169 Madison Ave. suite 15043, New York, NY 10016
© 2025, Doc.com, Inc. All rights reserved.
This Privacy Policy describes how Doc.com Inc. collects and uses Personal Data about you through the use of our websites, mobile applications, and through email, text, and other electronic communications between you and Doc.com Inc.
Doc.com Inc. (“Doc.com” or “we,” “our,” or “us”) is involved in the administration of telemedicine, telepsychology, telepsychiatry, telepharmaceutical, televeterinary, and online product marketplace services, as described in the Terms of Use through the use of a digital medium (the “Platform”). Doc.com has adopted this policy to ensure compliance of the Platform under HIPAA.
This Privacy Policy (our “Privacy Policy”) describes the types of information we may collect from you or that you may provide when you visit the https://www.doc.com websites (collectively, our “Website”) and the associated Doc.com applications (“Application”), and our practices for collecting, using, maintaining, protecting, and disclosing that information.
This policy applies to information we collect:
Members of Doc.com’s workforce may have access to the “protected health information” (as described below) of Platform participants and dependents on behalf of the Platform or of Doc.com in relation to its administrative functions. HIPAA restricts Doc.com’s use and disclosure of protected health information relating to the Platform, including by the Platform’s “business associates”.
“Protected health information” (“PHI”) means information that is created or received by the Platform and relates to the past, present, or future physical, mental health, or condition of a participant; the provision of healthcare to a participant; or the past, present, or future payment for the provision of healthcare to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. PHI includes information concerning persons living or deceased. The Security Rule governs electronically conveyed PHI, or “E-PHI.” (“PHI” herein includes “E-PHI” unless “E-PHI” is specified.) Special aspects of Security Rule compliance are addressed in Article 2, below. Doc.com has adopted this Privacy Policy regarding the use and disclosure of PHI and individuals’ rights relating to their PHI. All members of Doc.com’s workforce who have access to PHI must comply with this Privacy Policy. Individuals who would be considered part of Doc.com’s workforce under HIPAA are employees, independent contractors, volunteers, trainees, and other persons whose work performance is under the direct control of Doc.com, whether or not they are paid by Doc.com. The term “employee” herein includes all of these types of workers.
Note, Doc.com is not a medical, psychological, psychiatric, pharmaceutical, or veterinary group. Any telemedicine, telepsychology, telepsychiatry, telepharmaceutical, televeterinary, and online product marketplace services or consults obtained through our Website are provided by independent licensed practitioners including, but not limited to, Doc.com Provider Group, LLC, an independent medical group with a network of United States based medical, psychological, psychiatric, pharmaceutical, or veterinary providers (each, a “Provider”).
Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website and Application. By accessing or using our Website and/or Application, you agree to this Privacy Policy.
This Privacy Policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of our Website or Application after we make changes is deemed to be acceptance of those changes, so please check this Privacy Policy periodically for updates.
Our Website and Application are not intended for children under the age of 18 and children under the age of 18 are not permitted to use our Website or our Application without parental or guardian consent. We will remove any information about a child under the age of 18 if we become aware of it.
Our Website and Application are not intended for children under 18 years of age. No one under age 18 may provide any information to or through the Website or Application. We do not knowingly collect Personal Data from children under 18. If you are under the age of 18 and wish to create an account with Doc.com or receive services through our Website and Application, your parent or legal guardian must create the account, submit your personal information, agree to the Terms of Use and the Privacy Policy on your behalf. If we learn we have collected or received Personal Data from a child under 18 without verification of parental consent, we will delete that information. If you believe we might have any information from a child under 18, please contact us at support@doc.com.
II.1. Privacy Official & Contact Person: The Privacy Official will be responsible for the administration of policies and procedures relating to privacy, including but not limited to this Privacy Policy.
The Privacy Official is the contact person (“Contact Person”) for all regular and routine matters, as set forth herein. The Contact Person will serve as the person available to participants who have questions, concerns, or complaints about their PHI.
II.2. Security Official & Contact Person: The Privacy Official will be the Security Official. The Security Official will serve as the person available for any issues of a technical nature specific to the HIPAA Security implementation specifications. The Privacy Official will serve as Contact Person for Privacy and Security Rule regular and routine matters.
II.3. Persons with Access & Workforce Training: It is Doc.com policy to limit access to PHI to those who have need and to train employees who have access to PHI on its privacy and security policies and procedures. The Privacy Official, Security Official, and Contact Person will develop training schedules and programs so that employees who have access to PHI (including E-PHI) receive the training necessary and appropriate to permit them to carry out their functions within the Platform.
