platform (the "Platform") owned and maintained by Pathfinder Innovation Portal LLC (the "Company" or "We"), a limited liability company registered in Dubai, UAE. The User ("You") must carefully read the following terms and conditions before using the Platform. The terms and conditions set forth below, together with our Privacy Policy, constitute a binding contractual user agreement (the "User Agreement") that you voluntarily and knowingly agree to enter into by accessing the Platform. The Platform is not for use by anyone who is under the age of 18. Your use of the Platform constitutes your confirmation that you are 18 years of age or older. If you are under 18 years of age, or you do not agree to be bound by any term of this User Agreement, you are not authorized to access the Platform, and the Company will have no liability whatsoever arising from your unauthorized use of the Platform. Customers who are Minors (under the age of 18) shall not register as a User of the website, and Minors shall not transact on or use the website.
Payments
The Platform accepts Visa and MasterCard debit and credit cards in AED and USD for payment. The User is responsible for maintaining the confidentiality of their account. The Platform will not provide any services to, or trade with, OFAC-sanctioned countries. The Cardholder must retain a copy of Merchant policies, Merchant rules, and transaction records.
Fees
We act only as a conduit between clients and Specialists for wellbeing services. The Specialists set the price for their sessions on their profiles at their sole discretion. We will charge the Specialists a commission, the amount of which will be decided by us at our sole discretion. For any refunds or cancellations, kindly send a request to support@chearful.com.
Compliance With “Applicable Laws”
This User Agreement evidences the commitment of the Company to comply with the laws currently in force that are applicable to your use of this Platform. By using the Platform, you express your consent to enter into this User Agreement; in other words, using this Platform constitutes your consent that this User Agreement is governed by the "Applicable Laws" (defined below). You specifically agree to be bound by the relevant provisions of all UAE federal laws, policies and regulations, without giving effect to any conflict of laws principles, including the following:
- the Constitution of the UAE (Federal Law 1 of 1971);
- the Penal Code (Federal Law 3 of 1987 as amended);
- the Cyber Crime Law (Federal Law 5 of 2012 regarding “Information Technology Crime Control”) (as amended by Federal Law No. 12 of 2016 and Federal Law by Decree No. 2 of 2018); and
- Regulating Telecommunications (Federal Law by Decree 3 of 2003 as amended), which includes several implementing regulations/policies enacted by the Telecoms Regulatory Authority ('TRA') in respect of data protection of telecoms consumers in the UAE. (the “Applicable Laws”).
The UAE is our country of domicile, and its law is the governing law of this User Agreement; all disputes arising in connection with it shall be heard exclusively by a court of competent jurisdiction in the UAE. We reserve the right to amend or terminate any portion of this User Agreement, or your use of the Platform, without prior notice and for any reason, including if the information provided by you (the User) is incomplete or if we find that the account does not actually pertain to you.
Specialists And Their Services
The Platform is designed to be used to create an account with the Company to connect you with a Wellbeing Specialist who will deliver professional wellbeing related services to you exclusively through the use of the Platform ("Specialist Services"). The Company, through the Platform, provides a panel of Wellbeing Specialists with whom you can interact for the purposes of seeking wellbeing services. Although we provide details for you to review about the Specialists, including their professional profiles, we do not conduct due diligence on the accuracy of all facts included in the profiles visible on our Platform. You alone, as a User, make the independent decision regarding which Specialist you choose to consult or retain, and which modes of consultation you choose to utilize (i.e. live online chat messaging, video consultations or teleconferences). You agree the Company will not be held responsible for any act or omission by the Specialist during any consultation. You agree not to record, resell or recreate any session or any content without the Company's prior consent. Please note the Company does not provide any health-related advice or medical services. You engage in all interactions with the Specialist at your own risk, based solely upon your own personal decision. You agree that all the information you provide to the Specialist regarding your identity, personal history, past emotions or your present situation is accurate. The Company will not be liable for any damages and/or harm arising out of such interactions; the Company specifically disclaims any responsibility for any miscommunication and/or misinformation on the part of the Specialist. The Wellbeing Specialists you are connected with through the use of the Platform are independent contractors and not agents or employees of Chearful.com; hence they are not entitled to bind the Company in any way whatsoever.
The Platform's role is limited to providing the technologies that enable the Wellbeing Services to be provided to you by the Specialists; it is the Wellbeing Specialists who assume full and sole responsibility for the delivery of the Wellbeing Services. The Company has no obligation to supervise or monitor any of the Wellbeing Services that are provided to you. You agree, understand and acknowledge that Wellbeing Services may not be the appropriate solution for every particular situation or for everyone's needs, and may not be a complete substitute for the face-to-face delivery of such services. If you feel the Specialist's services do not fit your needs or expectations, you are solely responsible for switching to a different Specialist who provides services through the Platform or for ceasing use of the Platform. By creating your account, you consent to receive communications from the Company, which may include, but are not limited to, e-mails, reminders, offers, text messages, newsletters and other updates. You can opt out of these communications by clicking on the "unsubscribe" link provided on the Platform. The Company does not endorse any brands or advertise any clinics, businesses or other institutions owned, operated or offered by any Specialists. Kindly note the Company will not use your data for any commercial purpose unless compelled to disclose data in compliance with an order issued to the Company by a governmental agency.
Booking Sessions And Making Payments
Sessions for the Wellbeing Services your selected Specialist provides are booked by paying a fee per session plus the associated Chearful transaction fees. Only registered users are authorized to book an appointment and participate in a consultation session; if you are an unregistered user, booking an appointment creates a Chearful 'User' account on your behalf (the credentials are sent to the email address provided). You agree to be personally liable for the payment of all fees charged by the Company to you when you use the Specialist Services; all such payments will be made exclusively through the Platform's payment functionality. When creating your account, you will be required to accurately provide personal data such as: your name and contact details; contact details of your family member or designated friend; payment details (such as credit card or bank account numbers); gender and date of birth. Furthermore, you will be required to have paid the per-session fee and associated transaction fees at the time of booking. You confirm and agree to use only debit/credit cards or other payment means (collectively "Payment Means") which you are duly and fully authorized to use, and that all payment-related information you have provided or will provide, to or through the Platform, is accurate, current and correct and will continue to be accurate, current and correct. You agree to pay all fees and charges associated with your account in a timely manner, according to the fee schedule, the terms and the rates as published on the Platform. By providing the Company with your Payment Means, you authorize the Company to bill and charge you through that Payment Means, and you agree to maintain valid Payment Means information in your account information. You agree that no payment shall be refundable unless otherwise explicitly agreed to by the Company.
If, for any reason, the Platform does not provide the Specialist Services you purchased, you can send an email raising the issue along with necessary details. Following the notification of such an issue, the Company will review it and refund the amount if, in its sole discretion, it is determined you are entitled to the refund. You agree that your payment will not be refunded if you have -
- committed any breach of this User Agreement or
- violated any applicable law while accessing the Platform.
Kindly note that the Company reserves the right to modify, terminate or suspend any subscription plans or payment modes at its sole discretion. You acknowledge that all interactions with Wellbeing Specialists will be carried out exclusively through the Platform, and that the fee charged shall include any taxes applicable now or in the future. Furthermore, you shall not communicate or interact with the Specialists directly without the Company's advance consent and payment of the fee for their services. You agree that the Company will not be liable for any changes in the schedule of the Specialist; it is at the Specialist's discretion to change their availability and to notify you, as the client. Furthermore, the Company will not be responsible for any changes the client makes to their appointment time, such as cancellation and/or rescheduling. The Company will not be liable for any damages and/or harm arising out of such interactions.
Account Creation and Usage Restrictions
- Account Limitation: Users are only permitted to create and maintain one account on the Chearful Platform. The creation of multiple accounts by a single user using different email addresses for the purpose of availing of free services, or for any other unauthorized purpose, is strictly prohibited.
