Faces HIPAA Privacy Policy

Faces HIPAA Privacy Policy

Faces HIPAA Privacy Policy

Faces (“we, “us” or “our”) respects you and your (“User”) privacy and is committed to protecting it through our compliance with this Privacy Policy (“Policy”). This Policy is provided to you pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (“HIPAA”). 

This Policy is designed to inform you of our practices, under federal law, for collecting, maintaining, using or disclosing your personal information and client PHI through the Faces mobile application (the "App").

This Policy DOES apply to the types of information that:

  • We may collect or that you provide to us when you download, install, sign up on, access or use the App.
  • We may collect in this App and via email, text and other electronic communications sent through or in connection with this App.

This Policy DOES NOT apply to information that:

  • We collect offline or on any other apps or websites, including those you may access through this App.
  • You provide to or is collected by any third-party that is not used or controlled by us.

We are required by law to:

  • Maintain the privacy of personal information and your clients’ information
  • Provide you with this Policy of our legal duties and privacy practices with respect to your personal information and your client’s information
  • Notify you if you are affected by a breach of user data and/or personal information 
  • Follow the terms of this Policy that is currently in effect

HIPAA Notice of Privacy Practices

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule allows clients the right to receive a notice that describes how personal health information may be used and/or disclosed and how to acquire access to this information. We are fully committed to the spirit and letter of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including but not limited to the Privacy Rule that was issued pursuant to HIPAA. 

An important provision of the Privacy Rule is to protect sensitive, personal information. This information is referred to as Protected Health Information (PHI) and includes personally identifiable health care and demographic data.

Personal information concerning your clients’ health and treatment (PHI) will be provided to us by you, whether upon opening an Account, uploading or submitting the user data or otherwise. Any personal information or PHI that you choose to provide us will be protected following the most stringent standards of the HIPAA and other applicable laws.

Usage and Disclosure of Your Personal Information and PHI 

We are required to maintain the confidentiality of your personal information and PHI (collected through client consent & consultation forms), and thus, we have implemented strict policies, procedures and other safety measures to help protect your information from improper usage and disclosure. We protect your PHI in accordance with HIPAA, GDPR and all other applicable laws and regulations. Where an applicable state law or any other law or regulation requires more protection for the PHI besides HIPAA, we comply with that law or regulation as well.

We have described below various ways in which we may use the information among ourselves and disclose the PHI to other applicable persons and entities. We have not listed every possible usage or disclosure below, but all these ways come under one of the categories. Some of these uses and disclosures would require your specific authorisation.

The amount of PHI that we may legally use or disclose without your written permission will vary based on the circumstances, including the intended purpose of the use or disclosure. Sometimes we may only need to use or disclose a limited amount of PHI, while at other times, we may need to use or disclose more PHI.

The following list includes some of the ways that we may use or disclose PHI without written authorisation from you:

  • Disclosure at Your Request: If you ask us to send PHI to a third party, we will do so if we believe that your request is authentic. For example, we may use and disclose the PHI to another healthcare provider for treatment or other services to you. 
  • Business Associates: We provide some aspects of our services through contracts with business associates for whom we are legally responsible. Examples of our business associates include companies for secure server hosting, quality assurance reviewers, accreditation agencies and billing services. We may disclose your Personal Information or PHI to our business associates so that they can perform the jobs we have asked them to/they need to perform. To protect the PHI, we require our business associates to sign written agreements (BAA) to safeguard the PHI and use it only as we permit.
  • Healthcare Operations of Other Covered Entities: We can also share the PHI with other covered entities for their healthcare operations and with certain companies that provide those covered entities with services as their business associates. 

Few examples of covered entity’s healthcare operations may include using the PHI for quality assessment activities, disease management programs, improving quality of care, patient satisfaction surveys, benchmarking and other purposes. In each of these cases, these covered entities may only seek the PHI that is the minimum necessary* for their healthcare operations purposes.

*To the extent required by law, when using or disclosing PHI or when requesting the PHI from another covered entity, we will make reasonable efforts not to use, disclose or request more than the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations.

  • Specialized Government Functions: We may use and disclose the PHI to units of the government with special functions, such as the Government of the UK, under certain circumstances. We may use and disclose the PHI to authorised federal officials for intelligence, counterintelligence and other national security activities authorized by law. We may use and disclose PHI to authorised federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.
  • Lawsuits and Other Legal Disputes: We may use and disclose the PHI in response to a court or administrative order, a subpoena or a discovery request. We may also use and disclose PHI without your authorisation to the extent permitted by law in any other way related to our legal disputes, such as to defend against a lawsuit or in arbitration.
  • Law Enforcement Officials: We may disclose the PHI to the police or other law enforcement officials as required or permitted by law, including: (1) in response to a court order, subpoena, warrant, summons or similar process; (2) to identify or locate a suspect, fugitive, material witness or missing person; (3) when concerning the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; and (5) in emergency circumstances to report a crime, the location of the crime or victims or to report the identity, description or location of the person who committed the crime.
  • As Required by Law: We may use and disclose the PHI when required to do so by any other law not already mentioned in the preceding categories. For example, the Department of Health and Social Care (DHSC) may review our compliance efforts, which may include access to PHI.