II.4. Technical, Physical Safeguards, & Firewall: An analysis of all Doc.com’s information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats—internal or external, natural or manmade, electronic and non-electronic—that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to the threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with its collection, storage, dissemination, and protection. From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity, and availability of the information will be determined. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.
II.5. Protection Measures: All computer equipment and network systems are assets of Doc.com and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based on the following:
The following physical controls must be in place:
(4) Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.
II.6 Privacy Notice: The Privacy Official will maintain the Platform’s Notice of the Privacy Practices that describes the uses and disclosures of PHI that may be made by the Platform; the individual’s rights with respect to use and disclosure of PHI; and the Platform’s legal duties with respect to the PHI.
The Notice informs participants that Doc.com and certain third parties as described therein will have access to PHI in connection with Platform administrative functions. The Notice also provides details of Doc.com’s complaint procedures specifically for HIPAA Privacy and Security, the name and telephone number of the Privacy Official, Contact Person, and Security Official for further information and assistance, and the date of the notice, among other elements.
II.7 Complaints: The Contact Person is responsible for administering a process for individuals to lodge complaints about the Platform’s privacy and security procedures. A copy of the complaint procedure shall be provided to any participant upon request.
II.8 Sanctions for Violations of Privacy and Security Policy: Sanctions for using or disclosing PHI in violation of this HIPAA Privacy and Security Policy will be imposed in accordance with Doc.com’s discipline policy.
II.9 Mitigation of Inadvertent Disclosures of Protected Health Information: Doc.com shall mitigate, to the extent possible, any harmful effects that become known to it of a use or disclosure of an individual’s PHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of PHI that violates this Policy, either by an employee of the Platform or a third-party administrator or Provider, the employee may contact the Privacy Official so that the appropriate steps can be taken to mitigate the harm to the participant.
II.10 Breach Notification Requirements: The Platform will comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and its implementing regulations with respect to notifications in the event of a breach of unsecured PHI. As a result, if an employee becomes aware of a potential breach of unsecured PHI, the employee shall contact the Privacy Official. Promptly after a report of suspected breach of unsecured PHI, the Privacy Official shall direct and undertake an investigation and risk assessment to determine if a breach of unsecured PHI occurred and the scope of such breach. There is a reportable breach only if all of the following have occurred, as determined by the Privacy Official:
PHI • The violation resulted in a compromise of the security or privacy of the PHI
If the Privacy Official determines that there is a low probability that the PHI was compromised, the Platform will document the determination in writing and keep the documentation on file.
The Platform shall, following the discovery of a breach of unsecured PHI that is required to be reported, notify each individual whose unsecured PHI has been, or is reasonably believed by the Platform to have been, accessed, acquired, used, or disclosed as a result of such breach as well as the Secretary of HHS.
For a breach of unsecured PHI involving 500 or more residents of a state or jurisdiction, the Platform shall notify prominent media outlets serving the state or jurisdiction.
For a breach of unsecured PHI involving 500 or more individuals, the Platform shall notify the Secretary of HHS contemporaneously with the notice to affected individuals and in the manner specified on the HHS website.
The above notices shall be provided without unreasonable delay and in no case later than 60 days after discovery of the breach and shall comply with the requirements of the HITECH Act and its implementing regulations with respect to the content and method of notification.
A business associate is required to do the same.
II.11 Breach Notification Definition: A use or disclosure of PHI that does not include the identifiers listed at 45 CFR § 164.514(e)(2), date of birth, and zip code does not compromise the security or privacy of the protected health information.
Breach excludes:
such disclosure is not further used or disclosed in a manner not permitted under HIPAA and its implementing regulations
No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy & Security: No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.
No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment, or eligibility.
II.12. Documentation & Document Retention: The Platform’s and Doc.com’s privacy policies and procedures must be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must promptly be documented.
If a change in law impacts the Notice, the Notice must promptly be revised and made available to the necessary parties. Such change is effective only with respect to PHI created or received after the effective date of the Notice. The Platform and Doc.com shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual’s privacy rights. The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. Covered entities must maintain such documentation for at least six years, beginning with documents created on or after April 14, 2003.
We collect different types of information about you, including information that may directly identify you, information that is about you, but individually does not personally identify you, and information that we combine with our other users. This includes information that we collect directly from you or through automated collection technologies.
