Automatic Family Alert System
AFAS Privacy Policy
Introduction
The Automated Family Alert System (AFAS) application has been developed by Joint Technology Solutions, Inc. (“JTS”) for healthcare providers (“Providers”) to enable them to send out alerts about changes in the status or condition of patients (“Patients”) to their registered emergency contacts.
This AFAS Privacy Policy (the “Privacy Policy”) applies to JTS’s operation and administration of the AFAS application, and to the personal and sensitive information that Patients, Providers and associated authorized users may provide or that we may have access to through the interaction between the AFAS application and the health information systems of AFAS application subscribers, and serves as an expression of our commitment to respect and protect the privacy of all such information.
There are four sections to this Privacy Policy:
- Part I. If you are a Provider (or employee or agent of a Provider).
- Part II. If you are a Patient of a Provider.
- Part III. If you are the registered emergency contact of a Patient.
- Part IV. Additional terms (including those applying to Authorized Users that are California residents).
Acceptance of Privacy Policy
All access to and use of the AFAS application, including any dispute concerning privacy, is subject to the terms of this Privacy Policy and the AFAS Application License Agreement. JTS may revise this Privacy Policy at any time without notice. BY USING THE AFAS APPLICATION, YOU ARE ACCEPTING THE PRACTICES SET OUT IN THIS PRIVACY POLICY, AS MAY BE AMENDED FROM TIME TO TIME.
Definitions
For the purposes of this Privacy Policy:
- Authorized User is an individual authorized to access and use the AFAS application as an employee or agent of the Provider, as a Patient or as an Emergency Contact.
- Company means Joint Technology Solutions, Inc., a Virginia corporation, with its principal office located at 9255 Center Street, Suite 300, Manassas, VA 20110.
- Electronic Health Record (EHR) means the Electronic Health Record software system used by a Provider for patient records.
- Emergency Contact refers to the next-of-kin or other individual(s) listed as an emergency contact for a Patient.
- Patient refers to an individual receiving medical care from a Provider.
- Personal Data is any information that relates to an identified or identifiable individual.
- Protected Health Information (PHI) means any health-related information as defined by applicable law.
- Provider means a hospital, medical group, doctor or other healthcare professional who is listed and defined as such on the EHR and covered by a subscription to the AFAS application.
- Usage Data refers to data generated and collected automatically in connection with the operation of the AFAS application.
Usage Data
- The AFAS application automatically reads systems data for the purpose of identifying certain conditions in the health records of Patients. However, not all the data read by the AFAS application in order to generate an alert about a Patient will be saved.
- All AFAS notifications are saved for historical and legal purposes in accordance with the requirements of applicable laws and regulations.
- However, upon discharge from the hospital or other facility, Usage Data is de-identified and anonymized and not linked to a particular EHR. As such, it is no longer considered personal information.
- Usage Data may include information such as location changes, vital signs, phone numbers and communication history.
Part I.
If You are a Provider:
- Personal Data. None of a Provider’s personal information will be retrieved or stored in the AFAS application. We only store usage and access data as it relates to all alert notifications generated on behalf of Providers by the AFAS application. All data from the client’s EHR is processed by the AFAS application in a secure and HIPAA-compliant cloud. The AFAS application has been designed to include the requisite elements of high security and privacy by default. The Company relies upon industry-best security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of data.
- Protected Health Information (PHI). No disclosure or use of PHI is necessary in order for a Patient to authorize individuals listed as their NOK to receive alerts generated by the AFAS application. At the time such an alert is generated by the AFAS application, any PHI or other sensitive information communicated to a Patient’s NOK will be encrypted over a secure channel.
Part II.
If You are a Patient
- Personal Data. In order to generate alert notifications, the AFAS application will access and read certain personal information about Patients and will be constantly searching for changes in location, status or condition. As previously stated, certain details of all alert notifications generated by the AFAS application will be stored for a period of time. All data is processed by the AFAS application in a secure and HIPAA-compliant cloud. The AFAS application has been designed to include the requisite elements of high security and privacy by default. The Company relies upon industry-best security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of Patient data.
