We are very pleased about your interest in Cosmos Clinical and our services. Data protection is of a particularly high priority for the management of Cosmos Clinical. The use of the Internet pages of Cosmos Clinical is possible without any indication of personal data. However, if a data subject wants to use our services, processing of personal data could become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain the consent of the data subject.
The processing of personal data, such as the name, address, e-mail address, or telephone number of a data subject, shall always be in line with the General Data Protection Regulation (GDPR), Georgia’s Personal Identity Protection Act (PIPA) and the Health Insurance Portability and Accountability Act (HIPAA), to the extent these apply to Cosmos Clinical. By means of this privacy policy, our company would like to inform the public about the nature, scope and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed of their rights by means of this privacy policy.
As the controller, Cosmos Clinical has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. Nevertheless, Internet-based data transmissions can always be subject to security vulnerabilities, so absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means, for example by telephone.
Definitions
We use the following terms, among others, in this privacy policy:
a) Personal data
Personal data is any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
Data subject means any identified or identifiable natural person whose personal data are processed by the controller.
c) Processing
Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.
e) Profiling
Profiling is any type of automated processing of personal data that consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects relating to that natural person’s job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.
f) Pseudonymization
Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
g) Controller or person responsible for the processing
The controller or person responsible for processing is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for in accordance with Union or Member State law.
h) Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
i) Recipient
Recipient means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law shall not be considered as recipients.
j) Third Party
Third-party means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or the processor.
k) Consent
Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, in the form of a statement or any other clear affirmative act, by which the data subject signifies agreement to the processing of personal data relating to him or her.
General Information
Name and address of the controller
The controller within the meaning of the applicable data protection laws and other provisions with data protection character is:
Cosmos Clinical
750 Hammond Dr., Atlanta, GA 30328, USA
E-mail: info@cosmosclinical.com
Website: www.cosmosclinical.com
Facebook: https://www.facebook.com/Cosmos-Clinical-102945918965881/
Twitter: https://twitter.com/COSMOSClinical
LinkedIn: https://www.linkedin.com/in/cosmosclinical/
Our principles
Cosmos Clinical processes personal data in order to better understand the needs of its customers and thus to be able to improve its services.
Personal data will only be used in the specific context of your customer relationship with Cosmos Clinical to the extent permitted by law or on the basis of your prior express consent.
In particular, we are committed to the following key principles:
· We protect your privacy and aim to provide you with a service that is tailored to your needs.
· Personal data is collected for specific purposes based on your consent or a legitimate interest when you contact us.
· You have the right to information and access to your personal data at any time and may request its correction or deletion.
· We do not sell your personal data to third parties. However, where necessary and where this is expressly stated or you have consented, we may share your data with group companies, brand licensees, partners and other service providers. In this case, their own privacy policies may also apply.
· We take all reasonable measures to ensure the security and protection of your data from misuse.
· Personal data are processed by us only as necessary and for the purpose of providing a functional and user-friendly website, including its contents and the services offered.
How we use information
The main reason we use your information is to provide and improve our services. We also use your information to protect you and to provide you with advertisements that may be of interest to you. Read on for a more detailed explanation of the various reasons we use your information, along with practical examples.
· To provide our services to you
· To provide you with customer support and respond to your inquiries
· To complete your transactions
· To communicate with you about our services
· To improve our services and develop new services
· To conduct research and analysis of user behavior to improve our services and content (e.g., we may decide to change the look and feel or even substantially modify a particular feature based on user behavior)
· To develop new features and services
· To prevent, detect and respond to fraud or other illegal or unauthorized activities
· To address ongoing or perceived misconduct
· To perform data analysis to better understand these activities and develop countermeasures
· To retain data related to fraudulent activity to prevent a recurrence
· To ensure compliance with laws
· To comply with legal requirements
· To assist law enforcement
· To enforce or exercise our rights, for example, our terms of use
Legal basis of processing
Art. 6 I lit. a GDPR serves us as the legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations that are necessary for delivery of goods or the provision of another service or consideration, the processing is based on Art. 6 I lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services.
If we are subject to a legal obligation by which processing of personal data becomes necessary, such as for the fulfillment of tax obligations, the processing is based on Art. 6 I lit. c GDPR.
In rare cases, the processing of personal data might become necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were to be injured on our premises and as a result, his or her name, age, health insurance data or other vital information had to be passed on to a doctor, hospital or another third party. Then the processing would be based on Art. 6 I lit. d GDPR.
Ultimately, processing operations could be based on Art. 6 I lit. f GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. Such processing operations are permitted to us in particular because they were specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47 sentence 2 GDPR).
Data Processing When Using Our Website
Cookies
www.cosmosclinical.com uses cookies. Cookies are text files that are stored on a computer system via an Internet browser.
Numerous Internet pages and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the visited Internet pages and servers to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified via the unique cookie ID. For more general information on cookies, please visit www.allaboutcookies.org; for specific details on the cookies we use, please read our cookie policy.
Collection of general data and information
www.cosmosclinical.com collects a series of general data and information each time a data subject or automated system calls up the website. This general data and information is stored in the server log files. The following data may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrer), (4) the sub-websites that are accessed via an accessing system on our website, (5) the date and time of an access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information that serve to avert danger in the event of attacks on our information technology systems.
When using these general data and information, Cosmos Clinical does not draw any conclusions about the data subject. Rather, this information is needed (1) to deliver the contents of our website correctly, (2) to optimize the contents of our website and the advertising for these, (3) to ensure the long-term functionality of our information technology systems and the technology of our website, and (4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber-attack. Cosmos Clinical therefore analyzes this anonymously collected data and information both statistically and with the aim of increasing the data protection and data security of our enterprise, so that we can ultimately ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a data subject.
Contact possibility via the website
www.cosmosclinical.com contains information that enables a quick electronic contact, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address).
If a data subject contacts the controller, the personal data transmitted by the data subject will be stored automatically. Such personal data transmitted on a voluntary basis by a data subject to the controller will be stored for the purposes of processing or contacting the data subject. There is no disclosure of this personal data to third parties.
Routine erasure and blocking of personal data
The controller processes and stores personal data of the data subject only for the period of time necessary to achieve the purpose of storage or insofar as this has been provided for in laws or regulations to which the controller is subject.
If the storage purpose ceases to apply or if a storage period prescribed expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.
Processing of personal data when using the offered services
Personal data will be collected, processed or used (“used”) in connection with the services offered. This is always done in compliance with applicable law. Insofar as we use your personal data for a purpose that requires your consent according to the legal provisions, we will always ask for your express consent.
Direct marketing
The legal basis for the processing of your personal data in the context of direct marketing measures is either your consent or our legitimate interest in marketing and promoting our courses and services. The purpose of processing your personal data in the context of direct marketing measures is to send information, offers and, if applicable, to promote sales.
Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected; this is the case in particular upon receipt of the revocation or objection. You can revoke your consent at any time for the future or object to the processing of your personal data in the context of direct marketing measures at any time for the future.
Commercial and business services
We process information of our contractual and business partners, e.g., customers and interested parties, in the context of contractual and comparable legal relationships as well as related measures, and in the context of communication with contractual partners (or pre-contractual communication), e.g., to answer inquiries.
We process this information to fulfil our contractual obligations, to secure our rights and for the purposes of the administrative tasks associated with this information as well as for business organization. We only disclose the information of the contractual partners to third parties within the scope of the applicable law to the extent that this is necessary for the aforementioned purposes or for the fulfilment of legal obligations or with the consent of the contractual partners (e.g., to participating telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisers, payment service providers or tax authorities).
Unless otherwise specified, the purposes of processing are contractual performance and service, contact requests and communication, office and organizational procedures, administration and response to requests, evaluation of visitor actions, and interest-based and behavioral marketing. The legal bases are contractual performance and pre-contractual inquiries, legal obligation, and our legitimate interests.
Administration, financial accounting, office organization, contact management
We process data in the context of administrative tasks as well as organization of our operations, financial accounting and compliance with legal obligations, such as archiving. In this regard, we process the same data that we process in the course of providing our contractual services. The processing bases are Article 6 (1) (c) GDPR, Article 6 (1) (f) GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organization, archiving of data, i.e., tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the data mentioned in these processing activities.
In this context, we disclose or transfer data to the tax authorities, consultants such as tax advisors or auditors, and other fee offices and payment service providers.
Furthermore, based on our business interests, we store information on suppliers, and other business partners, e.g., for the purpose of contacting them at a later date. This data, most of which is company-related, is generally stored permanently.
Information processing for the purpose of fraud prevention and optimization of our payment processes
Where applicable, we provide our service providers with further information, which they use together with the information necessary for the processing of the payment, as our processors, for the purpose of fraud prevention and optimization of our payment processes (e.g., invoicing, processing of contested payments, accounting support). This serves our legitimate interests in protection against fraud and in efficient payment management, which, on balance, outweigh the interests of the data subject.
Technical services
We process the data of our customers and clients in order to enable them to select, purchase or commission the selected services or works as well as associated activities and to pay for and deliver them or to execute or provide them. The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for the provision of services and billing as well as contact information.
Unless otherwise specified, the purposes of processing are contractual performance and service, contact requests and communication, office and organizational procedures, administration and response to requests, evaluation of visitor actions, and interest-based and behavioural marketing. The legal bases are contractual performance and pre-contractual inquiries, legal obligation, and our legitimate interests.
Data transfer to payment service providers
In order to fulfill the contract, we pass on your data to the company commissioned with the payment, insofar as this is necessary for the payment of our services. Depending on which payment method you select, we pass on the payment data collected for this purpose to the credit institution commissioned with the payment and, if applicable, to payment service providers commissioned by us or to the selected payment service provider. In some cases, the selected payment service providers also collect this data themselves. In this case, the privacy policy of the respective payment service provider applies. The legal basis for this data processing is the performance of the contract.
Miscellaneous
Duration for which the personal data are stored
The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data will be routinely deleted, provided that they are no longer required for the performance of the contract or the initiation of the contract.
Legal or contractual provisions for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide the personal data; possible consequences of non-provision
We inform you that the provision of personal data is sometimes required by law (e.g., tax regulations) or may also result from contractual regulations (e.g., information on the contractual partner). Sometimes, in order to conclude a contract, it may be necessary for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with him or her. Failure to provide the personal data would mean that the contract with the data subject could not be concluded. Before providing personal data by the data subject, the data subject must contact one of our employees. Our employee will explain to the data subject on a case-by-case basis whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences of not providing the personal data would be.
General technical organizational measures
Cosmos Clinical has taken a variety of security measures to protect personal information to an appropriate extent and adequately. All information held by Cosmos Clinical is protected by physical, technical, and procedural measures that limit access to the information to specifically authorized persons in accordance with this Privacy Policy.
Legal defense and enforcement of our rights
The legal basis for the processing of your personal data in the context of legal defense and enforcement of our rights is our legitimate interest. The purpose of processing your personal data in the context of legal defense and enforcement of our rights is the defense against unjustified claims and the legal enforcement and assertion of claims and rights.
Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. The processing of your personal data in the context of legal defense and enforcement is mandatory for legal defense and enforcement of our rights. Consequently, there is no possibility for you to object.
SSL/TLS encryption
To protect the security of your data during transmission, we use current encryption protocols (TLS, the successor to SSL) via HTTPS.
Existence of automated decision-making
As a responsible company, we do not use automated decision-making or profiling.
Accountability
In certain countries, including in the European Union, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how we process information. The data protection authority you can lodge a complaint with notably may be that of your habitual residence, where you work or where we are established.
Accuracy
It is important that the data we hold about you is accurate and current, therefore please keep us informed of any changes to your personal data.
Children Data
Our website is not intended for children, and we do not knowingly collect data relating to children. If you become aware that your child has provided us with personal data without parental consent, please contact us and we will take the necessary steps to remove that information from our servers.
Social Media
The data you enter on our social media pages, such as comments, videos, pictures, likes, public messages, etc. are published by the social media platform and are not used or processed by us for any other purpose at any time. We only reserve the right to delete content if this should be necessary. Where applicable, we share your content on our site if this is a function of the social media platform and communicate with you via the social media platform. The legal basis is our legitimate interest. The data processing is carried out in the interest of our public relations and communication.
If you wish to object to certain data processing over which we have an influence, please contact us. We will then examine your objection. If you send us a request on the social media platform, we may also refer you to other secure communication channels that guarantee confidentiality, depending on the response required. You always have the option of sending us confidential inquiries to our address stated in the imprint.
As already stated, where the social media platform provider gives us the opportunity, we take care to design our social media pages to be as data protection compliant as possible. With regard to statistics that the provider of the social media platform makes available to us, we can only influence these to a limited extent and cannot switch them off. However, we make sure that no additional optional statistics are made available to us.
Data processing by the operator of the social media platform
The operator of the social media platform uses web tracking methods. The web tracking can also take place regardless of whether you are logged in or registered with the social media platform. As already explained, we can unfortunately hardly influence the web tracking methods of the social media platform. We cannot, for example, switch this off.
Please be aware: It cannot be ruled out that the provider of the social media platform uses your profile and behavioral data, for example to evaluate your habits, personal relationships, preferences, etc. We have no influence on this. In this respect, we have no influence on the processing of your data by the provider of the social media platform.
Georgia’s Personal Identity Protection Act (PIPA) Statement
Commercial Partners
Individual(s) or companies that have been approved by us as a recipient of organizational PII and from which Cosmos Clinical has received confirmation of their data protection practices conformance with the requirements of this policy. Commercial Partners include all external providers of services to Cosmos Clinical and include proposed Commercial Partners. No PII information can be transmitted to any vendor in any method unless the vendor has been pre-certified for the receipt of such information.
PII Training
All new hires entering Cosmos Clinical who may have access to PII are provided with introductory training regarding the provisions of this policy, a copy of this policy and implementing procedures for the department to which they are assigned. Employees in positions with regular ongoing access to PII, or those transferred into such positions, are provided with training reinforcing this policy and procedures for the maintenance of PII data and shall receive annual training regarding the security and protection of PII data and company proprietary data.
PII Audit(s)
Cosmos Clinical conducts audits of PII information maintained by Cosmos Clinical in conjunction with fiscal year closing activities to ensure that this policy remains strictly enforced and to ascertain the necessity for the continued retention of PII information. Where the need no longer exists, PII information will be destroyed in accordance with protocols for the destruction of such records and logs maintained for the dates of destruction.
Data Breaches/Notification
Databases or data sets that include PII may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, Cosmos Clinical will notify all affected individuals whose PII data may have been compromised, and the notice will be accompanied by a description of the action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible after the breach was discovered.
Confirmation of Confidentiality
All company employees must maintain the confidentiality of PII as well as company proprietary data to which they may have access and understand that such PII is to be restricted to only those with a business need to know. Employees with ongoing access to such data will sign acknowledgment reminders annually attesting to their understanding of this company requirement.
Violations of PII Policies and Procedures
Cosmos Clinical views the protection of PII data to be of the utmost importance. Infractions of this policy or its procedures will result in disciplinary actions under Cosmos Clinical’s discipline policy and may include suspension or termination in the case of severe or repeat violations. PII violations and disciplinary actions are incorporated in Cosmos Clinical’s PII onboarding and refresher training to reinforce Cosmos Clinical’s continuing commitment to ensuring that this data is protected by the highest standards.
Health Insurance Portability and Accountability Act (HIPAA) Statement
At Cosmos Clinical, we take all necessary measures to comply with the most stringent privacy and security regulations, including HIPAA guidelines. The Cosmos Clinical system is designed to enable our customers to comply with such requirements under applicable patient privacy laws.
In addition, Cosmos Clinical takes all reasonable steps to keep the use or disclosure of protected health information to the minimum necessary to provide the promised services to its customers. Cosmos Clinical works hard so that its products and services meet or exceed industry standards with respect to the U.S. Health Insurance Portability and Accountability Act (“HIPAA”) of 1996.
The Health Insurance Portability and Accountability Act (HIPAA) establishes two important rules for your practice in connection with the use of Cosmos Clinical: the Security Rule and the Privacy Rule, both issued under the HIPAA provisions known as Administrative Simplification. Both rules affect the transmission, storage, and management of patient information.
Security Rule: the HIPAA Security Rule became effective on April 21, 2003. Its purpose is to protect confidential medical information held in electronic form. The Security Rule establishes standards for the storage, maintenance, and transmission of electronic protected health information in a “secure electronic environment” for a medical practice. This includes administrative procedures and physical safeguards, as well as technical measures to control and monitor access to protected health information and prevent unauthorized access to data during transmission.
Privacy Rule: HIPAA’s privacy rule addresses the use and disclosure of protected health information and became effective April 14, 2001. It required all practices to comply with the Privacy Rule as of April 14, 2003.
The Privacy Rule requires practices to make reasonable efforts to limit the use and disclosure of such protected health information by staff to the “minimum necessary” to perform their jobs. Practices are further expected to limit the likelihood of “inadvertent disclosure” to individuals for whom there is no reasonable need to know as a matter of law. In addition, practices must maintain a log of disclosures of certain protected health information that is not directly related to the patient’s care.
Products and Services
Cosmos Clinical’s products and services are designed with specific features to help our customers comply with HIPAA regulations. Cosmos Clinical uses a relational database with a secured username and password login process. Each user is granted specific access rights, for example to view, add or edit data, and is denied access to data outside those rights. When a user adds or changes data in the database, a record of the change is created. The revision log built up in this way can be reviewed by authorized administrators.
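The access-rights and revision-log pattern described above, shown as an added example that is not Cosmos Clinical’s own code: each write is checked against the caller’s role, every add or edit is recorded with its before and after values, denied attempts are recorded as well, and database triggers make the log append-only so that not even an administrator reviewing it can alter it. The role names, table layout and sample records are assumptions for illustration.

```python
"""Added example (not Cosmos Clinical's code): role-checked writes to a
patient table with an append-only revision log. Roles, schema and sample
data are assumed for illustration only."""
import sqlite3
from datetime import datetime, timezone

DDL = """
CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL);
CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT NOT NULL, note TEXT);
CREATE TABLE revision_log (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    ts TEXT NOT NULL, actor TEXT NOT NULL, action TEXT NOT NULL,
    patient_id INTEGER, old_note TEXT, new_note TEXT);
-- Append-only: existing log rows can be neither changed nor deleted
-- through the application connection, regardless of the caller's role.
CREATE TRIGGER no_update_log BEFORE UPDATE ON revision_log
    BEGIN SELECT RAISE(ABORT, 'revision_log is append-only'); END;
CREATE TRIGGER no_delete_log BEFORE DELETE ON revision_log
    BEGIN SELECT RAISE(ABORT, 'revision_log is append-only'); END;
"""

# Role -> permitted actions (assumed for the example). Note that the
# administrator who reviews the log cannot edit patient data.
PERMISSIONS = {
    "clinician": {"read", "add", "edit"},
    "billing": {"read"},
    "admin": {"read", "review_log"},
}


class AccessDenied(PermissionError):
    pass


def open_store():
    """Create an in-memory store with three sample users (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("dr_lee", "clinician"), ("pat_b", "billing"), ("ops", "admin")])
    conn.commit()
    return conn


def _log(conn, actor, action, patient_id, old_note, new_note):
    conn.execute(
        "INSERT INTO revision_log (ts, actor, action, patient_id, old_note, new_note)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor, action, patient_id, old_note, new_note))


def _authorize(conn, username, action):
    """Raise AccessDenied (and log the attempt) unless the user's role permits the action."""
    row = conn.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchone()
    if row is None or action not in PERMISSIONS.get(row[0], set()):
        _log(conn, username, "denied:" + action, None, None, None)
        conn.commit()
        raise AccessDenied(f"{username} may not {action}")


def add_patient(conn, actor, name, note):
    _authorize(conn, actor, "add")
    cur = conn.execute("INSERT INTO patients (name, note) VALUES (?, ?)", (name, note))
    _log(conn, actor, "add", cur.lastrowid, None, note)
    conn.commit()
    return cur.lastrowid


def edit_note(conn, actor, patient_id, new_note):
    _authorize(conn, actor, "edit")
    old = conn.execute("SELECT note FROM patients WHERE id = ?", (patient_id,)).fetchone()
    if old is None:
        raise KeyError(patient_id)
    conn.execute("UPDATE patients SET note = ? WHERE id = ?", (new_note, patient_id))
    _log(conn, actor, "edit", patient_id, old[0], new_note)  # before and after values
    conn.commit()


def get_note(conn, actor, patient_id):
    _authorize(conn, actor, "read")
    row = conn.execute("SELECT note FROM patients WHERE id = ?", (patient_id,)).fetchone()
    return None if row is None else row[0]


def review_log(conn, actor):
    """Return (actor, action, patient_id, old_note, new_note) rows; admins only."""
    _authorize(conn, actor, "review_log")
    return conn.execute(
        "SELECT actor, action, patient_id, old_note, new_note FROM revision_log ORDER BY seq"
    ).fetchall()


def log_is_append_only(conn):
    """True if the triggers block deletion of existing entries (call once the log is non-empty)."""
    try:
        conn.execute("DELETE FROM revision_log WHERE seq = (SELECT MIN(seq) FROM revision_log)")
        conn.rollback()
        return False
    except sqlite3.DatabaseError:
        conn.rollback()
        return True
```

In a production deployment the log would live in a separate schema or database that the application account can only insert into, with the trigger as a second line of defence rather than the only one; the pattern of recording denied attempts alongside successful changes is what lets an administrator spot probing of records outside a user’s role.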
Customer Support
Cosmos Clinical’s product support staff assists customers in using Cosmos Clinical’s products in a HIPAA-compliant environment. All remote access by Cosmos Clinical product support staff to patient data at the customer site is via a fully encrypted protocol.
Business partner
HIPAA requires healthcare providers to enter into specific “business associate" contracts with certain entities to which they disclose patient health information. These business associate contracts generally require the recipients of such information to take appropriate precautions to protect the patient health information they receive. To perform certain service and support tasks, Cosmos Clinical employees may need access to patient health information maintained by Cosmos Clinical customers. As a result, Cosmos Clinical may be considered a business associate (“Business Associate") of the customers who receive these services. Cosmos Clinical is providing a new Business Associate standard contract for its customers that meets HIPAA requirements.
Cosmos Clinical’s new Business Associate Agreement provides general assurances to customers that the company will use the patient data they submit only to provide services and support and will protect that data against misuse.
HIPAA Policy
To implement these requirements for business associates and to protect the confidentiality and integrity of patient data received, the HIPAA Policy sets forth the following:
· It provides that the Company will retrieve and use confidential patient data provided by its customers only to the extent necessary to perform customer service and support.
· It restricts access to such data to those employees and agents who provide specific services and support.
· It prohibits the disclosure of patient data provided by customers to anyone who is not an employee or agent of the Company, unless specifically authorized by Cosmos Clinical and by the customer and/or patient, as appropriate.
· It requires all Company employees and agents to report any use or disclosure of patient data in violation of Cosmos Clinical’s HIPAA Policy.
· It provides that Cosmos Clinical will investigate all reports that patient data has been used in a manner not permitted by Cosmos Clinical’s HIPAA Policy and will impose appropriate sanctions on conduct prohibited by the policy.
· It specifies that Cosmos Clinical employees who may come into contact with patient data receive training on Cosmos Clinical’s privacy and security policy and the importance of protecting the confidentiality and security of patient data.
· It provides for transferring patient data provided by customers in a secured manner so that the integrity, confidentiality and availability of the data are protected.
Cosmos Clinical has put together some suggestions to help ensure that your patients’ data are managed by your practice in a responsible and HIPAA-compliant manner when using Cosmos Clinical:
· Be sure to obtain explicit (preferably written) permission from your patients to use Cosmos Clinical services.
· Keep your passwords in a secure location that unauthorized staff and patients cannot access.
· Set up user accounts for your computers that require users to log in with a password.
· Always lock or log out of your Cosmos Clinical account when not in use.
· Use unique identifiers for your patients when using Cosmos Clinical with patient photos to increase privacy.
· Develop standard procedures under which every handling of patient images must be documented.
· Keep your laptop, computer and digital camera within your practice in a secure location with limited access.
· Keep a copy of your User Agreement (issued at the time you subscribe to our services).
In addition to complying with HIPAA security recommendations, Cosmos Clinical adheres to the FTC’s Security by Design Guidelines:
· Data security is carefully assessed for each component of our platform
· Data is encrypted both in transit and at rest
· Cosmos Clinical uses two-factor authentication
· Cosmos Clinical is protected against common vulnerabilities
· Our team keeps up to date with new vulnerabilities and keeps the software updated accordingly
Network Protection
Cosmos Clinical servers and supporting systems are protected from hackers and network intrusion by firewalls and other leading security measures.
Controlled Employee Access
Certain Cosmos Clinical staff and system administrators may need to access the Cosmos Clinical system to provide operational/administrative support. Access rights are strictly controlled, and access is granted only to those who need it to support the Cosmos Clinical system and its users. All Cosmos Clinical employees and subcontractors are required to sign confidentiality agreements. Access to the system is granted only after validation of the user’s identification data, assigned role and system permissions.
User Passwords
Users must enter their username and password to gain access to the Cosmos Clinical system. These credentials are created by users during registration. To reset a password, the information is sent to the user’s email on file. If two-factor authentication is enabled, a unique passcode is sent via SMS after the account password is entered. Administrators do not have access to user passwords, and passwords can only be reset by following a link sent via email at the user’s request.
Encryption
Encryption provides users with a secure way to exchange information with websites through their web browsers by scrambling the information as it is transmitted. This makes it unusable for anyone who does not have the protected decryption key needed to decrypt the information. Cosmos Clinical provides encryption for user interactions through Secure Sockets Layer (SSL) technology with a robust 256-bit encryption key. Cosmos Clinical also uses industry-proven encryption standards (TLS) when health information is transmitted into or out of Cosmos Clinical.
Physical Security
The Cosmos Clinical server and supporting systems are physically secured and protected in world-class data centers. Access to the physical systems is carefully controlled through multiple levels of security measures, including authentication requirements (e.g., user keys, biometrics), security guard and registration check-in requirements, and state-of-the-art security monitoring and alert systems.
Access tracking and disclosure
In accordance with HIPAA standards, Cosmos Clinical logs relevant details each time health information is viewed, edited, or exported to ensure system integrity.
Your Rights
Georgia Specific Rights
If you are a Georgia resident, you have the following rights:
· Right to Know and Access. You may submit a verifiable request for information regarding the: (1) categories of Personal Information we collect, use, or share; (2) purposes for which categories of Personal Information are collected or used by us; (3) categories of sources from which we collect Personal Information; and (4) specific pieces of Personal Information we have collected about you.
· Right to Equal Service. We will not discriminate against you if you exercise your privacy rights.
· Right to Delete. You may submit a verifiable request to close your account and we will delete Personal Information about you that we have collected.
· Request that a business that sells a consumer’s personal data not sell the consumer’s personal data.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us. We do not sell the Personal Information of our users. For more information about these rights, please contact us.
Your HIPAA Rights
When it comes to your health information, you have additional rights. To exercise any of these rights, contact us at the contact information listed above.
In particular:
· You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you.
· You can ask us to correct health information about you that you think is incorrect or incomplete.
· You can ask us to contact you in a specific way (for example, home or office phone) or at a specific location (for example, to send mail to a different address).
· You can tell us your choices about what we share.
· You can ask us to limit what we use or share.
· You can get a list of those with whom we have shared information.
· You can get a copy of this Notice.
· You can choose someone to act for you.
· You can file a complaint if you feel your rights are violated.
GDPR Specific Rights
a) Right to information
You have the right to request information and/or copies of the personal data stored about you.
b) Right to rectification
You have the right to request that personal data relating to you be corrected and/or completed without delay.
c) Right to restriction of processing
You have the right to request the restriction of the processing of your personal data insofar as: you dispute the accuracy of the data; the processing is unlawful but you object to its erasure; we no longer require the data but you need it for the assertion, exercise, or defense of legal claims; or you have lodged an objection to the processing.
d) Right to erasure
You have the right to request the erasure of your personal data stored by us, unless the processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the assertion, exercise, or defense of legal claims.
e) Right to information
If you have exercised the right to rectification, erasure, or restriction of processing, we will inform all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
f) Right to data portability
You have the right to have personal data that you have provided to us handed over to you or to a third party in a structured, common and machine-readable format. If you request the direct transfer of the data to another responsible party, this will only be done insofar as it is technically feasible.
g) Right of objection
Insofar as your personal data are processed on the basis of legitimate interests pursuant to Article 6 (1) (f) of the GDPR, you have the right to object to the processing at any time pursuant to Article 21 (1) of the GDPR.
If we process your data for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing in accordance with Art. 21 (2) GDPR; this also applies to profiling insofar as it is related to such direct marketing.
h) Right to withdraw consent
You have the right to revoke your consent to the collection of data at any time with effect for the future. The data collected until the revocation becomes legally effective will remain unaffected. Please understand that the implementation of your revocation may take a little time for technical reasons and that you may still receive messages from us in the meantime.
i) Right to complain to a supervisory authority
If the processing of your personal data violates data protection law or if your data protection rights have otherwise been violated in any way, you may complain to the supervisory authority.
You can also exercise your rights of rectification and deletion most quickly, easily and conveniently by logging into your customer account and directly editing or deleting your data stored there. Please note that after deleting your data, the offers of our product partners via our website will also no longer be available to you. This includes, among other things, re-download options. Therefore, please save your data before asserting a claim for deletion. Data that we are required to store due to legal, statutory or contractual retention obligations will be blocked instead of being deleted in order to prevent it from being used for other purposes.
j) Automated decision-making including profiling
You have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you (scoring).
Closing
Am I Obliged to Provide Data?
The processing of your data is necessary for the conclusion or fulfillment of the contract you have entered into with us. If you do not provide us with this data, we will usually have to refuse to conclude the contract or will no longer be able to perform an existing contract and consequently have to terminate it. However, you are not obliged to give your consent to data processing with regard to data that is not relevant for the fulfillment of the contract or that is not required by law.
Can we make changes to this Privacy Policy?
We reserve the right to update and amend all or parts of this Privacy Policy, at any time, to the fullest extent permitted under applicable law. The version published on the Site is the version actually in force.
As an individual whose personal data is processed as described in this Privacy Policy, you have a number of rights which are summarized below. Please note that exercising these rights is subject to certain requirements and conditions as set forth in applicable law.