Information that you submit: There are several ways you can submit data to DrChrono by using the onpatient website. Some examples of those are by:
Other information: the onpatient website stores additional data when you view, navigate to, log in or otherwise interact with it. As with other websites and interactive services, whenever you interact with the onpatient website, your computer, mobile phone or tablet (a “Device”) and its software send a “request” to us. That request will include non-personal information received from your Device (and any related software) that we use to identify and appropriately route the information your Device is requesting (in a “reply”). “Requests” and “replies” of this sort are used by all websites and Internet services. Therefore, whenever you:
your Device transmits non-personal information to DrChrono.
Thus, even when you do not submit any personal information on the onpatient website (for example, by logging in), your Device will transmit, and these tools will receive, information about your Device. We call such data “Engagement Data.”
Engagement Data can include several pieces of information such as the time a “request” was made, the type of browser used to make a request, the version of the onpatient application you are using on the iPad, IP address, the Device’s geographic location, the URL a Device most recently visited, and, when using the onpatient mobile application, an anonymous unique number. Engagement Data generally does not personally identify any particular user. Nevertheless, Engagement Data can be used in conjunction with personal information. In these circumstances, DrChrono treats such combined information as personal information. In the event that the tools we mentioned above collect data containing personal information, DrChrono will treat that data as personal information.
Personal Information: “Personal Information” is information that you submit to us that identifies you or can be used to contact you. Personal Information can include government-issued ID numbers (such as a social security number), information used by banks and credit cards to identify you or, as another example, insurance-issued ID numbers. DrChrono sometimes combines non-personal information with other information in a way that makes the combined information Personal Information. DrChrono treats this combined information the same way we treat personal information.
We use personal and non-personal information for:
We may also use non-personal information to prepare aggregate reports that illustrate trends about the general use of the onpatient website. Such reports may include age, gender or other general user information. These reports will not include personal information.
DrChrono may request your consent or authorization in connection with the use or sharing of your information. In some instances, this will be because this Policy or applicable law or regulations require us to obtain such consent. In other instances, such consent will be for informational purposes. Any request to obtain your consent does not narrow the scope of this Policy. By using the onpatient website, you accept and agree to DrChrono’s information handling practices in the manner described.
Scheduling appointments: When you contact or schedule an appointment with a provider, the provider will need your name, contact information, as well as other information.
Direct Communications: You can use the onpatient website to facilitate direct communications between users:
In any direct communication, users may send information to one another. Depending on the contents of this information, personal information could be included.
Surveys and Ratings: DrChrono sometimes asks users to provide feedback to help DrChrono improve its operations. The content of feedback is presumed public. DrChrono will let you know in advance how it will use survey or rating feedback in any such request. You should exercise care in selecting the information that you share in a survey or feedback communication. We strongly recommend against providing DrChrono any personal health or other sensitive information that could be traced to you or any other individual.
Records: The onpatient website allows you to store personal and health information (“Records”), including Records that identify other individuals, including other users. The onpatient website allows you to share all or portions of these Records at your discretion.
You should be aware that this Policy covers only the information you submit through the onpatient website or the information that is provided to you by your provider via the onpatient website. If you exchange or transmit information through any means other than the onpatient website, such activity is not covered by this Policy.
Because the onpatient website allows users to share information, you should take care in selecting the persons with whom you share your Records. Although the onpatient website processes and facilitates such transmissions, DrChrono does not take responsibility for the actions of other users or persons with whom you share your Records.
Confidentiality of Health Information: Some of our users—such as healthcare providers—are subject to laws and regulations governing the use and disclosure of health information they create or receive. Included among them are the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health of 2009 (“HITECH”), and the regulations adopted thereunder. When DrChrono stores, processes or transmits “individually identifiable health information” (as such term is defined by HIPAA) on behalf of a health care provider who has entered a Healthcare Provider User Agreement, we do so as its “business associate” (as also defined by HIPAA). Under this agreement, DrChrono is prohibited from using individually identifiable health information in a manner that the provider itself may not. DrChrono is required to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity and availability of individually identifiable health information we store and process on behalf of such providers. DrChrono is subject to laws and regulations governing the use and disclosure of certain personal and health information, including HIPAA, when it operates as a business associate of a healthcare provider.
Email communications received from users and DrChrono’s administrative announcements are often transactional or relationship messages, such as appointment requests, reminders and cancellations and other notifications. DrChrono may not offer you the option of opting out of receiving some of these messages, although DrChrono may allow you to modify how often you receive such messages. If you opt in to receiving marketing announcements from DrChrono, we will allow you to opt out of receiving those announcements.
In some instances, DrChrono may also use tools (such as “cookies,” “web beacons” and “server logs”) in its emails to users to collect Engagement Data, and DrChrono may use vendors to assist in sending you emails.
Of course, this Policy does not apply to emails or other communications from individuals that do not use DrChrono or the onpatient website, or that are being sent in connection with subject matter other than your use of the onpatient website. For example, if you were to apply to DrChrono for employment, that communication would not be covered by this Policy. Similarly, this Policy would not apply to ideas or suggestions you provide in feedback regarding the onpatient website or other products or services by any means—e.g., email or other communication channels.
