Last revision of this policy: July 2020
The following terms: “MindMaze”, “we”, “us”, “our” or the “Company” are references to MindMaze Inc, and to companies held by MindMaze Holding SA authorized to use or disclose Electronic Health Records or under a business associate contract with a covered entity.
MindMaze attaches great importance to the protection and respect of your privacy and health information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations limit MindMaze's ability to use and disclose protected health information (PHI).
PHI means any information about personal data, health status, provision of health care, or payment for health care that is created or collected by a Covered Entity or a Business Associate of a Covered Entity and that can be related to an individual.
MindMaze Inc, MindMaze Holding SA and the other companies of the MindMaze group, including MindMaze Inc in the US, create intuitive human-machine interfaces on their revolutionary IT platform inspired by neuroscience. Our innovations are at the intersection of neuroscience, mixed reality and artificial intelligence and are therefore ready to transform a large number of industries.
We collect information about you when you use one of our MindMotion devices and/or participate in our registry, clinical studies, clinical trials or clinical evaluations. These data are for example:
Our products collect information about your impairment by tracking your different sessions (activity score, game time, etc.). They also produce information that allows us to identify you. This information can be, for example:
We need this personal information to provide you with our services and improve your user experience. Without this information, it would be impossible for you to use our services. However, you may choose not to provide personal information that may help identify you, such as:
As a business associate, we may receive your personal and health information from sources such as hospitals, our subsidiaries, or other companies active in the health sector. The information received is then combined with other information we may already have about you. This data can be, for example:
The various sources that send us your data have their own privacy policies, which do not always apply to ours and vice versa. They may or may not have obtained your consent to the collection and processing of your information when you used their platforms or services. However, we are subject to HIPAA and to strict limitations on the use and disclosure of your protected health information, so we will act accordingly as required by law.
When you visit our websites mindmaze.com, mindmotionweb.com or mm-companion.com from your mobile device or from a computer, we collect and store information in the device's internal storage space. We then reuse this data to improve your user experience or to compile statistics. The different data we collect can be, for example:
You will be able to choose whether or not to store this information by accepting cookies or not.
Cookies are small amounts of information stored in files within your computer’s browser itself. Cookies are accessible and stored by the websites you visit, and by companies that display their advertisements on websites, so that they can recognize the browser. Websites can only access the cookies they have stored on your computer.
You have the option of configuring your browser to accept all cookies, reject all cookies, notify you when a cookie is issued together with its validity period and content, allow you to refuse to save it on your device, and delete your cookies periodically.
You can set your Internet browser to disable cookies. Please note, however, that if you disable cookies, your username and password will no longer be saved on any website. For more information on how to delete and control cookies stored on your computer, visit https://www.aboutcookies.org/
We may use your personal data and/or data related to your neurological impairment for the following purposes:
Your PHI may only be used with your express consent, which must be collected in advance, except for the use of data other than those relating to your impairment, for the intended purposes mentioned in points (1) and (2), which is based on the contractual agreement you have concluded with MindMaze or another company in the MindMaze group, as an end user, customer or other.
PHI collected by MindMaze and other companies in the MindMaze group will only be kept for as long as necessary to achieve the purposes for which it was collected. To ensure that we do not keep it longer than necessary, we periodically review and delete our files in accordance with these purposes. In certain circumstances, for example when we are acting on behalf of a covered entity, we might keep your data longer to comply with the business associate contract we have with the covered entity.
Only specific MindMaze employees may carry out that periodic review, and a non-disclosure agreement clause is included in their contracts. They must also apply and follow all policies, processes and procedures resulting from the HIPAA implementation. Your PHI is extremely sensitive and is classified as confidential.
MindMaze employees and consultants: to improve our services, products, user experience, security and the proper performance of the contract between you and MindMaze.
Third-party service providers working for us: we are authorized to share your personal or health information with our third-party service providers, agents, subcontractors and other associated organizations for the purpose of performing tasks and providing services on our behalf. When we use third-party service providers, however, we only disclose the pseudo-anonymized information necessary to provide the relevant services, and we enter into a written agreement (including in electronic form) in accordance with US law requiring them to ensure the security of your information and not to use it for their own purposes, except with your express consent.
Government or health plans: we may act on behalf of a health care provider to disclose your health information to a health plan for payment purposes.
