MD.ai Security and Privacy Policy

Last modified: August 10, 2018

The MD.ai Privacy Policy describes how MD.ai treats data when you use MD.ai's products, including information provided when you use MD.ai's products. In addition, the following describes our privacy practices that are specific to MD.ai, a service that helps you store, organize, label, and annotate health data and information.

HIPAA Statement

Compliance with state and federal regulations regarding patient confidentiality, security, and privacy is the responsibility of all health care providers and related vendors. This includes, but is not limited to, compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. MD.ai offers a set of DICOM compliant storage products that also comply with HIPAA and other privacy and security requirements and configurable storage and distribution systems that are designed to protect the privacy and security of patient information. MD.ai software is configurable to help meet the end user’s needs and includes user authentication models such as traditional username and password, as well as SSL certificate verification and other customizable security tokens. One or more of these authentication models are required for all users accessing MD.ai-provided systems and software. Most access to data is performed via the DICOM TLS protocol or HTTPS.

MD.ai products adhere to the DICOM standard. MD.ai prohibits any user from sharing or disclosing their password, username, or other security tokens such as client SSL certificates, and any such disclosure shall constitute a breach of the Policies which shall allow MD.ai in its sole discretion to terminate your account and prohibit any further access to the Site or the MD.ai services.

MD.ai software allows for encryption when information is transmitted via the internet (SSL, TLS, or VPN). MD.ai software provides an audit trail of all electronic events related to any data within our system. The log can be viewed for further analysis. MD.ai supplies fault tolerant storage servers and other related technologies to support your disaster planning.

Your Data

  1. MD.ai will host only anonymized data based on DICOM anonymization standards, unless the data is restricted to a HIPAA-compliant environment, with a BAA and other procedures in place.
  2. You control who can access your data. By default, you are the only user who can view and edit your information. If you choose to, you can share your data with others.
  3. MD.ai will not sell, rent, or share your data without your explicit consent, except in the limited situations described in the MD.ai Terms of Service, such as when MD.ai believes it is required to do so by law.
  4. You can completely delete your data at any time. Deletion will be initiated immediately, and your information will be purged from your account shortly thereafter. Additional backup copies of deleted data may persist for a short time. Since deleted data will not be restored, you may want to ensure you have another copy of your data before deleting it.

Sharing your data

  1. If you share your data with others, you can view a list of who has access to your information and you can revoke sharing privileges at any time. When you revoke someone’s ability to access your data, that party will no longer be able to see your data, but may have already seen or may retain a copy of that data.

How MD.ai uses your data

  1. To store your information in MD.ai, you will need an MD.ai Account. When you create an MD.ai Account, MD.ai asks for your name, email address, and a password, which is used to protect your account from unauthorized access.
  2. MD.ai's servers automatically record log information about your use of MD.ai (such as number of sign-ins). This information is temporarily stored in association with your MD.ai Account for a few months, at which point it is aggregated with other data and is no longer associated with your account. The log information will be used to operate and improve the service and will not be correlated with your use of other MD.ai services.
  3. MD.ai periodically reviews trend statistics and associations. MD.ai may use data from your MD.ai account to analyze these trend statistics, which are aggregated data sets and do not contain any personally identifiable information.
  4. Certain features of MD.ai can be used in conjunction with other MD.ai products, and those features may share information to provide a better user experience and to improve the quality of our services.

Security

Security informs everything we do and build at MD.ai. To ensure the highest standards of security, we:

  1. Enforce HTTPS everywhere, so data is encrypted with TLS in-transit.
  2. Ensure databases and file storage systems are encrypted at rest with AES-128 or AES-256.
  3. Operate servers within ISO 27001 certified data centers (and where required, HIPAA certified data centers) with multiple layers of physical security.
  4. Maintain detailed audit logs of all internal systems.
  5. Regularly review all internal systems for vulnerabilities and carry out patching as necessary.
  6. Regularly review log files for signs of intrusion, and inform impacted customers of security incidents as quickly as possible.
  7. Perform background checks on all employees who may potentially access confidential information.
  8. Conduct security training with all employees upon hire and regularly throughout employment.
  9. Perform code and security reviews of all software developed internally.
  10. For enterprise HIPAA environments, we maintain compliance with HIPAA regulations covering the security and privacy of confidential patient data by putting in place additional technical, physical, and administrative safeguards, as well as regularly engaging in third-party audits.

More information

MD.ai complies with the US-EU Safe Harbor Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. MD.ai has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view our certification page, please visit http://www.export.gov/safeharbor/.

In compliance with the US-EU Safe Harbor Principles, MD.ai commits to resolve complaints about your privacy and our collection or use of your personal information. European Union citizens with inquiries or complaints regarding this privacy policy should first contact MD.ai.

MD.ai has further committed to refer unresolved privacy complaints under the US-EU Safe Harbor Principles to an independent dispute resolution mechanism, the BBB EU SAFE HARBOR, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed by MD.ai, please visit the BBB EU SAFE HARBOR web site at www.bbb.org/us/safe-harbor-complaints for more information and to file a complaint.

If you have additional questions, please contact us any time:

MD.ai, Inc
110 Wall St
New York, NY 10005

termsandprivacy@md.ai

© 2018 MD.ai, Inc.