Welcome to HealthTree®, tools (Cure Hub, Connect, Coach, University, Events, Chapters, Podcasts and Moves) created by the HealthTree Foundation ("Company", "We", "Us"). HealthTree is a data platform for cancer patients, researchers and clinical practitioners to help advance cures.
The purpose of this Policy is to explain how we collect and use information about you through the Platform, including personally identifiable information that you provide to us, such as your name, demographics, age, email address, phone number, birthdate, fitness level, and information about your medical history, health conditions, and prior treatments (“Personal Information”). We want you to know how your Personal Information will be protected, under what circumstances we may share it with third parties, and for what purposes.
This Policy describes the types of information we may collect from you (paper records, electronic records, e-mail, text, chat and other electronic messages) or that you may provide when you visit https://www.healthtree.org/ (the "Platform") and our practices for collecting, using, maintaining, protecting and disclosing that information.
The Policy does not apply to information collected by us offline or through any other means, including on any other website operated by Company or any third party, including through any application or content (including advertising) that may link to or be accessible from the Platform.
Why We Collect Your Personal Information
HealthTree provides information about potential treatment options and clinical trials. This requires the collection of Personal Information in order to process and display personalized treatment possibilities or clinical trials and other information tailored to your needs, such as collective reports (e.g., time to progression based on treatment, fitness level impact on overall outcomes, etc.).
We Care About Your Privacy
Sharing information benefits other cancer patients and the research communities, but we want you to understand exactly what you are sharing and how your information is protected.
The information you share about yourself, your condition, and your treatments becomes part of a database that is normalized and anonymous. This database is used for research purposes.
You will be asked to choose a username and profile picture that appears throughout the platform. We recommend choosing a username and profile picture that is non-identifying if you don't want people to know who you are.
You can delete your account and information at any time. To do so, please contact us at firstname.lastname@example.org or call us at 1-800-709-1113.
Why Should You Share Your Data
Curing cancer is a group effort; no one individual is going to find a cure alone. There is power in numbers, and when we combine our medical information the power becomes unmeasurable. Our lives become one big story that has the context researchers are looking for.
At HealthTree we believe the answers to a cure are out there but we can't get to them. Sharing your data allows researchers to see you as a whole person rather than just a certain part of you at a certain time. Building a robust flow of data that represents you provides the potential to find the answers that move us to a cure faster.
Many of the recently approved treatments started in development 17 years ago. That is way too long for life-saving drugs and we believe sharing our data can cut that time in half if not more.
Consent to Collect Your Personal Information
You must register to use HealthTree and create a profile that may include your Personal Information. We collect information about you relating to your care and treatment directly from you as well as from third parties. For example, we will ask you to connect your facility's portal (electronic medical records) to the platform. By doing so, your information will update automatically on the platform. If your facility does not have a portal, we will request your consent to collect your paper medical information from your facility. Both are optional.
We also offer you the option of revoking your consent ("opting out" or "unsubscribing") if you later decide that you no longer want to use the Platform or receive additional information from us. If we wish to use this information for purposes incompatible with the purposes for which the data was initially collected, we will offer an effective way to opt-out of the secondary use.
You may be invited to participate in surveys facilitated by the Company, third parties or researchers. Your responses will be received and stored on HealthTree servers. We may collect and publish profile information and postings (Twin Machine or Connect) on the Platform to permit users to share information with each other and with other partners. We may also collect the information you share with our support team.
Collection of Anonymous Computer Information
Importing Data By Third-Party Services and Personal Devices
You may choose to sync your Platform account from your other accounts held by third parties, such as healthcare providers' Electronic Health Records (EHR), EPIC on FHIR, 1UP, The VA, Apple Health, wearable technology fitness monitors such as Fitbit or Apple Watch, genetic testing companies, bio-banks, etc.
