Odessa Notice of Privacy Practices and Privacy Policy

Welcome to Odessa. This Privacy Policy (“privacy policy” or “policy”) describes how Odessa Health, Inc. (“Odessa”, “us”, “we”, “our”) collects, maintains, uses, discloses, and processes certain information about you. Please carefully read this privacy policy as it contains important information about your legal rights. By accessing or using the Services, you consent to this Privacy Policy and to our collection, maintenance, use, disclosure, and processing of Personal Information, all as described in this Privacy Policy.  All of our systems, procedures, use of data, and Services are in accordance with the Family Education Rights and Privacy Act of 1974 (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) governing the use of student data, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (42 U.S.C. § 300gg) governing the safeguarding of medical information. Our Services comply with all applicable provisions of the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. 6501 et seq.). To the extent COPPA applies to the information we collect, we process such information for educational purposes only, at the direction of the partnering School and on the basis of educational institutional consent. We encourage you to read through and understand this Privacy Policy.

This Privacy Policy applies to your access to and use of the following services, which we refer to collectively as the “Services”:

  • Odessa’s digitally-based health programs (the “Odessa Programs”);

  • Odessa’s mobile applications (the “Apps”);

  • the websites that Odessa operates (including Odessa.care); and

  • all related services and features that Odessa provides.

What is the purpose of this Privacy Policy?

Personal Information regarding our users is an integral part of our business. This Privacy Policy explains how we collect, maintain, use, disclose, and process your information, which includes, among other things, gathering, storing, evaluating, modifying, deleting, combining, sharing, and transferring that information. Unless we obtain your permission, we will not share your Personal Information with other people or non-affiliated companies except as expressly permitted or required by this Privacy Policy and our HIPAA Privacy Practices described below.

Student Information

Odessa receives Student Data from Parents and Schools in order to provide Services under its Agreement with the School. When a School enters into an Agreement with Odessa, the School may be asked to input Student Data into the Odessa platform. Odessa also receives Student Data from parents or guardians.

Use or Sharing of Student Data

We share Student Data solely for the purposes of performing Services under our Agreement, and for purposes required by law.

  • Education and Health: With parents’ consent, Odessa may share Student Data with the teachers, school health staff, school administrators, the family’s doctor and the family’s health plan for the purposes of improved educational experience and better access to care.

  • Disclosures by Law: We may disclose Student Data when required or permitted by law.

  • De-identified Data: We may use de-identified data to improve our products or services and for other related purposes.

Security

The security of Student Data is important to us. Odessa stores and processes Student Data in accordance with industry standards and applicable law, ensuring that Student Data is protected from unauthorized access, use and disclosure. In the event that we believe that the security of Student Data has been compromised, we will notify you as required by applicable law and the terms of the Agreement. We will always attempt to notify you as promptly as possible under the circumstances of any security breach affecting Student Data that we believe may pose a material risk of harm. Upon notice from a parent or School to delete or destroy Student Data, we will ensure that the deletion of Student Data complies with FERPA and HIPAA standards. In all instances we will ensure that procedures concerning the Student Data we use to perform Services comply with FERPA and HIPAA. To protect Student Data from unauthorized access, use, and disclosure, Odessa maintains a comprehensive information security program and employs reasonable and appropriate physical, administrative, and technical safeguards. Odessa performs periodic risk assessments of its information security program and prioritizes remediation of identified security vulnerabilities.

Odessa will NEVER: 1) Sell student data to third parties; 2) share Student Data with third parties for the purpose of targeted advertising; 3) use Student Data for marketing purposes; 4) claim ownership of Student Data.

Personal Information – In General

In this Privacy Policy, we use the term “Personal Information” to refer to information we gather that could be used to identify or contact you and any information we gather concerning your use or potential use of the Services. Your Personal Information that we receive may include “personal information”, including your first and last name, your personal profile, your email address or other contact information, and all User Submissions.

What Personal Information Do We Collect?

We collect various Personal Information from you and certain devices that you may use, as further described below. This includes information collected through clinical screeners, applications, registrations, and your use of the Services. We also collect Personal Information in connection with your inquiries. Collection starts from the time that you initially access our Services.

Information that we gather enables us:

  • to administer your account,

  • to provide you with the Services,

  • to send you communications regarding the services we offer,

  • to respond to your inquiries,

  • to obtain your feedback on our Services,

  • to understand who is using our Services and how the Services are performing,

  • to otherwise analyze user behavior and activity,

  • to personalize and improve our Services,

  • to conduct research activities,

  • to manage the security of the Services, and

  • to fulfill any requirements imposed on us by applicable laws and regulations.

Personal Information that You Provide to Us

We receive and store any information that you enter on our Site or through one of our Apps, information that you share with us by email or phone, and any other information that you provide to us through the Services. Personal Information that you provide may include your full name, gender, username and password, contact information (e.g., your phone number, your email address and the email address of your contacts, home and business postal addresses), certain health information (e.g., weight, pre-existing medical conditions, blood glucose and blood pressure readings, information concerning your exercise, sleep, and other activities), health insurance information, and any other information or data that you provide when using our Services.

