Effective Date: November 20, 2018
MDofficeManager, LLC (“us”, “we”, or “our”) operates the www.MDofficeManager.com website (the “Service”).
1. Our Commitment to Privacy
Our customers and business partners also can access the Services via the Site.
As privacy laws and practices evolve, we will amend this Policy from time to time. While we will endeavor to give reasonable notice of such changes, we do reserve the right, where necessary, to do so without prior notice.
What is considered private?
Information that is used by a government authority, financial institution or insurance carrier to distinguish a person from other individuals ( e.g., social security number, social insurance number, credit card information, or insurance policy number) is private. Such information can be used to identify an individual (e.g., a person who works at a healthcare facility, or a resident or patient in a healthcare facility). Certain information may be used to contact a person directly (e.g., an email address, home mailing address or telephone number). Depending on the jurisdiction, the above identifiers are considered to be Personal Information (“PI”), Personally Identifiable Information (“PII”), Sensitive Personal Information (“SPI”) or a similar term, and it is private. An individual’s business contact information and business title generally are exempt from privacy laws. Information about an individual’s health, including insurance and billing information, is also considered – depending on the jurisdiction – to be PI, Protected Health Information (“PHI”), Personal Health Information (also known as “PHI”), Individually Identifiable Health Information (“IIHI”) or a similar term, and it also is private. In and the United States, the laws that primarily govern how we deal with the PI, PII, SPI, PHI and IIHI which you provide to us in relation to the Services are listed in Table 1.
For the remainder of this Policy, we will refer to all PI, PII, SPI, PHI, IIHI, and “Health Information” as “Personal Information” unless we specifically note otherwise. If we wish to refer only to information about a specific individual’s health but not to other forms of Personal Information, we will refer to “PHI.”
This Policy also will apply to non-personal information if such information can be used in combination with other Personal Information or non-personal information to identify an individual.
Please be aware that this Policy only covers information manually submitted to, or automatically collected by, us through use of the Site and/or the Services. If you contact or exchange information with another MDofficeManager, LLC customer or business partner in person or through a means other than through the Site or Services, such activity is not covered by this Policy. Additionally, if you are not a customer or a business partner of MDofficeManager, LLC by way of written agreement, and are contacting us out of interest in the Services, a business partnership or a job opportunity, please be aware that the information that you share with us is not covered by this Policy, unless required by law.
2. Personal Information Collection & Use
There are two ways Personal Information can be submitted to us. The first is through direct submission or what we call ‘Manual Submission’ and the second is by way of ‘Automatic Submission’ triggered by any interaction with the Site through a computer, Point of Care station, mobile device or tablet.
Personal Information can be submitted to us directly when you communicate with us offline (in person or by telephone), via email or via the Site (by entering data or uploading files) or when you authorize MDofficeManager, LLC to access, retrieve and/or import Personal Information from another user or third party on your behalf. Additionally, if you become a customer of MDofficeManager, LLC, you will be required to register by submitting Personal Information via the Services, email or offline. This could include name, email address, mailing address, telephone number(s) and other contact and billing information.
Whenever your computer, mobile device or tablet visits, logs in or otherwise interacts with the Site, we gather data from your device and the operating software of your device transmits a ‘request’ to us. That request includes non-personal information that is necessary to identify and route the information your device is requesting. This communication is necessary for all website and Internet services.
Types of Data Collected using cookies can include but not limited to:
- Date and time a ‘request’ is transmitted through the Site
• The model of the device making the request
• The type and version of the operating software running on the device
• The web browser used on the device and making the request
• IP address
• Geographic location
• Time zone
• Search terms used
• URLs visited
• Information about some of the cookies that are installed on your computer, mobile device or tablet
• Internet service provider
• Previous activity on the Site
to notify you about changes to our Service
to allow you to participate in interactive features of our Service when you choose to do so
to provide customer care and support
to provide analysis or valuable information so that we can improve the Service
to monitor the usage of the Service
to detect, prevent and address technical issues
to register customer accounts
• to contact customers to discuss their experience with the Services, current and future needs as a customer, or to communicate future promotions or special events which might benefit them
• to contact a prospective customer
• to provide our cloud-hosted SaaS Services
• to operate, maintain, manage and administer the Services, including processing registrations and payments, and diagnosing technical problems
• to respond to questions and communications
•to make service or administrative announcements to customers about unscheduled downtime or new features, services, products, functionality, terms, or other aspects of the Services
• to perform audits, research, measurements and analyses in an effort to maintain, administer, support, enhance and protect the Services, including determining usage trends and patterns and measuring the effectiveness of content, advertising, features or services
• to create new features, products or services
• to contribute to certain health and medical research (only non-personal
information will be used)*
• to provide bench-marking and performance tracking solutions*
*We may track and analyze non-identifying, aggregate usage, and volume statistical information from our visitors and customers and may provide such information to third parties. We are committed to ensuring privacy and protecting Personal Information. We also are committed to providing valuable insights and analytics to enable better performance and quality.