- Enforcement and Consequences: In the event of a violation of the above account limitation, Chearful Platform reserves the right to take appropriate action. This may include, but is not limited to, issuing a warning to the user.
- Repeat Violations: If a user is found to be in repeated violation of the account limitation clause, Chearful Platform reserves the right to suspend or permanently bar the user from accessing and using the platform. This action is taken to ensure fair usage and maintain the integrity of our services.
- Legal Compliance: This clause is designed in compliance with the laws and regulations of the United Arab Emirates. It is intended to uphold the legal standards and ethical use of the platform.
In Case Of Emergencies
PLEASE CEASE USE OF THE PLATFORM IN CASES OF EMERGENCIES. THE PLATFORM IS NOT DESIGNED FOR EMERGENCY SITUATIONS. THE SPECIALISTS CANNOT PROVIDE ANY ASSISTANCE DURING EMERGENCY SITUATIONS. IF YOU ARE: A) CONTEMPLATING SUICIDE, B) CONSIDERING HARMING YOURSELF OR OTHERS, C) FEELING ANY OTHER PERSON MAY BE IN ANY DANGER, OR D) HAVING ANY MEDICAL EMERGENCY, YOU MUST CEASE USING THIS PLATFORM, NOTIFY THE RELEVANT AUTHORITIES IMMEDIATELY AND SEEK IMMEDIATE PERSONAL ASSISTANCE. THE PLATFORM IS NOT INTENDED FOR THE PROVISION OF CLINICAL DIAGNOSIS REQUIRING AN IN-PERSON EVALUATION. NOR IS THE PLATFORM INTENDED FOR DIAGNOSES AND/OR TREATMENTS PRESCRIBING THE USE OF DRUGS OR MEDICAL TREATMENT. YOU SHOULD DISREGARD ANY SUCH ADVICE, IF DELIVERED THROUGH THE PLATFORM, AND NOTIFY THE PLATFORM IMMEDIATELY. DO NOT DISREGARD, DELAY OR AVOID OBTAINING IN-PERSON CARE FROM YOUR DOCTOR OR OTHER QUALIFIED HEALTH PROFESSIONALS BECAUSE OF THE INFORMATION OR ADVICE YOU RECEIVED THROUGH THE PLATFORM.
Intellectual Property Ownership; Third-Party Content
The Company is the owner or the licensee of all the Platform's intellectual property rights. Applicable copyright laws protect the materials published on the Platform. You must not download, use, copy and/or modify any materials available on the Platform for any purpose other than personal use. You will not use the site for a) violating any laws or b) attempting to hack or disassemble any software on the Platform. You agree that the Company shall not be responsible or liable for any communication between you and the Specialist offline or through any other means. If you download, recreate, print or copy any materials from the Platform in breach of the terms mentioned, you agree you shall destroy the same after your personal use. The Platform may contain other content, services or products that are offered or provided by third parties ("Third-Party Content"), including, but not limited to, links to Third-Party Content (including links to other websites) or advertisements related to Third-Party Content. The Company has no responsibility for the creation of any such Third-Party Content, including, but not limited to, any related products, terms, policies or practices, and the Company will not be liable for any damage or loss caused by any Third-Party Content. The Company may make software updates to the Platform at any time. To use the Wellbeing Services, you may be required to download the updated version of the Platform as a precondition to continuing to use the Wellbeing Services. However, the Company makes no guarantee that any subsequent version of the Platform will work on the user's mobile phones, computers or other devices. The Company is expressly not liable for any loss incurred due to the user's inability to use the Wellbeing Services stemming from the inability to use an updated version of the Platform application on their chosen equipment.
Disclaimer Of Warranty; Limitation Of Liability
You hereby release the Company, its present and future officers, directors, employees, members, volunteers, contractors, representatives, parent or subsidiary entities, owners, affiliates, agents, successors and assigns (collectively, the "Company Related Parties") and agree to hold the Company Related Parties harmless from any and all causes of action and claims of any nature resulting from the Wellbeing Services or the Platform, including (without limitation) any act, opinion, response, advice, omission, suggestion, information and/or service of any Specialist and/or any other content or information accessible through the Platform. You hereby understand, agree and acknowledge that the Platform is provided "as is", without any express or implied warranties of any kind, including, but not limited to, merchantability, security, fitness for a particular purpose, non-infringement or accuracy. Your use of the Platform is entirely at your own risk. We expressly disclaim all warranties of any kind (whether express or implied) to the fullest extent permitted by law. You understand, acknowledge and agree that the Company Related Parties will not be liable to you or to any third party for any incidental, indirect, special, consequential, punitive or exemplary damages. If the Applicable Law does not permit the limitation of liability set forth above, the limitation will be deemed modified solely to the extent necessary to comply with the Applicable Law. The limitation of liability contained in this Section shall survive the termination or expiration of this User Agreement.
Your Account, Representations, Conduct And Commitments
You (the User) hereby confirm that you are legally able to enter into this User Agreement and to consent to receive Wellbeing Services. You hereby confirm and agree that all the information you have provided (and will provide in the future) in or through the Platform is accurate, true, complete and current. You also agree to maintain and update this information during the term of this User Agreement so that it continues to be accurate, current and complete. You agree, confirm and acknowledge that you are solely responsible for maintaining the confidentiality of your password and any other security information related to your account (collectively, "Account Access"). You are advised to change your password on a regular basis and to take extra precautions in safeguarding your password. In the event of any unauthorized use of your Account Access or any concern about a breach of your account security, you agree to immediately notify the Company at contact@chearful.com. You agree, confirm and acknowledge that the Company may be compelled to provide the relevant UAE and Emirate-level authorities, including, but not limited to, the UAE Cyber Security Council ("Government Authorities"), with information relating to cyber security issues. Under such circumstances, the Company may provide such Government Authorities with reports and data that contain your information. If you are a Specialist using the Platform, you hereby agree not to promote any business venture or take direct bookings outside the Platform's ecosystem. You agree, confirm and acknowledge that the Company will not be liable for any loss or damage incurred as a result of someone else using your account, either with or without your consent and/or knowledge. You also agree, confirm and acknowledge that:
- you are solely and fully responsible and liable for all activities performed using your Account Access and
- the Company may hold you responsible and liable for any damage or loss incurred as a result of the use of your Account Access by any person (whether authorized by you or not), and
- you agree to indemnify the Company for any such damage or loss.
You agree and commit not to use the account or Account Access of any other person for any reason whatsoever. You agree and confirm that your use of the Platform, including the Wellbeing Services, is only for your own personal use and that you are not using the Platform or the Specialist Services for or on behalf of any other person and/or organization. You agree and commit not to interfere with or disrupt, or attempt to interfere with or disrupt, any of our systems, servers, networks, services or infrastructure, or any of the Platform's systems, networks, services, servers or infrastructure, including without limitation by obtaining unauthorized access to any of them. You acknowledge that the teleconferencing, online messaging and video conferencing experience depends on the services of internet service providers and/or other third parties outside the control of Pathfinder Innovation Portal LLC, and that the Company accepts no liability for any time lags, interruptions or disconnections during any of the online sessions. You agree and commit not to make any use of the Platform for the posting, delivering or sending of any of the following:
- unsolicited email and/or advertisement and/or promotion of goods and services;
- malicious software, malware, viruses or code;
- unlawful, harassing, privacy invading, vulgar, obscene, abusive, threatening, racist or potentially harmful content;
- any content that may cause damage to a third party;
- any content that infringes a third party right, including intellectual property (IP) rights;
- any content which may constitute, encourage or cause a criminal action and/or violate any applicable law(s).
