FHASES Privacy Policy

Son Information Systems, Inc. (“Son-IS”) is committed to maintaining the security and privacy of Protected Health Information (“PHI”) and Personally Identifiable Information (“PII”) maintained within our FHASES electronic health record (the “System”). This Privacy Policy discloses Son-IS’ information hosting and dissemination practices in connection with the System and applies solely to the PHI and PII that we maintain through those means. This Privacy Policy does not address personal information that you provide to us in other contexts (e.g., through a business or investment relationship not expressly described in this Privacy Policy).

FHASES

Son-IS provides the web-based System to customers who enter into a Son-IS Master Service Agreement (“Customers”), who then authorize Systems users, including clinical, non-clinical and administrative workforce (“Authorized Users”). Customers and Authorized Users are responsible for determining uses and disclosures of PHI maintained in the System, in accordance with their legal and professional responsibilities as health care professionals and state and federal medical privacy laws, including the federal Health Insurance Portability and Accountability Act (“HIPAA”). To the extent that Son-IS receives or maintains PHI in the course of providing the System, that information is secured, used and disclosed only in accordance with Son-IS’ legal obligations as a “business associate” under HIPAA.
The purpose of the System is to store Electronic PHI and

1. to make it available to the Customer and the Customer’s Authorized Workforce;
2. to facilitate the sharing of individuals’ health information among Users, and
3. to make health information available to the Customer’s patients through the Patient Portal.

The Customer may make Electronic PHI accessible to other Users and to the Customer’s patients through the System for these purposes. The Customer authorizes Son-IS, as the Customer’s business associate, to use and disclose Electronic PHI as follows, subject to the recipient’s agreement to comply with Son-IS Policies and Procedures and with applicable laws and regulations relating to the use and disclosure of health information, and subjection to the Business Associate Provisions section of the Agreement.

1. Son-IS may permit access to Electronic PHI to the Customer and the Customer’s Authorized Workforce.
2. Son-IS may permit access to Electronic PHI to the Customer’s patients to whom the Customer has agreed to grant access through the Patient Portal.
3. Son-IS may permit access to Electronic PHI by health care providers and the Customer’s business associates for treatment when the Customer or the Customer’s Authorized Workforce shares this information through the System.
4. Son-IS may disclose or permit access to Electronic PHI to health plans, health care clearinghouses, medical groups, independent practice associations, and other parties responsible for payment and their business associates for the purpose of payment for services the Customer provide, when the Customer or the Customer’s Authorized Workforce initiates such use through the System.
5. Son-IS may disclose or permit access to Electronic PHI to parties and their business associates for reporting and data aggregation for services the Customer provides, when the Customer or the Customer’s Authorized Workforce initiates such use through the System.
6. Son-IS may create limited data sets from Electronic PHI, and disclose them for any purpose for which the Customer may disclose a limited data set; and the Customer hereby authorize Son-IS to enter into data use agreements on the Customer’s behalf for the use of limited data sets, in accordance with applicable law and regulation.

The Customer will be solely responsible for affording individuals their rights with respect to Electronic PHI, such as the rights of access and amendment. The Customer will not undertake to afford an individual any rights with respect to any information in the System other than Electronic PHI.

SYSTEM USE

Acceptance of Privacy Policy

By using the System, you signify your acceptance of this Privacy Policy. If you do not agree to the terms of this Privacy Policy, please do not use this System. Your continued use of the System following the posting of changes to these terms will mean that you accept those changes.

Personal Information Provided by Authorized Users

Except as described in this Privacy Policy, Son-IS only collects personally identifiable information (“PII”) through this System when the Authorized User chooses to provide such information. PII may include email addresses, phone numbers, and IP addresses. Son-IS uses your PII to address your requests for information, products or services. Son-IS will not sell, rent, license, or trade your PII with third parties for their own direct marketing use unless we receive your express consent to do so. Unless you give us permission to do so, Son-IS will not share your PII other than as specified in this Privacy Policy.

We and our partners automatically gather information whenever you visit, log in, or otherwise interact with our System, including when you receive emails delivered via our System or Son-IS employees and partners. We and our partners use the technologies described below and similar technologies that may not be expressly described (which we collectively call "Engagement Tools") to gather this information to enhance and operate our Services in a number of ways, such as to:

• Save user preferences and information;
• Preserve session settings and activity;
• Authenticate users;
• Enable support and security features;
• Tailor the delivery of informational messages; and
• Analyze the performance and use of our Services and its various features and content.

Even if you do not register with us or submit any information on our System, our Engagement Tools will automatically receive information about, and the software running on, the computer, mobile phone, or tablet (each, a "Device") you use to interact with our Services.

Device Information: When you interact with our System, we collect information about your Device such as the URL of services your Device is requesting and the referring web pages, your IP address, Device type, operating system, browser type, application identifier, and, under certain circumstances, the location information your Device sends to us.

Disclosures to Third Parties Assisting in Son-IS Operations

Son-IS may share your PII under confidentiality agreements with other companies that work with, or on behalf of, Son-IS to provide products and services. These companies may use your PII to assist Son-IS in its operations. However, these companies do not have any independent right to share this information.

