Privacy Policy

Your privacy is very important to DrChrono. This Privacy Policy (this “Policy”) sets out how we handle and secure information collected by DrChrono’s onpatient website and applications (collectively, the “onpatient website”). Please review this policy carefully.

How we collect data

Information that you submit: There are several ways you can submit data to DrChrono in using the onpatient website. Some examples of those are by:

  • typing information into our website (examples: registering with onpatient, sending a message to your provider, scheduling an appointment);
  • uploading an image, a document or any other data; or
  • requesting that DrChrono retrieve or import information from another party on your behalf.

Other information: the onpatient website stores additional data when you view, navigate to, log in or otherwise interact with it. As with other websites and interactive services, whenever you interact with the onpatient website, your computer, mobile phone or tablet (a “Device”) and its software sends a “request” to us. That request will include non-personal information received from your Device (and any related software) that we use to identify and appropriately route the information your Device is requesting (in a “reply”). “Requests” and “replies” of this sort are used by all websites and Internet services. Therefore, whenever you:

  • Visit and navigate through the onpatient website,
  • Click on a link,
  • Open a webpage or web form,
  • Open a web-enabled email sent by DrChrono, or
  • Otherwise use the elements of the onpatient website,

your Device transmits non-personal information to DrChrono.

In addition to managing the appropriate routing of information, we use cookies, web beacons, server logs and other tools to enhance the quality of the onpatient website and the content you receive. We have several tools that we use that allow us to:

  • save user preferences;
  • preserve session settings and activity;
  • help authenticate users;
  • allow users to auto-fill sign-in pages of websites they frequently visit;
  • debug and evaluate the performance of the onpatient website.

Thus, even when you do not submit any personal information on the onpatient website (for example, by logging in), your Device will transmit, and these tools will receive, information about your Device. We call such data “Engagement Data.”

Engagement Data can include several pieces of information such as the time a “request” was made, the type of browser used to make a request, the version of the onpatient application you are using on the iPad, IP address, the Device’s geographic location, the URL a Device most recently visited, and, when using the onpatient mobile application, an anonymous unique number. Engagement Data generally does not personally identify any particular user. Nevertheless, Engagement Data can be used in conjunction with personal information. In these circumstances, DrChrono treats such combined information as personal information. In the event that the tools we mentioned above collect data containing personal information, DrChrono will treat that data as personal information.

Personal Information: “Personal Information” is information that you submit to us that identifies you or can be used to contact you. Personal Information can include government-issued ID numbers (such as a social security number), information used by banks and credit card issuers to identify you or, as another example, insurance-issued ID numbers. DrChrono sometimes combines non-personal information with other information in a way that makes the combined information Personal Information. DrChrono treats this combined information the same way we treat personal information.

How DrChrono uses your information

We use personal and non-personal information for:

  • Maintaining and operating the onpatient website (this may include registering you, processing payments or providing you with customer support);
  • Responding to questions and communications, which we retain in the ordinary course of business;
  • Announcements about onpatient features, terms, policies or other aspects of the onpatient website;
  • Protecting the onpatient website, the information it stores, the rights of third parties and responding to legal process (more fully discussed below) and
  • Any other purpose described in this Policy.

We use non-personal information for:

  • Evaluating and profiling the performance of the onpatient website, including analyzing usage trends and patterns and measuring the effectiveness of content, advertising, features or services;
  • Creating new features and services;
  • Contextual and cookie-based content delivery (for example for delivering certain images to you and your Device) and
  • Other purposes described in this Policy or your User Agreement.

We may also use non-personal information to prepare aggregate reports that illustrate trends about the general use of the onpatient website. Such reports may include age, gender or other general user information. These reports will not include personal information.

Consents and Authorizations:

DrChrono may request your consent or authorization in connection with the use or sharing of your information. In some instances, this will be because this Policy or applicable law or regulations require us to obtain such consent. In other instances, such consent will be for informational purposes. Any request to obtain your consent does not narrow the scope of this Policy. By using the onpatient website, you accept and agree to DrChrono’s information handling practices in the manner described.

How users share information:

Scheduling appointments: When you contact or schedule an appointment with a provider, the provider will need your name, contact information, as well as other information.

Direct Communications: You can use the onpatient website to facilitate direct communications between users:

  • Requesting an appointment with a healthcare provider;
  • Authorizing another onpatient user to receive information and communications from a particular provider or
  • Receiving or sending a message to a provider.

In any direct communication, users may send information to one another. Depending on the contents of this information, personal information could be included.

Surveys and Ratings: DrChrono sometimes asks users to provide feedback to help DrChrono improve its operations. The content of feedback is presumed public. DrChrono will let you know in advance how it will use survey or rating feedback in any such request. You should exercise care in selecting the information that you share in a survey or feedback communication. We strongly recommend against providing DrChrono any personal health or other sensitive information that could be traced to you or any other individual.

Records: The onpatient website allows you to store personal and health information (“Records”), including Records that identify other individuals, including other users. The onpatient website allows you to share all or portions of these Records at your discretion.

You should be aware that this Policy covers only the information you submit through the onpatient website or the information that is provided to you by your provider via the onpatient website. If you exchange or transmit information through any means other than the onpatient website, such activity is not covered by this Policy.