Additionally, we use Google Analytics to track and analyze page usage behavior to improve performance in the use of the Services and the Site. We use this to track only what page you are clicking on, and do not use it to track any Personal Information. You can read more about how Google uses your Personal Information here. You can also opt-out of Google Analytics here.
MDofficeManager is a cloud-based Software-as-a-Service (SaaS) platform designed to help health care providers manage both clinical and financial aspects of residents and patients in their care and to connect MDofficeManager are customers with a variety of related healthcare networks and service providers. We primarily collect Personal Information as necessary to communicate with you and/or to provide the Services. Some Personal Information (but not PHI) also may be collected for marketing and sales purposes (e.g., if you complete a form to register for a webinar or download content, or if you visit a part of our Site where we deploy cookies from LinkedIn, Facebook, Twitter, etc. [in which case, their privacy policies will apply]).
Personal Information and non-personal information may be used for the following reasons:
We may also collect information how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
Examples of Cookies we use:
Session Cookies. We use Session Cookies to operate our Service.
Preference Cookies. We use Preference Cookies to remember your preferences and various settings.
Cookies and purpose:
MDofficeManager uses a persistent cookie to help save and retrieve org codes for a user who has accessed the Services. We issue a session cookie  only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the username or password of a customer. For user convenience, in relation to touchscreen logins, we also use a non-session-based cookie to store a user’s ID; however, this is configurable. We do not store passwords in session cookies, persistent cookies or headers. If a cookie is rejected, access to and usage of the Services will be denied. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
≈ Piwik or Matomo
Mixpanel is provided by Mixpanel Inc
You can prevent Mixpanel from using your information for analytics purposes by opting-out. To opt-out of Mixpanel service, please visit this page: https://mixpanel.com/optout/
• saving user preferences
• preserving session settings and activities
• providing limited auto-fill functionality for those who use the Services frequently
• analyzing various features and content of the Services
We will never sell your Personal Information (or non-personal information if it can be used in any way to identify you).
Support, Education Services and Purchase Orders
Personal Information collected through the Site may be accessed and used by MDofficeManager to respond to customer requests for support, to provide education or consulting services and/or to confirm customer compliance with the terms of its purchase (as set forth in signed orders). This may include testing and applying new product or system versions, patches, updates and upgrades; monitoring and testing system usage and performance; and, resolving bugs and other issues which a customer reports to MDofficeManager.
Personal Information collected for these purposes is only used for time periods relevant to fulfill such purposes.
Provider Directories and Communication Services
As a customer of MDofficeManager, LLC, and depending on the Services you subscribe to or enroll in, your contact and directory information may be listed in one or more public or professional directories. These directories may include profile information such as contact information or name.
We also offer services that facilitate communications, including secure and encrypted transmission of data between users and non-users through in-product instant messaging services, service-branded emails, short message service (“SMS”) and other electronic communication channels. The identity of the sender and the receiver always will be evident with every communication transmitted via the Services. The information you choose to share with such parties is not the responsibility of MDofficeManager, LLC. We cannot take responsibility for the actions of other users or persons with whom you share information, including Personal Information.
MDofficeManager, LLC Annual SUMMIT, Community Forums and Surveys
Many MDofficeManager, LLC customers share their experiences of the Services, either at our annual SUMMIT, Convention, or online via customer-driven Community Forums. During our annual SUMMIT, we may solicit testimonies of the Services or your relationship with MDofficeManager, LLC, either as a customer or business partner. We will never use any such testimony, or video or audio footage, in conjunction with information that identifies you (or the organization you represent) without your express consent.
Community Forums are public and allow customers to communicate between each other and, possibly, with the general public. Any information posted within Community Forums is public and we recommend against any disclosure of Personal Information or other sensitive information that could be traced, directly or indirectly, to an individual.
