OBERD Privacy Policy


Introduction

At Universal Research Solutions, LLC ("URS") we respect privacy and commit to protecting it through compliance with the practices described in this privacy policy. URS adheres to Privacy Shield Principles issued by the United States Department of Commerce.

This privacy policy describes URS's practices for collecting, using, maintaining, protecting, and disclosing the personal data that we possess. This privacy policy applies to all personal data collected by URS, regardless of the country where the data subject is located.

Please read this privacy policy carefully to understand URS's policies and practices for processing and storing personal data.



SECTION 1: GENERAL INFORMATION


1.1 About Universal Research Solutions

At URS, we seek to drive efficiency and progress in healthcare through the use of data. URS's core product is the OBERD software system, the foundational technology for all of our products. OBERD stands for Outcomes Based Electronic Research Database. URS drives healthcare forward in two ways: (1) by providing products and services to facilitate data-driven healthcare; and (2) by building global databases of anonymous aggregated data that can be utilized to drive innovation in healthcare. URS's products and services help facilitate the provider-patient relationship, improve communication and education related to medical products and services, and improve the quality and efficiency of patient care.

OBERD facilitates the administration and collection of Patient-Reported Outcomes (PRO) and other questionnaires, and makes data available to healthcare providers in meaningful and useful ways. A PRO is a health outcome directly reported by the patient who experienced it. Other questionnaires generally consist of patient satisfaction surveys, which healthcare providers utilize to improve healthcare operations. OBERD eliminates paper forms by administering and collecting forms electronically.

The information OBERD makes available to healthcare providers may help inform decisions related to care, but is not the sole basis for decisions. Data made available to healthcare providers is only one factor that informs a healthcare provider's professional judgment.


1.2 Product Overviews

URS has two platforms: (1) OBERD; and (2) ACTIVE TRACK. Both platforms require opt-in consent for data processing activities.


1.2.1 OBERD

OBERD is a software platform used by healthcare providers for data collection. Healthcare providers select PRO and other questionnaire forms from OBERD's form library to be administered to patients. The selected forms are then automatically administered to patients on predetermined timelines. OBERD's global benchmarking feature allows healthcare providers to gain deeper insight into a patient's condition through data analytics.

The primary purpose of OBERD is to provide healthcare providers with high quality data. Participation in OBERD requires that patients consent to URS anonymizing their personal data, because our system relies on anonymous data to facilitate the necessary benchmarking and data analytics.


1.2.2 ACTIVE TRACK

ACTIVE TRACK is an app that can be downloaded to a mobile phone or wearable device that allows a healthcare provider to receive and use the everyday activity data collected by a device. ACTIVE TRACK data is used in combination with traditional patient-reported outcomes responses and scores in order to better assess the results of your treatment in terms of ability to get back to everyday functions.



SECTION 2: GENERAL PRIVACY INFORMATION

THE INFORMATION CONTAINED IN THIS SECTION 2 APPLIES TO ALL PROCESSING ACTIVITIES DESCRIBED IN THIS PRIVACY POLICY


2.1 Data Protection Officer

URS has appointed a Data Protection Officer pursuant to Article 37(1)(c) of the General Data Protection Regulation (GDPR). For questions about URS's privacy policy or to exercise a data protection right, please contact us. Contact information can be found in Section 2.2.


2.2 Data Subject's Data Protection Rights


2.2.1 Data Subject Rights:

All rights described in this section may be exercised directly with URS for patients seeking treatment outside of the United States. For patients seeking treatment in the US, please contact your healthcare provider. All Data Subjects have the following rights with regard to their personal data:

(1) The Right to Withdraw Consent: means the right to withdraw consent to data processing activities conducted by URS. This right may be exercised at any time.

(2) The Right to Access: means the right to request copies or information regarding a data subject's personal data that is held by URS. In exceptional circumstances, such as excessive requests, we may charge a small fee for this service.

