AnaMee Privacy Policy

AnaMee takes privacy very seriously. AnaMee shares a commitment with Covered Entities to protect the privacy and confidentiality of Protected Health Information that AnaMee obtains subject to the terms of a Business Associate Agreement and under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including, without limitation, amendments by the Health Information Technology for Economic and Clinical Health (HITECH) Act (collectively, “HIPAA/HITECH”).

This Privacy Policy is provided to help you better understand how AnaMee uses, discloses, and protects Protected Health Information in accordance with the terms of Business Associate Agreements.

Definitions

• “Business Associate” (“BA”) means an entity that performs functions or activities on behalf of a Covered Entity when those services involve access to, or the use or disclosure of, Protected Health Information.
• “Business Associate Agreement” (“BAA”) means a formal written contract between a BA and a Covered Entity that requires the BA to comply with specific requirements related to PHI.
• “Covered Entity” means a health plan, healthcare provider, or healthcare clearinghouse that must comply with the HIPAA Privacy Rule.
• “Protected Health Information” (“PHI”) means all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information is any information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment, or in relation to the payment for the provision of health care services. 

Use and Disclosure of PHI “Protected Health Information”

• AnaMee may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of performing our obligations under our services agreements to Covered Entities, provided that such use or disclosure is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA/HITECH, including its Privacy Rule or Security Rule as applicable to Business Associates.
• AnaMee may use PHI internally for our own internal management, administration, data aggregation, and legal obligations, but only to the extent such use of PHI is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA/HITECH, including its Privacy Rule or Security Rule as applicable to Business Associates.
• AnaMee may disclose PHI for law enforcement purposes as required by law or in response to a valid subpoena.
• AnaMee may disclose PHI to downstream subcontractors or agents that provide supporting services to us; however, AnaMee will require such subcontractors and agents to comply with the same terms and conditions that apply to us under the applicable Business Associate Agreement and PHI, including the implementation and maintenance of required safeguards.
• Other uses and disclosures not described in this Privacy Policy will be made only with your express written authorization.

Revocation of Your Consent to Use and Disclose PHI

Many permitted uses and disclosures of PHI are only possible with your express consent. Your written authorization is required for any use or disclosure of PHI that is not for treatment, payment, or health care operations, or otherwise permitted or required by the Privacy Rule. Examples of disclosures that require your authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, disclosures to a pharmaceutical firm for marketing purposes, and disclosures of psychotherapy notes. The requirement of your authorization relating to disclosures of psychotherapy notes is subject to exceptions. One exception is that a Covered Entity that originated the notes may use them for treatment. The other exception is that a Covered Entity may use or disclose, without your authorization, psychotherapy notes for its own training, and to defend itself in legal proceedings brought by the individual whom the notes concern, for the U.S. Department of Health and Human Services to investigate or determine the Covered Entity’s compliance with the Privacy Rules, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the psychotherapy notes, for the lawful activities of a coroner or medical examiner, or as required by law. As stated, a Covered Entity must obtain your authorization to use or disclose your PHI for marketing and for a Covered Entity’s provision of promotional gifts of nominal value. Your authorization is not required for face-to-face marketing communications between a Covered Entity and an individual. In addition, your authorization is not needed to make a communication that falls within one of the exceptions to the marketing definition. Those exceptions are communications to describe health-related products or services, or payment for them, provided by or included in a benefit plan of the Covered Entity making the communication; communications about participating providers in a provider or health plan network, replacement of or enhancements to a health plan, and health-related products or services available only to a health plan’s enrollees that add value to, but are not part of, the benefits plan; communications for treatment of the individual; and communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or care settings to the individual.

You may revoke your consent to use and disclose your PHI at any time by sending a written revocation of your consent to the processing of your PHI to us at HIPAA.Privacy@al-enterprise.com. All PHI processed before AnaMee receives your revocation of consent will be considered legally processed with your consent. In addition, you may request that all of your PHI be removed from our systems and processes by sending a written request for the removal and destruction of all your data to us at  HIPAA.Privacy@al-enterprise.com. Upon receipt of your request, AnaMee will take all steps necessary to remove all of your PHI completely and permanently unless AnaMee is unable to do so for legal, compliance, or other legitimate reasons.

Your Rights

You may request information about:

• The purpose of our use and disclosure of your PHI;
• The legal basis for our your and disclosure of your PHI;
• The categories of PHI and the subject concerned;
• Information on the type or identity of third parties to which your PHI may be disclosed to and the protection provided;
• The source of the PHI (if you didn’t provide it directly to us); and
• How long it will be stored.