Third parties can control or give you the option of how long your medical record connection remains in place. It can be until you disconnect the connection or it can allow you to select anywhere from 1 hour to a year. If the connection stops you will get a message from HealthTree letting you know the connection is no longer in place and you will need to reconnect to continue syncing your records to the Platform.
By connecting your Platform account, you authorize the Platform to access your third-party account information maintained by identified third parties, on your behalf as your agent, and you expressly authorize such third parties to disclose your information to us.
The Platform always gives you the option to remove or delete your medical information connection with HealthTree. The Epic EHR system gives users the option of how long they want their records to sync with HealthTree. For those connections, upon disconnection, we will ask if you want HealthTree to re-sync your account for you. If you select yes, you will be asked to provide your username and password to HealthTree.
Please note that HealthTree may log in to your third-party accounts from time to time to connect and update your Platform Account with information from your third-party accounts. More specifically, HealthTree will only log in to your third-party accounts to establish, maintain, or debug a secure connection and update or validate medical information in the Platform. Again, we will not share or disclose your Health Information or any other information associated with your third-party accounts to any other party unless you expressly direct us to do so.
How We Use Your Information
We may use and disclose your Personal Information for the following purposes:
We may use and disclose information you have entered to communicate with you by email or phone for account management purposes, notifications and reminders, systems maintenance and other purposes.
We analyze the information we collect to improve patient care. We may share de-identified data to perform research and produce reports for you as a patient and for the research community.
Your data may be shared to comply with legal obligations, law enforcement requests, legal directives such as a court order or subpoena, or to protect your, our or others’ rights, property, or safety.
When you participate in surveys that we or our partners facilitate, your de-identified information may be shared with your survey responses. Participation in such surveys is optional.
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, your Personal Information may be disclosed in connection with the negotiation of such transaction, and/or sold or transferred as part of such a transaction as permitted by law and/or contract. You will be notified by email twice prior to any ownership or transition of service changes. Upon your request, your entire HealthTree profile which includes your account information and all of your data will be permanently deleted.
We do not contract with insurance companies or provide insurance companies access to your Personal Information. However, we cannot guarantee that insurance companies will not be able to access the de-identified information publicly available on HealthTree’s website.
We will not disclose your Personal Information to the general public. We do not host advertising on our site and will not sell your Personal Information for third-party marketing purposes.
Access to Information
You may access and update the information you post to HealthTree using your user profile dashboard. You may remove any information you have added to your HealthTree user profile at any time.
When you correct or amend information through HealthTree, such action may not affect the information that other users have already obtained through the Platform. For example, if a researcher began using your de-identified information for a research project prior to when you changed such information, the researcher may continue to use the information previously obtained.
We maintain all accounts as active accounts regardless of use or how frequently accessed. We do not delete accounts due to a lack of use over a certain period of time.
How We Protect Your Information
You agree that the information you provide to us through the Platform is accurate and that you will keep it up-to-date. When you register for a user profile on the Platform, you will be asked to provide a password. You are solely responsible for maintaining the confidentiality of your user profile and password, and you accept responsibility for all activities that occur under your user profile.
If you believe that your account is no longer secure, you must immediately notify us at email@example.com.
The account in question will be immediately deactivated while we investigate the suspected issue. Any issues discovered will be addressed to prevent further security issues. The account holder and any other accounts affected by the issue will be notified of any actions required on their part.
Company is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and therefore is not required by law to comply with HIPAA’s requirements for handling protected health information. Company has a security program in place that seeks to mitigate risk and to use reasonable and appropriate procedures and technologies to help protect the confidentiality of Personal Information collected through the Platform. We periodically review and modify our security policies and procedures, as appropriate.
Please note that despite our precautions, no website can be absolutely protected against intentional or malicious intrusion. Furthermore, Company does not control the devices, computers, or network over which you may choose to send Personal Information to the Platform, and therefore cannot prevent potential interceptions or compromises to your information while in transit to the Platform. Company has implemented measures designed to safeguard your Personal Information but cannot make any guarantees as to the security, integrity, or confidentiality of electronic communications made over the Internet or any information transmitted to or from or maintained on the Platform.
