ABA ENGINE, LLC
NOTICE OF PRIVACY PRACTICES
ABA Engine, LLC’s Notice of Privacy Practices (this “Notice”) sets out the key elements of how we address the privacy and security of the data and other information entrusted to us by our customers through their access and use of ABA Engine’s Schedule Zipper software, including its related mobile applications and other online services (collectively, “Services”).
As privacy laws and practices evolve, we may amend this Notice from time to time. While we will endeavor to give reasonable notice of such changes, we do reserve the right to do so without prior notice where it is necessary (e.g. required by changes in applicable law). For our customers, we will endeavor to communicate any changes and updates as provided in our contracts and also through the communication channels provided in the Schedule Zipper software.
For any questions, requests, or concerns regarding privacy, you can contact us anytime at [e-mail] and we will respond within 24 hours.
This Notice explains what Personal Information we collect, why we collect it, how we use it, and how we take instructions regarding the protection and management of this information. For health data and other information provided to us through our Services, we have contracts (“Provider Agreements”) with our customers that provide specific provisions relating to their use of that information in their provision of medical services. This Notice supplements specific provisions in those Provider Agreements; however, in the event of a conflict, the Provider Agreements shall control. In addition, we enter into Business Associate Agreements (“BAAs”) with our customers pursuant to HIPAA.
I – OVERVIEW
We process Customer Data under the direction and control of our customers. We retain no ownership, nor do we have control over the origination or validity of the Personal Data we process on behalf of our customers. We do not request, nor do we maintain, direct relationships with individuals whose Personal Data we maintain in Customer Databases we host and manage as part of our Services to our customers. Accordingly, we do not directly request nor collect consents nor instructions to access, correct, update, or delete personal information, which requests should be made directly to our customers. We will honor and support any instructions our customers provide us with respect to Personal Data maintained in our databases.
Our customers are responsible for complying with any regulations or laws that require providing notice, disclosure, and/or obtaining consent prior to transferring Personal Data to the Schedule Zipper software.
II – PROTECTING PERSONAL INFORMATION
ABA Engine is a provider of hosted, electronic health record and scheduling solutions to its customers who are health care providers and subject to laws and regulations governing the use and disclosure of Protected Health Information or PHI. In the United States, HIPAA and HITECH, along with the regulations adopted under those statutes, and similar state laws govern the handling of PHI. ABA Engine, delegated by its customers to access and manage PHI, is considered a Business Associate under HIPAA and has entered into Business Associate Agreements with its customers as required by HIPAA.
III – SECURITY, THREATS, AND BREACH NOTIFICATION
ABA Engine’s software platform and the Services we provide to our customers have physical, administrative, and technical security measures in place to protect against the loss, misuse, unauthorized access, and alteration of data and Personal Health Information under our direct control. When the Services are accessed using current browser technology, Secure Socket Layer or SSL technology protects information using both server authentication and data encryption to help ensure that data is safe, secure, and available only to each specific customer. ABA Engine also implements a security methodology and hosts the Service in a secure server environment using firewalls and other advanced technology to prevent interference or access from outside intruders. Unique user names and passwords are also required and must be entered each time a customer logs on to our software platform. We are committed to educating our staff about the protection of Personal Health Information and the importance of compliance with relevant privacy legislation and company policies. All employees and contractors are required to sign confidentiality agreements.
These safeguards help prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of Personal Health Information; however, it is important to remember that no system can guarantee 100% security at all times. In the event that we detect a threat to security or security vulnerability, we may attempt to contact our customers to recommend protective measures. Additionally, incidents of suspected or actual unauthorized handling of Personal Health Information are always directed to our legal and compliance teams, which are responsible for determining escalation and response procedures, depending on the severity and nature of the incident. Incidents involving unauthorized handling of PHI or equivalent will be governed by relevant legislation and the BAA between ABA Engine and the customer. If we determine that Personal Health Information has been misappropriated or otherwise wrongly acquired, we will promptly issue a report to each affected customer.
IV – RETENTION AND DELETION
ABA Engine will retain Personal Health Information as necessary for the purposes outlined in this Notice:
- as required to manage and administer the Services;
- as required to carry out any legal responsibilities (e.g. legal holds and other legal procedures);
- to resolve a dispute (including enforcement of a contract); or
- as expressly communicated to a customer at the time of collection.
For as long as a customer’s account remains active, and then until all applicable retention periods have expired, we will retain all Personal Health Information in a manner designed to ensure that it cannot be reconstructed or read. Following such periods, if it is not feasible for us to delete or destroy such retained Personal Health Information, we will continue using the same safeguards of protection and security outlined in this Notice and related subordinate policies, for as long as it cannot be destroyed.
V – SHARING AND DISCLOSURE
IN NO CASE WILL ABA ENGINE SELL OR RENT PERSONAL HEALTH INFORMATION TO THIRD PARTIES. ABA Engine will only share Personal Health Information with the following:
- Law enforcement officials, governmental agencies, or other legal authorities (i) in response to their request; (ii) when permitted or required by law; (iii) to establish our compliance with applicable laws, rules, regulations, or guidelines; or (iv) to establish, protect, or exercise our legal rights or defend against legal claims or demands.
- Any other person we are directed to share the PHI with by our customers.