Firewalls are fully implemented on our site. There are three basic types of firewalls: hardware firewalls, software firewalls, and web application firewalls (WAFs). Typically, an infrastructure has a combination of hardware and software firewalls, along with ones specifically designed for web applications, because apps create their own unique challenges and have become such a frequent target for intrusions. Making sure that this technology is deployed system-wide is one of the HIPAA compliant server requirements.
The VPN is encrypted.
We have our data backed up in an external location. This requirement is a reasonable way to ensure the EHRs are safe.
On all parts of our site (from the administrative control panel associated with the server to our CMS to the operating system running throughout the network), we have MFA (multifactor authentication). Multifactor authentication is similar to the other HIPAA compliant server requirements in that it must be applied everywhere, not just in some places.
Private Hosted Environment
We do not have a platform that shares resources with any other entities. We have achieved HIPAA compliant server requirements by working with a hosting provider with experience related to properly privatizing our infrastructure.
We have a secure sockets layer (SSL) certificate established throughout our site, for any domains and subdomains on which sensitive information is accessed. In other words, any part of our site that requires login credentials should always also be protected by SSL. Each server used for our site needs its own SSL certificate installed. Note that some companies provide certificates that can be installed on multiple or unlimited servers. Be aware that an EV certificate, creating a green address bar.
SSAE 18, SOC 1 and SOC 2 Certifications
Note that Statement on Standards for Attestation Engagements (SSAE) 18, created by the American Institute of Certified Public Accountants (AICPA), is more stringent, in some ways, than HIPAA is regarding security. It’s not a requirement for HIPAA, but seeing that certification should make you feel more confident that our company meets HIPAA compliant hosting requirements.
Business Associate Agreement (BAA)
If you use any outside entity to assist with our EHR, including a hosting company, you must have a BAA signed with that organization. That document does not clear you of your own responsibilities related to HIPAA, but it does delineate the role that the hosting company takes and ways in which they should be held liable for any breaches, etc.
Other Privacy Policies:
[Effective Date: Aug 13, 2018]
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
VeraSafe Privacy Program
Where a privacy complaint or dispute cannot be resolved through UMS’s internal processes, UMS has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Privacy Shield Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/
If your dispute or complaint can’t be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter into binding arbitration with you pursuant to the Privacy Shield’s Recourse, Enforcement and Liability Principle and Annex I of the Privacy Shield.
UMS is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
Basis of Processing
Information Collection and Use
For example, we may collect the following personal information from you:
- Contact Information such as name, email address, mailing address, and phone number
- Unique Identifiers such as user name and job title
- Demographic information such as education, gender, ethnicity and citizenship status
We may collect such personal information when you:
- Submit contact form(s) on our website
- Post comment(s) to our blog
- Subscribe to our email alerts and/or newsletter
- Request printed materials to be sent to you in hardcopy
- Send us your resume via our website
We may use this information to:
- Assess the needs of your business to determine suitable products and services
- Send you requested product or service information
- Respond to customer service requests
- Send you a newsletter or email alerts
- Send you marketing communications
- Process a job application
- Respond to your questions and concerns
- Improve our website and marketing efforts
We may also disclose your personal information:
- as required by law, such as to comply with a subpoena, or similar legal process;
- when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
- if UMS is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information; and
- to any other third party with your prior consent to do so.
If we must disclose your PII in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, we may not be able to ensure that such recipients of your PII will maintain the privacy or security of your PII.
User Access and Choice
You may correct, update, amend, or request access to or deletion of your information by emailing our Customer Support at privacy@PactonGlobal.com or by contacting us by telephone or postal mail at the contact information listed below. We will respond to your access request within 30 days.
If you wish to subscribe to our newsletter(s), we will use your name and email address to send the newsletter to you. Out of respect for your privacy, you may choose to stop receiving our newsletter or marketing emails by following the unsubscribe instructions included in these emails or by accessing the email preferences in your account settings page.
