Privacy Policy and HIPAA – DermDetect LLC

DermDetect LLC is committed to ensuring your personal information is kept secure and private. This privacy notice sets out what you can expect when we collect information about you or when you use our website.

Use of Our Website

When you visit our website we collect standard internet log information and details of visitor behavior patterns. We collect this information to find out things such as the number of visitors to the various parts of the site and we do so in a way which does not identify anyone.

Cookies

Cookies are small text files which are placed on your computer by websites that you visit. There are two main types: ‘session’ and ‘persistent’. ‘Session’ cookies are temporary and only remain in the cookie file of your computer until you close your browser when they are deleted. ‘Persistent’ cookies are stored permanently on your computer until they either expire or are deleted. DermDetect uses both types.

Cookies are widely used to enable the collection of information, to enable navigation around a website or to make websites work, or work more efficiently. To enhance a user’s experience cookies can also be used to remember information so you do not have to retype it each time you visit a website, for example, your name and email address, or to remember preferences like the language in which the website is displayed.

DermDetect also uses cookies to enable better understanding of how the website is used (for example which pages are seen, how often, return visits to the site), so that we can improve and tailor the content of the site, and also to help ensure the security and authenticity of our registration for access to secure areas of our site.

DermDetect does not use cookies to track your internet usage after leaving our website, nor do we use cookies which can store personal information about you which others could read and understand. Cookies cannot be used to access your computer and obtain information about you or read any material held on your computer. Cookies will not be used to contact you for marketing purposes.

Most web browsers are usually set up to accept cookies. You can delete cookies and you can usually adjust your browser so that your computer rejects cookies, but please note if you disable cookies you will not be able to register or log on to secure areas on our site. Information about cookies and how to reject them can be found from the Information Advertising Bureau at www.allaboutcookies.org

Security of Data

If you register to use online, password-protected portions of our website we will ask you to provide us with certain up to date information about you, which we will handle securely. We maintain strict security standards and procedures intended to prevent unauthorized access to your data and we use technologies such as data encryption and firewalls to achieve this.

Use of the Information We Collect From You

We use the information we collect from you to:

  • Administer your account.
  • Assess your needs to determine suitable products and services
  • Fulfill your order for our services.
  • Link or combine with other information we receive from third parties to help understand your needs, provide you with better service and for marketing purposes.
  • Provide, improve, maintain and operate our services.
  • Send you administrative messages, invoices, order confirmations, security alerts, support messages, technical notices, and updates.
  • Investigate and respond to illegal activities or fraudulent transactions and/or fraudulent use of our website.
  • Respond to customer service requests and provide support.
  • Respond to your comments, concerns and questions.
  • Send you requested information and for other purposes which we have notified you about.

We are based in the United States and the information we collect is governed by U.S. law. By accessing or using our services or website or otherwise providing information to us, you consent to the processing and transfer of information in and to the U.S.

Information Sharing

Except as provided for in any service or subscription agreement you entered into with us, if any, and this Policy, we do not disclose your personal information to third parties without your consent.

We do not sell any of your personal information to third parties or allow third parties to use it for their marketing purposes. We use third-party intermediaries to manage payment processing. These intermediaries are solely links in the distribution chain and are not permitted to store, retain, or use the information provided except for purposes of payment processing.

We may share your information with third party vendors, consultants and other service providers who are working on our behalf and require access to your information to carry out that work, such as to process billing, provide customer support, etc. For example, we may use third-party data centers to host our website or to store documents uploaded to our application. We obtain appropriate contractual and technical protections to limit these service providers’ use and disclosure of your personal information.

We release personal information if we believe we must do so to comply with the law, to comply with a subpoena, bankruptcy proceedings, or similar legal process, to enforce any agreements you entered into with us, if any, or to protect the rights and safety of our company, our customers, our individual users, and the general public.

If we involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via a prominent notice on our Web site of any change in ownership that affects your personal information, as well as any choices you may have regarding your personal information.

