Last Updated: August 20th, 2020
selectinjurydoctors.com provides information, including a directory of physicians (the “Providers”) specializing in the treatment of sports injuries and accidents as well as tools to connect with physicians (the “Service”) by users (the “Users”, “you”) offered from time to time via www.selectinjurydoctors.com, related websites, applications, services and mobile applications (the “Site” or “Sites”). The Service is owned and operated by selectinjurydoctors.com (“Company”, “we” or “us”).
- Types and Uses of Collected Information. Company collects two types of information about you:
- How we use your personal data.
3.1 In this Section 3 we have set out:
(a) the general categories of personal data that we may process, and
(b) the purposes for which we may process personal data.
3.2 We may process data about your use of our website and services (“usage data”). The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is our analytics tracking system. This usage data may be processed for the purposes of analyzing the use of the website and services.
3.3 We may process your account data (“account data”). The account data may include your name and email address. If you are placing an order via the Service, we may collect your credit card information. The source of the account data is you. The account data may be processed for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you.
3.4 We may process information contained in any inquiry you submit to us regarding goods and/or services (“inquiry data”). The inquiry data may be processed for the purposes of offering, marketing and selling relevant goods and/or services to you.
3.6 We may process information contained in or relating to any communication that you send to us (“correspondence data”). The correspondence data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms. The correspondence data may be processed for the purposes of communicating with you and record-keeping.
3.7 If you exchange messages with others through the Company Service, we may store them to process and deliver them, allow you to manage them, and we may review and disclose them in connection with investigations related to the operation and use of the Company Service. We may not deliver messages that we believe are objectionable, such as spam messages or requests to exchange reviews for compensation. If you send or receive messages through the Company Service via SMS text message, we may log phone numbers, phone carriers, and the date and time that the messages were processed. Carriers may charge recipients for texts that they receive. We may also store information that you provide through communications to us, including from phone calls, letters, emails and other electronic messages, or in person. If you are a representative of a business listed on the Company Service, we may contact you, including by phone or email, using the contact information you provide us, make publicly available, or that we have on record for your business.
3.8 We may process any of your personal data identified in this policy where necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
3.9 In addition to the specific purposes for which we may process your personal data set out in this Section 3, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
- Providing your personal data to others.
4.1 We may disclose your inquiry data to one or more of those selected Providers of services on or linked from our website, identified on our website for the purpose of enabling them to connect you with their Services.
4.2 We will not share your personal data to advertisers.
4.3 In addition to the specific disclosures of personal data set out in this Section 4, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. 4.4 We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
- Release of Non-Personally Identifiable Information.
5.1 We may disclose or share Non-Personally Identifiable Information with Third Party Service Providers and the public. For example, we may share aggregated demographic information (which does not include any Personally Identifiable Information) or use Third Party Service Providers to track and analyze Non-Personally Identifiable usage and volume statistical information from our users to administer the Company Service. We may also publish this aggregated information for promotional purposes. Such data is collected on our behalf and is owned and used by us.
5.2 We may use Third Party Service Providers to serve ads when you participate in the Company Service. These companies may use Non-Personally Identifiable Information about your visits and use of the Company Service, and visits to other websites or locations to provide, through the use of network tags, advertisements about goods and services that may be of interest to you.
- Choices on Collection/Use of Information. You can always choose not to provide certain information, although a certain level of information is required to engage and participate in the Company Service. Other users may be able to identify you, or associate you with your account, if you include personal information in the content you post publicly. You can reduce the risk of being personally identified by using the Company Service pseudonymously, though doing so could detract from the credibility of your contributions to the Company Service.
- About cookies.
7.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
7.2 Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
7.3 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
- Cookies used by our service providers and/or affiliates.
- Managing cookies
9.1 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
(a) https://support.google.com/chrome/answer/95647?hl=en (Chrome);
(b) https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);
(c) http://www.opera.com/help/tutorials/security/cookies/ (Opera);
(d) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
(e) https://support.apple.com/kb/PH21411 (Safari); and
(f) https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge).
9.2 Blocking all cookies will have a negative impact upon the usability of many websites.
9.3 If you block cookies, you will not be able to use all the features on our website.
- Security of Information.
10.1 In the event you are provided with an opportunity to establish and account or profile on our Site, you may be able to access your Personally Identifiable Information via the Company Service with your password and username. This password is encrypted. We advise against sharing your password with anyone. If you access your account via a third-party site or service, you may have additional or different sign-in protections via that third-party site or service. You need to prevent unauthorized access to your account and Personal Information by selecting and protecting your password and/or other sign-in mechanism appropriately and limiting access to your computer, browser, or mobile device by signing off after you have finished accessing your account. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time. If we believe that the security of your information may have been compromised, we may seek to notify you of that development.