Because the onpatient website allows users to share information, you should take care in selecting the persons with whom you share your Records. Although the onpatient website processes and facilitates such transmissions, DrChrono does not take responsibility for the actions of other users or persons with whom you share your Records.

Confidentiality of Health Information: Some of our users—such as healthcare providers— are subject to laws and regulations governing the use and disclosure of health information they create or receive. Included among them are the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and the regulations adopted thereunder. When DrChrono stores, processes or transmits “individually identifiable health information” (as such term is defined by HIPAA) on behalf of a health care provider who has entered into a Healthcare Provider User Agreement, we do so as its “business associate” (as also defined by HIPAA). Under this agreement, DrChrono is prohibited from using individually identifiable health information in a manner that the provider itself may not. DrChrono is required to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity and availability of individually identifiable health information we store and process on behalf of such providers. DrChrono is subject to laws and regulations governing the use and disclosure of certain personal and health information, including HIPAA, when it operates as a business associate of a healthcare provider.

Email communications received from users and DrChrono’s administrative announcements are often transactional or relationship messages, such as appointment requests, reminders and cancellations and other notifications. DrChrono may not offer you the option of opting out of receiving some of these messages although DrChrono may allow you to modify how often you receive such messages. If you opt-in to receiving marketing announcements from DrChrono, we will allow you to opt-out of receiving those announcements.

In some instances, DrChrono may also use tools (such as “cookies,” “web beacons” and “server logs”) in its emails to users to collect Engagement Data, and DrChrono may use vendors to assist in sending you emails.

Of course, this Policy does not apply to emails or other communications from individuals that do not use DrChrono or the onpatient website, or that are being sent in connection with subject matter other than your use of the onpatient website. For example, if you were to apply to DrChrono for employment, that communication would not be covered by this Policy. Similarly, this Policy would not apply to ideas or suggestions you provide in feedback regarding the onpatient website or other products or services by any means—e.g., email or other communication channels.

Sharing of Information

We will not share any personal information you submit except under the following circumstances:

  • When you choose to share such information through the onpatient website;
  • When DrChrono notifies you at the time you provide such information or DrChrono otherwise has your or your provider’s express consent;
  • Your provider (including his or her staff) will have access to your account information, including your personal information. Your provider may: (i) receive and store your account information; (ii) change your password; (iii) restrict your ability to submit, delete or edit information; (iv) suspend or terminate your account access or (v) access or retain any information you provide or otherwise stored as part of your account for any purposes required or permitted under applicable law;
  • When DrChrono shares such information with its current and future affiliates;
  • When DrChrono provides such information to trusted service providers consistent with the terms of this Policy with the approval of your provider. Such service providers will be bound by appropriate confidentiality and security obligations which may include business associate contract obligations;
  • When DrChrono protects the onpatient website, the information it stores, the rights of third parties and in response to legal process, as more fully described below;
  • In connection with a sale, merger, reorganization or other disposition (whether of assets, stock, or otherwise) of all or a portion of the business conducted by DrChrono to which this Policy applies. This Policy will govern any such acquiring company’s use of your personal information and
  • Any other purposes described in this Policy.

Other users (for example, providers or staff) that submit your information to, or receive your information from, the onpatient website could share that information with other persons without separately notifying you or seeking your consent.

Persons under the age of 13

The onpatient website is not intended for or designed to attract persons under the age of 13 (“child” or “children”). DrChrono does not knowingly collect personal information from children. If DrChrono learns that it has obtained personal information from a child, DrChrono will delete that information as soon as practicable. If your child has provided us with personal information without your consent, please contact DrChrono immediately.

Without limiting the above, the onpatient website does allow persons above the age of 18 years—such as healthcare providers, parents and guardians—to provide, share and store personal information about others, including minors and children. Any user providing, storing or submitting information on behalf of a child assumes full responsibility over the submission, use and transmission of such information.

Security and safety of the onpatient website

DrChrono employs technical measures to help safeguard the confidentiality, integrity and availability of sensitive information you might store and share through the onpatient website. Certain laws and regulations require us to investigate potential or suspected threats to the onpatient website or to the confidentiality, integrity or availability of the information DrChrono stores and maintains. DrChrono may use, preserve and disclose information—including your personal and non-personal information—when it has a good faith belief that it is necessary or advisable to:

  • detect, prevent and address potential or suspected threats to the onpatient website or to the confidentiality, integrity or availability of any information it stores;
  • detect, prevent and address illegal activity;
  • detect, prevent and address violations of DrChrono’s Terms of Use and
  • protect DrChrono, you and third parties.

DrChrono may also use, preserve and disclose such information in order to respond to legal process, a search warrant, court order, subpoena or a judicial proceeding. Some legal processes may prohibit DrChrono from notifying the users or other individuals or entities identified in the requested information, or from taking other actions that would otherwise be required by this Policy. DrChrono may preserve information pursuant to this section for extended periods of time as necessary or appropriate under the circumstances. This may include the preservation of information from accounts that have been disabled.