We will not share any personal information you submit except under the following circumstances:
Other users (for example, providers or staff) that submit your information to, or receive your information from, the DrChrono website, could share that information with other persons, without separately notifying you or seeking your consent.
The onpatient website is not intended for or designed to attract persons under the age of 13 (“child” or “children”). DrChrono does not knowingly collect personal information from children. If DrChrono learns that it has obtained personal information from a child, DrChrono will delete that information as soon as practicable. If your child has provided us with personal information without your consent, please contact DrChrono immediately.
Without limiting the above, the onpatient website does allow persons above the age of 18 years—such as healthcare providers, parents and guardians—to provide, share and store personal information about others, including minors and children. Any user providing, storing or submitting information on behalf of a child assumes full responsibility over the submission, use and transmission of such information.
DrChrono employs technical measures to help safeguard the confidentiality, integrity and accessibility of sensitive information you might store and share through the onpatient website. Certain laws and regulations require us to investigate potential or suspected threats to the onpatient website or the confidentiality, integrity or availability of the information DrChrono stores and maintains. DrChrono may use, preserve and disclose information—including your personal and non-personal information—when it has a good faith belief that it is necessary or advisable to:
DrChrono may also use, preserve and disclose such information in order to respond to legal process, a search warrant, court order, subpoena or a judicial proceeding. Some legal processes may prohibit DrChrono from notifying the users or other individuals or entities identified in the requested information or take other actions that would otherwise be a violation of this Policy. DrChrono may preserve information pursuant to this section for extended periods of time as necessary or appropriate under the circumstances. This may include the preservation of information from accounts that have been disabled.
DrChrono employs a wide range of technical, physical and administrative safeguards to prevent unauthorized access, maintain data accuracy and ensure the appropriate use of your personal and non-personal information, including: encryption, firewalls, system alerts and other information system security technologies; housing information in secure facilities that restrict physical and network access; and regular evaluation and enhancement of our information technology systems, facilities and practices. DrChrono applies reasonable and proportional measures to protect the confidentiality, integrity and availability of individually identifiable health information (as such term is defined by HIPAA) residing on and processed by the onpatient website. Nevertheless, no system can guarantee 100% security; thus DrChrono cannot and does not guarantee the security of information stored on or transmitted to or from the onpatient website.
DrChrono may notify you and inform you of potential countermeasures if DrChrono learns of a security vulnerability or risk. You can proactively take some precautionary steps to improve the security of your information and reduce the likelihood of unintended disclosure:
Access to the onpatient website is administered in the United States and is intended solely for users within the United States. You may not use the onpatient website in any jurisdiction where accessing or using the onpatient website would be illegal or unlawful. Any information that you submit to us while outside of the United States will be transferred to onpatient systems that reside in the United States. You consent to this transfer when you use the onpatient website. You also consent to the transfer and processing of any personal information by us or any of the other parties described in the sections above (in any country) for the purposes described in this Policy, or for any other specific purposes to which you consent. If you are located in a country other than the United States, you should be mindful that, at present, the laws of the United States and certain other countries have not been approved by the European Commission or privacy authorities in certain other countries as providing “adequate protection” for personal information within the meaning of the European Union Data Protection Directive or applicable laws of other countries.
DrChrono may change this Policy from time to time, for example to respond to a changing technical and security landscape, to respond to new laws and regulations or as circumstances may otherwise warrant. DrChrono will post such changes along with their effective date on this page. You should reread this Policy from time to time to see if there have been any changes that affect you. Your use of the onpatient website, including the continued storage of your information on onpatient systems, following any such change constitutes your agreement that all information collected from or about you through the onpatient website will be subject to the terms of the revised Policy.
The onpatient website aims to provide you with access to the information you submit and the means to update it. This can be accomplished by using the onpatient website or having your provider contact DrChrono on your behalf. Under certain circumstances, DrChrono may ask your provider to verify your identity before the request is processed. DrChrono may charge your provider an extra fee when, for example, it would require a disproportionate effort. DrChrono may reject requests that are unreasonably repetitive, require significant technical effort (for example, developing a new subsystem or fundamentally changing an existing practice), risk the privacy of others or would otherwise be extremely impractical (for instance, requests concerning information residing on backup storage).
If you desire to deactivate your account, please have your provider contact us. Upon receiving such a request, DrChrono will deactivate your account and archive your personal information and Records. DrChrono may retain archived information for a period of five years (or longer if required by law) as necessary to comply with legal obligations, resolve disputes and enforce our agreements and other authorized uses under this Policy.
Unless you are an administrator that has administrative rights over another user’s account, you are not entitled to review another user’s personal information or Records. Accordingly, for information that you share with another user or other party through the onpatient website, you will not be able to access, update or delete that shared information pursuant to this Policy. Others may also submit personal information that identifies you (for example, when submitting medical family history). You will also not be able to access, update or delete that information pursuant to this Policy. Certain users—such as healthcare providers—may be required under HIPAA and other applicable laws to retain such information for extended periods of time. DrChrono will continue to retain such information on their behalf. Patients should submit requests to access or correct their health information directly to their providers.
DrChrono indefinitely stores non-personal information, including Engagement Data and de-identified health information, as well as any feedback you provide us.
Last updated October 6th, 2014.