Privacy Policy
Introduction
Welcome to HealthTree®, tools (Cure Hub, Connect, Coach, University, Events, Chapters, Podcasts and Moves) created by the HealthTree Foundation ("Company", "We", "Us"). HealthTree is a data platform for cancer patients, researchers and clinical practitioners to help advance cures.
Please read this Policy carefully to understand our practices regarding your information. By accessing or using the Platform, you agree to this Privacy Policy. If you do not want to agree to this Privacy Policy, you must not access or use the Platform.
We may revise this Privacy Policy from time to time. Upon any material changes, you will be notified upon entering the platform that this policy has been updated with a link to the policy. Clicking ok on this message is your agreement to what is contained within this privacy policy.
Purpose of This Privacy Policy
The purpose of this Policy is to explain how we collect and use information about you through the Platform, including personally identifiable information that you provide to us, such as your name, demographics, age, email address, phone number, birthdate, fitness level, and information about your medical history, health conditions, and prior treatments (“Personal Information”). We want you to know how your Personal Information will be protected, under what circumstances we may share it with third parties, and for what purposes.
This Policy describes the types of information we may collect from you (paper records, electronic records, e-mail, text, chat and other electronic messages) or that you may provide when you visit https://www.healthtree.org/ (the "Platform") and our practices for collecting, using, maintaining, protecting and disclosing that information.
The Policy does not apply to information collected by us offline or through any other means, including on any other website operated by Company or any third party, including through any application or content (including advertising) that may link to or be accessible from the Platform.
Why We Collect Your Personal Information
HealthTree provides information about potential treatment options and clinical trials. This requires the collection of Personal Information in order to process and display personalized treatment possibilities or clinical trials and other information tailored to your needs, such as collective reports (e.g., time to progression based on treatment, fitness level impact on overall outcomes, etc.).
We Care About Your Privacy
Sharing information benefits other cancer patients and the research communities, but we want you to understand exactly what you are sharing and how your information is protected.
-
The information you share about yourself, your condition, and your treatments becomes part of a database that is normalized and anonymous. This database is used for research purposes.
-
You will be asked to choose a username and profile picture that appears throughout the platform. We recommend choosing a username and profile picture that is non-identifying if you don't want people to know who you are.
-
At any time, you may revoke your consent to this Policy and our Terms of Use and stop using the Platform. You can deactivate your account anytime by going to your account profile. Your account will become inactive immediately upon deletion. Many people accidentally delete their accounts, if you decide to reactivate your account, you have seven days to request reactivation without losing any information previously entered by emailing support@healthtree.org, or calling us at 1-800-709-1113. Your account, including any data in your profile, will be permanently deleted exactly seven days after it becomes inactive.
-
We maintain all accounts as active accounts regardless of use or how frequently accessed. We do not delete accounts due to a lack of use over a certain period of time.
Why Should You Share Your Data
Curing cancer is a group effort, there is power in numbers and when we combine our medical information together the power becomes unmeasurable. Our lives become one big story that has the context researchers are looking for.
At HealthTree, we believe the answers to a cure are out there but we can't get to it. Sharing your data allows researchers to see you as a whole person rather than just a certain part of you at a certain time. Building a robust flow of data that represents you provides the potential to find the answers that move us to a cure faster.
Many of the recently approved treatments started in development 17 years ago. That is way too long for life-saving drugs, and we believe sharing our data can cut that time in half, if not more.
Consent to Collect Your Personal Information
You must register to use HealthTree and create a profile that may include your Personal Information. We collect information about you relating to your care and treatment directly from you and third parties. There are three ways to share your information with HealthTree.
-
Connect your facilities portal (electronic medical records) to the platform. By doing so your information will update automatically on the platform.
-
Share your username and password to your facility portal if an electronic connection does not exist between your facility and HealthTree. HealthTree's medical team will complete your HealthTree Cure Hub profile using your credentials.
-
Request consent to collect your paper medical information from your facility if they do not have a portal.
We also offer you the option of revoking your consent ("opting out" or "unsubscribing") if you later decide that you no longer want to use the Platform or receive additional information from us. If we wish to use this information for purposes incompatible with the purposes for which the data was initially collected, we will offer an effective way to opt out of the secondary use.
You may be invited to participate in surveys facilitated by the Company, third parties or researchers. Your responses will be received and stored on HealthTree servers. We may collect and publish profile information and postings (Twin Machine or Connect) on the Platform to permit users to share information with each other and with other partners. We may also use HealthTree Connect posts in email communications to encourage answers, help inform other users, and encourage involvement in our communities. We may also collect the information you share with our support team.
Importing Data By Third-Party Services and Personal Devices
You may choose to sync your Platform account from your other accounts held by third parties, such as healthcare providers Electronic Health Record (EHR), EPIC, 1UP, The VA, Apple Health or wearable technology fitness monitors such as Fitbit or Apple Watch and genetic testing companies, bio-banks, etc.)
Third parties can control or give you the option of how long your medical record connection remains in place. It can be until you disconnect the connection or it can allow you to select anywhere from 1 hour to a year. If the connection stops, you will get a message from HealthTree letting you know the connection is no longer in place and you will need to reconnect to continue syncing your records to the Platform.
