Privacy Policy
  1. PURPOSE
    The purpose of the Zus Privacy Policy (“Policy”) is to provide important protections for privacy of Patients or Users whose PHI is stored in the Zus Platform and to detail the conditions and requirements for access to such data when using the Builder Services. This Policy applies to all Builders and your Users and is incorporated into the Builder Terms of Service (“Builder Terms”). This Policy may be updated or amended from time to time in accordance with provisions of the Builder Terms.
  2. POLICY
    1. DEFINITIONS
      1. General. Capitalized terms used but not defined in this Policy or the Builder Terms will have the meanings set forth in HIPAA or other Applicable Laws.
      2. Extension of HIPAA Definitions. To make requirements for protection of Patient Data consistent across all types of Patient Data, where this Policy incorporates definitions from HIPAA, this Policy has the same definition as the similar definition from HIPAA except that the term PHI or Protected Health Information is replaced by the broader term for Patient Data as defined in these Builder Terms.
      3. Policy Definitions:
“Authorized Activities” means Treatment Activities, Payment Activities, Health Care Operations Activities, and Public Health Activities, as defined in this Policy.

“Designated Record Set”, as set forth in 45 CFR 164.501 of the HIPAA Privacy Rule, means (1) a group of records maintained by or for a Covered Entity that is: (i) the medical records and billing records about individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a Health Plan; or (iii) used, in whole or in part, by or for the Covered Entity to make decisions about individuals. For purposes of this definition, the term record means any item, collection or grouping of information that includes Patient Data and is maintained, collected, used or disseminated by or for a Covered Entity.

“DRS Requirements” means the minimum requirements set forth in this Policy for which Patient Data must be included in the Designated Record Set made available through the Common Patient Record.

“Health Care” means care, services, or supplies related to the health of an individual. Health Care includes, but is not limited to, the following: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription, as defined at 45 CFR 160.103.

“Health Care Operations Activities” means any of the following activities of a Covered Entity to the extent they relate to covered functions: (1) conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines (provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities); patient safety activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of Health Care Providers and Patients with information about treatment alternatives; and related functions that do not include treatment; (2) reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities; (3) except where excluded under and consistent with the requirements of HIPAA, underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for Health Care; (4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; (5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and (6) business management and general administrative activities of the entity, including but not limited to management activities relating to implementation of and compliance with HIPAA; customer service, including provision of data analyses for policy holders, plan sponsors, or other customers (provided that PHI is not disclosed to such policy holder, plan sponsor or customer); resolution of internal grievances; the sale, transfer, merger or consolidation of all or part of the Covered Entity with another Covered Entity, or an entity that following such activity will become a Covered Entity, and due diligence related to such activity; and, consistent with the applicable provisions of HIPAA, creating de-identified health information or a limited data set, and fundraising for the benefit of the Covered Entity; as defined in 45 CFR 164.501.

“Health Care Provider” means a facility-based provider of services (such as a hospital, skilled nursing facility, home health agency or hospice), a provider of medical or health services under Medicare or Medicaid, and any other person or organization who furnishes, bills or is paid for Health Care in the normal course of business, as defined in 45 CFR 160.103.

“Information Blocking” has the same meaning as the term is defined in the ONC Cures Rules at 45 CFR Part 171.

“Patient Relationship” has the meaning set forth in Section B(1)(b) of this Policy.

“Payment Activities” means activities of (A) a Health Plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (B) a Health Care Provider or Health Plan to obtain or provide reimbursement for the provision of Health Care, including (but not limited to) the following: determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; risk adjusting amounts due based on enrollee health status and demographic characteristics; billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing; review of Health Care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; utilization review activities, including precertification and preauthorization of services, and concurrent and retrospective review of services; and disclosure to consumer reporting agencies of certain PHI relating to collection of premiums or reimbursement; as defined at 45 CFR 164.501.

“Permitted Access Requirements” means the criteria set forth in Section B(1)(a) below.

“Public Health Activities” means, for public health authorities (as defined in 45 CFR 164.501), preventing or controlling disease, injury, or disability, including but not limited to the reporting of disease, injury, and vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; and, for an entity subject to the jurisdiction of the Food and Drug Administration (FDA) for an FDA-regulated product or activity, activities related to the quality, safety or effectiveness of FDA-regulated products or activities (including collecting or reporting adverse events, product defects or problems, or biological product deviations; tracking FDA-regulated products; enabling product recalls, repairs, replacement or lookback to notify individuals who have received products that have been recalled or withdrawn; or conducting post-marketing surveillance), as described in 45 CFR 164.512(b).

