ERPHealth, LLC – Patient Privacy Notice
Last updated: October, 2022
Welcome to ERP Health, LLC (“ERPHealth”). This “Privacy Notice” describes how your personal information may be collected and used by ERPHealth related to your use of our web-based platform (the “ERPHealth Platform”). It is intended to be read in conjunction with the Terms of Use for the ERPHealth Platform. By clicking “Accept” below, or on any portion of the ERPHealth Platform and using the ERPHealth Platform, you are expressly agreeing that you have read and understood this Privacy Notice.
Please read this Privacy Notice carefully. Access to and use of the ERPHealth Platform, and the services provided on it is subject to this Privacy Notice as set forth below.
Revisions to this Privacy Notice
This Privacy Notice was last updated as of the date indicated above. ERPHealth may revise this Privacy Notice at any time. ERPHealth will indicate that a change has been made to this Privacy Notice on your next use of the ERPHealth Platform. Any revision and/or addition to this Privacy Notice shall become effective and binding on you when you continue to use the ERPHealth Platform on or after posting of such revision and/or addition.
No Medical or Legal Advice
The ERPHealth Platform allows treatment centers and healthcare providers (“Providers”) to input and store certain clinical information about you, their patient, for the purpose of tracking behavioral-health related medical data (the “Data”). The Provider operates a federally assisted part 2 program that must comply with the Federal Confidentiality of Alcohol and Drug Abuse Patient Records law and regulations, 42 USC §290dd-2 and 42 CFR Part 2 (collectively, “Part 2”). ERPHealth is the Provider’s Business Associate, and a Qualified Service Organization (“QSO”) under Part 2. As such, ERPhealth provides an outcome tracking platform (i.e. the ERPHealth Platform) to deliver measurement-based care for behavioral health (the “Services”).
ERPHealth’s goal is to try to help you understand your progress, allowing you the opportunity to communicate with your Providers. The Services we provide you are for informational purposes only. No material contained within or provided through the ERPHealth Platform should be construed as medical advice and/or treatment. Your Provider is the only individual qualified to provide medical advice and/or treatment and to interpret the Data that is input and stored in the ERPHealth Platform. ERPHealth does not practice medicine and no physician or nurse to patient relationship is created as a result of your use of the ERPHealth Platform.
IF YOU ARE EXPERIENCING A HEALTH EMERGENCY, CALL 911 OR YOUR HEALTHCARE PROFESSIONAL IMMEDIATELY.
IF ERPHEALTH REASONABLY SUSPECTS THAT YOU MAY BE EXPERIENCING A MEDICAL EMERGENCY, OR MAY BE A DANGER TO YOURSELF OR ANOTHER PERSON, ERPHEALTH RESERVES THE RIGHT, AND YOU EXPRESSLY AGREE, THAT ERPHEALTH MAY CONTACT THE APPROPRIATE EMERGENCY SERVICES, INCLUDING CALLING 911, CONTACTING CHILD PROTECTION SERVICES, A SUICIDE HOTLINE OR OTHER APPROPRIATE SERVICE, AS CONSISTENT WITH OUR OBLIGATIONS UNDER HIPAA AND PART 2. ERPHEALTH IS UNDER NO OBLIGATION TO MONITOR YOUR PROGRESS OR IDENTIFY ANY LIFE THREATENING BEHAVIORS OR CONDITIONS.
Nothing contained or provided through the ERPHealth Platform is intended or should be construed as legal advice or guidance. No attorney-client relationship is created between you and ERPHealth or its personnel. If you have any questions about any law, rule or regulation, or seek legal advice regarding your healthcare, you should contact your own legal counsel.
Information We Collect
ERPHealth Platform will allow you to collate and track your treatment data for care management and coordination purposes and communicate with your Provider. All such interactions are strictly limited to and for the purpose of providing a seamless treatment program for you. This Privacy Notice is designed to advise you:
- of how we (ERPHealth) will access, transmit, and store your information as part of your use of the ERPHealth Platform,
- how we protect such information,
- how your information may be used or disclosed, and what rights you have to access your information.
Unless otherwise specified, this Privacy Notice is intended to describe how ERPHealth may handle your information collected through the ERPHealth Platform, which in the case of Your Personal Information (defined below) will always be consistent with our Notice of Privacy Practices, the Notice of Privacy Practices from Provider, the consent to collect such data given to you by your Provider, and all consent for treatment consistent with HIPAA and Part 2.
