Effective January 24, 2022
I. PURPOSE
The purpose of the Zus Privacy Policy (“Policy”) is to provide important protections for the privacy of Patients or Users whose PHI or PII is stored in the Zus Platform, and to detail the conditions and requirements for access to such data through the Zus Platform (including the Builder Services). This Policy applies to all Zus Platform services, including the Builder Services, to all Builders who use them, and to any and all users of the Zus Platform, whether they use the Zus Platform directly or indirectly through a Builder’s Application.
This Policy is incorporated into the Builder Terms and may be updated or amended from time to time in accordance with provisions of the Builder Terms.
II. POLICY
A. DEFINITIONS
- General. Capitalized terms used but not defined in this Policy or the Builder Terms will have the meanings set forth in HIPAA or other Applicable Law.
- Extension of HIPAA Definitions. To make the requirements for protection of Patient Data consistent across all types of Patient Data, where this Policy incorporates a definition or standard from HIPAA, the HIPAA definition applies except that the term PHI or Protected Health Information is replaced by the broader term Patient Data as defined in the Builder Terms, which includes both PHI and PII (which is not covered by HIPAA).
- Privacy Policy Definitions:
“Application” means a digital health or other software application, technology or service which uses, integrates with, or incorporates elements of the Builder Services.
“Authorized Activities” means either Consumer Health Activities or HIPAA Activities as they are defined in the Zus Privacy Policy.
“Builder Account Status” means either Unverified Status or Verified Status as described in Section A(2)(b) of the Builder Terms.
“Builder Content” means material which you create with the Builder Services, or pre-existing material (whether created by you, or created by a third party and appropriately licensed by you) which you incorporate into your Application using the Builder Services, including unique questionnaires and forms, proprietary algorithms, workflows, processes, and clinical protocols or guidelines which you have developed.
“Builder Data” means proprietary or personal information identifying and pertaining to a Builder or a Builder Account, including data about Builder Users and Application End Users, your use or configuration of the Builder Services, or any data which embodies Builder IP, which we collect or create as we manage and administer the Builder Services and provide support to you.
“Builder Documentation” means any documentation or materials you create or share with Zus relating to your Application.
“Builder IP” means an Application, Builder Content, Builder Data, Builder Documentation, Patient Data, and any other Confidential Information shared by a Builder with Zus or the Builder Services.
“Builder Privacy Documentation” means privacy policies and documentation created by a Builder that disclose how a Builder collects, uses, stores and discloses Patient Data or other User Data, as described in Section A(5)(b)(iii) of the Builder Terms.
“Builder Users” means either an operational or technical user associated with a Builder Account who logs into or uses the Builder Services.
“BAA” or “Business Associate Agreement” means the Zus BAA incorporated into these Builder Terms by reference.
“Business Associate” means an organization that meets the definition at 45 CFR 160.103 and which is either a Business Associate of a Covered Entity, or a Sub-Business Associate to a Business Associate serving a Covered Entity under HIPAA.
“Closed Patient Data” means Patient Data that is not included in the Common Patient Record, as set forth in Section A(5)(a)(iv) of the Builder Terms.
“Common Builder” means a Builder with which you share a Common Patient, as set forth in Section A(7)(c)(ii) of the Builder Terms.
“Common Patient” means a Patient for which two or more Builders have a Patient Relationship, as described in this Policy and Section A(7)(c)(ii) of the Builder Terms.
“Common Patient Data” means Patient Data contained in the Common Patient Record as described in this Policy and Section A(5)(a)(iii) of the Builder Terms.
“Common Patient Record” means the Patient Data shared by all Builders participating in the Zus Network, stored in the Zus Platform, and accessible by and contributed through Builder Services, as further described in the Zus Privacy Policy.
“Consumer Health Activities” means products or services relating to Health Care provided to a Patient by a Non-Covered Entity under HIPAA, including without limitation software applications, devices and hardware, or personal services that relate to the health of an individual, an individual’s physical or mental condition or functional status, or which affect the structure or function of the body.
“Covered Entity” is an organization which meets the definition of Covered Entity under the HIPAA Privacy Rule.
