Privacy Policy
Updated November 8, 2024
- We collect emails to contact and identify you but we do not share them with anyone.
- We do not read or use your information except as directed by policies you can customize.
- We do not disclose your information except as directed by policies you can customize.
- Trustee Community issues access credentials based on a specific email invitation or a patient’s policy linked to active Doximity accounts.
- Patient data in the cloud is secured through encryption in transit and at rest. Access and policy enforcement are based on the IETF RFC 9635 protocol. Access authorization is secured with Passkeys to prevent password phishing and sharing.
- Data retention is entirely patient-controlled. Patients can easily delete their health record data at any time, leaving only their contact email in our files. We do not review, share or use invitation email addresses or other access authorization policies except for the specific purpose of access authorization.
- Trustee clinical data and authorization services are managed through typical hosting accounts at Digital Ocean, Inc. or Netlify, Inc. Neither HIE of One nor our hosting providers share data with third parties.
- As a free and non-commercial demonstration, Trustee accounts may be closed and data deleted at any time. Users are encouraged to make and keep local copies on their computer or mobile device.
- Trustee protects against unintended or overly broad data sharing in multiple ways:
- Patients have fine-grained control over health record segments they capture from hospital records via SMART on FHIR.
- Because Trustee is a free service, patients concerned about family access demands can easily create alternate health records by simply using a different email address.
- The use of Passkeys instead of passwords discourages requests for password sharing.
- Patients also have fine-grained control over data shared through invited access via email or via policy.
- Patients have access to synthetic data files as a “sandbox” to help them better understand health record and sharing functionality before using Trustee with real patient data.
- Restriction or withdrawal of an invited email address and changes in policy-based access are done online and take effect immediately.