Privacy Policy & Terms
Compris, Inc. Terms and Conditions/Privacy Policy
Effective Date November 10, 2018
Compris, Inc. (“us”, “we”, or “our”) operates the ComprisCare.com website, and is the author of the Behavioral Health and Substance Use Disorder (SUD) risk assessment tool on the website (website and tool hereinafter referred to as the “Service”). This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use the Service and the choices you have associated with that data. We use your data to provide and improve the Service. By using the Service, you acknowledge and agree that no Protected Health Information (“PHI”) will be collected or used, in accordance with this policy.
HIPAA and HITECH Security:
Before using the Service, a Disclaimer has been made available to you. By using the Service, you indicate your consent to participate in the healthcare assessment the Service provides. By consenting to do this assessment, you are acknowledging that the Service has not obtained any PHI from you. Although Compris, Inc. is not obtaining any PHI, the Service is a Health Insurance Portability and Accountability Act (“HIPAA”)-compliant website, and is fully encrypted. We will never intentionally make your medical information available to third parties without your express consent. HIPAA and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act provide national minimum standards to protect an individual’s PHI. The U.S. Department of Health and Human Services (“HHS”) manages and enforces these standards. The HIPAA Security Rule requires covered organizations to implement technical safeguards to protect all Electronic Personal Healthcare Information (“ePHI”), making specific reference to encryption, access controls, encryption key management, risk management, and auditing and monitoring of ePHI. The HIPAA Security Rule then goes on to set out numerous examples of HIPAA encryption methods which can be employed and the factors to consider when implementing and ensuring the success of a HIPAA encryption strategy. The HITECH Act then expands the compliance requirement set, requiring the disclosure of data breaches of “unprotected” (unencrypted) personal health records (“PHR”), including those by business associates, vendors and related entities. And finally, the “HIPAA Omnibus Rule” of 2013 formally holds business associates liable for compliance with the HIPAA Security Rule. HIPAA was originally created to streamline healthcare processes and reduce costs by standardizing certain common health care transactions, while protecting the security and privacy of individuals’ PHI. HITECH expanded on the privacy and security requirements of HIPAA.
HIPAA and HITECH focus on PHI, which generally includes any personally identifiable information regarding an individual’s physical or mental health, the provision of health care to him or her, or payment for related services. PHI also includes any personally identifiable demographic information, including, for example, name, address, phone numbers, and Social Security numbers. These standards affect the use and disclosure of PHI by covered entities (such as health care providers engaged in certain electronic transactions, health plans, and health care clearinghouses) and their business associates.
The 4 HIPAA Rules:
1. HIPAA Privacy Rule: HIPAA’s Privacy Rule restricts intentional and unintentional use or disclosure of PHI that is in violation of the requirements of HIPAA.
A. Do not allow impermissible use or disclosure of PHI;
B. Provide breach notification to covered entity;
C. Provide individual or the covered entity access to the PHI;
D. Disclose PHI to the Secretary of the HHS if compelled to do so;
E. Provide an accounting of disclosures;
F. Comply with the requirements of HIPAA Security Rule.
2. HIPAA Security Rule: HIPAA’s Security Rule requires covered entities to put in place detailed administrative, physical, and technical safeguards to protect electronic PHI.
3. HIPAA Enforcement Rule: It spells out penalties and procedures for hearings.
4. HIPAA Breach Notification Rule: It requires healthcare providers to notify patients in the case of a breach of unsecured ePHI & PHI. The Service is delivered via servers hosted in data centers that are HIPAA compliant.
Security Policy:
Our internal Security Policy mandates all of the following:
- Physical Safeguards – Only authorized Compris, Inc. employees and contractors can access the servers.
- Administrative Safeguards – Access to the data within the application is controlled by the covered entity, while access to the server is controlled by the Compris, Inc. team. Compris, Inc. provides role-based access control to restrict access to certain users.
- Technical Safeguards – Compris, Inc. maintains an active monitoring system to find and fix any vulnerabilities in the Operating System, Web Server, and Database.
Compris, Inc. has employed SSL, database encryption, and data obfuscation where possible, and will capture as little data as necessary in an attempt to safeguard the data and privacy of its participants. Compris, Inc. cannot guarantee the safety of Compris, Inc.’s assessment participants’ data from those who attempt to steal, intercept, or misuse it; however, since no PHI is being requested, data is not connected to any one particular identity. If a breach has occurred at the service level, Compris, Inc. will alert you.
Breach Notification:
If a breach has occurred at the service level, since no PHI is being requested, there will be no identifying information obtainable.
Information Collection and Use:
We do not collect PHI & ePHI as described above and below.
Personal Data: Protected health information, PHI & ePHI may include, but is not limited to:
- Email address
- First name and last name
- Phone number
- Address, State, Province, ZIP/Postal code, City
- Date of Birth
- Cookies and Usage Data
Usage Data: ComprisCare.com may collect information on how the Service is accessed and used (“Usage Data”). This Usage Data may include the pages of the Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data. However, at no time will your unique device identifiers be captured or matched up with specific data obtained from taking the assessment.
Tracking & Cookies Data: We use cookies and similar tracking technologies to track the activity on the Service and hold certain information. Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Tracking technologies also used are beacons, tags, and scripts to collect and track information and to improve and analyze the Service. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of the Service.
Use of Data: Compris, Inc. uses the collected data for various purposes to:
- Provide and maintain the Service
- Allow you to participate in interactive features of the Service when you choose
- Provide customer care and support
- Provide analysis or valuable information so that we can improve the Service
- Monitor the usage of the Service
- Detect, prevent and address technical issues
Transfer of Data: Compris, Inc.’s information and data may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those within your jurisdiction. If you are located outside the United States and choose to provide information to us, please note that we transfer the data to the United States and process it there. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer. Compris, Inc. will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.
Disclosure of Data: Compris, Inc. may disclose unidentifiable, impersonal data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of Compris, Inc.
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users of the Service or the public
- Protect against legal liability
Security of Data: The security of data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect our data, we cannot guarantee its absolute security.
Service Providers: We may employ third party companies and individuals to facilitate the Service (“Service Providers”), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how the Service is used. These third parties do not have access to any PHI & ePHI.
Analytics: We may use third-party Service Providers to monitor and analyze the use of the Service, including Google Analytics. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of the Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visits activity. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en
Links to Other Sites: The Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
Children’s Privacy: The Service does not address anyone under the age of 18 (“Children”). We do not knowingly collect personally identifiable information from anyone at any age. If you are a parent or guardian and you are aware that your Children have taken the assessment, please contact us. If we become aware that we have collected data from Children without verification of parental consent, we take steps to remove that information from our servers.
Changes to This Privacy Policy: We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. We will let you know via website updates and/or a prominent notice on the Service, prior to the change becoming effective and update the “effective date” at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.