Privacy Policy
Effective Date: June 14, 2024
Version: 1.0
1. Introduction
Welcome to WardControl ("we," "our," "us"). We are committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy explains how we collect, use, process, and disclose your information, including personal data and Protected Health Information (PHI), in conjunction with your access to and use of the WardControl application and services.
This policy is designed to comply with applicable data protection laws, including the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in the European Union.
2. Information We Collect
As a Business Associate to your healthcare institution (the Covered Entity), we may collect and process the following types of information:
- User Profile Information: Information you provide when you register for an account, such as your name, email address, professional role, and department affiliation. This is used for authentication, authorization, and communication.
- Protected Health Information (PHI): We process PHI on behalf of the Covered Entity. This may include patient names, medical record numbers, diagnoses, bed assignments, and clinical notes. Our access to and use of PHI is strictly governed by our Business Associate Agreement (BAA) with your institution.
- Log and Usage Data: Information about your interactions with our service, such as IP addresses, access times, pages viewed, and actions taken (e.g., bed status changes, patient assignments). This data is used for security auditing, system monitoring, and improving our services.
- Cookies and Similar Technologies: We may use cookies to maintain your session and preferences. Our use of cookies will be limited to what is strictly necessary for the functioning of the service.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To Provide and Maintain Our Service: To manage user accounts, facilitate bed management, track patient allocation, and provide all other features of the WardControl application as directed by the Covered Entity.
- To Meet Our Obligations: To fulfill our contractual and legal obligations as a Business Associate under HIPAA and a Data Processor under GDPR.
- For Security and Auditing: To monitor for security incidents, protect against malicious activity, and maintain a trail of access and changes to PHI.
- For Communication: To send you service-related notifications and administrative messages.
4. Data Sharing and Disclosure
We do not sell your personal data or PHI. We will only disclose your information in the following circumstances:
- To the Covered Entity: We will share information, including PHI, with your healthcare institution as necessary to perform our services and as permitted by our BAA.
- With Service Providers (Sub-processors): We may engage third-party service providers (e.g., cloud hosting providers) to assist in providing our service. We will have BAAs in place with these sub-processors, and they will be bound by the same data protection obligations as we are.
- For Legal Compliance: We may disclose information if required by law, subpoena, or other legal process, or if we have a good faith belief that disclosure is reasonably necessary to (i) investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; (ii) enforce our agreements with you; or (iii) investigate and defend ourselves against any third-party claims or allegations.
5. Your Rights Under GDPR
If you are a data subject in the European Union, you have the following rights:
- The right to access, correct, update, or request deletion of your personal information.
- The right to object to processing of your personal information.
- The right to request portability of your personal information.
- The right to withdraw consent at any time, where the processing is based on your consent.
Please direct any such requests to your institution's Data Protection Officer. As a Data Processor, we will assist the Covered Entity in fulfilling these requests.
6. Data Security
We implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of all electronic PHI we receive, maintain, or transmit. These measures include access controls, encryption of data at rest and in transit, and regular security assessments.
7. Data Retention
We will retain your personal information and PHI for as long as necessary to provide our services to the Covered Entity and as required by our BAA and applicable laws.
8. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and, if the changes are significant, we will provide a more prominent notice and may require you to re-accept the terms.
9. Contact Us
If you have questions about this Privacy Policy, please contact your institution's designated Privacy Officer or Administrator.