Activate Care Privacy Policy
Annual Review: August 23, 2024

Scope

Accountable Care Transactions, Inc. ("Activate Care," "we," "us," "our") believes that everybody engaged in the healthcare system - clinicians, patients, families, and communities - can act together to make health happen, wherever they are. Our products and services offer a better approach to managing many of healthcare's complex tasks.

This Privacy Policy describes the information we collect when you and others interact with us through our products and services, including our web-based Activate Care Care Coordination Platform; Activate Care's Path Assist; our websites; applications; definitions, protocols, and tools for building applications; documentation; and training materials (collectively, the "Services"). It also explains how we use and share that information, the measures we take to secure the information, and the choices you have with respect to information about you.

Consent

Please read this Privacy Policy carefully. You agree to this Privacy Policy by using the Services.

If you are using the Services on behalf of a company, organization, government, or other legal entity, or through an association or affiliation with one of these entities, your use certifies to us that an authorized person from your organization has accepted this Privacy Policy on your behalf, that you are authorized to use the Services, and that your use is within the scope of that relationship.

Changes to the Privacy Policy

We may revise this Privacy Policy from time to time. Unless stated otherwise, the most current version of the Policy, which is posted at https://go.act.md/pages/privacy, applies to all information covered by this Policy. We will try to notify you of material revisions, for example via a Service notification or an email if you have an Account. We will also keep prior versions of this Privacy Policy in an archive for your review. By continuing to access or use the Services after those revisions become effective, you agree to be bound by the revised Policy.

Children

We respect and endorse laws that protect and limit the collection of information from children under the age of 13. Therefore, our Services, including our websites, are not targeted or directed at children under 13. Any information we receive about children under 13 must come from someone authorized by law or consent to give it to us, such as parents, guardians, legal representatives, health care clinicians & providers, hospitals, and insurance companies.

Privacy Laws

Some of the information we collect and use is subject to specific state and federal privacy laws. For example, many of our customers in the United States healthcare industry are subject to regulations issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Among other things, HIPAA outlines the ways health care providers, health plans, certain data processors, and companies they hire to perform certain functions on their behalf (such as Activate Care) may use and share personally identifiable information about a patient. When we receive information that is subject to privacy laws, such as HIPAA, we may be legally or contractually obligated to follow those laws. If there is a conflict between this Privacy Policy and privacy laws to which we are bound, the privacy laws shall govern.

Information We Collect

We collect both personally identifiable and non-identifiable information as part of our Services. Personally identifiable information means information that identifies you, such as your name, address, birthdate, phone number, e-mail address, social security number, and medical or health record number.

We collect information from a variety of sources.

Information you Provide

We collect information from you when you create a Service Account, or provide information as part of our identity verification process. This information may include personally identifiable information, as well as account authentication information like username, password, and security questions.

We collect the information that you upload or enter when you use the Services. For example, you may enter information, which may include personally identifiable information, about you or others as part of:

• An individual care plan;

• A referral request; or

• A consultation with an outside health care provider.

Information We Collect When You Access our Services

We collect information about the Services you use and how you use them. This information includes:

Log Files and Device Information

Log files include information such as your IP address (a number that identifies your computer or other device connected to the internet), internet browser type, pages visited, and search terms. We may also collect information about the device you use to connect to our Services, including your device type and operating system.

Cookies

We use Cookies (small text files placed on your device) to provide our Services and help collect data. We use Cookies for four main purposes: (1) confirmation of your identity during sign-in to access your account; (2) security and Service integrity; (3) store your preferences and settings; and (4) analyze how our Services are performing.

Information We Receive from Other Sources

We receive and store information, which may include information about you, including personally identifiable information, from our customers and third parties.

Our Customers

We may receive information about you from our customers. For example, many of our customers are health care providers who use our Services to help coordinate their patients' care. Thus if you are a patient of one of our customers, we may receive information about you when the customer enters or uploads patient information into the Services.

Third Parties

We may receive information about you from third parties. For example, we may receive information about you from:

government agencies, such as the Centers for Medicare and Medicaid Services, that is used to improve health care decisions.

an identity provider/authenticator when you enable single sign-on to access your account (such as using your Google account to sign in to our Services).

How We Use Information We Collect

We may use the information we receive to:

• provide, operate, maintain, improve, extend, and test the Services;

• provide and create documentation, training, and professional services related to the Services;

• fulfill our legal and contractual obligations;

• create and deliver analyses of data;

• develop de-identified data analyses for our own, or our customer's quality improvement purposes; and

• develop, test, defend, use, and publish standards for the effective creation and engagement of clinical teams and patients, in coordinating care.

Examples of ways we use the information for the reasons described above include:

• to display your account information;

• to ensure that Service users only see the information they are authorized to see;

• monitoring our systems to ensure that they are working as intended and to detect and fix errors;

• accessing log information to investigate problems or unauthorized use; and

• analyzing data and usage patterns to make the Services easier to use.

We may use the information we collect to contact you. For example, we may send you:

• Notifications and reminders when you are mentioned or assigned an action in the Services;

• Appointment reminders;

• News & information about the Services or your account; and

• Requests to conduct surveys & provide feedback.

We may also use the information we collect to:

• protect our rights or property, or the security or integrity of our Services;

• enforce the terms of the Terms of Service;

• verify your identity;

• protect us, users of our Services or the public from harm or potentially prohibited or illegal activities;

• investigate, detect, and prevent fraud, security breaches; or

• comply with any applicable law, regulation, legal process, or governmental request.