You agree not to solicit private information relating to a client’s use of the Platform, including secret questions, passwords or other such information. You agree and commit not to violate any applicable national or international law, statute, rule, ordinance, regulation or ethical code in relation to your use of the Platform and/or your relationship with the Specialists and Company. If you receive any file from the Company or from a Specialist - whether through the Platform or not - you agree to check and scan the file for any virus or malicious software prior to opening or using the file. You will indemnify, defend and hold the Company Related Parties harmless from and against any and all claims, demands, losses, causes of action, liabilities, costs or expenses (including, but not limited to, litigation and reasonable attorneys' fees and expenses) arising out of or relating to any of the following:
- your access to or use of the Platform;
- your violation of any of the provisions of this User Agreement;
- any actions made with your account or Account Access (whether by you or by someone else);
- non-payment for any of the services (including Wellbeing Services), which were provided through the Platform;
- your violation of any third party right, including, without limitation, any intellectual property (IP) right, publicity, confidentiality, property or privacy right.
Kindly note, this clause shall survive the expiration or termination of this User Agreement.
Modifications, Termination, Interruption And Disruptions To The Platform
You understand, acknowledge and agree the Company may modify, disrupt, suspend or discontinue the Platform, any part of the Platform or the use of the Platform, whether to all clients or to you specifically, at any time, with or without notice to you. You agree and acknowledge the Company will not be liable for any of the aforementioned actions or for any damages or losses that are caused by any of the aforementioned actions. The use of the Platform depends on various factors such as hardware, tools and software, either owned by the Company or those owned and/or operated by the Company’s contractors and suppliers. While the Company makes commercially reasonable efforts to ensure the Platform’s reliability and accessibility, you understand and agree that no platform can be 100% reliable and accessible, and hence the Company cannot guarantee access to the Platform will be uninterrupted or that it will be accessible, timely, consistent or error-free at all times.
Modifications To This User Agreement
From time to time, this User Agreement is subject to modification. Notice of any modification will be sent to the email address you have provided to the Company, and you can review the most current version of the User Agreement at any time at https://www.chearful.com/terms-and-conditions. Kindly note, by accessing and/or using the Platform following the effective date of any revised User Agreement, you accept and agree to be bound by and become a party to the terms and provisions of such a revised User Agreement.
Resolution Of Disputes
Any disputes or claims arising out of or in connection with this User Agreement shall be resolved exclusively through confidential arbitration conducted in Dubai (UAE) and governed by the local laws. The Company and you both agree any awards obtained in the arbitration proceeding shall be enforceable in any government courts or departments having jurisdiction over the parties, including without limitation the Dubai Courts. By registering on the Platform you confirm your acceptance of this Agreement, you acknowledge you are the party identified in the registration process and that you have the full legal authority to enter this Agreement, and you acknowledge your agreement to be bound by the terms and conditions set forth or referenced below. If you do not wish to be bound by these Terms, you must not access or use the Chearful Platform or the Wellbeing Services offered through the Platform.
PRIVACY POLICY
I. INTRODUCTION
Purpose
Chearful.com is committed to informing clients and associates of the privacy practices and privacy rights with respect to their personal health information, including the implementation of reasonable and appropriate measures to safeguard the confidentiality, availability, and integrity of that information. This Policy establishes and describes the procedures and protocols regarding the privacy and confidentiality of PHI.
Rationale
The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information.
Policy Statement
Chearful.com takes reasonable steps to provide a notice in plain language that describes:
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to Chearful.com
- Chearful.com’s legal duties with respect to the information, including a statement of its duty to maintain the privacy of protected health information.
- Whom individuals can contact for further information about the covered entity’s privacy policies.
Chearful.com will ensure the notice is made available in plain sight to any person who asks for it.
Scope
This Policy and Procedures applies to Chearful.com and its employees, and as per the Business Associate agreement to its partners.
Definitions
For the purposes of this Policy, the following terms shall have the meanings specified below:
- The term “breach” refers to the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of such information in a way that poses a significant risk of financial, reputational or other harm to the affected individual.
- The term “business associate” refers to a person or entity not affiliated with Chearful.com that performs or assists in performing for or on behalf of Chearful.com, business support functions/services that involve the use of PHI.
NOTE: A health care provider that assists in providing treatment to patients is not considered to be a business associate.
- The term “covered entity” refers to a health care provider/facilitator that transmits any health information in electronic form in connection with a transaction covered by HIPAA.
- The term “disclosure” refers to the release, transfer, provision of access to, or divulging in any manner of PHI by a person within Chearful.com to a person or entity outside it.
- The term “discovery” refers to the first day Chearful.com is notified of an incident.
- The term “electronic media” includes both (1) electronic storage and (2) electronic transmission media and does not include certain transmission(s) such as paper, facsimile, voice, or telephone exchanges because the information exchanged did not exist in electronic form prior to the transmission.
- The term “electronic protected health information” (ePHI) refers to any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.
- The term “health care” refers to care, services, or supplies related to the health of an individual, which includes, but is not limited to:
  1. Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and/or
  2. Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
- The term “health care provider” refers to, in general, services performed by health care professionals and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
- The term “health information” refers to any information, whether oral or recorded in any form or medium, that: 1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
- The acronym “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, which is federal legislation requiring providers and others who maintain health information to implement security measures to guard the integrity, confidentiality, and availability of patient information.
- The term “individual” refers to the person or the patient who is the subject of PHI.
- The term “individually identifiable health information” refers to information that is a subset of health information, including demographic information collected from an individual, and:
  - Is created or received by a health care provider, health plan, employer, or health care clearinghouse.
  - Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
  - That identifies the individual.
  - With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- The term “client” refers to an individual who is receiving needed professional services directed by a licensed practitioner of the healing arts toward maintenance, improvement or protection of health or lessening of illness, disability, or pain (US Centers for Medicare & Medicaid Services).
- The term “patient confidentiality” refers to keeping information about a patient’s health care private and the information is shared only with those who need to know to perform their duties on behalf of the patient.
- The term “Privacy Officer” refers to a person(s) designated by Chearful.com to carry out and coordinate activities designed to prevent and detect the unlawful disclosure of protected health information (PHI) as defined by HIPAA.
- The term “protected health information” (PHI) refers to information, including demographic information, which relates to the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. PHI includes many common identifiers (e.g. name, address, birthdate, ID number) when such can be associated with the health information listed above. PHI does not include student records held by educational institutions or employment records held by employers. However, this information is still treated confidentially under other applicable laws.
- The term “personal representative” refers to a person authorized (under applicable law) to act on behalf of the individual in making health care related decisions.
- The term “reporting party” refers to a person who makes a HIPAA breach report or on whose behalf a report is made under this policy. The term “responding party” refers to a person who has been accused of violating this policy.
- The term “transaction” refers to the transmission of information between two parties to carry out financial or administrative activities related to health care. The following are types of information transmissions:
  - Health care claims or equivalent encounter information.
  - Health care payment and remittance advice.
  - Coordination of benefits.
  - Health care claim status.
  - Enrollment and disenrollment in a health plan.
  - Referral certification and authorization.
  - First report of injury.
  - Health claims attachments.
- The term “unsecured protected health information” refers to PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology.
- The term “use” refers to the sharing, employment, application, utilization, examination, or analysis of PHI by a person within Chearful.com and its Associates.
- The term “workforce” refers to employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such an entity, whether or not they are paid by the covered entity.
II. INFORMATION PROTECTED BY THE PRIVACY POLICY
Protected Health Information
The Privacy Rule protects all "individually identifiable health information" held or transmitted by Chearful.com or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." "Individually identifiable health information" is information, including demographic data, that relates to:
- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
De-Identified Health Information
There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. Nevertheless, Chearful.com will endeavor, as far as possible, to protect and keep confidential all client information.
