OBERD Privacy Policy
Introduction
At Universal Research Solutions, LLC ("URS") we respect privacy and commit to protecting it through compliance with the practices described in this privacy policy. URS adheres to Privacy Shield Principles issued by the United States Department of Commerce.
This privacy policy describes URS's practices for collecting, using, maintaining, protecting, and disclosing the personal data that we possess. This privacy policy applies to all personal data collected by URS, regardless of the country where the data subject is located.
Please read this privacy policy carefully to understand URS's policies and practices for processing and storing personal data.
SECTION 1: GENERAL INFORMATION
1.1 About Universal Research Solutions
At URS, we seek to drive efficiency and progress in healthcare through the use of data. URS's core product is the OBERD software system, the foundational technology for all of our products. OBERD stands for Outcomes Based Electronic Research Database. URS drives healthcare forward in two ways: (1) by providing products and services to facilitate data-driven healthcare; and (2) by building global databases of anonymous aggregated data that can be utilized to drive innovation in healthcare. URS's products and services help facilitate the provider-patient relationship, improve communication and education related to medical products and services, and improve the quality and efficiency of patient care.
OBERD facilitates the administration and collection of Patient-Reported Outcomes (PRO) and other questionnaires, and makes data available to healthcare providers in meaningful and useful ways. A PRO is a health outcome directly reported by the patient who experienced it. Other questionnaires generally consist of patient satisfaction surveys, which healthcare providers utilize to improve healthcare operations. OBERD eliminates paper forms by administering and collecting forms electronically.
The information OBERD makes available to healthcare providers may help inform decisions related to care, but is not the sole basis for decisions. Data made available to healthcare providers is only one factor that informs a healthcare provider's professional judgment.
1.2 Product Overviews
URS has three platforms: (1) OBERD; (2) AO Global Data powered by OBERD (AOGD); and (3) ACTIVE TRACK. All platforms require opt-in consent for data processing activities.
1.2.1 OBERD
OBERD is a software platform used by healthcare providers for data collection. Healthcare providers select PRO and other questionnaire forms from OBERD's form library to be administered to patients. The selected forms are then automatically administered to patients on predetermined timelines. OBERD's global benchmarking feature allows healthcare providers to gain deeper insight into a patient's condition through data analytics.
The primary purpose of OBERD is to provide healthcare providers with high quality data. Participation in OBERD requires that patients consent to URS anonymizing their personal data, because our system relies on anonymous data to facilitate the necessary benchmarking and data analytics.
1.2.2 AOGD
AOGD is a unique version of OBERD that we developed for the AO Foundation, and in principle operates the same way that OBERD does. The AO Foundation has preselected the PRO forms that healthcare providers can administer and the time intervals for administration.
The primary purpose of AOGD is to encourage the use of data in medicine and create a fully anonymized global database. The AO Foundation utilizes the data from the anonymized global database to drive innovation in medicine. Participation in AOGD requires that patients consent to URS anonymizing their personal data, because our system relies on anonymous data in order to facilitate the necessary benchmarking and data analytics.
1.2.3 ACTIVE TRACK
ACTIVE TRACK is an app that can be downloaded to a mobile phone or wearable device that allows a healthcare provider to receive and use the everyday activity data collected by a device. ACTIVE TRACK data is used in combination with traditional patient-reported outcomes responses and scores in order to better assess the results of your treatment in terms of ability to get back to everyday functions.
SECTION 2: GENERAL PRIVACY INFORMATION
THE INFORMATION CONTAINED IN THIS SECTION 2 APPLIES TO ALL PROCESSING ACTIVITIES DESCRIBED IN THIS PRIVACY POLICY
2.1 Data Protection Officer
URS has appointed a Data Protection Officer pursuant to Article 37(1)(c) of the General Data Protection Regulation (GDPR). For questions about URS's privacy policy or to exercise a data protection right, please contact us. Contact information can be found in Section 2.2.
