At MeddiPop (“MeddiPop”, “we”, “us”, “our”), we take all necessary measures to comply with the most stringent privacy and security regulations. In addition, to the Delaware Online Privacy and Protection Act (“DOPPA”) and the EU`s General Data Protection Regulation (“GDPR”) compliance, we work hard meet or exceed industry standards with respect to the U.S. Health Insurance Portability and Accountability Act (“HIPAA”) of 1996.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) establishes two important rules for in connection with the use of protected health information: the security provision and the privacy provision, which are established under a general HIPAA category called the Administrative Simplification Act. Both provisions affect the transmission, storage, and management of protected health information.

In the security provision: the HIPAA security provision became effective on April 21, 2003. Its purpose is to protect confidential medical information. The security provision establishes guidelines to facilitate the storage, maintenance, and transmission of protected health information in a “secure electronic environment”. This includes administrative procedures and physical safeguards, as well as technical measures to control and monitor access to protected health information and prevent unauthorized access to data during transmission.

Privacy Rule: HIPAA’s privacy rule addresses the use and disclosure of protected health information and became effective April 14, 2001. The Privacy Rule requires to make reasonable efforts to limit the use and disclosure of such protected health information by staff to the “minimum necessary” to perform their services. Service Providers are further expected to limit the likelihood of “inadvertent disclosure” to individuals for whom there is no reasonable need to know as a matter of law. In addition, service providers must maintain a log of disclosures of certain protected health information that is not directly related to the patient’s care.

Our Policy

To implement these requirements for business associates and to protect the confidentiality and integrity of protected health information received, the HIPAA Policy sets forth the following:

• It provides that MeddiPop will retrieve and use confidential protected health information provided by its users only to the extent necessary to perform customer service and support.
• It restricts access to such data to those employees and agents who provide specific service and support.
• It prohibits the disclosure of protected health information provided by users to anyone who is not an employee or agent of MeddiPop, unless specifically authorized by MeddiPop and by the service user, as appropriate.
• It requires all MeddiPop employees and agents to report any use or disclosure of protected health information in violation of our HIPAA Policy.
• It provides that MeddiPop will investigate all reports that protected health information has been used in a manner not permitted by our HIPAA Policy and will impose appropriate sanctions on conduct prohibited by the policy.
• It specifies that MeddiPop employees who may come into contact with protected health information receive training on our privacy and security policies and the importance of protecting the confidentiality and security of protected health information.
• It provides for transferring protected health information provided by users in a secured manner so that the integrity, confidentiality, and availability of the data is protected.

In addition to complying with HIPAA security recommendations, MeddiPop adheres to the FTC’s Security by Design Guidelines:

• Data security is carefully assessed for each component of the MeddiPop platform
• Data is encrypted both in transit and at rest
• MeddiPop is protected against common vulnerabilities
• Our team keeps up to date with new vulnerabilities and keeps the platform updated accordingly

Network Protection

MeddiPop servers and supporting systems are protected from hackers and network intrusion by firewalls and other leading security measures.

Controlled Employee Access

Certain MeddiPop staff and system administrators may need to access the MeddiPop platform to provide operational / administrative support. Access rights are strictly controlled, and access is granted only to those who need it to support the MeddiPop platform and its users. All MeddiPop employees and subcontractors are required to sign confidentiality agreements. Access to the system is granted only after validation of the user’s identification data, assigned role and system permissions.

Encryption

Encryption provides users with a secure way to exchange information. This makes it unusable for anyone who does not have a protected decryption key to (decrypt) the information. MeddiPop provides encryption for user interactions through Secure Socket Layer (SSL) technology with a robust 256-bit encryption key. MeddiPop also uses industry-proven encryption standards, TLS) when health information is transmitted into or out of MeddiPop.

Physical Security 

The MeddiPop server and supporting systems are physically secured and protected in world-class data centers. Access to the physical systems is carefully controlled through security measures at multiple levels. of authentication requirements (e.g., user keys, biometrics), security guard and registration check-in requirements, and state-of-the-art security monitoring and alert systems.

Access tracking and disclosure

In accordance with HIPAA standards, MeddiPop logs relevant details each time health information is viewed, edited, or exported to ensure system integrity.

Your HIPAA Rights

When it comes to your health information, you have additional rights. To exercise any of these rights, contact us at the contact information listed above.

In particular:

• You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you.
• You can ask us to correct health information about you that you think is incorrect or incomplete.
• You can ask us to contact you in a specific way (for example, home or office phone) or at a specific location (for example, to send mail to a different address).
• You can tell us your choices about what we share.
• You can ask us to limit what we use or share
• You can get a list of those with whom we have shared information
• You can get a copy of this Notice
• You can choose someone to act for you
• You can file a complaint if you feel your rights are violated

We encourage you to contact us if you have any information requests, requests for information or objections about data processing or concerns. However, you also have the right to file a complaint with your local supervisory authority. However, we would appreciate it if you would contact us with your concern before turning to a supervisory authority.

Updating your information

If you believe that the information, we hold about you is inaccurate or request its rectification, deletion, or object to its processing, please do so by contacting us.

Withdrawing your consent 

You can withdraw consents you have given at any time by contacting us. 

Access Request 

In the event you want to make a Data Subject Access Request, please contact us. We will respond to requests regarding access and correction as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days, we will tell you why and when we will be able to respond to your request. If we are unable to provide you with any PII or to make a correction requested by you, we will tell you why.

Validity and questions

This HIPAA Statement was last updated on Wednesday, April 12, 2023, and is the current and valid version. However, we want to point out that from time to time due to actual or legal changes a revision to this statement may be necessary. If you have any data protection questions, please feel free to contact us.