RxPhoto Data Privacy and Protection Policy
This policy is intended to clearly communicate how RxPhoto collects, uses, protects, and otherwise handles Personally Identifiable Information (PII) and Protected Health Information (PHI) for clinicians and patients.
What is RxPhoto?
RxPhoto is a clinical photography management, documentation, and storage platform for the dermatology, aesthetics, plastic surgery, vein treatment, medical spa and wound care fields.
RxPhoto is committed to respecting the privacy of our clinicians and patients. It is our belief that individuals ultimately have the right to understand and control how their personal data is used. We have instituted policies and procedures to ensure your privacy rights are protected.
RxPhoto will, so far as is reasonably practical, comply with the privacy and data protection principles of all countries and with all laws within the United States to ensure that all data is:
- Fairly and lawfully processed
- Obtained and used for specific and clearly stated purposes
- Adequate, relevant, and not excessive
- Accurate and up to date
- Not kept for longer than necessary
- Processed in accordance with your rights
- Not transferred to other countries without adequate protection
What is PII and PHI?
Personally identifiable information, or PII, as described in US privacy laws, is information that can be used on its own or together with other information to identify, contact, or locate a single person. You can be identified from information such as your name, email address, phone number, home address, driver’s license number, and passport number. You may also be identified from information such as an online identifier, IP address, unique device ID, or website cookie; this type of information becomes PII when combined with information that further identifies who you are.
Protected Health Information, or PHI, is essentially PII combined with any of your medical or health information. This includes medical records, health insurance records, medical images such as X-rays and clinical photographs, communication with healthcare professionals, and any other information about your medical or health condition that can be tied directly to you.
When do we collect information about you?
We collect information from clinicians or representatives of clinics when they sign up for RxPhoto service through our website. We collect information from patients on behalf of clinicians through the RxPhoto and RxPortal mobile apps, along with the companion RxAdmin website.
What information do we collect and store?
When ordering or registering on our site, you (as a clinic representative) will be asked to enter your name, email address, mailing address, phone number, credit card information and other details needed to complete your order. Clinicians customize their own forms to collect the information needed to treat their patients. Examples of patient data typically collected and stored include patient contact information, health insurance information, treatment information, and face and body photos used during the treatment process.
How do we use your information?
If you are a clinician, we may use the information we collect from you when you purchase our product, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:
- To personalize your experience and to allow us to deliver the type of content and product offerings in which you are most interested.
- To improve our website in order to better serve you.
- To allow us to better serve you when responding to your customer service requests.
- To quickly process your transactions.
- To send periodic emails regarding your order or other products and services.
- To follow up with you after correspondence (live chat, email or phone inquiries).
- To bill you periodically for our product or service.
Patient data is used by clinicians for the purposes of treating the patient.
What is our “legal basis” for processing of your data?
With respect to each of the purposes for which we use your personal data, the General Data Protection Regulation (GDPR) and other regulations require us to ensure that we have a “legal basis” for that use. Most commonly, we will rely on one of the following legal bases:
- We process the information that we collect when you decide to use our services and register on RxPhoto and/or make a purchase, on the legal basis that data processing is necessary to perform a contract we are about to enter into or have entered into with you (“Contractual Necessity”). In the event you fail to provide such data, you may not be able to use our services;
- An additional legal basis exists when we have obtained your specific consent to process your personal data in connection with your decision to use our services. This consent is affirmatively expressed when you enter your data into our system. We also rely on your consent as the legal basis for processing when you sign up for our newsletter, respond to a survey or marketing communication, or use certain other site features.
- Our legal basis for processing the data we collect when you visit and browse our website (data collected with cookies) is likewise your consent. You can choose to have your browser warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since each browser is a little different, consult your browser’s Help menu to learn the correct way to modify your cookie settings.
How RxPhoto may share your data
We may share your data with software companies that are responsible for the maintenance of our website (Hosting companies, IT service providers etc.). We also may share your data with other companies and electronic medical records systems (EMRs) involved in managing your practice or individual health care. If you are a patient, your data will be shared with and ultimately managed by the clinic responsible for your treatment.
How RxPhoto protects your data
As a HIPAA-compliant service provider, RxPhoto maintains a comprehensive set of security policies and protocols designed to ensure that your data is accessible only to the relevant patient and the clinics using our services. We implement a variety of security measures to maintain the safety of your personal information. Specific data security measures include:
- All personal data (PII and PHI) is stored on physically secure hardware behind network firewalls.
- No financial information, including credit cards information, is stored on RxPhoto servers. Transactions involving credit cards are processed directly through payment gateways and full credit card numbers are not stored.
- All data collected for registration and patient services is hosted on Amazon Web Services (AWS). Data in transit is encrypted with TLS (the successor to SSL), and data at rest is encrypted at AWS.
- Management access and data transfers are performed over SSH.
- Access to protected data requires login credentials.
- In the unlikely event of a data breach, RxPhoto has policies in place to notify affected parties.
- Data security is regularly audited by third parties.
RxPhoto’s security team performs quarterly risk assessments, including security auditing, penetration testing, vulnerability assessment, and account auditing. Based on each assessment, security recommendations are made to the relevant organizational departments, and security patches and software upgrades are applied. If vulnerabilities are discovered, security and/or software updates are applied immediately. Any resulting breach is investigated immediately as per the RxPhoto Data Breach Policy.
The majority of user activity in our mobile and web applications is tied to the user ID entered when the user logs in.
On our website, RxPhoto uses a variety of Google’s advertising and tracking technologies. Google’s advertising policies are summarized in Google’s Advertising Principles, which are intended to provide a positive experience for users.
We use retargeting cookies in order to show our site visitors relevant product and promotional information when visiting our site or other websites that promote our products.
We have implemented the following:
- Remarketing with Google AdSense and Facebook
- Google Display Network Impression Reporting
- We, along with third-party vendors such as Google, use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) or other third-party identifiers together, to compile data regarding user interactions with ad impressions and other ad service functions as they relate to our website.
- Opting out: You can set preferences for how Google advertises to you using the Google Ad Settings page. Alternatively, you can opt out by visiting the Network Advertising Initiative Opt Out page or by using the Google Analytics Opt-out Browser Add-on.
We honor Do Not Track signals: we do not track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place. It is also important to note that we do not allow third-party behavioral tracking.
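The paragraph above states a behaviour (no tracking, cookies, or advertising when DNT is set) without saying how a site detects the signal. The following is an added example, not RxPhoto’s code, showing one way to gate the loading of tracking and advertising tags on the browser’s DNT signal. Browsers have exposed DNT under different property names and values over the years (`navigator.doNotTrack`, `window.doNotTrack`, the legacy `navigator.msDoNotTrack`, with values “1” or “yes” meaning opt-out), so all known forms are checked; Global Privacy Control is treated the same way. The tag list, script paths and the `kind` field are assumptions made for the example.

```javascript
// Added example (not RxPhoto's code): decide whether tracking/advertising tags
// may load, honouring Do Not Track. navigatorLike/windowLike are injected so the
// logic can be tested outside a browser.

function dntEnabled(navigatorLike, windowLike) {
  const nav = navigatorLike || {};
  const win = windowLike || {};
  // Property names differ by browser and era; check every known location.
  const candidates = [nav.doNotTrack, win.doNotTrack, nav.msDoNotTrack];
  for (const c of candidates) {
    if (c === undefined || c === null) continue;
    // "1" is the standard opt-out value; older Firefox used "yes".
    // "0" and "unspecified" mean the user has not opted out.
    const v = String(c).toLowerCase();
    if (v === "1" || v === "yes") return true;
  }
  // Global Privacy Control is the newer opt-out signal; treat it as DNT.
  if (nav.globalPrivacyControl === true) return true;
  return false;
}

// Hypothetical tag inventory: "tracking" tags are blocked under DNT,
// "essential" tags (needed for the site to function) always load.
const TAGS = [
  { name: "analytics", kind: "tracking", src: "/vendor/analytics.js" },
  { name: "remarketing-pixel", kind: "tracking", src: "/vendor/pixel.js" },
  { name: "session-keepalive", kind: "essential", src: "/static/keepalive.js" },
];

// Returns the names of the tags that are permitted to load for this visitor.
function allowedTags(tags, navigatorLike, windowLike) {
  const optedOut = dntEnabled(navigatorLike, windowLike);
  return tags
    .filter((t) => t.kind === "essential" || !optedOut)
    .map((t) => t.name);
}

// In a browser, injects <script> elements for the permitted tags only.
// Outside a browser (no document), it just returns what would have loaded.
function loadTags(tags, navigatorLike, windowLike, doc) {
  const names = allowedTags(tags, navigatorLike, windowLike);
  if (doc && typeof doc.createElement === "function") {
    for (const t of tags) {
      if (!names.includes(t.name)) continue;
      const s = doc.createElement("script");
      s.src = t.src;
      s.async = true;
      doc.head.appendChild(s);
    }
  }
  return names;
}

// Typical browser usage (globals exist only in a browser):
// loadTags(TAGS, navigator, window, document);
```

Checking only `navigator.doNotTrack === "1"` is the common mistake: it silently ignores the “yes” value and the `window`/`msDoNotTrack` locations, so some opted-out users still get tracked. Keeping the decision in a pure function also makes the policy auditable in a unit test rather than only by inspecting network traffic.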
Adherence to Privacy Laws and Practices
RxPhoto recognizes the principles and requirements of international and domestic privacy laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act, CAN-SPAM, the privacy laws of Mexico, Canadian Anti-Spam Law, OPPA, Fair Information Practices, and Nevada privacy laws, through our Privacy and Data Protection Policy.
We recognize that all personal information you submit to RxPhoto belongs to you, and that we use your data only with your permission. You have the following specific rights:
- Informed: We will tell you exactly how we use your data in clear, plain language.
- Consent: RxPhoto will not store or use your data without your consent.
- Access and Portability: View and download all personal data RxPhoto may store.
- Modification: Request changes or updates to any personal data RxPhoto stores.
- Erasure: Request that RxPhoto purge all personal identifying information at any time.
If you have any request related to your data, including modifications or erasure, you may contact our Data Protection Officer at [email protected]o.com.
You may also use the following form: https://rxphoto.com/gdpr/data_rights_form/.
You may also write or call us at:
75 State Street, Suite 100
Boston, MA 02109