10.3 Please be aware that no data transmission over the Internet or via e-mail is completely secure and therefore we cannot guarantee protection of all personal information in all cases. For example, we cannot guarantee protection against interception, misappropriation, misuse, or alteration, or that your information will not be disclosed or accessed by the unauthorized acts of others. Consequently, we cannot ensure or warrant the security of any information you transmit to us, and you do so at your own risk. If you provide us with your credit card number, you should not send it electronically unless the email is encrypted, or your browser indicates that the access to our website is secure. Materials posted to online forums such as bulletin boards or chat rooms are public, not secure, and may be viewed by anyone. Any personal information you post may be collected and used by anyone and may result in unsolicited messages from other parties.
- Notice of Privacy Rights to California Residents. California law requires that we provide you with a summary of your privacy rights under the California Online Privacy Protection Act (“COPPA”) and the California Business and Professions Code. As required by COPPA, we will provide you with the categories of Personally Identifiable Information that we collect through the Company Service and the categories of third party persons or entities with whom such Personally Identifiable Information may be shared for direct marketing purposes at your request. California law requires us to inform you, at your request, (1) the categories of Personally Identifiable Information we collect and what third parties we share that information with; (2) the names and addresses of those third parties; and (3) examples of the products marketed by those companies. COPPA further requires us to allow you to control who you do not want us to share that information with. To obtain this information, please send a request by email or physical mail to the address found below. When contacting us, please indicate your name, address, email address, and what Personally Identifiable Information you do not want us to share with our marketing partners. The request should be sent to the attention of our legal department and labeled “California Customer Choice Notice.” Please allow 30 days for a response. Also, please note that there is no charge for controlling the sharing of your Personally Identifiable Information or requesting this notice.
- Children. The Company Service are not directed to people under the age of eighteen (18). If you become aware that your child has provided us with personal information without your consent, please contact us at the email address listed below. If we become aware that a child under this age has provided us with personal information, we take steps to remove such information and terminate the child’s account.
HIPAA Compliance Addendum
These HIPAA Terms and Conditions (“HIPAA Addendum”) shall be incorporated into the Terms of Service that are Covered Entities (as defined below) and that provide Protected Health Information (“PHI”) (as defined below) to Company in connection with interactions with Company. These terms supplement and are made part of the Terms of Service in order to comply with the federal Standards for Privacy of Individually Identifiable Health Information, located at 45 C.F.R. Part 160 and Part 164, Subparts A through E (“Privacy Rule”) and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the “HITECH Act”).
Capitalized terms used in this Agreement and not otherwise defined herein shall have that meaning given to them in the HIPAA Rules.
“Breach” when capitalized, shall have the meaning set forth in 45 CFR § 164.402 (including all of its subsections); with respect to all other uses of the word “breach” in this Agreement, the word shall have its ordinary contract meaning.
“Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to information that Business Associate creates, accesses or receives from or on behalf of Covered Entity.
“Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and;
- is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual;
- the provision of health care to an individual; or the past, present or future payment for provision of health care to an individual; and
- that identifies the individual; or
- with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Protected Health Information” or “PHI” shall have the meaning set forth in the Privacy Rule, limited to information that Company, accesses or receives from or on behalf of Covered Entity. PHI includes EPHI.
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 CFR parts 160 and 164, Subparts A, D and E, as currently in effect.
“Security Incident” shall have the same meaning as the term “security incident” at 45 CFR 164.304.
“Security Rule” means the Standards for Security for the Protection of Electronic Protected Health Information, codified at 45 CFR parts 160 and 164, Subpart C, as currently in effect.
“Unsecured Protected Health Information” or “Unsecured PHI” shall have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
OBLIGATIONS AND ACTIVITIES OF PROVIDERS (“BUSINESS ASSOCIATE)
Provider acknowledge and agree that it is a “Business Associate” of Company as defined by the HIPAA Rules, and as such, Business Associate shall, in addition to complying with the other terms and conditions of the Terms of Service Agreement, comply with the HIPAA-required provisions set forth in this Agreement. In the event of a conflict between the terms of this Agreement and the Terms of Service Agreement with respect to the use or disclosure of PHI, the terms of this Agreement will govern. In all other circumstances, the terms of the Terms of Service Agreement will govern.
Performance of Services.