By connecting your Platform account, you authorize the Platform to access your third-party account information maintained by identified third parties on your behalf as your agent, and you expressly authorize such third parties to disclose your information to us.
The Platform always allows you to remove or delete your medical information connection with HealthTree. Epic EHR system gives users the option of how long they want their records to sync with HealthTree. For those connections, upon disconnection, you can reconnect yourself or ask HealthTree to re-sync your account for you. If you ask HealthTree to re-sync your account, you will be asked to provide your username and password to HealthTree.
Please note that HealthTree may log in to your third-party accounts occasionally to connect and update your Platform Account with information from your third-party accounts. More specifically, HealthTree will only log in to your third-party accounts to establish, maintain, or debug a secure connection and update or validate medical information in the Platform. Again, we will not share or disclose your Health Information or any other information associated with your third-party accounts to any other party unless you expressly direct us to do so.
Collection of Anonymous Computer Information
We collect non-personal information such as website usage, traffic patterns, site performance, and related statistics regarding your visits to the Platform using “cookies,” which are small files placed on the hard drive of your computer through your web browser. Cookies are not associated with your personal identity. We use cookies to track users’ paths through the Platform during a visit to help us understand how people use the Platform and to recognize a repeat visitor to the Platform, enabling us to offer the user a set of services or information requested in a previous visit. You may refuse to accept browser cookies by activating the appropriate settings on your browser. However, if you select this setting, you may be unable to access certain parts of the Platform. Unless you have adjusted your browser setting to refuse cookies, our system will issue cookies when you direct your browser to the Platform.
How We Use Your Information
We may use and disclose your Personal Information for the following purposes:
-
We may use and disclose information you have entered to communicate with you by email or phone for account management purposes, notifications and reminders, systems maintenance and other purposes.
-
We analyze the information we collect to improve patient care. We may share de-identified data to perform research and produce reports for you as a patient and for the research community.
-
Your de-identified data may be shared with other users or with service providers such as hosting and data analytics companies or third-party vendors. If your data is ever shared with any third parties, they will be bound to the terms outlined in this privacy policy.
-
Your data may be shared to comply with legal obligations, law enforcement requests, legal directives such as a court order or subpoena, or to protect your, our or others’ rights, property, or safety.
-
When you participate in surveys that we or our partners facilitate, your de-identified information may be shared with your survey responses. Participation in such surveys is optional.
-
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, your Personal Information may be disclosed in connection with the negotiation of such transaction, and/or sold or transferred as part of such a transaction as permitted by law and/or contract. You will be notified by email twice before any ownership or transition of service changes. Upon your request, your entire HealthTree profile, which includes your account information and all of your data, will be permanently deleted.
We do not contract with insurance companies or provide insurance companies access to your Personal Information. However, we cannot guarantee that insurance companies will not be able to access the de-identified information publicly available on HealthTree’s website.
We will not disclose your Personal Information to the general public. We will not sell your Personal Information for third-party marketing purposes.
Medical Record Research Retention
HealthTree is required to keep the medical records of participants in our research studies. If we later, learn something about the safety profile of an intervention, we are ethically and legally required to reach out to the research participants. HealthTree's policy is to keep such research-related records on file for six years.
Reference the following federal agencies policies below:
-
The Department of Health and Human Services regulations require that records be kept for three years ((45 CFR 46.115(b) and 21 CFR 56.115(b)).
-
For research subject to the Health Insurance Portability and Accountability Act (HIPAA), records must be kept for six years after completion (45 CFR 164.530(j)). This includes records of IRB determinations of waivers of authorization, and records of disclosure not listed in the consent and authorization document (e.g. secondary analysis of data studies conducted under a waiver).
-
For federal agencies, the length of record retention can be determined by the grant period. Depending on the agencies, records must be kept for up to seven years from the expiration of the grant.
-
For studies regulated by the Food and Drug Administration, records must be kept for two years after the last marketing approval (21 CFR 312.62).
How We Protect Your Information
You agree that the information you provide to us through the Platform is accurate and that you will keep it up-to-date. When you register for a user profile on the Platform, you will be asked to provide a password. You are solely responsible for maintaining the confidentiality of your user profile and password, and you accept responsibility for all activities that occur under your user profile.
If you believe that your account is no longer secure, you must immediately notify us at support@healthtree.org, or calling 1-800-709-1113.
The account in question will be immediately deactivated while we investigate the suspected issue. Any issues discovered will be addressed to prevent further security issues. The account holder and any other accounts affected by the issue will be notified of any actions required on their part.
Company is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and therefore is not required by law to comply with HIPAA’s requirements for handling protected health information. Company has a security program in place that seeks to mitigate risk and to use reasonable and appropriate procedures and technologies to help protect the confidentiality of Personal Information collected through the Platform. We periodically review and modify our security policies and procedures, as appropriate.