In order to provide you with access to the ERPHealth Platform, there is certain personal and Protected Health Information that the ERPHealth Platform will securely access, transmit, and collect. We gather various types of information from you as the patient, and from your Provider, as explained in more detail below, including information that identifies you as an individual as well as Protected Health Information that is collected from you as an individual and is created or received by your Provider (i.e. a covered entity), and relates to the past, present or future physical health or condition of an individual. Protected Health Information may directly identify you as an individual as well.
Information Provided by Your Healthcare Provider/Treatment Facility
Registration information. When you, as a patient, are added to the ERPHealth Platform by your Provider you will be required to activate your Patient Portal Account (“PPA”) or access the ERPHealth Platform through one of our TAP devices. Whether you access through the PPA or the TAP device, the information collected will be the same. Your Provider will include in your PPA Personal Information such as your first name, last name, email address, and date-of-birth (“Personal Information”). In addition to Personal Information, the PPA will include insurance information, therapist, clinic, treatment start date, diagnosis, current and past goals, current and past functional outcomes score, and adherence to treatment questionnaires (i.e. protected health information or “PHI”).
In order to activate your Patient Portal and use the Services, you will be sent an email from ERPHealth that you will need to authenticate and verify using your date-of-birth or you will be given access to your PPA by using a TAP device at the treatment center.
By using the Services, you are specifically certifying that you have signed and provided consent to sharing your Personal Information and PHI with your Provider and that you have expressly consented to having your Provider share your Personal Information and PHI with ERPHealth consistent with the obligations set forth in HIPAA and Part 2.When you first log into the ERPHealth Platform, you will also be asked to consent to sharing your PHI with ERPHealth. You cannot use the ERPHealth Platform without consenting.
Once you are registered, and agree to use the ERPHealth Platform, you are permitting ERPHealth to receive and store Personal Information and/or any PHI via the ERPHealth Platform. The ERPHealth Platform allows you to view certain Personal Information, including treatment data, that ERPHealth received from your Provider when you first registered or were admitted and consented to the same. ERPhealth uses the data to allow providers to conduct healthcare operations and quality improvement activities related to your treatment. The content ERPHealth provides you is for informational purposes only. ERPHealth does not provide medical advice, provide nursing care, diagnose or deliver treatment. Those are activities for you to undertake with your doctor or other appropriately trained and qualified health professional.
Communications between you and ERPHealth. If you email us, we may keep your message, email address and contact information to respond to your request as well as for archiving purposes. We may send you Service-related emails (e.g., account verification, changes/updates to features of the Service, technical and security notices, or other notifications and auto-responders), and we may collect and store these communications. All communications are saved and stored into our databases indefinitely. You can control the communications that you receive from ERPHealth through your account settings. Note that you may not opt-out of Service-related emails from us. In addition, ERPHealth may contact you through SMS notifications. Message frequency varies. Message and data rates apply. Text “HELP” for help. Text “STOP” to cancel.
General Data Collected. Beyond Personal Information, ERPHealth may collect certain other information from you when you are using the ERPHealth Platform such as device type, geolocation, access or duration of use times, server logs, cookies, pixel tags or beacons and other tracking tools, and/or app navigation and general analytics.
This general data does not include Personal Information or PHI (as defined above), and, in general, relates to information from which ERPHealth can understand how users use and interact with the ERPHealth Platform, so that we can improve the quality of such features or remove features that are not being used. This general data may also be used to provide technical support to our users. The uses are further described in the “HOW WE USE GENERAL USAGE INFORMATION” section below. If General Usage Information is combined with Your Personal Information, then it is treated as Your Personal Information and subject to HIPAA, Part 2, and the standards set forth in the “HOW WE USE YOUR PERSONAL INFORMATION” section below.
Information We Gather From Your Use of Our Service
Analytics. We use third-party analytics tools to help us measure traffic and usage trends and other non-personal Information for the ERPHealth Platform (e.g. date and time when you log in and log out of the app, geolocation/current location of user to show nearby projects) (“Third-Parties”). These tools collect information sent by your device or the ERPHealth Platform, including the web pages you visit, add-ons, and other information that assist us in improving the ERPHealth Platform. This analytical information is de-identified and combined with information collected from other users. For further information on how we share information with third-parties, see below.
Metadata. Metadata is usually technical data that is associated with other data, including content. For example, metadata can describe how, when and by whom a piece of content was collected and how that content is formatted. We may store metadata to provide you with particular services. The collection, use, and storage of this metadata can be controlled as described below in the “Cookie Policy.”