Patients who join the HealthTree Cure Hub are willing to share their data. Our security model is built on top of Google’s best-in-class network that offers secure by default encryption mechanisms.
The following security best practices are in place:
Encryption in transit
All communications from our web and mobile clients to our Google server environment are encrypted in transit using TLS. This ensures that the patient’s data is safe no matter which network they access the platform from, removing the need to trust the lower layers of the network, which are commonly provided by third parties.
Encryption at rest
All of the data on both Firestore and Google HealthCare APIs is encrypted at rest using AES256. This provides an extra level of security for our patients in case of any unauthorized physical access to the storage.
The platform uses a role system to give granular access to administrative users. The platform supports Super Admins, Patient Experience Members, Coaches, Caregivers, and Patients.
The role system can be extended to support more roles.
All of the operations to Firestore and Google HealthCare APIs are traceable, meaning that every time any of the different users read, edit, or delete any data, the system logs an event containing the difference between the old and new data and the following metadata: User, Role, Timestamp, Operation Type. This mechanism allows a granular audit trail of any authorized or unauthorized access to the data.
Two Factor Authentication - 2FA
All users with administrative access to the admin panel platform are forced to implement a mechanism for two-factor authentication. This provides an extra security layer in case credentials are compromised or a device is stolen.
What Happens If There Is A Data Breach
If there has been a breach of your data (your information is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so) HealthTree will reach out to you via email and a written letter mailed to the address on file informing you of the breach and what to do next.
What will HealthTree do?
Investigate the breach ASAP to understand what was taken, who it was taken from, and how it was taken.
Inform you of:
The type of breach
What information was affected
What you need to do to mitigate losses, such as changing your password
What HealthTree will do to mitigate and correct the breach
How HealthTree will prevent the same issue from occurring again
If you believe that your account is no longer secure, you must immediately notify us at firstname.lastname@example.org.
Applicable to California Residents
California Civil Code Section § 1798.83 permits users of the Platform that are California residents to request certain information regarding the disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please contact us at email@example.com.
If you reside in California, you have the right to ask one (1) time each year if we have shared your Personal Information with third parties for their direct marketing purposes. Keep in mind, at the present time we do not share any information for marketing purposes. If you would like to make a request, send an email to firstname.lastname@example.org indicating that you are a California resident making a “Shine the Light” request.
Company operates solely in the United States, and the Platform is intended to be used by persons residing in the United States. If you choose to use our Services from the European Economic Area, the United Kingdom, or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note by accessing and using the Platform you consent to the transfer of your Personally Identifiable Information to the United States and the processing of your information in the United States. By providing any information, including personal information, on or to the Platform, you consent to such transfer, storage, and processing and acknowledge that US law may not offer the same privacy protections as the law of your jurisdiction.
If you are a resident of the European Economic Area (EEA), you have certain data protection rights. If you wish to be informed what Personal Information we hold about you and if you want it to be removed from our systems, please contact us at email@example.com.
In certain circumstances, you may have the following data protection rights:
The right to access, update or to delete the information we have about you.
The right of rectification.
The right to object.
The right of restriction.
The right to data portability.
The right to withdraw consent.
Platform Not Intended For Use By Children Under 13 Years of Age
We do not knowingly collect Personal Information from children under 13 years of age. If you are under 13, do not use or provide any information on or through the Platform or any of its features, or provide any information about yourself to us, including your name, address, telephone number, e-mail address or any screen name or user name you may use. If we learn that we have collected or received Personal Information from a child under 13 without verification of parental consent, we will delete such information. If you believe we may have any information from or about a child under 13, please contact us at firstname.lastname@example.org.
If you have any questions, comments or concerns you may contact us at email@example.com, call us at 1-800-709-1113 or you can write to:
2600 Executive Parkway
Lehi, Utah 84043