2.2 Data Subject's Data Protection Rights
2.2.1 Data Subject Rights:
All rights described in this section may be exercised directly with URS for patients seeking treatment outside of the United States. For patients seeking treatment in the US, please contact your healthcare provider. All Data Subjects have the following rights with regard to their personal data:
(1) The Right to Withdraw Consent: means the right to withdraw consent to data processing activities conducted by URS. This right may be exercised at any time.
(2) The Right to Access: means the right to request copies or information regarding a data subject's personal data that is held by URS. In exceptional circumstances, such as excessive requests, we may charge a small fee for this service.
(3) The Right to Rectification: means the right to request that URS correct any information believed to be inaccurate or incomplete. You may also need to contact your healthcare provider to ensure your information is fully corrected.
(4) The Right to Erasure: means the right to request that URS erase personal data, under certain conditions. Data erased from URS's system does not result in information being erased from a healthcare provider's system.
(5) The Right to Restrict Processing: means the right to request that URS restrict the processing of personal data, under certain conditions. You may also need to contact your healthcare provider concerning certain processing restrictions.
(6) The Right to Object to Processing: means the right to object to URS's processing of personal data, under certain conditions.
(7) The Right to Data Portability: means the right to request that URS transfer personal data that we hold to another organization, or directly to the data subject, under certain conditions.
URS CANNOT TRANSFER MEDICAL RECORDS, ONLY YOUR HEALTHCARE SERVICE PROVIDER CAN TRANSFER YOUR MEDICAL RECORDS.
(8) The Right to Nondiscrimination for the Exercise of Data Subject Rights: means URS is prohibited from taking any adverse action against a data subject for exercising any data protection rights.
(9) The Right to Lodge a Complaint with the Appropriate Supervisory Authority: means the right to lodge a complaint with the appropriate authority if you feel URS has violated a data subject's data rights.
2.2.2 Response Times
Pursuant to GDPR Article 12(3), URS must provide information to data subjects regarding their request within one (1) month of receiving a request. URS may require additional information from data subjects to process a request and confirm a data subject's identity.
Pursuant to the California Consumer Privacy Act 1798.130(a)(2), URS has 45 days from the date that a Verifiable Consumer Request is received to disclose and deliver information requested by a California consumer. URS may require additional information from data subjects to process a request and confirm a data subject's identity.
2.2.3 Contact Information
If you would like to exercise any of these rights or have questions about this privacy policy, you can contact us by:
- emailing us at dpo@oberd.com
- writing to us at:
  Universal Research Solutions, LLC
  Attn: DPO
  414 E. Broadway, Suite 102
  Columbia, Missouri 65201
2.3 Dispute Resolution
URS commits to resolve complaints about our collection or use of personal information. Individuals with inquiries or complaints regarding our privacy policy or data processing activities should first contact URS at dpo@oberd.com.
URS has committed to refer unresolved privacy complaints under the Privacy Shield Principles to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information and to file a complaint. These recourse mechanisms are available to data subjects at no cost. Damages may be awarded in accordance with applicable law. Please note that if a complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield panel. In cases of onward transfer to third parties of EU or Swiss individuals' data that URS receives pursuant to the Privacy Shield, URS is potentially liable. URS is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS).
If a data subject wishes to report a complaint or feels that URS has not addressed a concern in a satisfactory manner, data subjects may contact the data protection authorities in their country.
2.4 Transfers outside the EU and Suitable Safeguards
All personal data of European Union Citizens and Citizens of Switzerland (collectively herein "EU") is stored on our AWS server located in Ireland, and no personal data of EU Citizens is transferred outside of the European Economic Area. URS is a Delaware limited liability company headquartered in Columbia, Missouri.
Pursuant to Article 46 of the GDPR, URS adheres to the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework (collectively, Privacy Shield) as set forth by the US Department of Commerce regarding the collection, use, and retention of personal data from EU Member Countries and Switzerland. URS has certified to the United States Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfers, security, data integrity, purpose limitation, access, recourse, enforcement, and liability. All personal data received from the EU and Switzerland in reliance on URS's participation in Privacy Shield is subject to the Privacy Shield Principles.