Information We Share

Some of our Services are designed to facilitate communication and information sharing among the people and organizations involved in a patient's health care, and who are legally permitted to receive the information. In some cases, we may share this information without the patient's explicit authorization. For example, as part of our Services, we may share patient information, including personally identifiable information:

• Among members of that patient's care team for treatment purposes;

• With others involved in that patient's health care for treatment, payment, or health care operations purposes;

• With others who are legally permitted to receive the information, such as consulting health care providers, certain public health authorities, health oversight and government agencies;

• For judicial and administrative proceedings, and law enforcement purposes;

• As part of legally authorized research studies;

• For other purposes allowed or required by law; and

We may also share information after obtaining the patient's authorization to others who are part of that patient's non-medical community care team, such as family members or friends, schools, social service agencies, utility companies, and government agencies not otherwise permitted to receive patient information.

More broadly, and subject to applicable confidentiality requirements and privacy laws, we may also share the information we collect:

• At the request of one of our customers, but only to the extent that the request is legal, and pertains to information the customer is authorized to control;

• With any of our parent, subsidiary, or affiliate companies for the uses outlined in this policy;

• With third parties to provide, maintain, and improve our Services, including service providers who access information about you to perform services on our behalf, such as:

• hosting (data processing and storage) services,

• identity verification services,

           • e-mail and text messaging services,

           • providers of data analyses services.

• In connection with corporate transactions, for example, if we:

           • Purchase another company;

           • are purchased by another company;

           • raise funds or borrow money; or

           • if we go out of business or file for bankruptcy.

• If we believe it is necessary to:

           • protect our rights or property, or the security or integrity of our Services;

           • enforce the terms of the Terms of Service;

           • verify your identity;

           • protect us, users of our Services, or the public from harm or potentially prohibited or illegal activities.

           • investigate, detect, and prevent fraud and security breaches; or

           • comply with any applicable law, regulation, legal process, or governmental request.

• For other purposes after obtaining your authorization.

We do not sell, lease, or share the personally identifiable information we collect to third parties for marketing purposes.

We may share aggregated de-identified information with third parties.

Your Choices

You have choices with respect to your information.

Your Account Information

If you have an account, you may access, change, or correct your personal account information at any time by logging into your account. You may also make the request to us using the contact details below, in which case we may need to verify your identity before granting access or otherwise changing or correcting your information.

Deactivating Your Account

If you wish to deactivate your account, you may make the request to us using the contact details below. We generally retain information about you only as long as reasonably necessary to provide you the Services. However, even after you deactivate your account, we may retain archived copies of information about you for a period of time that is consistent with applicable law, or as we believe is reasonably necessary to comply with applicable law, regulation, legal process, or governmental request, to prevent fraud, to collect fees owed, to resolve disputes, to address problems with our Services, to assist with investigations, to enforce our Terms of Service, for analytics purposes, or to take any other actions consistent with applicable law.

Your Personal Information

If you believe that we have information about you that should be changed or corrected, you may make the request to us using the contact details below, in which case we may need to verify your identity before granting access or otherwise changing or correcting your information. However, due to legal, contractual, and technical restrictions, we may not be able to make the change or correction. For example,

• If we received the information about you from one of our customers, and that information is subject to HIPAA, then we are both legally and contractually required to refer your request to the customer.

• In the event of legal action or dispute, we may be prohibited from altering any information.

• We maintain regular backups and archives of our data, and changing archived data may be impracticable.

Cookies

Most web and mobile device browsers are set to automatically accept cookies by default. However, you can change your browser settings to prevent automatic acceptance of cookies, or to notify you each time a cookie is set.

You also can learn more about cookies by visiting http://www.allaboutcookies.org, which includes additional useful information on cookies and how to block cookies on different types of browsers and mobile devices. Please note, however, that by blocking or deleting cookies used in the Services, you may not be able to use, or take full advantage of the Services.

Do Not Track

Do Not Track ("DNT") is an optional browser setting that allows you to express your preferences regarding tracking across websites. We currently do not respond to DNT signals. We may continue to collect information in the manner described in this Privacy Policy from web browsers that have enabled DNT signals or similar mechanisms.

Security

We work hard to maintain the security, reliability, accuracy, and completeness of our Services and the information we hold. In particular, we:

• Implement administrative, technical, and physical safeguards, to protect your information from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction.

• Use security technologies, such as encryption.

• Review our information collection, storage, and processing practices, including physical security measures, to guard against unauthorized access to systems.

• Restrict access to personal information to employees, contractors and agents who need to know that information to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

• Only use third-party service providers to store and transmit personal information in compliance with this Policy, and who agree to appropriate confidentiality and security measures, and undergo industry recognized independent third party data security audits.

Since much of the information we collect is provided by our Users, we cannot guarantee the authenticity or accuracy of any data that these Users provide.

Links to Other Services

While using the Service, you may be directed through links to third party websites or services. For example, you may be linked to:

• A third-party authentication site;

• Applications from the following third parties that we have integrated into the Services:

             • Zoom Video Communications, Inc. (video conferencing): https://zoom.us

             • SendGrid (electronic communications): https://sendgrid.com/

             • MaxMD (electronic communications): https://www.maxmdirect.com/

             • InterFax (facsimile service): https://www.interfax.net/en

             • Scrypt Corporation (SFax facsimile service): https://www.scrypt.com/sfax/

We are not responsible for the terms of service or privacy policies of those websites or services. You are responsible for reading and understanding the third party terms of service and policies before using their services.

Contact

If you have questions or comments about our privacy policy, please email us at privacy@activatecare.com, with "Privacy Policy" in the subject line or contact us at:

Activate Care
200 State Street, 12th Floor
Boston, MA 02109