Moreover, if we need to use the PHI for reasons that have not been described above, we will obtain your written permission, which is referred to as a written “authorisation.” If you authorize us to use or disclose PHI about you, you may revoke that authorisation in writing at any time. If you revoke your authorisation, we will no longer use or disclose the PHI for the reasons stated in that written authorisation, except to the extent we have already acted in reliance on your authorisation. Any revocation of an authorisation applies only to what you or your representative had authorized and does not apply to the situations above where we are permitted to use or disclose PHI without an authorisation. You understand that we cannot take back any disclosures that we have already made with your permission and that we are required to retain our records of the services we provide to you. 

For example, we must obtain your written authorisation before using the PHI to send you any information that HIPAA defines as marketing information. HIPAA considers communications about a product or service that encourage you to purchase or use that product or service to be marketing when that product or service is not one of our services or when we are paid to communicate about the product or service to you. We may send some types of communications to you that are not part of our Services but that are not considered marketing communications for which we would need your prior authorisation. We may send these communications to you directly, or one of our business associates may send them for us.

Rights Regarding Patient PHI

When you access and use the App, we may automatically collect certain details of your access to and use of the App, including traffic data, logs and other communication data and the resources that you access and use on or through the App.

Moreover, you have the following rights with respect to the PHI that we maintain about your clients. You must submit a written request to exercise these rights and obtain forms for any of these purposes by contacting us either by writing to us at our mailing address or sending an email.

  • Right to Inspect/Obtain a Copy: You have the right to inspect and get a copy of PHI maintained by our App and that is used in decisions about patient care. We may charge you a reasonable cost-based fee to cover copying, postage and/or preparation of a summary. We may deny your request in certain circumstances.
  • Right to Amend: If you believe the PHI created is inaccurate or incomplete, you may ask us to amend it in writing. We cannot delete or destroy any PHI already included in the consent forms unless you ask us to do so. You must provide a reason for your request. We may deny your request if you ask to amend information that: 

    (i) we did not create (unless the person or entity that created the information is not available to make the amendment);

    (ii) is not part of the information we maintain; 

    (iii) is not part of the information you are permitted by law to inspect and copy; or 

    (iv) is accurate and complete.

  • Right to Accounting of Disclosures: You have the right to ask for a list or “accounting” of disclosures we have made of your patient PHI. We are not required to list all disclosures, such as those you authorised or disclosures made for treatment, payment, health care operations and certain other purposes. You must state a time period, which may not be longer than 6 years. You may obtain one accounting in a 12-month period for free; we may charge you a reasonable fee for additional accountings of disclosures.
  • Right to Request Restrictions: You have the right to request a restriction or limit on how we use or disclose your patient PHI. You must be specific in your request for restriction. We are not required to comply with your request, except when you request that we restrict disclosure of your patient PHI to a healthcare item or service for which you have paid out-of-pocket in full and the disclosure is for the purpose of carrying out payment or healthcare operations, and not otherwise required by law.
  • Right to Request Confidential Communications: You have the right to request, in writing, that we contact you in a certain way, such as by mail or at alternative locations. You must specify how or where you wish to be contacted; we will try to accommodate reasonable requests.
  • Right to a Copy of This Policy: You have the right to a paper or electronic copy of this Policy.

Accessing and Amending Patient PHI or Personal Information 

You can review and change the PHI or other information by logging into the App and visiting your account profile page. We cannot change PHI or other information, nor can we delete PHI or other information except by also deleting your user account. 

If there is a problem with your data, we’ll help you fix it, or if you need data deleted, contact the data controller and data will be completed within 30 days.

We may deny access to PHI or personal information when required by law or if we believe such access would cause the PHI or other information of a third-party to be revealed.

Aggregated and De-Identified Information

Subject to applicable state and federal law, including but not limited to our obligations under HIPAA, we may license, sell or otherwise share aggregated, de-identified versions of PHI and other data (“De-identified Information”) with our subsidiaries, partners, customers, investors and contractors for any purpose. You agree and acknowledge that we are the sole and exclusive owner of any De-identified Information created by Faces and that you have no ownership or other intellectual property rights in or to such De-identified Information.

Sharing of Your Information with Third Parties

From time to time we may provide selected third-party partners for the provision of products and services, in return we may receive compensation in return. This allows us to continue offering our app to you free of charge.  You may well be contacted by phone, sms, Whatsapp or email.

Please note that we are a HIPAA-compliant company, and each of our third-party service providers has entered into a data processing agreement and a BAA (Business Associate Addendum) agreement with us, ensuring that they will respect your personal rights and freedoms and not use your information for any purpose unless, as mentioned in this Policy.

Data Retention

We will retain your personal information and client PHI for as long as we believe that it is accurate and can be relied upon. Data that is no longer required for the purpose for which it was initially collected will be deleted unless we have a valid justification to retain it that is permitted under applicable law, such as to resolve disputes or comply with our legal obligations.

