
How does your app integrate with Apple's Clinical Health Records API?
Symptomatic Timelines accesses the Apple Clinical Health Records API on the iPhone. It then lets the user export that data as a FHIR Bundle, which plays the same role as a Continuity of Care Document (CCD) but is FHIR JSON rather than the CDA XML of a CCD proper. By default we point the user to exporting and saving the Bundle to iCloud. The user can then import that Bundle into the iPad, desktop, or web versions of the app.
A video of importing Health Records into an earlier version of the app:
https://youtu.be/S6kPOoQwX6k
Workflow walkthroughs can currently be found on the Helpdesk.
https://symptomatic.zendesk.com/hc/en-us/sections/360004642552-Timelines
What features of your app require access to Apple Health Records?
The primary purpose of Timelines is to view, edit, sort, compose, visualize, and otherwise analyze Health Record data. Essentially, the entire app requires access to FHIR data, either through Apple Health Records or SMART on FHIR.
Where is this functionality enabled, and are users able to disable this functionality?
Health Record API access is currently only enabled on the iPhone.
The user can grant as many or as few of the Health Record category types as they wish, and can revoke that access at any time from the Apple Health app. Once loaded on the iPhone, the data can be exported and transferred to the Symptomatic Timelines app running on other devices.
The user has the choice to delete their entire Symptomatic account from Symptomatic servers from within their app.
Users have the ability to turn off lookup functionality via the Privacy Controls Page.
Who are the relevant parties that will have access to this information?
Generally speaking, only the patient. For our initial entry into the App Store, we have tried to keep things as simple and patient-centric as possible. As such, this application has no use cases involving sending identifiable PHI to third parties, and does not implement public health surveillance, practice management, biomarker discovery, telehealth, or other such use cases.
Terminology providers currently include LOINC and 3M, while geocoding and analytics are provided by Google. All receive only anonymized data points that cannot be traced back to the patient: no patient names or identifiers are sent during these lookup queries.
Where does this app store user data?
Timelines keeps your Protected Health Information (PHI) locally on your iPhone, and allows you to export that PHI as a FHIR Bundle, which is typically stored in the user's Apple iCloud account. The app can perform its core functionality without communicating with external servers.
However, the app does store some basic demographic information in the user’s profile on Symptomatic servers, including name, gender, age, and theming preferences. This allows the user to log onto multiple devices and to use the web version of the app. We also store a HIPAA Audit Log on Symptomatic servers.
Where is the user's information uploaded and stored?
User PHI is stored on the user’s iPhone, and in the user’s iCloud account if they wish to export it. This app has been developed as much as possible to not store Protected Health Information (PHI) on Symptomatic servers.
When deciding business models, we chose not to go with a subscription SaaS model that stores PHI on our servers or data lake - precisely because of concerns around HIPAA violations. Rather, we are using a more traditional paid-app model, similar to Microsoft Word, Adobe Acrobat, Final Cut Pro, or any other application that a user licenses and then loads/saves or imports/exports files from.
The two exceptions are:
- User Collection - the user's account, which contains core login information. It has a profile object attached that approximates the FHIR Patient demographic resource. That collection is used only for account login and to keep the app's profile configuration in sync between devices.
- Audit Log - a collection of FHIR AuditEvent resources that tracks opening of the application, import/export of records, toggling of the Privacy Screen, and a few other events that are commonly considered relevant to HIPAA.
A few other caveats include opt-in functionality that the user can enable via privacy controls:
- participating in anonymized Google Analytics for performance improvement
- physical address data sent to Google to be geocoded
- SNOMED, LOINC, and ICD-10 codes sent to terminology servers for translation
- SNOMED, LOINC, and ICD-10 codes sent out to fetch patient education materials
Opt-in privacy controls are provided for each of the above categories, and can generate patient Consent records as needed. Each lookup sends only the data point needed for that lookup (a code, or for geocoding an address) and no contextualizing PHI, meaning no names or patient identifiers accompany the query. A physical address is itself an identifying data element, so geocoding in particular stays off until the user explicitly opts in.
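As an added example (not Symptomatic's code), the following Python sketch shows the data-minimization rule above applied to a FHIR R4 Bundle: only the coding system and code of each Condition or Observation are collected for a terminology server $lookup, nothing is collected unless the user has opted in, and every outgoing payload is screened against the identifying strings in the bundle before it would be sent. The sample bundle, the privacy-control dictionary and all function names are constructed for this example.

```python
"""Data-minimizing terminology lookups from a FHIR R4 Bundle.
Added example, not the Timelines code base. The bundle, the privacy-control
dictionary and all function names are assumptions made for the example."""
import json

# Constructed sample bundle: one Patient (MRN, name and address that must never
# leave the device), one SNOMED-coded Condition and one LOINC-coded lab result.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle",
    "type": "collection",
    "entry": [
        {"resource": {
            "resourceType": "Patient", "id": "pat-1",
            "identifier": [{"system": "urn:example:mrn", "value": "MRN-0042"}],
            "name": [{"family": "Doe", "given": ["Jane"]}],
            "address": [{"line": ["1 Main St"], "city": "Chicago",
                         "state": "IL", "postalCode": "60601"}]}},
        {"resource": {
            "resourceType": "Condition", "id": "cond-1",
            "subject": {"reference": "Patient/pat-1"},
            "code": {"coding": [{"system": "http://snomed.info/sct",
                                 "code": "44054006",
                                 "display": "Diabetes mellitus type 2"}]}}},
        {"resource": {
            "resourceType": "Observation", "id": "obs-1",
            "subject": {"reference": "Patient/pat-1"},
            "code": {"coding": [{"system": "http://loinc.org",
                                 "code": "4548-4", "display": "Hemoglobin A1c"}]},
            "valueQuantity": {"value": 7.1, "unit": "%"}}},
    ],
}

# Code systems the app is allowed to look up (FHIR's canonical URIs).
TERMINOLOGY_SYSTEMS = {"http://snomed.info/sct": "SNOMED",
                       "http://loinc.org": "LOINC",
                       "http://hl7.org/fhir/sid/icd-10-cm": "ICD10"}

# Hypothetical privacy-control state; every category is off until the user opts in.
DEFAULT_CONTROLS = {"terminology": False, "geocoding": False, "education": False}


def collect_codes(bundle, controls):
    """Return the (system, code) pairs eligible for a terminology lookup.
    Only system and code are kept: no resource ids, subject references, display
    text, values, dates or demographics. Empty unless the user opted in."""
    if not controls.get("terminology"):
        return set()
    codes = set()
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        if res.get("resourceType") == "Patient":
            continue
        for coding in res.get("code", {}).get("coding", []):
            if coding.get("system") in TERMINOLOGY_SYSTEMS and coding.get("code"):
                codes.add((coding["system"], coding["code"]))
    return codes


def build_lookup_query(system, code):
    """Body of a FHIR CodeSystem/$lookup request carrying only system and code."""
    return {"resourceType": "Parameters",
            "parameter": [{"name": "system", "valueUri": system},
                          {"name": "code", "valueCode": code}]}


def patient_identifiers(bundle):
    """Every string in the bundle that could identify the patient: resource ids,
    identifier values, names, street lines and postal codes."""
    found = set()
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        if res.get("id"):
            found.add(res["id"])
        if res.get("resourceType") != "Patient":
            continue
        found.update(i["value"] for i in res.get("identifier", []) if i.get("value"))
        for name in res.get("name", []):
            found.update(name.get("given", []))
            if name.get("family"):
                found.add(name["family"])
        for addr in res.get("address", []):
            found.update(addr.get("line", []))
            if addr.get("postalCode"):
                found.add(addr["postalCode"])
    return found


def contains_identifier(payload, identifiers):
    """Last-line screen: does the serialized payload contain an identifying string?"""
    text = json.dumps(payload)
    return any(ident in text for ident in identifiers)


def outbound_lookups(bundle, controls):
    """Build every $lookup the app would send; refuse any payload the screen flags."""
    identifiers = patient_identifiers(bundle)
    queries = []
    for system, code in sorted(collect_codes(bundle, controls)):
        query = build_lookup_query(system, code)
        if contains_identifier(query, identifiers):
            raise ValueError("refusing to send a payload containing a patient identifier")
        queries.append(query)
    return queries
```

The primary control is collect_codes, which only ever reads coding.system and coding.code; contains_identifier is a defence-in-depth screen (plain substring matching, so very short identifiers would need a stricter test). While the privacy control is off, collect_codes returns nothing, so the lookup never happens rather than being blocked in transit.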
For how long does this app store user data?
Symptomatic servers do not store Protected Health Information, and the app deletes all imported PHI when the user logs out or closes the app. The user will need to re-import PHI each time they open the app.
Demographic data in the user's profile is stored until the user account is deleted. We currently cap our HIPAA Audit Log retention at 3 months.
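As an added example (not Symptomatic's code), the following Python sketch shows what the Audit Log described under "The two exceptions are" looks like when each entry is a FHIR R4 AuditEvent, together with the 3-month retention cap stated above: the events named on this page (app open, import, export, Privacy Screen toggle) map to a type coding and an action, each entry names the account that acted but carries only the kind and count of records moved rather than the records themselves, and a prune step enforces the cap, read here as 90 days. The event table, the local code for the Privacy Screen, the 90-day figure, the fixed clock and the in-memory store are assumptions.

```python
"""HIPAA-style audit trail built from FHIR R4 AuditEvent resources.
Added example, not the Timelines code base. The event table, the local code
for the Privacy Screen, the 90-day retention window (standing in for
"3 months"), the fixed clock and the in-memory store are assumptions."""
from datetime import datetime, timedelta, timezone

DCM = "http://dicom.nema.org/resources/ontology/DCM"  # code system FHIR uses for audit types
LOCAL = "urn:example:symptomatic-timelines-audit"      # hypothetical app-specific codes
RETENTION = timedelta(days=90)                          # assumed reading of "3 months"

# event name -> (system, code, display, FHIR action: C/R/U/D/E)
EVENTS = {
    "app_open":       (DCM, "110100", "Application Activity", "E"),
    "import":         (DCM, "110107", "Import", "C"),
    "export":         (DCM, "110106", "Export", "R"),
    "privacy_screen": (LOCAL, "privacy-screen-toggled", "Privacy Screen toggled", "E"),
}

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so runs are reproducible


def days(n):
    return timedelta(days=n)


def build_audit_event(event, user_id, now, resource_count=None):
    """One FHIR R4 AuditEvent. It names who acted and what kind of thing moved,
    never the clinical content: an export records that a Bundle of N resources
    left the app, not the Bundle itself."""
    if event not in EVENTS:
        raise ValueError(f"unknown audit event: {event}")
    system, code, display, action = EVENTS[event]
    audit = {
        "resourceType": "AuditEvent",
        "type": {"system": system, "code": code, "display": display},
        "action": action,
        "recorded": now.isoformat(timespec="seconds"),  # FHIR instant, with timezone
        "outcome": "0",                                 # 0 = success
        "agent": [{"who": {"identifier": {"value": user_id}}, "requestor": True}],
        "source": {"observer": {"display": "Symptomatic Timelines"}},
    }
    if resource_count is not None:
        audit["entity"] = [{
            "type": {"system": "http://hl7.org/fhir/resource-types", "code": "Bundle"},
            "detail": [{"type": "resource-count", "valueString": str(resource_count)}],
        }]
    return audit


class AuditLog:
    """Append-only list standing in for the server-side AuditEvent collection."""

    def __init__(self, retention=RETENTION):
        self.retention = retention
        self._events = []

    def record(self, event, user_id, now, resource_count=None):
        audit = build_audit_event(event, user_id, now, resource_count)
        self._events.append(audit)
        return audit

    def prune(self, now):
        """Drop entries older than the retention window; returns how many were dropped."""
        cutoff = now - self.retention
        kept = [e for e in self._events
                if datetime.fromisoformat(e["recorded"]) >= cutoff]
        dropped = len(self._events) - len(kept)
        self._events = kept
        return dropped

    def events_for(self, user_id):
        """Entries recorded for one account (the basis of a user-accessible audit log)."""
        return [e for e in self._events
                if e["agent"][0]["who"]["identifier"]["value"] == user_id]

    def __len__(self):
        return len(self._events)
```

The point of the entity element is that an audit record for an export stays useful (when, by whom, how much) without becoming a second copy of the PHI it describes; prune is what keeps the server-side collection inside the stated retention window.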
Does this app allow users to delete the data that have been stored about them?
Yes, this app allows users to delete their user account and profile.
Is user data retained after a user deletes the app and closes their account?
No.
Other than the user, who has access to user data?
No one; PHI stays on the user's device, and in the user's own iCloud account if they choose to export it.
If the user opts into data sharing in the privacy controls, they may choose to send data points to terminology servers at 3M or LOINC for terminology lookup, to Google for geocoding, or to companies such as EBSCO for evidence-based medicine or medical illustration studios for patient education materials. These companies act as service providers and do not 'have access' to the patient's health records as a whole.
Other than providing direct service to the user, how does the app developer use data about the user?
The app developer doesn't use data about users beyond providing direct services and improving its services in the future.
Does this app allow users to obtain a record of who has accessed data about them?
Not currently applicable.
When we release the Enterprise version that supports Provider Launch Context, we will offer this functionality via user-accessible HIPAA Audit Logs.
How is the collected information utilized?
We are currently not engaging in any sort of clinical data mining, population health surveillance, data lake hydration, or other forms of PHI aggregation.
Does your .io domain mean you outsource work or store data outside of the United States?
No. There was a small fad among startups circa 2015 of picking up .io domain names for services companies: in tech parlance, 'I/O' means input/output, which was taken to connote services. The .io domain is in fact the country-code domain of the British Indian Ocean Territory; our use of it has nothing to do with the Indian Ocean, and we are discontinuing it and migrating to https://symptomatic.healthcare.
All work is done within the United States, and our application servers and any operational user data we collect are hosted and stored on US soil.
Please describe the company offering the app to users/patients?
Symptomatic began as a consulting business by an independent developer, and is now restructuring into a multi-member Illinois LLC (with series), with the intent of eventually registering as a B-Corp.
Do you have a business associate agreement with each covered entity that your app will connect to?
Symptomatic was founded to exercise patient rights under the 21st Century Cures Act. Under the Cures Act, patients have the right to access their health records from any covered entity via API. HIPAA Business Associate Agreements, on the other hand, are an obligation that covered entities must meet when a vendor handles PHI on their behalf. As such, we provide BAA documents when a covered entity wishes to use the Enterprise version of Timelines. The Patient version, however, connects to covered entities via the 21st Century Cures API endpoints, which do not require a BAA.
Are you able and willing to sign a Business Associate Agreement?
Yes. We sign BAAs with any covered entity that wishes to provide Timelines, Switchboard, or other Symptomatic apps to its clinical staff, and in any situation where we implement Provider Launch Context and a clinician will be accessing another person's health records. As part of the BAA, we keep an Audit Log of all clinician access.
How is this app funded?
Timelines was originally produced by volunteers and made available in the open source community. We now fund it through purchases, subscriptions, and donations.
We do not fund this app through advertisements, sale of data, data access to other organizations, debt, or venture capital. We actively avoid funding models that may create financial incentives to abuse access to patient data. Hence our seeking B-Corp status.