DrChrono employs a wide range of technical, physical and administrative safeguards to prevent unauthorized access, maintain data accuracy and ensure the appropriate use of your personal and non-personal information, including: encryption, firewalls, system alerts and other information system security technologies; housing information in secure facilities that restrict physical and network access and regular evaluation and enhancement of our information technology systems, facilities and practices. DrChrono applies reasonable and proportional measures to protect the confidentiality, integrity and availability of individually identifiable health information (as such term is defined by HIPAA) residing on and processed by the onpatient website. Nevertheless, no system can guarantee 100% security, thus DrChrono cannot and does not guarantee the security of information stored on or transmitted to or from the onpatient website.

DrChrono may notify you and inform you of potential countermeasures if DrChrono learns of a security vulnerability or risk. You can proactively take some precautionary steps to improve the security of your information and reduce the likelihood of unintended disclosure:

  • Regularly use virus and malware detection programs that scan your system and incoming traffic for malicious software such as computer viruses, worms, Trojan horses and spyware. Viruses and malware are created and modified continuously, so you should be sure to keep your definition files up to date.
  • Use a firewall to prevent unauthorized access to your Device.
  • Keep your software programs up to date with the latest security patches, because malware often targets known or disclosed vulnerabilities in existing operating systems, browsers, plug-ins and other programs. Many vendors will notify you of security vulnerabilities and recommend immediate installation of the corresponding security hotfixes.
  • Choose a password that uses a combination of letters, numbers and special characters, that is not easily guessed and that you do not reuse for other accounts. Do not share your password with others.
  • Close all active programs and log out (or lock your screen) before leaving your Device unattended.
  • Use two-factor authentication or biometric authentication in addition to a password wherever it is offered.
  • Use restrictive wireless network settings on your Device, especially when using a public wireless network.
  • Restrict all folders or directories to “no share” when you have file sharing enabled.
  • Respond to emails requesting that you share personal information only with extreme caution, and verify the sender through a channel you trust before replying.
  • Verify that you are using HTTPS (by checking, for example, for a lock symbol on or near your browser’s address bar) or some other secure transport layer before supplying personal information, and confirm that the address shown is the onpatient website’s: the lock symbol indicates only that the connection is encrypted, not that the site you reached is the one you intended.
  • Exercise good judgment and care when participating in open communication systems, particularly when sharing personal or health information.

United States only

Access to the onpatient website is administered in the United States and is intended solely for users within the United States. You may not use the onpatient website in any jurisdiction where accessing or using the onpatient website would be illegal or unlawful. Any information that you submit to us while outside of the United States will be transferred to onpatient systems that reside in the United States. You consent to this transfer when you use the onpatient website. You also consent to the transfer and processing of any personal information by us or any of the other parties described in the sections above (in any country) for the purposes described in this Policy, or for any other specific purposes to which you consent. If you are located in a country other than the United States, you should be mindful that, at present, the laws of the United States and certain other countries have not been approved by the European Commission or privacy authorities in certain other countries as providing “adequate protection” for personal information within the meaning of the European Union Data Protection Directive or applicable laws of other countries.

Changes to this Policy

DrChrono may change this Policy from time to time, for example to respond to a changing technical and security landscape, to respond to new laws and regulations or as circumstances may otherwise warrant. DrChrono will post such changes along with their effective date on this page. You should reread this Policy from time to time to see if there have been any changes that affect you. Your use of the onpatient website, including the continued storage of your information on onpatient systems, following any such change constitutes your agreement that all information collected from or about you through the onpatient website will be subject to the terms of the revised Policy.

Viewing, updating and deactivating information

The onpatient website aims to provide you with access to the information you submit and the means to update it. This can be accomplished by using the onpatient website or by having your provider contact DrChrono on your behalf. Under certain circumstances, DrChrono may ask your provider to verify your identity before the request is processed. DrChrono may charge your provider an extra fee when, for example, fulfilling the request would require a disproportionate effort. DrChrono may reject requests that are unreasonably repetitive, require significant technical effort (for example, developing a new subsystem or fundamentally changing an existing practice), risk the privacy of others or would otherwise be extremely impractical (for instance, requests concerning information residing on backup storage).

If you desire to deactivate your account please have your provider contact us. Upon receiving such a request, DrChrono will deactivate your account and archive your personal information and Records. DrChrono may retain archived information for a period of five years (or longer if required by law) as necessary to comply with legal obligations, resolve disputes and enforce our agreements and other authorized uses under this Policy.

Unless you are an administrator that has administrative rights over another user’s account, you are not entitled to review another user’s personal information or Records. Accordingly, once you share information with another user or other party through the onpatient website, you will not be able to access, update or delete that shared information pursuant to this Policy. Others may also submit personal information that identifies you (for example, when submitting medical family history). You will also not be able to access, update or delete that information pursuant to this Policy. Certain users—such as healthcare providers—may be required under HIPAA and other applicable laws to retain such information for extended periods of time. DrChrono will continue to retain such information on their behalf. Patients should submit requests to access or correct their health information directly to their providers.

DrChrono indefinitely stores non-personal information, including Engagement Data and de-identified health information, as well as any feedback you provide us.

Last updated October 6th, 2014.