U.S. Privacy Policy

Last revision of this policy: June 2024

The following terms: “MindMaze”, “we”, “us”, “our” or the “Company” are references to MindMaze Inc, and to companies held by MindMaze Holding SA authorized to use or disclose Electronic Health Records or under a business associate contract with a covered entity.

MindMaze attaches great importance to the protection and respect of your privacy and health information.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its executing regulations limit MindMaze capability to use and disclose protected health information (PHI).

PHI stands for any information about personal data, health status, provision of health care, or payment for health care that is created or collected by a Covered Entity or a Business Associate of a Covered Entity and can be related to an individual.

1. Who are we?

MindMaze Inc , MindMaze Holding SA and the other companies of the MindMaze group including MindMaze Inc in US create intuitive human-machine interfaces on their revolutionary IT platform inspired by neuroscience. Our innovations are at the intersection of neuroscience, mixed reality and artificial intelligence and are therefore ready to transform a large number of industries.

2. What data do we collect?

2.1. The data we collect from you

We collect information about you when you use one of our MindMotion devices and/or participate in our registry, clinical studies, clinical trials or clinical evaluations. These data are for example:

  1. Your name, first name, address, date of birth, phone
    number, and email address
  2. Your laterality (right-handed or left-handed);
  3. Your Gender (Male or Female);

Our products collect information about your impairment by tracking your different sessions (activity score, game time, etc.). They also produce information that allows us to identify you. This information can be, for example:

  1. Your patient and user ID;
  2. Your calibration measurements (values, timestamps,
  3. Your exercise and session IDs;
  4. Your exercise values (type, inventory, level, side,
    date, duration, performance, etc.);

We need this personal information to provide you with our services and improve your user experience. Without this information, it would be impossible for you to use our services. However, you may choose not to provide personal information that may help identify you, such as:

  1. Your full name, address, email address or phone number

2.2. Data we collect from other sources

As business associate, we may receive your personal and health information from sources such as hospitals, our subsidiaries, or other companies active in the health. The information received is then combined with other information we may already have about you. This data can be, for example:

  1. Your pathologies
  2. Your rehabilitation exercises that you do at home
  3. Your statistics and performance
  4. Other information about your health

The various sources that will send us your data will have their privacy policies that do not always apply to ours and vice versa. They will probably have obtained your consent or not to the collection and processing of your information, when using their platforms or when using their services. However, we are subject to HIPAA and strict limitation on and disclosure of your protected health information, so we will act accordingly as required by law.

2.3. Data we collect from your devices

When you visit our website mindmaze.com, mindmotionweb.com or mm-companion.com using your mobile devices or from a computer, we collect and store information in their internal storage space. We then reuse this data to improve your user experience or to perform statistics. The different data we collect can be, for example:

  1. Your IP address and location data
  2. The type of device you use
  3. The link from which you access our platform
  4. Configurations on certain equipment for the use of our

You will be able to choose whether or not to store this information by accepting cookies or not.

2.4. The different types of cookies we use

Cookies are small amounts of information stored in files within your computer’s browser itself. Cookies are accessible and stored by the websites you visit, and by companies that display their advertisements on websites, so that they can recognize the browser. Websites can only access the cookies they have stored on your computer.

By using our website, you consent to the use of cookies placed by them.

Our websites or web applications use cookies for the following purposes:

  1. Site Usage: to help us recognize your browser as that
    of a previous visitor and to record the preferences you determined during your
    previous visit to the Site. For example, we may record your login information
    so that you do not have to log in each time you visit the Site;
  2. Social networks: to check if you are connected to
    third party services (Facebook, Twitter, Google+…).
  3. Targeting: to allow us to target (emailing, basic
    enrichment) later or in real time the Internet user who navigates on our site.
  4. Audience measurement: to track statistical data on
    Site usage (i.e., users’ use of the Site and to improve the Site’s services)
    and to help us measure and study the effectiveness of our interactive online
    content, features, advertising and other communications.