(3) The Right to Rectification: means the right to request that URS correct any information believed to be inaccurate or incomplete. You may also need to contact your healthcare provider to ensure your information is fully corrected.

(4) The Right to Erasure: means the right to request that URS erase personal data, under certain conditions. Data erased from URS's system does not result in information being erased from a healthcare provider's system.

(5) The Right to Restrict Processing: means the right to request that URS restrict the processing of personal data, under certain conditions. You may also need to contact your healthcare provider concerning certain processing restrictions.

(6) The Right to Object to Processing: means the right to object to URS's processing of personal data, under certain conditions.

(7) The Right to Data Portability: means the right to request that URS transfer personal data that we hold to another organization, or directly to the data subject, under certain conditions.

URS CANNOT TRANSFER MEDICAL RECORDS, ONLY YOUR HEALTHCARE SERVICE PROVIDER CAN TRANSFER YOUR MEDICAL RECORDS.

(8) The Right to Nondiscrimination for the Exercise of Data Subject Rights: means URS is prohibited from taking any adverse action against a data subject for exercising any data protection rights.

(9) The Right to Lodge a Complaint with the Appropriate Supervisory Authority: means the right to lodge a complaint with the appropriate authority if you feel URS has violated a data subject's data rights.


2.2.2 Response Times

Pursuant to GDPR Article 12(3), URS must provide information to data subjects regarding their request within one (1) month of receiving a request. URS may require additional information from data subjects to process a request and confirm a data subject's identity.

Pursuant to the California Consumer Privacy Act 1798.130(a)(2), URS has 45 days from the date that a Verifiable Consumer Request is received to disclose and deliver information requested by a California consumer. URS may require additional information from data subjects to process a request and confirm a data subject's identity.


2.2.3 Contact Information

If you would like to exercise any of these rights or have questions about this privacy policy, you can contact us in either of the following ways:


email us at dpo@oberd.com


write to us at:
Universal Research Solutions, LLC
Attn: DPO
414 E. Broadway, Suite 102
Columbia, Missouri 65201.


2.3 Transfers outside the EU, UK, Switzerland, and Suitable Safeguards

All personal data of European Union Citizens, Citizens of the United Kingdom, and Citizens of Switzerland is stored on our AWS server located in Ireland, and no personal data of the mentioned Citizens is transferred outside of the Ireland AWS services. URS is a Delaware limited liability company headquartered in Columbia, Missouri. In the event that some data is inadvertently transferred into the US, we are certified under the Data Privacy Framework Principles.

URS complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. URS has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. URS has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the DPF Principles, we affirm the following:

  • We are subject to the jurisdiction and enforcement authority of the United States Federal Trade Commission.
  • We are liable for information transferred to third parties acting as our agents unless we can prove we were not a party to the event giving rise to the damages.
  • We acknowledge the right of EU, UK, and Swiss individuals to access their data that is in the United States and to update, correct or amend inaccurate or incomplete data. Furthermore, said individuals also have the right to erase data that has been handled in violation of the DPF Principles.
  • We may be required to release personal data in response to lawful requests by public authorities including to meet national security and law enforcement requirements.
  • In cases of onward transfer to third parties of EU, UK, or Swiss individuals' data that URS receives pursuant to the Data Privacy Framework program, URS is liable unless we can prove we were not an agent to the events giving rise to the damages.

2.4 Dispute Resolution

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), URS commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints should first contact URS at dpo@oberd.com.

URS has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf


2.5 European Union Representative

Pursuant to GDPR Article 27, URS is required to appoint a European Union Representative. In compliance with GDPR Article 27, URS has appointed activeMind.legal as our European Union Representative. Our European Union Representative's contact information is:


activeMind.legal
Rechtsanwaltsgesellschaft m. b. H
Potsdamer Straße 3
80802 München, Germany
Email: eu-privacy@oberd.com


2.6 Compelled Disclosure

URS may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.