Insurance companies: we may act on behalf of a health care provider to disclose your health information to submit a claim to the insurer.
Researchers: to a researcher for research purposes, either with patient authorization, pursuant to a waiver under 45 CFR 164.512(i), or as a limited data set pursuant to 45 CFR 164.514(e).
Financial institutions: we may need to disclose your personal information when a financial institution processes consumer-conducted financial transactions by debit, credit or other payment card; clears, checks, initiates or processes electronic funds transfers; or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care, services or activities.
We are also authorized to conclude contracts with third parties to enable them to offer you devices and solutions to improve the treatment of your disabilities or handicaps. In this context, we are authorized to transmit your personal information to insurance companies and pharmaceutical companies for a fee, only for this purpose and subject to your express consent.
The DPO ensures that the Company is HIPAA compliant and follows US data protection regulation such as the California Data Privacy Act (CDPA). The DPO is responsible for implementing and maintaining the HIPAA-compliant privacy program and for ensuring that privacy policies safeguarding the integrity and confidentiality of PHI are enforced. The DPO is also responsible for delivering or overseeing ongoing staff privacy training, conducting risk assessments, developing security policies and ensuring that technical implementations are aligned with them and with business agreement contracts, monitoring compliance, implementing and maintaining procedures and processes, and ensuring that they remain aligned with revisions of the law. The DPO can be reached at any time at [email protected] or by using the contact details in the "Contact Us" section.
The DPO is responsible for developing and maintaining a notice of the Company's privacy practices that describes:
The privacy notice will inform participants that the Company will have access to PHI. The privacy notice will also provide a description of the Company’s complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice.
The notice of privacy practices will be individually delivered to all participants:
The Company will also provide notice of availability of the privacy notice at least once every three years.
MindMaze employees who may have access to PHI receive data protection and HIPAA training. In the event that an incident has occurred, the DPO, in collaboration with management, decides whether additional training is necessary and which staff should receive it in order to avoid a recurrence.
The DPO will be the Company’s contact person for receiving complaints. The DPO is responsible for creating a process for individuals to lodge complaints about the Company’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint form shall be provided to any participant upon request.
When you provide us with personal information about yourself, we take steps to ensure its security. All the information you send us is encrypted using TLS and a 256-bit security key.
The products you use are also designed to comply with best practices for production, physical security and storage security. Risk studies are carried out in order to limit these risks as much as possible.
We regularly carry out security reviews on our platforms and services that we offer you and correct weaknesses as soon as possible. We strive to keep all our systems as up-to-date as possible with the latest security patches.
The accounts you create with us are all protected by a password that is your responsibility. You must define one that is complex enough to limit the risk of it being easily guessed. To help you with this, we have defined a password complexity policy: when you set your password, we show you the criteria it must meet to be accepted. On our systems, your passwords are not stored in clear text but are protected with secure cryptographic algorithms.
Despite all the measures taken to guarantee the security of your information, we draw your attention to the fact that there is no such thing as zero risk. We do our best to protect your information, but we cannot guarantee 100% flawless security. Security is only effective when all parties follow good practices. You are responsible for keeping your login information and any other access data for our services confidential.
MindMaze uses powerful solutions to provide you with the best user experience and quality, reliable services. Information security plays a very important role in our criteria for choosing suppliers of third-party products and services. However, MindMaze has no control over the internal policies of our suppliers and cannot guarantee 100% flawless security of the products and/or services we use in-house.
MindMaze will mitigate, to the extent possible, any harmful effects that become known to it resulting from a use or disclosure of a participant's PHI in violation of the policies and procedures set forth in this policy. The DPO will take appropriate steps to mitigate the harm to the participants.
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA. No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrolment or eligibility.
The Plan document includes provisions to describe the permitted and required uses and disclosures of PHI by MindMaze. Specifically, the Plan document requires MindMaze to:
As a business associate, we will always update the plan document based on the agreement concluded with the covered entity.
The Company has developed an Incident Report form. This form is used to document reports of privacy breaches that have been referred to the DPO from staff members who have reviewed or received the suspected incident.
After receiving the Incident Report form from staff members, the DPO classifies the incident and its severity and analyses the situation. Documentation shall be retained by the Company for a minimum of six years from the date of the reported incident.