From time to time, we may ask customers to complete surveys or ratings about the provision of the Services or of their own health care practices and operations. You should assume that the content of any Personal Information you provide would not be maintained in confidence. We will, however, tell you why we are collecting your responses and how they will be used. In completing such surveys, be mindful of what Personal Information is disclosed. We recommend against sharing any PI, PHI or other sensitive information that could be traced, directly or indirectly, to any individual.
Transfer of Data
Your information including Personal Data, may be transferred to — and maintained on — computers located outside of your state,province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.
If you are located outside United States and choose to provide information to us, please note that we transfer the data, including Personal Data, to United Stated and process it there.
Your consent to this Privacy Police followed by your submission of such information represents your agreement to that transfer.
Disclosure of Data
MDofficeManager, LLC may disclose your Personal Data in the good faith belief that such action is necessary to:
Θ To comply with a legal obligation
Θ To protect and defend the rights or property of MDofficeManager, LLC
Θ To prevent or investigate possible wrongdoing in connection with the Service
Θ To Protect the personal safety of users of the Service or the public.
Θ To protect against legal liability
4. Consent and Authorization
By visiting the Site, you are consenting to the use of your Personal Information for the aforementioned purposes. On occasion, we may request additional consent in connection with the use or sharing of Personal Information for a purpose not stated in this Policy or because the law requires such consent.
If you are a customer or business partner of MDofficeManager, LLC, we will never use your Personal Information in a manner not otherwise provided for in our written contracts with you, authorization forms you provide to us, or this Policy.
5. Protecting Health Information
As a provider of hosted, electronic health record solutions, MDofficeManager, LLC customers are health care providers and subject to laws and regulations governing the use and disclosure of PHI. In the United States, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health of 2009 (“HITECH”), along with the regulations adopted under those statutes, and similar state laws (where those laws are more stringent than HIPAA) govern the handling of PHI. Other laws may apply with respect to specific customers, as set forth in our contracts with those customers. Health care providers are considered to be Covered Entities under HIPAA and are subject to its rules regarding PHI. If a provider delegates some of its work to a third party, and that party must access PHI in order to perform the work, then such party is considered by HIPAA to be a Business Associate and is subject to the same rules regarding the protection of PHI as the Covered Entity. To enforce protection, HIPAA requires Covered Entities to execute a “Business Associate Agreement” or ”BAA” with each of its Business Associates. Our U.S.-based customers are required to sign a BAA with us. As a Business Associate, we are required to use reasonable and appropriate measures to safeguard the confidentiality, integrity and accessibility of PHI that is stored and processed on behalf of Covered Entities. From time to time, the terms of MDofficeManager, LLC’s standard BAA, and/or similar agreements may be posted on the Site.
6. Sharing Your Personal Information
Third-Party Websites, Software and Services
Our Site contains links to third-party websites, software and services. Customers and visitors who access a linked website via the Site may be disclosing Personal Information. It is the responsibility of the user to keep Personal Information private and confidential. Additionally, we allow third-parties to offer services to our customers through integration with the MDofficeManager software platform (“Connected Services”). Customers’ use of Connected Services is optional. Customers that choose to use a Connected Service acknowledge and authorize the transmission of Personal Information to a third party. We are not responsible for, nor can we control, the privacy practices of third parties. A third party’s use, storage and sharing of your Personal Information is subject to its own privacy policies and not this Policy.The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
We may employ third party companies and individuals to facilitate our service (“Service Providers”), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
We may use third-party Service Providers to monitor and analyze the use of our Service.
Link To other Sites
We may need to preserve, use or disclose your Personal Information in response to a court order, subpoena, search warrant, judicial proceeding or other legal process, if we have a good faith belief that the law requires us to do so, or to otherwise protect our rights. Some legal procedures may prohibit or prevent us from notifying users, other individuals or entities identified in such procedures or may compel us to take measures otherwise in violation of this Policy or a written agreement you have with us.
Personal Information preserved as a result of legal procedures can be maintained for an indefinite period of time and for as long as we have a good faith belief that it is necessary and appropriate under the circumstances.
These procedures may also involve your information; for example, if you’re contractual relationship with us has been terminated or disabled.
Our Service does not address anyone under the age of 18 (“Children”).
We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Children has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.
