The CARIN Alliance Code of Conduct

As an organization that handles personally identifiable health care information outside of HIPAA, we commit to the following regarding how we will handle personally identifiable consumer health care data.

I. Consent

The Principle of Collection Limitation, which provides that there should be limits to the collection of personal data, that data should be collected by lawful and fair means, and that data should be collected, where appropriate, with the knowledge or consent of the subject.

We will:

a)  Avoid default data sharing and obtain informed, proactive consent from users, with such consent clearly describing how user data will be collected, used and shared.

b)  Obtain separate consent (either opt-in or opt-out) to uses or disclosures for marketing purposes.

c)  Comply with the Children’s Online Privacy Protection Act with respect to collection, use or disclosure of data from and about individuals under the age of 13 including any applicable state laws.

d)  Provide users with advance notice of our privacy policy changes.

e)  Be clear with users on how they can withdraw consent to use our service and what will happen to their data after withdrawal.

f)  On behalf of our users, request a copy of their health data from the HIPAA designated record set maintained by a health care provider, health plan, or health information exchange by:

1) Requiring as an option the consumer uses technology that supports NIST IAL2 & AAL2 standard
2) Clearly indicating the destination for sending the health information

II. Use & Disclosure

The Principle of Use Limitation, which provides that there must be limits to the internal uses of personal data and that the data should be used only for the purposes specified at the time of collection. The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority.

We will:

a) Via contracts bind third-party vendors to our privacy policies and prohibit use or disclosure of user information for independent purposes absent express consent from the user.

b)  Limit the collection of health information to only what the user has expressly consented that the service can collect.

c) Collect, use, and disclose health information in ways that are consistent with reasonable user expectations given the context in which users provided (or authorized the provision of) the health information.

III. Individual Access

The Principle of Individual Participation, which provides that each individual should have a right to see any data about himself or herself and to correct or remove any data that is not timely, accurate, relevant, or complete.

We will:

a)  Provide the ability for a consumer to access their health information on their own and/or assign access to caregivers (defined as an unpaid family member, foster parent, or other unpaid adult who provides in-home monitoring, management, supervision, or treatment of a child or adult with a special need, such as a disease, disability, or the frailties of old age) or other third-parties.

b)  Establish and communicate to users clear policies with respect to health information collected by the service that may not be timely, accurate, relevant or complete.

c)  Upon consumer request, securely dispose of the consumer’s relevant identifiable health data completely and indefinitely to allow the consumer the right to be forgotten.

IV. Security

The Principle of Security, which provides that personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.

We will:

a)  Store and retain health information in a manner consistent with industry-leading best practices that includes the highest levels of security and confidentiality.

b)  Protect health information through a combination of mechanisms including, at a minimum: secure storage, encryption of digital records both in transit and at rest, data-use agreements, and contractual obligations, and accountability measures (e.g. training, access controls and logs, and independent audits).

c)  Follow industry-leading safeguards for how to protect a consumer’s health information against such risks as loss or unauthorized access, use, destruction, annotation, or disclosure.

d)  Provide meaningful remedies for all participants involved in consumer-directed health information exchange to address security breaches, privacy, or other violations incurred because of misuse of the consumer’s health information.

V. Transparency

The Principle of Openness, which provides that the existence of record-keeping systems and databanks containing data about individuals be publicly known, along with a description of main purpose and uses of the data.

We will:

a)  Have a privacy policy that is prominent, publicly accessible, and easy to read.

b)  In that policy specify the Company’s data collection, consent, use, disclosure, access, security, and retention/deletion practices, including with respect to de-identified, pseudonymized or anonymized data.

c)  Provide clear updates when those practices have changed.

d)  Develop privacy policies based on industry best practices to manage health data.

e)  Specify in the privacy policy what will happen to a consumer’s data in the event of a transfer of ownership or in the case of a company ending or selling its business, either: (i) provide users with a clear option to either securely dispose of, or transmit or download their health information securely, or (ii) ensure successor entity commitments are consistent with the then-existing privacy policy.

VI. Provenance

The Principle of Data Quality, which provides that personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete, and timely.

We will:

a) Where possible, provide consumers and their caregivers with data provenance to identify who or what entity originally supplied the data and, where relevant, who made changes to the data, and what changes were made.

VII. Accountability

The Principle of Accountability, which provides that record keepers should be accountable for complying with fair information practices.

We will:

a)  Designate a responsible officer within the company who is committed to these health information principles and to ensure these commitments are publicly facing to allow oversight enforcement by the Federal Trade Commission (FTC), State Attorneys General, or other applicable authorities.

b)  Train our employees on these principles and ensure compliance by regularly evaluating our performance internally.

c)  Be transparent with the public whether or not we have obtained independent third-party certification.

VIII. Education

We will:

a) Inform consumers about their health information sharing choices and the consequences of those choices including the risks, benefits, and limitations of data sharing by providing educational materials ourselves or pointing to appropriate third-party resources.

IX. Availability

We will:

a)  Actively work with data holders to expand the set of consumer health information available for reliable, consistent electronic access and to exchange with individuals, caregivers, and clinicians.

b)  Actively work to expand the amount of machine-readable data to ensure a consumer can electronically access all of their health information when, where, and how they want to achieve their goals.