You have a right to:

• Access your PHI;
• Have inaccurate PHI corrected;
• Request erasure of PHI;
• Restrict the processing of your PHI;
• Object to the processing of your PHI; 
• Data portability;
• Opt out of PHI being transferred to a third party, unless there is a legal reason to do so; and
• Opt out of direct marketing. 

To exercise your rights, you can write to our HIPAA Compliance Officer at HIPAA.Privacy@al-enterprise.com.

Requests Regarding PHI

Requests for access to your PHI, request to amend your PHI, or requests for an accounting of disclosures of your PHI shall be in writing to our HIPAA Compliance Officer at HIPAA.Privacy@al-enterprise.com. AnaMee will act on your request no later than thirty (30) calendar days after AnaMee receives your request. If AnaMee is not able to act within this timeframe, AnaMee will provide you with a written statement of the reasons for the delay and the date by which AnaMee will complete our action on your request, which date will be no more than an additional thirty (30) calendar days from the original thirty (30) days. 

In the event that AnaMee denies any request, the response will include an explanation as to why access was denied. The denial of your request may be based on a number of reasons. An individual does not have a right to access PHI that is not part of a designated record set given that such information is not used to make decisions about individuals. This information may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, a hospital’s peer review files or practitioner or provider performance evaluations, or a health plan’s quality control records that are used to improve customer service or formulary development records, may be generated from and include an individual’s PHI but might not be in the Covered Entity’s designated record set and subject to access by the individual. In addition, two categories of information are expressly excluded from the right of access. One is psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. The other is information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. However, the underlying PHI from the individual’s medical or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and is subject to access by the individual.

Access to PHI

As provided in the BAA, AnaMee will make available to Covered Entities information necessary for the Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.

Upon request, AnaMee will make our internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of a Covered Entity, available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BAA and HIPAA regulations.

Our Responsibilities

As a Business Associate, AnaMee has a number of legal responsibilities. They include the responsibility to enter into a written BAA with Covered Entities that requires us to maintain the privacy of PHI, limit our use or disclosure of PHI to those purposes authorized by the Covered Entities, and assist Covered Entities in responding to your requests concerning your PHI; the responsibility to amend PHI relating to you when requested by a Covered Entity; the responsibility to make certain disclosures available to a Covered Entity in order for the Covered Entity to fulfill its obligation to you to provide accountings of certain disclosures to you; the responsibility to enter into a BAA with each of our subcontractors who may have access to your PHI; the responsibility to comply with Privacy Rule provisions, including rules governing the uses and disclosure of PHI and your rights concerning your PHI; the responsibility to perform a Security Rule risk analysis; the responsibility to implement Security Rule safeguards; the responsibility to train personnel concerning the HIPAA Rules; the responsibility to respond immediately to any security violation or breach; the responsibility to timely report security incidents and breaches; and the responsibility to maintain required documentation.

Safeguards

AnaMee uses appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in the BAA. AnaMee has implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that AnaMee creates, receives, maintains, or transmits on behalf of a Covered Entity. Such safeguards include:

• Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures
• Providing appropriate training for our staff to assure that our staff complies with our security policies;
• Making use of appropriate encryption when transmitting PHI over the Internet
• Utilizing appropriate storage, backup, disposal, and reuse procedures to protect PHI;
• Utilizing appropriate authentication and access controls to safeguard PHI;
• Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
• Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI AnaMee hold on behalf of a Covered Entity is available when needed.

Mitigation of Harm

In the event of a use or disclosure of PHI that is in violation of the requirements of the BAA, AnaMee will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:

• Reporting any use or disclosure of PHI not provided for by the BAA and any security incident of which AnaMee becomes aware to the Covered Entity; and
• Documenting such disclosures of PHI and information related to such disclosures would be required for the Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.

Changes to Our Privacy Policy

From time to time AnaMee may change or update our Privacy Policy. AnaMee reserves the right to make changes or updates at any time. If AnaMee makes material changes to the way AnaMee processes your PHI, AnaMee will provide you notice via our services or by other communication channels.

