Legal Notices - General

Please familiarize yourself with b.well Legal Notices. We maintain these notices on our website (bwell.com/legal).

These notices are important for our shared compliance responsibilities under federal and state healthcare and consumer privacy laws, and the rules for consumer-mediated health data access and exchange from HIPAA regulated entities. b.well can modify these at any time in our discretion. Updates are effective as of the dates written on published updates. The notices include links to prior versions.

We only modify notices to advance transparency and compliance. Changes are not intended to impair contractual rights that you have already negotiated with us in commercial agreements. Any interpretation will be resolved with priority for the protection of consumer privacy and information security.


Purposes:

  • Affirms b.well’s contractual obligations to enterprise customers as a service provider (data processor)
  • Supports developers’ education of their end users about this relationship

Rationale:

  • Education is important because consumer-mediated health data access and exchange occurs through b.well’s network of connections
  • The parties on the other side of these connections understand that b.well is the trusted data application developer
  • Some connections require b.well to be appointed as the “individual access service provider” or ask consumers to confirm that they authorized b.well to retrieve their health data and share it with your app
  • This education goes hand in hand with our contract terms, which require developers to collect a user consent that b.well can retrieve their health data and transmit it to your app

These steps can be accomplished through consumer education, where you have a choice of referencing this Legal Notice.

Implementation Recommendations:

  • Create consumer-facing education that introduces b.well as your trusted health data intermediary
  • Add a disclosure of this relationship in your app’s terms and/or privacy policy
  • Get pre-launch feedback from b.well about this content and workflow (usually done when we review your consent screens)

Sample Disclosure

[Developer] partners with b.well Connected Health, Inc., a trusted health data intermediary, to securely connect your health information. When you authorize data connections, you consent to b.well accessing your health records using your credentials and providing them to [Developer] for purposes consistent with our Terms and Privacy Policy. You also authorize [Developer] to share information from your account with b.well as needed to maintain these connections. When connecting to data sources, you confirm you are using your own credentials. You can disconnect any source or delete data from specific sources at any time by [describe method]. Disconnecting stops future data collection but does not affect information already provided to [Developer], though you can separately request deletion of such data. Learn more about how b.well uses your data in its Privacy and Security Statement.

Relevant Documentation


Purposes:

  • Informs consumers of privacy rights they can exercise through enterprise customers, including:
    • The right of access to all ePHR Information retrieved with their consent and at their direction
    • The right to give consent before ePHR Information is retrieved on their behalf
    • The right to know what ePHR Information is held by enterprise customers (directly or through their sub-processors, including b.well), and how it is processed or shared
    • The right to withdraw consent to the retrieval and/or processing and/or sharing of their ePHR Information, at any time
    • The right to request the deletion of their ePHR Information, and for that right to be honored, subject to data maintained temporarily in backup systems and audit logs
    • The right to request a portable copy of their ePHR

Rationale:

  • Use of the consumer-directed data access pathway is conditioned on consumers having an ability to actually see and manage their health data through the Permitted Consumer-Facing Application identified in the agreement between you and b.well
  • Consumers also have minimum privacy rights and protections under different state laws, which b.well facilitates through calls to our FHIR Server
  • As your connector to the wider health interoperability ecosystem, b.well has independent obligations to ensure consumers can exercise these minimum privacy rights and protections
  • Building a consumer experience that helps your verified end users exercise these rights reduces confusion and misunderstandings about your data practices
  • Contract terms between you and b.well require you to comply with applicable laws, and notify b.well of changes in a consumer’s consent status.

Implementation recommendations

  • Consult with your privacy, product and/or legal teams regarding compliance obligations and design reviews
  • Implement privacy-by-design documentation, education and user experiences so your verified users can easily understand their choices and how to exercise them
  • Refer to relevant Documentation in b.well’s Developer Portal to implement automated calls through your integration with b.well so we can automatically reflect those changes as your data processor, to support your compliance posture
  • Get pre-launch feedback and approval from b.well of your approach for giving users:
    • Access to all their ePHR Information through your app
    • A way to easily halt retrieval of ePHR Information from specific connections, or all connections
    • A way to easily request deletion of all their ePHR Information
  • Schedule time with b.well to provide feedback on your approach for enabling other self-service choices, including:
    • The ability to mark errors, and/or learn how to correct data errors
    • The ability to share all or parts of their ePHR Information with themselves, or others

Relevant Documentation


Purposes: Your end users must affirmatively accept b.well’s Smart Connect Terms if b.well is retrieving their health data with an IAL2-compliant digital identity and making it available for them in your app.

Rationale:

  • These terms must be presented and accepted as a requirement of TEFCA and other sources when data is retrieved via an IAL2/AAL2-compliant digital identity instead of patient portal credentials
  • Even so, the Smart Connect Terms (and also the Privacy and Security Statement) explain that b.well must continue to meet its contractual obligations to you as a service provider (data processor), and does not gain new data rights.
  • This requirement goes hand in hand with collecting a separate affirmative and revocable consent for b.well to retrieve their data and make it available to them through your app

Implementation Recommendations:

  • Create a consent workflow with associated education
  • Get pre-launch feedback and approval from b.well of your Smart Connect implementation before launching in production (covered by separate documentation)
  • Share material changes to approved workflows and content that directly concern b.well or the Smart Connect functionality for b.well’s feedback/approval before implementing

Relevant Documentation


Purposes: Discloses b.well’s limited use of tracking technologies for essential internal business purposes (not for secondary use, sale, or cross-platform behavioral advertising, for example)

Rationale:

  • Supports your compliance responsibilities

Implementation Recommendations:

  • Consult with your privacy or legal teams regarding implementation impacts
  • Their recommendations can vary with your method of deploying b.well services (for example, we may offer a white-labeled version of this policy for a managed white-labeled deployment on our technology platform)

Purposes: Discloses b.well’s sub-processors and our practices for vetting and contracting with them, according to our third party risk management policies and customer responsibilities

Rationale:

  • Supports your compliance responsibilities

Implementation Recommendations:

  • Consult with your privacy or legal teams for implementation advice, as appropriate