III. PRINCIPLES FOR DISCLOSURE
Required Disclosure
Chearful.com is required to disclose protected health information:
- to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information;
- to a government regulatory body when it is undertaking a compliance investigation or review or enforcement action.
Permitted Uses and Disclosures
Most uses and disclosures of psychotherapy notes for treatment, payment, and health care operations purposes require an authorization. The content of a consent form, and the process for obtaining consent, follow the confidentiality policies of Chearful.com. Chearful.com is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations:
- To the Individual (unless required for access or accounting of disclosures)
- Treatment, Payment, and Health Care Operations
- Opportunity to Agree or Object
- Incident to an otherwise permitted use and disclosure
- Public Interest and Benefit Activities
- Limited Data Set for the purposes of research, public health, or health care operations
To the Individual
Chearful.com may disclose protected health information to the individual who is the subject of the information.
Treatment, Payment, Health Care Operations
Chearful.com may use and disclose protected health information for treatment, payment, and health care operations activities.
Treatment is the provision, coordination, or management of healthcare and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.
Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual, and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.
Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.
Uses and Disclosures with Opportunity to Agree or Object
Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency, or not available, Chearful.com may make such uses and disclosures if, in the exercise of its professional judgment, the use or disclosure is determined to be in the best interests of the individual.
Incidental Use and Disclosure
In the event of a requirement to share PHI, Chearful.com will endeavor as much as possible to limit it to the minimum necessary.
Public Interest and Benefit Activities
Chearful.com will release PHI in specific conditions with limitations applicable to each purpose, striking the balance between the individual privacy interest and the need for this information.
Required by Law
Chearful.com may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).
Public Health Activities
Chearful.com may disclose protected health information to:
- public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability, and to public health or other government authorities authorized to receive reports of child abuse and neglect;
- entities subject to government regulation regarding regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance;
- individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law.
Victims of Abuse, Neglect or Domestic Violence
In certain circumstances, Chearful.com may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence.
Health Oversight Activities
Chearful.com may disclose protected health information for purposes of legally authorized health oversight activities, such as audits and investigations.
Judicial and Administrative Proceedings
Chearful.com may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal.
Law Enforcement Purposes
Chearful.com may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official's request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
Decedents
Chearful.com may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.
Cadaveric Organ, Eye, or Tissue Donation
Chearful.com may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.
Research
"Research" is any systematic investigation designed to develop or contribute to generalizable knowledge. The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual's authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals' authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that the protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought. A covered entity also may use or disclose, without an individual's authorization, a limited data set of protected health information for research purposes (see discussion below).
Serious Threat to Health or Safety
Chearful.com may disclose protected health information that it believes is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone it believes can prevent or lessen the threat (including the target of the threat).
Essential Government Functions
An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include assuring proper execution of a military mission and conducting intelligence and national security activities that are authorized by law.
Workers' Compensation
Chearful.com may disclose protected health information as authorized by, and to comply with, workers' compensation laws and other similar programs providing benefits for work-related injuries or illnesses.
Authorized Uses and Disclosures
Authorization
Chearful.com will obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. An authorization:
- may allow use and disclosure of protected health information; and
- must be in plain language and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, the right to revoke in writing, and other data.
Psychotherapy Notes
Chearful.com will require a written authorization to use or disclose psychotherapy notes.
Marketing
Marketing is any communication about a product or service that encourages recipients to purchase or use the product or service. The Privacy Rule carves out the following health-related activities from this definition of marketing:
- Communications to describe health-related products or services, or payment for them, provided by or included in a benefit plan of the covered entity making the communication.
- Communications about participating providers in a provider or health plan network, replacement of or enhancements to a health plan, and health-related products or services available only to a health plan's enrollees that add value to, but are not part of, the benefits plan.
- Communications for treatment of the individual; and
- Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or care settings to the individual.
Chearful.com will obtain an authorization to use or disclose protected health information for marketing.
Limiting Uses and Disclosures to the Minimum Necessary
Minimum Necessary
A central aspect of the Privacy Rule is the principle of "minimum necessary" use and disclosure. Chearful.com will make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
SECURITY POLICY
INTRODUCTION
Purpose
Chearful.com is committed to protecting the privacy of individuals' health information while allowing its operations to adopt new technologies that improve the quality and efficiency of client care. This Policy establishes and describes the procedures and protocols regarding security of information.
Rationale
The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that Chearful.com must put in place to secure individuals' "electronic protected health information" (e-PHI).
Policy Statement
Chearful.com takes steps to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, Chearful.com will:
- Ensure the confidentiality, integrity, and availability of all e-PHI it creates, receives, maintains or transmits;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by its workforce.
Scope
This HIPAA Security Policy and Procedures applies to Chearful.com and its employees, and as per the Business Associate agreement to its partners. The scope of this policy includes all systems, networks, procedures, and operations related to Chearful.com that contain, manipulate, or access electronic protected health information (e-PHI). All present and future personnel, equipment, systems, and vendors that access or store client information are covered under this policy. In developing the Security Policy Chearful.com has considered the following:
- Its size, complexity, and capabilities,
- Its technical, hardware, and software infrastructure,
- The costs of security measures, and
- The likelihood and possible impact of potential risks to e-PHI.
Definitions
For the purposes of this Policy, the following terms shall have the meanings specified below:
- The term “breach” refers to the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of such information in a way that poses a significant risk of financial, reputational, or other harm to the affected individual.
- The term “business associate” refers to a person or entity not affiliated with Chearful.com that performs or assists in performing for or on behalf of Chearful.com, business support functions/services that involve the use of PHI.
NOTE: A healthcare provider that assists in providing treatment to patients is not considered to be a business associate.
- The term “covered entity” refers to a health care provider/facilitator that transmits any health information in electronic form in connection with a transaction covered by HIPAA.
- The term “disclosure” refers to the release, transfer, provision of access to, or divulging in any manner of PHI by a person within Chearful.com to a person or entity outside it.
- The term “discovery” refers to the first day Chearful.com is notified of an incident.
- The term “electronic media” includes both (1) electronic storage and (2) electronic transmission media and does not include certain transmission(s) such as paper, facsimile, voice, or telephone exchanges because the information exchanged did not exist in electronic form prior to the transmission.
- The term “electronic protected health information” (ePHI) refers to any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.
- The term “health care” refers to care, services, or supplies related to the health of an individual, which includes, but is not limited to:
  1. Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and/or
  2. Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
- The term “health care provider” refers to, in general, services performed by health care professionals and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
- The term “health information” refers to any information, whether oral or recorded in any form or medium, that: 1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
- The acronym “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, which is federal legislation requiring providers and others who maintain health information to implement security measures to guard the integrity, confidentiality, and availability of patient information.
- The term “individual” refers to the person or the patient who is the subject of PHI.
- The term “individually identifiable health information” refers to information that is a subset of health information, including demographic information collected from an individual, and:
  - Is created or received by a health care provider, health plan, employer, or health care clearinghouse.
  - Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
  - That identifies the individual.
  - With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- The term “client” refers to an individual who is receiving needed professional services directed by a licensed practitioner of the healing arts toward maintenance, improvement or protection of health or lessening of illness, disability, or pain.
- The term “patient confidentiality” refers to keeping information about a patient’s health care private and the information is shared only with those who need to know to perform their duties on behalf of the patient.
- The term “Privacy Officer” refers to a person(s) designated by Chearful.com to carry out and coordinate activities designed to prevent and detect the unlawful disclosure of protected health information (PHI) as defined by HIPAA.
- The term “protected health information” (PHI) refers to information, including demographic information, which relates to the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. PHI includes many common identifiers (e.g., name, address, birthdate, ID number) when such can be associated with the health information listed above. PHI does not include student records held by educational institutions or employment records held by employers. However, this information is still treated confidentially under other applicable laws.