A violation of our commitment to Privacy Shield may be investigated by the Federal Trade Commission (FTC) and/or the United States Department of Commerce. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view URS's certification, please visit https://www.privacyshield.gov/list.
2.5 European Union Representative
Pursuant to GDPR Article 27, URS is required to appoint a European Union Representative. In compliance with GDPR Article 27, URS has appointed activeMind.legal as our European Union Representative. Our European Union Representative's contact information is:
activeMind.legal
Rechtsanwaltsgesellschaft m. b. H
Potsdamer Straße 3
80802 München, Germany
Email: eu-privacy@oberd.com
2.6 Compelled Disclosure
URS may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
2.7 Data Security and Privacy Policy Compliance
URS uses appropriate technical, organizational and administrative measures to protect all of the personal information we process. URS uses reasonable measures to help protect personal information from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. The information subject to this privacy statement is stored in a secure third-party facility under the terms of a hosting agreement between URS and our third-party facility (AWS).
URS regularly trains employees on this privacy policy and data security issues. Failure by any URS employee to follow URS's privacy policy or data security protocols is subject to discipline. URS reviews this privacy policy and its data security protocols at least annually.
2.8 Use of Cookies
The data processing activities that are described below utilize cookies, and more information about the specific use of cookies in the particular processing activities can be found below. This Section 2.8 only provides information about cookies in general; for information about URS's use of cookies, see Sections 3.10, 3.11, 4.9 and 4.10 below.
What are Cookies: Cookies are text files placed on your computer to collect standard internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology. For further information, visit allaboutcookies.org.
How to Manage Cookies: You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
2.9 Changes to this Privacy Statement
URS keeps its privacy statement under regular review and places any updates on this web page https://www.oberd.com/privacy-policy. This privacy statement was last updated on May 12, 2020.
SECTION 3: PROCESSING ACTIVITY 1, PATIENT PORTAL
3.1 Patient Portal Description
URS's Patient Portal is the primary means for data collection. Patient Portals are secure online environments offered to each patient. The Patient Portal is where patients electronically complete the forms assigned by the patient's healthcare provider. When a form is assigned by the patient's healthcare provider, URS sends an email to the patient notifying them that a form is available and can be accessed in the Patient Portal.
OBERD and AOGD both utilize the Patient Portal to facilitate data collection. Only a patient's healthcare provider can access the personal data collected through the Patient Portal.
3.2 Purposes and Legal Basis for Processing
Purposes of Data Processing: URS processes personal data for the following purposes: (1) maintaining system security; (2) to carry out data processing activities on behalf of healthcare providers pursuant to the data processing agreement between URS and healthcare providers; and (3) the anonymization of personal data for the creation of anonymous aggregate global databases that are used for medical research.
Legal Basis: URS relies on patient consent as its legal basis for processing personal data. Patients provide consent: (1) directly to their healthcare provider; and (2) directly to URS. Patients give consent for data processing to URS when setting up their Patient Portal.
This Section 3.2 relates to the independent processing activities conducted by URS only. Healthcare providers process personal data for their own distinct purposes.
3.3 How We Store Your Data and Storage Period
URS securely stores personal data on Amazon Web Services, Inc. (AWS) servers. All personal data stored and transmitted by URS is encrypted using the AES-256 method, and is encrypted both at rest and in transit. URS strictly limits access to AWS to necessary employees. URS maintains an AWS access log, which is reviewed on a regular basis. URS has servers in the United States, Canada, Ireland, Australia, and South America. URS stores personal data on a server appropriate to the region in which the data subject is located; for example, all EU personal data is stored on URS's AWS server in Ireland. URS stores personal, health, and technical information for the duration of URS's contract with a healthcare provider, unless a patient requests that their data be erased. When a contract with a healthcare provider expires or is terminated, URS destroys all personal data associated with that healthcare provider.