2.5. Your choices regarding cookies and web beacons

You have the option of configuring your browser to accept all cookies, reject all cookies, notify you when a cookie is issued, its validity period and content, and allow you to refuse to save it on your device, and delete your cookies periodically.

You can set your Internet browser to disable cookies. Please note, however, that if you disable cookies, your username and password will no longer be saved on any website. For more information on how to delete and control cookies stored on your computer, visit https://www.aboutcookies.org/

Your consent to the use of cookies will be requested when you access our sites. You will be able to set them up and adjust them to your preferences.

More information regarding cookie management is given in our cookie policy. 

3. How do we process your information?

We may use your personal data and/or data related to your neurological impairment for the following purposes:

  1. to provide our services and to enable the use of our
  2. to ensure the maintenance of our products;
  3. to improve our services and/or products;
  4. to develop new services and/or products;
  5. to conduct quality assessment and improvement
  6. to participate in registries, clinical studies,
    clinical trials or clinical evaluations;
  7. to develop clinical guidelines;
  8. to gather information for scientific research;
  9. to provide evidence to support scientific initiatives;
  10. to conduct patient safety activities as defined in
    applicable regulations;
  11. to develop protocols;
  12. to conduct case management and care coordination,
    including care planning
  13. to conduct training programs or credentialing
  14. for the publication of articles or similar
    communications, including scientific and marketing articles; and
  15. to support fraud and abuse detection and compliance
  16. for statistics, performance analysis.
  17. to execute our missions based on a business associate

Your PHI may only be used with your express consent, which must be collected in advance, except for the use of data other than those relating to your impairment, for the intended purposes mentioned in points (1) and (2), which is based on the contractual agreement you have concluded with MindMaze or another company in the MindMaze group, as an end user, customer or other.

PHI collected by MindMaze and other companies in the MindMaze group will only be kept for as long as necessary until we have achieved the purposes for which they were collected. To ensure that we do not keep them longer than necessary, we periodically review and delete our files in accordance with these objectives. In certain circumstance for example, when we are acting on behalf of a covered entity, we might keep your data longer to comply with the business associated contract we have with the covered entity.

Only specific MindMaze employees can achieve that periodical review and are under a non-disclosure agreement clause is included in their contract. They also must apply and follow all policies, processes and procedures resulting of the HIPAA implementation. Your PHI a are extremely sensitive and are classified as confidential.

4. Who may access your information?

MindMaze employees and consultants: to improve our services, products, user experience, security and the proper performance of the contract between you and MindMaze.

Third party service providers working for us: we are authorized to share your personal or health information with our third party service providers, agents and subcontractors and other associated organizations for the purpose of performing tasks and providing services on our behalf. When we use third party service providers, however, we only disclose pseudo-anonymized information necessary to provide the relevant services and we enter into a written agreement (including in electronic form) in accordance with US law requiring them to ensure the security of your information and not to use it for their own purposes, except with your express consent.

Third-party product suppliers with whom we work: we work closely with various third party suppliers to provide you with quality and reliable products and services designed to meet your needs. When you are interested in one or more of these products or when you purchase them, the third party supplier of the product(s) concerned will use the information about you to inform you and fulfil its obligations under any contract you have concluded with it. In some cases, he or she will act as the controller of the processing of your personal information. That is why we recommend that you read its Privacy Policy. These third-party product providers may share your information with us, and we will use it in accordance with this Privacy Policy.

Government or health plans: we may act on behalf of a health care provider to disclose your health information to a health plan for payment purposes.

Insurance companies: we may act on behalf of a health care provider to disclose your health information to submit a claim to the insurer.

Researchers: to a researcher for research purposes, either with patient authorization, pursuant to a waiver under 45 CFR 164.512(i) or as a limited data set pursuant to 45 CFR 164.514(e).

Financial institutions: we may need to disclose your personal information when a financial institution processes consumer-conducted financial transactions by debit, credit or other payment card, clears, checks, initiates or processes electronic funds transfers or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care, services, activities.