How to Contact Us

If you have any questions regarding this Privacy Policy, please contact our HIPAA Compliance Officer at:

Attn: Legal, HIPAA Compliance Officer ALE USA Inc. 2000 Corporate Center Drive Thousand Oaks, CA 91320
Email: HIPAA.Privacy@al-enterprise.com
Telephone: (747) 388-7468
Revised: March 15, 2023

. Disclosures of your Personal Data

We may share your Personal Data with the parties set out below for the purposes set out in the table above.

• Internal Third Parties  being companies in our group who provide IT and system administration, product development, business development and back-office services and undertake leadership reporting.
• External Third Parties being:
  1. In the case of Healthcare Provider Data, to our users through our Platform.
  2. In the case of Identity and Contact Data, to Healthcare Providers with whom you have booked appointments through our Platform.
  3. In the case of Identity, Contact, Financial Data and Transaction Data, to Healthcare Providers with whom you have booked appointments for online consultations through our Platform.
  4. In the case of your health and any other special categories of data to Healthcare Providers and physicians upon your instructions and Pharmacies selected by us to fulfill your prescriptions.
  5. Service providers acting as processors based in the United Arab Emirates, Saudi Arabia and Indonesia who provide IT, system administration and payment processing services.
  6. Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, and insurers based in the United Arab Emirates, Saudi Arabia, Algeria, and Indonesia who provide consultancy, banking, legal, insurance and accounting services.
  7. Regulators and other authorities acting as processors or joint controllers based in the United Arab Emirates, Saudi Arabia, Algeria, and Indonesia who require reporting of processing activities in certain circumstances.
  8. Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this privacy policy.

We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

. Data Retention

We store the information we collect about you for as long as is necessary for the purpose(s) for which we originally collected it or for other legitimate business purposes, including to meet our legal, regulatory, and other compliance obligations.

In particular, the Dubai Health Authority requires certain audio recordings to be retained for a period of 90 days. Unless you have consented to such access the Dubai Health Authority will not have access.

. Aggregated Data

We also collect, use, and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your Personal Data but is not considered Personal Data in law as this data does not directly or indirectly reveal your identity and is anonymised. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific Platform feature. However, if we combine or connect aggregated data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Policy.

. Minors

By accessing, using and/or submitting information to or through the Platform and the Services, you represent that you are not a child, being a person under the age of 18 (“Minor”). If we learn that we have received any information directly from a Minor without his/her parent’s written consent, we will use that information only to respond directly to that Minor (or his/her parent or legal guardian) to inform the Minor that he/she cannot use the Services, and we will subsequently delete that information. If you are a parent or legal guardian of a Minor, you may, in compliance with the Terms of Use, use the Services on behalf of such Minor. Any information that you provide us while using the Services on behalf of the Minor will be treated as Personal Data as otherwise provided herein. If you are a parent or legal guardian, and you allow a Minor to use the Services, then these terms (Terms of Service) apply to you, and you are responsible for the Minor’s activity on the Services. Please refer to our Terms of Service.

.Consent

Consent is one lawful basis for processing. When we ask for your consent, we do not use pre ticked boxes. For example, when you register your account with us, you will need to read and accept our Privacy Policy and Terms of Use by ticking the ‘I agree’ box provided. This is known as positive opt in.

Here is an example:

Please note, that you may withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or Services to you. We will advise you if this is the case at the time you withdraw your consent.

When you make an appointment using our Platform, the consultant, or the Healthcare Provider that you are seen at, either in person, or via the video conference would be responsible, as a data controller, to obtain your consent and manage the consent process. Your health and care organisation should be able to provide you with information about how your personal or confidential patient information is used during a video consultation. You must contact the consultant or the clinical practice directly if you would like to withdraw your consent related to your appointment and consultation.

. Transfers of Personal Data outside of the United Arab Emirates.

The Personal Data that we collect from you will not be transferred to and stored at a destination outside of the jurisdictions in which the persons to whom such Personal Data relates being United Arab Emirates respectively.

We ensure your Personal Data is protected by requiring all our group companies to follow the same rules when processing your Personal Data. Whenever we transfer your Personal Data to third parties, we aim to ensure a similar degree of protection is afforded to it using contractual obligations.

. Marketing / Research

 General

We would like to send you information about our Services, and we use MailChimp for marketing purposes. If you have agreed to receive marketing, you may always opt out later by following the opt-out/unsubscribe links on any marketing message sent to you or by contacting us at any time by sending an email to

help@Influenceihi.com.

Where you opt out of receiving these marketing messages, this will not apply to Personal Data provided to us because of a product/service experience or other transactions.

. Promotional offers from us

We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.