If the DPO is able to resolve the incident, the DPO shall also document the actions taken to resolve the issue in the Incident Report form.
Just like paper records, Electronic Health Records must comply with HIPAA, and other state and federal laws. Unlike paper records, electronic health records can be encrypted – using technology that makes them unreadable to anyone other than an authorized user – and security access parameters are set so that only authorized individuals can view them. Further, EHRs offer the added security of an electronic tracking system that provides an accounting history of when records have been accessed and who accessed them.
MindMaze will grant access to PHI based on employees' job functions and responsibilities. The DPO, in collaboration with IT and senior management, is responsible for determining which individuals require access to PHI and what level of access they require, through discussions with the individual's manager and/or department head. The IT department will keep a record of authorized users and the rights they have been granted with respect to PHI. IT keeps a comprehensive matrix of how and to whom rights are granted. A summary of user rights can be found in the table below.
The Company will use and disclose PHI only as permitted under HIPAA and Business associate contracts established between the Company and Covered Entities. The terms “use” and “disclosure” are defined as follows:
Use: The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Company, or by a Business Associate of the Company.
Disclosure: For information that is protected health information, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within MindMaze with a business need to know PHI.
By default, MindMaze staff do not have access to PHI data that may be transferred to us. The DPO ensures that access to PHI is monitored and granted only where necessary to help the company achieve its objectives (for example, for the execution of the Business Associate Contract).
MindMaze will never use or disclose PHI without patient or Covered Entity consent. Thus, we use de-identified data to improve our product or create new services that will best fit your needs.
PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.
PHI may be disclosed in the following situations without a participant’s authorization, when specific requirements are satisfied. The Company’s use and disclosure procedures describe specific requirements that must be met before these types of disclosures may be made. Permitted are disclosures:
As a business associate, we may be subject to more or less permissive disclosures depending on the nature of the duties of the Covered Entity we are associated with.
HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure. The “minimum-necessary” standard does not apply to any of the following:
Minimum Necessary When Disclosing PHI. For making disclosures of PHI to any business associate or providers, or internal/external auditing purposes, only the minimum necessary amount of information will be disclosed.
All other disclosures must be reviewed on an individual basis with the DPO to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.
Minimum Necessary When Requesting PHI. For making requests for disclosure of PHI from business associates, providers or participants for purposes of claims payment/adjudication or internal/external auditing purposes, only the minimum necessary amount of information will be requested.
All other requests must be reviewed on an individual basis with the DPO to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.
As a business associate, we will always use or disclose PHI, even when limited to the "minimum necessary", only with the consent of the Covered Entity we are associated with.
With the approval of the DPO and in compliance with HIPAA privacy rule, employees may disclose PHI to the Company’s business associates and allow the Company’s business associates to create or receive PHI on its behalf. However, prior to doing so, the Company will first obtain assurances from the business associate that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a “business associate,” MindMaze employees will contact the DPO and verify that a business associate contract is in place.
Business Associate is an entity that:
Examples of Business Associates are:
When acting on behalf of a Covered Entity as a Business Associate, we are not allowed to disclose any PHI to other Business Associates without the written authorization of the Covered Entity.
However, in certain circumstances, we will work with business associates approved by a covered entity to help us achieve the processing mentioned in section 4.
The Company may freely use and disclose de-identified information.
De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity or a business associate can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers. The 18 specific elements listed below, relating to the participant, employee, relatives, or employer, will be removed if found in your data record set, and we will ascertain that there is no other available information that could be used alone or in combination to identify an individual.
MindMaze does not collect all of that information, but as a business associate, the covered entities we are associated with may share with or transfer to us information in addition to the data mentioned in section 2. That information may fall within the list above.
The HIPAA privacy rule provides to individuals a set of rights over their personal or health data:
The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).
Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity or business associate that comprises the:
We will always act on the individual's request within a maximum of 30 calendar days of receiving it. If we are unable to provide you with the PHI, or with the requested accounting of disclosures of your PHI, within 30 calendar days, we will inform you of an extension of 30 additional calendar days. This is an outer limit and we will always try to respond as soon as possible. At any time, you may access your PHI directly through the web portal of MindMotion Companion. If you are performing sessions with a therapist, you may ask your therapist to create a remote session account for you. The remote session account will give you access to the PHI that was entered by the therapist.