Disclosures Under Special Circumstances

We may provide information PII to respond to subpoenas, court orders, legal process or governmental regulations, or to establish or exercise our legal rights or defend against legal claims. We believe it is necessary to share information in order to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required by law.

Business Transfers

We may share your PII with other business entities, in connection with the sale, assignment, merger or other transfer of all or a portion of Son-IS to such business entity. We will require any such successor business entity to honor the terms of this Privacy Policy.

Automatically Collected Information and Anonymous Information

Each time an Authorized User accesses the System, Son-IS collects information to improve the overall quality of the user’s experience.

Aggregated Data

Son-IS collects aggregate queries for internal reporting and also counts, tracks, and aggregates the user’s activity into Son-IS’ analysis of general user-flow on the System. To these ends, Son-IS may merge information PII into aggregated group data. In some cases, Son-IS may remove personal identifiers from PII and maintain it in aggregate form that may later be combined with other information to generate anonymous, aggregated statistical information. Such anonymous, group data may be shared on an aggregated basis with Son-IS’ affiliates, business partners, service providers and/or vendors; if it does so, Son-IS will not disclose your individual identity.

Web Server Logs and IP Addresses

An Internet Protocol (“IP”) address is a number that automatically identifies the computer/device you have used to access the Internet. The IP address enables our server to send you the web pages that you want to visit, and it may disclose the server owned by your Internet Service Provider. Son-IS may use IP addresses to conduct website analyses and performance reviews and to administer the System.

Cookies and Web Beacons

Cookies are pieces of information that a website transfers to a user’s computer for purposes of storing information about a user’s preferences. Cookies in and of themselves do not personally identify users, although they do identify a user’s computer. Many websites use cookies as a standard practice to provide useful features when a user visits the website and most web browsers are set up to accept cookies. Son-IS uses cookies to improve your online experience when visiting the System. You can set your browser to refuse cookies, but some portions of the System may not work properly if you refuse cookies. Some of the System’s web pages may use web beacons in conjunction with cookies to compile aggregate statistics about website usage. A web beacon is an electronic image (also referred to as an “action tag,” “single-pixel,” or “clear GIF”) that is commonly used to track the traffic patterns of users from one web page to another in order to maximize web traffic flow and to otherwise analyze the effectiveness of websites. Some web beacons may be unusable if you elect to reject their associated cookies.

Referrals/Links

The System may contain links to third-party websites that may offer information of interest. This Privacy Policy does not apply to those websites, and Son-IS recommends reviewing those websites’ privacy policies individually. Son-IS assumes no responsibility for any material outside of the System, including any website that may be accessed through a link from the System.

Security

Son-IS understands that storing our data in a secure manner is essential. Son-IS stores PHI and PII using industry-standard physical, technical and administrative safeguards to secure data against foreseeable risks, such as unauthorized use, access, disclosure, destruction or modification. While Son-IS has endeavored to create a secure and reliable System for users, the confidentiality of any communication or material downloaded or exported from the System cannot be guaranteed by Son-IS and Son-IS assumes no responsibility for security outside of the System.

Viewing and Updating Your Information

Our System aims to provide you with access to the information you submit and the means to update it within our System consistent with applicable law. This can be accomplished by logging into our System and updating that information, although please be advised of the important limitations described below. Under certain circumstances, you may be required to undergo an authentication or access control procedure.

Please note that if your healthcare provider has enabled you to receive a patient portal account pursuant to the Privacy Policy, your healthcare provider also retains the ability to revoke your access to your patient portal account at any time. Patients should submit any questions or requests regarding access to their patient portal accounts directly to the healthcare provider that authorized the account.

If you have used our Services to share information with another user or a third party, you will not be able to access, update, or delete that shared information. Further, if another user of our services submits information that identifies you, you will not be able to access, update, or delete that information.

Certain users – such as healthcare providers – may be required under applicable laws or regulations to retain information about you for extended periods of time or indefinitely. Additionally, we may have independent obligations under applicable laws or regulations to retain such information indefinitely. Finally, for disaster recovery and business continuity purposes, we retain copies of data stored by our System for indefinite periods of time.

Changes

You may review and request changes to your PII that Son-IS has collected, including the removal of your PII from Son-IS’ databases in order to prevent receipt of future communications or to halt receipt of our System services, using any of the following options:

You can send your request via e-mail to: support@fhases.com

GENERAL TERMS

Policy Updates

This Privacy Policy may be revised from time to time as we add new features and services, as laws change, and as industry privacy and security best practices evolve. We display a version number and a date on the policy in the upper right corner of this Privacy Policy so that it will be easier for you to know when there has been a change. If we make any change to this Privacy Policy regarding use or disclosure of PII or PHI, we will provide advance notice on this System. Small changes or changes that do not significantly affect individual privacy interests may be made at any time and without prior notice.

Questions?

If you have any questions about this Privacy Policy or about Son-IS’ handling of your information, please contact support@fhases.com.