2.7 Data Security and Privacy Policy Compliance

URS uses appropriate technical, organizational and administrative measures to protect all of the personal information we process. URS uses reasonable measures to help protect personal information from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. The information subject to this privacy statement is stored in a secure third-party facility under the terms of a hosting agreement between URS and our third-party facility (AWS).

URS regularly trains employees on this privacy policy and data security issues. Failure by any URS employee to follow URS's privacy policy or data security protocols is subject to discipline. URS reviews this privacy policy and its data security protocols at least annually.


2.8 Use of Cookies

The data processing activities that are described below utilize cookies, and more information about the specific use of cookies in the particular processing activities can be found below. This Section 2.8 only provides information about cookies in general; for information about URS's use of cookies, see Sections 3.10 and 3.11.

What are Cookies: Cookies are text files placed on your computer to collect standard internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology. For further information, visit allaboutcookies.org.

How to Manage Cookies: You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.


2.9 Changes to this Privacy Statement

URS keeps its privacy statement under regular review and places any updates on this web page https://www.oberd.com/privacy-policy. This privacy statement was last updated on October 24, 2023.



SECTION 3: PROCESSING ACTIVITY, PATIENT PORTAL


3.1 Patient Portal Description

URS's Patient Portal is the primary means for data collection. Patient Portals are secure online environments offered to each patient. The Patient Portal is where patients electronically complete the forms assigned by the patient's healthcare provider. When a form is assigned by the patient's healthcare provider, URS sends an email to the patient notifying them that a form is available and can be accessed in the Patient Portal.

URS utilizes the Patient Portal to facilitate data collection. Only a patient's healthcare provider can access the personal data collected through the Patient Portal.


3.2 Purposes and Legal Basis for Processing

Purposes of Data Processing: URS processes personal data for the following purposes: (1) maintaining system security; (2) to carry out data processing activities on behalf of healthcare providers pursuant to the data processing agreement between URS and healthcare providers; and (3) the anonymization of personal data for the creation of anonymous aggregate global databases that are used for medical research.

Legal Basis: URS relies on patient consent as its legal basis for processing personal data. Patients provide consent: (1) directly to their healthcare provider; and (2) directly to URS. Patients give consent for data processing to URS when setting up their Patient Portal.

This Section 3.2 relates to the independent processing activities conducted by URS only. Healthcare providers process personal data for their own distinct purposes.


3.3 How We Store Your Data and Storage Period

URS securely stores personal data on Amazon Web-based Services, Inc. (AWS) servers. All personal data stored and transmitted by URS is encrypted using the AES-256 method, and is encrypted both at rest and in transit. URS strictly limits access to AWS to necessary employees. URS maintains an AWS access log, which is reviewed on a regular basis. URS has servers in the United States, Canada, Ireland, Australia, and South America. URS stores personal data on a server appropriate to the region in which the data subject is located, i.e. all EU personal data is stored on URS's AWS server in Ireland. URS stores personal, health, and technical information for the duration of URS's contract with a healthcare provider, unless a patient requests that their data be erased. When a contract with a healthcare provider expires or is terminated, URS destroys all personal data associated with that healthcare provider.


3.4 Provision of Data

URS processes personal data pursuant to and in accordance with our contracts with healthcare providers. All contracts include the relevant and appropriate data protection agreement for the jurisdiction in which the healthcare provider operates. Data subjects are under no obligation to provide their data to URS and may withdraw consent to the processing of personal data at any time.


3.5 Automated Decision Making (Including Profiling)

URS's Patient Portal utilizes automated decision making for purposes of assigning the proper forms and communicating reminders to patients. URS's Patient Portal also utilizes automated decision making through our Computer Adapted Testing (CAT) forms. In general, CAT forms can reduce the number of questions a patient answers based on a patient's responses to certain questions.


3.6 What Data Do We Collect

The following charts identify the categories of personal data collected by URS. The examples listed in the charts below are not an exhaustive list, but do represent some of the specific pieces of personal information collected by URS.