- The term “personal representative” refers to a person authorized (under applicable law) to act on behalf of the individual in making health care related decisions.
- The term “reporting party” refers to a person who makes a HIPAA breach report or on whose behalf a report is made under this policy. The term “responding party” refers to a person who has been accused of violating this policy.
- The term “transaction” refers to the transmission of information between two parties to carry out financial or administrative activities related to health care. The following are types of information transmissions:
  - Health care claims or equivalent encounter information.
  - Health care payment and remittance advice.
  - Coordination of benefits.
  - Health care claim status.
  - Enrollment and disenrollment in a health plan.
  - Referral certification and authorization.
  - First report of injury.
  - Health claims attachments.
- The term “unsecured protected health information” refers to PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology.
- The term “use” refers to the sharing, employment, application, utilization, examination, or analysis of PHI by a person within Chearful.com and its Associates.
- The term “workforce” refers to employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such an entity, whether they are paid by the covered entity.
ADMINISTRATIVE SAFEGUARDS
A. Risk Analysis
- Items covered within the scope of this policy will be regularly reviewed for known vulnerabilities. Operational procedures will be assessed to ensure maximum efficiency, security, and subject confidence while maintaining the highest level of confidentiality, availability, and integrity of EPHI.
- A statement of intent will be developed prior to each assessment, outlining the actions to be taken during the assessment, the dates, times, and responsible parties for conducting the assessment.
B. Risk Management
- The security measures and safeguards that Chearful.com will implement for its EPHI will be based upon results of risk analysis and information systems reviews. Reviews of system activity shall cover both routine operations and emergency operations.
- Chearful.com will implement security measures and safeguards for each EPHI repository sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The measures must be commensurate with the data classification of the repository. Safeguards may include normal best practice security measures such as user accounts, passwords, and firewalls; high risk EPHI repositories may require additional security measures.
- Chearful.com will appropriately discipline and sanction employees and other workforce members for violations of the HIPAA Security Policy.
- The following controls, which provide reasonable risk mitigation, will be employed by Chearful.com on all applicable information technology systems:
  - Strict password policies will be set and enforced.
  - Default administrator accounts and guest/user accounts will be renamed, and all default (shipped) passwords will be changed.
  - Executable and dangerous email attachments will be blocked at the email server.
  - Security audits will be set up and logs will be regularly reviewed for unusual activity.
  - Unnecessary applications and services will be removed from systems.
  - Frequent data backups will be taken and stored in a safe place.
  - Password protected screen savers will be used to restrict access to workstations.
  - Users will be educated about good security practices.
C. Sanction Policy
This sanction policy is intended to supplement the disciplinary and sanction provisions to specifically address handling of issues related to compliance with HIPAA regulations. Any employee who witnesses a violation of the Security policy is responsible for notifying their supervisor or the supervisor of the person violating policy. That supervisor is responsible for notifying the Human Resources representative. Upon notification of a violation of policy that is related to HIPAA compliance practices, the Human Resources representative will take overall responsibility for the issue. The Privacy Officer will be notified in order to take responsibility for any legally required external notification of the event. Any incident that requires activation of this policy must be clearly documented in the appropriate personnel file.
D. Information System Activity Review
Chearful.com will assign staff operational responsibility to regularly review all sources of information system activity, including but not limited to audit logs, access reports, and security incident tracking reports. This review will be conducted at least weekly. At a minimum, a review of the procedures and reports will be conducted during the annual review of Chearful.com documentation by the HIPAA Privacy Officer and the Security Officer. The following will be evaluated:
- Inventory Management
- Event log monitoring
- Network port monitoring
- System log monitoring
- Virus protection
- Intrusion detection system
- Vulnerability Assessment
WORKFORCE SECURITY
Authorization and/or Supervision & Workforce Clearance Procedure
- Initial authorization of workforce members to access EPHI must be approved by the designated Chearful.com departmental administrator or system owner, and records of such authorization must be maintained.
- On an annual basis, all authorizations for access will be reviewed for applicability, and removed or modified as necessary to comply with the provision for need to know.
- Procedures will be implemented to review and determine that the access of workforce members is appropriate. This may include, but does not require, the completion of criminal background checks on new workforce members, credential checks, employment and reference checks, character reference checks, or similar clearance measures. It also covers the review of groups or categories of workforce members to ensure appropriate access to EPHI.
Termination Procedure
- Workforce members who end employment or relationship with Chearful.com will have all access to EPHI canceled at the time of departure from the organization. Termination for any reason must result in cancellation of all access to information technology, especially EPHI. Cancelation of access must occur as soon as possible after the termination is in effect and will be automated wherever possible.
- Human Resources systems will automatically provide notification processes for terminations. Notification will result in elimination of access to applicable information technology systems, physical access control systems, and removal from group memberships. A checklist of termination activities will be completed for each terminated employee and filed in the person’s personnel folder.
- Workforce members who transfer from one department to another will be flagged and reported for access control review, and all authorizations that are no longer applicable under the need-to-know principle will be removed.
INFORMATION ACCESS MANAGEMENT
Access Authorization, Establishment and Modification
- Workforce members must be authorized to have access to EPHI through electronic means. This will be accomplished through a documented request for access, supervisor approval, and finally by granting authorization to the workforce member. System or server logs will be activated to track logins to EPHI resources and these will be reviewed for unusual activity on a periodic basis.
- Unusual activity will be defined as system access at unusual times, attempts to access resources by persons who are not authorized, and/or attempts to copy and/or relocate files or folders containing EPHI.
- Any changes to EPHI access through an employment change in status must be authorized, controlled, and supervised. Change in status may be a transfer, leave of absence, or termination. A leave or termination condition must result in revocation of all access to EPHI. A transfer must result in a review of access authorizations, with appropriate changes.
SECURITY AWARENESS & TRAINING
Security Reminders
- Periodic security reminders will be delivered through one or more mechanisms to members of the workforce. These may be delivered via signs or posters in employee areas, newsletters, e-mail, message boards, intranet web sites, or verbally. Reminders will include, but are not limited to, the following basic security principles:
- Passwords cannot ever be shared for any reason, and workforce members should avoid unintended disclosures of passwords, such as choosing passwords that are easy to guess or recording them where others may be able to find them.
- Applications should be locked before you leave your workstation, using a password protected screen saver, or other method. When you are no longer using a workstation, log out.
- E-mail attachments should never be opened unless they are expected and you know the sender.
- Do not follow/click on any links in unsolicited advertising, whether from email, an instant message, newsgroup, or other electronic communication.
- Do not download software from the Internet without prior authorization from UNIT technology support staff, and without running an antivirus scan of the object before it’s opened.
- Do not discuss client's health information in public, and do not leave printed documents where they can be viewed by others.
Protection from Malicious Software
- All eligible devices connecting to, accessing, or housing EPHI will have appropriate anti-virus software installed, and updated daily. This software will be configured to scan all incoming file objects and electronic mail.
- All software, including operating systems and application programs, will be kept up to date with security patches. Chearful.com’s technology support staff are responsible to ensure that critical security updates are installed within seven days of being released, or that a commensurate protection is implemented in its place.
Log-in Monitoring
- Chearful.com will log and document failed login attempts on each system containing medium and high-risk PHI.
- Log-in activity reports and logs are reviewed on a periodic basis.
- All failed log-in attempts of a suspicious nature, such as continuous attempts, must be reported to the HIPAA Security Officer.
Password Management
These minimum procedures will be followed:
- All users, employees, vendors, and agencies who have access to network resources or systems will have a unique user identification and password.
- All computers, network resources, systems and applications will require the user to supply a password in conjunction with their unique user identification to gain access.