We will use the Personal Information that you provide for the purposes described above (and any other purposes intrinsic to the Services that you use) and to provide you with an engaging and personalized experience in using the Services. You can choose not to provide us with certain information, but if you do make that choice, we may be unable to provide you with access to or use of many of our features.

Personal Information Collected Automatically

In addition to any information that you provide to us through the Services, we and our third-party service providers may use a variety of technologies that store or collect certain information from you automatically (or passively) when you visit or interact with the Site, the Apps, or other aspects of the Services (“Usage Information”). This Usage Information may be stored or accessed using technologies downloaded to your device whenever you visit or interact with the Services. Examples of Usage Information include: your IP address, other unique device identifiers assigned to your device that allow our computers to recognize you, details of your device’s characteristics and functionality (e.g., browser, operating system, mobile network information), the areas within the Site, the Apps, or other aspects of the Services that you visit and your activities there, your device’s location, and certain other data regarding your device. To the extent we associate Usage Information with your Personal Information that we collect directly from you, we will treat it as Personal Information.

Information from Your Browser or Device

We automatically receive and record Usage Information from your browser on our server logs whenever you interact with the Site, the Apps, or other aspects of the Services. We may use this Usage Information to provide you with customer service and support.

Our Services also collect Usage Information to determine how often visitors use parts of the Site, the Apps, or other aspects of the Services so that we can improve our Services and strive to ensure that the Services appeal to as many users and customers as possible. Our Services collect this data in a manner similar to how TV ratings may indicate the number of people that watched a particular show. We may provide this de-identified, aggregate data to our partners and/or customers to identify how our users use our Services, but we only use this data in aggregate form as a statistical measure to monitor how the Services function and not in a manner that would permit us to identify you personally.

You may set your browser to refuse or disable these data collection methods, but doing so may change your experience with the Site, the Apps, or other aspects of the Services, diminish certain aspects of the Services’ functionality, or render certain features inoperable. For example, the Site may not recognize or respond to your browser with “do not track” technologies employed.

Email Communications

We may receive a confirmation when you open an email from us if your device supports this type of program. We use this confirmation to make emails more interesting and helpful. When you receive an email from us, you can opt out of receiving further emails by following the included instructions to unsubscribe. If you would like assistance in unsubscribing from email communications, please contact us in any of the manners described at the end of this Privacy Policy. Please keep in mind that, by opting out of further email communications after you enroll in an Odessa Program, you may limit program reminders and other valuable program content and components.

Cookies and Internet Tags

We may collect and process information about your use of the Services to help us improve the Services and to compile aggregate statistics about the use of Services for internal purposes through the use of “cookies.” Cookies also enable you to sign in to the Service and access your stored preferences and settings. If you choose to block this function, it may impair or prevent required functionality and therefore your use of the Service.

Who Owns Personal Information You Disclose to the Company?

You retain all ownership or license rights that you possess in your User Submissions (including any Personal Information and PHI), provided that when you use the Services or otherwise disclose or authorize others to disclose any User Submissions to us, you grant us a license to those User Submissions as described in our Terms of Use, this Privacy Policy, and our Notice of HIPAA Privacy Practices.

Protected Health Information

In this Privacy Policy, we use the terms “Protected Health Information” or “PHI” to refer to the subset of Personal Information that we create, receive, transmit, or maintain as part of your application for or participation in an Odessa Program or from our online clinical screeners where that information relates to (a) your past, present, or future physical or mental health or condition; (b) the provision of healthcare to you; or (c) your past, present, or future payment for that healthcare. Federal and state law afford you certain rights with respect to any access to, use of, or disclosure of your PHI. We are required by law to have this privacy policy and maintain your health information in a manner consistent with this policy and law. This notice is in five parts to describe our privacy practices. We hope through this policy that we answer any questions you have about how Odessa maintains your health information.

The sections are as follows:

1) What is Protected Health Information (“PHI”)?

2) What PHI does Odessa collect?

3) Who does Odessa share my PHI with and why?

4) What are my rights to my PHI?

5) What should I do if I have a question or concern about my collected PHI?

Notice of HIPAA Privacy Practices

What is Protected Health Information?

Like many health service providers, Odessa receives and maintains certain personal information about all our members. Some of this personal information is protected by federal and state laws. This type of information is known as “protected health information” or “PHI”. PHI is health information that identifies or could be used to identify a specific person.

What PHI does Odessa collect?

When you voluntarily give your PHI to Odessa through our online website and through your use of our Odessa programs, we maintain such PHI in our secure systems.

Examples of PHI you may provide to Odessa include:

  • When you choose to register for the Odessa programs, you provide your personal information such as your name, address, telephone number, and birth date.

  • When you use the Odessa programs, we will receive health information from you such as your physical, mental, and emotional symptoms, lab results, and other health data.

Who does Odessa share my PHI with and why?

We use or disclose your PHI for healthcare operations purposes and other purposes permitted or required by law. By registering for the Odessa program, you authorize Odessa to use or disclose your PHI for such purposes, which are described below. We need your written authorization to use or disclose your health information for any purpose not covered by one of the categories below. We will not use or disclose your PHI for marketing purposes or sell your PHI, unless you have agreed to this use or disclosure.

