Privacy

INTRODUCTION:

Protecting the privacy of our customers, their patients, and our employees is important to Sway Operations, LLC, (“Sway”). Sway implemented administrative and technical measures to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) regulating the security and privacy of protected health information in the United States.

This privacy policy outlines our general policy regarding data security and privacy, including the types of information we gather, how we use it and the notice and choice affected individuals have regarding our use of and their ability to correct that information. This privacy policy applies to all personally identifiable information received by Sway whether in electronic, paper or verbal form.

DEFINITIONS:

Availability: Data or information is accessible and usable upon demand by an authorized person.

Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.

HIPAA: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards.

Integrity: Data or information has not been altered or destroyed in an unauthorized manner.

Protected Health Information (PHI): PHI is health information, including demographic information, created or received by Sway which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify the individual.

Personally Identifiable Information”, “Personal Information”, or “PII” means any data element that: (1) is recorded in any form; (2) is about, or pertains to a specific individual; and (3) can be linked to that individual whether through the information or the collection of the information and other, publically available, information on the individual.

PRINCIPLES:

Notice
Sway shall inform a customer or employee of the purpose for which it collects and uses the PHI and PII and the types of non-agent third parties to which Sway discloses or may disclose that information. Sway shall provide the individual with the choice and means for limiting the use and disclosure of their SHI/PII. Notice will be provided in clear and conspicuous language when individuals are first asked to provide PHI/PII to Sway, or as soon as practicable thereafter, and in any event before Sway uses or discloses the PHI/PII for a purpose other than for which it was originally collected.

Choice
Sway will offer customers or employees the opportunity to choose (opt out) whether their PHI/PII is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.

Data Security
Sway has established a comprehensive data security and privacy program to protect PHI/PII from loss, misuse and unauthorized access, disclosure, alteration and destruction. This program includes appropriate administrative, physical, and technical safeguards to secure PHI/PII received, prevent misuse, and mitigate any potential harm to individuals in the event of a breach.

Data Integrity
Sway shall only process PHI/PII in a way that is compatible with and relevant for the purpose for which it was collected and authorized by the individual. To the extent necessary for those purposes, Sway shall take reasonable steps to ensure that PHI/PII is accurate, complete, current and reliable for its intended use.

Access
Access to customer or employee PHI/PII
In the event Sway is storing PHI/PII of an individual, Sway shall allow individual access to their PHI/PII and allow the individual to correct, amend, or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.

Enforcement
Sway uses a self-assessment approach to assure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Regulations. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to resolve any complaints and disputes regarding the use and disclosure of Personally Identifiable Information in accordance with the Regulations.

Product Security

Our products support patient privacy and provider security through the following product features:

SSL Encryption

System-User Identifiers

Multiple User Access Levels

Data Access Tracking/Alerts

Secure Data Storage Compliant with ISO 27001

 

As part of our commitment to product security and customer service, Sway supplies our customers with information to help assess and address the vulnerabilities and risks associated with products that maintain or transmit ePHI. Specifically, Sway is using the Manufacturer Disclosure Statement for Medical Device Security (MDS2) to provide HIPAA-related security information about its products.

Access Sway MDS2 form here.

AMENDMENTS:

This privacy policy may be amended from time to time consistent with the requirements of the HIPAA regulations. We will post any revised policy on this website: https://swaymedical.com/privacy

Compliance [§ 164.308(a)(1)(ii)(C)]

 

A. The Information Security Policy applies to all users of Sway information including: employees, consultants, contractors, and outside affiliates. Failure to comply with Information Security Policies and Standards may result in disciplinary action up to and including dismissal in accordance with applicable Sway procedures, or, in the case of outside affiliates, termination of the affiliation. Further, penalties associated with state and federal laws may apply.

 

B. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:

• Unauthorized disclosure of PHI or Confidential Information as specified in Confidentiality Statement.

• Unauthorized disclosure of a sign-on code (user id) or password.

• Attempting to obtain a sign-on code or password that belongs to another person.

• Using or attempting to use another person’s sign-on code or password.

• Unauthorized use of an authorized password to invade patient privacy by examining records or information for which there has been no request for review.

• The intentional unauthorized destruction of Sway information.

• Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access.

 

CONTACT INFORMATION:

Questions, comments or complaints regarding the Sway Privacy and Security Policy or data collection and processing practices can be mailed or emailed to:

Sway Operations, LLC
Attn: Security and Privacy Officer
PO Box 837
Aledo, TX 76008
USA

Effective Date: July 9, 2018