Device Identifiers. For each device you use to access the ERPHealth Platform (e.g., mobile phone, tablet, computer), we may access, collect, monitor, store on your device, or remotely store one or more “device identifiers.” Device identifiers are small data files or similar data structures stored on or associated with your device, which uniquely identify your device. A device identifier may be data stored in connection with the device hardware, data stored in connection with the device’s operating system or other software, or data sent to the device by ERPHealth. In the alternative, a device identifier may be a serial number or other identification associated with a particular type of device or part that is unique to your device (e.g., a “media access control” number or “MAC”) that we store to identify and differentiate different devices. A device identifier may be used to deliver information to us or to a third-party partner about how you browse and use the ERPHealth Platform and may help us or others provide reports or personalized content and ads. Some features of the ERPHealth Platform may not function properly if use or availability of device identifiers is impaired or disabled. The collection, use, and storage of these device identifiers can be controlled as described below in the “Cookie Policy.”
Log Data. Our servers may automatically record information (“Log Data”) created by your use of the ERPHealth Platform. Log Data may include information such as your Internet Protocol (“IP”) address, browser type, operating system, the referring web page, pages visited, location, your mobile carrier, device and application IDs, search terms, and cookie information. We receive Log Data when you interact with our Service, for example, when you visit our Application, sign into the ERPHealth Platform or interact with our email notifications. ERPHealth uses Log Data to provide the ERPHealth Platform and to measure, customize, and improve the ERPHealth Platform.
ALL ANALYTICS, METADATA, DEVICE IDENTIFIERS, AND LOG DATA IS HEREINAFTER REFERRED TO AS “USE DATA” AND IS DE-IDENTIFIED CONSISTENT WITH THE REQUIREMENTS SET FORTH IN HIPAA.
Live Chat.
ERPHealth has a Live Chat feature on its website. The Live Chat is intended to provide after-hours support services for the providers and facilities we serve. The Live Chat is not intended for patient use and does not provide any services for the patient. If you, as the patient, contact ERPHealth through Live Chat, the service may collect your first name, last name, and contact information. However, you are not able to reach your physician or healthcare provider through Live Chat.
How We Store Your Information
We provide the Service from within the United States, and we store all Personal Information and PHI that we currently collect, process, and retain on servers located within the United States. In the future, we reserve the right to store Personal Information and PHI on servers located outside the United States.
Privacy laws outside of the United States may be more stringent than the privacy laws within the United States that apply to ERPHealth. By providing ERPHealth with your Personal Information, you consent to the storage and processing of your Personal Information in the United States as further stated in the current version of this Privacy Notice. ERPHealth reserves the right to update its Privacy Notice from time to time.
Certain types of content you submit to us might reveal your gender, ethnic origin, nationality, age, religion, sexual orientation, or other Personal Information and PHI about you or others. By using our Service, or by submitting your Personal Information and PHI to us, you consent to the collection, storage, processing and onward transfer of your Personal Information and PHI as stated in the current version of this Privacy Notice and the current version of the Terms of Service (“Terms”) erphealth.com/terms.
How We Use the Information
Generally speaking, we access and use your Personal Information and/or PHI only as may be necessary to provide the Services offered on the ERPHealth Platform. ERPHealth makes every effort to comply with the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules, and Part 2 for all PHI that is stored and collected using the ERPHealth Platform. Further, we will make every effort to keep all data, regardless of whether it is PHI or just your Personal Information, privacy and security. By using the ERPHealth Platform it is your express desire to share PHI and Personal Information with the Providers who are treating you or for healthcare operations, treatment, quality improvement, billing, or claims purposes.
Where Personal Information also constitutes PHI under HIPAA and Part 2, Personal Information will be handled in accordance with HIPAA, Part 2, and other applicable laws, and as Required by Law, consistent with that definition and its meaning under 45 C.F.R. § 164.103. These standards will govern ERPHealth’s permitted uses and disclosures.
The following explains how ERPHealth generally uses your Personal Information and/or PHI:
With Your Consent. For certain Personal Information, we will only share that information with companies, organizations or individuals outside of ERPHealth when we have your specific consent to do so.
