At NodOps, we understand the sensitive nature of healthcare data and we are committed to protecting the privacy of our clients' data. This privacy policy outlines how we collect, use, and safeguard our clients' data when providing data analytics and managed products to healthcare and healthcare-adjacent industries.
Data We Collect
Protected health information (PHI): This includes all information related to an individual's health, medical conditions, treatments, diagnoses, medications, test results, and other healthcare-related information.
Personally identifiable information (PII): This includes information that can be used to identify an individual, such as name, address, phone number, email address, social security number, date of birth, and other personal identifiers.
Operational data related to healthcare operations: This includes data related to the operations of healthcare providers, such as hospital admissions, discharge summaries, medical codes, billing and payment information, and other administrative and financial data. Where such records contain PHI or PII, they are handled under the protections described for those categories.
Research data: This includes data collected for the purposes of clinical research, such as data from clinical trials, surveys, and other research studies.
Other data: This includes any other data that may be relevant to our clients' healthcare operations, such as data from electronic health records (EHRs), medical imaging systems, and other healthcare technologies.
Use of Data
Data analysis: We use advanced data analysis techniques to identify patterns, trends, and insights in the data. This can include data visualization, predictive modeling, and other data analytics tools.
Reporting: We create reports and dashboards to summarize and present the findings from our data analysis in a clear and actionable format. These reports can be used to inform decision-making at all levels of our clients' organizations.
Benchmarking: We compare our clients' healthcare operations data to industry benchmarks and best practices to identify areas for improvement and opportunities for optimization.
Risk assessment: We analyze our clients' data to identify potential risks to their healthcare operations, such as security breaches, compliance violations, or other operational risks.
Product development: We use the insights and findings from our data analysis to inform the development of new data analytics and managed product services for our clients.
Data Sharing
Identification and verification of the third party: We first verify the identity of the third party and ensure that they have a legitimate need for the data.
Data access restrictions: We restrict the third party's access to the data to only the data required to fulfill the purpose of the request, and we do not share any unnecessary or sensitive data.
Data use limitations: We ensure that the third party uses the data only for the purpose for which it was requested and does not use the data for any other purpose.
Data security and confidentiality: We require the third party to implement the same level of data security and privacy as NodOps and to protect the data from unauthorized access, use, disclosure, alteration, or destruction.
Legal agreements: We require the third party to sign a legally binding agreement that outlines the terms and conditions of the data sharing and includes strict confidentiality and security provisions.
Data Security
Access controls: We have strict access controls in place to ensure that only authorized personnel can access our clients' data. We use strong passwords and two-factor authentication to protect against unauthorized access.
Encryption: We use encryption to protect data both in transit and at rest. We use industry-standard encryption algorithms to ensure the confidentiality and integrity of the data.
Data backup and recovery: We regularly back up our clients' data so that it can be recovered in the event of a disaster, ransomware incident, or data breach.
Vulnerability management: We regularly scan our systems for vulnerabilities and apply security patches as soon as they become available. We also conduct regular penetration testing to identify potential security weaknesses.
Employee training: We train our employees on data security and privacy best practices and require them to sign confidentiality and non-disclosure agreements.
Physical security: We maintain physical security measures, including access controls and monitoring systems, to ensure the safety and security of our data centers.
Data infrastructure: We build on the infrastructure of major cloud providers, such as Amazon Web Services (AWS) and Google Cloud Platform, whose platforms are independently audited and implement multiple layers of security controls to protect against cyber attacks. Under the shared responsibility model, the provider secures the underlying infrastructure while NodOps remains responsible for the secure configuration and operation of the services we deploy on it.
Data Retention
Data retention period: We determine the retention period for each type of data based on legal and regulatory requirements, the purpose of the data, and business needs. We retain data only for as long as necessary to fulfill the purpose for which it was collected and to comply with legal and regulatory requirements.
Data deletion: When data is no longer needed, we delete it securely using industry-standard data deletion methods. We ensure that all copies of the data, including backups and archives, are securely deleted.
