Effective Date: May 4, 2023
As Required by the Privacy Regulation Pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), QorumPartners is required by law to maintain the privacy of your protected health information (PHI) and to provide you with notice of our legal duties and privacy practices with respect to your PHI. This notice provides you with information on how QorumPartners may use and disclose your PHI; your privacy rights in your PHI; and QorumPartners’ obligations concerning the use and disclosure of your PHI.
1. How do we process your personal data?
1.1. How we collect personal data
We collect your information when the Healthcare provider registers you through the Qora Portal, or otherwise use our services (“Services”).
1.2. Purpose of treatment, legal basis and storage period
Your information will not be used in a manner that is inconsistent with the purposes for which the information was collected. We process your information for the purposes listed below.
1.2.1. Provide you with your user account
In order to provide you with our Services, a user account is required, and we collect the personal information you provide us, including your name, email, password, and birthdate. Furthermore, we use your information to ensure your identity. The legal basis for personal data processing for this purpose is that it is necessary for us to fulfill our obligations under our agreement with you as a user.
1.2.2. Provide our Services
We use your personal data to provide you with our Services. We record, digitize and store information such as your heart sound and your ECG, blood glucose levels, blood pressure, weight, height, what medicines are taken regularly, and whether you smoke or have a pacemaker/implanted device. We collect additional information about how you were feeling during the measurement and the date and time when the measurement was taken. The legal basis for personal data processing for this purpose is that it is necessary for us to fulfill our obligations under our agreement with you.
1.2.3. Carry out research
We use your personal data for research purposes. We use your medical information only after you specifically consent to this, and your information will then be collected in our database. You choose whether you want the data to be anonymized and used in the research in unidentified form or whether they remain identifiable. The legal basis for personal data processing for this purpose is your consent.
1.2.4. Provide support
We also use your personal data to help you if you contact us in support matters, such as if you have questions about our products or services. We use your personal data to identify you, communicate with you, and investigate any complaints or support matters. We process your personal data to provide support for at least 12 months after you have terminated your agreement with us.
The legal basis for personal data processing for this purpose is that it is necessary to fulfill our and your legitimate interest in providing support.
1.2.5. Improve our Services
We will process your information to obtain statistics on how you use our Services. This can be done by performing user satisfaction and market research or by analyzing your use of the Services. When we use your information to improve our Services, we use your data in an aggregated form (i.e. studying overall user patterns using unidentified data) to the extent possible. We also use your data to make the Services more user-friendly, such as to troubleshoot, fix bugs, change the interface so that you can easily access the information you are looking for, or highlight features in our Services that are commonly used by our users. We process your personal data to improve our Services for 12 months from the collection of the data.
The legal basis for personal data processing for this purpose is that it is necessary to fulfill our legitimate interest in continuously improving the Services.
1.2.6. Prevent abuse
Your information can also be used to prevent abuse of our services or to prevent or investigate violations of our services. Misuse refers to suspected fraud, junk mail, harassment, attempted illegal login to user accounts and other actions prohibited by our terms or by law. The legal basis for personal data processing for this purpose is that it is necessary for our legitimate interest in preventing our services from being abused or preventing and investigating violations against us.
1.2.7. Completing legal obligations
We may also process your information in order to fulfill our legal obligations under laws, judgments or government decisions. The requirements may include requirements for accounting, product liability and money laundering legislation. The legal basis for personal data processing for this purpose is that it is necessary for us to fulfill our legal obligations.
1.2.8. Storage period
When you register as a user, we will keep your data as long as you are a registered user of QorumPartners and to the extent necessary for a certain period of time thereafter, for example, for the payment and fulfillment of our commitments. You can terminate services at any time as a user.
Unless otherwise stated above, we will store your information for at least twelve months after your agreement has been terminated. We do this so that you have access to your heart data.
If you do not want your data stored for the specified time period, you can request that your data be deleted as soon as our relationship has been terminated by emailing us at firstname.lastname@example.org.
1.3. How we share your information
We will not share your information with any third party except as described below.
a. Other external healthcare providers: If you wish, you can share your data with external healthcare providers by giving them access to your records via the Qora Portal. In order for external healthcare providers to be able to share your records, you need to give your approval.
d. Legal Process: We may disclose your personal data in order to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a court order or a subpoena.