Please note that despite our precautions, no website can be absolutely protected against intentional or malicious intrusion. Furthermore, the Company does not control the devices, computers, or network over which you may choose to send Personal Information to the Platform, and therefore cannot prevent potential interceptions or compromises to your information while in transit to the Platform. The Company has implemented measures designed to safeguard your Personal Information but cannot make any guarantees as to the security, integrity, or confidentiality of electronic communications made over the Internet or any information transmitted to or from or maintained on the Platform.
Security Program
Patients who join the HealthTree Cure Hub are willing to share their data. Our security model is built on top of Google’s best-in-class network that offers secure by default encryption mechanisms.
The following security best practices are in place:
Encryption at transit
-
All of the communications from our web and mobile client to our google servers environment is encrypted at transit using TLS. This ensures that the patient’s data is safe no matter the network they are accessing the platform from. Removing the need to trust the lower layers of the network which are commonly provided by third parties.
Encryption at rest
-
All of the data on both Firestore and Google HealthCare APIs is encrypted at rest using AES256. This provides an extra level of security for our patients in case of any unauthorized physical access to the storage.
Role-based access
-
The platform uses a role system to give granular access to administrative users. The platform supports Super Admins, Patient Experience Members, Coaches, Caregivers, and Patients.
-
The role system can be extended to support more roles.
Traceability
-
All of the operations to Firestore and Google HealthCare APIs are traceable, meaning that every time any of the different users read, edit, or delete any data, the system logs an event containing the difference between the old and new data and the following metadata: User, Role, Timestamp, Operation Type. This mechanism allows a granular audit trail of any authorized or unauthorized access to the data.
Two Factor Authentication - 2FA
-
All users with administrative access to the admin panel platform are forced to implement a mechanism for two-factor authentication. This provides an extra security layer in case credentials are compromised or a device is stolen.
What Happens If There Is A Data Breach
If there has been a breach of your data (your information is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so) HealthTree will reach out to you via email and a written letter mailed to the address on file informing you of the breach and what to do next.
What will HealthTree do?
-
Investigate the breach ASAP to understand what was taken, who it was taken from, and how it was taken.
-
Informing you of:
-
The type of breach
-
What information was affected
-
What you need to do to mitigate losses such as change your password
-
What HealthTree will do to mitigate and correct the breach
-
How HealthTree will prevent the same issue from occurring again
-
If you believe that your account is no longer secure, you must immediately notify us at support@healthtree.org, or calling 1-800-709-1113.
Applicable to California Residents
California Civil Code Section § 1798.83 permits users of the Platform that are California residents to request certain information regarding the disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please contact us at support@healthtree.org, or calling 1-800-709-1113.
If you reside in California, you have the right to ask one (1) time each year if we have shared your Personal Information with third parties for their direct marketing purposes. Keep in mind, at the present time we do not share any information for marketing purposes. If you would like to make a request, send an email to support@healthtree.org, or calling 1-800-709-1113 indicating that you are a California resident making a “Shine the Light” request.
International Users
Company operates solely in the United States, and the Platform is intended to be used by persons residing in the United States. If you choose to use our Services from the European Economic Area, the United Kingdom, or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note by accessing and using the Platform you consent to the transfer of your Personally Identifiable Information to the United States and the processing of your information in the United States. By providing any information, including personal information, on or to the Platform, you consent to such transfer, storage, and processing and acknowledge that US law may not offer the same privacy protections as the law of your jurisdiction.
If you are a resident of the European Economic Area (EEA), you have certain data protection rights. If you wish to be informed what Personal Information we hold about you and if you want it to be removed from our systems, please contact us at support@healthtree.org, or calling 1-800-709-1113.
In certain circumstances, you may have the following data protection rights:
-
The right to access, update or to delete the information we have about you.
-
The right of rectification.
-
The right to object.
-
The right of restriction.
-
The right to data portability.
-
The right to withdraw consent.
Platform Not Intended For Use By Children Under 13 Years of Age
We do not knowingly collect Personal Information from children under 13 years of age. If you are under 13, do not use or provide any information on or through the Platform or any of its features, or provide any information about yourself to us, including your name, address, telephone number, e-mail address or any screen name or user name you may use. If we learn that we have collected or received Personal Information from a child under 13 without verification of parental consent, we will delete such information. If you believe we may have any information from or about a child under 13, please contact us at support@healthtree.org, or calling 1-800-709-1113.
Updates to Privacy Policy
We may revise this Privacy Policy from time to time. Upon any material changes, you will be notified upon entering the platform that this policy has been updated with a link to the policy. Clicking ok on this message is your agreement to what is contained within this privacy policy.
You can determine when this privacy policy was last updated by checking the effective date in the section. We encourage you to review our Privacy Policy periodically to stay up-to-date about our privacy practices. As long as you use the Platform, you are agreeing to this Privacy Policy and any updates made to it. If you have questions regarding this Privacy Policy, please contact us at support@healthtree.org, or calling 1-800-709-1113.
Contact Us
If you have any questions, comments or concerns you may contact us at support@healthtree.org, call us at 1-800-709-1113 or you can write to:
HealthTree Foundation
10897 S River Front Parkway
Suite #400
South Jordan, Utah 84095
This Privacy Policy was last updated on April 17, 2024.
© Copyright HealthTree Foundation 2024