We are also authorized to disclose your personal information to a third party if we are required to disclose or share your personal data in order to comply with a legal obligation, to apply or enforce our terms of use or to protect the rights, property or safety of our customers or, with the exception of personal data relating to your health or to your impairment, in connection with the sale of all or part of our activities and assets to a third party or in connection with a restructuring or reorganization of our business. However, we will take all appropriate measures to ensure that your data remain protected and that all our actions comply with HIPAA and agreements made with covered entity.

We do not sell your data.

5. Our Responsibilities

5.1. Data Protection Officer (DPO)

The DPO ensures that the Company is HIPAA compliant and follow US data protection regulation such as the California Data Privacy Act (CDPA). He is responsible for implementing and maintain the HIPAA-compliant privacy program and ensuring privacy policies to safeguard the integrity and confidentiality of PHI are enforced. The DPO is also responsible to deliver or oversee ongoing staff privacy training, conduct risk assessments, develop security policies and ensure that technical implementations are aligned to them and to business agreement contracts, to monitor compliance, to implement and maintain procedures and processes and ensure that they remain aligned with law revisions. The DPO can be reached anytime at [email protected] or by using the contact us details.

5.2. Privacy Notice

The DPO is responsible for developing and maintaining a notice of the Company’s privacy practices that described:

  1. the uses and disclosures of PHI that may be made by the Company;
  2. the individual’s rights; and
  3. the Company’s legal duties with respect to the PHI.

The privacy notice will inform participants that the Company will have access to PHI. The privacy notice will also provide a description of the Company’s complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice.

The notice of privacy practices will be individually delivered to all participants:

  1. on an ongoing basis, at the time of an individual’s enrolment into a Company program or at the time of treatment and consent; and
  2. within 60 calendar days after a material change to the notice.

The Company will also provide notice of availability of the privacy notice at least once every three years.

5.3. Employee Training

MindMaze employees who may have access to PHI receive data protection and HIPAA training. The DPO in collaboration with management decides in the event an incident has occurred, if additional training is necessary and which staff should receive it in order to avoid incident occurrence.

5.4. Complaints

The DPO will be the Company’s contact person for receiving complaints. The DPO is responsible for creating a process for individuals to lodge complaints about the Company’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint form shall be provided to any participant upon request.

5.5. Safeguards

When you provide us with personal information about yourself, we take steps to ensure its security. All the information you send us is encrypted using TLS and a 256-bit security key.

Our products you use are also designed to comply with the best production, physical security, and storage security practices. Risk studies are carried out there in order to limit them as much as possible.

We regularly carry out security reviews on our platforms and services that we offer you and correct weaknesses as soon as possible. We strive to keep all our systems as up-to-date as possible with the latest security patches.

The accounts you create with us are all protected by a password that is your responsibility. You must define one that is complex enough to limit the risk that it will be easily deductible. To help you in this task we have defined a password complexity policy. When you define your password, we give you the expected criteria for it to be accepted. On our systems, your passwords are not displayed in clear text, but secured with secure cryptographic algorithms.

Despite all the measures taken to guarantee the security of your information, we draw your attention to the fact that there is no such thing as zero risk. We do our best to protect your information, but we cannot guarantee 100% flawless security. Safety is effective when all parties follow good practices. You are responsible for keeping your login information and any other access data to our services confidential.

MindMaze uses powerful solutions to provide you with the best user experience, quality and reliable services. In the criteria for choosing our suppliers of third-party products and services, information security plays a very important role. However, MindMaze has no control over the internal policies of our suppliers and cannot guarantee 100% flawless security of the products and/or services we use at home.

You can refer to the security and privacy policy of our third-party product and service providers by going directly to their website.

5.6. Mitigation of Inadvertent Disclosures of PHI

MindMaze will mitigate, to the extent possible, any harmful effects that become known to it because of a use or disclosure of an Participant’s PHI in violation of the policies and procedures set forth in this policy. The DPO will take appropriate steps to mitigate the harm to the participants.