- A role-based user identification and password may be utilized for access to shared or common area workstations so long as the login provides no access to PHI. Access to PHI will be permitted if there is a second unique user id and password required.
- All passwords will be of sufficient complexity to ensure that they are not easily guessable by dictionary attacks.
- Elected Official and Department Heads will be responsible for making their employees aware of all password-related policies and procedures, and any changes to those policies and procedures.
- Chearful.com will be responsible for setting password aging times for systems, networks, and applications.
- All users and employees are responsible for the proper use and protection of their passwords and must adhere to the following guidelines:
  - Passwords are only to be used for legitimate access to networks, systems, or applications.
  - Passwords must not be disclosed to other users or individuals.
  - Employees must not allow other employees or individuals to use their password.
  - Passwords must not be written down, posted, or exposed in an insecure manner, such as on a notepad or posted on the workstation.
Security Training
Training will consist of the following:
- HIPAA Security Policies
- HIPAA Business Associate Policy
- HIPAA Sanction Policy
- Confidentiality, integrity, and availability
- Individual security responsibilities
- Common security threats and vulnerabilities
In addition, those who set up, manage or maintain systems and workstations will receive training on the following:
- Password structure and management procedures
- Server, desktop computer, and mobile computer system security procedures, including security patch and update procedures and virus and malicious code procedures
- Device and media control procedures
- Incident response and reporting procedures
SECURITY INCIDENT
Response and Reporting, Contingency Plan, Data Backup Plan
- Procedures will be established and implemented to create and maintain retrievable exact copies of all EPHI. Routine backups of EPHI from all appropriate locations will be made on a regular basis (no less than daily for volatile information and weekly for more static information). Backup media will be properly indexed and labeled to allow for identification and retrieval by individuals other than the original workforce member who made the backup. The backup media and restore procedures will be tested periodically (at least annually), to ensure they are reliable and kept up to date.
- Backup information will be made available on alternative (backup, redundant) servers in case of an emergency resulting from a significant interruption of critical services. Alternative emergency operations must be sustained until the original systems and processes are restored. At least one full copy of EPHI data will be stored in a secure, off-site location for disaster recovery purposes. Backup media stored on-site must be in a physically secure location that is separate from the location of the system it represents.
- Procedures for the restoration of all systems and data in the event of a disaster will be documented. The procedures will be sufficiently clear to allow someone other than the IT staff to perform the recovery. It must include the steps for recovering individual files or folders, steps for the recovery of database instances, steps for recovery of entire servers or collections of servers, prioritization information for systems if applicable, and contact information for server, network, and application administrators.
PHYSICAL SAFEGUARDS
Workstation Use, Security, Device and Media Controls
- Workstations and other devices will be controlled to prevent improper access, usage, loss, damage, or disclosure of EPHI. This includes any device that is network enabled, including personal computers, hand-held devices and PDAs, laptops, or servers. Network enabled includes both hard wired and wireless connection methods and includes local as well as remote access.
- No EPHI can be permanently stored on a single user workstation, laptop, wireless device, or handheld computing device. All EPHI must be transferred to secure servers at the end of the day or shift, to allow for it to be backed up using set procedures. All such (local, personal) uses of EPHI must be authorized in advance by management. EPHI is not to be transported out of the Chearful.com server on portable devices without written authorization.
- Workforce members are not to alter the configuration of personal devices or load software onto them without prior approval from management and IT support staff. Monitors should be positioned to prevent inadvertent disclosure of EPHI from passersby. Screensavers that are password protected will be implemented on all devices.
- Remote access to systems containing EPHI must be authorized by management on an as needed basis, and should be conducted through secure, encrypted channels to avoid the possibility of inadvertent disclosure. Workforce members accessing EPHI remotely must not retain the EPHI permanently on the remote device.
- When the useful life of equipment or media has been reached, the media is to be rendered unreadable by either a) forensic wiping of the media, b) physical destruction of the media, or c) degaussing of the media.
- When equipment or media is to be repurposed, management must determine if any EPHI is present, if it must be removed, and the method by which it must be removed. If servers, workstations, or data storage devices are relocated, all data including EPHI will be backed up to ensure its protection during the move.
- It is Chearful.com’s responsibility to ensure that procedures are implemented to adequately inventory and track all devices that contain EPHI.
TECHNICAL SAFEGUARDS
Access Control
- Chearful.com will ensure in relation to its employees and business associates that all servers and desktops used to access, transmit, receive, or store PHI are appropriately secured.
- Servers will be in a secure environment.
- The system administrator or root account will be password protected.
- A user identification and password authentication mechanism will be implemented to control user access to the server.
- A security patch and update procedure will be established and implemented to ensure that all security patches and updates are promptly applied.
- Servers must be located on a secure network with firewall protection.
- All unused or unnecessary services or daemons shall be disabled.
- A virus detection system will be implemented including a procedure to ensure that the virus detection software is maintained and up to date.
- Desktop systems that are located in open, common, or otherwise insecure areas must also implement the following measures:
  - An inactivity timer (screen saver with password protection) or automatic logoff mechanism must be implemented.
  - The workstation screen or display must be situated in a manner that prohibits unauthorized viewing. The use of a screen guard or privacy screen is recommended.
- Mobile stations that are located or used in open, common, or otherwise insecure areas must also implement the following measures:
  - A theft deterrent device, if available, such as a laptop locking cable, should be utilized when the device is unattended, or the device must be secured in another manner (stored in a locked cabinet).
  - An inactivity timer (screen saver with password protection) or automatic logoff mechanism must be implemented.
  - Reasonable safeguards must be used to prohibit unauthorized entities from viewing confidential information such as logins, passwords, or PHI.
- Personal Digital Assistants (PDAs) and other handheld mobile devices must not be used for long-term storage of PHI. PHI stored on handheld mobile devices must be purged as soon as it is no longer needed on that device.
- Each mobile system that is used to access, transmit, receive, or store EPHI must comply with as many of the measures as is allowed by the system and operating system architecture.
Unique User Identification
- All users that require access to any network, system, or application will be provided with a unique user identification.
- Users will not share their unique user identification or password with anyone.
- Users must ensure that their user identification is not documented, written, or otherwise exposed in an insecure manner.
- If a user believes their user identification has been compromised, they must report that security incident to Information Systems for a new password.
Emergency Access Procedure
- Chearful.com will implement, as needed, procedures for obtaining necessary electronic PHI during an emergency. Necessary PHI is defined as information that, if not available, could inhibit or negatively affect patient care.
- Systems that do not affect client care are not subject to the emergency access requirement.
Automatic Logoff
- Any server or workstation that stores or accesses PHI will have the password protected screensaver turned on.
- The system will be configured to lock the server or workstation after 15 minutes of inactivity.
- Any servers or workstations that are in locked or secure environments need not implement inactivity timers.
- When leaving a server or workstation unattended, users must lock it or activate the system’s automatic logoff mechanism (e.g., Ctrl+Alt+Delete and Lock Computer), or log out of all applications and database systems containing PHI.
Encryption and Decryption
- Encryption of PHI as an access control mechanism is not required unless the custodian of said PHI deems the data to be highly critical or sensitive. Encryption of PHI is required in some instances as a transmission control and integrity mechanism.
Audit Controls
- Audit Control Mechanisms
  - Chearful.com will implement system logging mechanisms for all systems that contain PHI.
  - Each system’s audit log will include at least User ID, Login Date/Time, and Logout Date/Time.
  - System audit logs will be reviewed on a regular basis.
- Audit Control and Review Plan
  - An Audit Control and Review Plan will be developed by Information Systems. The plan will include:
    - systems and applications to be logged;
    - information to be logged for each system;
    - log-in reports for each system;
    - procedures to review all audit logs and activity reports.
