Developer Security Policy

  1. PURPOSE
    The purpose of this Developer Security Policy (“Policy”) is to provide a common set of security requirements for all Developers who use the Developer Services to access and build Applications upon the DataQ Platform. Both you and DataQ each acknowledge that protecting the security and integrity of the Developer Services, the DataQ Platform, and your Application and information systems requires coordination of certain security-related obligations between DataQ and its Developers. Accordingly, you also acknowledge that we have a responsibility to require you and other Developers to meet certain minimum standards for information security for the good of all Users of the DataQ Platform.
    This Policy applies to all Developers and is incorporated into the Developer Terms of Service (“Developer Terms”).  This Policy may be updated or amended from time to time in accordance with provisions of the Developer Terms.
  2. POLICY
    1. Definitions
      1. General. Capitalized terms used but not defined in this Policy or the Developer Terms will have the meanings set forth in HIPAA or other Applicable Law.
      2. Extension of HIPAA Definitions. To make requirements for protection of Patient Data consistent, where this Policy incorporates definitions from HIPAA, this Policy has the same definition as the similar definition from HIPAA except that the term PHI or Protected Health Information is replaced by the broader term for Patient Data as defined in the Developer Terms.
      3. Policy Definitions. The following definitions will apply for purposes of this policy.
        “Access Attempts” means unauthorized probes, scans, “pings”, and other activities which may or may not indicate threats, whose sources may be difficult or impossible to identify, whose motives are generally unknown, and which do not result in access to the Developer Services, your Application or information systems, or to any Unsecured Patient Data.
        “Breach” means a Breach of Unsecured Patient Data as defined in 45 CFR 164.402 as well as any Unauthorized Use or Disclosure of Patient Data or related information to the extent that Applicable Law requires such Unauthorized Use or Disclosure to be reported to a state agency or disclosed to the individuals who are the subject of such information.
        “Security Incident” has the definition set forth in 45 CFR 164.304 with respect to the Developer Services and your information systems, but for purposes of this Policy does not include an Access Attempt.
        “Unauthorized Use or Disclosure” means any access, use or disclosure of Patient Data that is not permitted by the Developer Terms, the BAA, this Policy or Applicable Law.
    2. Security of the Developer Services
      1. DataQ BAA. At a minimum, we will comply with the information security obligations which are applicable under the DataQ BAA with regard to protection of PHI, including applicable provisions of the HIPAA Security Rule. Developer BAA
      2. Additional Safeguards. We may implement or require information security safeguards which we deem appropriate, including safeguards that include requirements or conditions for you to use the Developer Services and access the DataQ Platform and DataQ Network (“Additional Safeguards”). These Additional Safeguards will not be less stringent than Applicable Law (including HIPAA) but may create obligations or responsibilities on you beyond minimum requirements of Applicable Law where we believe necessary to protect the Developer Services and the DataQ Platform and create a safe environment for all Participants in the DataQ Network.
      3. Your Remedies. If you reasonably determine that we have materially failed to comply with our obligations in this Section, and that such failures create a material vulnerability affecting your information systems, you will promptly notify us of your determination and you may suspend or limit access or connectivity between the Developer Services and your information systems. Any such failures by us will be a curable breach under Section 9 of the Developer Terms. Upon receipt of any notice by you under this Section, we will use our best efforts to come into compliance with our obligations under this Section within the applicable cure period.
    3. Developer Security Responsibilities
      1. Minimum Security Requirements. You will comply at all times with the following requirements, which are based upon and consistent with the standards required by the HIPAA Security Rule, in building and managing your Application and information systems and in administering access to your Application or the Developer Services by Your Users. You specifically agree that you will comply with the following practices:
        1. User. You will maintain and follow policies and procedures for determining reasonable and appropriate access privileges of Your Users.
        2. User. You will ensure each of Your Users has a unique login identity for accessing the Developer Services and DataQ Platform and maintain policies disallowing the sharing of these identities.
        3. User. You will maintain and follow DataQ’s policies and procedures for authorizing, suspending, and terminating the authorization of Your Users to access the Developer Services and DataQ Platform or otherwise access, use, or disclose information through the Developer Services and DataQ Network.
        4. User Access Limitations; Minimum. You will maintain and follow DataQ’s policies and procedures requiring Your Users to limit their access to and use of the Developer Services, DataQ Platform, or your Application, as applicable, and any information available through the Developer Services and DataQ Network in accordance with the HIPAA Minimum Necessary Standard, to the extent applicable, and any other Applicable Law.
        5. Acceptable Use. You will maintain and enforce appropriate acceptable use policies which are substantially consistent with DataQ’s Acceptable Use Policy in connection with your use of and access to the Developer Services, the DataQ Platform, the DataQ Network, your Application, information systems, workstations, and devices whereby Your Users access the Developer Services or the DataQ Platform or any information from the Developer Services.
        6. Access. You will maintain appropriate administrative, physical and technical access control safeguards in accordance with the HIPAA Security Rule.
        7. Workstation. You will ensure that the devices used by Your Users to access the Developer Services or the DataQ Platform enforce a screen lock after a period of inactivity of a maximum of 15 minutes.