III.2. We collect several types of information from and about users of our Website and Applications, specifically information:
III.4. The information we collect on or through our Website or through our Application are:
III.5. As you navigate through and interact with our Website and Application, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, specifically:
III.6. The information we collect automatically may include Personal Data or we may maintain it or associate it with Personal Data we collect in other ways or receive from third parties. It helps us to improve our Website and Application and to deliver a better and more personalized service by enabling us to:
We use your Personal Data for various purposes described below, including to:
IV.1. We use information that we collect about you or that you provide to us, including any Personal Data:
IV.2. We may disclose Personal Data that we collect or you provide as described in this privacy policy:
IV.3. We may also disclose your Personal Data:
IV.4. We may also use your information to contact you about goods and services that may be of interest to you, including through newsletters. If you wish to opt out of receiving such communications, you may do so at any time by clicking unsubscribe at the bottom of these communications.
IV.5. We may use how you browse and shop in order to show you ads for our advertising partners that are more relevant to your interests. We may use cookies and other information to provide relevant interest-based advertising to you. Interest-based ads are ads presented to you based on your browsing behavior in order to provide you with ads more tailored to your interests. These interest based ads may be presented to you while you are browsing our site or third-party sites not owned by Doc.com.
IV.6. We do not control the collection and use of your information collected by third parties described in this Article IV. When possible, these organizations are under contractual obligations to use this data only for providing the services to us and to maintain this information strictly confidential. These third parties may, however, aggregate the information they collect with information from their other customers for their own purposes.
IV.7. In addition, we strive to provide you with choices regarding the Personal Data you provide to us. We have created mechanisms to provide you with control over your Personal Data.
IV.8. Tracking Technologies and Advertising: You can set your browser or operating system to refuse all or some cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of our Website or Application may then be inaccessible or not function properly.
IV.9. Promotional Offers from Doc.com: If you do not wish to have your email address used by Doc.com to promote our own products and services, you can opt out at any time by clicking the unsubscribe link at the bottom of any email or other marketing communications you receive from us or logging onto your profile page. This opt-out does not apply to information provided to Doc.com as a result of a product purchase or your use of our services.
IV.10. Targeted Advertising: We belong to ad networks that may use your browsing activity across participating websites to show you interest-based advertisements on those websites. To learn more about interest-based advertisements and your opt-out rights and options, visit the Digital Advertising Alliance and also visit the Network Advertising Initiative websites (aboutads.info and www.networkadvertising.org). Please note that if you choose to opt out, you will continue to see ads, but they will not be based on your online activity. We do not control third parties’ collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can also opt out of receiving targeted ads from members of the NAI on its website.
V.1. California Civil Code Section 1798.100 (The California Consumer Privacy Act (“CCPA”)) provides California residents with the right to:
V.2. The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, which does business in California, and satisfies at least one of the following thresholds:
Earns more than half of its annual revenue from selling consumers' personal information
V.3. A “Do Not Sell My Personal Information” link on the home page of the website of Doc.com, that will direct users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident's personal information is available.
VI.1. Use and Disclosure Defined: Doc.com and the Platform will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:
VI.2. Workforce Must Comply with Company’s Policy and Procedures: All Doc.com Employees, Providers, Business Associates, and third parties must comply with all Doc.com Terms of Use and Privacy Policies.
VI.3. Access to PHI is Limited to Certain Employees: As set forth in the Articles above, only the Persons with Access shall have regular and recurring access to and use of PHI.
Persons with Access may use and disclose PHI for Platform administrative functions, and they may disclose PHI to other Persons with Access for Platform administrative functions (but the PHI disclosed must be limited to the minimum amount necessary to perform the Platform administrative function). Persons with Access may not generally disclose PHI to employees (other than other Persons with Access) unless an authorization is in place or the disclosure otherwise is in compliance with this Policy.
VI.4. No Disclosure of PHI for Non-Health Platform Purposes: PHI may only be disclosed to Providers for health and mental healthcare purposes only, unless you have provided an authorization for such use or disclosure (as discussed in “Disclosures Pursuant to an Authorization”) or such use or disclosure is required by applicable state law and particular requirements under HIPAA are met.
VI.5. Mandatory Disclosures of PHI to Individual & HHS: A participant’s PHI must be disclosed as required by HIPAA in two situations:
VI.6. Permissive Disclosures of PHI for Legal & Public Policy Purposes: PHI may be disclosed in the following situations without a participant’s authorization when specific requirements are satisfied. The permissive disclosures are:
VI.7. Disclosures of PHI Pursuant to an Authorization: PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization. The Contact Person will have a supply of the authorization form.
VI.8. Complying with the “Minimum-Necessary” Standard: HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure, as determined by the Privacy Official case-by-case, or, in the instance of routine and recurring disclosures, as set forth in the Uses and Disclosures Policy. The “Minimum Necessary” Standard does not apply to any of the following:
Minimum Necessary When Disclosing PHI: For routine and recurring disclosures developing prospectively, the Privacy Official (or Contact Person if directed by the Privacy Official) will direct an analysis of such disclosures and further, specific standards will be developed.
