Last updated: September 23, 2022
MediGO products transfer and store electronic PHI through direct input from Customer/users as text, videos, or images. MediGO Products are not considered EHR systems under HITECH.
All data transferred and stored by MediGO Products resides and is processed within the United States. Data is encrypted at rest and in transit (TLS 1.2), meeting NIST Special Publications 800-52 Rev1 and 800-111 standards. Data destruction/sanitization and storage reclamation processes are designed to prevent customer data from being exposed to unauthorized individuals. These processes follow techniques detailed in DoD 5220.22-M and NIST 800-88r1. No removable drives are used for PHI/PII storage. Each customer’s data is segregated from other customers’ data through logical controls. Backend access is controlled and includes role-based controls to manage and audit admin/backend users. Customer data will never be shared with third parties without express permission from the customer. The customer will be informed if customer data must be shared with regulators or law enforcement agencies.
MediGO uses Amazon Web Services (AWS) for hosting its products and services. AWS is SSAE18 certified with SOC 2 Type 2 completed regularly. AWS provides several reports from third-party auditors who have verified compliance with a variety of computer security standards and regulations (aws.amazon.com/compliance) including ISO 27001 ISMS. MediGO has signed a BAA with AWS after fulfilling the compliance requirements.
Redundancy is built into the databases and products, offering customizable data archiving and retention as required by HIPAA and other regulations. Customer data will be retained and available for export at the termination of the contract, and then sanitized from MediGO systems, exceeding the guidelines of NIST SP 800-88 rev1.
MediGO periodically engages third parties to conduct vulnerability assessment and penetration testing (VAPT) of its Products and environment. MediGO has implemented an Incident Management policy along with associated procedures for notifying customers, regulators and other stakeholders.
MediGO has implemented a documented and tested BCP and DRP as required by HIPAA. The BCP and DRP are updated, reviewed and exercised on a regular basis, at least once every year and whenever a major change is made to the Product or environment. The AWS hosting used by MediGO is ISO 22301 BCMS compliant, as certified by third-party auditors.
In order to access the Products, a unique login and password are required. Account and password criteria, expiration, auto-logoff, and other administrative policies/procedures are configurable by administrators from the backend. Session lockouts and logoffs have been implemented for enhanced security.
MediGO products are accessible via any of our certified web or mobile platforms. For native mobile application Products, a user is registered using a phone number and email. Data is not stored locally or in cache on any Product; data is merely accessed by the Product and displayed for the user. Data is transferred to/from the phone using TLS v1.2 or above.
By checking the “I Consent” checkbox when accessing these Services, you agree that you:
We collect the following information for the purpose of providing you with the functionality of our app:
“Personal Information” means any data, whether used alone or when combined with other identifying information, which can be used to distinguish or trace your identity, such as your name or other personally identifiable information, financial and payment information, authentication information, phonebook, contacts, device location, SMS and call related data, inventory of other apps on the device, microphone, camera, location data and other sensitive device or usage data, company name, email, address or telephone number. Unless you or your organization provides it to us voluntarily, we do not collect Personal Information about you in connection with your use of our Services.
“Non-Personal Information” means data that cannot be used on its own to trace or identify you. This includes your web browser type, domain name, referring site(s), date/time, and IP address from which you utilized our Services, as well as from your transactions with us and our affiliates or non-affiliated third parties. This “Non-Personal Information” is used to improve the operations, functionality, and appearance of our Services.
We do not intend to collect Personal Information from minors (children under 18 years of age, or any other age of minority as defined by applicable law). If we become aware that a minor is attempting to or has submitted Personal Information via our Services, we will notify the user that we will not accept their Personal Information. We will then delete any such Personal Information from our records. If you believe that a minor has submitted their Personal Information, please contact us at 1703 S. Clinton St., Baltimore MD 21224.
We use your Personal Information only for the purpose for which it was submitted. For example, if you enroll in our SMS notification system, we will send text message notifications to the provided phone number. We may use Non-Personal Information to help diagnose problems with our server, and to administer our Services, for example, to:
We will retain your Personal Information only for as long as necessary to fulfill the purpose of collection. We may retain your Personal Information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. We will establish and maintain commercially reasonable safeguards against the destruction, loss or alteration of Personal Information in our possession that are no less rigorous than those in effect for our operations.
We may also retain Non-Personal Information for internal analysis purposes. Non-Personal Information will be disposed of and/or destroyed in accordance with industry best practices when no longer needed.
Our platform includes a live chat service that enables you to communicate with us as well as other users of our platform. You hereby acknowledge that any content that you post when using the chat service will be visible to those other users with whom you are communicating, and we are not responsible for maintaining your privacy with respect to those messages.
For clarifications, or to report Information Security / Privacy concerns, please contact:
Chief Compliance and Privacy Officer, MediGO
Call: (443) 961-9444
1703 S. Clinton Street,
Baltimore, Maryland 21224