Developer Privacy Policy

  1. PURPOSE
    The purpose of the Prime DataQ Health, LLC Developer Privacy Policy (“Policy”) is to provide important protections for privacy of Patients or Users whose PHI is stored in the DataQ Platform and to detail the conditions and requirements for access to such data when using the Developer Services. This Policy applies to all Developers and your Users and is incorporated into the Developer Terms of Service (“Developer Terms”). This Policy may be updated or amended from time to time in accordance with provisions of the Developer Terms.
  2. POLICY
    1. DEFINITIONS
      1. Capitalized terms used but not defined in this Policy or the Developer Terms will have the meanings set forth in HIPAA or other Applicable Laws.
      2. Extension of HIPAA Definitions. To make requirements for protection of Patient Data consistent across all types of Patient Data, where this Policy incorporates definitions from HIPAA, this Policy has the same definition as the similar definition from HIPAA except that the term PHI or Protected Health Information is replaced by the broader term for Patient Data as defined in the Developer Terms.
        “Authorized Activities” means Treatment Activities, Payment Activities, Health Care Operations Activities, and Public Health Activities, as defined in the Policy.

        “Designated Record Set”, as set forth in 45 CFR 154.501 of the HIPAA Privacy Rule, means (1) a group of records maintained by or for a Covered Entity that is: (i) the medical records and billing records about the individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a Health Plan; or (iii) used, in whole or in part, by or for the Covered Entity to make decisions about individuals. For purposes of this definition, the term “record” means any item, collection or grouping of information that includes Patient Data and is maintained, collected, used or disseminated by or for a Covered Entity.

        “DRS Requirements” mean the minimum requirements set forth in this Policy for which Patient Data provided must be included in the Designated Record Set made available through the Common Patient Record.

        “Health Care” means care, services, or supplies related to the health of an individual. Health Care includes, but is not limited to, the following: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription, as defined at 45 CFR 160.103.

        “Health Care Operations Activities” means any of the following activities of a Covered Entity to the extent they relate to covered functions: (1) conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines (providing that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities); patient safety activities; population-based activities relating to improving health or reducing healthcare costs, protocol development, case management and care coordination, contacting of Health Care Providers and Patients with information about treatment alternatives; and related functions that do not include treatment; (2) reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities; (3) except where excluded under and consistent with the requirements of HIPAA, underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for Health Care; (4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; (5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity; including formulary development and administration, development or improvement of methods of payment or coverage policies; and (6) business management and general administrative activities of the entity, including but not limited to management activities relating to implementation and compliance of HIPAA; customer service, including provision of data analyses for policy holders, plan sponsors, or other customers (provided that PHI is not disclosed to such policy holder, plan sponsor or customer); resolution of internal grievances; the sale, transfer, merger or consolidation of all or part of the Covered Entity with another Covered Entity, or an entity that following such activity will become a Covered Entity, and due diligence related to such activity; and consistent with the applicable provisions of HIPAA, creating de-identified health information or a limited data set, and fundraising for the benefit of the Covered Entity; as defined in 45 CFR 164.501.

        “Health Care Provider” means a facility-based provider of services (such as a hospital, skilled nursing facility, home health agency or hospice), a provider of medical or health services under Medicare or Medicaid, and any other person or organization who furnishes, bills or is paid for Health Care in the normal course of business, as defined in 45 CFR 160.103.

        “Information Blocking” has the same meaning as the term is defined in the ONC Cures Rules at 45 CFR Part 171.

        “Patient Relationship” has the meaning set forth in Section B(2)(a)(ii) of this Policy.

        “Payment Activities” mean activities of (1) a Health Plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; (2) a Health Care Provider or Health Plan to obtain or provide reimbursement for the provision of Health Care, including (but not limited to) the following: determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; risk adjusting amounts due based on enrollee health status and demographic characteristics; billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing; review of Health Care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and disclosure to consumer reporting agencies of certain PHI relating to collection of premiums or reimbursement; as defined at 45 CFR 164.501.

        “Permitted Access Requirements” mean the criteria set forth in Section B(2)(a)(i) below.