3.4 Provision of Data
URS processes personal data pursuant to and in accordance with our contracts with healthcare providers. All contracts include the relevant and appropriate data protection agreement for the jurisdiction in which the healthcare provider operates. Data subjects are under no obligation to provide their data to URS and may withdraw consent to the processing of personal data at any time.
3.5 Automated Decision Making (Including Profiling)
URS's Patient Portal utilizes automated decision making for purposes of assigning the proper forms and communicating reminders to patients. URS's Patient Portal also utilizes automated decision making through our Computer Adapted Testing (CAT) forms. In general, CAT forms can reduce the number of questions a patient answers based on a patient's responses to certain questions.
3.6 What Data Do We Collect
The following charts identify the categories of personal data collected by URS. The examples listed in the charts below are not an exhaustive list, but do represent some of the specific pieces of personal information collected by URS.
The personal information URS holds on a particular data subject varies depending on the healthcare provider. This is because healthcare providers can select different forms to be administered, and can have different purposes for data collection.
Non-sensitive categories of Personal Information | Description of Category | Examples |
---|---|---|
Authenticating | Information used to authenticate an individual with something they know. | Passwords, answers to security questions. |
Identifying | Information that uniquely or semi-uniquely identifies a specific individual. | Name, user-name, unique identifier, government issued identification, date of birth |
Physical Characteristics | Information that describes an individual's physical characteristics. | Height, weight, age, gender |
Contact | Information that provides a mechanism for contacting an individual. | Email address, physical address, telephone number |
Demographic | Information that describes an individual's characteristics shared with others. | Age ranges, physical traits, geographic |
Computer, Device, Technical Information | Information about a device or technology that an individual uses for personal use. | IP address, MAC address, browser type, operating system, pages accessed. |
Location | Information about an individual's location | Country, state, territory. |
Sensitive Categories of Personal Data | Description of Category | Examples |
---|---|---|
Medical and Health | Information that describes an individual's health, medical conditions or healthcare. | Physical and mental health, prescriptions, disabilities, health history, health records, family and/or individual health history. |
Ethnicity | Information that describes an individual's origins and lineage. | Race, national or ethnic origin, languages spoken |
3.7 How we Collect Data
URS collects personal data both directly from patients and indirectly from healthcare providers.
Direct Data Collection: Patients provide personal data directly to URS through the forms that they complete in the Patient Portal. URS also allows patients to complete forms through SMS messaging, but only when their healthcare provider has purchased this feature. URS obtains information directly from patients through the Patient Portal setup process, and through the use of technically necessary cookies within the Patient Portal.
Indirect Data Collection: URS also collects personal data indirectly through a patient's healthcare provider. URS receives appointment information and demographic information, which allows us to assign and administer the proper forms.
3.8 How will we use your Data
Personal data is processed consistent with the purposes described in Section 3.2 and the consent forms completed by patients. Personal data is used to provide data to healthcare providers that can be used in patient treatment and healthcare operations.
URS does not use your personal data for marketing purposes, nor does it disclose or sell your personal data to other companies for marketing or any other purpose.
3.9 Recipients
URS shares personal data processed through the Patient Portal with the following third-parties:
- The data subject's healthcare provider for purposes of data collection and analytics
- Amazon Web Services, because our software is hosted on their servers
- Logic Plus Pty Ltd, a URS distributor of OBERD in Australia, for purposes of offering OBERD in Australia (only applicable to data subjects in Australia and New Zealand)
3.10 Technically Necessary Cookies
URS utilizes the following cookies, which are technically necessary for the secure operation of the OBERD Patient Portal:
Cookie name | Expiration | Description | Technically Necessary |
---|---|---|---|
Authorization_environment | Session | Used for tracking authentication to the system | Yes |
PHPSESSID | Session | Used for tracking authentication to the system | Yes |
3.11 Technically Non-Necessary Cookies
URS's Patient Portal does not use any cookies that are not technically necessary for the secure operation of the Patient Portal.