The personal information URS holds on a particular data subject varies depending on the healthcare provider, because healthcare providers can select different forms to be administered and can have different purposes for data collection.


Non-sensitive Categories of Personal Information | Description of Category | Examples
Authenticating | Information used to authenticate an individual with something they know. | Passwords, answers to security questions.
Identifying | Information that uniquely or semi-uniquely identifies a specific individual. | Name, user-name, unique identifier, government issued identification, date of birth
Physical Characteristics | Information that describes an individual's physical characteristics. | Height, weight, age, gender
Contact | Information that provides a mechanism for contacting an individual. | Email address, physical address, telephone number
Demographic | Information that describes an individual's characteristics shared with others. | Age ranges, physical traits, geographic
Computer, Device, Technical Information | Information about a device or technology that an individual uses for personal use. | IP address, MAC address, browser type, operating system, pages accessed.
Location | Information about an individual's location | Country, state, territory.


Sensitive Categories of Personal Data | Description of Category | Examples
Medical and Health | Information that describes an individual's health, medical conditions or healthcare. | Physical and mental health, prescriptions, disabilities, health history, health records, family and/or individual health history.
Ethnicity | Information that describes an individual's origins and lineage. | Race, national or ethnic origin, languages spoken


3.7 How we Collect Data

URS collects personal data both directly from patients and indirectly from healthcare providers.

Direct Data Collection: Patients provide personal data directly to URS through the forms that they complete in the Patient Portal. URS also allows patients to complete Forms through SMS messaging, but only when their healthcare provider has purchased this feature. URS obtains information directly from patients through the Patient Portal set up process, and through the use of technically necessary cookies within the Patient Portal.

Indirect Data Collection: URS also collects personal data indirectly through a patient's healthcare provider. URS receives appointment information and demographic information, which allows us to assign and administer the proper forms.


3.8 How will we use your Data

Personal data is processed consistent with the purposes described in Section 3.2 and the consent forms completed by patients. Personal data is used to provide data to healthcare providers that can be used in patient treatment and healthcare operations.

URS does not use your personal data for marketing purposes, nor does it disclose or sell your personal data to other companies for marketing or any other purpose.


3.9 Recipients

URS shares personal data processed through the Patient Portal with the following third-parties:

  • The data subject's healthcare provider for purposes of data collection and analytics
  • Amazon Web Services, because our software is hosted on their servers

3.10 Technically Necessary Cookies

URS utilizes the following cookies, which are technically necessary for the secure operation of the OBERD Patient Portal:

Cookie name | Expiration | Description | Technically Necessary
Authorization_environment | Session | Used for tracking authentication to the system | Yes
PHPSESSID | Session | Used for tracking authentication to the system | Yes


3.11 Technically Non-Necessary Cookies:

URS's Patient Portal does not use any cookies that are not technically necessary for the secure operation of the Patient Portal.



SECTION 4: PROCESSING ACTIVITY, PUBLIC WEBSITE OBERD.COM


4.1 How We Store Your Data and Storage Period

Oberd.com does not store or collect information through the cookies used on our website.



SECTION 5: PROCESSING ACTIVITY, ACTIVE TRACK APP


5.1 ACTIVE TRACK App Description

The ACTIVE TRACK app provides your healthcare provider with views of everyday activity data captured by your phone or other wearable device in order to better follow your recovery. Your healthcare practitioner may use the everyday activity data made available through ACTIVE TRACK in combination with traditional patient-reported outcomes responses and scores to better assess the results of your treatment in terms of ability to get back to everyday functions.


5.2 Purposes and Legal Basis for Processing

Legal basis for Processing:

URS relies on patient consent as its legal basis for processing personal data. Patients provide consent: (1) directly to their healthcare provider; and (2) directly to URS. Patients give consent for data processing to URS when setting up Active Track.

Purposes of Data Processing:

URS processes personal data for the following purposes: (1) maintaining system security; (2) to carry out data processing activities on behalf of healthcare providers pursuant to the data processing agreement between URS and healthcare providers; and (3) the anonymization of personal data for the creation of anonymous aggregate global databases that are used for medical research.