        8. Workstation and Device. You will maintain and follow DataQ’s policies and procedures for the authorization, secure operation, and disposal of all of the devices which you permit Your Users to use in order to access the Developer Services or the DataQ Platform (each, an “Authorized Device”). We may, in our discretion, limit or prohibit the use of certain devices as Authorized Devices upon notice to you.
        9. User. You will conduct, and you will require all of Your Users to undergo, privacy and security training in accordance with the requirements of all Applicable Law, the DataQ BAA, and DataQ Policies.
        10. Sanctions for You will apply sanctions and disciplinary procedures for Your Users or any other person subject to your authority for accessing or using the Developer Services, the DataQ Platform or the DataQ Network in violation of Applicable Law, the Developer Terms, the DataQ BAA, or DataQ Policies.
        11. Audit Trails. You will maintain audit logs for your transmission of all Patient Data to or from the Developer Services.
        12. Software. You will maintain and enforce policies and procedures related to patch management and change management for hardware and software included in your Application and your information systems which access, or which may be used to access, the Developer Services or the DataQ Platform or any information from the Developer Services.
        13. Malware. You will maintain up-to-date anti-virus and anti-malware software on all applicable components of your Application and information systems with access, or which may be used to access, the Developer Services or the DataQ Platform or any information from the Developer Services.
        14. Additional Safeguards. You will employ such Additional Safeguards that we may identify and require as described in Section B(2)(b) of this policy.
      2. DataQ Remedies. If we determine that you have failed to comply with this Policy, we may suspend or limit your access to or use of the Developer Services in accordance with Section A(9)(d) of the Developer Terms. Upon receipt of a notice by us of any suspension, you will use your best efforts to come into compliance within the applicable cure period.
    4. Mutual Responsibilities for Security Incidents and Breaches
      1. Monitoring
        1. Our. We will monitor all activity, or ensure that activity is monitored, in (i) the Developer Services and DataQ Platform, and (ii) any information system or facilities that we use to host, operate or manage the Developer Services or DataQ Platform.
        2. Your. You will monitor all activity, or ensure that activity is monitored, in (i) your Application or information systems, (ii) Authorized Devices, and (iii) facilities where you may access the Developer Services or DataQ Platform or any information from the Developer Services.
      2. Investigations
        1. DataQ. We will investigate any Unauthorized Use or Disclosure of your Patient Data and any Security Incident which may affect or have affected the Developer Services or any of your Patient Data promptly upon receiving notice from you or otherwise becoming aware of such an event. We will document the results of each such investigation.
        2. Your. You will investigate any Unauthorized Use or Disclosure of your Patient Data received from the Developer Services and any Security Incident which may affect or have affected the Developer Services or DataQ Platform or any Patient Data received from the Developer Services promptly upon receiving notice from us or otherwise becoming aware of such an event. You will document the results of each such investigation.
        3. Breach. If we determine that an Unauthorized Disclosure of PHI constitutes a Breach, we will promptly notify you of this determination, provided that you will be responsible for making your own determination regarding whether the event constitutes a Breach upon receipt of the information we provide to you.
        4. Each party will reasonably cooperate with the other party in their performance of investigations and determinations under this Policy, and in identifying and implementing measures to mitigate the harmful effects of any event and to prevent events of the same or similar type to the extent practicable.
      3. Reporting & Notifications
        1. Notice of Ongoing Access. DataQ will not provide you notice of ongoing Access Attempts. You and DataQ acknowledge and agree that Access Attempts fall under HIPAA’s definition of a Security Event but that our reporting and your review of information about Access Attempts would be materially burdensome to both parties without reducing risks to information systems or PHI of either party.
        2. DataQ Reporting. We will report to you any Security Incident (not including Access Attempts) or Breach which affects your PHI within the time period(s) set forth in the DataQ BAA.
        3. Your Reporting. You will require Your Users, your employees, and any subcontractors to report to you any Security Incident (not including Access Attempts) and Unauthorized Uses or Disclosures of PHI of which they become aware. You will report to us any Security Incident (not including Access Attempts) or Breach involving the Developer Services or Patient Data which comes from the DataQ Platform within five (5) business days of your becoming aware of such events.
        4. Breach. You and DataQ each acknowledge and agree that, as between you and DataQ, you have the more direct relationship with the Patient who is the subject of the Patient Data used and disclosed through the Developer Services and DataQ Platform. Accordingly, you will be responsible for providing notification of Breaches to the affected individuals, applicable regulatory authorities, and the media where required by Applicable Law or elected by you. Any notification by you to affected individuals, regulatory authorities, or media shall be deemed a notification as well by DataQ, and you will identify DataQ as a notifying party in the notification, except to the extent that DataQ may otherwise direct you in writing. In the event that you elect not to or fail to timely notify potentially affected individuals, regulatory authorities, or media as provided above, and we reasonably determine that it may be required by Applicable Law to give such a notification, we may give the notification at our discretion.
        5. Other Law Enforcement Notification. In case of any ambiguity, either you or DataQ may notify appropriate law enforcement agencies in the event that you or we reasonably believe that an Unauthorized Use or Disclosure of PHI is the result of criminal activity.