Archiving: For some types of data, such as financial records, we may archive the data to comply with legal and regulatory requirements. Archived data is stored securely and is not actively used.
Access controls: We restrict access to retained data to only authorized personnel and use strict access controls to ensure the confidentiality and security of the data.
Data retention policy review: We review our data retention policies and procedures regularly to ensure that they are up to date and in compliance with legal and regulatory requirements.
Client requests: If a client requests the deletion of their data, we will comply with the request, subject to legal and regulatory requirements.
Compliance
Legal and regulatory requirements: We stay up to date with all applicable legal and regulatory requirements related to data privacy and security in the healthcare and healthcare-adjacent industries, including HIPAA, GDPR, and CCPA.
Compliance training: We provide regular training to our employees on compliance with legal and regulatory requirements to ensure that they are aware of their responsibilities and obligations.
Risk assessments: We conduct regular risk assessments to identify potential risks to data privacy and security and implement measures to mitigate those risks.
Data breach response: We have established clear procedures for responding to data breaches, including notifying affected parties and regulatory authorities, as required by law.
Vendor management: We ensure that all of our vendors, including those providing cloud services and data storage, are compliant with legal and regulatory requirements related to data privacy and security.
Auditing and reporting: We conduct regular audits of our systems and processes to ensure that we are in compliance with legal and regulatory requirements. We also provide regular reports to our clients on our compliance efforts.
Access and Control
Access controls: We use industry-standard access controls, such as multi-factor authentication and role-based access controls, to ensure that only authorized personnel have access to our clients' data.
User authentication: We require strong passwords and enforce regular password changes to ensure that user authentication is secure.
Monitoring and logging: We monitor and log all access to our clients' data to ensure that any unauthorized access attempts are detected and investigated.
Encryption: We use encryption to protect our clients' data both in transit and at rest, to ensure that it remains confidential and secure.
Data segregation: We ensure that our clients' data is segregated from other clients' data to prevent unauthorized access and maintain confidentiality.
Access request process: We have established a clear access request process that requires proper authorization and documentation for any access requests.
Access reviews: We conduct regular access reviews to ensure that access controls and permissions are up to date and that access is limited to only those who require it to perform their job functions.
Changes to Policy
Notification of changes: We will notify our clients of any changes to our privacy policy through email, our website, or other means of communication.
Effective date: We will clearly indicate the effective date of any changes to our privacy policy.
Review and approval: Any changes to our privacy policy will be reviewed and approved by our legal team and senior management.
Reason for change: We will provide a clear and concise reason for any changes to our privacy policy.
Client feedback: We welcome feedback from our clients regarding any changes to our privacy policy and will consider it in our decision-making process.
Continued use: Clients' continued use of our products and services following any changes to our privacy policy will be considered as acceptance of the changes.
Case Studies
We value the privacy and confidentiality of our clients' data and information. We understand that some clients may be interested in participating in case studies that showcase the results achieved with our products and services. We have established clear policies and procedures for featuring our clients in case studies to ensure transparency and accountability and to respect our clients' concerns.
Our policies and procedures for featuring our clients in case studies include the following:
Client consent: We require explicit written consent from our clients to use their data and information for case studies.
Anonymization: We will anonymize or remove any personal or identifying information before using it in case studies to protect our clients' privacy.
Client approval: We will provide our clients with an advance copy of any case study materials and obtain their approval before publishing or sharing them publicly.
Purpose: We will clearly state the purpose of the case study and ensure that it aligns with our clients' goals and objectives.
Benefits: We will clearly explain the benefits of participating in a case study to our clients and ensure that they have the option to decline or opt out at any time.
Confidentiality: We will maintain confidentiality and ensure that any shared information or data is used solely for the purpose of the case study and is not shared with any third parties without our clients' explicit consent.
At NodOps, we are committed to maintaining transparency and accountability in our policies and procedures for featuring our clients in case studies. We continuously review and improve these policies and procedures to ensure that they are effective, comply with legal and regulatory requirements, and respect our clients' concerns and privacy.
If you have any questions or concerns regarding this privacy policy or our data handling practices, please contact us at privacy@nodops.com.