The purpose of the Privacy Policy is to provide important protections for privacy of users and patients whose PHI is stored in the DataQ Platform. This policy applies to all users, including developers ("you"). DataQ reserves the right to revise or modify this policy at any time and in any manner. By accessing the DataQ Platform, you agree to the latest version of this policy.
Capitalized terms used but not defined in this policy will have the meanings set forth in 45 CFR 154.501 and other applicable laws.
"Authorized Activities" means Treatment, Payment, Health Care Operations, and Public Health Activities.
"Health Care" means care, services, or supplies related to the health of an individual. Health Care includes, but is not limited to, the following: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other term in the accordance with a prescription, as defined at 45 CFR 160.103.
"Health Care Provider" means a facility-based provider of services (such as a hospital, skilled nursing facility, home health agency or hospice), a provider of medical or health services under Medicare or Medicaid, and any other person or organization who furnishes, bills or is paid for Health Care in the normal course of business, as defined in 45 CFR 160.103.
"Information Blocking" has the same meaning as the term is defined in the ONC Cures Rules at 45 CFR Part 171.
"Patient Relationship" has the meaning set forth in Section B(2)(a)(ii) of this Policy.
"Permitted Access Requirements" mean the criteria set forth in Section B(2)(a)(i) below.
"Public Health Activities" means, for public health authorities (as defined in 45 CFR 164.501), preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions, and for an entity subject to the jurisdiction of the Food and Drug Administration (FDA) for an FDA-regulated product or activity, activities related to the quality, safety or effectiveness of FDA products or activities (including collecting or reporting adverse events, product defects or problems, or biological product deviations, tracking FDA-regulated products, enabling product recalls, repairs, replacement or lookback to notify individuals who have received products that have been recalled, withdrawn, or to conduct post marketing surveillance, as described in 45 CFR 164.512(b).
"USCDI" means the United States Core Data for Interoperability developed, published and maintained by the ONC under the Cures Rules.
i. Permitted Access Requirements. A developer may only access patient data through the DataQ Platform after they have met the following requirements: (i) the developer has successfully completed our verification process, (ii) the developer has a Patient Relationship (defined below) with the patient for which it is requesting access to, (iii) the developer accesses the patient data only for authorized activities, and (iv) the developer is currently satisfying all of its obligations under all required DataQ Policies and requirements.
ii. Patient Relationship. No user may access patient data in the DataQ Platform for a particular patient unless it is for an Authorized Activity and the user has provided DataQ documentation of an established and active Patient Relationship. DataQ supports the following methods for documenting that user has the required Patient Relationship:
1. Uploading a patient roster or member eligibility file with a list of patients. When you make this assertion, you are making a legally binding representation to us that you have a Patient Relationship, and DataQ is relying on this representation to give you the requested access to the patient data. DataQ will cooperate with regulators or other legal authorities to the fullest possible extent under applicable law if you falsely or fraudulently assert a Patient Relationship.
2. DataQ may determine that you have a Patient Relationship through the patient data we receive that evidences such a relationship (e.g., an ADT Encounter Notification that identifies you as a treating provider or location, a medication order that identifies you as the prescribing provider, or a claim file that identifies you as the entity receiving payment for a service). In making these determinations we must rely on the quality and accuracy of the patient data we receive, and we are not responsible for any errors or mistakes made about a Patient Relationship because of quality or accuracy issues in patient data we have received.
a. General Requirement. The HIPAA Privacy Rule and the ONC Cures Rules require, and this policy implements the requirement, that a patient has certain rights relating to a Covered Entity's Designated Record Set. Also, the ONC Cures Rules require that Covered Entities share a Designated Record Set and not engage in Information Blocking. This policy establishes identical patient rights and requirements for sharing a Designated Record Set for all patient data, including PHI.
b. DRS Requirements. DataQ requires that the categories of documents or records in this Section be included in the Designated Record Set, which is available in the common patient record. DataQ will enable developers to designate additional documents or records as included in the Designated Record Set at their discretion. These requirements are based on the currently adopted and published version of the USCDI and DataQ may add additional requirements as the USCDI standard is expanded over time.
| Account | DeviceRequest | MedicationRequest |
| AllergyIntolerance | DiagnosticReport | MedicationStatement |
| Appointment | DocumentManifest | MolecularSequence |
| AppointmentResponse | DocumentReference | NutritionOrder |
| BodyStructure | Encounter | Observation |
| CarePlan | EpisodeOfCare | Patient |
| CareTeam | FamilyMemberHistory | Person |
| ClinicalImpression | Flag | Procedure |
| Composition | Goal | Provenance |
| Condition | ImagingStudy | RelatedPerson |
| Consent | Immunization | RiskAssessment |
| Coverage | ImmunizationEvaluation | ServiceRequest |
| CoverageEligibilityRequest | ImmunizationRecommendation | Specimen |
| CoverageEligibilityResponse | MeasureReport | SupplyDelivery |
| DetectedIssue | MedicationAdministration | SupplyRequest |
| Device | MedicationDispense | VisionPrescription |