Abiding by the HIPAA Data Retention requirements, we will store and retain your data for at least 6 years from the date of creation.

Security of Your Information and Data Transmission 

We have implemented strict technical, physical, administrative and organizational measures designed to secure PHI, Personal and other information from accidental loss and unauthorized access, use, alteration and disclosure. All your Personal Information and client data you provide to us is securely stored on our UK-based dedicated Amazon servers, which comply with applicable state and federal regulations.

Unfortunately, the transmission of PHI, personal or other information via the internet and mobile platforms is not completely safe and secure, and you are thus advised to exercise discretion on using the same. 

Although we do our best to protect PHI and your personal information, we cannot guarantee the security of your information transmitted through our App. Any transmission of PHI and other personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures that occur.

Confidentiality Policy

All your confidential information (personal data, bank details, PHI, etc.) must remain secure at all times. The safety and security of your information also depend on you. Where you have chosen a password for logging into and accessing our App, you are responsible for keeping this password confidential and are required to not share it with anyone. Whether by a person or a computer program, you should ensure that your password is not susceptible to being guessed. 

For our Services for which an amount(s) is/are payable, we may require you to pay with a credit card, debit card, net banking or other online payment mechanisms. We will collect your card information and will use that for the billing and payment processes, including but not limited to the use and disclosure of such information to third parties as necessary to complete such operation. Verification of this information, however, is accomplished solely by you through the authentication process offered by a third-party payment gateway. Your card details are transacted upon secure sites of approved payment gateways that are digitally encrypted. 

Moreover, information that we collect, and process may be transferred to or accessed by our personnel for the sole purpose of enabling the operation of the App and contacting you. Please note that all our personnel who have access to your information are under an obligation of strict confidentiality. And to run the App, we use some third-party software tools and services; they have access to some of your data under a confidentiality obligation.

Encryption

You must acknowledge that the transmission of unencrypted (or inadequately encrypted) data over the internet is inherently insecure, and we thus cannot guarantee the security of such sensitive data or information. 

You are required not to post or share any personal information or patient identifiable information on any platform not in connection with our App. Also, the email service that we provide may not be completely encrypted, so it is especially important that you do not use it for the transfer of PHI or personal information. 

If you choose to use the email service to transfer such data that you have yourself encrypted, then you do so at your own risk. 

Moreover, according to GMC (General Medical Council) and BMA (British Medical Association) guidelines, medical practitioners should not send any patient identifiable data across the internet as it may not be under encryption.

Email Disclaimer

As mentioned above, the information transferred via email may contain privileged and confidential information, including PHI and PII, which are protected by federal and state privacy laws. In case you send any information via email, we would assume (unless explicitly stated otherwise) that email communications are acceptable to you and you are well-informed of the risk involved. 

Furthermore, we may provide you with information (in the form of links, images, text, files and other formats) via email through our mobile channel to further facilitate communication between us and you. And while collecting your e-PHI using external forms or other means, we ensure that the third-party or custom application that we use complies with the HIPAA rules. 

Information collected through email may be shared with our customer service department, employees or applicable third parties that perform services on our behalf. Unless otherwise noted, email through our mobile channel may not be completely secure and encrypted and confidential means of communication.

Although it is unlikely, there is a possibility that any information you include in a non-encrypted email can be intercepted, accessed, viewed and/or read by other parties besides the person to whom it is addressed without your knowledge and permission while in transit to us.

Law Enforcement and Protection of Users and the App

We will, to the extent permitted or required by law, disclose user Personal Information to government/law authorities or third parties pursuant to a legal request, subpoena or other legal processes. We may also use or disclose your information as permitted by law to perform charge verifications, apply or enforce the App’s Terms & Conditions or protect our rights, interests or property and those of our clients and users. Following disclosure to any third party, your information may be accessible by others to the extent permitted or required by applicable law.

Updates to this Privacy Policy

We reserve the right to update this Privacy Policy at any time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. 

We will make reasonable efforts to post a clear notice on the App or will send you an email regarding such changes to the email address that you have provided us with. 

The new terms may be displayed on-screen, and you may be required to read and accept them to continue your use of our App.

Contact Us

For more information, or if you have questions or would like to make a complaint, please contact us by e-mail at [email protected] or by mail using the details provided below: Faces Consent, Anson Court. Centurion House. Staffordshire Technology Park, Stafford, STS, ST18 0GB, United Kingdom.

CONSENT TO SHARE AND RELEASE INFORMATION

Faces (“App”) may have access to and use my Personal Information (“PI”), which I provide to Faces as a User of the App. I understand that other applicable participants may also be able to see my user information, including PI that I post and/or disclose in the course of engaging with the App and/or Faces. Faces may provide PI to the third-party company for purposes of billing and payment for their services offered to me and running their App and services. Furthermore, Faces may share and use my PI to review and improve the quality of the App. I also understand that Faces may store my PI for the time period that is necessary under Faces’ policies regarding data retention.

You acknowledge that you have read and understood the terms of the Consent to Share and Release such Information.