5.7. No Intimidating or Retaliatory Acts/No Waiver of HIPAA

No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA. No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrolment or eligibility.

5.8. Plan Document

The Plan document includes provisions to describe the permitted and required uses and disclosures of PHI by MindMaze. Specifically, the Plan document requires MindMaze to:

  1. not
    use or further disclose PHI other than as permitted by the Plan documents or as
    required by law;
  2. ensure
    that any agents or subcontractors to whom it provides PHI received from the
    Company agree to the same restrictions and conditions that apply to MindMaze;
  3. report
    to the DPO any use or disclosure of the information that is inconsistent with
    the permitted uses or disclosures;
  4. make
    PHI available to Participants, consider their amendments and, upon request,
    provide them with an accounting of PHI disclosures;
  5. make
    the Company’s internal practices and records relating to the use and disclosure
    of PHI received by the Company available to the Department of Health and Human
    Services (DHHS) upon request;

As business associate, the plan document will always be updated based on the agreement concluded with the covered entity.

5.9. Incident Report

The Company has developed an Incident Report form. This form is used to document reports of privacy breaches that have been referred to the DPO from staff members who have reviewed or received the suspected incident.

After receiving the Incident Report form from staff members, the DPO classifies the incident and its severity and analyses the situation. Documentation shall be retained by the Company for a minimum of six years from the date of the reported incident.

If the DPO is able to resolve the incident, the DPO shall also document the actions taken to resolve the issue in the Incident Report form.

5.10. Electronic Health Records

Just like paper records, Electronic Health Records must comply with HIPAA, and other state and federal laws. Unlike paper records, electronic health records can be encrypted – using technology that makes them unreadable to anyone other than an authorized user – and security access parameters are set so that only authorized individuals can view them. Further, EHRs offer the added security of an electronic tracking system that provides an accounting history of when records have been accessed and who accessed them.

5.11. Access authorization

MindMaze will grant access to PHI based on their job functions and responsibilities. The DPO in collaboration with IT and senior management is responsible for the determination of which individuals require access to PHI and what level of access they require through discussions with the individual’s manager and or department head. The IT department will keep a record of authorized users and the rights that they have been granted with respect to PHI. IT keeps a comprehensive matrix of how and to who rights are granted. A summary of user rights can be found in the table below.

6. Use and Disclosure of PHI

6.1. Definitions

The Company will use and disclose PHI only as permitted under HIPAA and Business associate contracts established between the Company and Covered Entities. The terms “use” and “disclosure” are defined as follows:

Use: The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Company, or by a Business Associate of the Company.

Disclosure: For information that is protected health information, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within MindMaze with a business need to know PHI.

6.2. Access to PHI by MindMaze Employee

MindMaze staff has not access by default to PHI data that could be transferred to us. The DPO ensures that access to PHI is monitored and necessary to help the company achieve its objectives (for example, for the execution of the Business Associates Contract).

MindMaze will never use or disclose PHI without patient or Covered Entity consent. Thus, we use de-identified data to improve our product or create new services that will best fit your needs.

6.3. Disclosures of PHI Pursuant to an Authorization

PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

6.4. Permissive Disclosures of PHI: for Legal and Public Policy Purposes

PHI may be disclosed in the following situations without a participant’s authorization, when specific requirements are satisfied. The Company’s use and disclosure procedures describe specific requirements that must be met before these types of disclosures may be made. Permitted are disclosures:

  1. for judicial and administrative proceedings;
  2. for law enforcement purposes;
  3. for public health activities;
  4. for health oversight activities;
  5. for certain limited research purposes;
  6. to avert a serious threat to health or safety;
  7. for specialized government functions; and
  8. that relate to worker’s compensation programs.

As business associates, we may be subject to more or less permissive disclosures depending of the nature of duties the Covered Entity we’re associated with. 