Integrity
- Transmitting PHI via removable media will require the documents to be password protected.
- All receiving entities will be authenticated before transmission.
- Any transmissions should include only the minimum amount of PHI.
Mechanism to Authenticate Electronic Protected Health Information
- Chearful.com will use mechanisms to protect data from alteration or being destroyed.
- Chearful.com will be protected from data alterations or destruction by viruses or other malicious code.
- For data integrity during transmission Chearful.com will implement a mechanism (FTP or HTTPS) to corroborate that PHI is not altered or destroyed during transmission.
Person or Entity Authentication
- All users who use any network, workstation, system, or application that contains PHI will be required to login (provide user authentication) with user id and password.
- Users must not misrepresent themselves by using another person’s User ID and Password.
- Users are not permitted to allow other persons or entities to use their unique User ID and password.
- A reasonable effort will be made to verify the identity of the receiving person or entity prior to transmitting PHI.
Transmission Security
- All transmissions of PHI files, folders or documents will be secured by using either FTP or HTTPS.
- All receiving entities will be authenticated before transmission.
- Any transmissions should include only the minimum amount of PHI.
- Email may be used to transmit PHI if the following conditions are met:
  - The PHI data must be in a password protected document.
  - The sender can authenticate the receiver.
  - The receiver has given permission to have their PHI sent via Email.
  - The receiver has been made aware of the risks involved.
- Use of internal E-mail to send PHI is allowed if the following conditions are met:
  - The PHI data must be in a password protected document.
  - The minimum amount of PHI is sent.
  - The E-mail is not forwarded to any parties.
Breach Notification Policy
INTRODUCTION
Purpose
Chearful.com is committed to identifying and evaluating the likelihood and consequences of threats to the security of Protected Health Information (PHI) and implementing reasonable and appropriate measures to safeguard the confidentiality, availability, and integrity of that information. This Policy establishes and describes the procedures and protocols regarding PHI.
Rationale
The HIPAA Breach Notification Rule, 45 CFR 164.400-414 under the Health Insurance Portability and Accountability Act (HIPAA), requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). Additionally, the HIPAA Breach Notification Rule, 45 CFR §§ 164.530(e), requires HIPAA covered entities to have, apply and document appropriate sanctions against the persons who violate HIPAA or other privacy policies.
Policy Statement
Chearful.com takes reasonable steps to:
- Review, assess and, if appropriate, investigate all reports or complaints of any potential or actual breaches that might involve the acquisition, access, use or disclosure of unsecured protected health information
- Determine if there is a breach
- Where breaches are found to have occurred, make notification to affected individuals.
- Where breaches are found to have occurred, take appropriate steps to prevent their recurrence and remedy their effects.
- Where prohibited conduct is found to have occurred, take appropriate actions to eliminate any misconduct, prevent its recurrence and remedy its effects, including but not limited to applying and documenting appropriate sanctions against persons who violate HIPAA or other privacy policies.
Scope
This HIPAA Breach Policy and Procedures applies to Chearful.com and its employees, and as per the Business Associate agreement to its partners.
Definitions
For the purposes of this Policy, the following terms shall have the meanings specified below:
- The term “breach” refers to the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of such information in a way that poses a significant risk of financial, reputational or other harm to the affected individual.
- The term “business associate” refers to a person or entity not affiliated with Chearful.com that performs or assists in performing, for or on behalf of Chearful.com, business support functions/services that involve the use of PHI.
  NOTE: A health care provider that assists in providing treatment to patients is not considered to be a business associate.
- The term “covered entity” refers to a health care provider/facilitator that transmits any health information in electronic form in connection with a transaction covered by HIPAA.
- The term “disclosure” refers to the release, transfer, provision of access to, or divulging in any manner of PHI by a person within Chearful.com to a person or entity outside it.
- The term “discovery” refers to the first day Chearful.com is notified of an incident.
- The term “electronic media” includes both (1) electronic storage and (2) electronic transmission media and does not include certain transmission(s) such as paper, facsimile, voice, or telephone exchanges because the information exchanged did not exist in electronic form prior to the transmission.
- The term “electronic protected health information” (ePHI) refers to any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.
- The term “health care” refers to care, services, or supplies related to the health of an individual, which includes, but is not limited to:
  - Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and/or
  - Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
- The term “health care provider” refers, in general, to health care professionals who perform health care services and to any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
- The term “health information” refers to any information, whether oral or recorded in any form or medium, that: 1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
- The acronym “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, which is federal regulation requiring providers and others who maintain health information to implement security measures to guard the integrity, confidentiality, and availability of patient information.
- The term “individual” refers to the person or the patient who is the subject of PHI.
- The term “individually identifiable health information” refers to information that is a subset of health information, including demographic information collected from an individual, and:
  - Is created or received by a health care provider, health plan, employer, or health care clearinghouse;
  - Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  - Identifies the individual; or
  - With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- The term “client” refers to an individual who is receiving needed professional services directed by a licensed practitioner of the healing arts toward maintenance, improvement or protection of health or lessening of illness, disability, or pain (US Centers for Medicare & Medicaid Services).
- The term “patient confidentiality” refers to keeping information about a patient’s health care private and the information is shared only with those who need to know to perform their duties on behalf of the patient.
- The term “Privacy Officer” refers to a person(s) designated by Chearful.com to carry out and coordinate activities designed to prevent and detect the unlawful disclosure of protected health information (PHI) as defined by HIPAA.
- The term “protected health information” (PHI) refers to information, including demographic information, which relates to the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. PHI includes many common identifiers (e.g., name, address, birthdate, ID number) when such can be associated with the health information listed above. PHI does not include student records held by educational institutions or employment records held by employers. However, this information is still treated confidentially under other applicable laws.
- The term “personal representative” refers to a person authorized (under applicable law) to act on behalf of the individual in making health care related decisions.
- The term “reporting party” refers to a person who makes a HIPAA breach report or on whose behalf a report is made under this policy. The term “responding party” refers to a person who has been accused of violating this policy.
- The term “transaction” refers to the transmission of information between two parties to carry out financial or administrative activities related to health care. The following are types of information transmissions:
  - Health care claims or equivalent encounter information
  - Health care payment and remittance advice
  - Coordination of benefits
  - Health care claim status
  - Enrollment and disenrollment in a health plan
  - Referral certification and authorization
  - First report of injury
  - Health claims attachments
- The term “unsecured protected health information” refers to PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology.
- The term “use” refers to the sharing, employment, application, utilization, examination, or analysis of PHI by a person within Chearful.com and its Associates.
- The term “workforce” refers to employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such an entity, whether or not they are paid by the covered entity.
II. REPORTING SUSPECTED BREACHES OF UNSECURED PHI
A. Responsibility to Report
All employees and Associates are required to report any suspected or actual breach that might involve the acquisition, access, use or disclosure of unsecured protected health information within 24 hours of discovery. Additionally, business associates must notify Chearful.com within 24 hours of discovery if a breach occurs at, or by, the business associate. Any person described above who fails to report a suspected or actual breach of which they become aware may be subject to disciplinary action up to and including termination of employment.
B. Who to Contact to Make a Report
Reports may be made to Chearful.com by contacting the appropriate Privacy Officer by telephone, email or in person.