SECTION 4: PROCESSING ACTIVITY 2, PUBLIC WEBSITE OBERD.COM
4.1 Purposes and Legal Basis for Processing
Purpose of Processing:
Oberd.com processes personal data for purposes of supporting our live chat feature.
Legal Basis:
Oberd.com relies on data subject consent as the legal basis for processing personal data.
4.2 How We Store Your Data and Storage Period
Oberd.com does not store the information collected through the cookies used on our website. HubSpot, which is the provider of the chat feature on oberd.com, maintains all information collected through the cookies on oberd.com. HubSpot's privacy policy can be accessed via this link: https://legal.hubspot.com/privacy-policy.
4.3 Provision of Data
Oberd.com is not required to collect personal data from data subjects; all personal data collected through Oberd.com is provided voluntarily. There are no consequences to the data subject for refusing the use of cookies when using Oberd.com.
4.4 Automated Decision Making (Including Profiling)
Oberd.com does not engage in automatic decision making or profiling of data subjects.
4.5 What Data Do We Collect
Oberd.com processes non-sensitive personal data. The following list indicates the categories of personal data processed by Oberd.com:
- Non-Sensitive Data Types:
  - Identification Number
  - Technical Usage Data
4.6 How We Collect Data
Oberd.com collects your personal information through the use of cookies. For more information about how Oberd.com uses cookies, please see Section 4.10 below.
4.7 How Will We Use Your Data
URS uses HubSpot to support the live chat feature on our public website, oberd.com. For information on the use of data collected through the live chat feature on oberd.com, please see HubSpot's privacy policy: https://legal.hubspot.com/privacy-policy.
4.8 Recipients
The data collected through the live chat feature on oberd.com is shared with HubSpot. HubSpot's privacy policy can be accessed via this link: https://legal.hubspot.com/privacy-policy.
4.9 Technically Necessary Cookies
URS uses the following technically necessary cookies on oberd.com:
Cookie name | Expiration | Description | Technically Necessary |
---|---|---|---|
_hstc | 6 months | This cookie is set by Hubspot analytics to record the different times at which you visit our website. | Yes |
hubspotutk | 6 months | This cookie is set by Hubspot to keep track of a website visitor's identity. If you submit a form on our website, it is passed to HubSpot to make sure we don't have duplicate contacts in our system. | Yes |
_hssrc | Session | This cookie helps Hubspot determine if a website visit is a new session for reporting purposes. | Yes |
_hssc | 30 minutes | This cookie helps Hubspot track the number of sessions per user on our website for reporting purposes. | Yes |
_cf_bm | 30 minutes | This cookie is set by Cloudflare (a web security software), and helps stop bots from attacking our Hubspot account. | Yes |
_ga | 2 years | Used to distinguish users. | Yes |
_gid | 24 hours | Used to distinguish users. | Yes |
_gat | 1 minute | Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_property-id. | Yes |
AMP_TOKEN | 30 seconds to 1 year | Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service. | Yes |
_gac_property-id | 90 days | Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. | Yes |
4.10 Technically Non-Necessary Cookies
URS does not use any technically non-necessary cookies on oberd.com.
SECTION 5: PROCESSING ACTIVITY 3, ACTIVE TRACK APP
5.1 ACTIVE TRACK App Description
The ACTIVE TRACK app provides your healthcare provider with views of everyday activity data captured by your phone or other wearable device in order to better follow your recovery. Your healthcare practitioner may use the everyday activity data made available through ACTIVE TRACK in combination with traditional patient-reported outcomes responses and scores to better assess the results of your treatment in terms of ability to get back to everyday functions.
5.2 Purposes and Legal Basis for Processing
Legal basis for Processing:
URS relies on patient consent as its legal basis for processing personal data. Patients provide consent: (1) directly to their healthcare provider; and (2) directly to URS. Patients give consent for data processing to URS when setting up Active Track.