Business Reorganizations or New Management
There are two situations where we will need to share your Personal Information with a third party as a result of a business reorganization. The first situation concerns the acquisition of MDofficeManager, LLC by a third party, and the second concerns the acquisition of our customers. A reorganization involves a sale, merger, transfer, exchange or other disposition of all or part of a business.
If such a transaction occurs, be aware that your Personal Information may be made available to the acquiring party. If the reorganization concerns one of our customers, MDofficeManager, LLC requires the parties participating in the sale to show written evidence of the completed transaction, or some alternate form of written authorization (by both the buyer and the seller), to transfer Personal Information hosted by the Services from the seller to the buyer. A change in management of a customer facility could involve similar authorization requirements, if data must be transferred from the prior management company to the new management company (or to the owner).
We will not disclose your Personal Information to a party without sufficient and proper authorization from you, unless required by law.
7. Security, Threats and Breach Notification
Our Services have physical, administrative and technical security measures in place to protect against the loss, misuse, unauthorized access and alteration of data and Personal Information under our direct control. When the Services are accessed using current browser technology, Secure Socket Layer (“SSL”) technology protects information using both server authentication and data encryption to help ensure that data is safe, secure, and available only to you. MDofficeManager, LLC also implements an advanced security methodology based on dynamic data and encoded session identifications, and hosts the Services in a secure server environment which uses a firewall and other advanced technology to prevent interference or access from outside intruders. Unique user names and passwords also are required and must be entered each time a customer logs into the Services.
We are committed to educating our staff about the protection of Personal Information, and the importance of compliance with relevant privacy legislation and company policies. Employees and contractors are required to sign confidentiality agreements.
These safeguards help prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of Personal Information; however, it is important to remember that no system can guarantee 100% security at all times. In the event that we detect a threat to security or a security vulnerability, we may attempt to contact you to recommend protective measures. Additionally, incidents of suspected or actual unauthorized handling of Personal Information are always directed to MDofficeManager, LLC’s Legal & Compliance team, which is responsible for determining escalation and response procedures, depending on the severity and nature of the incident. Incidents involving unauthorized handling of PHI will be governed by relevant legislation and, where applicable, the provisions of a BAA or similar agreement with a customer. If MDofficeManager, LLC determines that Personal Information has been misappropriated or otherwise wrongly acquired, MDofficeManager, LLC will report such misappropriation or acquisition to you promptly.
For customers who purchase Connected Services, it is important to note that the third-party vendors that provide Connected Services to you may have different procedures in place to protect your Personal Information than the standards MDofficeManager, LLC has implemented. We cannot be responsible for their policies or their compliance with them, regardless of whether we have integrated their solutions with our Services and/or made them available to you.
8. Openness, Transparency and Access to Personal Information
Upon written request by an authorized individual, MDofficeManager, LLC will allow access to any PHI collected and stored about such individual, unless providing access could reasonably be expected to interfere with the administration or enforcement of the law or it is impracticable or impossible for MDofficeManager, LLC to retrieve the PHI. However, MDofficeManager, LLC will first direct the individual to the applicable customer with the request that the customer provide such access to the individual as the majority of our contracts make the customer the appropriate party to respond to access requests. When provided with reliable evidence of an error in PHI data, MDofficeManager, LLC will correct any inaccurate PHI, unless to do so would interfere with the administration or enforcement of the law. However, where such a request comes from an individual whose PHI allegedly contains an error, MDofficeManager, LLC will first direct the individual to the applicable customer, with the request that the customer review the request and inform MDofficeManager, LLC whether there is, in fact, any clinical merit to the claim that an error exists (and, if so, will require the customer’s written authorization and instruction to correct such error). Unless otherwise prohibited or restricted by the applicable customer, MDofficeManager, LLC may transmit any corrected PHI to third parties that have had access to the erroneous PHI. Please note that any deletions performed by MDofficeManager, LLC to correct an error in PHI will only be “soft” deletes (i.e., the data will no longer be viewable from the front end of the platform). In order to be able to address any concerns about fraud which may be raised in the future by, for example, a resident or a government agency, we will retain evidence of: (i) the deletion; (ii) your authorization to make the deletion; and, (iii) the prior version of the data.
If customers or their users need to update or change their Personal Information stored by us, they may do so by editing the organization or user record via the Services.