- Protected Health Information (PHI). No disclosure or use of PHI is necessary in order for a Patient to authorize individuals listed as their Emergency Contact to receive alerts generated by the AFAS application. At the time such an alert is generated by the AFAS application, any PHI or other sensitive information communicated to a Patient’s Emergency Contact will be encrypted over a secure channel.
AFAS Consent Forms for Patients.
Providers may require Patients to sign a Consent Form in order to authorize the Provider to allow the AFAS application to access and utilize their personal information. Such a form is intended to memorialize each party’s rights and obligations and that Provider has the requisite consents necessary for the generation of alert notifications by the AFAS application. If requested, the Company will provide Provider a template of such a Consent Form.
Part III.
If You are the Emergency Contact
- Personal Information. In order to generate alert notifications, the AFAS application will access and read certain personal information about Emergency Contacts. As previously stated, certain details of all alert notifications generated by the AFAS application will be stored for a period of time. All data is processed by the AFAS application in a secure and HIPAA-compliant cloud. The AFAS application has been designed to include the requisite elements of high security and privacy by default. The Company relies upon industry-best security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of Emergency Contact data.
- Protected Health Information (PHI). No disclosure or use of PHI is necessary in order for a Patient to authorize individuals listed as their Emergency Contact to receive alerts generated by the AFAS application. At the time such an alert is generated by the AFAS application, any PHI or other sensitive information communicated to a Patient’s Emergency Contact will be encrypted over a secure channel.
AFAS Consent Forms for Emergency Contacts.
Providers may require Emergency Contacts to sign a Consent Form in order to authorize the Provider to allow the AFAS application to access and utilize their personal information. Such a form is intended to memorialize each party’s rights and obligations and that Provider has the requisite consents necessary for the generation of alert notifications by the AFAS application. If requested, the Company will provide Provider a template of such a Consent Form.
Part IV.
The following section includes additional privacy conditions and terms.
- Retention of Personal Health Information. We will retain and use Personal Data or PHI to the extent necessary to comply with our legal obligations (for example, if JTS is required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of the AFAS Application, or JTS is legally obligated to retain this data for longer time periods.
The HIPAA Privacy Rule provides additional guidelines for the use and disclosure of electronic personal health information (“ePHI”). The covered entity in partnership with JTS is responsible for allowing patients the necessary rights and access to their ePHI. As a possible “business associate” as defined under HIPAA, JTS complies with the HIPAA Privacy Rule by training employees on the proper handling of secure information, protecting and authenticating ePHI in our Cloud provider’s encrypted server, and conveying ePHI to Emergency Contacts in accordance with the directions and consent of the Provider’s Patients.
Security of Personal Data
The Company may disclose Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of the Company
- Prevent or investigate possible wrongdoing in connection with the AFAS application
- Protect the personal safety of Patients or Authorized Users of the AFAS application or the public
- Protect against legal liability
The security of the Personal Data is important to JTS, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While the Company strives to use commercially standard means to protect Personal Data, JTS cannot guarantee its absolute security.
Information for Residents of California. The provisions contained in this section apply to all Authorized Users who are “consumers” residing in the State of California in accordance with The California Consumer Privacy Act of 2018 (CCPA).
- Categories of personal information collected or disclosed. In this section we summarize the categories of personal information that we have collected or disclosed and the purposes thereof.
- Information we collect: the categories of personal information we collect. The AFAS application may collect Personal Data and PHI information about Patients and Personal Data about Emergency Contacts.