 Third-party marketing

It is the responsibility of the third party, such as our White Label partners, to obtain your consent and get your express opt-in consent before they contact you for marketing purposes.

 Mobile app push notifications

On downloading the IHI app, you will receive notifications asking whether you consent to: (a) IHI identifying and using your mobile device location; and (b) to receiving future notifications from IHI.

. Data Security

. General

We have put in place appropriate security measures to protect your Personal Data. We process your data in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. We also have procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where required by law.

Unfortunately, no transmission or storage system can be guaranteed to be completely secure, and transmission of information via the internet is not completely secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem using the contact details provided in section 17.

IHI does not warrant the accuracy, completeness, currency, or reliability of any of the content or data found on this website and IHI assumes no responsibility and shall not be liable for any damages to, or viruses that may infect, your computer or other equipment or other property on account of your access to, use of, or browsing on the website. In no event shall IHI be liable for any injury, loss, claim, damages, or any exemplary, punitive, direct, indirect, incidental, or consequential damages of any kind (including but not limited to lost profits or lost savings) whether based in contract, tort, strict liability, negligence, product liability or otherwise. The entire risk as to the quality, performance and use of this website is with you. Any communications, messages and other information obtained while using the Website is obtained at your risk and you bear the entire responsibility for any losses that you may experience because of your use of our website.

Data Retention and Destruction Policy

1. Retention of Personal Health Information

In accordance with applicable healthcare ICT laws and regulations, including those governing the handling of personal health information (PHI), we are committed to safeguarding your personal data. Your data, including health records and any other personal information collected through the mobile application, will be retained for a period of 25 years from the date of its collection.

2. Purpose of Retention

The extended retention period is to ensure that your healthcare records remain available for any necessary medical, legal, or regulatory purposes. This retention period is based on best practices and healthcare regulations aimed at ensuring continuity of care and compliance with legal obligations.

3. Data Deletion and Destruction

At the end of the 25-year retention period, your personal data, including any identifiable health information, will be securely destroyed. The destruction process will involve the permanent deletion of digital records and, if applicable, the secure disposal of physical records, ensuring that the data cannot be recovered or accessed by unauthorized parties.

We implement industry-standard procedures and technologies, including encryption, to securely destroy your data in compliance with healthcare ICT laws and relevant data protection regulations.

4. Data Protection During Retention Period

During the retention period, your data will be stored securely using state-of-the-art security measures, including encryption, access controls, and monitoring, to protect against unauthorized access, loss, or misuse.

5. Your Rights Regarding Data

While your data is stored with us, you retain certain rights regarding access, modification, or deletion of your personal information under applicable data protection laws. If you wish to exercise these rights, please contact our support team as described in our [Contact Us] section.

Compliance with ICT and Healthcare Regulations

This data retention and destruction policy has been created in compliance with healthcare ICT laws applicable to the jurisdiction in which we operate. We are committed to ensuring that all personal health information is handled responsibly, securely, and in accordance with legal requirements.

 Passwords and Confidentiality (Including your Mobile Number and email address).

If you are provided with a password or any other piece of information as part of our security procedures for a registration-only section of our Platform, you are responsible for all activities that are carried out under them. We do not have the means to check the identities of people using the Platform and we will not be liable where your password or username, email address or your mobile number is used by someone else. You agree to contact us immediately of any unauthorised use of your password or username of which you become aware. We have the right to disable any user identification code or password, whether chosen by you or allocated by us, at any time, if you have failed to comply with any of the provisions of these terms or the Terms of Use.

. Our Use of Cookies

For more information about the cookies we use, please see our Cookies Policy.

. Special Note in Relation to Online Consultations

During any online consultation with a practitioner which is held on our Platform, you may exchange with the practitioner through the Platform special Personal Data including in relation to health (health history, symptoms, examinations and tests and the results thereof, diagnosis, treatment, and care plan), ethnicity, sexual orientation, sex life, religious beliefs or opinion or genetic data as relevant to the practitioner. This information is held and used by the practitioner or the Healthcare Provider in accordance with its Privacy Policy, terms and conditions of service and applicable laws and regulations.

. Any further questions

If you have any questions about this Policy or about your Personal Data, please contact the Data Protection Officer at

hani@ influenceIHI.com.

General enquiries not related to this Privacy Policy or your Personal Data can be directed to our Client On boarding team who can help you with your enquiries, please contact

help@influenceIHI.com.