“Treatment Activities” means the provision, coordination, or management of Health Care and related services by one or more Health Care Providers, including the coordination or management of health care by a Health Care Provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one Health Care Provider to another, as defined in 45 CFR 164.501.

“USCDI” means the United States Core Data for Interoperability developed, published and maintained by the ONC under the Cures Rules.

    2. USE & ACCESS OF PATIENT DATA
      1. When we permit access to Patient Data.
        1. Permitted Access Requirements. We will only enable access to Patient Data through the Builder Services or the Zus Platform to a Builder that meets the following Permitted Access Requirements: (i) the Builder has successfully completed our Verification Process, (ii) the Builder has a Patient Relationship (defined below) with the Patient for which it is requesting access to Patient Data, (iii) the Builder accesses the Patient Data only for Authorized Activities, and (iv) the Builder is currently satisfying all of its obligations under Zus Policies and the Builder Terms (collectively, “Permitted Access Requirements”).
        2. Patient Relationship. No Builder or Participant may access Patient Data in the Zus Platform for a particular patient unless it provides Zus documentation of an established and active patient relationship for that patient (“Patient Relationship”). Zus supports the following methods for documenting that a Participant or Builder has a Patient Relationship with a Patient:
          1. You make an assertion to Zus that you have a Patient Relationship with the Patient by uploading a Patient Roster or Member Eligibility File with a list of Patients. When you make this assertion, you are making a legally binding representation to us that you have a Patient Relationship, and Zus is relying on this representation to give you the requested access to the Patient Data. Zus will cooperate with regulators or other legal authorities to the fullest possible extent under Applicable Law if you falsely or fraudulently assert a Patient Relationship.
2. Zus may determine that you have a Patient Relationship through the Patient Data we receive that evidences such a relationship (e.g., an ADT Encounter Notification that identifies you as a treating provider or location, a medication order that identifies you as the prescribing provider, or a claim file that identifies you as the entity receiving payment for a service). In making these determinations we must rely on the quality and accuracy of the Patient Data we receive, and we are not responsible for any errors or mistakes that we make about a Patient Relationship because of quality or accuracy issues in Patient Data we have received.
      2. We only permit use of Patient Data for Authorized Activities. We only permit Builders who meet Permitted Access Requirements to use or disclose Patient Data through the Builder Services or Zus Platform for Authorized Activities.
    3. SHARING PATIENT DATA: DESIGNATED RECORD SET
1. General Requirement. The HIPAA Privacy Rule and the Cures Rules require, and this Policy implements the requirement, that a Patient has certain rights relating to a Covered Entity’s Designated Record Set. Also, the ONC Cures Rules require that Covered Entities share a Designated Record Set and not engage in Information Blocking. This Policy establishes identical Patient Rights and requirements for sharing a Designated Record Set for all Patient Data, including Patient Data which is not PHI covered by HIPAA.
      2. DRS Requirements. Zus requires that the categories of documents or records in this Section be included in the Designated Record Set which is available in the Common Patient Record. Zus will enable Builders to designate additional documents or records as included in the Designated Record Set at their discretion. These requirements are based on the currently adopted and published version of the USCDI and Zus may add additional requirements as the USCDI standard is expanded over time.
        Account
        AllergyIntolerance
        Appointment
        AppointmentResponse
        BodyStructure
        CarePlan
        CareTeam
        ClinicalImpression
        Composition
        Condition
        Consent
        Coverage
        CoverageEligibilityRequest
        CoverageEligibilityResponse
        DetectedIssue
        Device
        DeviceRequest
        DiagnosticReport
        DocumentManifest
        DocumentReference
        Encounter
        EpisodeOfCare
        FamilyMemberHistory
        Flag
        Goal
        ImagingStudy
        Immunization
        ImmunizationEvaluation
        ImmunizationRecommendation
        MeasureReport
        MedicationAdministration
        MedicationDispense
        MedicationRequest
        MedicationStatement
        MolecularSequence
        NutritionOrder
        Observation
        Patient
        Person
        Procedure
        Provenance
        RelatedPerson
        RiskAssessment
        ServiceRequest
        Specimen
        SupplyDelivery
        SupplyRequest
        VisionPrescription