At Your Direction. By using the ERPHealth Platform, you are provided with the capability to store all treatment data and progress, to communicate with your Providers, and provide you with the ability to easily port your behavioral-health related data to other treatment facilities to allow continuity of treatment. By consenting to this Privacy Notice and using the ERPHealth Platform, you are directing ERPHealth to store and allow us to share that information with the parties involved in your treatment. However, you are solely responsible for your interactions with those individuals. Moreover, the data you input into the ERPHealth Platform either belongs to the Provider or the Patient. ERPHealth will only share PHI at your direction. However, any Use Data is completely de-identified and belongs to ERPHealth.
Service Providers. We may employ third-party companies and individuals to facilitate the ERPHealth Platform (e.g., maintenance, analysis, audit, marketing and development). These third-parties may have limited access to your information only to perform these tasks on our behalf and are obligated to ERPHealth not to disclose or use it for other purposes consistent with our obligations under HIPAA and Part 2.
Required by Law. We may access, preserve, and share your Personal Information in response to a legal request (like a search warrant, court order or subpoena). We may also access, preserve and share information when we have a good faith belief it is necessary to: detect, prevent and address fraud and other illegal activity; to protect ourselves, you and others, including as part of investigations; and to prevent death or imminent bodily harm. Information we receive about you may be accessed, processed and retained for an extended period of time when it is the subject of a legal request or obligation, governmental investigation, or investigations concerning possible violations of our terms or policies, or otherwise to prevent harm. Any disclosures required by law are subject to our obligations to the Provider consistent with the HIPAA, and Part 2.
Change of Control/Business Transfers. If we sell or otherwise transfer part or the whole of ERPHealth or our assets to another organization (e.g., in the course of a transaction like a merger, acquisition, bankruptcy, dissolution, liquidation), your Personal Information such as user name and email address, content and any other information collected through the ERPHealth Platform may be one of the assets sold or transferred to a third-party. Any such sale, transfer, or otherwise sharing of our assets shall be subject to the restrictions of this Privacy Notice and any applicable data protection laws. You will continue to own your content, but the license you granted in the Terms may be transferred to others.
Non-Personal Information. We may share aggregated information that is not personally-identifiable, de-identified information (“Non-Personal Information”) publicly and with publishers, marketers, advertisers or connected sites. For example, we may share Non-Personal Information publicly to show trends about the general use of the ERPHealth Platform. Non-Personal Information includes collective information about multiple users that does not reflect or reference an individually-identifiable user.
Additional Disclosures. We reserve the right to disclose Personal Information about you with your permission, as required by law, as necessary to enforce our Terms of Service or Privacy Notice, to investigate or defend against third-party claims or allegations, to protect the security and integrity of the ERPHealth Platform and property, to protect our rights or personal safety and that of our users or others and to respond to valid requests by public authorities, including to meet national security or law enforcement requirements.
Other. In addition to some of the specific uses of information we describe in this Privacy Notice above, we may use your Personal Information that we receive to:
- help support value-based care.
- help you efficiently access your information after you sign in.
- remember information so you will not have to re-enter it during your visit or the next time you visit the ERPHealth Platform.
- provide personalized content and information to you and others, which, in the future, could include online ads or other forms of marketing.
- provide, improve, test, and monitor the effectiveness of the ERPHealth Platform.
- develop and test new products and features.
- monitor metrics such as total number of visitors, traffic, and demographic patterns.
- diagnose or fix technology problems.
Cookie Policy – How We Use Cookies and Other Tracking Technologies
Our Services may use “cookies” and other tracking mechanisms (e.g., Use Data, described above) to collect information about you when you use the Platform. Certain of those cookies (noted below) are necessary for the functioning of the Services, and as such, cannot be denied if you visit and/or use the Platform. For permissive cookies (noted below), you can control the use of those permissive cookies directly via your browser settings. Below are links to instructions for certain browsers on how to manage cookies.
About cookies. A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but Personal Information that we store about you may be linked to the information stored in and obtained from cookies.
Cookies that we use. As explained in more detail below, ERPHealth may send one or more cookies to your browser to help facilitate the Service.
We use cookies for the following purposes:
- Authentication and Personalization – we use cookies to identify you when you use our Services and as you navigate the Platform to store information about your preferences and to personalize our Services for you.
- Security – we use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect our Website generally.
- Analysis – we use cookies to help us to analyze the use and performance of our Services.
The categories of ERPHealth cookies you may encounter on our Platform include, but are not limited to Analysis (e.g. Google analytics).
Permissive Cookies: These cookies are not necessary to the functioning of the Services and a user must opt-in to the use of these cookies.