6.5. Disclosures of the “Minimum-Necessary” Information

HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure. The “minimum-necessary” standard does not apply to any of the following:

  1. uses or disclosures made to the individual;
  2. uses or disclosures made pursuant to a valid authorization;
  3. disclosures made to the Department of Labor;
  4. uses or disclosures required by law; and
  5. uses or disclosures required to comply with HIPAA.

Minimum Necessary When Disclosing PHI. For making disclosures of PHI to any business associate or providers, or internal/external auditing purposes, only the minimum necessary amount of information will be disclosed.

All other disclosures must be reviewed on an individual basis with the DPO to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

Minimum Necessary When Requesting PHI. For making requests for disclosure of PHI from business associates, providers or participants for purposes of claims payment/adjudication or internal/external auditing purposes, only the minimum necessary amount of information will be requested.

All other requests must be reviewed on an individual basis with the DPO to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

As business associates, we will always use or disclose PHI even limited to the “minimum-necessary with the consent of the Covered Entity we are associated with. 

6.6. Disclosures of PHI to Business Associates

With the approval of the DPO and in compliance with HIPAA privacy rule, employees may disclose PHI to the Company’s business associates and allow the Company’s business associates to create or receive PHI on its behalf. However, prior to doing so, the Company will first obtain assurances from the business associate that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a “business associate,” MindMaze employees will contact the DPO and verify that a business associate contract is in place.

Business Associate is an entity that:

  1. performs or assists in performing a Company function or activity involving the use and disclosure of protected health information (including claims processing or administration, data analysis, underwriting, etc.); or
  2. provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.

Examples of Business Associates are:

  • A third party administrator that assists the Company with claims processing.
  • A CPA firm whose accounting services to a health care provider involves access to protected health information.
  • An attorney whose legal services involve access to protected health information.
  • A consultant that performs utilization reviews for the Company.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of the Company and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services for the Company.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.

When acting on behalf of a Covered Entity as Business Associates, we are not allowed to disclose any PHI to other Business Associates without a written authorization of the Covered Entity.

However in certain circumstances, we will work with business associates approved by a covered entity to help us achieve the processing mentioned in section 4.

6.7. Disclosures of De-Identified Information

The Company may freely use and disclose de-identified information.

De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity or a business associate can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers. 18 specific elements listed below relating to the participant, employee, relatives, or employer – will be removed if found in your data record set, and we will ascertain there is no other available information that could be used alone or in combination to identify an individual.

  1. Patient names
  2. Geographic elements (street address, city, country or zip code)
  3. All elements of dates (except year) related to an individual – including dates of admission, discharge, birth, death, or exact age of a patient older than 89.
  4. Telephone numbers
  5. FAX numbers
  6. Electronic mail addresses
  7. Social Security Number
  8. Medical Record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet protocol addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full face photos, and comparable images
  18. Any unique identifying number, characteristic or code

MindMaze do not collect all that information, but as a business associate,  covered entities we are associated with, may share with or transfer to us additional information to data mentioned in section 2. That information can fall in the list above.

7. What are your rights regarding your information?

7.1. The right of Access

The HIPAA privacy rule provides to individuals a set of rights over their personal or health data:

The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

  1. Access your health information and other information belonging to you
  2. Request an accounting of disclosures of your PHI.
  3. Request changes or amendments to your PHI
  4. Request certain restrictions on the use and disclosure of your PHI
  5. Request that we contact you at different place or via different means than the provider

Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity or business associate that comprises the:

  1. Medical records and billing records about individuals maintained by or for a covered health care provider;
  2. Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  3. Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

We will always act on the individual’s request within maximum 30 calendar days of receiving the request. If we are unable to provide you PHI or the request of an accounting of disclosures of your PHI within the 30 calendar days, we will inform you about an extension of 30 additional calendar days. This is an outer limit and we will always try to respond as soon as possible. At any time, you may access your PHI directly through the web portal of MindMotion Companion. In case you are performing sessions with a therapist, you might want to ask to your therapist to create for you a remote session account. The remote session account will provide you PHI that were filled in by the therapist.

