HIPAA does not control your use of your health information. HIPAA grants you the legal right to view and access your legal health record. It is a set of federal rules designed for health care providers, health insurance companies and other identified “covered entities” that control who can look at and receive your health information. HIPAA regulations also ensure that your privacy is protected to the greatest extent, with best practice policies and safeguards in place to minimize any exposure or misuse.
Must QRepublik comply with HIPAA?
No, we are working on behalf of health care consumers who are exercising their legal right to obtain, aggregate and use their own health information. Because we are not what the federal government considers a “covered entity”, QRepublik is not subject to HIPAA regulations.
Although QRepublik is not legally required to be HIPAA compliant, does it still meet HIPAA's security standards?
Yes! We respect your privacy and understand the importance of securing your information. Therefore we choose to meet the highest possible standards to earn your trust. We meet the technical, physical and administrative safeguard requirements defined by the HIPAA Security Rule to be considered “safe” with regard to privacy protection for the QRepublik Private Profile. The QRepublik Public Profile is designed to be shared in case of emergency and falls outside of HIPAA for this reason.
In addition to following HIPAA security recommendations, QRepublik adheres to the FTC's Security by Design Guidelines:
- Data security is carefully considered for each component of the QRepublik platform
- Data is encrypted both in transit and at rest
- QRepublik uses two-factor authentication
- QRepublik is protected from common vulnerabilities
- Our team stays current with knowledge of new vulnerabilities and keeps software appropriately updated
We process the following personal data of the User:

| Personal data | Distribution | Notes |
|---|---|---|
| Last Name | must be distributed | Personal Identification |
| Name | must be distributed | Personal Identification |
| Middle name (if any) | distributed at the option of the subject | |
| Year of birth | must be distributed | Personal Identification |
| Birth month | must be distributed | Personal Identification |
| Date of birth | must be distributed | Personal Identification |
| Address | distributed at the option of the subject | If the swipe is switched to the YES position |
| Diseases | distributed at the option of the subject | If the swipe is switched to the YES position |
| Insurance Information | distributed at the option of the subject | If the swipe is switched to the YES position |
| Emergency Contact Points | distributed at the option of the subject | If the swipe is switched to the YES position |
| Allergies | distributed at the option of the subject | If the swipe is switched to the YES position |
| Attending physicians | distributed at the option of the subject | If the swipe is switched to the YES position |
| Procedures | distributed at the option of the subject | If the swipe is switched to the YES position |
| Laboratory Research | distributed at the option of the subject | If the swipe is switched to the YES position |
| Vaccination | distributed at the option of the subject | If the swipe is switched to the YES position |
| Medicines | distributed at the option of the subject | If the swipe is switched to the YES position |
| Medical digital documents | distributed at the option of the subject | If the swipe is switched to the YES position |
| Responsible Persons | distributed at the option of the subject | If the swipe is switched to the YES position |
| Additional Information | distributed at the option of the subject | If the swipe is switched to the YES position |
| Pregnancy | distributed at the option of the subject | If the swipe is switched to the YES position |
| Special categories of personal data* | | |
| Race | distributed at the option of the subject | If the swipe is switched to the YES position |
| Nationality | distributed at the option of the subject | If the swipe is switched to the YES position |
| Health status | distributed at the option of the subject | If the swipe is switched to the YES position |
| Biometric Personal Data** | | |
| Biometric Personal Data | distributed at the option of the subject | If the swipe is switched to the YES position |

QRepublik servers and supporting systems are protected from hackers and network intrusion using firewalls and other leading security measures.
CONTROLLED EMPLOYEE ACCESS
Certain QRepublik employees and system administrators may need to access the QRepublik system to provide operational / administrative support. Access rights are strictly controlled and access is only granted to those who require it to support the QRepublik system and its users. All QRepublik employees and subcontractors are required to sign confidentiality agreements. Access to the system is only granted after validation of the user’s identification credentials, assigned role and system permissions.
Users must enter their username and password to be granted access to the QRepublik system. These credentials are created by users upon registration. To reset a password, the information will be sent to the user’s email on file. If two-factor authentication is enabled, then once the user enters the account password a unique passcode will be sent via text message. Administrators will not have access to user passwords and passwords can only be reset by following a link sent by email upon user request.
Encryption provides a secure way for users to exchange information with web sites via their web browsers by “scrambling” the information as it is submitted. This makes it unusable to anyone who does not possess a protected decryption key to “unscramble” the information. QRepublik provides encryption for user interactions through Secure Sockets Layer (SSL) technology using a robust 256-bit encryption key. QRepublik also leverages industry best practice encryption standards (e.g. S/MIME, X.509 certificates, TLS) whenever health information is transmitted in or out of QRepublik.
PHYSICAL SITE SECURITY
The QRepublik servers and supporting systems are physically secured and protected in Amazon Web Services' world-class data centers in the United States. Access to the physical systems is carefully controlled by security measures including multiple levels of authentication requirements (e.g. user keys, biometrics), security guard and registry check-in requirements, and state-of-the-art security monitoring and alerting systems.
TRACKING ACCESS AND DISCLOSURES
According to HIPAA standards, QRepublik logs pertinent details any time health information is viewed, edited or exported in order to ensure the integrity of the system.
PERSONALLY IDENTIFIABLE INFORMATION / PUBLIC PROFILE
Conversely, given that a portion of the purpose of the Websites and App is to share what its customers have experienced with others, our policy regarding Submissions is very different. While our objective is to safeguard your identity, privacy and anonymity, our goal is also to publicly publish and promote the Submissions that describe what you have experienced without identifying who you are so that others can recognize experiences that have been shared by people who are similar in background to themselves. Always use caution when giving out any personally identifiable information about yourself, other family members or friends in the Websites and App. QRepublik does not control or endorse the content, messages or information exchanged by means of the Websites and, therefore, QRepublik specifically disclaims any liability with regard to the Websites and App and any actions resulting from your participation in the Websites and App. QRepublik collects Personal Information when you register with, use or visit the Website, and when you visit the pages of certain QRepublik partners. QRepublik may combine information about you that we have with information we obtain from business partners or other companies. When you register, we ask for information such as your user name, password, email address, and personal profile. Once you register with QRepublik and sign in to a Website you may not be completely anonymous to us. QRepublik may collect information about your transactions with us and with some of our business partners. QRepublik may set and access cookies on your computer.
MEDICATION REMINDERS WITHIN THE APP
The QRepublik Application is intended as a helpful backup reminder system that you can personalize for taking your medications. You should not and must not rely on the Application as your primary tool for determining whether and when to take medication; the Application might not function as intended. Specifically, the Application will not operate properly if your device is broken or powered off, if the Application software is not enabled or if any hardware or software on your device prevents the Application from operating as intended. The maintenance of your mobile and computing devices is your responsibility. You acknowledge that the Application, and the utility of any of its alerts or notifications, depends on information that you input into the Application. You are solely responsible for ensuring that the correct medication is taken at the proper times and in the proper dosages. Persons using the Application assume full responsibility for the use of the Application and agree that we are not responsible or liable for any claim, loss, or damage arising from the use of the Application.