How does The Health Portability and Accountability Act (HIPAA)
control the use and security of your health information?
HIPAA does not control your use of your health information. HIPAA grants you the legal right to view and access your legal health record. It is a set of federal rules designed for health care providers, health insurance companies and other identified “covered entities” that control who can look at and receive your health information. HIPAA regulations also ensure that your privacy is protected to the greatest extent, with best practice policies and safeguards in place to minimize any exposure or misuse.
Must MyID comply with HIPAA?
No, we are working on behalf of health care consumers who are exercising their legal right to obtain, aggregate and use their own health information. Because we are not what the federal government considers a “covered entity”, MyID is not subject to HIPAA regulations.
Just because MyID is not legally required to be HIPAA compliant does it still meet its security standards?
Yes! We respect your privacy and understand the importance of securing your information. Therefore we choose to meet the highest possible standards to earn your trust. We meet the technical, physical and administrative safeguard requirements defined by the HIPAA Security Rule to be considered “safe” with regards to privacy protection for the MyID Private Profile. The MyID Public profile is designed to be shared in case of emergency and falls outside of HIPAA for this reason.
In addition to following HIPAA security recommendations, MyID adheres to the FTC's Security by Design Guidelines:
- Data security is carefully considered for each component of the MyID platform
- Data is encrypted both in transit and at rest
- MyID uses two-factor authentication
- MyID is protected from common vulnerabilities
- Our team stays current with knowledge of new vulnerabilities and keeps software appropriately updated
MyID servers and supporting systems are protected from hackers and network intrusion using firewalls and other leading security measures.
CONTROLLED EMPLOYEE ACCESS
Certain MyID employees and system administrators may need to access the MyID system to provide operational / administrative support. Access rights are strictly controlled and access is only granted to those who require it to support the MyID system and its users. All MyID employees and subcontractors are required to sign confidentiality agreements. Access to the system is only granted after validation of the user’s identification credentials, assigned role and system permissions.
Users must enter their username and password to be granted access to the MyID system. These credentials are created by users upon registration. To reset a password, the information will be sent to the user’s email on file. If two-factor authentication is enabled, then once the user enters the account password a unique passcode is sent via text message. Administrators will not have access to user passwords and passwords can only be reset by following a link sent by email upon user request.
Encryption provides a secure way for users to exchange information with web sites via their web browsers by “scrambling” the information as it is submitted. This makes it unusable to anyone who does not possess a protected decryption key to “unscramble” the information. MyID provides encryption for user interactions through Secure Socket Layer (SSL) technology using a robust 256 bit encryption key. MyID also leverages industry best practice encryption standards (e.g. S/MIME, X.509 certificates, TLS) whenever health information is transmitted in or out of MyID.
PHYSICAL SITE SECURITY
The MyID servers and supporting systems are physically secured and protected in Amazon Web Services' world class data centers in the United States. Access to the physical systems is carefully controlled by security measures including multiple levels of authentication requirements (e.g. user keys, biometrics), security guard and registry check-in requirements, and state of the art security monitoring and alerting systems.
TRACKING ACCESS AND DISCLOSURES
According to HIPAA standards, MyID logs or the User logs pertinent details, anytime health information is viewed edited or exported in order to ensure the integrity of the system.
PERSONAL IDENTIFIABLE INFORMATION/ PUBLIC PROFILE
Mobile Apps (“Apps”), including information related to your past use of the Websites. Your Personal Information is information about you that may or may not be personally identifiable like your user name, password, email address, or personal profile data that is not otherwise publicly available. Your Personal Information also includes all of the information that you input onto the MyID Website or MyID App and which is also accessible via QR code reader. This policy does not apply to the practices of companies that MyID does not own or control or to people that MyID does not employ or manage. All Personal Information that is entered into the Websites or App by you is private to you except to the extent that you opt to share such Personal Information with other persons who may access the Websites and App. Other than for the reasons explicitly described below, it is the policy of MyID not to disclose Personal Information to any third party at any time.
Conversely, given that a portion of the purpose of the Websites and App is to share what its customers have experienced with others, our policy regarding Submissions is very different. While our objective is to safeguard your identity, privacy and anonymity, our goal is also to publicly publish and promote the Submissions that describe what you have experienced without identifying who you are so that others can recognize experiences that have been shared by people who are similar in background to themselves. Always use caution when giving out any personally identifiable information about yourself, other family members or friends in the Websites and App. MyID does not control or endorse the content, messages or information exchanged by means of the Websites and, therefore, MyID specifically disclaims any liability with regard to the Websites and App and any actions resulting from your participation in the Websites and App.
MyID collects Personal Information when you register with, use or visit the Website, and when you visit the pages of certain MyID partners. MyID may combine information about you that we have with information we obtain from business partners or other companies. When you register, we ask for information such as your user name, password, email address, and personal profile. Once you register with MyID and sign in to a Website you may not be completely anonymous to us. MyID may collect information about your transactions with us and with some of our business partners. MyID may set and access cookies on your computer.
MEDICATION REMINDERS WITHIN THE APP
The MyID Application is intended as a helpful backup reminder system that you can personalize for taking your medications. You should not and must not rely on the Application as your primary tool for determining whether and when to take medication, the Application might not function as intended. Specifically, the Application will not function properly if your device is broken or powered off, if the Application software is not enabled or if any hardware or software on your device prevents the Application from operating as intended. The maintenance of your mobile and computing devices is your responsibility. You acknowledge that the Application, and the utility of any of its alerts or notifications, depends on information that you input into the Application. You are solely responsible for ensuring that the correct medication is taken at the proper times and in the proper dosages. Persons using the Application assume full responsibility for the use of the Application and agree that we are not responsible or liable for any claim, loss, or damage arising from the use of the Application.
MyID DATA COLLECTION
MyID may automatically receive and record Personal Information on our server logs from your browser, including your IP address, MyID cookie information, and the pages you request.
HOW MYID USES DATA
MyID may use Personal Information for the following general purposes: to customize the content you see, fulfill your requests for products and services, improve our services, provide paid content, contact you, conduct research, and provide reporting for internal and external clients.
MyID does not rent, sell, or share your Personal Information with third parties except to provide products or services you’ve previously requested, or unless we have your express permission, or under the following circumstances:
We provide the information to trusted partners who work on behalf of or with MyID under confidentiality agreements. These companies may use your Personal Information to help communicate with you about news and information related to MyID. However, these companies do not have any independent right to share this information.
We transfer information about you if MyID is acquired by or merged with another company.
California Residents: Your California Privacy Rights Under California law, our Members customers that are California residents may request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. As detailed above, we do not share our customer’s personal information with unaffiliated third parties for direct marketing purposes without their approval.
If at any time you wish to opt out of having your Personal Information shared with third parties and or receiving information from MyID (via email or postal mail) about new products, services, or promotions, you can do so. You may contact us by emailing us at firstname.lastname@example.org. Please indicate what publications or services you no longer wish to receive so that we may better address your needs.
MyID believes that it is especially important to protect children’s privacy online. MyID does not knowingly collect or use any Personal Information from children under the age of 13 and MyID does not knowingly provide any Personal Information, regardless of its source, to any third party for any purpose whatsoever from visitors younger than 13 years old. No information should be submitted to or posted at MyID by visitors younger than 13 years old.