We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Tracking Technologies / Cookies
We use both session ID cookies and persistent cookies. A session ID cookie expires and is automatically deleted when you close your browser. When the user logs in to the website, a new session cookie will be generated, which will store the user’s browsing information and will remain active until the user leaves the website and closes the browser.
When the user restarts the browser and goes back to the website that had created the cookie, the website will not recognize the user. The user will have to log back in (if login is required). A session cookie tracks visitor behavior from page to page so the visitors don’t get asked repeatedly for the same information they had already given to the website. Session cookies allow users to proceed through many pages of a website quickly and easily without having to authenticate or reprocess each new area they visit. We are not using the information stored in session cookies for any other purpose nor are these shared with third party tools or websites.
A persistent cookie remains on your hard drive for an extended period of time. These files stay in one of the browser’s subfolders until these are deleted manually or the browser deletes them based on the duration period specified within the persistent cookie. Persistent cookies help websites remember user information and settings when they visit them in the future. This results in faster and more convenient browsing during subsequent visits. Some of the features made possible by persistent cookies include: language selection, theme selection, menu preferences, and internal site bookmarks or favorites, among many others. We are not using the information stored in persistent cookies for any other purpose nor are these shared with third party tools or websites. You can remove persistent cookies by following directions provided in your Internet browser’s “help” menu. If you configure your Internet browser to reject cookies, you may still use our website, but your ability to use some areas of our website will be limited.
Web Beacons / GIFs
Third party tracking technologies on our website may employ a software technology called clear GIFs (a.k.a. web beacons) that help us better manage content on our website by informing us what content is effective. Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies, and are used to track the online movements of website users. In contrast to cookies, which are stored on a user’s computer hard drive, clear GIFs are embedded invisibly on web pages and are about the size of the period at the end of this sentence. We are using analytics programs such as Google Analytics, HubSpot and Pardot. We do not tie the information gathered by clear GIFs to our visitors’ personally identifiable information, except for IP address. This information is used only for analytical purposes.
Analytics / Log Files
As is true of most websites, we gather certain information automatically through analytics programs such as Google Analytics, HubSpot and Pardot, and store it in log files. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information, which does not identify individual users beyond their IP address, to analyze trends, to administer the website, to track users’ movements around the website, and to gather demographic information about our user base as a whole.
Third Party Tracking
Behavioral Targeting / Re-Targeting
The security of your personal information is important to us. UMS has implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect PII from unauthorized processing such as unauthorized access, disclosure, alteration, or destruction. UMS maintains the international standard IS/ISO/IEC 27001, “Information Technology – Security Techniques – Information Security Management Systems – Requirements.”
Organizations can choose to comply with this information security management system standard, which contains managerial, technical, operational and physical security control measures commensurate with the information assets being protected and with the nature of our business. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security.
Links to Third Party Websites
UMS may provide links to Internet websites maintained by others. UMS is not responsible for the contents of, or any products or services offered in, those third party websites. You should be aware when you are leaving UMS’s website and be sure to read the privacy statements of each and every website that collects personally identifiable information. Any links provided by UMS to any third party website are provided to you as a convenience only. You should not infer that UMS endorses or accepts responsibility for non-UMS websites by the inclusion of any such links to those websites.
Blog / Forum
Our website may make message boards, forums, chat rooms, and/or news groups available to its users. Please understand that any information disclosed in these areas becomes public information. These areas shall be used in a noncommercial manner only. Except where expressly authorized by UMS, you agree not to store or collect data about other users on our website.
Social Media Widgets
Changes to This Policy
You can reach UMS through postal mail, phone or fax:
Attn: UMS Privacy Officer
Unified Medical Systems, Inc.
1320 Tower Road
Schaumburg, Illinois 60173
In case of any grievance, please email firstname.lastname@example.org. Grievances shall be redressed as expeditiously as possible, within 30 days of receipt.
If a privacy complaint or dispute cannot be resolved through UMS’s internal process, UMS has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure for EU- U.S. and Swiss-U.S. Privacy Shield disputes. To file a complaint with the Procedure, please submit the required information to VeraSafe here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/