2. How we protect your information
We have taken reasonable precautions and enforce security standards to protect your personal data we collect from loss, misuse, and unauthorized access, disclosure, alteration and destruction. We always encrypt your personal data and we cannot access your data such as measurements and results without your consent. We store your personal data on files available only to our employees, our agents and our service providers who need the information for their service. We use technical tools such as firewalls and passwords, and we ensure that our employees are educated on the importance of maintaining security and confidentiality in relation to the personal data we process. Please be aware that despite our best efforts, no data security measures can guarantee security. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity.
3. Where do we process your personal data
We guarantee an adequate level of protection for our Services by processing your personal data within the US. Other third-party IT systems, such as websites and support tools, guarantee that your personal data is only processed in countries with adequate protection levels, according to the US Department of Homeland Security.
4. Your rights
This section describes the rights you have as a registered user. You can always exercise these rights by contacting us at email@example.com.
4.1. Right of access
If you want information about what personal data we process about you, you can request access to the information. The information will then be provided in the form of a registry extract which specifies the personal data we process, the purposes for which we handle them, where the information has been obtained, the third parties to whom the data has been transferred and how long the data will be stored.
4.2. Right to rectification
You are entitled to have incorrect information about you rectified without delay. You are also entitled to complete incomplete information.
4.3. Right to erasure
You may, in certain circumstances, delete your personal data: if your personal data are no longer necessary for meeting the purposes for which they were collected or processed; if you have objected to the processing of personal data and we do not have a legitimate interest that weighs heavier than your interest; if your personal data have been processed illegally; or if your personal data have to be deleted to comply with a legal obligation. However, in some cases, we are entitled to oppose the deletion of your personal data, and we will inform you if applicable.
4.4. Right to restriction of processing
You are entitled to require restriction of processing of your personal data in some cases: if you contest the accuracy of the personal data, during the time it takes for us to check if the information is correct; if the processing is illegal and you oppose the deletion of the data and request a restriction instead; if we no longer need the personal data but you need them to determine, enforce or defend legal claims; or if you have objected to a treatment based on our legitimate interest, during the time we check if our interest weighs heavier than your interests.
4.5. Right to object
You are entitled to object to the processing of your personal data, which is based on our legitimate interest. If so, in order to continue the processing, we must be able to show compelling legitimate reasons that weigh heavier than your interests, rights and freedoms.
4.6. Right to data portability
If we process your personal data on the basis of an agreement with you or your consent, you are entitled to obtain the personal data you have provided to us that concerns you in an electronic format that is widely used, when this is technically possible and can be done by automated means. You may transfer such data to another personal data controller (data portability) where applicable.
5. Breach Notification and Accounting of Disclosure.
We are obligated by law to notify you of any breach of your unsecured PHI. Additionally, you have the right to request an “accounting of disclosure” (disclosures QorumPartners has made of your PHI). QorumPartners is not bound to account for disclosures made for purposes of health care operations or disclosures made to you. To obtain an accounting of disclosures, you must submit your request in writing to the Data Privacy Officer of QorumPartners. All requests for an “accounting of disclosure” must state a time period, which may not be longer than 6 years. QorumPartners will provide one list per 12-month period at no charge. Additional list requests within the same rolling 12-month period will be charged to you. QorumPartners will make every attempt to notify you of the cost involved with additional requests, and you may withdraw your request before you incur any costs.
6. Right to a Paper Copy of this Notice.
7. Changes to this Notice of Privacy Practices.
If you believe QorumPartners has violated your privacy rights, you may file a complaint with QorumPartners or with the Secretary of the Department of Health and Human Services. To file a complaint with QorumPartners, send it to the Data Privacy Officer. All complaints must be submitted in writing. You will not be penalized for filing a complaint.
9. Legal notice and credits
“Made for iPhone” means that an electronic accessory has been designed to connect specifically to iPhone and has been certified by the developer to meet Apple performance standards. Apple is not responsible for the operation of this device or its compliance with safety and regulatory standards. Please note that the use of this accessory with iPhone may affect wireless performance. iPhone is a trademark of Apple Inc., registered in the U.S. and other countries.