5.3 How We Store Your Data and Storage Period

URS securely stores personal data on Amazon Web-based Services, Inc. (AWS) servers. All personal data stored and transmitted by URS is encrypted using the AES-256 method, and is encrypted both at rest and in transit. URS strictly limits access to AWS to necessary employees. URS maintains an AWS access log, which is reviewed on a regular basis. URS has servers in the United States, Canada, Ireland, Australia, and South America. URS stores personal data on a server appropriate to the region in which the data subject is located, i.e. all EU personal data is stored on URS's AWS server in Ireland. URS stores personal, health, and technical information for the duration of URS's contract with a healthcare provider, unless a patient requests that their data be erased. When a contract with a healthcare provider expires or is terminated, URS destroys all personal data associated with that healthcare provider.


5.4 Provision of Data

URS processes personal data pursuant to and in accordance with our contracts with healthcare providers. All contracts include the relevant and appropriate data protection agreement for the jurisdiction in which the healthcare provider operates. Data subjects are under no obligation to provide their data to URS and may withdraw consent to the processing of personal data at any time.


5.5 Automated Decision Making (Including Profiling)

Active Track utilizes automated decision making for purposes of assigning the proper forms and communicating reminders to patients. Active Track may utilize automated decision making through our Computer Adapted Testing (CAT) forms. In general, CAT forms can reduce the number of questions a patient answers based on a patient's responses to certain questions.


5.6 What Data Do We Collect

The following charts identify the categories of personal data that may be collected by URS. The examples listed in the charts below are not an exhaustive list, but do represent some of the specific pieces of personal information collected by URS.

The personal information URS collects on any given data subject through Active Track depends on the data sharing setting selected by the data subject. Active Track allows the data subject to control the data that is shared with Active Track.


Non-sensitive Categories of Personal Information | Description of Category | Examples
Authenticating | Information used to authenticate an individual with something they know. | Passwords, answers to security questions.
Identifying | Information that uniquely or semi-uniquely identifies a specific individual. | Name, user-name, unique identifier, government issued identification, date of birth
Physical Characteristics | Information that describes an individual's physical characteristics. | Height, weight, age, gender
Contact | Information that provides a mechanism for contacting an individual. | Email address, physical address, telephone number
Demographic | Information that describes an individual's characteristics shared with others. | Age ranges, physical traits, geographic
Computer, Device, Technical Information | Information about a device or technology that an individual uses for personal use. | IP address, MAC address, browser type, operating system, pages accessed.
Location | Information about an individual's location | Country, state, territory.


Sensitive Categories of Personal Data | Description of Category | Examples
Medical and Health | Information that describes an individual's health, medical conditions or healthcare. | Physical and mental health, prescriptions, disabilities, health history, health records, family and/or individual health history.
Ethnicity | Information that describes an individual's origins and lineage. | Race, national or ethnic origin, languages spoken


5.7 How We Collect Data

Active Track collects personal data that other apps on your mobile or wearable device share with Active Track. Data subjects are in control of which apps share information with Active Track, and what data is processed through Active Track. Active Track also collects data directly from data subjects through questionnaires administered in Active Track, and indirectly from the apps selected by the data subject.


5.8 How Will We Use Your Data

Personal Data is used consistent with the purposes described in Section 5.2 of this privacy policy and consistent with the consent forms completed by patients. Personal Data collected through Active Track is made available to a patient's healthcare provider. Users are also in control of who receives the data collected through Active Track.


5.9 Recipients

URS shares personal data processed through Active Track with the following third-parties:

  • The data subject's healthcare provider for purposes of data collection and analytics
  • Amazon Web Services, because our software is hosted on their servers
  • Apple Inc, for purposes of offering our app on Apple devices
  • Google Inc, for purposes of offering our app on Android devices


URS does not sell any personal data.