- How we collect and use information: what are the sources of the personal information we collect and how is it used? The above-mentioned categories of personal information are collected through the operation of the AFAS application and its interaction with the health information system of the Provider. For example, for Patients that have consented to have the AFAS application generate alert notifications about them during their stay in a Provider hospital, certain personal information about them obtained during the check-in process, including the identities and contact information of their Emergency Contacts, will be captured by the AFAS application and used by the AFAS application for the duration of their hospital stay. From the time of their check-in until their ultimate discharge, the AFAS application will be scanning for any changes in the Patient’s health record, including but not limited to, changes in the Patient’s medical condition or status, and changes in the Patient’s physical location within the hospital, so that whenever appropriate, notification alerts can be generated to update Emergency Contacts about any urgent changes.
- What are the other purposes for which we may use personal information? As described above, the use of personal information is essential for the operational functioning of the AFAS application and features thereof (“business purposes”). Except as otherwise expressly described in this Privacy Policy, we will not use personal information for different, unrelated, or incompatible purposes without notifying the affected individual.
California privacy rights and how to exercise them
- The right to know and to portability. Any Authorized User that is a resident of California has the right to request that we disclose to you the categories and sources of the personal information that we collect about you, the purposes for which we use your information and with whom such information is shared.
- The right to request the deletion of personal information. You have the right to request that we delete any of your personal information, subject to exceptions set forth by the law (such as, including but not limited to, where the information is used to identify and repair errors on the AFAS application, to detect security incidents and protect against fraudulent or illegal activities, to exercise certain rights etc.). If no legal exception applies, as a result of exercising your right, we will delete your personal information.
- How to exercise your rights. To exercise the rights described above, you need to submit your verifiable request to us by contacting us via the details provided in this Privacy Policy. For us to respond to your request, it is necessary that we know who you are and your connection to a Provider and/or an Authorized User. Therefore, you can only exercise the above rights by making a verifiable request which must:
- provide sufficient information that allows us to reasonably verify you are a person about whom we collected personal information in connection with a Provider’s operation of the AFAS application; and
- describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We will not respond to any request if we are unable to verify your identity and therefore cannot confirm that any personal information in our possession relates to you. If you cannot for any reason personally submit a verifiable request, you can authorize a person registered with the California Secretary of State to act on your behalf. If you are an adult, you can make a verifiable request on behalf of a minor under your parental authority. You can submit a maximum number of two (2) requests over a period of 12 months.
- How and when we are expected to handle your request. We will confirm receipt of your verifiable request within 10 days and provide information about how we will process your request. We will respond to your request within 45 days of its receipt. Should we need more time, we will explain to you the reasons why, and how much more time we need. In this regard, please note that we may take up to 90 days to fulfill your request. Our disclosure(s) will cover the preceding 12-month period. Should we deny your request, we will explain to you the reasons behind our denial. We do not charge a fee to process or respond to a verifiable request unless such request is manifestly unfounded or excessive. In such cases, we may charge a reasonable fee, or refuse to act on the request. In either case, we will communicate our choices and explain the reasons behind them.
Notice Regarding Epic App Orchard Program
We have an arrangement with Epic Systems Corporation, a Wisconsin corporation (“Epic”), to participate in its App Orchard program (the “Program”) to promote the AFAS application which is designed to work with Epic’s software. In connection with the Program, the following notices are provided and additional provisions shall apply:
- Whether you are a Provider, a Patient or Emergency Contact, certain information provided by you or about you may be disclosed by Epic’s software to the extent necessary for the operation of the AFAS application.
- The operation of the AFAS application will require us to retain such information about you or provided by you for a specified period of time if required by applicable laws and regulations. If at any time prior to expiration of that time period you wish to remove all such information, please notify us in writing and we will take commercially reasonable actions to do so.
- Except to the extent necessary for the operation of the AFAS application or as needed by certain authorized third parties engaged in connection with the AFAS application (e.g., hosting services, auditors, etc.), we will not transfer any such information provided to us by you or about you to any third party.
Changes to this Privacy Policy
This Privacy Policy was issued on February [ ], 2021. We may update our Privacy Policy from time to time. We will notify you of any such updates upon your written request.
If you have any questions about this Privacy Policy, you can contact us by email at contactus@jtsi.net or by phone at 703.218.0372.