7.2. The right to direct to another person

You have a right to direct a covered entity or a business associate to transmit your PHI directly to another person or entity designated by you. Your request to direct the PHI to another person must be in writing, signed by you and clearly identify the designated person and where to send the PHI. We may accept and electronic copy of a signed request (e.g. PDF), as well as an electronically executed request (e.g. via a secure web portal) that includes an electronic signature.

As business associate, if your request is addressed directly to us instead of the covered entity, we will forward it to the covered entity we are associated with and we will rely on their decision and the accepted method. We may also redirect you directly to the covered entity.

7.3. Personal Representatives

Your personal representative has the right to access your PHI in a designated record set (as well as to direct a covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice), upon request.

7.4. Information Excluded from the Right of Access

An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals.

7.5. Request for restrictions on use and disclosures of PHI

As described in section 3, we may process your PHI only with your consent. Insofar as we process your PHI based on your consent, you have the right to withdraw your consent at any time. However, the withdrawal of your consent does not compromise the lawfulness of the processing operation before your consent is withdrawn.

If you are unable to legally establish contractual links with MindMaze or another company of the MindMaze group or to give your consent to the processing of your PHI, for medical or similar reasons, your personal data may however only be processed if this is necessary to safeguard your vital interests or if we have to comply with the law.

You also have the right to request restrictions on the use and disclosure of your PHI if they were use and disclose without your express consent. When doing so, the DPO is charged with the responsibility for processing the request and ensure that the procedures, processes and policies are update accordingly, and the staff trained properly to take that request into consideration. It remains at our sole discretion to honour such request if the request is not reasonable. We will however act at your best interest and will always comply with HIPAA privacy rule and our business associate contract.

7.6. Fees for copies

The HIPAA Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information).  The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual ( 45 CFR 164.524(c)(4)).

As business associate and accordingly to our business associate agreement with a covered entity we will charge you fees for copies based on the case.

7.7. Deny of Access or Deny Amending PHI

Under certain limited circumstances, we may deny an individual’s request for amend to all or a portion of the PHI requested.  In some of these circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny.

We may deny to amending PHI for the following reasons:

  1. The PHI was not created by us, or by a covered entity we are associated with;
  2. The request PHI is not par of the Designated Record Set;
  3. The PHI would not be available for inspection; and
  4. The PHI is accurate and complete

We may deny of access for the following reasons:

  1. The request concerns information compiled in reasonable anticipation of or for use in a legal proceeding;
  2. The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research. The individual’s right of access is reinstated upon completion of the research;
  3. The requested PHI was obtained by someone other than a health care provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.

In a any case, we will send you a denial in writing no later than within 30 calendar days of the request (or no later than within 60 calendar days if we notify you of an extension). The denial will be in plain language and will describe the basis for denial.

As business associate, we will always refer to the decision of the covered entity we are acting on behalf. Any request of access will be forwarded to the covered entity for approval. In such case, you may submit a complaint to the covered entity, to us or the HHS Office for Civil Rights (45 CFR 164.524(d)(3)).

7.8. How to exercise your rights

We will take reasonable steps to verify the identity of the individual making a request for access to his/her own PHI. You will be able to request access to your PHI if you fall in the following situation:

