Privacy Policy

Purpose

This Privacy Policy outlines how OneHealthPort ("we," "us," or "our") collects, uses, protects, and discloses personal and clinical information across its multiple services. Our goal is to ensure the privacy and security of the information we handle while providing valuable services to our users.

Policy Statement

OneHealthPort is committed to maintaining the highest standards of privacy and security for the information we collect and process. We adhere to applicable data protection laws and regulations, and we strive to be transparent about our data practices.

Applicability

This Privacy Policy applies to all individuals and entities that use OneHealthPort's services, including the Single Sign-On (SSO), Health Information Exchange (HIE), Clinical Data Repository (CDR) and Credentialing (ProviderSource).

Personal Information Collection and Use

Single Sign-On (SSO):

  • We collect Personally Identifiable Information (PII) such as name, address, email, and year of birth to verify identity and assist in account management.

  • The collected PII is used solely for the purpose of facilitating secure access to our services and our participating organization sites.

  • The SSO service does not store or process Protected Health Information (PHI).

  • During the registration process, OneHealthPort uses a third-party service to vet the identity of the organization Administrators. The information collected by the third-party service is not visible to or stored by OneHealthPort.

Health Information Exchange (HIE):

  • Our HIE service acts as a secure conduit for the exchange of clinical and business information between trading partner systems.

  • Other than the Clinical Data Repository (CDR), no information that is transmitted by the HIE is accessed or stored by OneHealthPort.

  • During the HIE contracting process, OneHealthPort collects and stores the contact names, organization name, address, emails, and phone numbers for the purpose of contacting the customer for billing, contracting or technical needs.

Clinical Data Repository (CDR):

  • The CDR stores clinical records that contain Protected Health Information (PHI).

  • Information is encrypted and cannot be accessed during transmission.

  • Users can view patient records individually through a clinical portal or apply for permission to receive aggregated data.

  • OneHealthPort is not responsible for obtaining patient consent; responsibility lies with the providers submitting the clinical data.

Credentialing (ProviderSource):

  • OneHealthPort contracts with a third-party vendor to provide the credentialing service, ProviderSource.

  • While ProviderSource is operated independently from OneHealthPort by a third party, OneHealthPort does provide its identity and access management services.

  • Users may upload PII such as DOB, SSN and other data as part of the credentialing process. 

  • The third-party vendor is responsible for the collection, storage, protection, and dissemination of the provider data.

  • OneHealthPort has no access to the credentialing data. 

Disclosure of Personal Information

  • OneHealthPort forwards your SSO credential electronically to the participating organization’s website you are trying to access. Your credential includes your login ID, employer name, and your assigned role(s). This is necessary to properly identify a user to the participating organization’s website.

  • OneHealthPort will share SSO user contact information (name, organization, and email) with a participating organization for the purposes of troubleshooting login issues or to assist with an investigation of a potential security incident.

  • OneHealthPort will share an organization’s technical contact information (name, organization, and email) to support the organization with onboarding and troubleshooting for the HIE.

Exceptions to Disclosure Policy

OneHealthPort will not disclose personal information except in response to lawful requests by public authorities, when required by law, to protect its rights in emergencies affecting the safety of individuals or property, or in response to a potential security incident or breach.

Protection of Personal Information

We implement technical and organizational measures to safeguard the information we collect and process, including but not limited to:

  • Encryption of data in transit and at rest.

  • Access controls and authentication mechanisms.

  • Regular security assessments and audits to identify and address vulnerabilities.

Retention

We retain personal and clinical information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law.

Updates to Privacy Policy

We may update this Privacy Policy as necessary to reflect changes in our services, legal requirements, or industry practices. We encourage users to review this policy periodically for any updates.

Contact Information

For questions or concerns about this Privacy Policy or our data practices, please complete our Contact Us form.

By using our services, you agree to the terms outlined in this Privacy Policy.