Availability
: Data or information is accessible and usable upon demand by an authorized person.
Confidentiality
: Data or information is not made available or disclosed to unauthorized persons or processes.
HIPAA
: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards.
Integrity
: Data or information has not been altered or destroyed in an unauthorized manner.
Protected Health Information (PHI)
: PHI is health information, including demographic information, created or received by Sway which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify the individual.
“Personally Identifiable Information”, “Personal Information”, or “PII”
: Any data element that: (1) is recorded in any form; (2) is about, or pertains to, a specific individual; and (3) can be linked to that individual, whether through the information itself or through the combination of the information with other, publicly available, information on the individual.
Sway shall inform a customer or employee of the purpose for which it collects and uses the PHI and PII and the types of non-agent third parties to which Sway discloses or may disclose that information. Sway shall provide the individual with the choice and means for limiting the use and disclosure of their PHI/PII. Notice will be provided in clear and conspicuous language when individuals are first asked to provide PHI/PII to Sway, or as soon as practicable thereafter, and in any event before Sway uses or discloses the PHI/PII for a purpose other than for which it was originally collected.
Use of PHI
All Protected Health Information is de-identified upon storage and only associated with a random unique ID to prevent re-identification. Sway only uses de-identified data for product improvement including the development of normative data sets, research, and new product development.
Sway has established a comprehensive data security and privacy program to protect PHI/PII from loss, misuse and unauthorized access, disclosure, alteration and destruction. This program includes appropriate administrative, physical, and technical safeguards to secure PHI/PII received, prevent misuse, and mitigate any potential harm to individuals in the event of a breach.
Sway shall only process PHI/PII in a way that is compatible with and relevant for the purpose for which it was collected and authorized by the individual. To the extent necessary for those purposes, Sway shall take reasonable steps to ensure that PHI/PII is accurate, complete, current and reliable for its intended use.
Access to customer or employee PHI/PII
In the event Sway is storing PHI/PII of an individual, Sway shall allow individual access to their PHI/PII and allow the individual to correct, amend, or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
Our products support patient privacy and provider security through the following product features:
• SSL encryption
• System-user identifiers
• Multiple user access levels
• Data access tracking and alerts
• Secure data storage compliant with ISO 27001
As part of our commitment to product security and customer service, Sway supplies our customers with information to help assess and address the vulnerabilities and risks associated with products that maintain or transmit ePHI. Specifically, Sway uses the Manufacturer Disclosure Statement for Medical Device Security (MDS2) to provide HIPAA-related security information about its products.
Compliance [§ 164.308(a)(1)(ii)(C)]
A. The Information Security Policy applies to all users of Sway information including: employees, consultants, contractors, and outside affiliates. Failure to comply with Information Security Policies and Standards may result in disciplinary action up to and including dismissal in accordance with applicable Sway procedures, or, in the case of outside affiliates, termination of the affiliation. Further, penalties associated with state and federal laws may apply.
B. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:
• Unauthorized disclosure of PHI or Confidential Information as specified in the Confidentiality Statement.
• Unauthorized disclosure of a sign-on code (user ID) or password.
• Attempting to obtain a sign-on code or password that belongs to another person.
• Using or attempting to use another person’s sign-on code or password.
• Unauthorized use of an authorized password to invade patient privacy by examining records or information for which there has been no request for review.
• The intentional unauthorized destruction of Sway information.
• Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access.
Questions, comments or complaints regarding the Sway Privacy and Security Policy or data collection and processing practices can be mailed or emailed to: Sway Medical, Inc.
Attn: Security and Privacy Officer
32 S. Lewis Ave., Tulsa, OK 74101
Effective Date: July 30, 2020