“Designated Record Set”, as set forth in 45 CFR 164.501 of the HIPAA Privacy Rule, means (1) a group of records maintained by or for a Covered Entity that is: (i) the medical records and billing records about individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a Health Plan; or (iii) used, in whole or in part, by or for the Covered Entity to make decisions about individuals. For purposes of this definition the term record means any item, collection or grouping of information that includes Patient Data and is maintained, collected, used or disseminated by or for a Covered Entity.
“Documentation” means the information, content and materials available on the Zus documentation portal.
“DRS Requirements” mean the minimum requirements set forth in the Privacy Policy for which Patient Data provided must be included in the Designated Record Set made available through the Zus Common Patient Record.
“Health Care” means care, services, or supplies related to the health of an individual; Health Care includes, but is not limited to, the following: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription, as defined at 45 CFR 160.103.
“Health Care Operations Activities” means any of the following activities of a Covered Entity to the extent they relate to covered functions: (1) conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines (provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities); patient safety activities; population-based activities relating to improving health or reducing healthcare costs, protocol development, case management and care coordination, contacting of Health Care Providers and Patients with information about treatment alternatives; and related functions that do not include treatment; (2) reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities; (3) except where excluded under and consistent with the requirements of HIPAA, underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for Health Care; (4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; (5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and (6) business management and general administrative activities of the entity, including but not limited to management activities relating to implementation of and compliance with HIPAA; customer service, including provision of data analyses for policy holders, plan sponsors, or other customers (provided that PHI is not disclosed to such policy holder, plan sponsor or customer); resolution of internal grievances; the sale, transfer, merger or consolidation of all or part of the Covered Entity with another Covered Entity, or an entity that following such activity will become a Covered Entity, and due diligence related to such activity; and, consistent with the applicable provisions of HIPAA, creating de-identified health information or a limited data set, and fundraising for the benefit of the Covered Entity; as defined in 45 CFR 164.501.
“Health Care Provider” means a facility-based provider of services (such as a hospital, skilled nursing facility, home health agency or hospice), a provider of medical or health services under Medicare or Medicaid, and any other person or organization who furnishes, bills or is paid for Health Care in the normal course of business, as defined in 45 CFR 160.103.
“HIN” or “Health Information Network” has the same meaning as the term is defined in the ONC Cures Rules.
“HIPAA Activities” mean Treatment Activities, Payment Activities, Health Care Operations Activities, and Public Health Activities, as defined in the Zus Privacy Policy.
“HIPAA Category” means the type of Covered Entity or Business Associate that a Builder represents to Zus that it is during the Account Verification process and during its use of the Builder Services.
“Information Blocking” has the same meaning as the term is defined in the ONC Cures Rules at 45 CFR Part 171.
“Minimum Necessary Standard” is the standard described in 45 CFR 164.502(b) and 164.514(d).
“Network Opt Out” means a Patient’s decision to opt-out of any sharing of Patient Data through the Builder Services or the Zus Platform as described in this Policy.
“Non-Covered Entity” or “Non-CE” means an organization which is not a Covered Entity under HIPAA.
“Patient” means any patient for whom Zus receives Protected Health Information or any individual for whom Zus receives Personally Identifiable Information.
“Patient Data” means either Protected Health Information or Personally Identifiable Information. Patient Data does not include any information on a Builder User or Application User related to their use of the Builder Services or your Application, but does include information on a Builder User or Application User to the extent related to their participation in or receipt of Authorized Activities in their individual capacity.
“Patient Relationship” has the meaning set forth in Section B(1)(d) of this Privacy Policy.
“Participant” or “Zus Network Participant” means a Covered Entity, Business Associate, Non-CE Service Provider, Network Partner, Service Partner or Patient that uses the Zus Platform to interact or share data for Authorized Activities.
“Payment Activities” mean activities of (A) a Health Plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; (B) a Health Care Provider or Health Plan to obtain or provide reimbursement for the provision of Health Care, including (but not limited to) the following: determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; risk adjusting amounts due based on enrollee health status and demographic characteristics; billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing; review of Health Care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and disclosure to consumer reporting agencies of certain PHI relating to collection of premiums or reimbursement; as defined at 45 CFR 164.501.
“Permitted Access Requirements” mean the criteria which you must satisfy in order to access or receive Patient Data through the Builder Services as set forth in the Privacy Policy.
“PHI” or “Protected Health Information” is individually identifiable health information as defined in the HIPAA Privacy Rule (45 CFR 160.103).