        “Public Health Activities” means, for public health authorities (as defined in 45 CFR 164.501), preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions, and for an entity subject to the jurisdiction of the Food and Drug Administration (FDA) for an FDA-regulated product or activity, activities related to the quality, safety or effectiveness of FDA products or activities (including collecting or reporting adverse events, product defects or problems, or biological product deviations, tracking FDA-regulated products, enabling product recalls, repairs, replacement or lookback to notify individuals who have received products that have been recalled, withdrawn, or to conduct post marketing surveillance), as described in 45 CFR 164.512(b).

        “Treatment Activities” mean the provision, coordination, or management of Health Care and related services by one or more Health Care Providers, including the coordination or management of health care by a Health Care Provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one Health Care Provider to another, as defined in 45 CFR 164.501.

        “USCDI” means the United States Core Data for Interoperability developed, published and maintained by the ONC under the Cures Rules.

    2. USE & ACCESS OF PATIENT DATA
      1. When we permit access to Patient Data
        1. Permitted Access Requirements. We will only enable access to Patient Data through the Developer Services or the DataQ Platform to a Developer that meets the following Permitted Access Requirements:
          1. the Developer has successfully completed our Verification Process,
          2. the Developer has a Patient Relationship (defined below) with the Patient for which it is requesting access to Patient Data,
          3. the Developer accesses the Patient Data only for Authorized Activities, and
          4. the Developer is currently satisfying all of its obligations under DataQ Policies and the Developer Terms (collectively, “Permitted Access Requirements”).
        2. Patient Relationship. No Developer or Participant may access Patient Data in the DataQ Platform for a particular patient unless it provides DataQ documentation of an established and active patient relationship for that patient (“Patient Relationship”). DataQ supports the following methods for documenting that a Participant or Developer has a Patient Relationship with a Patient:
          1. You make an assertion to DataQ that you have a Patient Relationship with the Patient by uploading a Patient Roster or Member Eligibility File with a list of Patients. When you make this assertion, you are making a legally binding representation to us that you have a Patient Relationship, and DataQ is relying on this representation to give you the requested access to the Patient Data. DataQ will cooperate with regulators or other legal authorities to the fullest possible extent under Applicable Law if you falsely or fraudulently assert a Patient Relationship.
          2. DataQ may determine that you have a Patient Relationship through the Patient Data we receive that evidences such a relationship (e.g., an ADT Encounter Notification that identifies you as a treating provider or location, a medication order that identifies you as the prescribing provider, or a claim file that identifies you as the entity receiving payment for a service). In making these determinations we must rely on the quality and accuracy of the Patient Data we receive, and we are not responsible for any errors or mistakes made about a Patient Relationship because of quality or accuracy issues in Patient Data we have received.
      2. We only permit use of Patient Data for Authorized Activities. We only permit Developers who meet Permitted Access Requirements to use or disclose Patient Data through the Developer Services or DataQ Platform for Authorized Activities.
  3. SHARING PATIENT DATA: DESIGNATED RECORD SET
    1. General Requirement. The HIPAA Privacy Rule and the ONC Cures Rules require, and this Policy implements the requirement, that a Patient has certain rights relating to a Covered Entity’s Designated Record Set. Also, the ONC Cures Rules require that Covered Entities share a Designated Record Set and not engage in Information Blocking. This Policy establishes identical Patient Rights and requirements for sharing a Designated Record Set for all Patient Data, including PHI covered by HIPAA.
    2. DRS Requirements. DataQ requires that the categories of documents or records in this Section be included in the Designated Record Set, which is available in the Common Patient Record. DataQ will enable Developers to designate additional documents or records as included in the Designated Record Set at their discretion. These requirements are based on the currently adopted and published version of the USCDI, and DataQ may add additional requirements as the USCDI standard is expanded over time.
      Account DeviceRequest MedicationRequest
      AllergyIntolerance DiagnosticReport MedicationStatement
      Appointment DocumentManifest MolecularSequence
      AppointmentResponse DocumentReference NutritionOrder
      BodyStructure Encounter Observation
      CarePlan EpisodeOfCare Patient
      CareTeam FamilyMemberHistory Person
      ClinicalImpression Flag Procedure
      Composition Goal Provenance
      Condition ImagingStudy RelatedPerson
      Consent Immunization RiskAssessment
      Coverage ImmunizationEvaluation ServiceRequest
      CoverageEligibilityRequest ImmunizationRecommendation Specimen
      CoverageEligibilityResponse MeasureReport SupplyDelivery
      DetectedIssue MedicationAdministration SupplyRequest
      Device MedicationDispense VisionPrescription