Xealth recognizes the importance of the privacy and confidentiality of your protected health information (“PHI”).
Xealth provides a digital health platform (the “Xealth Platform”) that enables your physician and care team members (“Health System”) to provide you with digital content, apps or services that can help you manage your health. The Xealth Platform is used by Health Systems to connect digital health care solutions partners (“Partners”) with patients to increase patient education, engagement and improve outcomes.
What is Protected Health Information?
PHI includes all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information accessed by the Xealth Platform includes any information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.
How Does PHI Differ from Personally Identifiable Information?
Personally identifiable information (“PII”) is information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
The PHI shared on the Xealth Platform may, in some instances, include certain data metrics about you that do not identify you as an individual. For example, your PHI might only include your gender, weight, and age. In many cases, and whenever possible, no PII will be exchanged.
What Information Does Xealth Obtain About Me and How is it Used?
When a physician or a member of their care team selects a Partner for a patient, Xealth provides only the minimum amount of PHI the Partner needs in order to deliver its services.
Xealth temporarily stores data that would be necessary to ensure that the transfer of data was successful. For instance, if we know you scheduled an appointment with your doctor and that this visit means that you should get a video describing what to expect during your visit, we would hold onto the details of this visit until we are sure that our Partner has successfully processed the data and gotten you connected with the right solution.
If you are interested in the legal construct of the above, Xealth functions as a HIPAA Business Associate of its health system clients, facilitating the transfer of information between the health system and third-party Apps that clinicians may need to use, or request that their patients use, for permissible purposes under HIPAA.
The type of data Xealth temporarily stores, and the length of time it is stored, is bound by the data privacy and security obligations set forth in the Business Associate Agreement executed with each Xealth client (your Health System), along with any additional terms included in the underlying contracts. The specific data elements that may be accessed, as well as any retention or processing requirements, depend largely on the nature of the services requested by the Health System.
For instance, when we are processing data to help caregivers recommend digital solutions, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to keep HIPAA-related documents for a minimum of 6 years from when the document was created. In the case of policies, the time requirement is six years from the date the policy was last in effect.
In scenarios where PHI is exchanged with Partners (who operate as Business Associates of the Health System clients, subject to the legal framework established by HIPAA), the exchange is governed by the contractual relationship between that Partner and the Health System.
Perhaps most importantly, Xealth does not rent or sell PHI or transfer the data to anyone other than those specifically approved by our Health Systems.
Xealth may use PHI for its own internal management, administration, data aggregation and legal obligations, but only to the extent such use is permitted by our clients or required by the applicable Business Associate Agreement, and only where it would not violate HIPAA, including its Privacy Rule and Security Rule as they apply to Business Associates.
How is My Personal Health Information Protected?
By using the Xealth Platform, Partners can get access to the minimum amount of PHI that enables them to provide their services to the patient.
Maintaining the privacy and security of PHI made available via the Xealth Platform is vitally important to us. Xealth has implemented appropriate privacy safeguards to prevent unlawful use or disclosure of PHI. This includes administrative, physical, and technical security safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that we receive, maintain, or transmit.
All PHI stored in our system is encrypted at all times and secured in compliance with federal and state laws. In addition, those allowed to connect to the network use secure connections in accordance with applicable laws and industry standards.
Whenever possible, we aim to exceed the legal requirements in order to provide additional protection to our Partners and users. For this reason, we engage in the following additional safeguarding measures:
- Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
- Providing appropriate training for our staff to assure that our staff complies with our security policies;
- Making use of appropriate encryption when transmitting PHI over the Internet;
- Utilizing appropriate storage, backup, disposal and reuse procedures to protect PHI;
- Utilizing appropriate authentication and access controls to safeguard PHI;
- Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
- Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed.
Last Updated: February 18, 2022