Legal & regulatory
Terms of use & legal details
Understand how moveUP leads in compliance and regulatory affairs.
Privacy Policy
We are particularly vigilant about the protection of Protected Health Information and Personal Identifiable Information (hereinafter collectively referred to as protected information) and about respecting the privacy of our current, past, and potential patients and healthcare providers for which we are providing services (“Protected Parties”). We act transparently, in accordance with national and international provisions, in particular the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as further expanded by the Health Information Technology for Economic and Clinical Health Act provisions in Title XIII of the American Recovery and Reinvestment Act (“HITECH”), the HIPAA Omnibus ruling of 2013, and the regulations related to these laws and mandates.
This Notice outlines our practices, policies, and legal duties to maintain and protect against prohibited disclosure and describes how protected information about you may be used and disclosed and how you can access this information. Please read it carefully.
1. Definitions
In this statement, the following words and expressions shall be understood as follows:
Access: The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
Breach: The unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed, would not reasonably have been able to retain such information.
Business Associate (BA): Entities that perform activities on behalf of the CE and provide the services of creating, receiving, maintaining, and transmitting ePHI information. The solution providers, cloud service providers, engineering services firms, sub-contractors, and quality management consultants are typically called BAs.
Business Associate Agreement: A legal contract between the business associate and the covered entity. This includes the PHI that the business associates may access, how they can utilize the information, and terms about returning or discarding the information upon task completion.
Covered Entity (CE): Entities that handle patient information and transmit it electronically. Typically, CE includes hospitals, research organizations, medical service providers, insurance organizations, etc.
De-Identified: Information that does not identify an individual, and for which there is no reasonable basis to believe that the information can be used to identify an individual.
Disclosure: Release, transfer, provisions of, access to, or divulgence in any manner of information outside the entity holding the information.
Encryption: The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
General terms and conditions of use: The general terms and conditions and the conditions of use of moveUP which administer the use of moveUP.
HIPAA: Health Insurance Portability and Accountability Act of 1996, as further expanded by the Health Information Technology for Economic and Clinical Health Act provisions in Title XIII of the American Recovery and Reinvestment Act (“HITECH”), the HIPAA Omnibus ruling of 2013, and the regulations related to these laws and mandates.
HIPAA Privacy and Security Officer: The person who monitors moveUP’s compliance with the HIPAA regulation.
Incidental Use and Disclosure: Secondary use(s) and disclosure(s) of protected health information (PHI) that cannot reasonably be prevented, are limited in nature, and occur as a byproduct of an otherwise permitted use or disclosure.
Our professional healthcare partners: The healthcare professionals who are connected to the patient via moveUP.
Our services: All the services we provide in the context of our professional moveUP activity.
Protected Health Information (PHI): Individually identifiable information relating to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present or future payment for healthcare provided to an individual. PHI includes personal medical information plus any one of the following that would identify an individual:
1. Demographic information: Name, address, date of birth, phone number, email address, etc.
2. Medical records: Diagnoses, treatments, medications, test results, and other clinical information.
3. Health insurance information: Policy numbers, coverage details, and payment information.
4. Any other information that could be used to identify an individual in connection with their healthcare.
Personal Identifiable Information (PII): any information that can be used to identify or locate an individual. This includes, but is not limited to, personal data such as names, addresses, phone numbers, social security numbers, email addresses, financial information, and biometric records. PII is considered sensitive and requires protection to prevent unauthorized access or misuse, as it can pose risks to an individual's privacy and security if mishandled.
Protected Information: PII and PHI, referred to collectively.
Protected Parties: Individuals or entities granted legal rights and responsibilities related to the protection and privacy of PHI.
Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
Your information: means PII and/or PHI, also referred to as ‘your data’ or ‘your personal data’.
2. Primary Uses and Disclosures of Protected Information.
We use and disclose protected information with your best interest at heart.