You can inform us at any time that you no longer allow us to use or disclose your PHI for the reasons shown below, but this will not stop any disclosure that we made based on your prior authorization. The law permits us to use and disclose your health information for the following purposes:

  • Treatment: We may use or disclose your PHI to healthcare professionals for treatment purposes.

  • Healthcare Operations – We may use or disclose your PHI for activities necessary to support our healthcare operations, such as performing quality checks on our services, internal audits, arranging for legal services, data analysis or developing reference ranges for our services. We provide only the minimal PHI to accomplish the intended purpose of the use and disclosure of the PHI. These entities are also required to keep the PHI confidential and secure.

  • Business Associates – We may disclose your PHI to other companies or individuals that need the information to provide services to us. These other entities, known as “business associates,” are required to also keep the PHI confidential and secure. For example, we may provide information to companies that assist us with support services or billing of our services.

  • De-identifiable and Aggregated Format – We may use and disclose your PHI in a de-identifiable and aggregated manner to review our impact on all our members’ health and in hopes of making the Odessa programs even more effective to help you with your management of your chronic condition.

  • Research – We may also use and disclose PHI for research purposes when an Institutional Review Board or privacy board has reviewed the research proposal and established protocols to ensure the privacy of your PHI and determined that the researcher does not need to obtain your authorization prior to using your PHI for research purposes.

  • As Required by Law – We may use or disclose your PHI as required by law.

  • Law Enforcement Activities, Legal Proceedings and Court Orders – We may use and disclose your PHI to prevent or minimize a serious threat to your health and safety or that of another person. We may also provide PHI to law enforcement officials, for example, in response to a warrant, investigative demand or similar legal process, or for officials to identify or locate a suspect, fugitive, material witness, or missing person. We may also disclose PHI to appropriate agencies if we reasonably believe an individual to be a victim of abuse, neglect or domestic violence. We may disclose your PHI if required to do so with a court or administrative order. We may disclose your PHI in response to a subpoena, discovery request or other legal process during a judicial or administrative proceeding. We may also disclose PHI to those assisting in disaster relief efforts so that others can be notified about your condition, status and location.

  • Family and Friends: At your request, we may disclose PHI to a family member, friend, or anyone else you inform us to provide the information to.

  • Other Uses and Disclosures: As permitted by HIPAA, we may disclose your PHI to:

      • Public Health Authorities

      • The Food and Drug Administration

      • Health Oversight Agencies

      • Military Command Authorities

      • National Security and Intelligence Organizations

      • Correctional Institutions

      • Organ and Tissue Donation Organizations

      • Coroners, Medical Examiners and Funeral Directors

      • Workers Compensation Agents

What are my rights to my PHI?

You have rights to your PHI that we collect. You can request that Odessa restrict the use and disclosure of your PHI by sending a written request to the address below. You can access your PHI we created or PHI you provided us with a formal written request, and we will send your health information by alternative means to an alternative address. Once you review your PHI, if you see any problems with your PHI, you may request amendments to your PHI by making a written request to us at the address below. We may deny the request in some cases. If we deny your request to change your PHI, we will provide you with a written explanation of the reason for the denial and additional information regarding further actions that you may take. You also have the right to receive a list of certain disclosures of your PHI made by us in the past six years from the date of your written request to us at the address below. Under the law, this does not include disclosures made for purposes of treatment, payment, or healthcare operations or certain other purposes we have stated above. Please be aware that we are required as stated in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to notify you in the event of a breach involving your PHI and will do so as required by law.

You have the right to obtain a paper copy of this Privacy Policy by written request to the address below. To receive a copy of this notice in Spanish, call Odessa Member Assistance at 1 508-203-7407 or send an email to odaa@odessa.care.

What should I do if I have a question or concern about my collected PHI?

If you believe your privacy rights have been violated, you have the right to file a complaint with us. You also have the right to file a complaint with the Secretary of the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against any individual for filing a complaint.

To file a complaint with us, or should you have any questions about this Privacy Policy and Notice of Privacy Practices, send an email to our Senior Security Official and Senior Privacy Official at odaa@Odessa.care, or write to us at the following address:

Odessa, Inc.

921 N. Orange Street

Wilmington, DE 19801

You can also call us at 1 508-203-7407.

Note:

We reserve the right to amend the terms of this Privacy Policy and Notice of Privacy Practices to reflect changes in our privacy practices, and to make the new terms and practices applicable to all PHI that we maintain about you, including PHI created or received prior to the effective date of the Privacy Policy and Notice of Privacy Practices revision. Our Privacy Policy and Notice of Privacy Practices is displayed on our website and a copy is available upon request. If we make changes that are material to the use of personally identifiable information, then we will attempt to provide you with notice of those changes. We reserve the right to revise this policy, with such revisions effective immediately upon the posting of the revised policy. Your use of Services after such posting constitutes your acceptance of those terms as revised. Accordingly, please check back periodically.