All other disclosures must be reviewed on an individual basis with the Privacy Official to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.
VI.9. Disclosures of PHI to Business Associates: Persons with Access may disclose PHI to the Platform’s business associates and allow the Platform’s business associates to create or receive PHI on its behalf. However, prior to doing so, the Platform must first obtain assurances from the business associate (in the form of business associate agreements) that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a “business associate”, employees must contact the Contact Person and verify that a business associate agreement is in place.
A “Business Associate” is an entity or person who:
VI.10. Disclosures of De-identified Information & Limited Data Sets: The Platform may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers under HIPAA.
VI.11. Policies Specific to E-PHI/Security Rule: Doc.com has performed a risk analysis and assessment, and developed a document called the HIPAA Security Risk Analysis and Assessment document, including recommended administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of electronic PHI that Doc.com creates, receives, maintains, or transmits.
[List specific administrative, physical, and technical safeguards as suggested by Security Rule Evaluation and Assessment document.]
VII.1. Access to Protected Health Information & Requests for Amendment: HIPAA gives participants on the Platform the right to access and obtain copies of their PHI that the Platform (or its business associates) maintains in designated record sets. HIPAA also provides that participants may request to have their PHI amended. The Platform will provide access to PHI and it will consider requests for amendment that are submitted in writing by participants as set forth in the Notice of Privacy Practices.
VII.2. Accounting: An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last six years, other than disclosures:
care or other notification purposes
The Platform shall respond to an accounting request within 60 days. If the Platform is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.
The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).
The first accounting in any 12-month period shall be provided free of charge. The Contact Person may impose reasonable production and mailing costs for subsequent accountings.
VII.3. Requests for Requested Confidential Communications: Participants may request to receive communications regarding their PHI by alternative means or at alternative locations. Such requests shall be honored if, in the sole discretion of Doc.com, the requests are reasonable.
However, Doc.com shall accommodate such a request if the participant clearly provides information that the disclosure of all or part of that information could endanger the participant. The Contact Person has responsibility for addressing requests for confidential communications.
VII.4. Requests for Restrictions on Uses & Disclosures of PHI: A participant may request restrictions on the use and disclosure of the participant’s PHI. It is Doc.com’s policy to attempt to honor such requests if, in the sole discretion of Doc.com, the requests are reasonable. The Contact Person is charged with responsibility for addressing requests for restrictions.
VII.5. Requests for Amendment: No third-party rights (including, but not limited to rights of Platform participants, beneficiaries, covered dependents, or business associates) are intended to be created by this Policy. Doc.com reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspirational and shall not be binding upon Doc.com. This Policy does not address requirements under other Federal laws or under state laws.
VIII.1. We also may use automated data collection technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). Some web browsers permit you to broadcast a signal to websites and online services indicating a preference that they “do not track” your online activities. At this time, we do not honor such signals and we do not modify what information we collect or how we use that information based upon whether such signal is broadcast or received.
IX.1. We have implemented measures designed to secure your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. We use encryption technology for information sent and received by us.
IX.2. The safety and security of your information also depends on you. Where you have chosen a password for the use of our Application, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
IX.3. Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted to our Website or on or through our Application. Any transmission of Personal Data is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website, in your operating system, or in the Application.
X.1. Certain location-enabled functionality made available on the Website and Application is provided by Google, Apple Inc., and other third-party providers. Your use of that functionality may be subject to additional privacy (and other) terms and conditions (as updated from time-to-time), including the terms that are accessible through: http://www.google.com/intl/en-US_US/help/terms_maps.html and https://www.apple.com/legal/internet-services/maps/terms-en.html. You must exercise your own judgment as to the adequacy and appropriateness of the sharing of this information with us.
XI.1. We may change this Privacy Policy at any time. It is our policy to post any changes we make to our Privacy Policy on this page with a notice that the Privacy Policy has been updated on the Website’s home page or the Application’s home screen. If we make material changes to how we treat our users’ Personal Data, we will notify you by email to the email address specified in your account and/or through a notice on the Website’s home page or the Application’s home screen. The date this Privacy Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically accessing the Application or visiting our Website and reviewing this Privacy Policy to check for any changes.
XII.1. If you have any questions, concerns, complaints, or suggestions regarding our Privacy Policy or otherwise need to contact us, you may contact us at the contact information below or through the “Contact” page on our Website or in the Application.
XII.2. How to Contact Us: Doc.com Inc. 169 Madison Ave. suite 15043, New York, NY 10016.
Email: support@doc.com