We use and disclose Protected Information about Protected Parties for treatment, payment, and healthcare operations. The Privacy Rule does not generally “preempt” (or take precedence over) state privacy or other applicable laws that provide individuals greater privacy protections. As a result, to the extent state law applies, the privacy laws of a particular state, or other federal laws, rather than the Privacy Rules, might impose a privacy standard under which we will be required to operate. For example, where such laws have been enacted, we will follow more stringent state privacy laws that relate to uses and disclosures of the Protected Information.
In addition to these law requirements, we also may use or disclose Protected Information in the following situations:
• Treatment: We might use and disclose your Protected Information for all activities included within the definition of “treatment” within the Privacy Rules. For example, we might share the patient's medical history, test results, and treatment plans with a consulting specialist to ensure appropriate care.
• Payment: We might use and disclose your Protected Information for all activities included within the definition of “payment” within the Privacy Rules. For example, we might use and disclose a Protected Party’s Protected Information to assist with the payment of claims for services provided to that Protected Party by doctors, hospitals, pharmacies, and others for services.
• Health Care Operations: We might use and disclose a Protected Party’s Protected Information for all activities included within the definition of “health care operations” within the Privacy Rules. For example, we might use and disclose the Protected Information of a Protected Party to an insurer to determine the premiums for your health plan, to conduct quality assessment and improvement activities, to engage in care coordination or case management, and to manage our business.
• Business Associates: In connection with our treatment, payment, and healthcare operations activities, we contract with individuals and entities to perform various functions on our behalf or to provide certain types of services. To perform these functions or to provide the services, they will receive, have access to, create, maintain, use, or disclose Protected Information, but only after we require the subcontractor to agree in writing to contract terms designed to appropriately safeguard your information.
• Other Covered Entities: In addition, we might use or disclose your Protected Information to assist healthcare providers in connection with their treatment or payment activities, or to assist other covered entities in connection with certain of their healthcare operations. For example, we might disclose a Protected Party’s Protected Information to a healthcare provider when needed by the provider to render treatment to that party, and we might disclose Protected Information to another covered entity or subcontractor to conduct healthcare operations related to billing, claims payment, or enrollment.
• Situations permitted or required by law: We also may use or disclose your Protected Information without your written permission for other purposes permitted or required by law, including, but not limited to the following:
o To a public health authority for the purpose of public health activities (such as to the Federal Food and Drug Administration to report consumer product defects, or to the Centers for Disease Control as necessary to fulfill public health obligations and track the occurrence of certain diseases or health conditions);
o To a law enforcement official for law enforcement purposes or in response to a court order or in the course of any judicial or administrative proceeding;
o To organ procurement organizations or other entities for approved research;
o To a governmental authority, including a social service or protective services agency, authorized to receive reports of abuse, neglect, or domestic violence.
• No objection from you: In certain limited circumstances, we may use or disclose your Protected Information after we have allowed you to object, and you have not objected. For example, if you do not object, we may use limited information about you to maintain an office directory, to notify family members or any other person identified by you regarding issues directly related to such person’s involvement with your care or payment for that care, or in emergency circumstances.
• Written Permission: For purposes for which we have obtained your written permission. All other uses or disclosures of your Protected Information will be made only with your written permission, and you may revoke any permission that you give us at any time.
• Other: In view of a merger, sale, or other request of a legal, judicial, administrative authority or auxiliary of justice.
We obtain protected information (1) that you provide directly to us, in conversations or other forms that you or a Protected Party completes, (2) while using our services or as a result of our transactions with you, and (3) from other sources or affiliates.
For all other uses and disclosures, we first must obtain your permission.
Your information will never be shared on social media without your explicit authorization.
In all circumstances, we ensure the protection of your data by agreements ensuring confidentiality.
3. How do we protect your privacy?
We strive to optimally protect your personal data against unauthorized use and leakages.
We take the appropriate safeguards to avoid incidental use and disclosure as much as possible.
To this end, we use appropriate physical, organizational, technological, and administrative measures such as, but not limited to:
• We use recognized security and encryption processes to ensure the security of the transmission and storage of your data to and from moveUP.