You have a right to direct a covered entity or a business associate to transmit your PHI directly to another person or entity designated by you. Your request to direct the PHI to another person must be in writing, signed by you, and must clearly identify the designated person and where to send the PHI. We may accept an electronic copy of a signed request (e.g. PDF), as well as an electronically executed request (e.g. via a secure web portal) that includes an electronic signature.
As a business associate, if your request is addressed directly to us instead of to the covered entity, we will forward it to the covered entity we are associated with and rely on their decision and the accepted method. We may also redirect you directly to the covered entity.
Your personal representative has the right to access your PHI in a designated record set (as well as to direct a covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice), upon request.
An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals.
As described in section 3, we may process your PHI only with your consent. Insofar as we process your PHI based on your consent, you have the right to withdraw your consent at any time. However, the withdrawal of your consent does not compromise the lawfulness of the processing operation before your consent is withdrawn.
If you are unable to legally establish contractual links with MindMaze or another company of the MindMaze group or to give your consent to the processing of your PHI, for medical or similar reasons, your personal data may however only be processed if this is necessary to safeguard your vital interests or if we have to comply with the law.
You also have the right to request restrictions on the use and disclosure of your PHI if it would be used or disclosed without your express consent. When you do so, the DPO is responsible for processing the request, ensuring that the procedures, processes and policies are updated accordingly, and ensuring that staff are properly trained to take that request into consideration. It remains at our sole discretion to honour such a request if the request is not reasonable. We will, however, act in your best interest and will always comply with the HIPAA privacy rule and our business associate contract.
The HIPAA Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information). The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual (45 CFR 164.524(c)(4)).
As a business associate, and in accordance with our business associate agreement with a covered entity, we will charge you fees for copies on a case-by-case basis.
Under certain limited circumstances, we may deny an individual's request to amend all or a portion of the PHI requested. In some of these circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny.
We may deny a request to amend PHI for the following reasons:
We may deny access for the following reasons:
In any case, we will send you a denial in writing no later than 30 calendar days after the request (or no later than 60 calendar days if we notify you of an extension). The denial will be in plain language and will describe the basis for the denial.
As a business associate, we will always defer to the decision of the covered entity on whose behalf we are acting. Any request for access will be forwarded to the covered entity for approval. In such a case, you may submit a complaint to the covered entity, to us, or to the HHS Office for Civil Rights (45 CFR 164.524(d)(3)).
7.8. How to exercise your rights
We will take reasonable steps to verify the identity of the individual making a request for access to his/her own PHI. You will be able to request access to your PHI if you are in one of the following situations:
When acting on behalf of a covered entity, requests under (1), (3), (4) and (5) will be redirected to the covered entity and handled according to our business associate contract.
A privacy breach is an adverse event or action that is unplanned, unusual, and unwanted that happens as a result of non-compliance with the privacy policies and procedures of the Company. A privacy breach must pertain to the unauthorized use or disclosure of health information, including ‘accidental disclosures’ such as misdirected e-mails or faxes.
The DPO will immediately investigate and attempt to resolve all reported suspected privacy breaches.
Following a breach of unsecured protected health information, we will provide notification of the breach to affected individuals if necessary. The communication will be made based on the information we have:
As a business associate, we will notify the covered entities we are associated with following the discovery of a breach, without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, we will provide the covered entity with the identification of each individual affected by the breach, as well as any information the covered entity is required to provide in its notification to affected individuals.
us with personal data without your consent, please contact us using the information in the “Contact Us” section below. We will take steps to remove this personal information from our systems.
The Company will not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any person who has reported a privacy incident. All privacy incidents will be reported to the DPO and documented. You can freely exercise your right to access your complaints at any time.
Founded in 2012, MindMaze is a global leader in brain technology with a mission to accelerate humanity’s ability to recover, learn and adapt.
With over a decade of work at the intersection of neuroscience, biosensing, engineering, mixed reality and artificial intelligence, we have enhanced the recovery potential of patients with neurological diseases. Combining our FDA cleared and CE marked digital therapeutics with best-in-class motion analytics, AI and cloud technologies, our goal is to create the universal platform for brain health.