  1. If the request is made in person: Verification of identity will be accomplished by requesting identifying information such as social security number, birth date and confirming that this information matches what is in the participant’s record
  2. If the request is made online: You will have to use our web portal MindMotion Companion by using the credentials needed to access the data. We will never provide you those credentials by email, in writing or by phone. If you have forgotten you credentials, you will always be able to reinitialize them or ask to your therapist to create new ones.
  3. If the request is made over the telephone: verification will be accomplished by requesting identifying information such as social security number, birth date, and medical record number and confirming that this information matches what is in the participant’s record. Or, verification will occur through a callback process using phone numbers documented in the participant record to validate the caller’s identity
  4. If the request is made in writing: verification will be accomplished by requesting a photocopy of photo identification if a photocopy of the ID is not available, the signature on the written request must be compared with the signature in the participant record. In addition, MindMaze will need to verify the validity of the written request by contacting the participant by telephone.
  5. If the requestor is your legally authorized representative: Verification of identity will be accomplished by asking for a valid photo identification (such as driver’s license) if the request is made in person. Once identity is established, authority in such situations may be determined by confirming the person is named in the medical record or in the participant’s profile as the participant’s legally authorized representative. Or, if there is no person listed in the medical record as the participant’s legally authorized representative, authority may be established by the person presenting an original of a valid power of attorney for health care or a copy of a court order appointing the person guardian of the participant and a valid photo I.D. A copy of the I.D. and legal notice will be attached to the request and placed in the participant record

When acting on behalf of a covered entity, the requests on (1), (3), (4) and (5) will be redirected to the covered entity and handling according to our business associate contract.

8. Breach reporting

A privacy breach is an adverse event or action that is unplanned, unusual, and unwanted that happens as a result of non-compliance with the privacy policies and procedures of the Company. A privacy breach must pertain to the unauthorized use or disclosure of health information, including ‘accidental disclosures’ such as misdirected e-mails or faxes.

The DPO will immediately investigate and attempt to resolve all reported suspected privacy breaches.

Following a breach of unsecured protected health information, we will provide notification of the breach to affected individuals if necessary. The communication will be made based on the information we have:

  1. If we have all individual emails up-to-date: the notification will be sent by email
  2. If we have insufficient or out-of-date contact information for 10 or more individuals: we will post a notice on the home page of either MindMaze or MindMotionWeb or MindMotion Companion website.
  3. In certain circumstances for fewer out-of-date contact information, fewer than 10 individuals, we may provide substitute notice by an alternative form of written, telephone or other means.
  4. A breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 calendar days following the discovery of a breach and must include the same information required for the individual notice.
  5. In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 calendar days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 calendar days after the end of the calendar year in which the breaches occurred.

As business associate, we will notify covered entities we are associated with, following the discovery of the breach, without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, we should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

9. Complaint/Concerns reporting

As individual, you can complaint of alleged privacy rights violations of the current privacy policy at any time. We use different channels such as telephone calls, letter via mail/email, in person. Your complaint should be addressed in the following way:

  1. Telephone Call or In-Person Request to File a Complaint: We will complete the Privacy Complaint Form and immediately forward to the DPO. Offer to forward a copy of the complaint form to the complainant.
  2. Letter or Email (print out) – We will Complete the Privacy Complaint Form and immediately forward to the DPO. Your written complaint will be attached to the complaint form.
  3. Anonymous Complaint– We will Complete the Privacy Complaint Form based on the information provided and immediately forward to DPO. In this case, be aware that the company has an obligation to follow up on complaints whether or not they are anonymously filed.

us with personal data without your consent, please contact us using the information in the “Contact Us” section below. We will take steps to remove this personal information from our systems.

10. Non-Retaliation

The Company will not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any person who has reported a privacy incident. All privacy incident will be reported to the DPO and documented. You can freely exercise your rights to access your complaints any time.

11. Review of the Privacy Policy

We regularly review this privacy policy and may update it at any time to better protect you. Any future changes or additions to the processing of personal or neurological impairment data described in this document concerning you will only be applicable to you with your express consent.

12. Contact Us

Any questions regarding this privacy policy and our privacy practices should be sent to our Data Protection Officer:

  1. by e-mail [email protected];
  2. by post to
    MindMaze Inc, 535 Mission Street 14th Floor,  CA 94105 San Francisco, United States of America
    or MindMaze SA, Chemin de Roseneck 5, 1006 Lausanne, Switzerland.
  3. by phone
    call on +41 (0)21 552 0801.