• We have organizational measures in place, such as restricting access to our computer systems in accordance with the strict needs of each member of staff, with respect to his or her job.
• Your data will be de-identified (depending on the purpose) as soon as we can.
• We have an internal security policy and conduct regular basic training to maintain data privacy awareness.
• We have Business Associate Agreements with third parties when they assist us with our activities.
• We are ISO 27001 certified, an internationally recognized standard for the overall management of information security.
Due to the nature of the internet, be aware that no software party can give a 100% guarantee of the security of your PII and PHI. Disclosing your information to us remains at your own risk.
4. How long is your data kept?
Per the HIPAA Law, your personal data will be kept for at least 6 years. Data may be kept longer if:
• State laws require longer retention;
• Your data involves a personal injury or breach of contract dispute.
o Regarding disputes: For any controversy or claim arising out of or relating to our privacy policy, or the breach thereof, the parties agree first to try in good faith to settle the dispute by mediation administered by the American Arbitration Association under its Commercial Mediation Procedures before resorting to arbitration, litigation, or some other dispute resolution procedures.
5. What are your rights and how to exercise them?
You can exercise the following rights by contacting us via
Right of complaint.
You may complain either directly to us, your State Attorney General, or to the Secretary of Health and Human Services if you believe that your rights with respect to our protection of your Protected Information have been violated. To file a complaint with us, you may send a written statement outlining your complaint, and the facts and circumstances surrounding your complaint, including the names, dates, and as many details as possible. You will not be retaliated against in any way for filing a complaint.
Right to request additional restrictions
You can request that we place additional restrictions on our uses and disclosures of the Protected Information of Protected Parties. However, we are not obligated to agree to impose any such additional restrictions.
Right to access, inspect, copy and rectify Protected Information
You can request to access, inspect, and copy the protected information pertaining to Protected Parties that we maintain in our files. You can request, at any time, information about the objectives pursued, the categories of PII and PHI that we hold about you, the categories of recipients of this data (third countries or international organizations), the retention periods or criteria for determining these periods, your other rights or other sources of your data. You may also ask for your data to be corrected, amended, or supplemented if it is incorrect or incomplete.
Right to receive accounting of the disclosures of Protected Information
You can request to receive an accounting of the disclosures of the Protected Information we maintain on Protected Parties that we make for purposes other than activities related to payment functions or other health care operations.
Right to request confidentiality
You can request that communications containing a Protected Party’s Protected Information are sent in a confidential manner.
Right to request paper version of the privacy notice
If you received this notice electronically, you also have the right to obtain a paper copy of this notice from us on request.
6. How do we handle data breaches?
We take an active role in preventing and analyzing the severity of data breaches. Without delay, the Department of Health will be notified in accordance with the reporting standard of your state of residence. If your data is subject to a data breach, or your data is impermissibly used or disclosed, you will be promptly informed.
7. Do we use and disclose data from children?
No. Our product is not intended to be used by children; therefore, we do not knowingly collect information from children.
8. Do we use cookies?
A cookie is a code in a file stored on your computer. Cookies help us to improve our website, facilitate your browsing, and analyze audiences.
To learn more about our Cookie Policy, please visit our website under the "Cookies Policy" tab.
9. Be mindful of updates to this notice!
This Notice can be updated at any time without notice of modification for those who aren’t actively using the moveUP application. We advise you and invite you to consult it regularly on the moveUP website. We reserve the right to make new Notice provisions effective for all Protected Information we maintain, regardless of whether the Protected Information was created or received before issuing the revised Notice.
ISO13485 certificate
ISO 13485 specifies requirements for a quality management system where an organisation needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. To obtain the ISO 13485 certificate, moveUP was checked by an external, independent and professional agency on all the requirements.
ISO27001 certificate
ISO/IEC 27001 is an international standard on how to manage information security. To provide you with personalised care, moveUP asks for and stores patient data. Patient data are stored safely. moveUP adheres to all requirements that ISO puts on information systems.