“PII” or “Personally Identifiable Information” is defined in the Zus Privacy Policy.
“Public Health Activities” means, for public health authorities (as defined in 45 CFR 164.501), preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; and, for an entity subject to the jurisdiction of the Food and Drug Administration (FDA) for an FDA-regulated product or activity, activities related to the quality, safety or effectiveness of FDA products or activities (including collecting or reporting adverse events, product defects or problems, or biological product deviations, tracking FDA-regulated products, enabling product recalls, repairs, replacement or lookback to notify individuals who have received products that have been recalled or withdrawn, or conducting post-marketing surveillance), as described in 45 CFR 164.512(b).
“Specially Regulated Data” is Patient Data (such as HIPAA Psychotherapy Notes, mental health information, substance use disorder information, HIV status) which is subject to certain additional or specific notice, consent or authorization requirements, or other limitations on disclosure as defined in Section 5(b)(vi) of the Builder Terms.
“System Data” means data that we generate, create or derive from Patient Data, Builder Data, or Transaction Data that does not include any actual Patient Data or Builder Data or any other personally identifiable information.
“Transaction Data” means data about transactions conducted by, with or for you through the Builder Services, but does not include either Patient Data or Builder Data.
“Treatment Activities” mean the provision, coordination, or management of Health Care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another, as defined in 45 CFR 164.501.
“USCDI” means the United States Core Data for Interoperability developed, published and maintained by the ONC under the Cures Rules.
B. USE & ACCESS OF PATIENT DATA
- When we permit access to Patient Data.
a. Zus Responsibility. Zus is responsible for ensuring that all Participants who share or access Patient Data in the Zus Network through the Zus Platform (including, but not limited to, Builders using the Builder Services) satisfy the Permitted Access Requirements in this Section and the other minimum requirements of our policies, terms and conditions, and that they are permitted to access Patient Data under Applicable Law.
b. Permitted Access Requirements. We will only enable access to Patient Data through the Builder Services or the Zus Platform to a Builder which meets the following Permitted Access Requirements: (i) the Builder has achieved Verified Status following our Account Verification process, (ii) the Builder has a Patient Relationship with the Patient for which it is requesting access to Patient Data, (iii) the Builder accesses the Patient Data only for Authorized Activities, and (iv) the Builder is currently satisfying all of its obligations under Zus Policies and the Builder Terms.
c. Builder Account Status. As described in Section A(2)(b) of the Builder Terms, while a Builder Account has an Unverified Status, the Builder may only use the Builder Services to access or use Patient Data which that Builder uploads to or shares with the Builder Services. It may not use the Builder Services to access Patient Data from another Builder or other Participant in the Zus Network, or to access the Common Patient Record. As soon as a Builder has a Verified Status, it will be able to use the Builder Services to access Patient Data from a Service Partner or Network Partner, and to access the Common Patient Record in the Zus Platform, assuming the other requirements of this Policy and the Builder Terms are satisfied.
d. Patient Relationship. No Builder or other Participant may access Patient Data in the Zus Platform unless it has a documented Patient Relationship for that Patient.
(i) Direct Patient Relationship. An entity has a Direct Patient Relationship with a Patient when it interacts directly with the Patient to provide a service, benefit or product.
(ii) Indirect Patient Relationship. An entity has an Indirect Patient Relationship when it has entered into a contract with an entity that has a Direct Patient Relationship, under which it is providing a service, benefit or product to such entity or its Patient.
(iii) Documenting a Patient Relationship. Zus supports the following methods for documenting that a Participant or Builder has a Patient Relationship:
(A) You make an assertion to Zus that you have a Patient Relationship with the Patient by uploading a Patient Roster or Member Eligibility File with a list of Patients (“Patient Relationship Assertion”). When you make this assertion, you are making a legally binding representation to us that you have a Patient Relationship, and Zus is relying on this representation to give you access to the Patient Data you are requesting. Zus will cooperate with regulators or other legal authorities to hold you accountable to the fullest possible extent under Applicable Law if you falsely or fraudulently make a Patient Relationship Assertion.
