Xealth Privacy Policy

Xealth recognizes the importance of the privacy and confidentiality of your protected health information (“PHI”).

Xealth provides a digital health platform (the “Xealth Platform”) that enables your physician and care team members (“Health System”) to provide you with digital content that can help you manage your health. The Xealth Platform is used by Health Systems to connect digital health care solutions partners (“Partners”) with patients to increase patient education and engagement and to improve outcomes.

Xealth handles PHI in connection with delivering this service. This Privacy Policy (“Privacy Policy”) explains Xealth’s role in accessing, transmitting, and maintaining PHI via the Xealth Platform.

What is Protected Health Information?

PHI includes all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information accessed by the Xealth Platform includes any information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

How Does PHI Differ from Personally Identifiable Information?

Personally identifiable information (“PII”) is information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

The PHI shared on the Xealth Platform may, in some instances, include certain data metrics about you that do not identify you as an individual. For example, your PHI might only include your gender, weight, and age. In many cases, and whenever possible, no PII will be exchanged.

What Information Does Xealth Obtain About Me?

Xealth’s Platform enables secure and reliable movement of electronic clinical health and demographic information between Health Systems and Partners. When a physician or a member of their care team selects a Partner for a patient, Xealth will provide the minimum amount of PHI required so that the Partner can deliver the value of its services. Where PHI is exchanged, the exchange is governed by the contractual relationship between that Partner and the Health System and is usually covered by a Business Associate Agreement.

How is My Personal Health Information Used & Protected?

By using the Xealth Platform, Partners can get access to the minimum amount of PHI that enables them to provide their services to the patient.

Maintaining the privacy and security of PHI made available via the Xealth Platform is vitally important to us. Xealth has implemented appropriate privacy safeguards to prevent unlawful use or disclosure of PHI. This includes administrative, physical, and technical security safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that we receive, maintain, or transmit.

Xealth does not store PHI other than as a numeric representation of a patient ID. In other words, a patient’s identity is anonymized by substitution with a unique number representing that patient.

All PHI stored in our system is encrypted at all times and secured in compliance with federal and state laws. In addition, those allowed to connect to the network use secure connections in accordance with applicable laws and industry standards.

Whenever possible, we look to exceed the legal requirements for additional protection to our Partners and users. For this reason, we engage in the following additional safeguarding measures:

  • Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
  • Providing appropriate training for our staff to assure that our staff complies with our security policies;
  • Making use of appropriate encryption when transmitting PHI over the Internet;
  • Utilizing appropriate storage, backup, disposal and reuse procedures to protect PHI;
  • Utilizing appropriate authentication and access controls to safeguard PHI;
  • Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
  • Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed.

Xealth does not rent or sell PHI.

Xealth may use PHI internally for our own internal management, administration, data aggregation and legal obligations, but only to the extent such use of PHI is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA, including its Privacy Rule or Security Rule as applicable to Business Associates.

Updates to our Privacy Policy

We may change this Privacy Policy. Any changes to this Privacy Policy will become effective when we post the revised Privacy Policy on the Xealth Platform, make it available through the Xealth Platform, or otherwise notify you. Any change to this Privacy Policy will be effective for all information that we maintain, even information in existence before the change. Your use of the Xealth Platform following these changes means that you accept the revised Privacy Policy.

Contacting Us

If you have any questions about this Privacy Policy, please contact us by email at privacy@xealth.io. Please note that email communications are not always secure, so please do not include sensitive information in your emails to us.

Last Updated: November 17, 2016