C. What to Report
All employees and Associates are to report occurrences including, but not limited to, the following:
- Any event in which access to PHI might have been gained by an unauthorized person
- Any event in which a device containing (or that may contain) PHI has been (or might have been) lost, stolen, or infected with malicious software (e.g., viruses, trojans)
- Any event in which an account belonging to a person with access to the data might have been compromised, or its password shared with an unauthorized person (e.g., responding to phishing emails, someone shoulder surfing and writing down your password)
- Any attempt to physically enter or break into a secure area where PHI is or might be stored
- Any other event in which PHI has been (or might have been) lost or stolen
- Any other event in which PHI has been (or might have been) improperly used (e.g., used without the individual’s written authorization where authorization is required)
D. Preparing a Report
Suspected breaches of unsecured PHI may be reported orally or in writing. Reports should include the following information, if known:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
- A description of the types of unsecured PHI that were involved in the breach (such as full name, identification number, date of birth, home address, account number, diagnosis, disability code, or other types of information).
E. Confidentiality
Chearful.com makes reasonable efforts to maintain the confidentiality of the information it receives in connection with reports of suspected HIPAA breaches. However, information is appropriately shared when disclosure is required by law or policy, or is necessary to facilitate established processes, including the investigation and resolution of reports of suspected HIPAA breaches. The identity of participants in an investigation shall be maintained in confidence subject to the same limitations above. Any person who has reported a suspected violation of this Policy, or who has initiated or participated in the available reporting procedures, is advised that their identity may become known for reasons beyond the control of Chearful.com or the investigators.
IV. CHEARFUL.COM’s RESPONSE TO A REPORT
Chearful.com will take reasonable steps to review, assess and, if appropriate, investigate all reports or complaints of any suspected or actual breaches that might involve the acquisition, access, use or disclosure of unsecured protected health information.
V. INTERIM MEASURES
Chearful.com may impose any appropriate measures on an interim basis where it concludes that such action is needed to protect the health, safety, or welfare of members of its community, to facilitate an effective investigation or to avoid disruption to the environment.
VI. ANALYSIS PROCESS FOR POTENTIAL BREACH INVESTIGATION
A. Discovery of Breach
A breach of PHI shall be treated as “discovered” as of the first day on which an incident that may have resulted in a breach is known to Chearful.com.
B. Conducting the Breach Analysis
Upon notification of an incident, the HIPAA Privacy Officer shall conduct or coordinate an investigation to perform a breach analysis. The breach analysis considers, but is not limited to, the following four (4) factors to determine whether PHI has been compromised:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the PHI was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
Other relevant factors may be considered when necessary. If the breach analysis fails to demonstrate that there is a low probability that the unsecured PHI has been compromised, breach notification is required.
C. Breach Analysis Form
The HIPAA Privacy Officer, upon completion of the investigation, shall complete the Breach Analysis Form within 14 (fourteen) calendar days of notification of the potential breach, absent exigent circumstances. The HIPAA Privacy Officer shall notify the Chearful Management Team if an investigation must continue beyond 14 (fourteen) calendar days, together with the reason for the delay. The HIPAA Privacy Officer shall log the incident in the Breach Tracking Form and shall update the Tracking Form with information from the HIPAA Breach Analysis Form, including the outcome of the breach analysis process. Chearful.com has the burden of proof for demonstrating that all notifications were made as required or that the use or disclosure did not constitute a breach. Based on the outcome of the breach analysis investigation, the Breach Tracking Form shall include information about notices sent to affected individuals. The HIPAA Privacy Officer shall maintain the completed HIPAA Breach Analysis Form.
D. Breach Analysis Documentation
The HIPAA Privacy Officer shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of clients affected. The following information shall be collected/logged for each breach:
- A description of what happened, including the date of the breach, the date of the discovery of the breach and the number of clients affected, if known
- A description of the types of unsecured PHI that were involved in the breach (e.g., full name, Identification number, date of birth, home address, account number)
- A description of the action taken regarding notification of patients, the media, and HHS regarding the breach
- The results of the Breach Analysis
- Resolution steps taken to mitigate the breach and prevent future occurrences.
All documentation related to the breach analysis investigation including the Breach Analysis Form and notifications made shall be retained for a minimum of six (6) years.
VII. NOTIFICATIONS IN THE CASE OF BREACH OF UNSECURED PHI
A. Notification Following a Breach Determination
Following a breach of unsecured PHI, Chearful.com will provide notification of the breach to affected individuals and, in certain circumstances, to the media, no later than 60 calendar days after the discovery of the breach.
B. Notification to Affected Individuals
Following the discovery of a breach of unsecured PHI, Chearful.com will provide notification to the affected individuals. Individual notification must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Individual notifications must include, to the extent possible, the following:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
- A description of the types of unsecured PHI that were involved in the breach (e.g., full name, Identification number, date of birth, home address, account number or disability code)
- The steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of what Chearful.com is doing to investigate the breach, to mitigate losses and to protect against any further breaches
- Contact information for Chearful.com (or the business associate, as applicable) for individuals to ask questions or learn additional information, which shall include an e-mail address, website or postal address.
The HIPAA Privacy Officer must notify everyone whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of a breach.
VIII. INFORMAL RESOLUTION PROCESS
The Privacy Officer, in consultation with the Chearful.com Management Team may determine if the report/complaint can be disposed of informally on an acceptable basis or if the matter will be resolved through the formal resolution process. Use of the informal process is not a prerequisite to initiating the formal resolution process. Any informal resolution will be documented and maintained by the Privacy Officer. Informal resolutions involving employees may also be placed in their employment files. Any failure to comply with the informal resolution terms may constitute grounds for an independent complaint or result in the reopening of the original complaint.
IX. FORMAL RESOLUTION PROCESS
Factors in Determining an Outcome Decision
In determining an outcome, the Privacy Officer will consider, but is not limited to, the following categories of violation:
Category 1: Accidental or Inadvertent Violation
An inadvertent or accidental breach of confidentiality may or may not result in the actual disclosure of patient information. Such breaches may be caused by carelessness, lack of knowledge, lack of training or other human error. Examples of this type of incident include directing PHI via mail, e-mail or fax to the wrong party, or incorrectly identifying a patient record.
Category 2: Failure to Follow Established Privacy and Security Policies and Procedures
These violations result from failure to follow existing policies and procedures governing client confidentiality. They may be caused by poor job performance or lack of performance improvement, and include talking about patients in areas where others might hear, failure to obtain appropriate consent to release information, and failure to fulfill training requirements.
Category 3: Deliberate or Purposeful Violation Without Harmful Intent
Deliberate or purposeful violations without harmful intent include inappropriately accessing a patient’s record without a job-related need to know, such as accessing the record of a friend or family member out of curiosity without a legitimate need to know.
Category 4: Willful and Malicious Violation with Harmful Intent
Willful and malicious violations with harmful intent include accessing and using patient information for personal gain or to harm another person, such as disclosing PHI to an unauthorized person or entity for illegal purposes, posting PHI to social media websites, or disclosing a celebrity’s PHI to the media.
X. MITIGATING FACTORS
Aggravating factors that may increase the outcome severity include:
- Violations involving sensitive information such as HIV-related, psychiatric, substance abuse and genetic data
- High volume of people or data affected
- High exposure for Chearful.com
- Large organizational expenses incurred, such as breach notifications
- Hampering the investigation, lack of truthfulness
- Negative influence on others
- History of performance issues and/or violations.
Mitigating factors that may decrease the outcome severity include:
- Violator’s limited knowledge of privacy and security practices (e.g., due to inadequate training)
- Culture of surrounding environment [e.g., investigation determines inappropriate practices in department(s)]
- Violation occurred because of attempting to help a patient
- Victim(s) suffered no financial, reputational, or other personal harm
- Violator voluntarily admitted the violation in a timely manner and cooperated with the investigation
- Violator showed remorse.
- Action was taken under pressure from a person in a position of authority.
XI. DISCIPLINE
HIPAA requires covered entities to impose appropriate sanctions on any person who violates HIPAA policies. Employees found to have violated HIPAA may be subject to disciplinary action up to and including termination of employment. Third parties who violate HIPAA may have their relationship with Chearful.com terminated.