Strictly Necessary Local Storage: ERPHealth uses local storage of data that is strictly necessary to the provision of the Service. Local storage is data that is stored on your computer in order to maintain data for current and future use of the Service. The storage of this data is necessary for the Services to function and cannot be switched off in our systems. It is usually only set in response to actions made by you on the Platform.
The data stored may include:
First Name
Last Name
Token
Depending on the browser used to view and access the Platform, you may review the cookies and local storage in use by ERPHealth at any time by viewing site information from your browser. This is typically displayed to the left of the address bar of your browser.
Managing cookies. Most browsers allow you to refuse or accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. Blocking all cookies will have a negative impact upon the usability of many websites.
You are able to control and manage cookies directly through your browser settings. Please note that if you choose to refuse cookies you may not be able to use the full functionality of our Website. The settings to change the cookies will typically be found in the “options” or “preferences” menu of your browser. Please refer to your browser’s privacy or help documentation to find instructions for blocking or deleting cookies in your browser. In order to understand these settings, the following links may be helpful.
- Cookie settings in Internet Explorer
- Cookie settings in Firefox
- Cookie settings in Chrome
- Cookie settings in in Safari web and iOS
How We Share and Disclose Information to Third-Parties
Your Personal Information will not be sold, licensed, or disclosed to unaffiliated third parties, except in connection with the sale, transfer, merger, consolidation or other transaction involving all or part of our company or as may be permitted under HIPAA, Part 2, and state privacy laws.
Under HIPAA, Part 2, and other state privacy laws, ERPHealth may be permitted to disclose PHI to the Provider (i.e. your healthcare professional and/or treatment facility) or business associates of ERPHealth or its customers who perform various functions or provide services on their behalf. To perform these functions or to provide services, business associates will receive, create, maintain, use, or disclose PHI that has been provided to or made available to the business associate by ERPHealth, but only after we require the business associates to agree in writing to contract terms designed to safeguard your information and provide reasonable assurance that they will safeguard the Personal Information.
ERPHealth will collect and share data, in particular PHI, which has been provided by your Provider. ERPHealth will only collect and share data with the healthcare provider or treatment facility that treats you.
We utilize Google Analytics, a web analysis service provided by Google, to better understand your use of the ERPHealth Platform. Google Analytics collects information such as how often users use the ERPHealth Platform. Google’s ability to use and share information collected by Google Analytics about your visits to the ERPHealth Platform is restricted by the Google Analytics Terms of Use and the Google Privacy Notice. Google offers an opt-out mechanism for the web available here.
We utilize Amazon Web Services (“AWS”) to store Personal Information. AWS does not have access to this Personal Information and any processing and/or accessing of Personal Information is controlled solely by ERPHealth.
Security of Your Personal Information
We take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and implement appropriate technical, physical and organizational measures to ensure an appropriate level of security to protect the personal information that we collect and process, both while in transit and while in storage. No method of transmission over the Internet or method of electronic storage is 100% secure, however. Therefore, while we use reasonable security safeguards to protect your personal information, we cannot guarantee absolute security.
Your Privacy Rights
You can always opt not and choose not to use the ERPHealth Platform.
De-Identified Personal Information. Please note that we may still use any aggregated and de-identified Personal Information that does not identify any individual. ERPHealth will also retain any Personal Information to the extent necessary to comply with ERPHealth’ legal obligations, resolve disputes, and enforce ERPHealth’ agreements, as outlined in this Privacy Notice.
Special Types of Data and Data Transfers
International Data Transfer
Personal Information you submit on the ERPHealth Platform is stored and will be primarily processed in the United States. The ERPHealth Platform is intended only for users located within the United States. If you choose to use the ERPHealth Platform from regions outside the United States that have laws governing data collection and use that differ from U.S. law, you acknowledge and agree that you are transferring personal information outside of that region to the United States and, by providing such information, you consent to the use of your personal data as identified in this Privacy Notice and the transfer of your personal data to the United States.
Changes to this Privacy Notice
We reserve the right to change or modify this Privacy Notice from time to time. We will alert you to material changes by, for example, placing a notice on the ERPHealth Platform and requesting that you review and consent to any changes when we are required to do so by applicable law. You can see when this Privacy Notice was last updated by checking the date at the top of this page. You are responsible for periodically reviewing this Privacy Notice.
Contact Us
If you have any questions or concerns regarding our Privacy Notice, please contact us at privacy@erphealth.com or by postal mail addressed to the following address and our Privacy team will respond within a reasonable time:
ERPHealth, LLC
123 N 3rd Street
Philadelphia, PA 19106