Business Associate may use PHI only to perform the services and its other obligations pursuant to the Terms of Service Agreement or as Required by Law. Business Associate may disclose such PHI only within its organization and only to those of its employees who need to know such information in order to perform its obligations under the Terms of Service Agreement and, in such case, only the minimum amount of such PHI as is necessary for such performance. Business Associate shall not access, use or disclose PHI in any manner that would violate the HIPAA Rules if such access, use or disclosure was done by Business Associate or Covered Entity,
Privacy Rule Obligations
Business Associate shall comply with the Privacy Rule as it directly applies to business associates: To the extent Business Associate carries out one or more of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of HIPAA that apply to Business Associate or Covered Entity in the performance of such obligation(s).
Safeguards for Protection of PHI
Business Associate agrees that it will (a) protect and safeguard from any disclosure (whether oral, written or otherwise) all PHI with which it may come into contact with in accordance with the HIPAA Rules and more stringent state laws and regulations governing the handling of such information; and (b) use appropriate safeguards to prevent use or disclosure of PHI other than as permitted by the Terms of Service Agreement or this Agreement or as Required by Law.
Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
Without unreasonable delay, and in no case later than ten (10) days after Business Associate knew or should have known of the impermissible use or disclosure, Business Associate shall notify Covered Entity, in writing, of any use or disclosure of PHI outside the purpose of this Agreement or the Terms of Service Agreement. Without unreasonable delay, Business Associate shall report to Covered Entity in writing of any Security Incident of which it becomes aware. In addition, upon Covered Entity’s request, Business Associate shall provide a report of any and all impermissible uses, disclosures, and/or Security Incidents.
Disclosure to Subcontractors
Business Associate agrees to ensure that any subcontractor that creates receives, maintains or transmits EPHI originating from the Covered Entity on behalf of the Business Associate, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
Right of Access
Business Associate agrees to provide access, at the request of Covered Entity, to PHI contained in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in in a time and manner that allows Covered Entity to meet the requirements under 45 CFR § 164.524.
Right to Amendment
Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity, in a time and manner that allows a Covered Entity to meet the requirements of 45 CFR 164.526. Business Associate shall notify Covered Entity immediately in writing upon receiving a request from an Individual to review, copy or amend his or her medical record information.
Patient Right to Request Accounting
Upon Covered Entity’s request, Business Associate shall document and make available to Covered Entity information relating to such Individual as is necessary for Covered Entity to respond to a request for an accounting of disclosures in accordance with §164.528 of the Privacy Rule.
Access to Books and Records
Until the expiration of four years after the furnishing of services pursuant to the Terms of Service Agreement, Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, for purposes of the Secretary determining compliance with the Privacy Rule.
If Business Associate has knowledge or a reasonable belief that a Breach of Unsecured PHI has occurred or may have occurred, Business Associate shall notify Covered Entity in accordance with the requirements of 45 CFR § 164.410. For avoidance of doubt, Business Associate shall notify Covered Entity if it has knowledge of a potential Breach so that Covered Entity may determine and confirm whether a Breach has occurred. Such notification shall include, to the extent possible, the identification of each Individual whose PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed during the Breach, along with any other information that Covered Entity will be required to include in its notification to the Individual including, without limitation, a description of the Breach, the date of the Breach and its discovery, the types of Unsecured PHI involved and a description of the Business Associate’s investigation, mitigation and prevention efforts.
Business Associate shall track and monitor all Security Incidents. Business Associate shall report a successful Security Incident in accordance with these Terms and shall report unsuccessful Security Incidents upon request by Covered Entity.
When using, disclosing or requesting PHI, Business Associate agrees to use, disclose or request the minimal amount of information necessary for the stated purpose, unless an exception to the minimum necessary rule applies, as set forth in 45 CFR §164.502(b)(2).
PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
Business Associate shall be permitted to use and disclose PHI as follows: Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted under 45 CFR § 164.504(e)(2)(i)(B). Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
PERMITTED OBLIGATIONS OF COVERED ENTITY
Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
Effect of Termination; Return of Covered Entity’s PHI
Upon termination of the Terms of Service Agreement for any reason, Business Associate will return or destroy all PHI within thirty (30) days of the date of termination. Business Associate will not retain any records or copies of any such records. To the extent the return or destruction of such PHI is not feasible, Business Associate will remain bound by the provisions of this Agreement even after termination of the Terms of Service Agreement, until such time as all PHI has been returned or is destroyed.
The obligations of Business Associate under these Terms shall survive the termination of this Agreement and remain in force as long as Business Associate stores or maintains PHI in any form or format.