Purposes of Data Processing:
URS processes personal data for the following purposes: (1) maintaining system security; (2) to carry out data processing activities on behalf of healthcare providers pursuant to the data processing agreement between URS and healthcare providers; and (3) the anonymization of personal data for the creation of anonymous aggregate global databases that are used for medical research.
5.3 How We Store Your Data and Storage Period
URS securely stores personal data on Amazon Web Services, Inc. (AWS) servers. All personal data stored and transmitted by URS is encrypted using the AES-256 method, and is encrypted both at rest and in transit. URS strictly limits access to AWS to necessary employees. URS maintains an AWS access log, which is reviewed on a regular basis. URS has servers in the United States, Canada, Ireland, Australia, and South America. URS stores personal data on a server appropriate to the region in which the data subject is located; for example, all EU personal data is stored on URS's AWS server in Ireland. URS stores personal, health, and technical information for the duration of URS's contract with a healthcare provider, unless a patient requests that their data be erased. When a contract with a healthcare provider expires or is terminated, URS destroys all personal data associated with that healthcare provider.
5.4 Provision of Data
URS processes personal data pursuant to and in accordance with our contracts with healthcare providers. All contracts include the relevant and appropriate data protection agreement for the jurisdiction in which the healthcare provider operates. Data subjects are under no obligation to provide their data to URS and may withdraw consent to the processing of personal data at any time.
5.5 Automated Decision Making (Including Profiling)
Active Track utilizes automated decision making for purposes of assigning the proper forms and communicating reminders to patients. Active Track may utilize automated decision making through our Computer Adapted Testing (CAT) forms. In general, CAT forms can reduce the number of questions a patient answers based on a patient's responses to certain questions.
5.6 What Data Do We Collect
The following charts identify the categories of personal data that may be collected by URS. The examples listed in the charts below are not an exhaustive list, but do represent some of the specific pieces of personal information collected by URS.
The personal information URS collects on any given data subject through Active Track depends on the data sharing setting selected by the data subject. Active Track allows the data subject to control the data that is shared with Active Track.
Non-sensitive categories of Personal Information | Description of Category | Examples |
---|---|---|
Authenticating | Information used to authenticate an individual with something they know. | Passwords, answers to security questions. |
Identifying | Information that uniquely or semi-uniquely identifies a specific individual. | Name, user-name, unique identifier, government issued identification, date of birth |
Physical Characteristics | Information that describes an individual's physical characteristics. | Height, weight, age, gender |
Contact | Information that provides a mechanism for contacting an individual. | Email address, physical address, telephone number |
Demographic | Information that describes an individual's characteristics shared with others. | Age ranges, physical traits, geographic |
Computer, Device, Technical Information | Information about a device or technology that an individual uses for personal use. | IP address, MAC address, browser type, operating system, pages accessed. |
Location | Information about an individual's location | Country, state, territory. |
Sensitive Categories of Personal Data | Description of Category | Examples |
---|---|---|
Medical and Health | Information that describes an individual's health, medical conditions or healthcare. | Physical and mental health, prescriptions, disabilities, health history, health records, family and/or individual health history. |
Ethnicity | Information that describes an individual's origins and lineage. | Race, national or ethnic origin, languages spoken |
5.7 How We Collect Data
Active Track collects personal data that other apps on your mobile or wearable device share with Active Track. Data subjects are in control of which apps share information with Active Track, and what data is processed through Active Track. Active Track also collects data directly from data subjects through questionnaires administered in Active Track, and indirectly from the apps selected by the data subject.
5.8 How Will We Use Your Data
Personal Data is used consistent with the purposes described in Section 5.2 of this privacy policy and consistent with the consent forms completed by patients. Personal Data collected through Active Track is made available to a patient's healthcare provider. Users are also in control of who receives the data collected through Active Track.
5.9 Recipients
URS shares personal data processed through Active Track with the following third-parties:
- The data subject's healthcare provider for purposes of data collection and analytics
- Amazon Web Services, because our software is hosted on their servers
- Apple Inc., for purposes of offering our app on Apple devices
- Google Inc., for purposes of offering our app on Android devices