On-Line Payments

The security of your payment information is important to us. If you make payments on our website, you will be asked for credit card or PayPal information. We use a payment gateway – a site specifically secured to process this information – for these payments, for which we pay a fee. Your personal credit card information is never stored or available anywhere on our website.

HIPAA AND HITECH SECURITY

HIPAA and HITECH provide national minimum standards to protect an individual’s protected health information (PHI). The U.S. Department of Health and Human Services (HHS) manages and enforces these standards.

The HIPAA Security Rule requires covered organizations to implement technical safeguards to protect all Electronic Personal Healthcare Information (ePHI), making specific reference to encryption, access controls, encryption key management, risk management, auditing and monitoring of ePHI information. The HIPAA Security Rule then goes on to set out numerous examples of HIPAA encryption methods which can be employed and the factors to consider when implementing and ensuring the success of a HIPPA encryption strategy.

The HITECH act then expands the compliance requirement set, requiring the disclosure of data breaches of “unprotected” (unencrypted) personal health records (PHR), including those by business associates, vendors and related entities. And finally, the “HIPAA Omnibus Rule” of 2013 formally holds business associates liable for compliance with the HIPAA Security Rule.

HIPAA was originally created to streamline healthcare processes and reduce costs by standardizing certain common health care transactions while protecting the security and privacy of individuals’ PHI. HITECH expanded on the privacy and security requirements of HIPAA.

HIPAA and HITECH focus on PHI, which generally includes any personally identifiable information regarding an individual’s physical or mental health, the provision of health care to him or her, or payment for related services. PHI also includes any personally identifiable demographic information, including, for example, name, address, phone numbers, and Social Security numbers

These standards affect the use and disclosure of PHI by covered entities (such as health care providers engaged in certain electronic transactions, health plans, and health care clearinghouses) and their business associates.

DermDetect enables all users of our website to process, maintain, and store protected health information.

The 4 HIPAA Rules

HIPAA Privacy Rule

HIPAA’s Privacy Rule restricts intentional and unintentional use or disclosure of PHI that is in violation of the requirements of HIPAA.

  1. Do not allow impermissible use or disclosure of PHI
  2. Provide breach notification to the covered entity
  3. Provide individual or the covered entity access to the PHI
  4. Disclose PHI to the secretary of the HHS if compelled to do so
  5. Provide an accounting of disclosures
  6. Comply with the requirements of HIPAA security rule

HIPAA Security Rule

HIPAA’s Security Rule requires covered entities to put in place detailed administrative, physical, and technical safeguards to protect electronic PHI

HIPAA Enforcement Rule

It spells out penalties, and procedures for hearings

HIPAA Breach Notification Rule

It requires healthcare providers to notify patients in the case of breach of unsecured PHI

The DermDetect website is delivered via servers hosted in data centers that are HIPAA compliant.

Our Security policy mandates all of the following

  • Physical Safeguards – Only authorized DermDetect employees can access the servers
  • Administrative Safeguards – Access to the data within the application is controlled by the covered entity, while Access to the server is controlled by DermDetect team. DermDetect provides role-based access control to restrict access to certain users.
  • Technical Safeguards – DermDetect maintains an active monitoring system to find and fix any vulnerabilities in Operating System, Web Server, and Database.

A note on encryption – DermDetect doesn’t encrypt data ‘in rest’.

Contact data is stored in a database without encryption. Direct access to the database is only allowed to users who can log in to the server directly. This is restricted to only a few administrators in our operations team. We have logs tracking all access to the servers.

When being transmitted the data is encrypted using SSL.

Breach notification

If a breach has occurred at the service level, DermDetect will alert you.

CONTACT INFORMATION

Questions regarding our Policy or the practices concerning our Web Properties should be directed here as a security question, or by regular mail addressed to DermDetect LLC, Attn: Legal, 320 North Carson Street, Carson City, NV 89701 USA.