(B) Zus may determine that you have a Patient Relationship by identifying the existence of the relationship in Patient Data we receive (e.g., an ADT Encounter Notification that identifies you as a treating provider or location, a medication order that identifies you as the prescribing provider, or a claim file that identifies you as the entity receiving payment for a service). In making these determinations we must rely on the quality and accuracy of the Patient Data we receive, and we are not responsible for any errors or mistakes that we make about a Patient Relationship because of quality or accuracy issues in Patient Data we have received.
- We only permit use of Patient Data for Authorized Activities.
a. Authorized Activities. We only permit Builders who meet the Permitted Access Requirements to use or disclose Patient Data through the Builder Services or the Zus Platform for Authorized Activities, which include HIPAA Activities and Consumer Health Activities as defined in this Section II(C)(2).
b. HIPAA Activities. We use the term HIPAA Activities to mean Treatment Activities, Payment Activities, Health Care Operations Activities, or Public Health Activities, as set forth in Section II(A)(iii) (Definitions) of this Policy and in each case based on the definitions for those terms provided by the HIPAA Privacy Rule.
c. Consumer Health Activities. Non-Covered Entities may use the Builder Services or connect to the Zus Platform only for Consumer Health Activities, and in doing so only as permitted by Applicable Law. If an Affiliate of a Covered Entity functions as a Non-Covered Entity under HIPAA to conduct Consumer Health Activities, that Affiliate may use the Builder Services or Zus Platform as a Non-Covered Entity provided that it registers with Zus for a separate Builder Account specifically designated for the Consumer Health Activities of the Non-Covered Entity Affiliate.
C. SHARING PATIENT DATA
- Designated Record Set.
a. General Requirement. The HIPAA Privacy Rule and the Cures Rules require, and this Policy implements the requirement, that a Patient has certain rights relating to a Covered Entity’s Designated Record Set. Also, the ONC Cures Rules require that Covered Entities share a Designated Record Set and not engage in Information Blocking. This Policy establishes identical Patient Rights and requirements for sharing a Designated Record Set for all Patient Data, including PHI covered by HIPAA and PII which is not.
b. DRS Requirements. Zus requires that the categories of documents or records in this Section II(D)(2)(b) be included in the Designated Record Set which is available in the Common Patient Record. Zus will enable Builders to designate additional documents or records as included in the Designated Record Set at their discretion.
(i) Allergies and Intolerances
1. Substance (Medication)
2. Substance (Drug Class)
3. Reaction
(ii) Assessment and Plan of Treatment
1. Assessment and Plan of Treatment
(iii) Care Team Members
1. Care Team Members
2. Provider Name
3. Provider Identifier
(iv) Clinical Notes
1. Consultation Note
2. Discharge Summary Note
3. History & Physical
4. Procedure Note
5. Progress Note
(v) Diagnostic Imaging
1. Diagnostic Imaging Order
2. Diagnostic Imaging Report
3. Diagnostic Imaging Narrative
(vi) Encounter Information
1. Encounter Type
2. Encounter Diagnosis
3. Encounter Time
(vii) Health Concerns
1. Health Concerns
(viii) Immunizations
1. Immunizations
(ix) Laboratory
1. Tests
2. Values/Results
3. Laboratory Report Narrative
4. Pathology Report Narrative
(x) Medications
1. Medications
(xi) Patient Demographics
1. First Name
2. Last Name
3. Previous Name
4. Middle Name
5. Suffix
6. Birth Sex
7. Date of Birth
8. Race
9. Ethnicity
10. Preferred Language
11. Current Address
12. Previous Address
13. Phone Number
14. Phone Number Type
15. Email Address
(xii) Procedures
1. Procedures
(xiii) Problems
1. Problems
2. Date of Diagnosis
3. Date of Resolution
(xiv) Provenance
1. Author Time Stamp
2. Author Organization
(xv) Smoking Status
1. Smoking Status
(xvi) Unique Device Identifiers
1. Unique Device Identifier(s) for a Patient’s Implantable Device(s)
(xvii) Vital Signs
1. Diastolic Blood Pressure
2. Systolic Blood Pressure
3. Body Height
4. Body Weight
5. Heart Rate
6. Respiratory Rate
7. Body Temperature
8. Pulse Oximetry
9. Inhaled Oxygen Concentration
10. BMI Percentile (2-20 Years)
11. Weight-for-length Percentile (Birth – 36 months)
12. Head Occipital-frontal Circumference Percentile (Birth – 36 months)