9. Retention and Deletion
MDofficeManager, LLC will retain Personal Information: as necessary for the purposes outlined in this Policy; for as long as a customer account remains active; as required to manage and administer the Services; as required to carry out legal responsibilities (e.g., legal holds and other legal procedures); to resolve a dispute (including enforcement of a contract); or, as communicated to you at the time of collection. After all applicable retention periods have expired, we will delete or destroy your Personal Information in a manner designed to ensure that it cannot be reconstructed or read. If, at any time, it is not feasible for us to delete or destroy your Personal Information, we will continue using the same safeguards of protection and security outlined in this Policy and related subordinate policies, for as long as it cannot be destroyed.
10. Cross-Border Transfers
Unless otherwise specified, MDofficeManager, LLC provides the Services from its headquarters in Marietta, Georgia, and hosts customer’s production database in the customer’s country of residence. In the case of American customers, MDofficeManager, LLC may access a customer’s data from for purposes of, for example: responding to support requests; fixing software issues; or, providing services to a customer on the back end of the platform (e.g., correcting errors in a resident record [subject to the conditions set forth in Section 8 of this policy], adding/removing a facility’s data to/from a customer’s database in the event of a purchase/sale/change in management, or performing simulation testing of our disaster recovery plan).
In the event of a disaster affecting MDofficeManager, LLC’s data center, we will host American customers’ data in India until the disaster is addressed.
11. Opt-Out Policy
We offer visitors to the Site and our customers using the Services a means to choose how we may use the information they provide to us. If, at any time, you change your mind about:
- i) our use of Personal Information submitted to the Site;
- ii) our use of Personal Information submitted viathe Services;
iii) receiving notices from us (including automatic notifications about updates to the Services and the frequency with which we send you such messages); or
- iv) receiving marketing or sales notices from us, including special offers, product enhancement details, event information, etc.;
- v) sharing your non-personal information with third parties (as described in this Policy), send us a request specifying your choice or change of permission by contacting us.
Please note that, if you choose to impose certain restrictions on our use of your Personal Information – e.g., if we may no longer access your database to perform any necessary quality testing or disaster recovery testing – you may no longer be able to use the Services. Similarly, if you choose to unsubscribe from receiving notifications or messages from us, your customer experience in using the Services may be compromised. If complying with your request would result in termination of the Services, we will make that clear to you and confirm that this is what you want before proceeding.
12. The MDofficeManager, LLC Vendor
The MDofficeManager, LLC Vendor (the “Vendor”) is a directory of products and services that are integrated with MDofficeManager, LLC services. MDofficeManager, LLC customers may use the Vendor to browse, locate, or request information for integrated products and services. These products and services are offered by third parties not affiliated with MDofficeManager, LLC. While MDofficeManager, LLC may integrate third-party products and services into MDofficeManager, LLC services, you understand and agree that MDofficeManager, LLC in no way controls or is responsible for any third-party product or service on the Vendor. MDofficeManager, LLC will not be liable for your interactions with any organizations or individuals found on the Vendor. You will need to contract separately for the integrated products and services offered by those third parties, and those dealings are solely between you and such organizations or individuals. Your use of any third-party product or service will not affect your relationship with MDofficeManager, LLC. MDofficeManager, LLC will require further consent or authorization prior to sending any of your or your employer’s or patients’ information or data to any third party with which you have a contract.
14. Contact Us
If you believe your Personal Information has been used in a way that is inconsistent with this Policy or your specified preferences, or if you have further questions related to our privacy practices, please contact us by mail at the address below:
Table 1: Privacy Laws Applicable to the Services
(includes any amendments and implementing regulations)
|Type of Personal Information Governed by the Law||Jurisdiction|
|Health Insurance Portability and Accountability Act of 1996, P.L. 104-191||Protected Health Information||United States|
|Health Information Technology for Economic and Clinical Health Act of 2009, P.L. 111-5, Title XIII (Amends HIPAA)||Health Information and Individually Identifiable Health Information||United States|
|Personal Information Protection and Electronic Documents Act, SC 2000, c. 5||“An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions….”
Personal Health Information is expressly excluded from Part 1 (“Protection of Personal Information in the Private Sector”).
|Digital Privacy Act, SC 2015, c. 32 (Amends PIPEDA) including email, text, or computer data||Personal Information|
A session cookie exists only in temporary memory while the user navigates a website or web-based application (i.e., the Services). Web browsers normally delete session cookies when the user closes the browser.